VPN Client config & site to site

cmelbourne · ‎07-25-2006

We are using the following config below.

We have a vpn between two offices, this works perfectly, However, When we try and vpn into this for remote access we can ping the devices (PCs, Servers, Routers etc..) but cannot telnet to any routers or devices not even vnc to the servers.

Any ideas

The ip address you will get is 192.168.20.x for the vpn client and we need to access all devices in the 200.100.50.0 network.

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Dublin_ISR

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable password cisco

!

aaa new-model

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

ip host cork 200.x.80.1

!

username xxxx password xxxx

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxx address 99.x.x.99 no-xauth

crypto isakmp xauth timeout 15

!

crypto isakmp client configuration group xxxx

key xxxx

pool SDM_POOL_1

netmask 255.255.255.0

!

crypto isakmp client configuration group ras-test

key xxxx

dns 200.100.50.2

domain test

pool SDM_POOL_1

netmask 255.255.255.0

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA1

reverse-route

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 1 ipsec-isakmp

description tunnel to yy.yy.yy.yy

set peer yy.yy.yy.yy

set transform-set ESP-3DES-SHA

match address 100

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface FastEthernet0/0

ip address 200.100.x.x.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description $ETH-LAN$

ip address yy.yy.yy.yy 255.255.255.192

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

ip local pool SDM_POOL_1 192.168.20.1 192.168.20.2

ip classless

ip route 0.0.0.0 0.0.0.0 yy.yy.yy.yy

!

ip http server

no ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

!

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 200.100.50.0 0.0.0.255

access-list 100 permit ip 200.100.50.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 100 permit tcp any any

access-list 100 permit ip 1.1.1.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 100 permit ip 200.100.70.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 100 permit ip 200.100.90.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 remark SDM_ACL Category=18

access-list 101 deny ip any 192.168.20.0 0.0.0.3

access-list 101 deny ip 200.100.50.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 101 deny tcp any any

access-list 101 deny ip 1.1.1.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 101 deny ip 200.100.70.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 101 deny ip 200.100.90.0 0.0.0.255 200.100.80.0 0.0.0.255

!

route-map SDM_RMAP_1 permit 1

match ip address 101

p.krane · ‎07-31-2006

This URL should help you:

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2301/products_tech_note09186a0080094ba0.shtml

attrgautam · ‎08-02-2006

Do you get any logs on the VPN client ? Also what does sh ip route for the private ip you get give on the router ?