Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN Client config & site to site

We are using the following config below.

We have a vpn between two offices, this works perfectly, However, When we try and vpn into this for remote access we can ping the devices (PCs, Servers, Routers etc..) but cannot telnet to any routers or devices not even vnc to the servers.

Any ideas

The ip address you will get is 192.168.20.x for the vpn client and we need to access all devices in the 200.100.50.0 network.

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Dublin_ISR

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable password cisco

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

ip subnet-zero

ip cef

!

!

!

!

ip host cork 200.x.80.1

!

!

username xxxx password xxxx

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key xxxx address 99.x.x.99 no-xauth

crypto isakmp xauth timeout 15

!

crypto isakmp client configuration group xxxx

key xxxx

pool SDM_POOL_1

netmask 255.255.255.0

!

crypto isakmp client configuration group ras-test

key xxxx

dns 200.100.50.2

domain test

pool SDM_POOL_1

netmask 255.255.255.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA1

reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 1 ipsec-isakmp

description tunnel to yy.yy.yy.yy

set peer yy.yy.yy.yy

set transform-set ESP-3DES-SHA

match address 100

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

!

interface FastEthernet0/0

ip address 200.100.x.x.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description $ETH-LAN$

ip address yy.yy.yy.yy 255.255.255.192

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

ip local pool SDM_POOL_1 192.168.20.1 192.168.20.2

ip classless

ip route 0.0.0.0 0.0.0.0 yy.yy.yy.yy

!

!

ip http server

no ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload

!

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 200.100.50.0 0.0.0.255

access-list 100 permit ip 200.100.50.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 100 permit tcp any any

access-list 100 permit ip 1.1.1.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 100 permit ip 200.100.70.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 100 permit ip 200.100.90.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 101 remark IPSec Rule

access-list 101 remark SDM_ACL Category=18

access-list 101 deny ip any 192.168.20.0 0.0.0.3

access-list 101 deny ip 200.100.50.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 101 deny tcp any any

access-list 101 deny ip 1.1.1.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 101 deny ip 200.100.70.0 0.0.0.255 200.100.80.0 0.0.0.255

access-list 101 deny ip 200.100.90.0 0.0.0.255 200.100.80.0 0.0.0.255

!

route-map SDM_RMAP_1 permit 1

match ip address 101

2 REPLIES
New Member

Re: VPN Client config & site to site

Silver

Re: VPN Client config & site to site

Do you get any logs on the VPN client ? Also what does sh ip route for the private ip you get give on the router ?

105
Views
0
Helpful
2
Replies
CreatePlease login to create content