07-25-2006 08:28 AM - edited 02-21-2020 02:32 PM
We are using the following config below.
We have a VPN between two offices, and this works perfectly. However, when we try to VPN into this for remote access, we can ping the devices (PCs, servers, routers, etc.) but cannot telnet to any routers or devices, not even VNC to the servers.
Any ideas?
The IP address you will get is 192.168.20.x for the VPN client, and we need to access all devices in the 200.100.50.0 network.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Dublin_ISR
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
ip cef
!
!
!
!
ip host cork 200.x.80.1
!
!
username xxxx password xxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxx address 99.x.x.99 no-xauth
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group xxxx
key xxxx
pool SDM_POOL_1
netmask 255.255.255.0
!
crypto isakmp client configuration group ras-test
key xxxx
dns 200.100.50.2
domain test
pool SDM_POOL_1
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description tunnel to yy.yy.yy.yy
set peer yy.yy.yy.yy
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
ip address 200.100.x.x.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-LAN$
ip address yy.yy.yy.yy 255.255.255.192
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.20.1 192.168.20.2
ip classless
ip route 0.0.0.0 0.0.0.0 yy.yy.yy.yy
!
!
ip http server
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 200.100.50.0 0.0.0.255
access-list 100 permit ip 200.100.50.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 100 permit tcp any any
access-list 100 permit ip 1.1.1.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 100 permit ip 200.100.70.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 100 permit ip 200.100.90.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 101 remark IPSec Rule
access-list 101 remark SDM_ACL Category=18
access-list 101 deny ip any 192.168.20.0 0.0.0.3
access-list 101 deny ip 200.100.50.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 101 deny tcp any any
access-list 101 deny ip 1.1.1.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 101 deny ip 200.100.70.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 101 deny ip 200.100.90.0 0.0.0.255 200.100.80.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
match ip address 101
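An added example, not part of the original thread: a simplified model of how the posted crypto map SDM_CMAP_1 picks an entry for return traffic from the 200.100.50.0 LAN to a VPN client at 192.168.20.1. It assumes entries are tried in sequence order (1 before 65535) and that traffic not matched by access-list 100 falls through to the dynamic entry; the function names and test packets are constructed for illustration.

```python
import ipaddress

# access-list 100 copied from the posted config (crypto ACL of entry 1).
ACL_100 = """\
access-list 100 permit ip 200.100.50.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 100 permit tcp any any
access-list 100 permit ip 1.1.1.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 100 permit ip 200.100.70.0 0.0.0.255 200.100.80.0 0.0.0.255
access-list 100 permit ip 200.100.90.0 0.0.0.255 200.100.80.0 0.0.0.255
"""

def parse_addr(tokens):
    """Consume 'any' or '<net> <wildcard>' and return an ip_network."""
    if tokens[0] == "any":
        tokens.pop(0)
        return ipaddress.ip_network("0.0.0.0/0")
    net, wild = tokens.pop(0), tokens.pop(0)
    # A contiguous wildcard mask is the bitwise inverse of a netmask.
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wild)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{net}/{mask}")

def parse_acl(text):
    """Parse extended ACL lines into (action, proto, src_net, dst_net)."""
    rules = []
    for line in text.splitlines():
        t = line.split()[2:]  # drop 'access-list <number>'
        if not t or t[0] == "remark":
            continue
        action, proto = t.pop(0), t.pop(0)
        rules.append((action, proto, parse_addr(t), parse_addr(t)))
    return rules

def acl_permits(rules, proto, src, dst):
    """First matching line wins; no match means the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, snet, dnet in rules:
        if p in ("ip", proto) and s in snet and d in dnet:
            return action == "permit"
    return False

def select_entry(proto, src, dst):
    """Sequence number of the SDM_CMAP_1 entry that claims an outbound packet."""
    if acl_permits(parse_acl(ACL_100), proto, src, dst):
        return 1      # static entry: encrypted toward the site-to-site peer
    return 65535      # dynamic entry: the remote-access client's tunnel

if __name__ == "__main__":
    for proto in ("icmp", "tcp"):
        print(proto, "reply to VPN client ->", select_entry(proto, "200.100.50.2", "192.168.20.1"))
```

In this model, TCP replies to the client match `access-list 100 permit tcp any any` and are claimed by entry 1 (the site-to-site tunnel), while ICMP replies fall through to entry 65535, which is consistent with ping working while telnet and VNC fail.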
07-31-2006 08:21 AM
08-02-2006 09:09 PM
Do you get any logs on the VPN client? Also, what does sh ip route for the private IP you get give on the router?