02-28-2006 08:09 AM - edited 02-21-2020 02:17 PM
Using Easy VPN Server on a Cisco 1801 (Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1); tried with 12.4(4)T1 first) and Cisco VPN Client 4.6, I can establish a tunnel and access the router via telnet and SDM, but cannot access anything else on the router's side of the network.
Part of the config:
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 24.x.x.x
ip name-server 24.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group test
key test123
dns 24.222.x.x.x.0.5
pool SDM_POOL_1
acl 101
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 24.222.X.X 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
no ip route-cache cef
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.1.170 192.168.1.175
ip route 0.0.0.0 0.0.0.0 24.222.X.X (default gateway for ISP)
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.170
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.171
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.172
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.173
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.174
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.175
access-list 100 deny ip any host 192.168.1.170
access-list 100 deny ip any host 192.168.1.171
access-list 100 deny ip any host 192.168.1.172
access-list 100 deny ip any host 192.168.1.173
access-list 100 deny ip any host 192.168.1.174
access-list 100 deny ip any host 192.168.1.175
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
03-02-2006 12:44 AM
Hi,
In the first place, I would suggest changing the SDM_POOL from which you offer IPs to the RA VPN clients.
Just change it to either a 10.x.x.x or a 172.16.x.x network. Also change ACL 101 accordingly, allowing the VPN traffic to get encrypted, matching the newly defined block and your local LAN network, and bind it under the ISAKMP policy.
With your current network config, ACL 101, which you defined as the interesting traffic to be encrypted, might be the possible cause of the inaccessibility issue.
Regards
03-20-2006 09:17 AM
I tried changing things and it still didn't work. I even tried some example configs (resetting the router first) and they didn't work either. I put an FTP server on the inside of the router, and when trying to connect, the FTP log shows the VPN client IP connecting but the server cannot reply; example:
(000016) 3/20/2006 13:13:29 PM - (not logged in) (192.168.0.220)> Connected, sending welcome message...
(000016) 3/20/2006 13:13:29 PM - (not logged in) (192.168.0.220)> 220-FileZilla Server version 0.9.12 beta
(000016) 3/20/2006 13:13:29 PM - (not logged in) (192.168.0.220)> could not send reply, disconnected.
04-25-2006 11:50 AM
I have the exact same problem...did you get this fixed?
04-25-2006 10:36 PM
I think you should try:
1.- Removing any config relating to ISAKMP and crypto, to start fresh.
2.- When assigning the IP addresses (pool), make sure you create a new subnet and also make sure your hosts on the internal network (behind the router) know how to reach this subnet. Perform a traceroute, which should reach the internal interface of the router.
3.- Don't use split tunneling on the first try, to try isolating what the issue is.
4.- Test connecting from the VPN client and make sure you are authenticated and an IP address in the appropriate range has been allocated.
5.- If you are still unable to connect, then you might be hitting a bug, even though I could not find any Easy VPN Server bug related to your particular IOS version.
Hope this helps
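The replies above boil down to a few things a reader can verify directly in the posted config: the client pool SDM_POOL_1 (192.168.1.170-175) is carved out of the inside LAN 192.168.1.0/24, Vlan1 has "no ip proxy-arp" (so the router will not answer the ARPs LAN hosts send for those client addresses, which matches an FTP server that sees the connection but "could not send reply"), the NAT route-map ACL 100 must exempt every pool address, and the split-tunnel ACL 101 must cover the LAN. The following is an added example, not code from the thread or from Cisco: a hypothetical Python checker that parses the relevant lines of the posted config (embedded here as a constructed sample) and reports those four conditions as findings. It also runs against a constructed variant in which the pool has been moved to 10.10.10.0/24 as the first reply suggests, but ACL 100 was left untouched, to show why "change the ACL accordingly" matters.

```python
"""Audit an IOS Easy VPN Server snippet for the pitfalls raised in this thread:
a client pool carved out of the inside LAN, proxy-ARP disabled on that LAN
interface, pool addresses that the NAT route-map does not exempt, and a
split-tunnel ACL that does not cover the LAN. Hypothetical checker, not a Cisco tool."""
import ipaddress
import re

# Constructed sample: the lines of the posted config that the checks look at.
SAMPLE_CONFIG = """
crypto isakmp client configuration group test
pool SDM_POOL_1
acl 101
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip proxy-arp
ip nat inside
!
ip local pool SDM_POOL_1 192.168.1.170 192.168.1.175
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
access-list 100 deny ip any host 192.168.1.170
access-list 100 deny ip any host 192.168.1.171
access-list 100 deny ip any host 192.168.1.172
access-list 100 deny ip any host 192.168.1.173
access-list 100 deny ip any host 192.168.1.174
access-list 100 deny ip any host 192.168.1.175
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 100
"""
# Constructed variant following the first reply: pool moved to its own subnet,
# but the NAT route-map ACL 100 still only exempts the old 192.168.1.17x hosts.
MOVED_POOL_CONFIG = SAMPLE_CONFIG.replace(
    "ip local pool SDM_POOL_1 192.168.1.170 192.168.1.175",
    "ip local pool SDM_POOL_1 10.10.10.1 10.10.10.6")


def addr_spec(tok, i):
    """Parse one ACE address spec ('any', 'host A', or 'A WILDCARD') at tok[i]."""
    if tok[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.IPv4Network(f"{tok[i + 1]}/32"), i + 2
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1]))  # wildcard -> netmask
    return ipaddress.IPv4Network((tok[i], str(ipaddress.IPv4Address(mask))), strict=False), i + 2


def parse(config):
    """Extract interfaces, pools, ACLs, the client group and the NAT route-map."""
    f = {"ifaces": {}, "pools": {}, "acl": {}, "group": {}, "rmap": {}, "nat_rmap": None}
    block = None  # (kind, name) of the sub-mode block we are inside, if any
    for line in (raw.strip() for raw in config.splitlines()):
        if not line or line == "!":
            block = None  # "!" terminates a sub-mode block in running-config output
        elif line.startswith("interface "):
            block = ("if", line.split()[1])
            f["ifaces"][block[1]] = {"proxy_arp": True, "nat_inside": False, "net": None}
        elif line.startswith("route-map "):
            block = ("rmap", line.split()[1])
        elif line.startswith("crypto isakmp client configuration group "):
            block = ("group", line.split()[-1])
        elif block and block[0] == "if":
            ent = f["ifaces"][block[1]]
            if line == "no ip proxy-arp":
                ent["proxy_arp"] = False
            elif line == "ip nat inside":
                ent["nat_inside"] = True
            elif line.startswith("ip address "):
                a, m = line.split()[2:4]
                ent["net"] = ipaddress.IPv4Interface(f"{a}/{m}").network
        elif block and block[0] == "rmap":
            if (m := re.match(r"match ip address (\d+)", line)):
                f["rmap"][block[1]] = m.group(1)
        elif block and block[0] == "group":
            if line.startswith(("pool ", "acl ")):
                k, v = line.split()
                f["group"][k] = v
        elif (m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line)):
            lo, hi = (int(ipaddress.IPv4Address(x)) for x in m.group(2, 3))
            f["pools"][m.group(1)] = [ipaddress.IPv4Address(n) for n in range(lo, hi + 1)]
        elif (m := re.match(r"ip nat inside source route-map (\S+)", line)):
            f["nat_rmap"] = m.group(1)
        elif (m := re.match(r"access-list (\d+) (permit|deny) ip (.*)", line)):
            tok = m.group(3).split()
            src, i = addr_spec(tok, 0)
            dst, _ = addr_spec(tok, i)
            f["acl"].setdefault(m.group(1), []).append((m.group(2), src, dst))
    return f


def nat_applies(acl, src, dst):
    """First-match evaluation of the route-map ACL: True means NAT translates the flow."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def audit(config):
    """Return 'CODE: explanation' findings; an empty list means every check passed."""
    f = parse(config)
    findings = []
    inside = next(v for v in f["ifaces"].values() if v["nat_inside"])
    lan = inside["net"]
    lan_host = next(lan.hosts())  # representative LAN source for the NAT check
    pool = f["pools"].get(f["group"].get("pool"), [])
    if pool and all(a in lan for a in pool):
        findings.append(f"POOL_IN_LAN: client pool lies inside {lan}; LAN hosts will ARP for client addresses")
        if not inside["proxy_arp"]:
            findings.append("NO_PROXY_ARP: inside interface has 'no ip proxy-arp', so those ARPs go unanswered and LAN replies never reach the tunnel")
    nat_acl = f["acl"].get(f["rmap"].get(f["nat_rmap"]), [])
    translated = [str(a) for a in pool if nat_applies(nat_acl, lan_host, a)]
    if translated:
        findings.append(f"NAT_NOT_EXEMPT: LAN->client traffic to {translated} is translated before encryption and no longer matches the crypto ACL")
    split = [s for action, s, _ in f["acl"].get(f["group"].get("acl"), []) if action == "permit"]
    if not any(lan.subnet_of(s) for s in split):
        findings.append(f"SPLIT_ACL_MISSES_LAN: split-tunnel ACL does not cover {lan}")
    return findings


if __name__ == "__main__":
    for title, cfg in (("posted config", SAMPLE_CONFIG), ("pool moved, ACL 100 unchanged", MOVED_POOL_CONFIG)):
        print(title)
        for item in audit(cfg) or ["no findings"]:
            print("  " + item)
```

Against the posted config the checker reports POOL_IN_LAN and NO_PROXY_ARP; against the moved-pool variant it reports only NAT_NOT_EXEMPT, because ACL 100 still exempts the old host addresses rather than the new block. The parser only understands the handful of statement forms shown in the thread (standard/extended numbered ACLs with "any", "host" and wildcard specs, interface sub-mode, one route-map match), which is enough for this config but is not a general IOS parser.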