Cisco Support Community
New Member

VPN PROBLEM

Hi,

I've got a problem with my VPN. I'm trying to add VPN Client access alongside another VPN and it won't work.

I connect, but I cannot reach the resource.

Bordeaux wine to anyone who helps me!

Thank you

access-list NONAT permit ip 1.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 1.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 1.0.0.0 255.255.255.0
access-list NONAT permit ip 172.16.1.0 255.255.255.0 1.0.0.0 255.255.255.0
access-list GroupVPN_splitTunnelAcl permit ip 1.0.0.0 255.255.255.0 any
access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.0
nat (inside) 0 access-list NONAT
sysopt connection permit-ipsec
crypto ipsec transform-set TRANS_ESP_DES_MD5 esp-des esp-md5-hmac
crypto ipsec transform-set TRANS_ESP_DES_MD5 mode transport
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto dynamic-map outside_dyn_map 20 match address outside_cryptomap_dyn_20
crypto dynamic-map outside_dyn_map 20 set transform-set TRANS_ESP_DES_MD5
crypto map newmap 11 ipsec-isakmp
crypto map newmap 11 match address NONAT
crypto map newmap 11 set peer 205.0.0.1
crypto map newmap 11 set transform-set ESP-DES-MD5
crypto map newmap 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map newmap interface outside
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
isakmp enable outside
isakmp key ******** address 205.0.0.1 netmask 255.255.255.255
isakmp key ******** address 0.0.0.0 netmask 0.0.0.0
isakmp identity address
isakmp policy 11 authentication pre-share
isakmp policy 11 encryption des
isakmp policy 11 hash md5
isakmp policy 11 group 1
isakmp policy 11 lifetime 1000
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash md5
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
vpngroup GroupVPN address-pool pptp-pool
vpngroup GroupVPN split-tunnel GroupVPN_splitTunnelAcl
vpngroup GroupVPN idle-time 1800
vpngroup GroupVPN password ********

2 REPLIES
Cisco Employee

Re: VPN PROBLEM

These lines are your problem:

access-list NONAT permit ip 1.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 1.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 1.0.0.0 255.255.255.0
access-list NONAT permit ip 172.16.1.0 255.255.255.0 1.0.0.0 255.255.255.0
crypto map newmap 11 match address NONAT

Now that you have defined an additional client crypto map, you need to separate your NONAT ACL from your LAN-to-LAN ACL. What's happening is your client is sending packets to an inside host (on the 1.0.0.0 net), but when the reply hits the PIX the PIX reads the crypto map from top-down, so it sees the "crypto map newmap 11" instance first for the LAN-to-LAN tunnel. It compares the NONAT ACL with the traffic, sees that it matches and sends the reply packet over the LAN-to-LAN tunnel, rather than back to your VPN client.

I'm assuming here that 1.0.0.0 is this PIX's inside network, 192.168.0.0 is the remote PIX's inside network, and 172.16.1.0 is the pptp-pool of VPN Client IP addresses. If I'm wrong with any of that substitute the correct values below.

First off, clean up your NONAT ACL by making it just this:

access-list NONAT permit ip 1.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 1.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0

Then create a new ACL specifically for your LAN-to-LAN tunnel:

access-list L2L permit ip 1.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0

Then set your LAN-to-LAN crypto map to look at this ACL rather than at your NONAT one:

crypto map newmap 11 match address L2L

That should get you going. Be careful when playing around with crypto map ACLs though; you can stop all traffic going through the PIX. The safest thing is to do the following:

no crypto map newmap interface outside
crypto map newmap interface outside

Also, when you remove ACLs in the PIX, be aware that this can remove other commands, so make sure everything is still there before re-applying the crypto map (for example, removing the NONAT access-list will automatically remove the "nat (inside) 0 access-list NONAT" command, so you need to add it back in after adding in the new NONAT ACL).
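The explanation above (the PIX walks the crypto map top-down and hands the reply to the first entry whose ACL matches) can be checked with a small simulation. The following is an added example, not code from the thread or from Cisco: it parses the "before" and "after" access-lists into networks, evaluates the crypto map entries in sequence order, and reports which tunnel a given packet would be sent over. It is a simplified model: it only looks at source/destination matching and assumes the dynamic entry (seq 65535) is consulted after the static L2L entry, as the reply describes. The host addresses and the entry labels are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed PIX access-list fragments: the original (broken) state, where the
# LAN-to-LAN crypto map reuses NONAT, and the recommended state with a dedicated L2L ACL.
ACL_BEFORE = """
access-list NONAT permit ip 1.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 1.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list NONAT permit ip 192.168.0.0 255.255.0.0 1.0.0.0 255.255.255.0
access-list NONAT permit ip 172.16.1.0 255.255.255.0 1.0.0.0 255.255.255.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.0
"""
ACL_AFTER = """
access-list NONAT permit ip 1.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list NONAT permit ip 1.0.0.0 255.255.255.0 172.16.1.0 255.255.255.0
access-list L2L permit ip 1.0.0.0 255.255.255.0 192.168.0.0 255.255.0.0
access-list outside_cryptomap_dyn_20 permit ip any 172.16.1.0 255.255.255.0
"""

# Crypto map entries as (sequence, label, match-address ACL); labels are constructed.
CRYPTO_MAP_BEFORE = [(11, "L2L tunnel to 205.0.0.1", "NONAT"),
                     (65535, "dynamic map (VPN clients)", "outside_cryptomap_dyn_20")]
CRYPTO_MAP_AFTER = [(11, "L2L tunnel to 205.0.0.1", "L2L"),
                    (65535, "dynamic map (VPN clients)", "outside_cryptomap_dyn_20")]


def _take_network(fields, i):
    """Consume one address spec: 'any' or 'ADDR MASK' (PIX uses subnet masks, not wildcards)."""
    if fields[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(f"{fields[i]}/{fields[i + 1]}", strict=False), i + 2


def parse_acls(text):
    """Return {acl_name: [(src_net, dst_net), ...]} from 'access-list NAME permit ip ...' lines."""
    acls = defaultdict(list)
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[2] != "permit" or tok[3] != "ip":
            continue  # only the permit-ip form used in the thread is modelled
        src, i = _take_network(tok, 4)
        dst, _ = _take_network(tok, i)
        acls[tok[1]].append((src, dst))
    return acls


def acl_matches(entries, src_ip, dst_ip):
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(s in sn and d in dn for sn, dn in entries)


def select_tunnel(crypto_map, acls, src_ip, dst_ip):
    """First crypto map entry (lowest sequence) whose ACL matches wins; None = sent in the clear."""
    for _seq, label, acl_name in sorted(crypto_map):
        if acl_matches(acls.get(acl_name, []), src_ip, dst_ip):
            return label
    return None


def nat_exempt(acls, src_ip, dst_ip):
    """Mirror of 'nat (inside) 0 access-list NONAT': is this flow excluded from NAT?"""
    return acl_matches(acls.get("NONAT", []), src_ip, dst_ip)


if __name__ == "__main__":
    # Reply from an inside host (1.0.0.5) back to a VPN client in pptp-pool (172.16.1.10).
    for name, cmap, text in (("before", CRYPTO_MAP_BEFORE, ACL_BEFORE),
                             ("after", CRYPTO_MAP_AFTER, ACL_AFTER)):
        acls = parse_acls(text)
        print(f"{name}: reply to VPN client -> {select_tunnel(cmap, acls, '1.0.0.5', '172.16.1.10')}, "
              f"NAT exempt: {nat_exempt(acls, '1.0.0.5', '172.16.1.10')}")
```

Run as-is, the "before" case shows the reply to the VPN client being chosen by sequence 11 (the LAN-to-LAN entry), while the "after" case falls through to the dynamic entry; in both cases the flow stays NAT-exempt, which is why the reply keeps the 172.16.1.0 line in NONAT but removes it from the crypto map ACL.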

New Member

Re: VPN PROBLEM

Thanks a lot!

If you take holidays or work in France, contact me for some bottles of Bordeaux wine!

ofulbert@ocea.net
