03-05-2009 03:08 PM
Hi
The problem that I am having is that once I am connected I can ping or connect to anything from the remote host, but I can ping the remote host from inside the network. I think the problem that I am having is related to the NAT settings that are configured, but I am not sure.
Below is the current config:
FIDEL#sh run
Building configuration...
Current configuration : 3876 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FIDEL
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN-XAUTH local
aaa authorization exec default local
aaa authorization network VPN-GROUP local
!
!
aaa session-id common
memory-size iomem 20
!
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.190 192.168.1.200
ip dhcp excluded-address 192.168.1.1 192.168.1.20
!
ip dhcp pool DHCP-INTERNAL
network 192.168.1.0 255.255.255.0
dns-server 68.87.77.130 68.87.72.130
default-router 192.168.1.1
lease 7
!
!
no ip domain lookup
ip domain name FIDEL.com
ip inspect name OUTSIDE-INSPECT tcp
ip inspect name OUTSIDE-INSPECT udp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group FIDEL-VPN-GROUP
key xxxxxx
dns 4.2.2.2
pool xxxxxx
include-local-lan
netmask 255.255.255.0
crypto isakmp profile VPN-CLIENT
description VPN-CLIENT profile
match identity group FIDEL-VPN-GROUP
client authentication list VPN-XAUTH
isakmp authorization list VPN-GROUP
client configuration address respond
!
!
crypto ipsec transform-set MYSET esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 5
set transform-set MYSET
set isakmp-profile VPN-CLIENT
reverse-route
!
!
crypto map MYMAP 10 ipsec-isakmp dynamic DYNMAP
!
archive
log config
hidekeys
!
!
ip ssh time-out 60
ip ssh authentication-retries 1
ip ssh version 2
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address x.x.x.x 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map MYMAP
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip inspect OUTSIDE-INSPECT in
ip virtual-reassembly
!
ip local pool FIDEL-VPN-POOL 192.168.1.230 192.168.1.250
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map VPN-ROUTE-MAP interface FastEthernet4 overload
ip nat inside source static 192.168.1.194 x.x.x.x
ip nat inside source static 192.168.1.195 x.x.x.x
ip nat inside source static 192.168.1.196 x.x.x.x
ip nat inside source static 192.168.1.197 x.x.x.x
!
ip access-list standard SSH-ACL
permit 192.168.1.0 0.0.0.255
!
ip access-list extended NATADD
permit ip 192.168.1.0 0.0.0.255 any
deny ip any any log
ip access-list extended OUTSIDE-LIST
permit udp any any eq isakmp log
permit icmp any any echo-reply
deny tcp any any eq 22
deny tcp any any eq telnet
deny ip 127.0.0.0 0.0.0.255 any
deny ip 10.0.0.0 0.255.255.255 any
deny ip 172.16.0.0 0.15.255.255 any
deny ip 192.168.0.0 0.0.255.255 any
deny ip host 255.255.255.255 any
deny ip any any
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
route-map VPN-ROUTE-MAP permit 5
match ip address NATADD
!
!
control-plane
!
banner login ^C
************************************************
YOUR ARE NOT AUTH0RIZED TO ACCESS THE ROUTER
DISCONNECT NOW!!!
************************************************^C
!
line con 0
logging synchronous
no modem enable
line aux 0
access-class 1 in
line vty 0 4
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
end
FIDEL#
03-10-2009 02:55 AM
Please clarify the "can" & "cannot" in the correct places - as from your post it sounds like everything is working OK.
03-10-2009 06:29 AM
The tunnel itself is working. The problem is the remote client not being able to receive packets back. But I think I found the problem.
I believe that I need to remove the host addresses that are in the VPN pool from the NAT ACL.
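As an added check (my own Python, not code from the thread or from Cisco), this parses the NATADD ACL from the posted config and lists which VPN pool addresses a reply from an inside host would be translated for under first-match ACL semantics, then re-runs the check against a hypothetical corrected ACL that denies LAN-to-pool traffic ahead of the permit. The inside host 192.168.1.100 and the corrected ACL are assumptions; the pool range is the one from the config.

```python
import ipaddress
# Constructed excerpt of the posted config: the NAT source ACL (NATADD) as it stands.
ACL_AS_POSTED = """\
ip access-list extended NATADD
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
"""
# Hypothetical fix (assumed, not from the thread): deny LAN-to-pool (192.168.1.224/27) before the permit.
ACL_FIXED = """\
ip access-list extended NATADD
 deny ip 192.168.1.0 0.0.0.255 192.168.1.224 0.0.0.31
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip any any log
"""
VPN_POOL = ("192.168.1.230", "192.168.1.250")  # 'ip local pool FIDEL-VPN-POOL' from the config

def parse_operand(tokens, i):
    """Parse one ACE address operand at tokens[i]: 'any', 'host X', or 'X wildcard'."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    addr, wc = (tokens[i + 1], "0.0.0.0") if tokens[i] == "host" else (tokens[i], tokens[i + 1])
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wc))  # wildcard bits are don't-care (contiguous only)
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False), i + 2

def parse_named_acl(config, name):
    """Return the ACEs of an extended named ACL, in order, as (action, proto, src_net, dst_net)."""
    aces, in_acl = [], False
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[:3] == ["ip", "access-list", "extended"] and t[3] == name:
            in_acl = True
        elif in_acl and t[0] in ("permit", "deny"):
            src, i = parse_operand(t, 2)
            dst, _ = parse_operand(t, i)
            aces.append((t[0], t[1], src, dst))
        else:
            in_acl = False  # any other command ends the ACL block
    return aces

def nat_would_translate(aces, src, dst):
    for action, proto, src_net, dst_net in aces:  # first match wins, as on the router
        if proto == "ip" and src in src_net and dst in dst_net:
            return action == "permit"
    return False  # no match: implicit deny, packet is not translated

def vpn_clients_hit_by_nat(acl_config, pool=VPN_POOL, lan_host="192.168.1.100"):
    # lan_host is a constructed inside server replying to a VPN client in the pool
    aces, src = parse_named_acl(acl_config, "NATADD"), ipaddress.IPv4Address(lan_host)
    first, last = (int(ipaddress.IPv4Address(a)) for a in pool)
    return [str(ipaddress.IPv4Address(n)) for n in range(first, last + 1)
            if nat_would_translate(aces, src, ipaddress.IPv4Address(n))]
```

With the ACL as posted every one of the 21 pool addresses is reported, so replies to VPN clients get translated out FastEthernet4 instead of being encrypted; with the deny in front the list is empty while internet-bound traffic is still translated.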