02-05-2003 11:30 AM - edited 02-20-2020 10:32 PM
Can anyone help with this strange problem I'm having with
configuring VPN on the Cisco. I can connect with the Cisco Client
successfully, but I can only telnet to the devices which are not in
access list 101:
access-list 101 permit ip 10.3.200.0 0.0.0.255 any
access-list 101 permit ip 10.3.100.0 0.0.0.255 any
route-map NIC permit 5
match ip address 101
set default interface FastEthernet0/1
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent
The interfaces are configured as below and we're using NAT.
interface FastEthernet0/0
ip address 10.3.1.1 255.255.0.0
ip nat inside
ip policy route-map NIC
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
ip address XXX.XXX.XXX.XXX 255.255.255.192
ip nat outside
duplex auto
speed auto
no cdp enable
crypto map clientmap
Is NAT causing the problem?
02-06-2003 01:52 PM
I'm not entirely sure what you're trying to do with your policy route-map. So I'll just cover off on my understanding of what your policy routing is accomplishing.
First, I'm never a fan of default routes referring to ethernet interfaces, as you usually end up with a huge arp cache wasting router resources.
Now, for your policy routing, remembering that your default route is fast 0/1.
Your policy route says "If traffic is coming from 10.3.100.0 or 10.3.200.0, and you don't have a route for the destination, use interface fast 0/1".
Your default route would have accomplished this anyway. Are there more entries in your route-map? What is it that your route-map is supposed to do?
02-07-2003 01:38 AM
Thanks for your reply, I have included a more detailed config below to help further. The route map is configured for connections to Fast 0/0, and if they match the address in 101 then use the Fast 0/1.
When I connect via the Cisco VPN client, I connect successfully but can only contact the systems which are not specified in 101. How can I modify the config so I can contact the systems in the 101 policy via VPN?
Here's a more detailed config which should help:
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXXXX
key XXXXXX
pool nicvpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
mta receive maximum-recipients 0
!
!
interface FastEthernet0/0
ip address 10.1.1.3 255.255.0.0
ip nat inside
ip policy route-map niclan
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1
description Kingston Internet
ip address 21X.X.X.X 255.255.XXX.XXX
ip nat outside
duplex auto
speed auto
no cdp enable
crypto map clientmap
!
ip local pool nicvpnpool 10.2.1.1 10.2.1.254
ip nat translation timeout 119
ip nat inside source list 101 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 21X.XXX.XXX.XXX permanent
no ip http server
!
access-list 101 remark Internet
access-list 101 permit ip 10.1.4.0 0.0.0.255 any
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
!
route-map niclan permit 5
match ip address 101
set default interface FastEthernet0/1
!
radius-server authorization permit missing Service-Type
no call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
!
!
banner login
########################################
# #
# #
# #
# #
# UNAUTHORISED ACCESS PROHIBITED #
########################################
!
line con 0
exec-timeout 0 0
privilege level 0
password 7 XXXXXXXXXXXX
line aux 0
line vty 0 4
access-class 2 in
exec-timeout 0 0
privilege level 0
password 7 XXXXXXXXXX
!
!
end
02-10-2003 10:00 PM
Suggest that you look at reverse route injection on your crypto.
02-10-2003 11:39 PM
Sorry but I don't have much Cisco experience - how can I achieve this (reverse route injection on your crypto)?
Kind Regards,
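Editor's note, added to this thread and not taken from any of the posts above: the snippet below shows what "reverse route injection" looks like on the posted config, together with the NAT exemption that the symptom (only hosts outside list 101 are reachable from the VPN client) points at. On IOS, inside-to-outside NAT is applied before a packet is checked against the crypto map, so a reply from a host in 10.1.3.0/24 or 10.1.4.0/24 to a client in 10.2.1.0/24 currently matches list 101, has its source rewritten to the FastEthernet0/1 address, and no longer belongs to the flow the client opened; hosts not in list 101 are never translated, which is why they still work. The pool, transform-set, dynamic-map and interface names are the ones from the posted config; access list 110 is an assumed number chosen for this illustration.

```cisco
! Added example, not from any post in this thread. Reuses the names from the
! posted config (pool nicvpnpool 10.2.1.1-10.2.1.254, NAT source list 101,
! transform-set myset, dynamic map dynmap, FastEthernet0/1). Access list 110
! is an assumed number used only for this illustration.
!
! 1. Reverse route injection: while a client is connected, IOS installs a
!    static route for the address it was handed from nicvpnpool, pointing at
!    the client's public peer out FastEthernet0/1. Inside hosts, and the
!    "set default interface" fallback in route-map niclan, then have an
!    explicit route to the client rather than relying on the default route.
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
! 2. NAT exemption: traffic from the inside subnets to the VPN pool must be
!    left untranslated so that it still matches the client's IPsec SA and
!    arrives with its real inside source address. A deny entry in the NAT
!    access list means "do not translate"; keep the original permits after it.
access-list 110 remark NAT to Internet, excluding VPN client pool
access-list 110 deny   ip 10.1.4.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 110 deny   ip 10.1.3.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 110 permit ip 10.1.4.0 0.0.0.255 any
access-list 110 permit ip 10.1.3.0 0.0.0.255 any
!
! 3. Point the NAT rule at the new list. List 101 is left untouched so the
!    policy route-map niclan on FastEthernet0/0 keeps working as before.
no ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list 110 interface FastEthernet0/1 overload
```

To check the result with a client connected: `show ip route static` should list a host route for the client's 10.2.1.x address via FastEthernet0/1 (the injected route), `show ip nat translations` should show no entries whose destination is in 10.2.1.0/24, and the encaps/decaps counters in `show crypto ipsec sa` should increase while telnetting from the client to a host in 10.1.3.0/24 or 10.1.4.0/24. One caveat on the policy routing: `set default interface` only takes effect when the routing table has no explicit (non-default) route for the destination, so once reverse-route has installed the client route the route-map no longer influences traffic to the pool, which is the intended behaviour here.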
02-11-2003 09:15 PM