1699 Views, 0 Helpful, 5 Replies

VPN Configuration on Cisco 2621

bbellamy (Level 1)

Can anyone help with this strange problem I'm having with configuring VPN on the Cisco? I can connect with the Cisco Client successfully, but I can only telnet to the devices which are not in access list 101:

access-list 101 permit ip 10.3.200.0 0.0.0.255 any
access-list 101 permit ip 10.3.100.0 0.0.0.255 any
!
route-map NIC permit 5
 match ip address 101
 set default interface FastEthernet0/1
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 permanent

The interfaces are configured as below and we're using NAT.

interface FastEthernet0/0
 ip address 10.3.1.1 255.255.0.0
 ip nat inside
 ip policy route-map NIC
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 ip address XXX.XXX.XXX.XXX 255.255.255.192
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap

Is NAT causing the problem?

5 Replies

gmiiller (Level 1)

I'm not entirely sure what you're trying to do with your policy route-map. So I'll just cover off on my understanding of what your policy routing is accomplishing.

First, I'm never a fan of default routes referring to Ethernet interfaces, as you usually end up with a huge ARP cache wasting router resources.

Now, for your policy routing, remembering that your default route is fast 0/1.

Your policy route says "If traffic is coming from 10.3.100.0 or 10.3.200.0, and you don't have a route for the destination, use interface fast 0/1".

Your default route would have accomplished this anyway. Are there more entries in your route-map? What is it that your route-map is supposed to do?

Thanks for your reply. I have included a more detailed config below to help further. The route map is configured for connections on Fast 0/0: if they match the addresses in 101, then use Fast 0/1.

When I connect via the Cisco VPN client, I connect successfully but can only contact the systems that are not specified in 101. How can I modify the config so I can contact the systems in the 101 policy via VPN?

Here's a more detailed config which should help:

! Easy VPN server: IKE policy, client group (pre-shared key and address pool),
! transform set and the dynamic crypto map applied on FastEthernet0/1
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXX
 key XXXXXX
 pool nicvpnpool
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
isdn switch-type basic-net3
isdn voice-call-failure 0
!
mta receive maximum-recipients 0
!
! LAN side: NAT inside, policy routing via route-map niclan
interface FastEthernet0/0
 ip address 10.1.1.3 255.255.0.0
 ip nat inside
 ip policy route-map niclan
 duplex auto
 speed auto
 no cdp enable
!
! Internet side: NAT outside, crypto map applied here
interface FastEthernet0/1
 description Kingston Internet
 ip address 21X.X.X.X 255.255.XXX.XXX
 ip nat outside
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap
!
! VPN client address pool, PAT overload on the outside interface
! (access-list 101 is used both here for NAT and below for policy routing)
ip local pool nicvpnpool 10.2.1.1 10.2.1.254
ip nat translation timeout 119
ip nat inside source list 101 interface FastEthernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 21X.XXX.XXX.XXX permanent
no ip http server
!
access-list 101 remark Internet
access-list 101 permit ip 10.1.4.0 0.0.0.255 any
access-list 101 permit ip 10.1.3.0 0.0.0.255 any
!
route-map niclan permit 5
 match ip address 101
 set default interface FastEthernet0/1
!
radius-server authorization permit missing Service-Type
no call rsvp-sync
!
mgcp profile default
!
dial-peer cor custom
!
banner login
########################################
# #
# #
# #
# #
# UNAUTHORISED ACCESS PROHIBITED #
########################################
!
line con 0
 exec-timeout 0 0
 privilege level 0
 password 7 XXXXXXXXXXXX
line aux 0
line vty 0 4
 access-class 2 in
 exec-timeout 0 0
 privilege level 0
 password 7 XXXXXXXXXX
!
end

Suggest that you look at reverse route injection on your crypto.

Sorry, but I don't have much Cisco experience. How can I achieve this (reverse route injection on the crypto)?

Kind Regards,
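Editor's added example, not a reply from the thread. The posted config uses access-list 101 for two unrelated things: the policy route-map niclan and the PAT statement "ip nat inside source list 101 interface FastEthernet0/1 overload". IOS runs inside-to-outside NAT before it evaluates the crypto map on the outbound interface, so a reply from a host in 10.1.3.0/24 or 10.1.4.0/24 to a VPN client in 10.2.1.0/24 is translated to the FastEthernet0/1 address before encryption, and the client sees a packet that no longer matches its telnet session; hosts outside list 101 are never translated and work. The configuration below shows a NAT exemption for LAN-to-pool traffic (the usual fix for that symptom) and the reverse route injection gmiiller suggested. Interface names, the 10.2.1.0/24 pool, the 10.1.x networks and the dynamic-map and transform-set names are taken from the posted config; the ACL name NAT-INSIDE is an assumed name chosen for this example.

```ios
! Added example (not from the thread). NAT-INSIDE is an assumed ACL name.
!
! 1. Give NAT its own access list so that traffic from the LAN to the VPN
!    client pool is never translated. In a NAT access list, "deny" means
!    "do not translate"; the deny must come before the permits. The PBR
!    route-map niclan keeps using access-list 101 unchanged.
ip access-list extended NAT-INSIDE
 remark LAN to VPN clients: exempt from NAT (deny = no translation)
 deny   ip 10.1.0.0 0.0.255.255 10.2.1.0 0.0.0.255
 remark Internet
 permit ip 10.1.4.0 0.0.0.255 any
 permit ip 10.1.3.0 0.0.0.255 any
!
! Swap the NAT statement over to the new list. IOS refuses to remove a
! dynamic NAT mapping while translations are active, so run
! "clear ip nat translation *" from exec mode first (this drops existing
! NAT sessions, so do it in a maintenance window).
no ip nat inside source list 101 interface FastEthernet0/1 overload
ip nat inside source list NAT-INSIDE interface FastEthernet0/1 overload
!
! 2. Reverse route injection. When a client's IPsec SA comes up, IOS
!    installs a /32 static route for that client's pool address pointing
!    out the crypto-map interface, so the pool address is an explicit
!    route and neither the default route nor "set default interface"
!    is relied on to reach it.
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
```

After a client connects, "show ip route static" should list a /32 for the client's pool address, "show ip nat translations" should show no entries whose destination is 10.2.1.x, and "show crypto ipsec sa" should show both the encaps and decaps counters increasing while the client talks to a host in 10.1.3.0/24 or 10.1.4.0/24. Because the injected /32 is an explicit route, the "set default interface" clause in route-map niclan no longer applies to traffic for connected clients, so the route-map needs no change.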
