cancelar
Mostrar resultados para 
Pesquisar em vez de 
Queria dizer: 
Comunicados
Bem-vindo à Comunidade de Suporte da Cisco, gostaríamos de ter seus comentários.
New Member

VPN on ISR 1802

Olá,

Será possível configurar o router ISR 1802 com VPN, em que este equipamento possa autenticar e autorizar os utilizador sem necessitar de um elemento como  por exemplo Cisco VPN 3000?

Será possível usar AD (Windows Autthentication) ou RADIUS para autenticar os utilizadores por VPN em vez do Cisco VPN 3000? E neste caso como configurar o router?

Obrigado,

António

Marcas (1)
2 SOLUÇÕES ACEITES

Soluções aceites

Re: VPN on ISR 1802

Usually business class DSL service IP address do not change even though this IP address is assigned dynamically. The ISP register or reserve the given public IP they assign on your DSL connection to your DSL account, so that it is easier accounting for the ISP, therefore you will always receives the same IP address from DSL PPPoE connection with a DSL Service provider even after rebooting the router. This is true in Canada with some of the ISP I have dealt with.

So, you may check with your local ISP, whether this is the case with your business class DSL service on your branch router.

If this is case with your local ISP, then you should change public IP address to reflect your public IP address on the ACL 101 and apply it on the dialer interface as facing "in"

As with Firewall inspection, try avoid inspecting traffic on both direction and stick with only for going outside as "ip inspect FW out" and for the inside traffic coming in, use the ACL 101 instead.

I hope that helps.

Thanks

Rizwan Rafeek

Re: VPN on ISR 1802

   Olá Antonio

Apenas escolha as respostas que vc considerou como a correta e clique no botão Resposta correta.


Não esqueça de Avaliar as respostas, utilizando as Estrelas

Cheers Bruno Rangel Please remember to rate helpful responses using the stars bellow and identify helpful or correct answers .
66 RESPOSTAS

VPN on ISR 1802

Can you speak English, so someone can help you here?

Are you looking for VPN Server with Windows Radius authentication on ISR router 1802 ?

New Member

VPN on ISR 1802

Hi,

I have one ISR 1802 and need to connect VPN through the ISR. The router can performance the VPN with authentication without Cisco VPN 3000 concentrator or another hardware and software? Can I use the authentication of RADIUS instead of Cisco VPN 3000 concentrator?

I read the chapter 6 - Configuring a VPN Using Easy VPN and an IPSec Tunnel, but the question is: can I replace the Cisco VPN 3000 concentrator for RAIUS (w2K8)? If so, the users (clients) what kind of software need to use to connect?

Thanks in advanced,

António

VPN on ISR 1802

Yes, the router can send vpn authentication to a Radius Sever and can function as a VPN server without an external concentrator involve.

"can I replace the Cisco VPN 3000 concentrator for RAIUS (w2K8)?"

Sure you can, I do not see a reason why you cannot.

New Member

VPN on ISR 1802

Can you provide a peace of configuration how to do a router be a VPN server without an external concentrator involve?

If I want to use the RADIUS (w2k8), the clients what kind of software need to use to connect?

Thanks,

VPN on ISR 1802

Sure, I can help you with config but you have to give me about an hour, as I am helping someone else for the time being.

your users can use Cisco standard vpn client.

New Member

Re: VPN on ISR 1802

Thank you.

The foloow figure show, in a easy way what are need.

About the software Cisco standard VPN Client, I think the user can use! How much that it cost?

Thank you.

VPN on ISR 1802

Your attached image is not clear at all.

So, please change the IP schema to reflect your network setup.

-------------------------------------------------------------------------------------------------------------------------

aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local
aaa authorization network ANTONIO-router-ADMIN local


ip local pool VPN-POOL 192.168.0.11 192.168.0.254


ip access-list extended SPLIT-TUNNEL
permit ip 10.100.100.0 0.255.255.255 192.168.0.0 0.0.0.255

!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2

!
crypto isakmp client configuration group ANTONIO-EMPLOYEES
key ANTONIO-PASSWORD
domain ANTONIO.COM
pool VPN-POOL
acl SPLIT-TUNNEL
save-password
!
!

crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNA-CRYPTO 1
set transform-set ESP-AES-128-SHA
reverse-route

!
!
crypto map OUTSIDE-CRYTPO client authentication list ANTONIO-RADIUS-AUTHENTICATION
crypto map OUTSIDE-CRYTPO isakmp authorization list ANTONIO-router-ADMIN
crypto map OUTSIDE-CRYTPO client configuration address respond
crypto map OUTSIDE-CRYTPO 1 ipsec-isakmp dynamic DYNA-CRYPTO


interface FastEthernet0/0
description MY OUTSIDE INTERFACE
ip address xxx.xxx.xxx.xxx 255.255.255.224
crypto map OUTSIDE-CRYTPO
ip nat outside


interface FastEthernet0/1
description MY INSIDE INTERFACE
ip address 10.100.100.2 255.255.255.0
ip virtual-reassembly
speed 100
full-duplex
ip nat inside


ip radius source-interface FastEthernet0/1

radius-server host 10.100.100.100 auth-port 1812 acct-port 1812 key ANTONIO-PASSWORD-KEY

ip access-list extended PAT_ACL
deny   ip 10.100.100.0 0.0.255.255 192.168.0.0 0.0.0.255


ip nat inside source list PAT_ACL interface FastEthernet0/0 overload

-------------------------------------------------------------------------------------------------------------------------

Thanks

Rizwan Rafeek

New Member

Re: VPN on ISR 1802

Sorry about the image.

You assume my network was 10.100.100.0/24 (actually it is 192.168.30.0/24).

deny ip 10.100.100.0 0.0.255.255 192.168.0.0 0.0.0.255

Why you have the line?

permit ip 10.100.100.0 0.255.255.255 192.168.0.0 0.0.0.255

What does this line?

Thank you.

VPN on ISR 1802

When your inside network traffic and vpn-client traffic hit the router, it must go through the crypto engine.

Therefore, you tell the router to not to Pat-over-load this traffic (destine to and from) between these two network segments, so that this traffic will go via the crypto engine instead.

deny ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255

Thanks

Rizwan Rafeek

New Member

Re: VPN on ISR 1802

Can you tell me where Is define this 2 variable, ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN?

One of them can be

radius-server host 10.100.100.100 auth-port 1812 acct-port 1812 key ANTONIO-PASSWORD-KEY

Thank you.

Re: VPN on ISR 1802

all three are globle commands.

Define a method and apply the method on the static crypto.

aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local

now apply it on the static crypto.

crypto map OUTSIDE-CRYTPO client authentication list ANTONIO-RADIUS-AUTHENTICATION

same applied to this as well.
aaa authorization network ANTONIO-router-ADMIN local

" One of them can be

radius-server host 10.100.100.100 auth-port 1812 acct-port 1812 key ANTONIO-PASSWORD-KEY"

In the radius-server host, is where you tell the router, the ip address of the MS Radius Server and key(i.e. password) to communicate the Raduis Server.

New Member

Re: VPN on ISR 1802

Hi,

With line (*) when the RADIUS is not available I cannot access to the router (even I local configure a username and a password).

(*) aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local

If I change for

aaa authentication login default local group rad_admin

with

aaa group server radius rad_admin

server 192.168.30.1 auth-port 1812 acct-port 1813

Can I access to the VPN (with RADIUS available) and access to the router?

Thank you.

Re: VPN on ISR 1802

For router administration you have set this up for using local account on the router "aaa authorization network ANTONIO-router-ADMIN local"

Even without VPNing you should be able to telnet or ssh to your router with your local account on the router.

"With line (*) when the RADIUS is not available I cannot access to the router (even I local configure a username and a password)."

If your radius is not available, it will fall back onto local user account.

as we have set below.

aaa authentication login ANTONIO-RADIUS-AUTHENTICATION group radius local.

New Member

Re: VPN on ISR 1802

Hi,

I’m sorry to be annoying, but where is the code that represents the variable ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN?

For example, could be ANTONIO-RADIUS-AUTHENTICATION

aaa group server radius ANTONIO-RADIUS-AUTHENTICATION

server 192.168.30.1 auth-port 1812 acct-port 1813

And ANTONIO-router-ADMIN if is local, how I define it?

Thank you.

Re: VPN on ISR 1802

"I’m sorry to be annoying, but where is the code that represents the variable ANTONIO-RADIUS-AUTHENTICATION and ANTONIO-router-ADMIN?"

Read my 4th posting from the top, they are defined in the very first and second line.

Port is 1812, not 1813.

radius-server host 192.168.30.1 auth-port 1812 acct-port 1812 key your-password-goes-here

Thanks

Rizwan Rafeek

Re: VPN on ISR 1802

at last please rate any help post on this thread.

New Member

Re: VPN on ISR 1802

Hi,

I didn’t have the time to apply the solution that you gave me.

However, I thank you to the availability and all enlightenment.

António

New Member

Re: VPN on ISR 1802

Hi,

With the scenario in the image, the PC with 172.16.50.1 is windows 7, with windows VPN set up, and the above configuration (by Rizwan Rafeek)

When I try to connect to the router through VPN the follow message appears.

On the router the message is

001002: *Jan 31 18:31:57.609: %CRYPTO-4-IKMP_NO_SA: IKE message from 172.16.50.1 has no SA and is not an initialization offer

I have a w2k8 with NPS configuration to accept connect to VPN. And with the user used no logging appears on security logs.

Can I use the windows configuration to connect via VPN?

If so, what is missing to complete the connection?

If not, what can I do?

Thanks,

António

Re: VPN on ISR 1802

Please use, Cisco VPN client.

New Member

Re: VPN on ISR 1802

Hi,

I download the version 5.0.07.0290 Cisco System VPN Client 64bit, and install without firewall.

I configure the F0 of router ISR 1802 with IP address 172.16.50.1/24.

I configure the local interface of my laptop with 172.16.50.200/24 and no gateway (and later more with gateway 172.16.50.1).

The configurations of VPN client are

I suppose that the Group Authentication is the user and password in RADIUS in my w2k8.

And after a one minute the results is this message:

What is missing?

Thank you,

António

Re: VPN on ISR 1802

Well, use login name without FQDN, i.e. just a username without @srv-teste.local

that doesn't help, copy your config on the forum.

New Member

Re: VPN on ISR 1802

Hi,

The result it is the same.

The configuration of router is attached.

Thanks,

António

VPN on ISR 1802

Please remove highlighted line:

no ip nat inside source list ACL_de_Rede_Interna interface FastEthernet0 overload

Please fix this ACL, the PAT_ACL only for pat overload but nothing else it does.  So, you will have network 30, 31, 33, 34 will be pat overloaded to interface Fa/0

ip access-list extended PAT_ACL
  deny ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.0.255
  permit ip 192.168.30.0 0.0.0.255 any
  permit ip 192.168.31.0 0.0.0.255 any
  permit ip 192.168.33.0 0.0.0.255 any
  permit ip 192.168.34.0 0.0.0.255 any

Be sure to have a static route on your inside network to push "192.168.0.0 255.255.255.0" to router's inside ip address.

Thanks

Rizwan Rafeek

New Member

Re: VPN on ISR 1802

Hi,

I try to configure the router with all the change that is indicated, but there was no success to configure the router to be a VPN Server with RADIUS.

Then I tried a different thing, i.e., configure the router with VPN server with authentication an authorization local.

Inside everything is operational, but when I try to connect to my VPN server there is no answer (with the same configuration of VPN client, outside gateway 172.16.50.1).

What is missing?

Thanks,

António

The configuration is :

no service pad

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

service sequence-numbers

!

hostname MyLab-router

!

boot-start-marker

boot-end-marker

!

logging buffered 16384 debugging

!

username admin privilege 15 password 7

username x1x secret 5

clock summer-time WET recurring last Sun Mar 2:00 last Sun Oct 2:00

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

aaa new-model

!

!

aaa authentication login default local

aaa authentication login VPNclient local

aaa authorization exec default local

aaa authorization network LOCALgroups local

aaa session-id common

ip subnet-zero

!

!

ip cef

ip dhcp excluded-address 192.168.30.254

ip dhcp excluded-address 192.168.30.1

ip dhcp excluded-address 192.168.30.220 192.168.30.229

!

ip dhcp pool DHCP-vlan1

   network 192.168.30.0 255.255.255.0

   domain-name dados-MyLab.pt

   dns-server 192.168.30.254

   default-router 192.168.30.254

   lease 1 0 1

!        

!

ip domain name MyLab.pt

ip ips po max-events 100

login block-for 60 attempts 3 within 15

login on-failure

login on-success

no ftp-server write-enable

!

!

!

spanning-tree portfast bpduguard

archive

log config

logging enable

logging size 1000

!

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp keepalive 20 3

!

crypto isakmp client configuration group engineering

key engine123

pool MyPool

!

!

crypto ipsec transform-set ClientTransform esp-aes esp-sha-hmac

!

crypto dynamic-map dyn_map 10

set transform-set ClientTransform

reverse-route

!

!

crypto map MyMap client authentication list VPNclient

crypto map MyMap isakmp authorization list LOCALgroups

crypto map MyMap client configuration address respond

crypto map MyMap 1000 ipsec-isakmp dynamic dyn_map

!

!

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

dsl operating-mode auto

!

interface BRI0

no ip address

shutdown

!

interface FastEthernet0

description Internet Connection

ip address 172.16.50.1 255.255.255.0

no ip unreachables

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

crypto map MyMap

!

interface FastEthernet1

description Dados+Wifi

switchport access vlan 1

no ip address

!        

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

!

interface FastEthernet5

no ip address

!

interface FastEthernet6

no ip address

!

interface FastEthernet7

no ip address

!

interface FastEthernet8

description Trunk-Rede Interna

switchport mode trunk

no ip address

!        

interface Vlan1

description Local LAN

ip address 192.168.30.254 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip local pool MyPool 192.168.30.200 192.168.30.219

ip classless

!

ip dns server

!

ip http server

no ip http secure-server

ip nat inside source list SPLITEremote interface FastEthernet0 overload

!

ip access-list extended SPLITEremote

permit ip 192.168.30.0 0.0.0.255 any

!

!

!

!        

!

control-plane

!

banner motd ^C

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

|                                                                  * \

*                       MyLab   /   Portugal                       | *

|       ----------------------------------------------             * |

*                             Router                               | *

|                          Cisco 1802                             * |

*       ----------------------------------------------             | *

|   ---         UNAUTHORIZED ACCESS DENIED!           ---         * |

*   --- Entradas nao autorizadas sao punidas por lei ---        | *

|                                                                   * |

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* *

\                                                                   \ |

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-^C

!

line con 0

line aux 0

line vty 0 4

exec-timeout 5 0

password 7

line vty 5 15

exec-timeout 5 0

password 7

!

no scheduler allocate

end

Re: VPN on ISR 1802

Well, there are number of things you did not pay attention. Things I mentioned on my 4th and 5th post.

If I were you, I would put Remote VPN users' IP range into a separate subnet rather than making VPN users’ subnet same as internal network segment.

Just make it simple, so put your Remote VPN users’ subnet into a separate subnet different from your internal network, I break it into subnets.

ip access-list extended PAT_ACL

deny ip 192.168.30.128 0.0.0.31 any

permit ip 192.168.30.0 0.0.0.127 any

ip nat inside source list PAT_ACL interface FastEthernet0 overload

ip radius source-interface FastEthernet0/1

interface Vlan1

ip address 192.168.30.1 255.255.255.128

ip local pool MyPool 192.168.30.129 192.168.30.158

ip dhcp pool DHCP-vlan1

   network 192.168.30.0 255.255.255.128

   domain-name dados-MyLab.pt

   dns-server 192.168.30.126

   default-router 192.168.30.1

   lease 1 0 1

ip access-list extended SPLITEremote

permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31

ip dhcp excluded-address 192.168.30.1

no ip dhcp excluded-address 192.168.30.254

no ip dhcp excluded-address 192.168.30.220 192.168.30.229

Ask questions and please understand syntax.

thanks

Rizwan Rafeek

New Member

Re: VPN on ISR 1802

Hi Rizwan Rafeek,

First all, thank you for your response.

OK, I will put the VPN user’s in different IP rang (another IP address).

But with the syntax (see below)

ip access-list extended SPLITEremote

deny ip 192.168.30.128 0.0.0.31 any ! here deny all traffic from 192.168.30.129 to 254 to anywhere, because this is the VPN user’s poll address

permit ip 192.168.30.0 0.0.0.127 any ! here permit all traffic from 192.168.30.1 to 126 to anywhere, because this is the inside user’s poll address

ip access-list extended SPLITEremote

permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31 ! here permit the traffic between then 192.168.30.1 to 126 to 192.168.30.129 to 254, but this line this is implicit in line above, correct?

However, with all of this configuration I have no RADIUS to authentication and authorization, this will be locally.

So what is wrong? Because I cannot have connection when I’m outside.

Thanks,

António

Re: VPN on ISR 1802

ip access-list extended SPLITEremote

permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31

The ACL "SPLITEremote" is only used for spliting the tunnel, otherwise all traffic internal network traffic (and including internet web-browsing) from vpn client will fall into vpn tunnel.  By spliting the tunnel, only internal network traffic will fall into vpn tunnel.

Now PAT_ACL.

 

ip access-list extended PAT_ACL

deny ip 192.168.30.128 0.0.0.31 any

permit ip 192.168.30.0 0.0.0.127 any

This PAT_ACL used only for PAT overload, it is forcing VPN tunnel bound traffic to go via the crypto engine instead of being PAT overloaded for accessing internet.

So, please stick with this ACL one below.

ip access-list extended PAT_ACL

deny ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31

permit ip 192.168.30.0 0.0.0.127 any

thanks

Rizwan Rafeek

New Member

Re: VPN on ISR 1802

Hi,

The follow picture illustrates the scenario.

And with this configuration

no service pad

service timestamps debug datetime msec localtime

service timestamps log datetime msec localtime

service password-encryption

service sequence-numbers

!

hostname MyLab-router

!

boot-start-marker

boot-end-marker

!

logging buffered 16384 debugging

!

username admin privilege 15 password 7

username x1x secret 5

clock summer-time WET recurring last Sun Mar 2:00 last Sun Oct 2:00

mmi polling-interval 60

no mmi auto-configure

no mmi pvc

mmi snmp-timeout 180

aaa new-model

!

!

aaa authentication login default local

aaa authentication login VPNclient local

aaa authorization exec default local

aaa authorization network LOCALgroups local

aaa session-id common

ip subnet-zero

!

!

ip cef

ip dhcp excluded-address 192.168.30.1

!

ip dhcp pool DHCP-vlan1

   network 192.168.30.0 255.255.255.128

   domain-name dados-MyLab.pt

   dns-server 192.168.30.126

   default-router 192.168.30.1

   lease 1 0 1

!

!

ip domain name MyLab.pt

ip ips po max-events 100

login block-for 60 attempts 3 within 15

login on-failure

login on-success

no ftp-server write-enable

!

!

!

spanning-tree portfast bpduguard

archive

log config

logging enable

logging size 1000

!

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp keepalive 20 3

!

crypto isakmp client configuration group engineering

key engine123

pool MyPool

!

!

crypto ipsec transform-set ClientTransform esp-aes esp-sha-hmac

!

crypto dynamic-map dyn_map 10

set transform-set ClientTransform

reverse-route

!

!

crypto map MyMap client authentication list VPNclient

crypto map MyMap isakmp authorization list LOCALgroups

crypto map MyMap client configuration address respond

crypto map MyMap 1000 ipsec-isakmp dynamic dyn_map

!

!

!

interface ATM0

no ip address

shutdown

no atm ilmi-keepalive

dsl operating-mode auto

!

interface BRI0

no ip address

shutdown

!

interface FastEthernet0

description Internet Connection

ip address 172.16.50.1 255.255.255.0

no ip unreachables

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

no cdp enable

crypto map MyMap

!

interface FastEthernet1

description Dados+Wifi

switchport access vlan 1

no ip address

!

interface FastEthernet2

no ip address

!

interface FastEthernet3

no ip address

!

interface FastEthernet4

no ip address

!

interface FastEthernet5

no ip address

!

interface FastEthernet6

no ip address

!

interface FastEthernet7

no ip address

!

interface FastEthernet8

description Trunk-Rede Interna

switchport mode trunk

no ip address

!

interface Vlan1

description Local LAN

ip address 192.168.30.1 255.255.255.128

ip nat inside

ip virtual-reassembly

!

ip local pool MyPool 192.168.30.129 192.168.30.158

ip classless

!

ip dns server

!

ip http server

no ip http secure-server

ip nat inside source list PAT_ACL interface FastEthernet0 overload

!

ip access-list extended PAT_ACL

deny   ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31

permit ip 192.168.30.0 0.0.0.127 any

ip access-list extended SPLITEremote

permit ip 192.168.30.0 0.0.0.127 192.168.30.128 0.0.0.31

!

!

!

!

!

control-plane

!

banner motd ^C

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

|                                                                   * \

*                       MyLab   /   Portugal                       | *

|       ----------------------------------------------             * |

*                             Router                               | *

|                           Cisco 1802                             * |

*       ----------------------------------------------             | *

|   ---         UNAUTHORIZED ACCESS DENIED!           ---         * |

*   --- Entradas nao autorizadas sao punidas por lei ---         | *

|                                                                   * |

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-* *

\                                                                   \ |

*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-

^C

!

line con 0

line aux 0

line vty 0 4

exec-timeout 5 0

password 7

line vty 5 15

exec-timeout 5 0

password 7

!

no scheduler allocate

end

The results it’s the same, as before. Outside of router (through the fastEthernet 0) I cannot connect the VPN, with the configuration of Feb 1, 2012 post (but with different user and subnet mask of course).

What’s missing? Can you help me solve this?

Thnaks,

António

Re: VPN on ISR 1802

"What’s missing?" one below is...

ip radius source-interface FastEthernet0/1

Are you able to access the internet from inside the network, you answer is "yes" ?

then add the above line (ip radius source-interface FastEthernet0/1) and try it.

If you cannot access the internet from inside, then there is a NAT is missing in the "Dados+Wifi" cloud.

Or you can try this instead.

try this, connect your router interface to a switch "interface FastEthernet0" and connect a PC with a VPN client to same switch and give the PC an IP address from same range 172.16.50.100 /24 and then try VPN in from outside while connected the same switch.

Let me know.

thanks

4603
Apresentações
51
Kudo
66
Respostas