Cisco Support Community
New Member

2611xm VPN Server to 836 VPN Client network extension

Hello,

Can anyone look at my configuration and tell me what is missing?

- I can ping between the two sites

- I connect to web server from VPN server to VPN client.

- I do not connect to web server from VPN client to VPN server.

*** Client easy vpn config ***

hostname yourname

!

logging queue-limit 100

logging buffered 51200 warnings

!

username sdm privilege 15 password 0 sdm

ip subnet-zero

ip domain name yourdomain.com

ip name-server 10.0.0.6

!

!

crypto ipsec client ezvpn tunel1

connect auto

group xxxxx key xxxxx

mode network-extension

peer 195.23.20.21

!

!

!

interface Ethernet0

ip address 10.10.13.254 255.255.255.0

ip tcp adjust-mss 1452

crypto ipsec client ezvpn tunel1 inside

!

interface BRI0

no ip address

shutdown

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode etsi

!

interface ATM0.3 point-to-point

pvc 0/35

pppoe-client dial-pool-number 1

!

!

interface Dialer2

ip address negotiated

ip mtu 1452

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap pap callin

ppp chap hostname teste

ppp chap password 0 teste

ppp pap sent-username teste

crypto ipsec client ezvpn tunel1

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer2

ip route 10.0.0.0 255.255.255.0 195.23.20.21

!

dialer-list 1 protocol ip permit

!

*** SERVER easy vpn config ***

!

version 12.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname MontiCentral

!

logging queue-limit 100

logging buffered 51200 debugging

logging console critical

enable secret t

!

aaa new-model

!

!

aaa authorization network montisistemas local

aaa session-id common

ip subnet-zero

no ip source-route

ip tcp synwait-time 10

ip cef

!

!

ip domain name montisistemas.com

ip name-server 195.23.129.126

ip name-server 194.79.69.222

!

no ip bootp server

ip audit notify log

ip audit po max-events 100

ip ssh time-out 60

ip ssh authentication-retries 2

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group montisistemas

key sistemasmonti

dns 10.0.0.6

domain montisistemas.com

acl 150

!

!

crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 1

set transform-set transform-1

reverse-route

!

!

crypto map dynmap isakmp authorization list montisistemas

crypto map dynmap client configuration address respond

crypto map dynmap 1 ipsec-isakmp dynamic dynmap

!

!

!

interface ATM0/0

ip route-cache flow

no atm ilmi-keepalive

pvc 0/35

pppoe-client dial-pool-number 1

!

dsl operating-mode etsi

!

interface FastEthernet0/0

description rede interna

ip address 10.0.0.253 255.255.255.0

ip nat inside

ip route-cache flow

duplex auto

speed auto

!

!

interface Dialer1

ip address 195.23.20.21 255.255.255.252

ip mtu 1492

ip nat outside

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer remote-name redback

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname teste1

ppp chap password teste1

ppp pap sent-username teste1

ppp ipcp dns request

ppp ipcp wins request

crypto map dynmap

!

ip nat inside source route-map nonat interface Dialer1 overload

ip http server

ip http authentication local

ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

!

!

!

ip access-list extended UNKNOWN

ip access-list extended console

ip access-list extended dns-servers

ip access-list extended group-lock

ip access-list extended idletime

ip access-list extended service

!

access-list 105 deny ip 10.0.0.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 105 deny ip 10.0.0.0 0.0.0.255 10.10.13.0 0.0.0.255

access-list 105 permit ip 10.0.0.0 0.0.0.255 any

access-list 150 permit ip 10.0.0.0 0.0.0.255 any

access-list 150 permit ip 10.10.13.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

route-map nonat permit 10

match ip address 105

!

!

end

If I put a web server on the client LAN it works fine, but if the server is on the server LAN it does not work.

The ping between the two LANs works fine.

Can you help me find my error?

Regards, Carlos

1 REPLY
New Member

Re: 2611xm VPN Server to 836 VPN Client network extension

Solution:

I recommend adding the following commands to the crypto map related to that connection:

crypto ipsec df-bit clear

Then go to the router interface where the crypto map is applied and put this:

ip mtu 1440

ip tcp adjust-mss 1440

Carlos
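Size arithmetic behind the MTU/MSS advice in the reply above, as an added example that is not part of the original thread: it computes how large a full TCP segment becomes after ESP tunnel-mode encapsulation with the posted transform set (esp-3des esp-sha-hmac) and compares that with the `ip mtu` and `ip tcp adjust-mss` values in the two posted configurations. It assumes IPv4 without options, no NAT-T encapsulation, and that oversized encrypted packets are what stalls the web traffic; the function names are illustrative.

```python
# Added example: ESP tunnel-mode size arithmetic (IPv4, no NAT-T, no IP/TCP options assumed).
IP_HDR = 20       # outer or inner IPv4 header
TCP_HDR = 20
ESP_HDR = 8       # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes, encrypted with the payload
BLOCK_3DES = 8    # 3DES-CBC block size; the IV is one block
ICV_SHA1_96 = 12  # esp-sha-hmac ICV truncated to 96 bits


def esp_tunnel_size(inner_len):
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // BLOCK_3DES) * BLOCK_3DES  # round up to a full block
    return IP_HDR + ESP_HDR + BLOCK_3DES + padded + ICV_SHA1_96


def max_inner_packet(link_mtu):
    """Largest inner IP packet whose ESP packet still fits in link_mtu."""
    inner = link_mtu
    while inner > 0 and esp_tunnel_size(inner) > link_mtu:
        inner -= 1
    return inner


def max_unfragmented_mss(link_mtu):
    """Largest TCP MSS that crosses the tunnel without fragmentation."""
    return max_inner_packet(link_mtu) - IP_HDR - TCP_HDR


def report(name, link_mtu, mss):
    """Summarise one interface: link MTU and the MSS clamp configured for it."""
    inner = mss + IP_HDR + TCP_HDR
    outer = esp_tunnel_size(inner)
    return {"interface": name, "inner": inner, "outer": outer,
            "fits": outer <= link_mtu,
            "max_mss": max_unfragmented_mss(link_mtu)}


if __name__ == "__main__":
    # Values taken from the two configurations in the question.
    for row in (report("server Dialer1", 1492, 1452),
                report("client Dialer2", 1452, 1452)):
        print(row)
```

Small packets such as pings fit under either MTU, which is consistent with ping succeeding while full-size HTTP segments do not get through; with the DF bit cleared, the router may fragment oversized encrypted packets instead of dropping them.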
