
New Member

Easy VPN Server setup

I have a Cisco 871 router which is connected to the internet. I would like to allow a few remote users to VPN into the office using the Cisco VPN Client. Currently, I can get the VPN Client to authenticate and connect. However, whenever I try pinging something inside the private network I get a reply from the external IP of the router instead. Here is the config as it stands right now. If anyone can point out what I am doing wrong I would really appreciate it. Thanks!

no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname rtr-test
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxx
!
aaa new-model
!
!
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.201 192.168.0.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.0.0 255.255.255.0
   dns-server 192.168.0.25
   default-router 192.168.0.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name bfloan.com
ip name-server 192.168.0.25
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3716545297
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3716545297
 revocation-check none
 rsakeypair TP-self-signed-3716545297
!
!
username xxxxxxxx privilege 15 password xxxxxxxxxxx
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngate
 key xxxxxxx
 dns 192.168.0.25
 wins 192.168.0.25
 pool ippool
 acl 105
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauth
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $FW_OUTSIDE$$ES_WAN$
 ip address 66.x.x.33 255.255.255.x
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map clientmap
!
interface Dot11Radio0
 no ip address
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool ippool 192.168.100.1 192.168.100.25
ip classless
ip route 0.0.0.0 0.0.0.0 66.4.164.38
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 100 interface FastEthernet4 overload
!
logging trap debugging
access-list 100 remark SDM_ACL Category=2
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh

Accepted Solution
Bronze

Re: Easy VPN Server setup

Your configuration is right; however, you need to do the following:

no access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255

Plz rate if this helps
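To see why the order of the two ACL 100 entries matters, here is a small added example (not from the thread or from Cisco) that evaluates a NAT ACL the way IOS does, first match wins with an implicit deny at the end, against the original and corrected ACL 100 from the posts above; the ACL text is copied from the posts, and the helper names are my own.

```python
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS "any": every address bit is a don't-care


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard: a 0 bit must match, a 1 bit is ignored (0.0.0.255 covers a /24)."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(base)) & care


def parse_ace(line: str):
    """Parse 'access-list N permit|deny ip SRC WC|any DST WC|any' (the form used in the thread)."""
    tok = line.split()
    action, i, addrs = tok[2], 4, []
    for _ in range(2):  # source, then destination
        if tok[i] == "any":
            addrs.append(ANY)
            i += 1
        else:
            addrs.append((tok[i], tok[i + 1]))
            i += 2
    return action, addrs[0], addrs[1]


def acl_action(acl_lines, src: str, dst: str) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    for line in acl_lines:
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue  # remarks and non-ACL lines do not take part in matching
        action, s, d = parse_ace(line)
        if wildcard_match(src, *s) and wildcard_match(dst, *d):
            return action
    return "deny"


def is_natted(nat_acl, src: str, dst: str) -> bool:
    """'ip nat inside source list 100 ...' translates exactly the flows ACL 100 permits."""
    return acl_action(nat_acl, src, dst) == "permit"


# ACL 100 as posted in the question, and as corrected in the accepted answer.
ORIGINAL_NAT_ACL = [
    "access-list 100 remark SDM_ACL Category=2",
    "access-list 100 permit ip 192.168.0.0 0.0.0.255 any",
]
FIXED_NAT_ACL = [
    "access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255",
    "access-list 100 permit ip 192.168.0.0 0.0.0.255 any",
]
# Split-tunnel ACL 105 that group vpngate pushes to the VPN Client.
SPLIT_TUNNEL_ACL = ["access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255"]
```

With the original ACL, a reply from a LAN host to a client in the 192.168.100.0/24 pool matches the permit and is translated to the outside address, which is why the ping reply appeared to come from the router's external IP; with the deny entry placed first, that traffic is left untranslated and goes back through the tunnel while LAN-to-Internet traffic is still overloaded.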

3 REPLIES
New Member

Re: Easy VPN Server setup

BTW ... I think the problem is with NAT ... Everything works fine if I disable NAT on the inside and outside interfaces. However, when NAT is enabled I cannot route into the private LAN when connected via VPN.


New Member

Re: Easy VPN Server setup

Perfect! That did it. Thanks for pointing that out.
