cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1482
Views
5
Helpful
3
Replies

ipsec vpn on 2621 router

terry-weyandt
Level 1
Level 1

Check out my second post - I've gotten a little further but still need help

I've got a very basic configuration, and I just added configuration to allow a remote access vpn.

My issue is that I can connect to the VPN but I can't ping others that are connected, I can't ping the router, and I lose my local access to everything. I've figured out that my route table on the client doesn't have an entry for the 10.10.10.0 network, thus the reason why I can't ping anything on that network. I am unsure why I cant ping anything on the vpn ip pool either.
heres a copy of my route table (route print) in windows

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      192.168.1.6     192.168.1.6       1

50.**.***.117 255.255.255.255    192.168.100.1  192.168.100.180      1

        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1

      192.168.1.0    255.255.255.0      192.168.1.6     192.168.1.6       25

      192.168.1.6  255.255.255.255        127.0.0.1       127.0.0.1       25

    192.168.1.255  255.255.255.255      192.168.1.6     192.168.1.6       25

    192.168.100.0    255.255.255.0  192.168.100.180  192.168.100.180      25

    192.168.100.0    255.255.255.0      192.168.1.6     192.168.1.6       25

  192.168.100.122  255.255.255.255  192.168.100.180  192.168.100.180      1

  192.168.100.180  255.255.255.255        127.0.0.1       127.0.0.1       25

  192.168.100.255  255.255.255.255  192.168.100.180  192.168.100.180      25

        224.0.0.0        240.0.0.0      192.168.1.6     192.168.1.6       25

        224.0.0.0        240.0.0.0  192.168.100.180  192.168.100.180      25

  255.255.255.255  255.255.255.255      192.168.1.6     192.168.1.6       1

  255.255.255.255  255.255.255.255  192.168.100.180               3       1

  255.255.255.255  255.255.255.255  192.168.100.180  192.168.100.180      1

Default Gateway:       192.168.1.6

Persistent Routes:

  None

Here's an copy of my config, hopefully someone might be able to help me!

Building configuration...

Current configuration : 2020 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

!

boot-start-marker

boot-end-marker

!

enable secret 5 $**************

!

aaa new-model

!

!

aaa authentication login AAA-VPN local

aaa authorization network AAA-VPN local

aaa session-id common

ip subnet-zero

no ip cef

!

!

ip name-server 75.75.75.75

ip name-server 75.75.75.76

!

ip audit po max-events 100

!

!

!

!

!

!

!

!

!

!

!

!

username ci***** privilege 15 password 7 *************************

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnall

key ******************

dns 4.2.2.2

pool VPNALLPOOL

!

!

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set 3des-sha

!

!

crypto map vpn client authentication list AAA-VPN

crypto map vpn isakmp authorization list AAA-VPN

crypto map vpn client configuration address respond

crypto map vpn 10 ipsec-isakmp dynamic dynmap

!

!

!

!

interface FastEthernet0/0

description *** Outside ***

ip address 50.**.***.117 255.255.255.252

ip nat outside

duplex auto

speed auto

crypto map vpn

!

interface Serial0/0

no ip address

shutdown

!

interface FastEthernet0/1

ip address 10.10.10.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

ip local pool VPNALLPOOL 192.168.1.1 192.168.1.254

ip nat inside source route-map RM-POLICY-NAT interface FastEthernet0/0 overload

ip http server

no ip http secure-server

ip classless

ip route 0.0.0.0 0.0.0.0 50.78.229.118

!

!

!

ip access-list extended ACL-POLICY-NAT

permit ip 10.10.10.0 0.0.0.255 any

deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

ip access-list extended acl_firewall

permit esp any any

permit udp any any eq non500-isakmp

permit udp any any eq isakmp

!

route-map RM-POLICY-NAT permit 10

match ip address ACL-POLICY-NAT

!

!

!

!

!

!

line con 0

line aux 0

line vty 0

password 7 *****************

line vty 1 4

!

!

end

Thank you!

3 Replies 3

Julio Carvajal
VIP Alumni
VIP Alumni

Hello Zac,

Can you change the order of the ACL to the following:

deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 10.10.10.0 0.0.0.255 any

Regards,

Rate if it helps!

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Jcarvaja Thank you

Alright - well I was able to get one of the routes working (my problem was I wasn't split tunneling so ALL of my traffic was trying to go through the router. I only want remote LAN traffic) - But I still can't figure out why I can't get access through the VPN to ping the 10.10.10.0 network. I have a feeling it has to do with an access list. -> maybe I need to add one somewhere?

I need to be able to be on the vpn and have access to the lan behind my router. So ping from the 192 network to the 10 network

Here is my config, my routes, and a route print from my client.

sh run

Building configuration...

Current configuration : 2001 bytes

!

version 12.3

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

!

boot-start-marker

boot-end-marker

!

enable secret 5 jklsefjklsdfsdf

!

aaa new-model

!

!

aaa authentication login AAA-VPN local

aaa authorization network AAA-VPN local

aaa session-id common

ip subnet-zero

no ip cef

!

!

ip name-server 75.75.75.75

ip name-server 75.75.75.76

!

ip audit po max-events 100

!

!

!

!

!

!

!

!

!

!

!

!

username kasdfjklasdf privilege 15 password 7 sdjklsdfjklsdfjklf

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnall

key jkljklsdfjklsdfjklasdf

dns 4.2.2.2

pool VPNALLPOOL

acl SPLIT-TUNNEL

!

!

crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set 3des-sha

!

!

crypto map vpn client authentication list AAA-VPN

crypto map vpn isakmp authorization list AAA-VPN

crypto map vpn client configuration address respond

crypto map vpn 10 ipsec-isakmp dynamic dynmap

!

!

!

!

interface FastEthernet0/0

description *** Outside ***

ip address 50.**.***.117 255.255.255.252

ip nat outside

duplex auto

speed auto

crypto map vpn

!

interface Serial0/0

no ip address

shutdown

!

interface FastEthernet0/1

ip address 10.10.10.1 255.255.255.0

ip nat inside

duplex auto

speed auto

!

ip local pool VPNALLPOOL 192.168.1.1 192.168.1.254

ip nat inside source route-map RM-POLICY-NAT interface FastEthernet0/0 overload

ip http server

no ip http secure-server

no ip classless

ip route 0.0.0.0 0.0.0.0 50.78.229.118

!

!

!

ip access-list extended ACL-POLICY-NAT

deny   9 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 10.10.10.0 0.0.0.255 any

ip access-list extended SPLIT-TUNNEL

!

route-map RM-POLICY-NAT permit 10

match ip address ACL-POLICY-NAT

!

!

!

!

!

!

line con 0

line aux 0

line vty 0

password 7 sdfjklsdfjklsdf

line vty 1 4

!

!

end

Gateway of last resort is 50.**.***.118 to network 0.0.0.0

     50.0.0.0/30 is subnetted, 1 subnets

C       50.**.***.116 is directly connected, FastEthernet0/0

     10.0.0.0/24 is subnetted, 1 subnets

C       10.10.10.0 is directly connected, FastEthernet0/1

S*   0.0.0.0/0 [1/0] via 50.**.***.118

My computers route table (the client) you'll notice I don't have a route to 10.10.10.0 so my computer has no idea how to get there.

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0    192.168.100.1  192.168.100.180      25

50.78.***.117 255.255.255.255    192.168.100.1  192.168.100.180      1

        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1

      192.168.1.0    255.255.255.0     192.168.1.28    192.168.1.28       1

     192.168.1.28  255.255.255.255        127.0.0.1       127.0.0.1       25

    192.168.1.255  255.255.255.255     192.168.1.28    192.168.1.28       25

    192.168.100.0    255.255.255.0  192.168.100.180  192.168.100.180      25

  192.168.100.122  255.255.255.255  192.168.100.180  192.168.100.180      1

  192.168.100.180  255.255.255.255        127.0.0.1       127.0.0.1       25

  192.168.100.255  255.255.255.255  192.168.100.180  192.168.100.180      25

        224.0.0.0        240.0.0.0     192.168.1.28    192.168.1.28       25

        224.0.0.0        240.0.0.0  192.168.100.180  192.168.100.180      25

  255.255.255.255  255.255.255.255     192.168.1.28    192.168.1.28       1

  255.255.255.255  255.255.255.255  192.168.100.180               2       1

  255.255.255.255  255.255.255.255  192.168.100.180  192.168.100.180      1

Default Gateway:     192.168.100.1

I could see you have configured spli tunnel in your configuration

Either remove it from client configuration or configure your split access list . As per your configuration

crypto isakmp client configuration group vpnall

key jkljklsdfjklsdfjklasdf

dns 4.2.2.2

pool VPNALLPOOL

acl SPLIT-TUNNEL

! here you have configured split tunnel and you have not confgigured anything in your split access list

ip access-list extended SPLIT-TUNNEL

So make the following change

=============================

1. In case you want split tunnel and access 10.10.10.0/24 subnet

ip access-list extended SPLIT-TUNNEL

permit ip 10.10.10.0 0.0.0.0.255 192.168.1.0 0.0.0.255

You will be able to access the 10.10.10.0 subnet

2. In case you want tunnel all config

crypto isakmp client configuration group vpnall

no acl SPLIT-TUNNEL

Lety me know if it helps.

Varinder

Regards, Varinder P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: