02-09-2012 04:20 PM - edited 02-21-2020 05:52 PM
Check out my second post - I've gotten a little further but still need help
I've got a very basic configuration, and I just added configuration to allow a remote access vpn.
My issue is that I can connect to the VPN but I can't ping others that are connected, I can't ping the router, and I lose my local access to everything. I've figured out that my route table on the client doesn't have an entry for the 10.10.10.0 network, thus the reason why I can't ping anything on that network. I am unsure why I can't ping anything on the VPN IP pool either.
Here's a copy of my route table (route print) in Windows:
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.1.6 192.168.1.6 1
50.**.***.117 255.255.255.255 192.168.100.1 192.168.100.180 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.6 192.168.1.6 25
192.168.1.6 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.6 192.168.1.6 25
192.168.100.0 255.255.255.0 192.168.100.180 192.168.100.180 25
192.168.100.0 255.255.255.0 192.168.1.6 192.168.1.6 25
192.168.100.122 255.255.255.255 192.168.100.180 192.168.100.180 1
192.168.100.180 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.100.255 255.255.255.255 192.168.100.180 192.168.100.180 25
224.0.0.0 240.0.0.0 192.168.1.6 192.168.1.6 25
224.0.0.0 240.0.0.0 192.168.100.180 192.168.100.180 25
255.255.255.255 255.255.255.255 192.168.1.6 192.168.1.6 1
255.255.255.255 255.255.255.255 192.168.100.180 3 1
255.255.255.255 255.255.255.255 192.168.100.180 192.168.100.180 1
Default Gateway: 192.168.1.6
Persistent Routes:
None
Here's a copy of my config; hopefully someone might be able to help me!
Building configuration...
Current configuration : 2020 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
enable secret 5 $**************
!
aaa new-model
!
!
aaa authentication login AAA-VPN local
aaa authorization network AAA-VPN local
aaa session-id common
ip subnet-zero
no ip cef
!
!
ip name-server 75.75.75.75
ip name-server 75.75.75.76
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username ci***** privilege 15 password 7 *************************
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnall
key ******************
dns 4.2.2.2
pool VPNALLPOOL
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set 3des-sha
!
!
crypto map vpn client authentication list AAA-VPN
crypto map vpn isakmp authorization list AAA-VPN
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
description *** Outside ***
ip address 50.**.***.117 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map vpn
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip local pool VPNALLPOOL 192.168.1.1 192.168.1.254
ip nat inside source route-map RM-POLICY-NAT interface FastEthernet0/0 overload
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 50.78.229.118
!
!
!
ip access-list extended ACL-POLICY-NAT
permit ip 10.10.10.0 0.0.0.255 any
deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended acl_firewall
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
!
route-map RM-POLICY-NAT permit 10
match ip address ACL-POLICY-NAT
!
!
!
!
!
!
line con 0
line aux 0
line vty 0
password 7 *****************
line vty 1 4
!
!
end
Thank you!
02-09-2012 05:09 PM
Hello Zac,
Can you change the order of the ACL to the following:
deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
Regards,
Rate if it helps!
Julio
02-10-2012 10:46 AM
Jcarvaja Thank you
Alright - well, I was able to get one of the routes working (my problem was I wasn't split tunneling, so ALL of my traffic was trying to go through the router; I only want remote LAN traffic), but I still can't figure out why I can't get access through the VPN to ping the 10.10.10.0 network. I have a feeling it has to do with an access list -> maybe I need to add one somewhere?
I need to be able to be on the VPN and have access to the LAN behind my router. So, ping from the 192 network to the 10 network.
Here is my config, my routes, and a route print from my client.
sh run
Building configuration...
Current configuration : 2001 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
enable secret 5 jklsefjklsdfsdf
!
aaa new-model
!
!
aaa authentication login AAA-VPN local
aaa authorization network AAA-VPN local
aaa session-id common
ip subnet-zero
no ip cef
!
!
ip name-server 75.75.75.75
ip name-server 75.75.75.76
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username kasdfjklasdf privilege 15 password 7 sdjklsdfjklsdfjklf
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnall
key jkljklsdfjklsdfjklasdf
dns 4.2.2.2
pool VPNALLPOOL
acl SPLIT-TUNNEL
!
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set 3des-sha
!
!
crypto map vpn client authentication list AAA-VPN
crypto map vpn isakmp authorization list AAA-VPN
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
description *** Outside ***
ip address 50.**.***.117 255.255.255.252
ip nat outside
duplex auto
speed auto
crypto map vpn
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
duplex auto
speed auto
!
ip local pool VPNALLPOOL 192.168.1.1 192.168.1.254
ip nat inside source route-map RM-POLICY-NAT interface FastEthernet0/0 overload
ip http server
no ip http secure-server
no ip classless
ip route 0.0.0.0 0.0.0.0 50.78.229.118
!
!
!
ip access-list extended ACL-POLICY-NAT
deny 9 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended SPLIT-TUNNEL
!
route-map RM-POLICY-NAT permit 10
match ip address ACL-POLICY-NAT
!
!
!
!
!
!
line con 0
line aux 0
line vty 0
password 7 sdfjklsdfjklsdf
line vty 1 4
!
!
end
Gateway of last resort is 50.**.***.118 to network 0.0.0.0
50.0.0.0/30 is subnetted, 1 subnets
C 50.**.***.116 is directly connected, FastEthernet0/0
10.0.0.0/24 is subnetted, 1 subnets
C 10.10.10.0 is directly connected, FastEthernet0/1
S* 0.0.0.0/0 [1/0] via 50.**.***.118
My computer's route table (the client). You'll notice I don't have a route to 10.10.10.0, so my computer has no idea how to get there.
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.100.1 192.168.100.180 25
50.78.***.117 255.255.255.255 192.168.100.1 192.168.100.180 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.1.0 255.255.255.0 192.168.1.28 192.168.1.28 1
192.168.1.28 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.1.255 255.255.255.255 192.168.1.28 192.168.1.28 25
192.168.100.0 255.255.255.0 192.168.100.180 192.168.100.180 25
192.168.100.122 255.255.255.255 192.168.100.180 192.168.100.180 1
192.168.100.180 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.100.255 255.255.255.255 192.168.100.180 192.168.100.180 25
224.0.0.0 240.0.0.0 192.168.1.28 192.168.1.28 25
224.0.0.0 240.0.0.0 192.168.100.180 192.168.100.180 25
255.255.255.255 255.255.255.255 192.168.1.28 192.168.1.28 1
255.255.255.255 255.255.255.255 192.168.100.180 2 1
255.255.255.255 255.255.255.255 192.168.100.180 192.168.100.180 1
Default Gateway: 192.168.100.1
02-10-2012 11:45 AM
I could see you have configured split tunnel in your configuration.
Either remove it from the client configuration or configure your split access list. As per your configuration:
crypto isakmp client configuration group vpnall
key jkljklsdfjklsdfjklasdf
dns 4.2.2.2
pool VPNALLPOOL
acl SPLIT-TUNNEL
! Here you have configured split tunnel, and you have not configured anything in your split access list
ip access-list extended SPLIT-TUNNEL
So make the following change
=============================
1. In case you want split tunnel and access to the 10.10.10.0/24 subnet:
ip access-list extended SPLIT-TUNNEL
permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
You will be able to access the 10.10.10.0 subnet.
2. In case you want a tunnel-all config:
crypto isakmp client configuration group vpnall
no acl SPLIT-TUNNEL
Let me know if it helps.
Varinder
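As an added example that is not part of the thread (the sample config is constructed, not the poster's), a small Python lint over an IOS excerpt that catches both misconfigurations diagnosed above: the empty SPLIT-TUNNEL ACL Varinder points out, and a policy-NAT ACL whose deny for the VPN pool either comes after the broad permit (Julio's point) or does not match protocol ip. It assumes show-run formatting, with ACL entries indented by one space.

```python
import re
from ipaddress import IPv4Address, IPv4Network
# Constructed IOS excerpt in the shape of the thread's config (not the poster's full config): the split-tunnel
# ACL exists but is empty, and the policy-NAT deny matches protocol 9 instead of ip.
SAMPLE_CONFIG = """\
ip local pool VPNALLPOOL 192.168.1.1 192.168.1.254
crypto isakmp client configuration group vpnall
 acl SPLIT-TUNNEL
ip access-list extended ACL-POLICY-NAT
 deny 9 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip access-list extended SPLIT-TUNNEL
route-map RM-POLICY-NAT permit 10
 match ip address ACL-POLICY-NAT
"""

def parse_acls(config):
    """Map each extended ACL name to its entries (token lists); indented permit/deny lines belong to the ACL above."""
    acls, current = {}, None
    for line in config.splitlines():
        if line.startswith("ip access-list extended "):
            current = line.split()[3]
            acls[current] = []
        elif line.startswith(" ") and current and line.split()[0] in ("permit", "deny"):
            acls[current].append(line.split())
        elif not line.startswith(" "):
            current = None
    return acls
def covers_pool(entry, pool_ends):
    # Destination address/wildcard (tokens 4 and 5) must contain both pool ends; ipaddress reads IOS wildcards as hostmasks.
    return len(entry) >= 6 and all(IPv4Address(a) in IPv4Network(f"{entry[4]}/{entry[5]}", strict=False) for a in pool_ends)
def lint(config):
    findings, acls = [], parse_acls(config)
    # 1. A split-tunnel ACL referenced by a client group must have entries, or the client learns no LAN route.
    for name in re.findall(r"^\s+acl (\S+)", config, re.M):
        if not acls.get(name):
            findings.append(f"split-tunnel ACL {name} has no entries: clients get no route to the LAN")
    # 2. The NAT ACL's deny for the VPN pool must match protocol 'ip' and precede the broad permit.
    pool, nat_acl = re.search(r"ip local pool \S+ (\S+) (\S+)", config), re.search(r"^\s+match ip address (\S+)", config, re.M)
    if pool and nat_acl:
        entries = acls.get(nat_acl.group(1), [])
        deny = [i for i, e in enumerate(entries) if e[0] == "deny" and covers_pool(e, pool.groups())]
        permit = [i for i, e in enumerate(entries) if e[0] == "permit" and e[-1] == "any"]
        if not deny:
            findings.append("NAT ACL never exempts traffic to the VPN pool, so it is NATed to the outside address")
        elif entries[deny[0]][1] != "ip":
            findings.append(f"NAT exemption denies protocol {entries[deny[0]][1]!r}, not 'ip'")
        elif permit and permit[0] < deny[0]:
            findings.append("'permit ... any' precedes the pool deny, so VPN traffic is still NATed")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to see both findings; feeding it the corrected ACLs from the replies returns an empty list.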