04-15-2014 11:29 AM - edited 02-21-2020 07:36 PM
Hi All,
I've tried to configure a remote access VPN; however, I'm having some trouble getting a successful connection. When I try and connect using the Cisco VPN client, it tries to connect after I enter my username and password but doesn't connect. Below is my config. Any questions, please ask.
Thanks
Doug
TS-RT-PHD-01#sh run br
Building configuration...
Current configuration : 3037 bytes
!
! Last configuration change at 18:16:28 UTC Tue Apr 15 2014 by tsadmin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TS-RT-PHD-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 sii94NGY12oyst/3n4bnmySHfE/PcvkoNt83rjGoB8I
!
aaa new-model
!
!
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1949736083
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1949736083
revocation-check none
rsakeypair TP-self-signed-1949736083
!
!
crypto pki certificate chain TP-self-signed-1949736083
certificate self-signed 01
!
!
!
!
!
!
!
!
ip domain name tekserv.local
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ181070DN
!
!
username TSADMIN privilege 15 secret 4 uPZOF4WNwQLxItezL1tN0tQfJdHHF1lVqEc1jJRdRJM
username DOUG secret 4 yB/GHNjx1QvOLWFpeTQUmsWmeP4srUhae4JMIe8AGkY
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNUSERS
key <Key Removed>
pool VPN-POOL
acl ACL-SPLIT-VPN
!
!
crypto ipsec transform-set PHIL ah-md5-hmac esp-aes esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map VPNDYNMAP 1
set transform-set PHIL
reverse-route
!
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 6500 ipsec-isakmp dynamic VPNDYNMAP
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <Removed>
ppp chap password 0 <Removed>
crypto map MAP-OUTSIDE
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ACL-SPLIT-VPN
permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
ip access-list extended NAT
permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
!
end
TS-RT-PHD-01#
04-16-2014 06:24 AM
I would first remove the VPN pool from being included in NAT.
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
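The effect of that deny entry, as an added example that is not part of the reply above: a small first-match evaluator for the NAT access list referenced by `ip nat inside source list NAT interface Dialer0 overload`. The ACL text is taken from this thread; the function names, the sample host addresses and the misordered variant are constructed for illustration.

```python
import ipaddress

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_acl(text):
    """Parse IOS 'permit|deny ip <src> <dst>' entries into (action, src, dst)."""
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
            continue  # skips the 'ip access-list extended ...' header
        rest, specs = tok[2:], []
        while rest:
            if rest[0] == "any":
                spec, used = (0, 0xFFFFFFFF), 1
            elif rest[0] == "host":
                spec, used = (_ip(rest[1]), 0), 2
            else:  # address followed by a wildcard mask
                spec, used = (_ip(rest[0]), _ip(rest[1])), 2
            specs.append(spec)
            rest = rest[used:]
        rules.append((tok[0], specs[0], specs[1]))
    return rules

def _match(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (_ip(addr) & care) == (base & care)

def is_translated(rules, src, dst):
    """True if the first matching entry is a permit (packet gets NATed)."""
    for action, s, d in rules:
        if _match(src, s) and _match(dst, d):
            return action == "permit"
    return False  # implicit deny at the end of every ACL

# ACL as posted in the original config, and as suggested in the reply.
ORIGINAL_NAT = "ip access-list extended NAT\n permit ip 192.168.1.0 0.0.0.255 any"
FIXED_NAT = ("ip access-list extended NAT\n"
             " deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255\n"
             " permit ip 192.168.1.0 0.0.0.255 any")
# Constructed: same entries in the wrong order, so the deny is never reached.
MISORDERED_NAT = ("permit ip 192.168.1.0 0.0.0.255 any\n"
                  "deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255")
```

With the original list, replies from a LAN host to a VPN pool address are translated to the Dialer0 address; with the suggested list they are exempt, but only when the deny precedes the permit.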
04-16-2014 06:38 AM
Thanks for getting back to me. I've made the change to the access list but still can't connect.
04-16-2014 08:07 AM
Start with some debugging on the Cisco VPN client.
Does it pass the authentication process? - debug on the client for authentication and router
Is it traffic that is not traversing? debug on the router
Although not an advocate of the SDM, here is a link
http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/router-security-device-manager/70374-router-remotevpn-sdm.html
Although it does not include the NAT parts.