Remote Access VPN Not Connecting

DOUGLAS DRURY
Level 1

Hi All,

I've tried to configure a remote access VPN; however, I'm having some trouble getting a successful connection.  When I try to connect using the Cisco VPN client, it tries to connect after I enter my username and password but doesn't connect.  Below is my config.  Any questions, please ask.

Thanks

Doug

 

TS-RT-PHD-01#sh run br
Building configuration...

Current configuration : 3037 bytes
!
! Last configuration change at 18:16:28 UTC Tue Apr 15 2014 by tsadmin
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname TS-RT-PHD-01
!
boot-start-marker
boot-end-marker
!
!
enable secret 4 sii94NGY12oyst/3n4bnmySHfE/PcvkoNt83rjGoB8I
!
aaa new-model
!
!
aaa authentication login VPNUSERSAUTH local
aaa authorization network VPNUSERS local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1949736083
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1949736083
 revocation-check none
 rsakeypair TP-self-signed-1949736083
!
!
crypto pki certificate chain TP-self-signed-1949736083
 certificate self-signed 01
!
!
!
!


!
!
!
!
ip domain name tekserv.local
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO887VA-SEC-K9 sn FCZ181070DN
!
!
username TSADMIN privilege 15 secret 4 uPZOF4WNwQLxItezL1tN0tQfJdHHF1lVqEc1jJRdRJM
username DOUG secret 4 yB/GHNjx1QvOLWFpeTQUmsWmeP4srUhae4JMIe8AGkY
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 7
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPNUSERS
 key <Key Removed>
 pool VPN-POOL
 acl ACL-SPLIT-VPN
!
!
crypto ipsec transform-set PHIL ah-md5-hmac esp-aes esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map VPNDYNMAP 1
 set transform-set PHIL
 reverse-route
!
!
crypto map MAP-OUTSIDE client authentication list VPNUSERSAUTH
crypto map MAP-OUTSIDE isakmp authorization list VPNUSERS
crypto map MAP-OUTSIDE client configuration address respond
crypto map MAP-OUTSIDE 6500 ipsec-isakmp dynamic VPNDYNMAP
!
!
!
!
!
interface Ethernet0
 no ip address
 shutdown
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <Removed>
 ppp chap password 0 <Removed>
 crypto map MAP-OUTSIDE
!
ip local pool VPN-POOL 10.1.74.5 10.1.74.250
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended ACL-SPLIT-VPN
 permit ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
!
!
end

TS-RT-PHD-01#

3 Replies

cisco.met.co.uk
Level 1

I would first remove the VPN pool from being included in NAT.

ip access-list extended NAT
 deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
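
The effect of the NAT exemption suggested in the reply above, as an added example that is not part of the original thread: a small first-match evaluator for the `NAT` ACL that lists which `VPN-POOL` addresses would still be translated. The inside host 192.168.1.10 is a constructed sample, and only `permit|deny ip` entries without ports are handled.

```python
import ipaddress
import re

# Constructed inputs: pool and NAT ACL lines copied from the thread (before/after the reply's change).
POOL = "ip local pool VPN-POOL 10.1.74.5 10.1.74.250"
ACL_BEFORE = "ip access-list extended NAT\n permit ip 192.168.1.0 0.0.0.255 any\n"
ACL_AFTER = ("ip access-list extended NAT\n"
             " deny ip 192.168.1.0 0.0.0.255 10.1.74.0 0.0.0.255\n"
             " permit ip 192.168.1.0 0.0.0.255 any\n")

def parse_spec(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return ((base, wildcard), remaining tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    base, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (base, wild), tokens[2:]

def matches(spec, addr):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(addr) & care) == (base & care)

def parse_acl(text):
    """Return [(action, src_spec, dst_spec)] for each indented permit/deny ip entry."""
    entries = []
    for line in text.splitlines():
        m = re.match(r"\s+(permit|deny)\s+ip\s+(.*)", line)
        if m:
            src, rest = parse_spec(m.group(2).split())
            dst, _ = parse_spec(rest)
            entries.append((m.group(1), src, dst))
    return entries

def first_match(entries, src, dst):
    """ACLs are evaluated top-down; the first matching entry decides."""
    for action, s, d in entries:
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"  # implicit deny at the end of every ACL

def natted_pool_addresses(acl_text, pool_line, inside_host="192.168.1.10"):
    """Pool addresses for which inside_host -> client traffic would still be NATed."""
    entries = parse_acl(acl_text)
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in pool_line.split()[-2:])
    src = ipaddress.IPv4Address(inside_host)
    return [str(ipaddress.IPv4Address(n)) for n in range(lo, hi + 1)
            if first_match(entries, src, ipaddress.IPv4Address(n)) == "permit"]
```

Because evaluation stops at the first match, the `deny` only exempts the pool when it sits above the broad `permit`.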

Thanks for getting back to me.  I've made the change to the access list but still can't connect.

Start with some debugging on the Cisco VPN client.

Does it pass the authentication process? Debug on the client for authentication and router.

Is it traffic that is not traversing? Debug on the router.

Although not an advocate of the SDM, here is a link

http://www.cisco.com/c/en/us/support/docs/cloud-systems-management/router-security-device-manager/70374-router-remotevpn-sdm.html

Although it does not include the NAT parts.