Cisco Support Community

VPN - Client to 1700 problems

Hello all, I have been pulling out my hair over this.

This is my first attempt at creating a VPN from a client (3.5 and 4) to a head end device (in this instance a 1701 router).

I am connecting between two routable addresses. Transparency over UDP is enabled (not sure if this is even needed).

The VPN tunnel is created successfully, and authentication is fine.

However, the VPN client status reflects that:

Transparent Tunneling: Inactive (although that is selected to UDP)

Tunnel Port: 0

Local LAN Access: Disabled (although this is selected)

The client does receive an IP address from the address pool (should this address be part of the private network?)

I do not have split tunneling enabled because traffic flow is not needed out of the LAN to LAN tunnel (is this correct?)

I have removed the access-list from the dialer interface - no joy.

I have posted my config - any ideas... please???

Building configuration...

Current configuration : 2835 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname XX_GTW
!
logging queue-limit 100
no logging console
enable password 7 1506121C017973
!
username XXXXX password xxxxx
username XXX password xxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network default local
aaa session-id common
ip subnet-zero
!
!
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXX
 key 0 TXX
 pool VPNCLIENT
!
!
crypto ipsec transform-set shtset esp-3des esp-sha-hmac
!
crypto dynamic-map shtdynamic 10
 set transform-set shtset
!
!
crypto map shtmap client authentication list userauthen
crypto map shtmap isakmp authorization list default
crypto map shtmap client configuration address respond
crypto map shtmap 10 ipsec-isakmp dynamic shtdynamic
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface BRI0
 no ip address
 shutdown
!
interface FastEthernet0
 ip address 192.177.125.254 255.255.255.0
 ip access-group 120 out
 speed auto
!
interface Dialer1
 ip address 71.137.245.100 255.255.255.0
 ip access-group 110 in
 encapsulation ppp
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname XXXXX@XXX.btclick.com
 ppp chap password xxxxx
 crypto map shtmap
!
ip local pool XXXXX 192.77.125.160 192.77.125.162
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.177.125.211 5900 71.137.245.100 5900 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
!
ip access-list extended Fast
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended save-password
ip access-list extended service
ip access-list extended timeout
ip access-list extended tty6
ip access-list extended tunnel-password
ip access-list extended wins-servers
access-list 1 permit 192.177.125.0 0.0.0.255
access-list 110 permit esp 191.66.16.0 0.0.0.255 any
access-list 110 permit udp 191.66.16.0 0.0.0.255 eq isakmp any
access-list 110 permit tcp 191.66.16.0 0.0.0.255 host 71.137.245.100 eq telnet
access-list 110 permit ip 192.77.125.0 0.0.0.255 any
access-list 120 permit tcp any host 192.177.125.211 eq 5900
!
radius-server authorization permit missing Service-Type
!
line con 0
 exec-timeout 120 0
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 password xxxx
!
no scheduler allocate
!
end

SHT_GTW#

1 REPLY

Re: VPN - Client to 1700 problems

The no-NAT statement is missing.

no access-list 1 permit 192.177.125.0 0.0.0.255
no ip nat inside source list 1 interface Dialer1 overload
access-list 102 deny ip 192.177.125.0 0.0.0.255 host 192.77.125.160
access-list 102 deny ip 192.177.125.0 0.0.0.255 host 192.77.125.161
access-list 102 deny ip 192.177.125.0 0.0.0.255 host 192.77.125.162
access-list 102 permit ip 192.177.125.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 102

ip nat inside source route-map nonat interface Dialer1 overload
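
An added example (not part of the thread and not Cisco code) that checks a configuration for the condition the reply addresses: a dynamic NAT rule whose ACL still matches traffic from the inside LAN to the VPN client pool. It assumes numbered ACLs only (1-99 standard, 100-199 extended), evaluates only `ip` entries of extended ACLs, and follows only `permit` route-map sequences; the function names are illustrative.

```python
# Added example; helper names are illustrative and not from any Cisco tool.
import ipaddress

ANY = (0, 0xFFFFFFFF)                       # (base, wildcard) pair matching every address
def ip_int(a): return int(ipaddress.IPv4Address(a))

def addr_spec(tok):                         # any | host A | A WILDCARD -> (spec, remaining tokens)
    if tok[0] == "any":
        return ANY, tok[1:]
    if tok[0] == "host":
        return (ip_int(tok[1]), 0), tok[2:]
    return (ip_int(tok[0]), ip_int(tok[1])), tok[2:]

def parse(cfg):
    acls, pools, rmaps, nat, cur = {}, [], {}, [], None
    for t in (line.split() for line in cfg.splitlines()):
        if t[:1] == ["access-list"] and int(t[1]) < 100:     # assumed: 1-99 standard, source only
            acls.setdefault(t[1], []).append((t[2], addr_spec(t[3:])[0], ANY))
        elif t[:1] == ["access-list"] and t[3] == "ip":      # assumed: extended, `ip` entries only
            src, rest = addr_spec(t[4:])
            acls.setdefault(t[1], []).append((t[2], src, addr_spec(rest)[0]))
        elif t[:3] == ["ip", "local", "pool"]:
            pools.append((ip_int(t[4]), ip_int(t[-1])))
        elif t[:1] == ["route-map"]:                         # assumed: permit sequences only
            cur = t[1] if t[2] == "permit" else None
        elif t[:3] == ["match", "ip", "address"] and cur:
            rmaps.setdefault(cur, []).extend(t[3:])
        elif t[:4] == ["ip", "nat", "inside", "source"] and t[4] in ("list", "route-map"):
            nat.append((t[4], t[5]))
    return acls, pools, rmaps, nat

def permits(acl, src, dst):                 # first matching entry wins, implicit deny at the end
    return next((a == "permit" for a, (sb, sw), (db, dw) in acl
                 if (src | sw) == (sb | sw) and (dst | dw) == (db | dw)), False)

def natted_pool_addrs(cfg, inside_host):    # pool addresses dynamic NAT would still translate towards
    acls, pools, rmaps, nat = parse(cfg)
    nums = [n for kind, name in nat for n in ([name] if kind == "list" else rmaps.get(name, []))]
    return [str(ipaddress.IPv4Address(a)) for lo, hi in pools for a in range(lo, hi + 1)
            if any(permits(acls.get(n, []), ip_int(inside_host), a) for n in nums)]

# Constructed inputs: NAT-related lines copied from the question (BEFORE) and the reply (AFTER).
POOL = "ip local pool XXXXX 192.77.125.160 192.77.125.162\n"
BEFORE = POOL + ("access-list 1 permit 192.177.125.0 0.0.0.255\n"
                 "ip nat inside source list 1 interface Dialer1 overload\n")
AFTER = POOL + "".join(f"access-list 102 deny ip 192.177.125.0 0.0.0.255 host 192.77.125.{h}\n"
                       for h in (160, 161, 162)) + (
    "access-list 102 permit ip 192.177.125.0 0.0.0.255 any\nroute-map nonat permit 10\n"
    " match ip address 102\nip nat inside source route-map nonat interface Dialer1 overload\n")
```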
