Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1371
Views
0
Helpful
2
Replies

IPSEC VPN - no internet traffic

JaredDale
Level 1
Level 1

‎01-21-2014 03:52 AM - edited ‎03-04-2019 10:07 PM

Hello,
I am trying to do the following:

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml#vpn405

I get the VPN established, but cant access internet from my client.
I want to get my public IP on the remote client.

Thanks any help. Have been trying for many hours, failing - so might be some configruation missing og missplaced.

Altibox#sh run

Building configuration...

Current configuration : 4641 bytes

!

! Last configuration change at 11:38:13 UTC Tue Jan 21 2014 by xxxxx

version 15.3

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname Altibox

!

boot-start-marker

boot-end-marker

!

aqm-register-fnf

!

enable secret 4 uL3ahII.qXcmuiG8zcrkZkgNezrXtDCZ.UPBVEbygK2

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login userlist local

aaa authentication enable default enable

aaa authorization exec default local

aaa authorization network default local

aaa authorization network VPNGROUP local

!

!

aaa session-id common

!

!

ip dhcp excluded-address 10.0.0.1 10.0.0.15

!

ip dhcp pool LAN

network 10.0.0.0 255.255.255.0

default-router 10.0.0.1

domain-name xxxx

dns-server x.x.x.3 x.x.x.53

!

!

!

ip cef

no ipv6 cef

!

!

multilink bundle-name authenticated

!

license udi pid C892FSP-K9 sn FCZ173992BG

!        

!

username xxxx privilege 15 secret 4 xxxxxxxxxxxxxxxxxxxxxx

username VPN password 0 vpn

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp nat keepalive 3600

crypto isakmp client configuration address-pool local vpnpool

crypto isakmp xauth timeout 60

!

crypto isakmp client configuration group VPNGROUP

key xxxx

domain xxxx

pool vpnpool

acl 144

!

!

crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac

mode tunnel

!

!

!

crypto dynamic-map dynmap 1

set transform-set transform-1

reverse-route

!

!

crypto map dynmap client authentication list userlist

crypto map dynmap isakmp authorization list VPNGROUP

crypto map dynmap client configuration address respond

crypto map dynmap 1 ipsec-isakmp dynamic dynmap

!

!

interface Loopback0

ip address 10.0.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly in

!

interface GigabitEthernet0

no ip address

!

interface GigabitEthernet1

no ip address

!

interface GigabitEthernet2

no ip address

!

interface GigabitEthernet3

no ip address

!

interface GigabitEthernet4

no ip address

!

interface GigabitEthernet5

no ip address

!

interface GigabitEthernet6

no ip address

!

interface GigabitEthernet7

no ip address

!

interface GigabitEthernet8

no ip address

duplex auto

speed auto

!

interface GigabitEthernet9

description *** Outside ***

ip address dhcp

ip nat outside

ip virtual-reassembly in

ip policy route-map VPN-Client

duplex auto

speed auto

crypto map dynmap

!

interface Vlan1

description *** LAN ***

ip address 10.0.0.1 255.255.255.0

no ip redirects

no ip unreachables

ip directed-broadcast

no ip proxy-arp

ip nat inside

ip virtual-reassembly in max-reassemblies 64

!

ip local pool vpnpool 10.0.1.10 10.0.1.15

ip forward-protocol nd

ip http server

ip http authentication local

no ip http secure-server

!

!

ip nat inside source static tcp 10.0.0.200 80 interface GigabitEthernet9 80

ip nat inside source static tcp 10.0.0.5 8081 interface GigabitEthernet9 8081

ip nat inside source static tcp 10.0.0.5 8080 interface GigabitEthernet9 8080

ip nat inside source static udp 10.0.0.5 8080 interface GigabitEthernet9 8080

ip nat inside source static tcp 10.0.0.253 5002 interface GigabitEthernet9 5002

ip nat inside source static tcp 10.0.0.254 5001 interface GigabitEthernet9 5001

ip nat inside source static tcp 10.0.0.5 1554 interface GigabitEthernet9 1554

ip nat inside source static tcp 10.0.0.5 3389 interface GigabitEthernet9 3389

ip nat inside source static tcp 10.0.0.3 3000 interface GigabitEthernet9 3000

ip nat inside source static tcp 10.0.0.190 3389 interface GigabitEthernet9 4000

ip nat inside source static tcp 10.0.0.3 5000 interface GigabitEthernet9 5000

ip nat inside source static tcp 10.0.0.3 32400 interface GigabitEthernet9 32400

ip nat inside source list 101 interface GigabitEthernet9 overload

ip nat inside source list vpnpool interface GigabitEthernet9 overload

ip route 0.0.0.0 255.255.255.0 xxxxxxxxx

ip route 10.0.1.0 255.255.255.0 Vlan1

ip route 0.0.0.0 0.0.0.0 dhcp

!

!

route-map VPN-Client permit 10

match ip address 144

set ip next-hop 10.0.1.2

!

access-list 101 permit ip any any

access-list 101 deny   ip any any

access-list 144 permit ip 192.168.1.0 0.0.0.255 any

access-list 144 permit ip 10.0.1.0 0.0.0.255 any

!        

!

control-plane

!

!

mgcp behavior rsip-range tgcp-only

mgcp behavior comedia-role none

mgcp behavior comedia-check-media-src disable

mgcp behavior comedia-sdp-force disable

!

mgcp profile default

!

!

line con 0

no modem enable

line aux 0

line vty 0 4

logging synchronous

transport input all

!

scheduler allocate 20000 1000

!

end

Labels:
0 Helpful
2 Replies 2

blau grana
Level 7
Level 7

‎01-25-2014 12:22 AM

Hi Jared,

I am not sure if this is possible with crypto-map configuration. VPN Internet trafffic arrive via outside interface and should be NATed and again send out via outside interface -> this could be problem.

I would suggest to change your configuration and use virtual-template. This article may help you, let me know if you need any help.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/809-cisco-router-vpn-client.html

Best Regards

Please rate all helpful posts and close solved questions

Best Regards Please rate all helpful posts and close solved questions
0 Helpful

pieterh
VIP
VIP
In response to blau grana

‎01-25-2014 09:05 AM

route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.0.1.2

I think there is an error in the example config

I think you need to set the next hop to the routiers loopback adress 10.0.1.1
Not 10.0.1.2, this "network" is not used anywhere in the example, just the loopback interface.

Sent from Cisco Technical Support iPad App

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card