08.23.2007 at 08:21AM PDT, ID: 22782490

Configuring Cisco VPN Client on IOS using Active Directory Authentication

Tags: cisco, vpn, client, active, directory
Hi

We have a Cisco 1841 configured for VPN using the Microsoft L2TP/IPSec connection.  This is working at the moment but we want to move over to using the Cisco VPN Client.  

I have the Cisco VPN Client authenticating against our Active Directory, it updates the routing table of the local machine for the 2 networks we have but when you try to ping or connect to any of the hosts behind the Cisco it returns the Public IP address.  So if I ping 192.168.0.20 it replies with the public IP address.

Below is a copy of our config with the passwords and IP addresses removed.  Any help would be greatly appreciated.

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname cisco1841
!
boot-start-marker
boot system flash c1841-advsecurityk9-mz.124-16.bin
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 warnings
no logging console
enable secret 5 #########
!
aaa new-model
!
!
aaa authentication login default group radius local
aaa authentication login CONSOLE local
aaa authentication login userauthen group radius
aaa authentication ppp default group radius local
aaa authorization exec default none
aaa authorization network default if-authenticated
aaa authorization network groupauthor local
!
aaa session-id common
no ip source-route
no ip cef
!
!
ip inspect tcp idle-time 28800
ip inspect name outbound cuseeme
ip inspect name outbound h323
ip inspect name outbound netshow
ip inspect name outbound rcmd
ip inspect name outbound realaudio
ip inspect name outbound rtsp
ip inspect name outbound sqlnet
ip inspect name outbound streamworks
ip inspect name outbound tftp
ip inspect name outbound tcp
ip inspect name outbound vdolive
ip inspect name outbound icmp
no ip dhcp conflict logging
!
!
no ip bootp server
ip domain name domain.local
ip name-server 192.168.0.20
ip name-server 192.168.0.21
vpdn enable
vpdn logging
!
vpdn-group dsi-remote
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 local name Teleworker
 no l2tp tunnel authentication
 ip mtu adjust
!
!
async-bootp dns-server 192.168.0.20
async-bootp nbns-server 192.168.0.20
!
!
!
username admin privilege 15 secret 5 ################
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key ################## address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60
!
crypto isakmp client configuration group vpngroup
 key ##################
 dns 192.168.0.20 192.168.0.21
 domain domain.local
 pool ippool
 acl VPN-Split-Tunnel
!
!
crypto ipsec transform-set sitevpn esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dmap 10
 set transform-set sitevpn
!
!
crypto map clientmap client authentication list default
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dmap
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 ip address 192.168.0.253 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1298
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address PublicIP1 255.255.255.240
 ip access-group Firewall in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect outbound in
 ip inspect outbound out
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 no mop enabled
 crypto map clientmap
!
interface ATM0/0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Virtual-Template1
 ip unnumbered FastEthernet0/0
 no ip redirects
 no ip unreachables
 peer default ip address dhcp
 ppp authentication ms-chap-v2 ms-chap callin
!
ip local pool ippool 10.1.1.1 10.1.1.254
ip route 0.0.0.0 0.0.0.0 next-hop
ip route 192.168.254.0 255.255.255.0 192.168.0.254
!
ip http server
ip http secure-server
ip nat inside source list NAT_RULE interface FastEthernet0/1 overload
ip nat inside source static 192.168.0.26 PublicIP2 extendable
!
ip access-list extended Firewall
 permit tcp any host PublicIP2 eq smtp
 permit tcp any host PublicIP2 eq www
 permit tcp any host PublicIP2 eq 443
 remark vpn
 permit udp any eq isakmp host PublicIP1 eq isakmp
 permit esp any host PublicIP1
 permit gre any any
 permit udp any host PublicIP1 eq isakmp
 permit udp any host PublicIP1 eq non500-isakmp
 permit udp any host PublicIP1 eq 1701
 remark ping allow rule
 permit icmp any PublicRange 0.0.0.15 echo
 permit icmp any PublicRange 0.0.0.15 echo-reply
 permit icmp any PublicRange 0.0.0.15 time-exceeded
 permit icmp any PublicRange 0.0.0.15 unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip host 0.0.0.0 any
 deny   ip any any log
ip access-list extended NAT_RULE
 deny   tcp host 192.168.0.26 eq smtp any
 deny   tcp host 192.168.0.26 eq www any
 deny   tcp host 192.168.0.26 eq 443 any
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended VPN-Split-Tunnel
 permit ip 192.168.0.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.254.0 0.0.0.255 10.0.0.0 0.255.255.255
!
!
radius-server host 192.168.0.21 auth-port 1812 acct-port 1813 key #######
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 login authentication CONSOLE
!
scheduler allocate 20000 1000
end
Question Stats
Zone: Networking
Question Asked By: chrismenear
Solution Provided By: llyquid
Participating Experts: 1
Solution Grade: A
Views: 55
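The symptom in the question (a ping to 192.168.0.20 from a VPN client answered from the router's public address) is consistent with the LAN's replies toward the VPN pool being caught by the overload NAT statement: NAT_RULE ends with "permit ip 192.168.0.0 0.0.0.255 any", and the pool 10.1.1.1-10.1.1.254 falls inside "any", so nothing exempts LAN-to-pool traffic from translation. The accepted solution is behind the paywall and is not visible on this page, so what follows is an added diagnostic check, not the answer llyquid gave. It is a small Python evaluator for IOS extended ACLs that parses the NAT ACL and the local pool out of a config excerpt and reports whether replies from a LAN host to the pool would be translated; the two excerpts are constructed from the posted config, the "deny ip ... 10.1.1.0 0.0.0.255" exemption line is a hypothetical correction added for contrast, and port qualifiers ("eq smtp") are skipped rather than evaluated, which is a simplification that does not affect the ICMP check.

```python
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Constructed excerpt built from the ACL, pool and NAT statement posted in the question.
CONFIG_AS_POSTED = """
ip local pool ippool 10.1.1.1 10.1.1.254
ip nat inside source list NAT_RULE interface FastEthernet0/1 overload
ip access-list extended NAT_RULE
 deny   tcp host 192.168.0.26 eq smtp any
 deny   tcp host 192.168.0.26 eq www any
 deny   tcp host 192.168.0.26 eq 443 any
 permit ip 192.168.0.0 0.0.0.255 any
"""

# Same excerpt with a hypothetical NAT exemption for LAN -> VPN pool traffic
# placed ahead of the permit (added here for contrast; not from the page).
CONFIG_WITH_EXEMPTION = """
ip local pool ippool 10.1.1.1 10.1.1.254
ip nat inside source list NAT_RULE interface FastEthernet0/1 overload
ip access-list extended NAT_RULE
 deny   ip 192.168.0.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny   tcp host 192.168.0.26 eq smtp any
 deny   tcp host 192.168.0.26 eq www any
 deny   tcp host 192.168.0.26 eq 443 any
 permit ip 192.168.0.0 0.0.0.255 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


class Ace(NamedTuple):
    action: str                  # "permit" or "deny"
    proto: str                   # "ip", "tcp", "udp", "icmp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an IOS-style wildcard (hostmask) in the 2-tuple form.
    return ipaddress.ip_network((tok, tokens[i + 1]), strict=False), i + 2


def _skip_ports(tokens: List[str], i: int) -> int:
    """Skip an optional port qualifier; ports are deliberately not evaluated."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    return i


def parse_acl(config: str, name: str) -> List[Ace]:
    """Return the ACEs of the named extended ACL, in configured order."""
    aces: List[Ace] = []
    in_acl = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == name
            continue
        if not in_acl or not line or line.startswith("remark"):
            continue
        if not raw.startswith(" "):      # an unindented line ends the ACE block
            in_acl = False
            continue
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _parse_addr(t, 2)
        i = _skip_ports(t, i)            # source port qualifier, e.g. "eq smtp"
        dst, _ = _parse_addr(t, i)
        aces.append(Ace(action, proto, src, dst))
    return aces


def parse_pool(config: str, name: str) -> Optional[Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]]:
    """Return (first, last) of 'ip local pool NAME FIRST LAST', or None."""
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+) (\S+)", config, re.M)
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))


def nat_applies(aces: List[Ace], src: str, dst: str, proto: str) -> bool:
    """First-match evaluation with IOS's implicit deny; True means the flow is translated."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return ace.action == "permit"
    return False


def vpn_pool_exempt(config: str, acl_name: str, pool_name: str, lan_host: str) -> bool:
    """True if replies from lan_host to the first, middle and last pool address escape NAT."""
    aces = parse_acl(config, acl_name)
    pool = parse_pool(config, pool_name)
    if pool is None:
        raise ValueError(f"pool {pool_name} not found")
    first, last = pool
    middle = ipaddress.ip_address(int(first) + (int(last) - int(first)) // 2)
    return not any(nat_applies(aces, lan_host, str(a), "icmp") for a in (first, middle, last))


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("with exemption", CONFIG_WITH_EXEMPTION)):
        verdict = "exempt from" if vpn_pool_exempt(cfg, "NAT_RULE", "ippool", "192.168.0.20") else "rewritten by"
        print(f"{label}: LAN replies to the VPN pool are {verdict} NAT")
```

Run against the posted excerpt the check reports that replies from 192.168.0.20 to every pool address are translated, which is exactly the "reply comes from the public IP" behaviour described; with a deny for the pool ahead of the final permit they are not, while ordinary LAN-to-Internet traffic is still translated. The evaluator ignores port qualifiers, so port-qualified TCP ACEs are treated as matching the whole protocol; that is fine for the ICMP question here but would need extending before reusing it on the Firewall ACL.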