Solved

Need VPN help, can't contact remote.

Posted on 2004-09-04
Last Modified: 2010-04-12
Hello All,

Finally got my VPN to work somewhat.

Set-up:

Cisco 1720 (VPN Endpoint?)  ---> Cisco 2514 --> Cisco VPN client v4

I am able to establish a connection and receive an IP from the local pool on the 1720. I am also able to ping from the 1720 to the VPN client, but not from the client to the internal net of the 1720. I added an ACL to the VPN group for split tunneling. I have also tried this without the 2514 in the way and still get the same results. Any ideas?

Thanx,
GR
Question by:GR999

Author Comment

by:GR999
ID: 11980613
OK, I can ping at the moment, but cannot access services on internal workstations. Checked all ACLs to allow comm back and forth, everything seems fine.


GR
Author Comment

by:GR999
ID: 11981360
Here is my config:

!
aaa new-model
!
aaa authentication login user local
aaa authorization network group local
aaa session-id common
!
username vpnuser password 0 password
ip subnet-zero
!
ip name-server y.y.y.y
ip name-server y.y.y.y
ip dhcp database tftp://x.x.1.240/dhcpdata
ip dhcp excluded-address x.x.1.1
!
ip dhcp pool HOME
   network x.x.1.0 255.255.255.0
   dns-server y.y.y.y y.y.y.y
   default-router x.x.1.1
   lease infinite
!
ip audit notify log
ip audit po max-events 100
ip cef
!
! Phase 1 (ISAKMP) policy and the group the Cisco VPN client users join
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 1720client
 key cisco123
 dns y.y.y.y y.y.y.y
 pool vpnpool
 acl 102
!
! Phase 2 (IPsec) transform set and dynamic crypto map for remote-access clients
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map mymap client authentication list user
crypto map mymap isakmp authorization list group
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address y.y.y.y 255.255.252.0
 ip access-group 103 in
 ip nat outside
 crypto map mymap
!
interface FastEthernet0
 ip address x.x.1.1 255.255.255.0
 ip nat inside
!
! Pool handed to VPN clients. NAT translates everything access-list 1 matches,
! which includes LAN traffic whose destination is the VPN client's pool address
ip local pool vpnpool x.x.2.21
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.y
no ip http server
!
! NAT source list
access-list 1 permit x.x.1.0 0.0.0.255
!
! Split-tunnel ACL pushed to the client: only LAN-to-client traffic goes through the tunnel
access-list 102 permit ip x.x.1.0 0.0.0.255 host x.x.2.21
!
! Inbound filter on the outside interface
access-list 103 permit ip host x.x.2.21 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any
access-list 103 permit udp host y.y.y.y eq domain any
access-list 103 permit udp host y.y.y.y eq domain any
access-list 103 permit ip host y.y.y.y any
access-list 103 deny   ip any any log
!
end


GR
Accepted Solution

by:
lrmoore earned 250 total points
ID: 11982205
You need to change your NAT statement:

>ip nat inside source list 1 interface Ethernet0 overload

To this:
    ip nat inside source route-map no_nat interface Ethernet0 overload

    ! wildcard masks (0.0.0.255), not subnet masks; deny = do not translate
    access-list 101 deny ip x.x.1.0 0.0.0.255  x.x.2.0  0.0.0.255
                           <local net> <wildcard> <vpnpool> <wildcard>
    access-list 101 permit ip x.x.1.0 0.0.0.255 any

    route-map no_nat permit 10
      match ip address 101

Reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml



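To verify that the route-map exemption behaves as lrmoore describes before loading it on a router, here is an added Python model of how IOS evaluates that ACL for the NAT decision; it is not code from the thread or from Cisco, and the 10.10.1.0/24 LAN and 10.10.2.0/24 pool are constructed stand-ins for the anonymized x.x.1.0 and x.x.2.0 networks. It goes one step beyond the thread by also modelling the same ACL typed with subnet masks in the wildcard position, to show that such an entry stops matching the LAN hosts at all.

```python
import ipaddress
# Constructed sample standing in for the thread's anonymized addresses: 10.10.1.0/24
# is the LAN behind FastEthernet0, 10.10.2.0/24 the VPN pool. Wildcard masks, as IOS expects.
NO_NAT_ACL = """
access-list 101 deny   ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
"""
# The same ACL typed with subnet masks in the wildcard-mask position.
BAD_MASK_ACL = """
access-list 101 deny   ip 10.10.1.0 255.255.255.0 10.10.2.0 255.255.255.0
access-list 101 permit ip 10.10.1.0 255.255.255.0 any
"""

def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[i:i + 2])
    return (net, wildcard), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst) tuples."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((tokens[2], src, dst))
    return entries

def _matches(addr, spec):
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # wildcard 1-bits mean "don't care"
    return addr & care == net & care

def acl_action(entries, src_ip, dst_ip):
    """First-match evaluation, ending in the implicit deny of every IOS ACL."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, src, dst in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"

def will_be_natted(acl_text, src_ip, dst_ip):
    """Under 'ip nat inside source route-map no_nat ...' only ACL-permitted flows are translated."""
    return acl_action(parse_acl(acl_text), src_ip, dst_ip) == "permit"
```

With the correct masks, LAN-to-pool traffic is left untranslated while Internet-bound traffic is still NATed; with subnet masks in the wildcard position, a LAN host such as 10.10.1.50 matches neither line, so even its Internet traffic is no longer translated.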
Author Comment

by:GR999
ID: 11984455
Thanks a lot lrmoore. Works great now. Appreciate all the help!

GR