Need VPN help, can't contact remote.

Hello All,

Finally got my VPN to work somewhat.

Set-up:

Cisco 1720 (VPN Endpoint?)  ---> Cisco 2514 --> Cisco VPN client v4

I am able to establish a connection and receive an IP from the local pool on the 1720. I am also able to ping from the 1720 to the VPN client, but not from the client to the internal net of the 1720. I added an ACL to the VPN group for split tunneling. I have also tried this without the 2514 in the way and still get the same results. Any ideas?

Thanks,
GR
GR999Author Commented:
OK, I can ping at the moment, but cannot access services on internal workstations. I checked all ACLs to allow communication back and forth; everything seems fine.


GR
GR999Author Commented:
Here is my config:



aaa new-model
!
! Xauth logins are checked against the local username database; the
! group (mode-config) attributes come from the local client configuration group.
aaa authentication login user local
aaa authorization network group local
aaa session-id common
!
! "password 0" stores the Xauth credential in cleartext in the config.
username vpnuser password 0 password
ip subnet-zero
!
ip name-server y.y.y.y
ip name-server y.y.y.y
ip dhcp database tftp://x.x.1.240/dhcpdata
ip dhcp excluded-address x.x.1.1
!
ip dhcp pool HOME
   network x.x.1.0 255.255.255.0
   dns-server y.y.y.y y.y.y.y
   default-router x.x.1.1
   lease infinite
!
ip audit notify log
ip audit po max-events 100
ip cef
!
! IKE phase 1 for the remote-access clients (pre-shared group key, DH group 2).
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! Group the VPN client connects to: shared group key, pushed DNS servers,
! the address pool, and ACL 102 as the split-tunnel list.
crypto isakmp client configuration group 1720client
 key cisco123
 dns y.y.y.y y.y.y.y
 pool vpnpool
 acl 102
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
! Xauth against list "user", group authorization against list "group",
! mode-config address assignment on request, dynamic map for the clients.
crypto map mymap client authentication list user
crypto map mymap isakmp authorization list group
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
! Outside interface: inbound filter 103, NAT outside, crypto map applied.
interface Ethernet0
 ip address y.y.y.y 255.255.252.0
 ip access-group 103 in
 ip nat outside
 crypto map mymap
!
! Inside LAN.
interface FastEthernet0
 ip address x.x.1.1 255.255.255.0
 ip nat inside
!
! Single-address pool handed to the VPN client.
ip local pool vpnpool x.x.2.21
! PAT for everything matching ACL 1, i.e. all of x.x.1.0/24, including
! replies addressed to the VPN client.
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.y
no ip http server
!
! NAT source list.
access-list 1 permit x.x.1.0 0.0.0.255
! Split-tunnel list: only x.x.1.0/24 <-> the client address goes through the tunnel.
access-list 102 permit ip x.x.1.0 0.0.0.255 host x.x.2.21
! Inbound filter on Ethernet0.
access-list 103 permit ip host x.x.2.21 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any
access-list 103 permit udp host y.y.y.y eq domain any
access-list 103 permit udp host y.y.y.y eq domain any
access-list 103 permit ip host y.y.y.y any
access-list 103 deny   ip any any log
!
end

GR
lrmooreCommented:
You need to change your NAT statement:

>ip nat inside source list 1 interface Ethernet0 overload

To this:
    ip nat inside source route-map no_nat interface Ethernet0 overload

   access-list 101 deny ip x.x.1.0 0.0.0.255 x.x.2.0 0.0.0.255
                         <local net> <wildcard>  <vpnpool> <wildcard>
   access-list 101 permit ip x.x.1.0 0.0.0.255 any

 route-map no_nat permit 10
   match ip address 101

Reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml


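The following is an added illustration of why the route-map fix above works; it is not code from this thread or from Cisco. It re-implements, in plain Python, how IOS evaluates a numbered access list (wildcard masks, first match wins, implicit deny) and how the inside-to-outside NAT decision is made, then runs the thread's three policies over the same packet: a reply from an internal workstation to the VPN client. It also checks the split-tunnel list (ACL 102) and shows what happens if ACL 101 is written with subnet masks instead of wildcard masks. The addresses are constructed for the example: the x.x placeholder is taken as 10.0 (LAN 10.0.1.0/24, client 10.0.2.21) and 198.51.100.7 stands in for an Internet host.

```python
"""Model of the NAT / crypto interaction behind the route-map fix.

Added illustration, not code from the thread or from Cisco. Two IOS
behaviours are re-implemented so the cause of the failure can be checked
offline:

  * numbered access-list evaluation: wildcard masks (0 bit = must match,
    1 bit = don't care), first match wins, implicit deny at the end;
  * the `ip nat inside source list|route-map ... overload` decision: an
    inside->outside packet is translated only when the referenced ACL
    (directly, or via the route-map's `match ip address`) permits it.

Assumed addresses (constructed): x.x -> 10.0, so LAN 10.0.1.0/24, VPN pool
10.0.2.21, and 198.51.100.7 as a stand-in Internet host.
"""
import ipaddress
from dataclasses import dataclass

ANY_ADDR, ANY_WC = "0.0.0.0", "255.255.255.255"   # IOS keyword "any"


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard-mask compare: bits set in the wildcard are ignored."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry. A standard ACL (e.g. 1) has no destination."""
    action: str                 # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = ANY_ADDR
    dst_wc: str = ANY_WC


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry wins; no match means the implicit `deny any`."""
    for ace in acl:
        if (wildcard_match(src, ace.src, ace.src_wc)
                and wildcard_match(dst, ace.dst, ace.dst_wc)):
            return ace.action
    return "deny"


def nat_translates(policy_acl, src: str, dst: str) -> bool:
    """Inside->outside NAT fires only for packets the policy ACL permits.

    Via a route-map, `match ip address 101` has the same effect: a `deny`
    entry in ACL 101 exempts the flow from translation.
    """
    return acl_lookup(policy_acl, src, dst) == "permit"


def reply_reaches_client(policy_acl, lan_host: str, client: str) -> bool:
    """On IOS, inside-to-outside NAT runs before the crypto map is consulted.

    A translated reply carries Ethernet0's public address as its source, so
    it no longer matches the proxy identity negotiated with the VPN client
    (LAN/24 <-> client) and leaves in the clear instead of inside the IPsec
    SA. Only an untranslated reply is encrypted and delivered.
    """
    return not nat_translates(policy_acl, lan_host, client)


# --- the thread's access lists, with 10.0 substituted for x.x -------------
ACL_1 = [Ace("permit", "10.0.1.0", "0.0.0.255")]          # original NAT list

ACL_101 = [                                                # the route-map fix
    Ace("deny", "10.0.1.0", "0.0.0.255", "10.0.2.0", "0.0.0.255"),
    Ace("permit", "10.0.1.0", "0.0.0.255"),
]

# Same intent written with subnet masks instead of wildcard masks, a common
# slip: 255.255.255.0 as a wildcard means "only the last octet must match",
# so 10.0.1.50 -> 10.0.2.21 misses the deny, hits the permit and is NATed.
ACL_101_SUBNET_MASK_SLIP = [
    Ace("deny", "10.0.1.0", "255.255.255.0", "10.0.2.0", "255.255.255.0"),
    Ace("permit", "10.0.1.0", "0.0.0.255"),
]

ACL_102 = [Ace("permit", "10.0.1.0", "0.0.0.255", "10.0.2.21", "0.0.0.0")]  # split tunnel

LAN_HOST, VPN_CLIENT, INTERNET_HOST = "10.0.1.50", "10.0.2.21", "198.51.100.7"


def summary() -> dict:
    """Decisions for the three NAT policies plus the split-tunnel ACL."""
    return {
        "split_tunnel_covers_lan": acl_lookup(ACL_102, LAN_HOST, VPN_CLIENT) == "permit",
        "list_1_reply_reaches_client": reply_reaches_client(ACL_1, LAN_HOST, VPN_CLIENT),
        "route_map_reply_reaches_client": reply_reaches_client(ACL_101, LAN_HOST, VPN_CLIENT),
        "route_map_still_nats_internet": nat_translates(ACL_101, LAN_HOST, INTERNET_HOST),
        "subnet_mask_slip_reply_reaches_client":
            reply_reaches_client(ACL_101_SUBNET_MASK_SLIP, LAN_HOST, VPN_CLIENT),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:40} {value}")
```

Running it shows that with `list 1` every packet from x.x.1.0/24, including the reply to x.x.2.21, is translated and so never enters the tunnel, which matches the symptom in the question (pings from the router work because they are not subject to inside NAT). With the route-map, only the LAN-to-pool flow is exempted and Internet-bound traffic is still PATed; the subnet-mask variant silently fails to exempt anything, which is why the deny line must use 0.0.0.255.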
GR999Author Commented:
Thanks a lot, lrmoore. Works great now. Appreciate all the help!

GR