Solved

Need VPN help, can't contact remote.

Posted on 2004-09-04
Last Modified: 2010-04-12
Hello All,

Finally got my vpn to work somewhat.

Set-up:

Cisco 1720 (VPN Endpoint?)  ---> Cisco 2514 --> Cisco VPN client v4

I am able to establish a connection and receive an IP from the local pool on the 1720. I am also able to ping from the 1720 to the VPN client, but not from the client to the internal net of the 1720. I added an ACL to the VPN group for split tunneling. I have also tried this without the 2514 in the way and still get the same results. Any ideas?

Thanx,
GR
Question by:GR999
4 Comments
Author Comment

by:GR999
ID: 11980613
Ok, I can ping at the moment, but I cannot access services on internal workstations. I checked all ACLs to allow communication back and forth; everything seems fine.


GR

Author Comment

by:GR999
ID: 11981360
Here is my config:



aaa new-model
!
!
aaa authentication login user local
aaa authorization network group local
aaa session-id common

!
username vpnuser password 0 password
ip subnet-zero
!
!
ip name-server y.y.y.y
ip name-server y.y.y.y
ip dhcp database tftp://x.x.1.240/dhcpdata
ip dhcp excluded-address x.x.1.1
!
ip dhcp pool HOME
   network x.x.1.0 255.255.255.0
   dns-server y.y.y.y y.y.y.y
   default-router x.x.1.1
   lease infinite
!
ip audit notify log
ip audit po max-events 100
ip cef
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 1720client
 key cisco123
 dns y.y.y.y y.y.y.y
 pool vpnpool
 acl 102
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map mymap client authentication list user
crypto map mymap isakmp authorization list group
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
interface Ethernet0
 ip address y.y.y.y 255.255.252.0
 ip access-group 103 in
 ip nat outside
 crypto map mymap
!
interface FastEthernet0
 ip address x.x.1.1 255.255.255.0
 ip nat inside
!
ip local pool vpnpool x.x.2.21
ip nat inside source list 1 interface Ethernet0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 y.y.y.y
no ip http server
!
!
access-list 1 permit x.x.1.0 0.0.0.255

access-list 102 permit ip x.x.1.0 0.0.0.255 host x.x.2.21

access-list 103 permit ip host x.x.2.21 any
access-list 103 permit tcp any any established
access-list 103 permit icmp any any
access-list 103 permit udp host y.y.y.y eq domain any
access-list 103 permit udp host y.y.y.y eq domain any
access-list 103 permit ip host y.y.y.y any
access-list 103 deny   ip any any log

end

GR

Accepted Solution

by: lrmoore earned 250 total points
ID: 11982205
You need to change your nat statement:

>ip nat inside source list 1 interface Ethernet0 overload

To this:
    ip nat inside source route-map no_nat interface Ethernet0 overload

   ! IOS extended ACLs take wildcard masks (0 = must match, 1 = don't care),
   ! so the /24 networks are written as 0.0.0.255, not 255.255.255.0
   access-list 101 deny ip x.x.1.0 0.0.0.255  x.x.2.0  0.0.0.255
                                  <local IP> <wildcard>  <vpnpool> <wildcard>
   access-list 101 permit ip x.x.1.0 0.0.0.255 any

 route-map no_nat permit 10
   match ip address 101

Reference:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml


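The NAT exemption lrmoore describes, worked through as an added example that is not part of the thread: a small Python model of IOS wildcard-mask matching and first-match ACL evaluation, applied to the original `access-list 1` NAT rule and to the route-map version. The addresses 192.168.1.0/24, 192.168.2.0/24, 203.0.113.5 and 198.51.100.7 are constructed stand-ins for the anonymised x.x.1.0, x.x.2.0 and y.y.y.y values on the page. It goes slightly beyond the thread by also evaluating a variant that types subnet masks where IOS expects wildcard masks, to show that such entries match nothing.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the anonymised addresses in the thread.
LAN_NET = "192.168.1.0"       # x.x.1.0/24 on FastEthernet0 (ip nat inside)
VPN_POOL_NET = "192.168.2.0"  # x.x.2.0/24, the range "ip local pool vpnpool" draws from
OUTSIDE_IP = "203.0.113.5"    # the y.y.y.y address on Ethernet0 (ip nat outside)


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: str
    src_wc: str
    dst: str = "0.0.0.0"             # default destination is "any"
    dst_wc: str = "255.255.255.255"


def acl_lookup(entries, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for e in entries:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action
    return "deny"


# Original config: ip nat inside source list 1 ... -> access-list 1 permit x.x.1.0 0.0.0.255
ACL_1 = [AclEntry("permit", LAN_NET, "0.0.0.255")]

# Accepted fix: route-map no_nat matching access-list 101, written with wildcard masks
ACL_101 = [
    AclEntry("deny", LAN_NET, "0.0.0.255", VPN_POOL_NET, "0.0.0.255"),  # LAN -> VPN pool: no NAT
    AclEntry("permit", LAN_NET, "0.0.0.255"),                           # LAN -> anywhere else: NAT
]

# Same intent typed with subnet masks in the wildcard position (a common slip)
BROKEN_101 = [
    AclEntry("deny", LAN_NET, "255.255.255.0", VPN_POOL_NET, "255.255.255.0"),
    AclEntry("permit", LAN_NET, "255.255.255.0"),
]


def translated_source(src, dst, nat_acl):
    """Source address the packet leaves Ethernet0 with.

    Overload/PAT to the outside interface applies only when the NAT ACL (or the
    route-map's match ACL) permits the flow; a deny leaves the packet untranslated."""
    return OUTSIDE_IP if acl_lookup(nat_acl, src, dst) == "permit" else src


def compare_flows():
    """Translated source for the two flows that matter, under both NAT rules."""
    flows = {
        "lan_to_internet": ("192.168.1.10", "198.51.100.7"),   # constructed hosts
        "lan_to_vpn_client": ("192.168.1.10", "192.168.2.21"),  # client got .21 from the pool
    }
    return {
        name: {
            "original": translated_source(s, d, ACL_1),
            "route_map": translated_source(s, d, ACL_101),
        }
        for name, (s, d) in flows.items()
    }


if __name__ == "__main__":
    for name, result in compare_flows().items():
        print(name, result)
    print("bad wildcard, lan_to_internet:",
          translated_source("192.168.1.10", "198.51.100.7", BROKEN_101))
```

`compare_flows()` shows the point of the fix: under the original `list 1` rule, traffic from the LAN to the VPN client is translated to the outside address before it reaches the crypto map, so it no longer matches the client's split-tunnel ACL and the client never sees a valid reply; with the route-map, LAN-to-pool traffic keeps its private source and only LAN-to-Internet traffic is overloaded. The subnet-mask variant falls through to the implicit deny for every flow, which would stop NAT for the whole LAN rather than just exempting the pool, so checking `show access-lists` match counters after such a change is worth the minute.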

Author Comment

by:GR999
ID: 11984455
Thanks a lot lrmoore. Works great now. Appreciate all the help!

GR