FL6
asked on
Cisco 837 VPN connection
I'm connecting from home with no router or firewall with a Cisco VPN Client 4.0.3 to a Cisco 837 DSL Router.
The tunnel seems to be established, authentication goes through, client status shows as connected, I receive the proper ip addressing etc.
The client statistics show that I have sent a lot of packets but have received none.
I enabled split tunnelling, as I can still surf the internet.
Before I enabled split tunnelling I would connect, but then my internet connection would fail.
My problem is that I can't ping or access anything behind the 837 router, the remote LAN I'm trying to use.
I'm suspecting maybe some kind of route problem, but I'm not sure.
With some help I can provide any logs needed.
Below is my show run output.
Thanks
##########################
Building configuration...
Current configuration : 4943 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5 $1$r8h/$y8JgB4uBg0nIVBPuei3iO0
!
username CRWS_Sangeetha privilege 15 password 7 0242551F3C570900084158163632020A5E5473727D7D66647243
username ##### password 7 151C0E18172527322D
username ######### password 7 01100F175804
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.0.254
ip dhcp excluded-address 192.168.0.102
!
ip dhcp pool CLIENT
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.254
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ######
key 0 ######
dns 192.168.0.2
wins 192.168.0.2
domain blowjob.com
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.0.254-255.255.255.0
ip address 192.168.0.254 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip access-group 122 out
ip nat inside
ip tcp adjust-mss 1452
crypto map clientmap
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name redback
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname ##########
ppp chap password 7 082C495A3A0D041A02
ppp pap sent-username ########### password 7 060B0A357F5A081415
ppp ipcp dns request
ppp ipcp wins request
crypto map clientmap
!
ip local pool ippool 192.168.0.130 192.168.0.150
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.102 1494 interface Dialer1 1494
ip nat inside source static tcp 192.168.0.102 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.0.102 25 interface Dialer1 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
ip access-list extended service
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 108 permit ip 10.10.10.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.0.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 108 permit ip 192.168.0.0 0.0.255.255 any
access-list 111 permit tcp any any eq 1494
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
!
end
ASKER
I tried your modifications and I still have the same symptoms.
As far as E0 goes, I think I goofed there, the instructions from cisco said to apply it to E0 so I did.
I wasn't sure if E0 was the same as dialer1.
Thanks for the help.
I would change your VPN ippool to something other than 192.168.0.x (it gets a bit confusing)
For example, use 192.168.100.x for VPN ippool.
Then, try adding this line to your config:
ip access-list extended nonat
deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip nat inside source route-map nonat interface Dialer1 overload
ASKER
Just before dgroscost commented I changed it to 192.168.1.x.
Anyways, I tried your suggestions too and that didn't work either.
!!!!!!!!!!!!!!!!!!!!!!!!!!
ip local pool ippool 192.168.1.130 192.168.1.150
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.0.102 1494 interface Dialer1 1494
ip nat inside source static tcp 192.168.0.102 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.0.102 25 interface Dialer1 25
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
!
ip access-list extended nonat
deny ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended service
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 108 permit ip 192.0.0.0 0.255.255.255 192.0.0.0 0.255.255.255
access-list 108 permit ip 192.168.0.0 0.0.255.255 any
access-list 111 permit tcp any any eq 1494
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
ASKER
Finally figured it out, not sure how, but it works.
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
route-map nonat
match ip address 108
No comment has been added to this question in more than 21 days, so it is now classified as abandoned. I will leave the following recommendation for this question in the Cleanup topic area:
PAQ - Refund points
Any objections should be posted here in the next 4 days. After that time, the question will be closed.
donjohnston
EE Cleanup Volunteer
ASKER CERTIFIED SOLUTION
2) you'll need to adjust your NAT policy to ensure that you aren't NAT'ing your VPN addresses to your VPN clients. Try using,
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
3) modify your access-list 111 to have the following line at the top.
access-list 111 permit ip 192.168.0.0 0.0.0.255 192.168.0.0 0.0.0.255
Cisco routers reuse the inbound ACL for unencrypted then encrypted traffic. Thus the same ACL is used twice.
--Tim
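The two suggestions in this thread (dgroscost's nonat access list and Tim's point 2) and the asker's final working lines all come down to the same check: the NAT source list must deny, and therefore exempt, traffic from the inside LAN to the VPN pool, and the pool must not share addresses with the LAN. The Python below is an added example written for this thread, not code from the thread, from Cisco or from Experts Exchange. It models the numbered-ACL syntax used here (`access-list N permit|deny ip <src> <wildcard> <dst> <wildcard>`, plus `any` and `host`) with Cisco first-match semantics and the implicit trailing deny, expands the `ip local pool` line, and reports which pool addresses the NAT ACL would still translate. The configuration lines are taken from the thread; the LAN source address `192.168.0.2` (the dns/wins server in the config) is a constructed choice of test source, and `nat_leaks` and `pool_overlaps_lan` are names assumed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# (network, wildcard) as integers; Cisco wildcard bits set to 1 are don't-care bits.
Addr = Tuple[int, int]
ANY: Addr = (0, 0xFFFFFFFF)


@dataclass(frozen=True)
class Ace:
    """One entry of a numbered ACL: action plus source and destination specs."""
    action: str  # "permit" or "deny"
    src: Addr
    dst: Addr


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens: List[str]) -> Tuple[Addr, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def _wc_match(ip: int, spec: Addr) -> bool:
    """Cisco wildcard match: compare only the bits the wildcard leaves as 0."""
    net, wc = spec
    return (ip ^ net) & (~wc & 0xFFFFFFFF) == 0


def parse_numbered_acl(lines: List[str], number: int) -> List[Ace]:
    """Collect the plain 'ip' entries of ACL `number`, in configured order.
    tcp/udp/icmp entries are skipped: a NAT source list only needs the ip ones."""
    entries = []
    for raw in lines:
        tok = raw.split()
        if tok[:2] != ["access-list", str(number)] or len(tok) < 4 or tok[3] != "ip":
            continue
        src, rest = _take_addr(tok[4:])
        dst, _ = _take_addr(rest)
        entries.append(Ace(tok[2], src, dst))
    return entries


def acl_verdict(entries: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; no match means the implicit trailing deny."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for e in entries:
        if _wc_match(s, e.src) and _wc_match(d, e.dst):
            return e.action
    return "deny"


def parse_local_pool(lines: List[str]) -> List[str]:
    """Expand the first 'ip local pool NAME LOW HIGH' line into its addresses."""
    for raw in lines:
        tok = raw.split()
        if tok[:3] == ["ip", "local", "pool"] and len(tok) >= 6:
            lo, hi = _ip(tok[4]), _ip(tok[5])
            return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
    return []


def nat_leaks(lines: List[str], nat_acl: int, lan_host: str) -> List[str]:
    """Pool addresses to which replies from `lan_host` would be translated.
    In a NAT source list 'permit' means translate and 'deny' means exempt, so
    each address returned is a VPN client whose return traffic would be NATed
    out of Dialer1 instead of going back through the tunnel."""
    entries = parse_numbered_acl(lines, nat_acl)
    return [a for a in parse_local_pool(lines)
            if acl_verdict(entries, lan_host, a) == "permit"]


def pool_overlaps_lan(lines: List[str], lan_cidr: str) -> bool:
    """True when the VPN pool shares addresses with the inside LAN prefix."""
    lan = ipaddress.IPv4Network(lan_cidr)
    return any(ipaddress.IPv4Address(a) in lan for a in parse_local_pool(lines))


# Lines taken from the asker's original configuration in the thread.
ORIGINAL = [
    "ip local pool ippool 192.168.0.130 192.168.0.150",
    "ip nat inside source list 102 interface Dialer1 overload",
    "access-list 102 permit ip 192.168.0.0 0.0.0.255 any",
]

# The same lines after the fix the asker reported working.
FIXED = [
    "ip local pool ippool 192.168.1.130 192.168.1.150",
    "ip nat inside source list 102 interface Dialer1 overload",
    "access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 102 permit ip 192.168.0.0 0.0.0.255 any",
]

LAN_HOST = "192.168.0.2"  # dns/wins server from the config; constructed test source

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        leaked = nat_leaks(cfg, 102, LAN_HOST)
        print(f"{name}: overlap={pool_overlaps_lan(cfg, '192.168.0.0/24')}, "
              f"clients that would be NATed={len(leaked)}")
```

Against the original lines every one of the 21 pool addresses is reported, and the pool also overlaps 192.168.0.0/24; against the fixed lines nothing is reported, because the `deny` sits before the `permit` and first match wins. Order matters: putting the same `deny` after `permit ip 192.168.0.0 0.0.0.255 any` would change nothing, which is the kind of mistake this check is meant to catch before the config goes on the router.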