?
Solved

Problem with VPN connection with a Cisco 831

Posted on 2005-04-13
3
Medium Priority
?
237 Views
Last Modified: 2010-04-12
Here is my config file.  I can connect to my VPN but can't access anything on the 192.168.0.0 network.  I also can not connect to a telnet session now on either interface

I also added
route-map nonat permit 10
match ip address 103

Any ideas on the problem?

aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip name-server 207.5.128.9
ip name-server 207.5.128.10
!
ip dhcp pool CLIENT
   import all
   network 192.168.0.0 255.255.255.0
   domain-name suscom-maine.net
   default-router 192.168.0.1
   lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group *****
 key 0 ********
 dns 192.168.0.10
 domain nmaec.com
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group 122 out
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
 crypto map clientmap
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
ip local pool ippool 192.168.1.100 192.168.1.110
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny   ip any any
access-list 122 deny   tcp any any eq telnet
access-list 122 permit ip any any
no cdp run
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 120 0
 length 0
!
scheduler max-task-time 5000
!
end
0
Comment
Question by:BDMP
  • 2
3 Comments
 
LVL 7

Accepted Solution

by:
minmei earned 375 total points
ID: 13781150
take the original nat line out

ip nat inside source list 102 interface Ethernet1 overload

This is still translating traffic through the vpn

Your firewall commands let way too much stuff in (netbios?)
0
 

Author Comment

by:BDMP
ID: 13799633
I got it working, but only when wired.  Is there anything wrong with client 3.5.1 and wireless?  Will 4.6 work?
0
 
LVL 7

Expert Comment

by:minmei
ID: 13802638
4.6 is better anyway - try it. I had 4.x working wirelessly. Can't remember if 3.5.1 worked or didnt work, but I can't think of why it would be picky.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've had to do a bit of research to setup my VPN connection so that Clients can access Windows Server 2008 network shares.  I have a Cisco ASA 5510 firewall.  I found an article which was extremely useful: It had a solution if you use ASDM to config…
Secure VPN Connection terminated locally by the Client.  Reason 442: Failed to enable Virtual Adapter. If you receive this error on Windows 8 or Windows 8.1 while trying to connect with the Cisco VPN Client then the solution is a simple registry f…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
Suggested Courses

750 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question