No Data flowing once VPN is established between Cisco VPN client and Cisco 2610 router

Hi experts, I just reconfigured a Cisco 2610 router to accept VPN connections from portable machines using Cisco VPN client 4.0.5. The connection establishes perfectly and I get an IP from the router to my notebook just fine. But once I want to browse the internal network or even ping any device internally, I get a time-out error; basically it does not see anything. I tried adding the VPN pool to the access list since I believe this is where I have the problem. Please advise, and thanks in advance. The 2 permanent tunnels going to other routers are working just fine.

Router config

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Building configuration...

Current configuration : 3778 bytes
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname JR1
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 $1$0pII$/iAoFi4/LZUSdSFFrTx5S.
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip cef
!
!
no ip domain lookup
!
ip audit po max-events 100
!
!
!
!
!
!
!
!
!
!
!
!
username administrator password 7 0325570A0B0A254D19584855
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3600
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 lifetime 3600
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key alameda address 70.xx.xx.xx no-xauth
crypto isakmp key alameda address 70.xx.xx.xx no-xauth
!
crypto isakmp client configuration group xxxxxxxxxxxxx
 key xxxxxxxxxxxxxx
 dns 192.168.1.5
 wins 192.168.1.5
 domain xxxxxxxx.local
 pool ippool
!
!
crypto ipsec transform-set cm-transformset-1 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set cm-transformset-2 ah-md5-hmac esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map cm-cryptomap local-address Serial0/0.1
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 70.xx.xx.xx
 set transform-set cm-transformset-1
 match address 100
crypto map cm-cryptomap 2 ipsec-isakmp
 set peer 70.xx.xx.xx
 set transform-set cm-transformset-2
 match address 101
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0/0
 description connected to EthernetLAN
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Serial0/0
 ip address 151.xx.xx.xx 255.255.255.252
 encapsulation frame-relay
 no ip route-cache cef
 no ip route-cache
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
 description connected to Internet
 ip address 70.xx.xx.xx 255.255.255.224
 ip nat outside
 no ip route-cache
 frame-relay interface-dlci 706 IETF
 crypto map clientmap
!
ip local pool ippool 14.1.1.245 14.1.1.250
ip nat inside source route-map nonat interface Serial0/0.1 overload
ip nat inside source static tcp 192.168.1.5 3389 70.xx.xx.xx 3389 extendable
ip nat inside source static tcp 192.168.1.21 3389 70.xx.xx.xx 3389 extendable
ip nat inside source static tcp 192.168.1.235 5000 70.xx.xx.xx 5000 extendable
ip nat inside source static tcp 192.168.1.236 5001 70.xx.xx.xx 5001 extendable
ip nat inside source static tcp 192.168.1.19 3389 70.xx.xx.xx 3389 extendable
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

!
route-map nonat permit 10
 match ip address 110
!
snmp-server location Alameda
snmp-server contact Armando Raynal,(915)227-7744
!
!
!
!
!
line con 0
 exec-timeout 0 0
 password 7 1533070D092F2F257F626472
line aux 0
line vty 0 4
 password 7 0227085A06030B201B1F5849
!
!
Asked by: amanytx

amanytx (Author) Commented:
Actually, I lost the router-to-router VPN tunnels also, so I removed the access-list entries that defined the pool IPs for the VPN clients so the connections would go up.

mikebernhardt Commented:
Check out this doc:
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml

You need to send the clients a route so they can split-tunnel (determine what to send through the VPN and what to send to the ISP). And the doc indicates that doing this while also using router-router tunnel needs special treatment.

amanytx (Author) Commented:
will try and will get back

amanytx (Author) Commented:
Thanks it worked great!
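
One way to apply what mikebernhardt's answer describes to the config posted in the question, as an added example (not the poster's final config and not taken from the linked Cisco document). It reuses the names from the posted config; `<client-group>` is a placeholder for the group name redacted in the post, and folding the client entry into `cm-cryptomap` is an assumption based on IOS allowing only one crypto map per interface.

```cisco
! Added example. ACL 102/110, ippool, dynmap, userauthen, groupauthor,
! cm-cryptomap and clientmap are names from the posted config.
! <client-group> is a placeholder for the redacted group name.
!
! 1. Split tunnel: push ACL 102 to the VPN clients so they install a route
!    for 192.168.1.0/24 through the tunnel and send the rest to the ISP.
!    ACL 102 in the posted config already has the needed shape:
!      access-list 102 permit ip 192.168.1.0 0.0.0.255 14.1.1.0 0.0.0.255
crypto isakmp client configuration group <client-group>
 acl 102
!
! 2. NAT exemption: numbered ACLs are evaluated top-down, so the deny
!    lines for the two remote LANs and the client pool must sit above
!    "permit ... any". Rebuild the list in order instead of appending.
no access-list 110
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 14.1.1.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
!    Note: ACL 110 only governs the "overload" rule. The static port
!    translations (3389, 5000, 5001) are not filtered by it, so replies
!    from those ports on those hosts are still translated.
!
! 3. One crypto map per interface: the posted config binds "clientmap",
!    which has no entries for the two router peers. Put the peer entries
!    (1 and 2) and the dynamic client entry (10) in the same map. The
!    peers keep "no-xauth" on their pre-shared keys, so only clients are
!    prompted for user authentication.
crypto map cm-cryptomap client authentication list userauthen
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 10 ipsec-isakmp dynamic dynmap
!
! Swapping the map tears down existing tunnels; do it from the console
! or a non-VPN session.
interface Serial0/0.1
 no crypto map clientmap
 crypto map cm-cryptomap
!
! 4. Verify from exec mode after a client connects:
!      show crypto isakmp sa       (one SA per router peer and per client)
!      show crypto ipsec sa        (encaps/decaps counters both rising)
!      show ip nat translations    (no entries toward 14.1.1.x)
```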