VPN Connectivity - Cisco IOS

I have an issue with trying to grant VPN access to remote users that are connecting with the Cisco VPN client.  Relevant config:

**********************

crypto isakmp client configuration group group1
 key RemoteUsers
 pool vpnpool
 acl 101

interface Ethernet0
 ip address 65.43.21.1 255.255.255.0
 ip nat outside
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map intmap
!
interface FastEthernet0
 ip address 192.168.150.100 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 full-duplex
 ntp broadcast

ip local pool vpnpool 65.43.21.200 65.43.21.230
ip nat inside source list 1 interface Ethernet0 overload

access-list 1 permit 192.168.150.0 0.0.0.255
access-list 101 permit ip 192.168.150.0 0.0.0.255 any

*************

Remote users can connect using the Cisco VPN client.  The VPN client shows that their IP is being assigned from the vpnpool.  However, they are unable to access the e-mail server at 192.168.150.15.  Note that the 192.168.150.X IPs from inside the router are being NAT'd to Ethernet0's IP address.

For 500 points:  What do I need to do to get the VPN clients able to communicate with the systems inside the router (192.168.150.x)?  
Whah asked:
lrmoore commented:
no ip local pool vpnpool
ip local pool vpnpool 192.168.200.100 192.168.200.230
access-list 110 deny ip 192.168.150.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 permit ip 192.168.150.0 0.0.0.255 any
route-map vpn permit 10
 match ip address 110

no ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source route-map vpn interface Ethernet0 overload


rsivanandan commented:
Just copy and paste the above config from lrmoore and it should work...

Cheers,
Rajesh

Whah (author) commented:
This looks like it'll work.  However, my client PCs inside the router need to have the "ip nat inside source list 1 interface Ethernet0 overload".  Will this work if I leave that in?

rsivanandan commented:
It is taken care of already.

If you look at the access-list and route-map entry, what it tells the router is that any connection going to the Internet is NATed using the Ethernet0 interface IP address. If the connection is going from inside to 192.168.200.100 (which would be the VPN client IP address), it is not NATed. That was your problem before.

Cheers,
Rajesh

Whah (author) commented:
What about the "acl 101" in group1?  Is that going to cause a problem?  Or is the  access-list 110  supposed to be access-list 101?

rsivanandan commented:
No. You can leave it there.

Cheers,
Rajesh

Whah (author) commented:
This is not working.  I connect and try to run a tracert -d to 192.168.150.15, I see the first hop to 65.43.21.1, but then it times out.

Any suggestions?

rsivanandan commented:
So you have connected the VPN client and it ain't working?

1. After connecting to the VPN, do an 'ipconfig /all' and post it here.

2. Try accessing any of the servers inside, to check whether ICMP is disabled.

Posting the configuration would definitely help.

Cheers,
Rajesh

Whah (author) commented:
Also, what's the significance of 192.168.200.X?  I don't see how the router is going to know how to route 192.168.200.X to the 192.168.150.X addresses.

rsivanandan commented:
192.168.200.x is the subnet you'll be giving to your VPN clients. At first, when this post was started, you had it all public, which is not how it should be done.

The idea of a VPN is that once the VPN is connected, you are virtually on the corporate network: you'll have a private IP on the VPN adapter but continue to use your ISP-provided IP on the main adapter of the client machine.

The significance is that you would've given this as the VPN pool in your crypto configuration somewhere (you need to post the full config). So the router knows that it hands out the IP addresses and that it has to do the routing for them.

Steps would be like this:

1. The VPN client, using its ISP-provided IP, contacts the VPN server (the IOS router).
2. After negotiation, the VPN is set up and, as part of this, an address from 192.168.200.x is given out.
3. After that, the client PC will use the 192.168.200.x network as its LAN network for VPN traffic, sending all the 192.168.150.x requests to the router.
4. The router recognizes that the traffic is coming from a VPN, routes it to the internal network, and anything coming out of the internal network to the VPN machine is routed back through the VPN tunnel.

If you look at the deny line in access-list 110, what it says is that if the traffic is going from my internal network to the VPN network then DON'T NAT; otherwise, NAT.

Cheers,
Rajesh
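As an added illustration for lrmoore's route-map config and Rajesh's explanation above (this is example code written for this page, not code from the thread or from Cisco): a small Python model of how an IOS `ip nat inside source` statement decides whether to translate a packet. It parses the access-list and route-map lines from the answer and walks two packets through them. With the original `list 1` selector, a reply from the mail server to a VPN client matches ACL 1 and is translated to Ethernet0's address, so it no longer looks like LAN traffic; with `route-map vpn`, the deny entry in ACL 110 exempts LAN-to-pool traffic and everything else is still translated. The config strings are constructed from the thread, 203.0.113.7 is a made-up Internet host, and only the syntax forms used on this page are modelled (standard ACLs, extended `ip` entries, `any`/`host`, single-ACL route-map clauses); crypto-map and routing behaviour are not modelled.

```python
# Model of the IOS 'ip nat inside source list|route-map ...' selector.
# Added example for this thread; not Cisco code, not from the original post.
import ipaddress
from dataclasses import dataclass


@dataclass
class AclEntry:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network      # 0.0.0.0/0 for standard (source-only) ACLs


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS address + wildcard mask -> network. A wildcard bit of 1 means 'don't care',
    so the netmask is the bitwise complement; only contiguous masks are accepted."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _take_address(tokens):
    """Consume one address spec (any | host A | A WILDCARD | A) from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    if len(tokens) >= 2 and tokens[1].count(".") == 3:
        return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]
    return ipaddress.IPv4Network(tokens[0] + "/32"), tokens[1:]   # bare address = host


def parse_config(text: str):
    """Collect access-lists, route-maps and the 'ip nat inside source' statement."""
    acls, route_maps, nat, current_map = {}, {}, None, None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if t[0] == "access-list":
            number, action, rest = int(t[1]), t[2], t[3:]
            if number <= 99:                          # standard ACL: source only
                src, _ = _take_address(rest)
                dst = ipaddress.IPv4Network("0.0.0.0/0")
            else:                                     # extended ACL: 'ip' src dst
                if rest[0] != "ip":
                    raise ValueError(f"only 'ip' extended entries are modelled: {raw}")
                src, rest = _take_address(rest[1:])
                dst, _ = _take_address(rest)
            acls.setdefault(number, []).append(AclEntry(action, src, dst))
        elif t[0] == "route-map":                     # route-map NAME permit|deny SEQ
            current_map = route_maps.setdefault(t[1], [])
            current_map.append({"action": t[2], "acl": None})
        elif t[:3] == ["match", "ip", "address"] and current_map:
            current_map[-1]["acl"] = int(t[3])
        elif t[:4] == ["ip", "nat", "inside", "source"]:
            nat = (t[4], t[5])                        # ("list", "1") or ("route-map", "vpn")
    return acls, route_maps, nat


def acl_permits(entries, src, dst) -> bool:
    """First-match evaluation; no match falls through to the implicit deny."""
    for e in entries:
        if src in e.src and dst in e.dst:
            return e.action == "permit"
    return False


def translated(config: str, src: str, dst: str) -> bool:
    """True if the NAT selector would translate an inside->outside packet src->dst.
    Traffic the selector denies, or fails to match at all, is left untranslated."""
    acls, route_maps, nat = parse_config(config)
    if nat is None:
        raise ValueError("no 'ip nat inside source' statement in config")
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    kind, name = nat
    if kind == "list":
        return acl_permits(acls[int(name)], s, d)
    for clause in route_maps[name]:      # first clause whose ACL permits decides
        if clause["acl"] is not None and acl_permits(acls[clause["acl"]], s, d):
            return clause["action"] == "permit"
    return False


# Constructed from the question: translate everything sourced from the LAN.
BEFORE = """
ip nat inside source list 1 interface Ethernet0 overload
access-list 1 permit 192.168.150.0 0.0.0.255
"""

# Constructed from lrmoore's answer: exempt LAN -> VPN pool, translate the rest.
AFTER = """
access-list 110 deny ip 192.168.150.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 permit ip 192.168.150.0 0.0.0.255 any
route-map vpn permit 10
 match ip address 110
ip nat inside source route-map vpn interface Ethernet0 overload
"""

if __name__ == "__main__":
    cases = [("192.168.150.15", "192.168.200.100", "mail server -> VPN client"),
             ("192.168.150.15", "203.0.113.7", "mail server -> Internet host")]
    for src, dst, label in cases:
        print(f"{label:28} list 1: {'NAT' if translated(BEFORE, src, dst) else 'no NAT':7}"
              f" route-map vpn: {'NAT' if translated(AFTER, src, dst) else 'no NAT'}")
```

The point the model makes explicit is that a route-map NAT selector treats an ACL deny as "do not translate" rather than as "drop": the deny line is what keeps LAN-to-pool traffic untouched so it still looks like 192.168.150.x traffic when it reaches the tunnel. A packet sourced from the pool itself (192.168.200.x) matches nothing in ACL 110 and is likewise left alone.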

Whah (author) commented:
I beg your pardon.  It appears to be working.  I tried to telnet to 192.168.150.15, but it did not work.  The problem is a routing issue.  

When I tried to http to 192.168.150.33, it is working.  I'll run some more tests then award points.

rsivanandan commented:
No worries. Award based on the help. lrmoore deserves it since he got it first and I was only explaining it to you...

Cheers,
Rajesh