Solved

VPN Connectivity - Cisco IOS

Posted on 2006-07-17
Last Modified: 2010-03-19
I have an issue with trying to grant VPN access to remote users that are connecting with the Cisco VPN client.  Relevant config:

**********************

crypto isakmp client configuration group group1
 key RemoteUsers
 pool vpnpool
 acl 101

interface Ethernet0
 ip address 65.43.21.1 255.255.255.0
 ip nat outside
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map intmap
!
interface FastEthernet0
 ip address 192.168.150.100 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 full-duplex
 ntp broadcast

ip local pool vpnpool 65.43.21.200 65.43.21.230
ip nat inside source list 1 interface Ethernet0 overload

access-list 1 permit 192.168.150.0 0.0.0.255
access-list 101 permit ip 192.168.150.0 0.0.0.255 any

*************

Remote users can connect using the Cisco VPN client.  The VPN client shows that their IP is being assigned from the vpnpool.  However, they are unable to access the e-mail server at 192.168.150.15.  Note that the 192.168.150.X IPs from inside the router are being NAT'd to Ethernet0's IP address.

For 500 points:  What do I need to do to get the VPN clients able to communicate with the systems inside the router (192.168.150.x)?  
0
Comment
Question by:Whah
12 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17127388
no ip local pool vpnpool
ip local pool vpnpool 192.168.200.100 192.168.200.230
access-list 110 deny ip 192.168.150.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 permit ip 192.168.150.0 0.0.0.255 any
route-map vpn permit 10
 match ip address 110

no ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source route-map vpn interface Ethernet0 overload

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17127451
Just copy paste the above config from Lrmoore and it should work...

Cheers,
Rajesh
0
 

Author Comment

by:Whah
ID: 17127456
This looks like it'll work.  However, my client PCs inside the router need to have the "ip nat inside source list 1 interface Ethernet0 overload".  Will this work if I leave that in?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17127464
It is taken care of already:

If you look at the access-list and route-map entry, what it tells the router is that any connection going to the internet is NATed using the Ethernet0 interface IP address. If the connection is going from inside to 192.168.200.100 (which would be the VPN client IP address), it is not NATed. That was your problem before.

Cheers,
Rajesh
0
 

Author Comment

by:Whah
ID: 17127587
What about the "acl 101" in group1?  Is that going to cause a problem?  Or is the access-list 110 supposed to be access-list 101?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17127603
No. You can leave it there.

Cheers,
Rajesh
0
 

Author Comment

by:Whah
ID: 17127615
This is not working.  I connect and try to run a tracert -d to 192.168.150.15, I see the first hop to 65.43.21.1, but then it times out.

Any suggestions?
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17127630
So you have connected the vpn client and it ain't working ?

1. After connecting to VPN, do an 'ipconfig/all' and post it here.

2. Try accessing any of the servers inside, to check if icmp is disabled.

Posting the configuration would definitely help.

Cheers,
Rajesh
0
 

Author Comment

by:Whah
ID: 17127634
Also, what's the significance of 192.168.200.X?  I don't see how the router is going to know how to route 192.168.200.X to the 192.168.150.X addresses.

0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17127652
192.168.200.x is the subnet address you'll be giving to your VPN clients. At first, when this post was started, you had it all public, which is not how it should be done.

The idea of VPN is that once the VPN is connected, you are virtually on the corporate network and you'll have a private IP for the VPN adapter but continue to use your ISP-provided IP on the main adapter on the client machine.

The significance is that you would've given this as the VPN pool in your crypto configurations somewhere (you need to post the full config). So the router knows that it hands out the IP addresses and it has to do the routing for it.

Steps would be like this:

1. VPN client, using its ISP-provided IP, contacts the VPN server (IOS router).
2. After negotiation, the VPN is set up and, as part of this, the address 192.168.200.x will be given.
3. After that, the client PC will use the 192.168.200.x network as its LAN network for VPN traffic, sending all the 192.168.150.x requests to the router.
4. The router recognizes that it is coming from a VPN, routes it to the internal network, and anything coming out of the internal network to the VPN machine will be routed back through the VPN tunnel.

If you look at the deny access-list line in 110, what it says is that if the traffic is going from my internal network to the VPN network then DON'T NAT, otherwise NAT.

Cheers,
Rajesh
0
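An added example, not from the thread, that models in Python how the route-map NAT exemption in lrmoore's config decides whether a flow leaving the inside network is translated, and why the original "list 1" form broke replies to VPN clients; the ACL entries and addresses are taken from the thread, and 203.0.113.10 is a constructed placeholder for an internet host.

```python
import ipaddress

# Constructed model of the thread's ACLs: each entry is
# (action, src network, src wildcard, dst network, dst wildcard).
# access-list 110 is from the accepted answer; the original standard
# access-list 1 matches source only, so it is modelled with dst "any".
ACL_110 = [
    ("deny",   "192.168.150.0", "0.0.0.255", "192.168.200.0", "0.0.0.255"),
    ("permit", "192.168.150.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
ACL_1 = [
    ("permit", "192.168.150.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
OUTSIDE_IP = "65.43.21.1"   # Ethernet0, the overload (PAT) address


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (n & ~w)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"


def translated_source(acl, src: str, dst: str) -> str:
    """Source address seen leaving Ethernet0 under 'ip nat inside source ... overload'.
    A route-map 'permit' clause matches only flows its ACL permits; an ACL deny
    means the route-map does not match and the packet stays untranslated."""
    if acl_action(acl, src, dst) == "permit":
        return OUTSIDE_IP
    return src


if __name__ == "__main__":
    mail_server, vpn_client, internet_host = "192.168.150.15", "192.168.200.100", "203.0.113.10"
    # Reply from the mail server to the VPN client: exempt with the route-map, PATed with list 1
    print("route-map vpn :", translated_source(ACL_110, mail_server, vpn_client))
    print("old list 1    :", translated_source(ACL_1, mail_server, vpn_client))
    # Ordinary internet-bound traffic is still translated either way
    print("to internet   :", translated_source(ACL_110, mail_server, internet_host))
```

With the old list, the mail server's reply to the VPN client leaves with the public source 65.43.21.1 instead of going back through the tunnel, which matches the symptom in the question.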
 

Author Comment

by:Whah
ID: 17127653
I beg your pardon.  It appears to be working.  I tried to telnet to 192.168.150.15, but it did not work.  The problem is a routing issue.  

When I tried to http to 192.168.150.33, it is working.  I'll run some more tests then award points.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17127657
No worries. Award based on the help. Lrmoore deserves it since he got it first and I was only explaining it to you...

Cheers,
Rajesh
0