Solved

VPN Connectivity - Cisco IOS

Posted on 2006-07-17
Last Modified: 2010-03-19
I have an issue with trying to grant VPN access to remote users that are connecting with the Cisco VPN client.  Relevant config:

**********************

crypto isakmp client configuration group group1
 key RemoteUsers
 pool vpnpool
 acl 101

interface Ethernet0
 ip address 65.43.21.1 255.255.255.0
 ip nat outside
 no ip mroute-cache
 full-duplex
 no cdp enable
 crypto map intmap
!
interface FastEthernet0
 ip address 192.168.150.100 255.255.255.0
 ip nat inside
 no ip mroute-cache
 speed auto
 full-duplex
 ntp broadcast

ip local pool vpnpool 65.43.21.200 65.43.21.230
ip nat inside source list 1 interface Ethernet0 overload

access-list 1 permit 192.168.150.0 0.0.0.255
access-list 101 permit ip 192.168.150.0 0.0.0.255 any

*************

Remote users can connect using the Cisco VPN client.  The VPN client shows that their IP is being assigned from the vpnpool.  However, they are unable to access the e-mail server at 192.168.150.15.  Note that the 192.168.150.X IPs from inside the router are being NAT'd to Ethernet0's IP address.

For 500 points:  What do I need to do to get the VPN clients able to communicate with the systems inside the router (192.168.150.x)?  
Question by:Whah
12 Comments

Accepted Solution

by:
lrmoore earned 500 total points
ID: 17127388
no ip local pool vpnpool
ip local pool vpnpool 192.168.200.100 192.168.200.230
access-list 110 deny ip 192.168.150.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 110 permit ip 192.168.150.0 0.0.0.255 any
route-map vpn permit 10
 match ip address 110

no ip nat inside source list 1 interface Ethernet0 overload
ip nat inside source route-map vpn interface Ethernet0 overload


Expert Comment

by:rsivanandan
ID: 17127451
Just copy paste the above config from Lrmoore and it should work...

Cheers,
Rajesh

Author Comment

by:Whah
ID: 17127456
This looks like it'll work.  However, my client PCs inside the router need to have the "ip nat inside source list 1 interface Ethernet0 overload".  Will this work if I leave that in?

Expert Comment

by:rsivanandan
ID: 17127464
It is taken care already;

If you look at the access-list and route-map entry, what it tells the router is that any connection going to the internet is NATed using Ethernet0's interface IP address. If the connection is going from inside to 192.168.200.100 (which would be the VPN client IP address), don't NAT it. Your problem was that before.

Cheers,
Rajesh

Author Comment

by:Whah
ID: 17127587
What about the "acl 101" in group1?  Is that going to cause a problem?  Or is access-list 110 supposed to be access-list 101?

Expert Comment

by:rsivanandan
ID: 17127603
No. You can leave it there.

Cheers,
Rajesh

Author Comment

by:Whah
ID: 17127615
This is not working.  I connect and try to run a tracert -d to 192.168.150.15, I see the first hop to 65.43.21.1, but then it times out.

Any suggestions?

Expert Comment

by:rsivanandan
ID: 17127630
So you have connected the VPN client and it ain't working?

1. After connecting to the VPN, do an 'ipconfig /all' and post it here.

2. Try accessing any of the servers inside, to check if icmp is disabled.

Posting the configuration would definitely help.

Cheers,
Rajesh

Author Comment

by:Whah
ID: 17127634
Also, what's the significance of 192.168.200.X?  I don't see how the router is going to know how to route 192.168.200.X to the 192.168.150.X addresses.


Expert Comment

by:rsivanandan
ID: 17127652
192.168.200.x is the subnet address you'll be giving to your VPN clients. At first, when this post was started, you had it all public, which is not how it should be done.

The idea of a VPN is that once the VPN is connected, you are virtually on the corporate network: you'll have a private IP for the VPN adapter but continue to use your ISP-provided IP on the main adapter on the client machine.

The significance is that you would've given this as the VPN pool in your crypto configuration somewhere (you need to post the full config). So the router knows that it hands out the IP addresses and that it has to do the routing for them.

Steps would be like this:

1. The VPN client, using its ISP-provided IP, contacts the VPN server (IOS router).
2. After negotiation, the VPN is set up and, as part of this, the address 192.168.200.x will be given.
3. After that, the client PC will use the 192.168.200.x network as its LAN network for VPN traffic, sending all the 192.168.150.x requests to the router.
4. The router recognizes that it is coming from a VPN, routes it to the internal network, and anything coming out of the internal network to the VPN machine will be routed back through the VPN tunnel.

If you look at the deny access-list line in 110, what it says is that if the traffic is going from my internal network to the VPN network then DON'T NAT, otherwise NAT.

Cheers,
Rajesh
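The NAT-exemption logic in lrmoore's accepted config (the deny line in access-list 110 that route-map vpn matches) and Rajesh's explanation of it, as an added Python model that is not part of this thread: it evaluates the router's "translate or not" decision for a reply from the mail server under the original list 1 rule versus the route-map, which shows why the old rule would have NATed server-to-VPN-client replies to Ethernet0's address while the new one leaves them alone. Assumptions: only source and destination addresses are matched (protocol and port fields of a real extended ACL are ignored), and 203.0.113.10 is a constructed stand-in for an internet host.

```python
import ipaddress

# Added example: models the "NAT or not" decision the router makes for a flow
# under the original 'list 1' NAT rule versus the route-map from the thread.
# Simplification (assumption): only source/destination addresses are matched;
# protocol and port fields of real extended ACLs are ignored.

ANY = ("0.0.0.0", "255.255.255.255")          # Cisco 'any' as network/wildcard


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_lookup(acl, src, dst):
    """First matching entry wins; an unmatched flow hits the implicit deny."""
    for action, (snet, swild), (dnet, dwild) in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"


def will_nat(acl, src, dst):
    """'ip nat inside source' translates a flow only when its list/route-map permits it."""
    return acl_lookup(acl, src, dst) == "permit"


# Original config: access-list 1 permit 192.168.150.0 0.0.0.255 (standard ACL, any destination)
ACL_1 = [("permit", ("192.168.150.0", "0.0.0.255"), ANY)]

# lrmoore's fix: access-list 110, referenced by route-map 'vpn'; the deny line exempts LAN -> VPN pool
ACL_110 = [
    ("deny",   ("192.168.150.0", "0.0.0.255"), ("192.168.200.0", "0.0.0.255")),
    ("permit", ("192.168.150.0", "0.0.0.255"), ANY),
]

if __name__ == "__main__":
    mail_server, vpn_client = "192.168.150.15", "192.168.200.100"
    internet_host = "203.0.113.10"            # constructed documentation-range address
    for name, acl in (("list 1", ACL_1), ("route-map vpn / acl 110", ACL_110)):
        print(f"{name}: mail server -> VPN client NAT? {will_nat(acl, mail_server, vpn_client)}")
        print(f"{name}: mail server -> internet   NAT? {will_nat(acl, mail_server, internet_host)}")
```

With list 1 the server's reply toward the VPN client is translated (source rewritten to 65.43.21.1) and the client never sees a reply it recognizes; with the route-map the same flow is left untranslated and only LAN-to-internet traffic is overloaded onto Ethernet0.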

Author Comment

by:Whah
ID: 17127653
I beg your pardon.  It appears to be working.  I tried to telnet to 192.168.150.15, but it did not work.  The problem is a routing issue.  

When I tried to http to 192.168.150.33, it is working.  I'll run some more tests then award points.

Expert Comment

by:rsivanandan
ID: 17127657
No worries. Award based on the help. Lrmoore deserves it since he got it first and I was only explaining it to you...

Cheers,
Rajesh
