Solved

Configure Cisco 837 VPN with VPN Client

Posted on 2009-03-29
Last Modified: 2012-05-06
Hi,

I am currently trying to configure a VPN between the Cisco VPN client and my Cisco 837 security router. I can successfully establish a connection, the VPN client says it's connected, and I get an IP address on the 837's LAN on my computer. However, I cannot communicate between my computer and the remote LAN, so I can't even ping a device on the remote LAN or the 837. It seems that there is no routing taking place, but I cannot work it out.

I have attached a show run (with passwords etc. removed).

I was wondering if anyone here had any idea?

Thanks

Mark
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
aaa session-id common
!
!
!
!
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
username user1 password 7 xxxxxxxxxxx
username user2 privilege 15 password xxxxxxxx
!
class-map match-any VoIP
 match access-group 130
!
!
policy-map VoIP-QoS
 class VoIP
  priority percent 65
  set dscp ef
 class class-default
  fair-queue
!
!
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key abcdefg1234567
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group testgroup
 key abcdefg1234567
 dns 192.168.1.1
 wins 192.168.1.1
 domain mine.local
 pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group testgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
crypto isakmp profile L2L
   description LAN-to-LAN for spoke router(s) connection
   keyring spokes
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile L2L
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback2
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.4.254 255.255.255.0
 ip access-group 122 out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map nonat
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.3 point-to-point
 description DSL
 no snmp trap link-status
 pvc 8/35
  ubr 384
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer3
 description ISP Dialer
 bandwidth 384
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 3
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username xxx@xxx.xxx password xxxxxxxxxxxx
 crypto map mymap
!
interface Dialer1
 no ip address
!
ip local pool ippool 192.168.4.193 192.168.4.222
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.2.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2
!
ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer3 overload
!
no access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
no access-list 100 permit ip 192.168.4.0 0.0.0.255 any
no access-list 111 permit tcp any any eq telnet
no access-list 111 permit icmp any any administratively-prohibited
no access-list 111 permit icmp any any echo
no access-list 111 permit icmp any any echo-reply
no access-list 111 permit icmp any any packet-too-big
no access-list 111 permit icmp any any time-exceeded
no access-list 111 permit icmp any any traceroute
no access-list 111 permit icmp any any unreachable
no access-list 111 permit udp any eq bootps any eq bootpc
no access-list 111 permit udp any eq bootps any eq bootps
no access-list 111 permit udp any eq domain any
no access-list 111 permit esp any any
no access-list 111 permit udp any any eq isakmp
no access-list 111 permit udp any any eq 10000
no access-list 111 permit tcp any any eq 1723
no access-list 111 permit tcp any any eq 139
no access-list 111 permit udp any any eq netbios-ns
no access-list 111 permit udp any any eq netbios-dgm
no access-list 111 permit gre any any
no access-list 111 deny   ip any any
no access-list 112 permit ip 192.168.32.0 0.0.0.255 192.168.1.0 0.0.0.255
no access-list 114 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
no access-list 122 deny   tcp any any eq telnet
no access-list 122 permit ip any any
no access-list 130 permit ip host 192.168.32.120 any
no access-list 152 permit ip 192.168.32.0 0.0.0.255 192.168.1.0 0.0.0.255
no dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 152
 set ip next-hop 1.1.1.2
!
!
!
control-plane
!
!
line con 0
 password xxxxxxx
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 120 0
 password xxxxxxxx
 length 0
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

Question by: mark_06

4 Comments
Expert Comment by: mitrushi (ID: 24013987)
Try adding reverse-route to your crypto dynamic-map dynmap 5. This will inject a static route into the routing table pointing through the tunnel.
 
Author Comment by: mark_06 (ID: 24015906)
Adding that now gives me access to the 192.168.1.0/24 network; however, I cannot ping an address on the 192.168.4.0/24 subnet. When I do, it responds with a reply from the WAN IP of the 837.
 
Expert Comment by: mitrushi (ID: 24016705)
In order to exempt from NAT the traffic coming from the 192.168.4.0/24 range directed to your VPN pool, you need to add a deny statement to ACL 100:
access-list 100 deny ip 192.168.4.192 0.0.0.31
 
Accepted Solution by: mitrushi (earned 500 total points; ID: 24016729)
Oops, sorry, wrong ACL entry:
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.4.192 0.0.0.31
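An added example, not part of the thread or of any Cisco code: a small Python model of how `ip nat inside source list 100` evaluates ACL 100 with Cisco wildcard masks, showing why a LAN host's reply toward the VPN pool (192.168.4.192/27) is translated with the ACL as posted and left untranslated once the accepted deny entry is placed ahead of the permit. The LAN host 192.168.4.10 and the Internet address 203.0.113.5 are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class AclEntry:
    action: str   # "permit" (translate) or "deny" (leave untranslated)
    src: str      # source, as in "access-list 100 <action> ip SRC SRC_WC DST DST_WC"
    src_wc: str   # Cisco wildcard mask: 1 bits are "don't care"
    dst: str
    dst_wc: str


ANY = ("0.0.0.0", "255.255.255.255")  # how IOS expands the keyword "any"


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True if addr agrees with net on every bit the wildcard cares about (0 bits)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def nat_applies(acl: List[AclEntry], src: str, dst: str) -> bool:
    """Evaluate a NAT source list the way 'ip nat inside source list' does:
    first matching entry wins, permit means translate, deny means do not,
    and an unmatched packet falls through to the implicit deny (no NAT)."""
    for e in acl:
        if wildcard_match(src, e.src, e.src_wc) and wildcard_match(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


# ACL 100 as posted: everything sourced from the LAN is translated on Dialer3.
ACL_POSTED = [AclEntry("permit", "192.168.4.0", "0.0.0.255", *ANY)]
# ACL 100 with the accepted fix inserted ahead of the permit.
ACL_FIXED = [AclEntry("deny", "192.168.4.0", "0.0.0.255", "192.168.4.192", "0.0.0.31")] + ACL_POSTED

LAN_HOST = "192.168.4.10"      # constructed LAN host behind Ethernet0
VPN_CLIENT = "192.168.4.200"   # an address from ippool (192.168.4.193-.222)
INTERNET_HOST = "203.0.113.5"  # constructed, TEST-NET-3

if __name__ == "__main__":
    # A LAN host's reply to the VPN client is translated with the posted ACL,
    # which is why the client saw replies arriving from the 837's WAN address.
    print("posted, LAN->pool translated:", nat_applies(ACL_POSTED, LAN_HOST, VPN_CLIENT))      # True
    print("fixed,  LAN->pool translated:", nat_applies(ACL_FIXED, LAN_HOST, VPN_CLIENT))       # False
    # Ordinary Internet-bound traffic is still translated after the fix.
    print("fixed,  LAN->Internet translated:", nat_applies(ACL_FIXED, LAN_HOST, INTERNET_HOST))  # True
```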
