mark_06
asked on
Configure Cisco 837 VPN with VPN Client
Hi,
I am currently trying to configure a VPN between the Cisco VPN client and my Cisco 837 security router. I can successfully establish a connection: the VPN client says it's connected and I get an IP address from the 837's LAN on my computer. However, I cannot communicate between my computer and the remote LAN, so I can't even ping a device on the remote LAN or the 837 itself. It seems that no routing is taking place, but I cannot work it out.
I have attached a show run (with password etc, removed).
I was wondering if anyone here had any idea?
Thanks
Mark
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
aaa session-id common
!
!
!
!
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
username user1 password 7 xxxxxxxxxxx
username user2 privilege 15 password xxxxxxxx
!
class-map match-any VoIP
match access-group 130
!
!
policy-map VoIP-QoS
class VoIP
priority percent 65
set dscp ef
class class-default
fair-queue
!
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key abcdefg1234567
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group testgroup
key abcdefg1234567
dns 192.168.1.1
wins 192.168.1.1
domain mine.local
pool ippool
crypto isakmp profile VPNclient
description VPN clients profile
match identity group testgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile L2L
description LAN-to-LAN for spoke router(s) connection
keyring spokes
match identity address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile L2L
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback2
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
ip address 192.168.4.254 255.255.255.0
ip access-group 122 out
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
ip policy route-map nonat
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.3 point-to-point
description DSL
no snmp trap link-status
pvc 8/35
ubr 384
encapsulation aal5mux ppp dialer
dialer pool-member 3
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
interface Dialer3
description ISP Dialer
bandwidth 384
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 3
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxx@xxx.xxx password xxxxxxxxxxxx
crypto map mymap
!
interface Dialer1
no ip address
!
ip local pool ippool 192.168.4.193 192.168.4.222
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.2.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2
!
ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer3 overload
!
no access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
no access-list 100 permit ip 192.168.4.0 0.0.0.255 any
no access-list 111 permit tcp any any eq telnet
no access-list 111 permit icmp any any administratively-prohibited
no access-list 111 permit icmp any any echo
no access-list 111 permit icmp any any echo-reply
no access-list 111 permit icmp any any packet-too-big
no access-list 111 permit icmp any any time-exceeded
no access-list 111 permit icmp any any traceroute
no access-list 111 permit icmp any any unreachable
no access-list 111 permit udp any eq bootps any eq bootpc
no access-list 111 permit udp any eq bootps any eq bootps
no access-list 111 permit udp any eq domain any
no access-list 111 permit esp any any
no access-list 111 permit udp any any eq isakmp
no access-list 111 permit udp any any eq 10000
no access-list 111 permit tcp any any eq 1723
no access-list 111 permit tcp any any eq 139
no access-list 111 permit udp any any eq netbios-ns
no access-list 111 permit udp any any eq netbios-dgm
no access-list 111 permit gre any any
no access-list 111 deny ip any any
no access-list 112 permit ip 192.168.32.0 0.0.0.255 192.168.1.0 0.0.0.255
no access-list 114 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
no access-list 122 deny tcp any any eq telnet
no access-list 122 permit ip any any
no access-list 130 permit ip host 192.168.32.120 any
no access-list 152 permit ip 192.168.32.0 0.0.0.255 192.168.1.0 0.0.0.255
no dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 152
set ip next-hop 1.1.1.2
!
!
!
control-plane
!
!
line con 0
password xxxxxxx
no modem enable
transport output all
line aux 0
transport output all
line vty 0 4
exec-timeout 120 0
password xxxxxxxx
length 0
transport input all
transport output all
!
scheduler max-task-time 5000
end
Try adding reverse-route to your crypto dynamic-map dynmap 5. This will inject a static route into the routing table pointing through the tunnel.
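As an added illustration (not part of the original thread), the script below rebuilds the router's routing table from the posted show run and does a longest-prefix-match lookup for a VPN client address. It shows why return traffic to a client is sent to the LAN rather than the tunnel: the pool 192.168.4.193-222 is carved out of Ethernet0's connected /24, so that route wins until reverse-route injection adds a more specific host route. The client address 192.168.4.200 and the /32 route modelled as pointing at Dialer3 are assumptions for the example.

```python
"""Reconstructed routing table and a longest-prefix-match lookup.

Added example, not from the original thread. The table is rebuilt from the
posted 'show run'; the client address 192.168.4.200 and the /32 route that
'reverse-route' injects towards Dialer3 are assumptions for illustration.
"""
import ipaddress

# (prefix, next hop or exit interface) as reconstructed from the posted config
BASE_TABLE = [
    ("0.0.0.0/0", "Dialer3"),           # ip route 0.0.0.0 0.0.0.0 Dialer3
    ("192.168.4.0/24", "Ethernet0"),    # connected: ip address 192.168.4.254/24
    ("192.168.1.0/24", "192.168.4.2"),  # ip route 192.168.1.0 255.255.255.0 192.168.4.2
    ("192.168.2.0/24", "192.168.4.2"),
    ("192.168.3.0/24", "192.168.4.2"),
]

# ip local pool ippool 192.168.4.193 192.168.4.222
POOL_START, POOL_END = "192.168.4.193", "192.168.4.222"


def lookup(table, dst):
    """Longest-prefix match: the most specific prefix containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def inject_reverse_route(table, client_ip, crypto_iface="Dialer3"):
    """Model of 'reverse-route' on the dynamic crypto map (assumption): a host
    route for the client's assigned pool address pointing at the crypto-map
    interface, which is more specific than the connected /24."""
    return table + [(f"{client_ip}/32", crypto_iface)]


def pool_inside_connected(table, start=POOL_START, end=POOL_END):
    """True when every pool address lies inside a connected LAN prefix, which is
    the situation in the posted config (pool carved out of Ethernet0's /24)."""
    connected = [ipaddress.ip_network(p) for p, hop in table if hop.startswith("Ethernet")]
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    return all(any(ipaddress.ip_address(i) in n for n in connected)
               for i in range(int(lo), int(hi) + 1))


if __name__ == "__main__":
    client = "192.168.4.200"
    print("pool inside LAN prefix:", pool_inside_connected(BASE_TABLE))
    print("before RRI:", lookup(BASE_TABLE, client))   # Ethernet0: towards the LAN, not the tunnel
    print("after RRI: ", lookup(inject_reverse_route(BASE_TABLE, client), client))
```

The lookup before injection returns Ethernet0 for the client address, which is exactly the symptom in the question; with the host route present the same lookup returns the crypto-map interface. Checking with `show ip route` after adding reverse-route should reveal a /32 for each connected client.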
ASKER
Adding that now gives me access to the 192.168.1.0/24 network; however, I cannot ping an address on the 192.168.4.0/24 subnet. When I do, it responds with a reply from the WAN IP of the 837.
In order to exempt from NAT the traffic coming from the 192.168.4.0/24 range directed to your VPN pool, you need to add a deny statement to ACL 100:
access-list 100 deny ip 192.168.4.192 0.0.0.31
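As an added example (not from the thread's participants), the script below is a small first-match evaluator for IOS numbered extended ACLs with wildcard masks. It runs the NAT decision from `ip nat inside source list 100 ...` over LAN-to-pool traffic with three versions of ACL 100: the ACL as posted, the deny placed ahead of the permit, and the deny appended after the permit. The ACL text and the host addresses are constructed for the example; only the `ip` and `icmp` protocol keywords are handled.

```python
"""First-match evaluator for IOS extended ACLs, used to check the NAT decision.

Added example, not from the original thread. The ACL lines and sample hosts
below are constructed; 'any' and 'host' keywords, contiguous wildcard masks
and the 'ip'/'icmp' protocol keywords are supported, nothing more.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # IOS wildcard is the inverse of a netmask; ipaddress rejects non-contiguous masks
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    net = ipaddress.ip_network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    return net, tokens[2:]


def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> <proto> <src> <dst> [...]'."""
    tokens = line.split()
    if tokens[0] != "access-list":
        raise ValueError(f"not an access-list line: {line}")
    action, proto = tokens[2], tokens[3]
    src, rest = _take_addr(tokens[4:])
    dst, _ = _take_addr(rest)      # trailing port qualifiers are ignored here
    return Ace(action, proto, src, dst)


def evaluate(acl, proto, src, dst):
    """First matching entry decides; an ACL ends with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def nat_applies(acl_lines, src, dst, proto="icmp"):
    """'ip nat inside source list 100 ...' translates a packet only if ACL 100 permits it."""
    return evaluate([parse_ace(l) for l in acl_lines], proto, src, dst) == "permit"


# ACL 100 as it appears in the posted show run (the stray 'no ' prefixes dropped)
ACL_POSTED = [
    "access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 100 permit ip 192.168.4.0 0.0.0.255 any",
]
# The exemption the answer asks for, written with the pool as destination
# (192.168.4.192 0.0.0.31 covers the pool 192.168.4.193-222)
NAT_EXEMPT = "access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.4.192 0.0.0.31"
ACL_FIXED = [NAT_EXEMPT] + ACL_POSTED        # deny ahead of the broad permit
ACL_APPENDED = ACL_POSTED + [NAT_EXEMPT]     # what a plain re-entry on IOS produces

LAN_HOST, VPN_CLIENT, INTERNET_HOST = "192.168.4.10", "192.168.4.200", "203.0.113.5"

if __name__ == "__main__":
    for name, acl in (("posted", ACL_POSTED), ("fixed", ACL_FIXED), ("appended", ACL_APPENDED)):
        print(f"{name:9s} LAN->pool NATed: {nat_applies(acl, LAN_HOST, VPN_CLIENT)}")
    print("fixed LAN->internet NATed:", nat_applies(ACL_FIXED, LAN_HOST, INTERNET_HOST))
```

Ordering is the practical caveat: on IOS a new `access-list 100 ...` line is appended to the end of the list, so a deny entered after the existing `permit ip 192.168.4.0 0.0.0.255 any` is never reached and LAN replies to the VPN client are still translated to the Dialer3 address, which matches the "reply from the WAN IP" symptom. Either remove and re-enter the whole list with the deny first, or edit it through `ip access-list extended 100` with a lower sequence number, then confirm with `show ip nat translations` that pool addresses no longer appear.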