Solved

Configure Cisco 837 VPN with VPN Client

Posted on 2009-03-29
1,147 Views
Last Modified: 2012-05-06
Hi,

I am currently trying to configure a VPN between the Cisco VPN client and my Cisco 837 security router. I can successfully establish a connection; the VPN client says it's connected and I get an IP address from the 837's LAN on my computer. However, I cannot communicate between my computer and the remote LAN, so I can't even ping a device on the remote LAN or the 837. It seems that no routing is taking place; however, I cannot work it out.

I have attached a show run (with passwords etc. removed).

I was wondering if anyone here had any idea?

Thanks

Mark
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router1
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
!
aaa session-id common
!
!
!
!
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
username user1 password 7 xxxxxxxxxxx
username user2 privilege 15 password xxxxxxxx
!
class-map match-any VoIP
 match access-group 130
!
!
policy-map VoIP-QoS
 class VoIP
  priority percent 65
  set dscp ef
 class class-default
  fair-queue
!
!
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key abcdefg1234567
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group testgroup
 key abcdefg1234567
 dns 192.168.1.1
 wins 192.168.1.1
 domain mine.local
 pool ippool
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group testgroup
   client authentication list clientauth
   isakmp authorization list groupauthor
   client configuration address respond
crypto isakmp profile L2L
   description LAN-to-LAN for spoke router(s) connection
   keyring spokes
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile L2L
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback2
 ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
 ip address 192.168.4.254 255.255.255.0
 ip access-group 122 out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 ip policy route-map nonat
 hold-queue 100 out
!
interface Ethernet2
 no ip address
 shutdown
 hold-queue 100 out
!
interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.3 point-to-point
 description DSL
 no snmp trap link-status
 pvc 8/35
  ubr 384
  encapsulation aal5mux ppp dialer
  dialer pool-member 3
 !
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
interface Dialer3
 description ISP Dialer
 bandwidth 384
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 3
 no cdp enable
 ppp authentication pap callin
 ppp chap refuse
 ppp pap sent-username xxx@xxx.xxx password xxxxxxxxxxxx
 crypto map mymap
!
interface Dialer1
 no ip address
!
ip local pool ippool 192.168.4.193 192.168.4.222
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer3
ip route 192.168.1.0 255.255.255.0 192.168.4.2
ip route 192.168.2.0 255.255.255.0 192.168.4.2
ip route 192.168.3.0 255.255.255.0 192.168.4.2
!
ip http server
no ip http secure-server
!
ip nat inside source list 100 interface Dialer3 overload
!
no access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
no access-list 100 permit ip 192.168.4.0 0.0.0.255 any
no access-list 111 permit tcp any any eq telnet
no access-list 111 permit icmp any any administratively-prohibited
no access-list 111 permit icmp any any echo
no access-list 111 permit icmp any any echo-reply
no access-list 111 permit icmp any any packet-too-big
no access-list 111 permit icmp any any time-exceeded
no access-list 111 permit icmp any any traceroute
no access-list 111 permit icmp any any unreachable
no access-list 111 permit udp any eq bootps any eq bootpc
no access-list 111 permit udp any eq bootps any eq bootps
no access-list 111 permit udp any eq domain any
no access-list 111 permit esp any any
no access-list 111 permit udp any any eq isakmp
no access-list 111 permit udp any any eq 10000
no access-list 111 permit tcp any any eq 1723
no access-list 111 permit tcp any any eq 139
no access-list 111 permit udp any any eq netbios-ns
no access-list 111 permit udp any any eq netbios-dgm
no access-list 111 permit gre any any
no access-list 111 deny   ip any any
no access-list 112 permit ip 192.168.32.0 0.0.0.255 192.168.1.0 0.0.0.255
no access-list 114 permit ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255
no access-list 122 deny   tcp any any eq telnet
no access-list 122 permit ip any any
no access-list 130 permit ip host 192.168.32.120 any
no access-list 152 permit ip 192.168.32.0 0.0.0.255 192.168.1.0 0.0.0.255
no dialer-list 1 protocol ip permit
!
route-map nonat permit 10
 match ip address 152
 set ip next-hop 1.1.1.2
!
!
!
control-plane
!
!
line con 0
 password xxxxxxx
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 4
 exec-timeout 120 0
 password xxxxxxxx
 length 0
 transport input all
 transport output all
!
scheduler max-task-time 5000
end

Question by:mark_06
4 Comments
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24013987
Try and add reverse-route to your crypto dynamic-map dynmap 5. This will inject a static route in the routing table pointing through the tunnel.
0
 
LVL 6

Author Comment

by:mark_06
ID: 24015906
Adding that now gives me access to the 192.168.1.0/24 network; however, I cannot ping an address on the 192.168.4.0/24 subnet. When I do, it responds with a reply from the WAN IP of the 837.
0
 
LVL 7

Expert Comment

by:Ilir Mitrushi
ID: 24016705
In order to exempt from NAT the traffic coming from the 192.168.4.0/24 range directed to your VPN pool, you need to add a deny statement to ACL 100:
access-list 100 deny ip 192.168.4.192 0.0.0.31
0
 
LVL 7

Accepted Solution

by:Ilir Mitrushi (earned 500 total points)
ID: 24016729
Oops, sorry, wrong ACL entry:
access-list 100 deny ip 192.168.4.0 0.0.0.255 192.168.4.192 0.0.0.31
0
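Why the accepted entry stops the "reply from the WAN IP" symptom, as an added example that is not part of the thread: a small Python matcher that evaluates an IOS-style extended ACL the way `ip nat inside source list 100` consults it (top-down, first match wins, implicit deny at the end). The ACL_BEFORE/ACL_AFTER lists, the function names and the sample flow addresses are constructed for this example; the ACL lines themselves are the ones from the question and the accepted answer.

```python
import ipaddress

# Constructed sample: NAT ACL 100 as posted in the question, and the same ACL
# with the accepted deny entry placed first. Order matters: first match wins.
ACL_BEFORE = [
    "access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.3.0 0.0.0.255",
    "access-list 100 permit ip 192.168.4.0 0.0.0.255 any",
]
ACL_AFTER = [
    # 0.0.0.31 wildcard = /27, i.e. 192.168.4.192-223, which covers the
    # client pool 192.168.4.193-222 handed out by "ip local pool ippool".
    "access-list 100 deny   ip 192.168.4.0 0.0.0.255 192.168.4.192 0.0.0.31",
] + ACL_BEFORE

def _parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    # An IOS wildcard mask is an inverted netmask: 0.0.0.255 -> 255.255.255.0.
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in lines:
        tokens = line.split()
        if tokens[:1] != ["access-list"] or tokens[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        action = tokens[2]
        src, rest = _parse_addr(tokens[4:])
        if not rest:
            # The first proposed entry in the thread omitted the destination.
            raise ValueError(f"incomplete entry (missing destination): {line}")
        dst, rest = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def nat_applies(acl_lines, src_ip, dst_ip):
    """True if the overload NAT rule would translate this flow to the Dialer3 address."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s_net, d_net in parse_acl(acl_lines):
        if src in s_net and dst in d_net:
            return action == "permit"
    return False  # implicit deny: traffic not matched is never translated
```

With ACL_BEFORE, a LAN host replying to a VPN client in the pool is translated to the WAN address, which is exactly the symptom reported; with ACL_AFTER that flow is exempted while Internet-bound traffic is still translated.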
