Solved

Cisco 877 router --- Easy Vpn Server setup

Posted on 2009-04-14
Last Modified: 2012-05-06
Hello.
I have set up the Easy VPN Server following the "Easy Vpn Server setup wizard".
I can dial in and get authenticated, but I can't see the computers on the network or, say, ping the router address.
Simple setup: just the Cisco router and an 8-port switch for testing purposes.
Here is the running config:
**************************************************************************************************************
Building configuration...

Current configuration : 3007 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BrooksRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$qEnA$YGRJNKLeF8z1cKBKbsFdj/
enable password admin808
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.199 192.168.1.254
!
ip dhcp pool CiscoDHCP
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 205.214.192.201 205.214.192.202
   default-router 192.168.1.77
   lease 7
!
!
ip name-server 205.214.192.201
ip name-server 205.214.192.202
!
!
!
username user privilege 15 secret 5 $1$U6/8$YPdMfXTwbvgTBU/
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group brooks
 key H3ll09854$
 pool SDM_POOL_1
 max-users 20
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group brooks
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Loopback0
 ip address 192.168.200.1 255.255.255.0
!
interface ATM0
 no ip address
 no ip route-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.4 point-to-point
 no ip route-cache
 no snmp trap link-status
 pvc 0/36
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 ip address 192.168.1.77 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 ip tcp adjust-mss 1412
!
interface Dialer3
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password xxxxxxxxxxx
!
ip local pool SDM_POOL_1 192.168.200.51 192.168.200.99
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer3 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxxxx
!
scheduler max-task-time 5000
end

****************************************************************************************************************
Question by:icdl101
 
LVL 43

Expert Comment

by:JFrederick29
The config looks fine to me.

What are you trying to ping?

You should be able to ping both 192.168.200.1 and 192.168.1.77...
 

Author Comment

by:icdl101
I can ping 192.168.200.1.
I can't ping 192.168.1.77.

Doing a tracert to 192.168.1.77, it stops at 192.168.200.1 and doesn't know where to go from there, or it is getting denied.
Also, I'm unable to surf the web once I get connected to the VPN server.
 
LVL 43

Expert Comment

by:JFrederick29
For Internet, add this:

conf t
access-list 1 permit 192.168.200.0 0.0.0.255

interface Virtual-Template1 type tunnel
ip nat inside

You should be able to ping 192.168.1.77 (nothing is blocking it on the router). Is the VLAN1 interface up/up, i.e. do you have something plugged into one of the FastEthernet ports? You can't ping it if it is down.
 

Author Comment

by:icdl101
OK, the last commands were good for surfing the web.

But still no resolution for the internal LAN.
I noticed that on a working VPN server for another site, once the client is connected, I can see in the stats under Route Details -> Secured Routes the network and subnet mask populated, whereas on this one I just see 0.0.0.0 and 0.0.0.0 for network and subnet mask.
So how do I add these routes? It seems this is the missing link.
Yes, the VLAN1 interface is up.

 
LVL 43

Expert Comment

by:JFrederick29
Having the routes 0.0.0.0 0.0.0.0 is actually tunneling all traffic so that isn't the issue.

From the router itself, can you ping 192.168.1.77?  Can you post a "show int vlan1"?

Also, do this on the router "debug ip icmp" then ping from the VPN client to 192.168.1.77 and post the results.  You can then turn off the debug "undebug all".
 
LVL 43

Expert Comment

by:JFrederick29
By the way, if you only want to tunnel traffic to the LAN (192.168.1.0/24) and use your local Internet connection, you can split tunnel.  It sounds like you are doing this at other locations.

conf t
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255

crypto isakmp client configuration group brooks
acl 150
 
LVL 43

Accepted Solution

by:JFrederick29 (earned 500 total points)
Sorry, typo.

Should be:

conf t
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

crypto isakmp client configuration group brooks
acl 150
0
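Added example, not part of the original thread or any poster's code: a Python check for the two mistakes this thread works through, a full-tunnel setup where the NAT access list omits the VPN pool and `ip nat inside` is missing on the virtual template, and a split-tunnel ACL whose source does not match the LAN (the 192.168.0.0 typo). `BASE`, `check_easyvpn` and the helper names are hypothetical, the sample is a constructed trim of the question's config, and ACL entries are assumed to be address/wildcard pairs.

```python
import ipaddress
# Constructed sample: trimmed from the question's running config.
BASE = """\
crypto isakmp client configuration group brooks
 pool SDM_POOL_1
interface Virtual-Template1 type tunnel
interface Vlan1
 ip address 192.168.1.77 255.255.255.0
ip local pool SDM_POOL_1 192.168.200.51 192.168.200.99
ip nat inside source list 1 interface Dialer3 overload
access-list 1 permit 192.168.1.0 0.0.0.255
"""

def wildcard_net(addr, wildcard):  # assumes a contiguous wildcard, no any/host keywords
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def sections(config):
    """Map each top-level IOS line to the indented sub-commands beneath it."""
    out, head = {}, None
    for line in filter(str.strip, config.splitlines()):
        if line[0].isspace():
            out[head].append(line.strip())
        elif line[0] != "!":
            head, out[line.strip()] = line.strip(), []
    return out

def check_easyvpn(config, group, lan_if="Vlan1", vt="Virtual-Template1 type tunnel"):
    sec = sections(config)
    opts = dict(l.split(None, 1) for l in sec[f"crypto isakmp client configuration group {group}"])
    lan = next(ipaddress.ip_interface("/".join(l.split()[2:4])).network
               for l in sec[f"interface {lan_if}"] if l.startswith("ip address "))
    pool = next(h.split()[4:6] for h in sec if h.startswith(f"ip local pool {opts['pool']} "))
    found = []
    if "acl" in opts:  # split tunnel: ACL sources become the client's secured routes
        srcs = [wildcard_net(*h.split()[4:6]) for h in sec
                if h.startswith(f"access-list {opts['acl']} permit ip ")]
        if not any(lan.subnet_of(n) for n in srcs):
            found.append(f"acl {opts['acl']} does not cover {lan}")
    else:  # full tunnel: the router must NAT the clients' Internet traffic
        nat = next(h.split()[5] for h in sec if h.startswith("ip nat inside source list "))
        nets = [wildcard_net(*h.split()[3:5]) for h in sec
                if h.startswith(f"access-list {nat} permit ")]
        if not all(any(ipaddress.ip_address(a) in n for n in nets) for a in pool):
            found.append(f"access-list {nat} does not permit the VPN pool")
        if "ip nat inside" not in sec[f"interface {vt}"]:
            found.append(f"interface {vt} lacks 'ip nat inside'")
    return found
```

Calling `check_easyvpn(BASE, "brooks")` on the sample reports the two full-tunnel NAT gaps; with `acl 150` in the group and the 192.168.0.0 source in access-list 150 it reports the uncovered LAN instead.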
 

Author Comment

by:icdl101
Thank you so much JFrederick29

Everything is working like a charm; no wonder you are a genius.


 
LVL 43

Expert Comment

by:JFrederick29
Sweet.  Glad to assist.