• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2384
  • Last Modified:

Cisco 877 router --- Easy Vpn Server setup

Hello.
I have set up the Easy Vpn Server following the  "Easy Vpn Server setup wizard"
i can dial in and get authenticated. but i can't see the computers on the network or say ping router address.
Simple setup just the cisco router and 8 port switch for testing purpose.
here is the running config
**************************************************************************************************************
Building configuration...

Current configuration : 3007 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BrooksRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$qEnA$YGRJNKLeF8z1cKBKbsFdj/
enable password admin808
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.199 192.168.1.254
!
ip dhcp pool CiscoDHCP
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 205.214.192.201 205.214.192.202
   default-router 192.168.1.77
   lease 7
!
!
ip name-server 205.214.192.201
ip name-server 205.214.192.202
!
!
!
username user privilege 15 secret 5 $1$U6/8$YPdMfXTwbvgTBU/
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group brooks
 key H3ll09854$
 pool SDM_POOL_1
 max-users 20
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group brooks
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Loopback0
 ip address 192.168.200.1 255.255.255.0
!
interface ATM0
 no ip address
 no ip route-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.4 point-to-point
 no ip route-cache
 no snmp trap link-status
 pvc 0/36
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 ip address 192.168.1.77 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 ip tcp adjust-mss 1412
!
interface Dialer3
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password xxxxxxxxxxx
!
ip local pool SDM_POOL_1 192.168.200.51 192.168.200.99
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer3 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password xxxxxxx
!
scheduler max-task-time 5000
end

****************************************************************************************************************
0
icdl101
Asked:
icdl101
  • 6
  • 3
1 Solution
 
JFrederick29Commented:
The config looks fine to me.

What are you trying to ping?

You should be able to ping both 192.168.200.1 and 192.168.1.77...
0
 
icdl101Author Commented:
i can ping 192.168.200.1
i can't ping 192.168.1.77

Doing tracert to 192.168.1.77 it stops at 192.168.200.1 and doesnt know where to go from there or it is getting denied
Also i m unable to surf the web once i get connected on the vpn server.
0
 
JFrederick29Commented:
For Internet, add this:

conf t
access-list 1 permit 192.168.200.0 0.0.0.255

interface Virtual-Template1 type tunnel
ip nat inside

You should be able to ping 192.168.1.77 (nothing is blocking it on the router).  Is the VLAN1 interface up/up? i.e. do you have something plugged into one of the Fastethernet ports?  You can't ping it if it is down.
0
Rewarding opportunities for women in IT

Across the nation, technology jobs are vacant because there aren’t enough qualified professionals to fill them. With a degree from WGU, you can get the credentials it takes to become an in-demand IT professional. Plus, WGU’s IT programs include industry certifications.

 
icdl101Author Commented:
ok i last command were good for surfing the web.

but still no resolution for internal lan.
i noticed that on a working vpn server for another site i once the client is connected i can see in the stats under Route Details-----> under Secured Routes Network and subnet mask popuplated where on this one i just see 0.0.0.0 and 0.0.0.0. for network and subnet mask.
so i  do i add these routes it seems this is the missing link.
Yes the VLAN1 interface is up
0
 
JFrederick29Commented:
Having the routes 0.0.0.0 0.0.0.0 is actually tunneling all traffic so that isn't the issue.

From the router itself, can you ping 192.168.1.77?  Can you post a "show int vlan1"?

Also, do this on the router "debug ip icmp" then ping from the VPN client to 192.168.1.77 and post the results.  You can then turn off the debug "undebug all".
0
 
JFrederick29Commented:
By the way, if you only want to tunnel traffic to the LAN (192.168.1.0/24) and use your local Internet connection, you can split tunnel.  It sounds like you are doing this at other locations.

conf t
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255

crypto isakmp client configuration group brooks
acl 150
0
 
JFrederick29Commented:
Sorry, typo.

Should be:

conf t
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255

crypto isakmp client configuration group brooks
acl 150
0
 
icdl101Author Commented:
Thank you so much JFrederick29

Everything working like a charm, no wonder u r Genius.


0
 
JFrederick29Commented:
Sweet.  Glad to assist.
0

Featured Post

NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now