Cisco 877 router --- Easy Vpn Server setup
Hello.
I have set up the Easy Vpn Server following the "Easy Vpn Server setup wizard"
i can dial in and get authenticated. but i can't see the computers on the network or say ping router address.
Simple setup just the cisco router and 8 port switch for testing purpose.
here is the running config
**************************
Building configuration...
Current configuration : 3007 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BrooksRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$qEnA$YGRJNKLeF8z1cKBKbs
enable password admin808
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.199 192.168.1.254
!
ip dhcp pool CiscoDHCP
import all
network 192.168.1.0 255.255.255.0
dns-server 205.214.192.201 205.214.192.202
default-router 192.168.1.77
lease 7
!
!
ip name-server 205.214.192.201
ip name-server 205.214.192.202
!
!
!
username user privilege 15 secret 5 $1$U6/8$YPdMfXTwbvgTBU/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group brooks
key H3ll09854$
pool SDM_POOL_1
max-users 20
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group brooks
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Loopback0
ip address 192.168.200.1 255.255.255.0
!
interface ATM0
no ip address
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.4 point-to-point
no ip route-cache
no snmp trap link-status
pvc 0/36
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
ip address 192.168.1.77 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
ip tcp adjust-mss 1412
!
interface Dialer3
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxx
ppp chap password xxxxxxxxxxx
!
ip local pool SDM_POOL_1 192.168.200.51 192.168.200.99
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer3 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxx
!
scheduler max-task-time 5000
end
**************************
I have set up the Easy Vpn Server following the "Easy Vpn Server setup wizard"
i can dial in and get authenticated. but i can't see the computers on the network or say ping router address.
Simple setup just the cisco router and 8 port switch for testing purpose.
here is the running config
**************************
Building configuration...
Current configuration : 3007 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BrooksRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$qEnA$YGRJNKLeF8z1cKBKbs
enable password admin808
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.150
ip dhcp excluded-address 192.168.1.199 192.168.1.254
!
ip dhcp pool CiscoDHCP
import all
network 192.168.1.0 255.255.255.0
dns-server 205.214.192.201 205.214.192.202
default-router 192.168.1.77
lease 7
!
!
ip name-server 205.214.192.201
ip name-server 205.214.192.202
!
!
!
username user privilege 15 secret 5 $1$U6/8$YPdMfXTwbvgTBU/
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group brooks
key H3ll09854$
pool SDM_POOL_1
max-users 20
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group brooks
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Loopback0
ip address 192.168.200.1 255.255.255.0
!
interface ATM0
no ip address
no ip route-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.4 point-to-point
no ip route-cache
no snmp trap link-status
pvc 0/36
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
ip address 192.168.1.77 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip route-cache
ip tcp adjust-mss 1412
!
interface Dialer3
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxxxxxx
ppp chap password xxxxxxxxxxx
!
ip local pool SDM_POOL_1 192.168.200.51 192.168.200.99
ip route 0.0.0.0 0.0.0.0 Dialer3
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer3 overload
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
snmp-server community public RO
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password xxxxxxx
!
scheduler max-task-time 5000
end
**************************
ASKER
i can ping 192.168.200.1
i can't ping 192.168.1.77
Doing tracert to 192.168.1.77 it stops at 192.168.200.1 and doesnt know where to go from there or it is getting denied
Also i m unable to surf the web once i get connected on the vpn server.
i can't ping 192.168.1.77
Doing tracert to 192.168.1.77 it stops at 192.168.200.1 and doesnt know where to go from there or it is getting denied
Also i m unable to surf the web once i get connected on the vpn server.
For Internet, add this:
conf t
access-list 1 permit 192.168.200.0 0.0.0.255
interface Virtual-Template1 type tunnel
ip nat inside
You should be able to ping 192.168.1.77 (nothing is blocking it on the router). Is the VLAN1 interface up/up? i.e. do you have something plugged into one of the Fastethernet ports? You can't ping it if it is down.
conf t
access-list 1 permit 192.168.200.0 0.0.0.255
interface Virtual-Template1 type tunnel
ip nat inside
You should be able to ping 192.168.1.77 (nothing is blocking it on the router). Is the VLAN1 interface up/up? i.e. do you have something plugged into one of the Fastethernet ports? You can't ping it if it is down.
ASKER
ok i last command were good for surfing the web.
but still no resolution for internal lan.
i noticed that on a working vpn server for another site i once the client is connected i can see in the stats under Route Details-----> under Secured Routes Network and subnet mask popuplated where on this one i just see 0.0.0.0 and 0.0.0.0. for network and subnet mask.
so i do i add these routes it seems this is the missing link.
Yes the VLAN1 interface is up
but still no resolution for internal lan.
i noticed that on a working vpn server for another site i once the client is connected i can see in the stats under Route Details-----> under Secured Routes Network and subnet mask popuplated where on this one i just see 0.0.0.0 and 0.0.0.0. for network and subnet mask.
so i do i add these routes it seems this is the missing link.
Yes the VLAN1 interface is up
Having the routes 0.0.0.0 0.0.0.0 is actually tunneling all traffic so that isn't the issue.
From the router itself, can you ping 192.168.1.77? Can you post a "show int vlan1"?
Also, do this on the router "debug ip icmp" then ping from the VPN client to 192.168.1.77 and post the results. You can then turn off the debug "undebug all".
From the router itself, can you ping 192.168.1.77? Can you post a "show int vlan1"?
Also, do this on the router "debug ip icmp" then ping from the VPN client to 192.168.1.77 and post the results. You can then turn off the debug "undebug all".
By the way, if you only want to tunnel traffic to the LAN (192.168.1.0/24) and use your local Internet connection, you can split tunnel. It sounds like you are doing this at other locations.
conf t
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255
crypto isakmp client configuration group brooks
acl 150
conf t
access-list 150 permit ip 192.168.0.0 0.0.0.255 192.168.200.0 0.0.0.255
crypto isakmp client configuration group brooks
acl 150
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thank you so much JFrederick29
Everything working like a charm, no wonder u r Genius.
Everything working like a charm, no wonder u r Genius.
Sweet. Glad to assist.
What are you trying to ping?
You should be able to ping both 192.168.200.1 and 192.168.1.77...