Help with RAS VPN (Cisco)

Ok, I have a RAS VPN set up. It terminates on a C850 Cisco router. I can connect to the network and get an IP address fine (via the Cisco VPN client). However, I cannot access any resources on the corporate side. When I ping 192.168.1.1, for example, this is what I get back:


Ethernet adapter Local Area Connection 2:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.10.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1

C:\Documents and Settings\rn>ping 192.168.1.1

Pinging 192.168.1.1 with 32 bytes of data:

Reply from 69.248.216.66: bytes=32 time=32ms TTL=255
Reply from 69.248.216.66: bytes=32 time=32ms TTL=255
Reply from 69.248.216.66: bytes=32 time=102ms TTL=255
Reply from 69.248.216.66: bytes=32 time=33ms TTL=255


That is our public IP. How come it is responding?
******************************************************
UNAUTHORIZED ACCESS IS PROHIBITED
*******************************************************
ORAWEROUTER#sh run
Building configuration...
 
Current configuration : 6008 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ORAWEROUTER
!
boot-start-marker
boot-end-marker
!
logging buffered 16834
 
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.20
ip dhcp excluded-address 192.168.2.1 192.168.2.20
!
ip dhcp pool INTERNAL-NET
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name INTERNAL_NET
   lease 4
!
ip dhcp pool vlan20
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   domain-name vlan20
   lease 4
!
!
ip cef
ip domain name ORAWE
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-3795100480
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3795100480
 revocation-check none
 rsakeypair TP-self-signed-3795100480
!
!
 
  quit
!
!
vtp domain ****
vtp mode transparent
username **** privilege 15 password *****
username **** password 7 ****
!
!
crypto logging session
!
crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group albertvpn
 key ***
 pool VPN
!
!
crypto ipsec transform-set albertsset esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set albertsset
!
!
crypto map albertsmap client authentication list userauthen
crypto map albertsmap isakmp authorization list groupauthor
crypto map albertsmap client configuration address respond
crypto map albertsmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface FastEthernet0
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet1
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet2
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet3
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet4
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 speed 100
 full-duplex
 no cdp enable
 crypto map albertsmap
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 encryption vlan 20 mode ciphers tkip
 !
 ssid GUEST-WLAN
    vlan 20
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 03055707011A245F5A1A
 !
 ssid PATIENCE
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 111918111E17050F01
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 description Guest wireless LAN - routed WLAN
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router rip
 network 192.168.1.0
 network 192.168.2.0
!
ip local pool VPN 192.168.10.1 192.168.10.3
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
ip nat inside source list NAT_ADDRESSES interface FastEthernet4 overload
!
ip access-list standard NAT_ADDRESSES
 permit 192.168.1.0 0.0.0.255
 permit 192.168.2.0 0.0.0.255
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
route-map nonat permit 10
 match ip address 100
!
!
control-plane
!
bridge 1 route ip
banner motd ^C
*******************************************************
UNAUTHORIZED ACCESS IS PROHIBITED
*******************************************************^C
alias exec s show ip interface brief
!
line con 0
 exec-timeout 59 0
 password 7 06070C2E1F1C58
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 59 0
 
 logging synchronous
!
scheduler max-task-time 5000
end
-----------------
sh ver
 
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(11)T1, RELEASE SOFTWARE (fc5)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Fri 26-Jan-07 00:47 by prod_rel_team
 
ROM: System Bootstrap, Version 12.3(8r)YI3, RELEASE SOFTWARE

WERAracerAsked:

Kerem ERSOYPresidentCommented:
Hi,

It seems to me that your 192.168.1.0 traffic is routed to your default gateway instead of the Cisco VPN. As for the response you're getting, it is coming from a router which has got the pachage with TTL=0, so it is responding on 192.168.1.1's behalf.

What you're gonna do is add a static route to your PCs with the VPN connection, and it will be:

route add 192.168.1.0 mask 255.255.255.0 192.168.10.1

if you make it permanent use the -p switch before add.

Cheers,
K.
0
Kerem ERSOYPresidentCommented:
pachage = packet.
To verify this you'll need to execute this command on your PC's with VPN connection active :

tracert -d 192.168.1.1

You'll see that packets are routed to your default gateway rather than to your VPN DG. This might be due to the metric values of your interfaces. Check it with a command like this:

netstat -rn

You might also like to post the output here.

0
WERAracerAuthor Commented:
Strange, I have deployed several RAS VPNs in firewalls and have not had to do that? I will give it a shot, but is there anything in the config of the router which can do this? I used to implement crypto NAT traversal to solve this problem in firewalls.
0
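Regarding the router-side question above: as an added example that is not part of the thread, here is the IOS NAT exemption that the posted config sets up but never applies (route-map nonat is defined, yet the ip nat inside source statement references the plain list NAT_ADDRESSES, and ACL 100 permits rather than denies the VPN-bound traffic). It assumes the addressing from the posted config (LAN 192.168.1.0/24, guest 192.168.2.0/24, VPN pool 192.168.10.x, overload NAT on FastEthernet4); on IOS, NAT is applied before IPsec, so without the exemption replies to VPN clients leave with the public address as source.

```cisco
! Added example, not from the thread: exclude router/LAN -> VPN-client traffic from NAT.
! Addresses are taken from the posted configuration (assumption: no other subnets exist).
!
! 1. Rebuild ACL 100 so that VPN-bound traffic is DENIED (= not translated) while
!    everything else from the inside subnets is still permitted for overload NAT.
no access-list 100
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny   ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
!
! 2. The route-map already exists in the posted config; it only needs the corrected ACL.
route-map nonat permit 10
 match ip address 100
!
! 3. Point the overload NAT statement at the route-map instead of the plain list.
no ip nat inside source list NAT_ADDRESSES interface FastEthernet4 overload
ip nat inside source route-map nonat interface FastEthernet4 overload
!
! 4. Optional: install a route to the client address when a tunnel comes up,
!    so the router forwards LAN replies into the tunnel rather than via the default route.
crypto dynamic-map dynmap 10
 reverse-route
!
! 5. Flush stale translations so the change takes effect for existing flows.
clear ip nat translation *
```

After reconnecting the client, `show ip nat translations` should show no entries with a 192.168.10.x destination, and a ping from the client to 192.168.1.1 should be answered from 192.168.1.1 rather than from the public IP.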

Kerem ERSOYPresidentCommented:
In fact the problem here is your RAS interface. It has no way to know that the 192.168.1.x/24 network is accessible through your VPN concentrator. I guess in this configuration you're using a split VPN tunnel, in that only VPN traffic is routed to your VPN interface as opposed to sending ALL traffic to your VPN interface.

This might be partly because of the new metric assignment scheme introduced in Vista. In XP all network metrics were the same, but beginning in Vista metrics are assigned according to the speed of the interface, thus if you have a Gbit Ethernet and a VPN connection of 1 Mbps, the interface metric for Ethernet is always lower, so the default gateway stays with your Ethernet. Hence the packets are going to the Ethernet DG instead of the VPN.
0
Kerem ERSOYPresidentCommented:
I am really not sure what good using NAT traversal would do for you in this context.
0
WERAracerAuthor Commented:
Well, I tried that static route command and it still replied with the public IP. I am on an XP machine.
0
Kerem ERSOYPresidentCommented:
Is that the output from your netstat -rn and tracert -d 192.168.1.10?

This has started with Vista and came to XP with SP3 :)
0
WERAracerAuthor Commented:
The first hop is the public IP. Then everything else times out.

By the way, I am not doing split tunneling.
0
WERAracerAuthor Commented:
Any ideas?
0
Kerem ERSOYPresidentCommented:
Isn't it strange that both your IP address and default gateway address are the same?
How can any packet be routed to your VPN under these circumstances??
0
WERAracerAuthor Commented:
How do we fix it? Is it something in the VPN pool?
0