Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 461
  • Last Modified:

Cisco VPN cONFIG

Hi,
Below is the config on my 2600 router. I can log in remotely using Cisco client and access the internal network all ok, however, I can not go through the router to the public internet. Please help.

Current configuration : 2266 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$lLqs$9Fc/KK/l0v05cx1hE/nFF1
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool mypool
   network 10.10.10.0 255.255.255.0
   domain-name ****
   dns-server 84.*.*.* 84.*.*.*
   default-router 10.10.10.1
   lease 24
!
!
!
!
!
!
username **** secret 5 $1$o/hk$8ejXyR4V3DOu/WXuUN4Wp0
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ****
 key ******
 dns 84.*.*.*
 domain ****
 pool ippool2
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0/0
 ip address 88.*.*.* 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool ippool2 10.10.20.1 10.10.20.50
ip route 0.0.0.0 0.0.0.0 88.*.*.*
!
no ip http server
no ip http secure-server
ip nat inside source route-map map interface FastEthernet0/0 overload
!
access-list 101 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
route-map map permit 10
 match ip address 101
!
!
!
control-plane
!
!
!
!
line con 0
 password 7 1139395042055B1E006B
line aux 0
 password 7 073F01191B1E49171353
line vty 0 4
 password 7 073F01191B1E49171353
!
!
end
0
souldigital
Asked:
souldigital
  • 2
1 Solution
 
koudryCommented:
Hello,

I am not a VPN expert but have tested some VPN solutions in the past. From a function point of view, I would test pure IP first to make sure that the IP part of the infrastructure, is working correctly without VPN. This means that you can ping end to end and you can also connect to the Internet.

Then  once you are satisfied that your IP network is working correctly, you lay VPN on top of it.  This is because sometimes, the problem may be at the IP level. So my first advice is to check that your IP network is working properly.

You also have DHCP and NAT. You need to check that these features too are working properly. Above all you need to check that NAT translation is taking place.

Since you have a default static route, you need to check that this is working correctly (sh ip route) and also ping the remote end to make sure that you resolve the destination.  You may have a routing problem but this is not obvious at this point. So make sure you can ping from end to end.

Cisco VPN client can be strange. Depending on your client platform, you need to check IP on the client (ipconfig /all) before connecting to VPN and again (ipconfig /all) after connecting to VPN to make sure you the correct IP. And make sure your client connectivity details are correct, i.e. server host IP, username, password, security token etc.

Good luck

Koudry
0
 
souldigitalAuthor Commented:
Basically the users sat behind the router can access the Internet all ok.

The users on the VPN client at remote sits can access the Internet but when connected to the VPN they can only access the servers and others users connected directly to the router but not the Internet.

I think it has something to do with the ip addressing appliend to the remote VPN clients, the default gateway is 10.0.0.1 and the subnet is 255.0.0.0 with no dns servers, this looks completely wrong :-s
0
 
koudryCommented:
Hello,

It may be a good idea to check if the IP address of the VPN client after connecting to VPN, to make sure that the IP address falls within the range pre-allocated to that authentication group or security token.

If a security token was used for a one-time password, an IP address range is associated with the security token in a way that when a client is connected to the VPN server using the security token, the VPN client IP address must fall within the allocated IP range.

The VPN server administrator should know the IP range for the VPN client. So you could check and see if the client is allocated the correct IP.

Good luck.
0
 
Alan Huseyin KayahanCommented:
Hello souldigital,
    Split-tunneling has to be configured in order to sustain the VPN client's default route locally.

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Regards
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now