souldigital
asked on
Cisco VPN cONFIG
Hi,
Below is the config on my 2600 router. I can log in remotely using Cisco client and access the internal network all ok, however, I can not go through the router to the public internet. Please help.
Current configuration : 2266 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$lLqs$9Fc/KK/l0v05cx1hE/
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool mypool
network 10.10.10.0 255.255.255.0
domain-name ****
dns-server 84.*.*.* 84.*.*.*
default-router 10.10.10.1
lease 24
!
!
!
!
!
!
username **** secret 5 $1$o/hk$8ejXyR4V3DOu/WXuUN
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group ****
key ******
dns 84.*.*.*
domain ****
pool ippool2
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0/0
ip address 88.*.*.* 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool2 10.10.20.1 10.10.20.50
ip route 0.0.0.0 0.0.0.0 88.*.*.*
!
no ip http server
no ip http secure-server
ip nat inside source route-map map interface FastEthernet0/0 overload
!
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
route-map map permit 10
match ip address 101
!
!
!
control-plane
!
!
!
!
line con 0
password 7 1139395042055B1E006B
line aux 0
password 7 073F01191B1E49171353
line vty 0 4
password 7 073F01191B1E49171353
!
!
end
Below is the config on my 2600 router. I can log in remotely using Cisco client and access the internal network all ok, however, I can not go through the router to the public internet. Please help.
Current configuration : 2266 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$lLqs$9Fc/KK/l0v05cx1hE/
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool mypool
network 10.10.10.0 255.255.255.0
domain-name ****
dns-server 84.*.*.* 84.*.*.*
default-router 10.10.10.1
lease 24
!
!
!
!
!
!
username **** secret 5 $1$o/hk$8ejXyR4V3DOu/WXuUN
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group ****
key ******
dns 84.*.*.*
domain ****
pool ippool2
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0/0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0/0
ip address 88.*.*.* 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool2 10.10.20.1 10.10.20.50
ip route 0.0.0.0 0.0.0.0 88.*.*.*
!
no ip http server
no ip http secure-server
ip nat inside source route-map map interface FastEthernet0/0 overload
!
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
route-map map permit 10
match ip address 101
!
!
!
control-plane
!
!
!
!
line con 0
password 7 1139395042055B1E006B
line aux 0
password 7 073F01191B1E49171353
line vty 0 4
password 7 073F01191B1E49171353
!
!
end
ASKER
Basically the users sat behind the router can access the Internet all ok.
The users on the VPN client at remote sits can access the Internet but when connected to the VPN they can only access the servers and others users connected directly to the router but not the Internet.
I think it has something to do with the ip addressing appliend to the remote VPN clients, the default gateway is 10.0.0.1 and the subnet is 255.0.0.0 with no dns servers, this looks completely wrong :-s
The users on the VPN client at remote sits can access the Internet but when connected to the VPN they can only access the servers and others users connected directly to the router but not the Internet.
I think it has something to do with the ip addressing appliend to the remote VPN clients, the default gateway is 10.0.0.1 and the subnet is 255.0.0.0 with no dns servers, this looks completely wrong :-s
Hello,
It may be a good idea to check if the IP address of the VPN client after connecting to VPN, to make sure that the IP address falls within the range pre-allocated to that authentication group or security token.
If a security token was used for a one-time password, an IP address range is associated with the security token in a way that when a client is connected to the VPN server using the security token, the VPN client IP address must fall within the allocated IP range.
The VPN server administrator should know the IP range for the VPN client. So you could check and see if the client is allocated the correct IP.
Good luck.
It may be a good idea to check if the IP address of the VPN client after connecting to VPN, to make sure that the IP address falls within the range pre-allocated to that authentication group or security token.
If a security token was used for a one-time password, an IP address range is associated with the security token in a way that when a client is connected to the VPN server using the security token, the VPN client IP address must fall within the allocated IP range.
The VPN server administrator should know the IP range for the VPN client. So you could check and see if the client is allocated the correct IP.
Good luck.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
I am not a VPN expert but have tested some VPN solutions in the past. From a function point of view, I would test pure IP first to make sure that the IP part of the infrastructure, is working correctly without VPN. This means that you can ping end to end and you can also connect to the Internet.
Then once you are satisfied that your IP network is working correctly, you lay VPN on top of it. This is because sometimes, the problem may be at the IP level. So my first advice is to check that your IP network is working properly.
You also have DHCP and NAT. You need to check that these features too are working properly. Above all you need to check that NAT translation is taking place.
Since you have a default static route, you need to check that this is working correctly (sh ip route) and also ping the remote end to make sure that you resolve the destination. You may have a routing problem but this is not obvious at this point. So make sure you can ping from end to end.
Cisco VPN client can be strange. Depending on your client platform, you need to check IP on the client (ipconfig /all) before connecting to VPN and again (ipconfig /all) after connecting to VPN to make sure you the correct IP. And make sure your client connectivity details are correct, i.e. server host IP, username, password, security token etc.
Good luck
Koudry