Solved

Cisco VPN Config

Posted on 2010-11-13
4
390 Views
Last Modified: 2012-06-21
Hi,
Below is the config on my 2600 router. I can log in remotely using the Cisco client and access the internal network all OK; however, I cannot go through the router to the public internet. Please help.

Current configuration : 2266 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname ****
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$lLqs$9Fc/KK/l0v05cx1hE/nFF1
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool mypool
   network 10.10.10.0 255.255.255.0
   domain-name ****
   dns-server 84.*.*.* 84.*.*.*
   default-router 10.10.10.1
   lease 24
!
!
!
!
!
!
username **** secret 5 $1$o/hk$8ejXyR4V3DOu/WXuUN4Wp0
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ****
 key ******
 dns 84.*.*.*
 domain ****
 pool ippool2
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface ATM0/0
 no ip address
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface FastEthernet0/0
 ip address 88.*.*.* 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
ip local pool ippool2 10.10.20.1 10.10.20.50
ip route 0.0.0.0 0.0.0.0 88.*.*.*
!
no ip http server
no ip http secure-server
ip nat inside source route-map map interface FastEthernet0/0 overload
!
access-list 101 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 10.10.20.0 0.0.0.255 any
route-map map permit 10
 match ip address 101
!
!
!
control-plane
!
!
!
!
line con 0
 password 7 1139395042055B1E006B
line aux 0
 password 7 073F01191B1E49171353
line vty 0 4
 password 7 073F01191B1E49171353
!
!
end
0
Comment
Question by:souldigital
4 Comments
 
LVL 10

Expert Comment

by:koudry
ID: 34128791
Hello,

I am not a VPN expert but have tested some VPN solutions in the past. From a function point of view, I would test pure IP first to make sure that the IP part of the infrastructure, is working correctly without VPN. This means that you can ping end to end and you can also connect to the Internet.

Then, once you are satisfied that your IP network is working correctly, you lay VPN on top of it. This is because sometimes the problem may be at the IP level. So my first advice is to check that your IP network is working properly.

You also have DHCP and NAT. You need to check that these features too are working properly. Above all you need to check that NAT translation is taking place.

Since you have a default static route, you need to check that this is working correctly (sh ip route) and also ping the remote end to make sure that you resolve the destination.  You may have a routing problem but this is not obvious at this point. So make sure you can ping from end to end.

Cisco VPN client can be strange. Depending on your client platform, you need to check IP on the client (ipconfig /all) before connecting to VPN and again (ipconfig /all) after connecting to VPN to make sure you have the correct IP. And make sure your client connectivity details are correct, i.e. server host IP, username, password, security token etc.

Good luck

Koudry
0
 

Author Comment

by:souldigital
ID: 34128870
Basically the users sat behind the router can access the Internet all ok.

The users on the VPN client at remote sites can access the Internet, but when connected to the VPN they can only access the servers and other users connected directly to the router, not the Internet.

I think it has something to do with the IP addressing applied to the remote VPN clients: the default gateway is 10.0.0.1 and the subnet is 255.0.0.0 with no DNS servers. This looks completely wrong :-s
0
 
LVL 10

Expert Comment

by:koudry
ID: 34141755
Hello,

It may be a good idea to check the IP address of the VPN client after connecting to the VPN, to make sure that the IP address falls within the range pre-allocated to that authentication group or security token.

If a security token was used for a one-time password, an IP address range is associated with the security token in a way that when a client is connected to the VPN server using the security token, the VPN client IP address must fall within the allocated IP range.

The VPN server administrator should know the IP range for the VPN client. So you could check and see if the client is allocated the correct IP.

Good luck.
0
 
LVL 29

Accepted Solution

by:
Alan Huseyin Kayahan earned 500 total points
ID: 34142378
Hello souldigital,
    Split-tunneling has to be configured in order to sustain the VPN client's default route locally.

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Regards
0
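Added example (editor's addition, not part of the thread or of Cisco's linked document): what the split-tunnel configuration the accepted answer refers to looks like when applied to the poster's own config. Only traffic between the 10.10.10.0/24 LAN and the 10.10.20.0/24 client pool (ippool2) is then sent through the tunnel; everything else, including Internet traffic, keeps using the client's local default route instead of being hairpinned through the 2600. The ACL number 108 is an assumption (any unused extended ACL number works), and the masked group name and key are kept as the poster masked them.

```cisco
! Split-tunnel ACL: source = protected LAN behind Fa0/1,
! destination = the VPN client pool handed out from ippool2.
! Anything NOT matched here stays on the client's local route table.
! ACL 108 is an assumed, unused number; pick any free extended ACL.
access-list 108 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
!
! Re-enter the existing group and add the "acl" line; the other
! attributes are unchanged from the posted config (values masked as posted).
crypto isakmp client configuration group ****
 key ******
 dns 84.*.*.*
 domain ****
 pool ippool2
 acl 108
!
! The posted NAT route-map ACL already exempts LAN -> pool traffic from
! translation, which split tunneling relies on; it must stay in place:
!   access-list 101 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
```

After reconnecting the VPN client, its route table should show only 10.10.10.0/24 pointed at the tunnel while the local default route remains, and `show crypto ipsec sa` on the router should show the SA proxy identities limited to the two subnets in ACL 108. Note also that the posted transform set (esp-des esp-md5-hmac) and ISAKMP hash (md5) are weak by today's standards; the same group configuration works unchanged with an AES/SHA transform set.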