Solved

Cisco 1841 EasyVPN set-up

Posted on 2011-05-06
570 Views
Last Modified: 2012-05-11
Can someone help me to set up EasyVPN on a Cisco 1841 router? I need to be able to ping my hosts on the local network.
LAN network: 10.1.1.0
Here is my config:


version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker

aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network StorageGroup local
!
!
aaa session-id common
ip cef

ip name-server 206.191.x.x
!
multilink bundle-name authenticated
!

username mike password 0 test

!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key test
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain domain.local
 pool pool100
 acl SplitTunnel
 save-password
 include-local-lan
 backup-gateway 10.1.1.13
 backup-gateway 10.1.1.18
 netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route remote-peer 10.1.1.18
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!

interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
ip route 10.1.1.0 255.255.255.0 FastEthernet0/1
!
!
ip http server
no ip http secure-server
ip nat inside source list SplitTunnel interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
 permit ip 10.0.0.0 0.255.255.255 any
!

!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
!
scheduler allocate 20000 1000
end

Any help would be highly appreciated.
Question by: stasila2010
6 Comments
 
LVL 47

Expert Comment

by:Craig Beck
ID: 35709579
Install SDM on a PC and use that to connect to the router (you may need to install SDM on the router too).
There's a wizard to help you configure EasyVPN in SDM.
 
LVL 15

Expert Comment

by:Robert Sutton Jr
ID: 35709739
I don't see any statement allowing ICMP messages in your ACL.
 
LVL 47

Accepted Solution

by: Craig Beck (earned 2000 total points)
ID: 35711898
I would try the following:

ip access-list extended SplitTunnel
 deny ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any


It looks like you're NATing all traffic from your LAN via Fa0/1, so traffic to 10.1.1.0 won't be tunneled.

Also, you shouldn't really need the following line, as you're already routing via Fa0/1...

ip route 10.1.1.0 255.255.255.0 FastEthernet0/1
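The NAT-versus-tunnel interaction raised in the accepted solution is easy to check by evaluating the SplitTunnel ACL against concrete flows. The Python below is an added example, not code from the thread or from Cisco: it parses IOS extended ACL entries with wildcard masks (only the `permit ip` / `deny ip` form used in this thread), applies first-match semantics with the implicit trailing deny, and reports which flows `ip nat inside source list SplitTunnel` would translate. ORIGINAL_ACL and SUGGESTED_ACL are the two ACLs quoted in the thread; POOL_EXEMPT_ACL and every host address are constructed for illustration, as is the assumption that LAN-to-VPN-pool traffic (pool 10.1.2.200-240 from the config) is the flow that must bypass NAT to be encrypted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# ACLs as posted in the thread (first two) plus one constructed variant that
# exempts LAN -> VPN-pool traffic from NAT. The third is an assumption for
# illustration, not something the thread proposes.
ORIGINAL_ACL = """ip access-list extended SplitTunnel
 permit ip 10.0.0.0 0.255.255.255 any
"""
SUGGESTED_ACL = """ip access-list extended SplitTunnel
 deny ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
"""
POOL_EXEMPT_ACL = """ip access-list extended SplitTunnel
 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any
"""

# Constructed sample flows: (source, destination). 203.0.113.10 is a
# documentation-range address standing in for an Internet host.
FLOWS: Dict[str, Tuple[str, str]] = {
    "LAN host -> VPN client in pool": ("10.1.1.5", "10.1.2.200"),
    "LAN host -> LAN server":         ("10.1.1.5", "10.1.1.3"),
    "LAN host -> Internet host":      ("10.1.1.5", "203.0.113.10"),
}


@dataclass
class AclEntry:
    action: str      # "permit" or "deny"
    src: int         # source address as a 32-bit int
    src_wild: int    # wildcard mask: 1 bits are "don't care"
    dst: int
    dst_wild: int


def _parse_addr(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tokens[i].
    Returns (address, wildcard, index of the next unread token)."""
    tok = tokens[i]
    if tok == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tok == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return (int(ipaddress.IPv4Address(tok)),
            int(ipaddress.IPv4Address(tokens[i + 1])), i + 2)


def parse_acl(text: str) -> List[AclEntry]:
    """Parse the permit/deny lines of an IOS extended ACL; the header and
    blank lines are ignored. Only protocol 'ip' is modelled."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens[0], tokens[1]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line!r}")
        src, src_wild, i = _parse_addr(tokens, 2)
        dst, dst_wild, _ = _parse_addr(tokens, i)
        entries.append(AclEntry(action, src, src_wild, dst, dst_wild))
    return entries


def _wild_match(addr: int, base: int, wild: int) -> bool:
    # IOS wildcard semantics: compare only the bits that are 0 in the mask.
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


def acl_action(acl: List[AclEntry], src: str, dst: str) -> str:
    """First matching entry wins; an ACL ends with an implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for e in acl:
        if _wild_match(s, e.src, e.src_wild) and _wild_match(d, e.dst, e.dst_wild):
            return e.action
    return "deny"


def nat_translates(acl: List[AclEntry], src: str, dst: str) -> bool:
    """'ip nat inside source list X' translates a flow exactly when X permits it.
    A translated source no longer matches the per-client IPsec proxy identity,
    so a permitted LAN -> pool flow is NATed instead of encrypted."""
    return acl_action(acl, src, dst) == "permit"


def nat_report(acl_text: str) -> Dict[str, bool]:
    """Map each sample flow to True if the given ACL would have NAT translate it."""
    acl = parse_acl(acl_text)
    return {name: nat_translates(acl, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_ACL),
                        ("suggested", SUGGESTED_ACL),
                        ("pool-exempt (constructed)", POOL_EXEMPT_ACL)):
        print(f"--- {label} ---")
        for flow, translated in nat_report(text).items():
            print(f"{flow:32s} NATed={translated}")
```

Run as a script, the report shows that the original ACL translates every 10.x source, including LAN traffic destined for the VPN pool. The suggested deny exempts LAN-to-10.1.1.0/24 traffic only; the LAN-to-pool flow still matches the permit and is translated. The constructed pool-exempt variant is the shape that leaves LAN-to-pool traffic untranslated while Internet-bound traffic is still NATed, which is the check to run before trusting that VPN return traffic reaches the crypto map.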

Author Comment

by:stasila2010
ID: 35721857
Thank you for your suggestions. I have modified my config but am still unable to access any resources on my LAN.
Here is my config again. Please advise.


Building configuration...

Current configuration : 2132 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption

hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker

aaa new-model

aaa authentication login userauthen local
aaa authorization network StorageGroup local

!
aaa session-id common
ip cef

!
ip name-server 206.191.x.x
!
multilink bundle-name authenticated

username mike password 0 test

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key xxxx
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain domain.local
 pool pool100
 acl SplitTunnel
 save-password
 include-local-lan
 backup-gateway 10.1.1.13
 backup-gateway 10.1.1.18
 netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route remote-peer 10.1.1.18
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap

interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.11 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source list SplitTunnel interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
 deny   ip 10.0.0.0 0.255.255.255 10.1.1.0 0.0.0.255
 permit ip 10.0.0.0 0.255.255.255 any


 

Author Comment

by:stasila2010
ID: 35731492
I cannot ping any devices nor access any of the internal resources (network shares, RDP, application servers, etc.). Any help would be highly appreciated.
 

Author Comment

by:stasila2010
ID: 35732532
Here is my latest config:

hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test
!
!
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key test
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain castgroup.local
 pool pool100
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.11 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip default-gateway 10.1.1.13
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source list 100 interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
