Can someone please help me with my config? I have set up the Easy VPN and my VPN clients are receiving an IP address, but they cannot ping any devices or access any of the internal resources (network shares, RDP, application servers, etc.). Any help would be highly appreciated.
Here is my config.
Building configuration...
Current configuration : 2068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group StorageGroup
key test
dns 10.1.1.3 10.1.1.11
wins 10.1.1.3 10.1.1.11
domain domain
pool pool100
acl SplitTunnel
save-password
netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set aessha
reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 10.1.1.18 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 173.206.x.11 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map vpnmap
!
interface Serial0/0/0
no ip address
shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
!
route-map nonat permit 10
match ip address VPN-traffic
sh ip route
Gateway of last resort is 173.206.x.9 to network 0.0.0.0
173.206.0.0/29 is subnetted, 1 subnets
C 173.206.x.8 is directly connected, FastEthernet0/1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, FastEthernet0/0
S 10.1.2.200/32 [1/0] via 67.212.13.26
S* 0.0.0.0/0 [1/0] via 173.206.x.9
Router#sh cryp ip sa
interface: FastEthernet0/1
Crypto map tag: vpnmap, local addr 173.206.x.11
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
current_peer 67.212.13.26 port 61277
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 173.206.x.11, remote crypto endpt.: 67.212.13.26
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
current outbound spi: 0xBB412AC8(3141610184)
inbound esp sas:
spi: 0x39F28194(972194196)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2001, flow_id: FPGA:1, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4583849/3264)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBB412AC8(3141610184)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2002, flow_id: FPGA:2, crypto map: vpnmap
sa timing: remaining key lifetime (k/sec): (4583862/3255)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
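An added example, not part of the original post: a Python check over the output above that flags IPsec SAs carrying traffic in only one direction (here 76 decaps against 0 encaps) and ACL names that a route-map matches on but the pasted configuration never defines. The sample strings are constructed from lines in the post, and the function names are hypothetical.

```python
import re

# Constructed sample: lines copied from the "sh cryp ip sa" output in the post.
SAMPLE_SA = """\
remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
current_peer 67.212.13.26 port 61277
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
"""

# Constructed sample: the NAT, ACL and route-map lines from the posted config.
SAMPLE_CFG = """\
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address VPN-traffic
"""

def one_way_sas(text):
    """Return (peer, remote_ident, encaps, decaps) for SAs passing traffic one way only."""
    findings, peer, ident, encaps = [], None, None, None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"remote ident .*?: \((\S+?)/", line):
            ident = m.group(1)
        elif m := re.match(r"current_peer (\S+)", line):
            peer = m.group(1)
        elif m := re.match(r"#pkts encaps: (\d+)", line):
            encaps = int(m.group(1))
        elif m := re.match(r"#pkts decaps: (\d+)", line):
            decaps = int(m.group(1))
            # Exactly one of the two counters is zero: traffic flows one way.
            if encaps is not None and (encaps == 0) != (decaps == 0):
                findings.append((peer, ident, encaps, decaps))
            encaps = None
    return findings

def undefined_acl_refs(cfg):
    """Return ACL names/numbers used by 'match ip address' but defined nowhere in cfg."""
    defined = set(re.findall(r"^ip access-list (?:extended|standard) (\S+)", cfg, re.M))
    defined |= set(re.findall(r"^access-list (\d+) ", cfg, re.M))
    matches = re.findall(r"^\s*match ip address (.+)$", cfg, re.M)
    return [n for line in matches for n in line.split() if n not in defined]

if __name__ == "__main__":
    print(one_way_sas(SAMPLE_SA), undefined_acl_refs(SAMPLE_CFG))
```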