awilderbeast
asked on
Remote Access VPN (Via VPN Client) UP but no ping LAN/ can ping DG
hi all,
I've been racking my brains out for hours now. My remote access VPN via Cisco VPN Client is UP; I can ping the RA VPN DG but can't get any further than that.
Relevant config below.
I can ping 192.168.250.1 and it replies with the public IP address, but I can't ping any 192.168.101.* addresses.
Anyone know what's up here?
Thank you!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RAVPN_AUTHEN local
aaa authorization network RAVPN_AUTHOR local
!
ip source-route
!
ip cef
no ip domain lookup
ip domain name domain.local
ip name-server 192.168.101.1
ip inspect name UserTraffic http
ip inspect name UserTraffic https
ip inspect name UserTraffic dns
ip inspect name UserTraffic tcp
ip inspect name UserTraffic udp
ip inspect name UserTraffic icmp
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
no ipv6 cef
!
username user privilege 0 password 0 xxxxxxxxxxxxxxxxxxxxxxxx
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp key xxxxxxxxxxxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30
crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
key xxxxxxxxxxxxxxxxxxxxxx
dns 192.168.101.1
domain domain.local
pool RAVPN_POOL
max-users 8
netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
match identity group RAVPN_GROUP
client authentication list RAVPN_AUTHEN
isakmp authorization list RAVPN_AUTHOR
client configuration address respond
virtual-template 1
!
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set VPN_SET
!
crypto ipsec profile DataTunnels
set transform-set AES-SHA
!
!
crypto dynamic-map RemoteVPNS 20
set transform-set VPN_SET
set isakmp-profile RAVPN_PROFILE
reverse-route
!
!
crypto map HOME_VPNS 30 ipsec-isakmp dynamic RemoteVPNS
!
!
!
!
!
interface Loopback0
ip address 192.168.250.1 255.255.255.0
!
interface ATM0
description PPP DIALER TO KAROO
no ip address
no atm ilmi-keepalive
pvc 1/50
dialer pool-member 1
protocol ppp dialer
!
!
interface FastEthernet0
description INTERNAL LAN
switchport access vlan 101
!
interface FastEthernet1
switchport access vlan 101
!
interface FastEthernet2
switchport access vlan 201
!
interface FastEthernet3
switchport access vlan 500
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile DMVPN
!
interface Vlan1
no ip address
shutdown
!
interface Vlan101
ip address 192.168.101.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Dialer1
ip address negotiated
ip access-group INBOUND in
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
load-interval 30
dialer pool 1
ppp chap hostname cxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
no cdp enable
crypto map HOME_VPNS
!
router nhrp
!
router odr
!
ip local pool RAVPN_POOL 192.168.250.2 192.168.250.10
ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no ip nat service sip udp port 5060
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INBOUND
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any host xxx.xxx.xxx.xx3 eq www
permit tcp any host xxx.xxx.xxx.xx3 eq 443
permit tcp any host xxx.xxx.xxx.xx3 eq smtp
permit udp any host xxx.xxx.xxx.xx3 eq isakmp
permit esp any host xxx.xxx.xxx.xx3
permit ahp any host xxx.xxx.xxx.xx3
permit tcp any host xxx.xxx.xxx.xx3 eq 54321
permit udp any host xxx.xxx.xxx.xx3 eq 54321
permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
deny ip any any
permit ip any any
ip access-list extended OUTBOUND
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.101.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny ip any any
!
no cdp run
ASKER
I've made said changes (see below).
I still cannot ping any address inside the network beyond the loopback interface :|
crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
key asdasdasdasdasdasdasdqwdqwdqwdqwd
dns 192.168.101.1
domain domain.local
pool RAVPN_POOL
acl RemoteVPN
max-users 8
netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
match identity group RAVPN_GROUP
client authentication list RAVPN_AUTHEN
isakmp authorization list RAVPN_AUTHOR
client configuration address respond
client configuration group RAVPN_GROUP
virtual-template 1
Extended IP access list RemoteVPN
10 permit ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
Extended IP access list OUTBOUND
10 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
20 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
ASKER
some outputs below
sh crypto sess
Interface: Virtual-Access6
Username: user
Profile: RAVPN_PROFILE
Group: RAVPN_GROUP
Assigned address: 192.168.250.3
Session status: UP-ACTIVE
Peer: 192.168.101.57 port 52383
IKEv1 SA: local xxx.xxx.xxx.xx3/500 remote 192.168.101.57/52383 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.250.3
Active SAs: 2, origin: crypto map
sh cr ipsec sa
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.250.3/255.255.255.255/0/0)
current_peer 192.168.101.57 port 500
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 195, #pkts decrypt: 195, #pkts verify: 195
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: xxx.xxx.xxx.xx3, remote crypto endpt.: 192.168.101.57
path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
Try the following:
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
route-map nonat permit 10
match ip address 101
ip nat inside source route-map nonat interface Dialer1 overload
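The NAT-exemption idea in the answer above (deny the LAN-to-pool traffic in the list that feeds ip nat inside source, so the router routes it untranslated while everything else is still overloaded onto Dialer1) can be checked offline. The following Python is an added example, not code from the thread, the answerers or Cisco: it implements IOS-style extended ACL matching (wildcard masks, first match wins, implicit deny at the end) and applies it to the OUTBOUND list as the asker later posted it and to the access-list 101 suggested in the answer. The ACL text is copied from the thread; the flows are constructed. It assumes contiguous wildcard masks and matches only on protocol, addresses and destination port.

```python
"""
IOS-style extended ACL evaluation, used to show which flows the
'ip nat inside source list ... interface Dialer1 overload' statement
translates and which it leaves alone (the NAT exemption discussed above).
Added example for this thread; not the asker's, the answerers' or Cisco's code.
ACL text copied from the thread; flows constructed; contiguous wildcards assumed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IOS port keywords that appear in the thread's access lists.
PORT_NAMES = {"smtp": 25, "www": 80, "telnet": 23, "isakmp": 500, "non500-isakmp": 4500}


@dataclass
class Flow:
    proto: str               # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass
class Entry:
    action: str              # "permit" or "deny"
    proto: str               # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _parse_addr(tokens: List[str], i: int):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard is the inverse of a netmask; invert it so 0.0.0.0 -> /32
    # and 255.255.255.255 -> /0 come out right (contiguous wildcard assumed).
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    netmask = str(ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF))
    return ipaddress.IPv4Network((tokens[i], netmask), strict=False), i + 2


def parse_acl(text: str) -> List[Entry]:
    """Accepts 'ip access-list extended' bodies and numbered 'access-list N ...' lines."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] == "access-list":
            tokens = tokens[2:]                      # drop 'access-list <number>'
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                                 # header line, comment or blank
        action, proto = tokens[0], tokens[1]
        src, i = _parse_addr(tokens, 2)
        dst, i = _parse_addr(tokens, i)
        dport = None
        if i < len(tokens) and tokens[i] == "eq":
            dport = PORT_NAMES.get(tokens[i + 1]) or int(tokens[i + 1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def evaluate(entries: List[Entry], flow: Flow) -> str:
    """First matching entry wins; no match means deny (IOS implicit deny)."""
    src, dst = ipaddress.IPv4Address(flow.src), ipaddress.IPv4Address(flow.dst)
    for e in entries:
        if e.proto != "ip" and e.proto != flow.proto:
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.dport is not None and e.dport != flow.dport:
            continue
        return e.action
    return "deny"


def is_translated(acl_text: str, flow: Flow) -> bool:
    """Under 'ip nat inside source list <ACL>': permit = translate, deny = route untouched."""
    return evaluate(parse_acl(acl_text), flow) == "permit"


# OUTBOUND as posted after the NAT-exemption entries were added (copied from the thread).
OUTBOUND = """
ip access-list extended OUTBOUND
 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
 deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit ip 192.168.101.0 0.0.0.255 any
 deny ip any any
"""

# The route-map style exemption list suggested in the answer (copied from the thread).
ACL_101 = """
access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
"""

if __name__ == "__main__":
    # Constructed flows: LAN host answering a pool client, LAN host to the Internet,
    # and LAN host to a 192.168.250.x address above .15, i.e. outside the exempted /28.
    for flow in (Flow("icmp", "192.168.101.57", "192.168.250.3"),
                 Flow("tcp", "192.168.101.57", "203.0.113.10", 443),
                 Flow("icmp", "192.168.101.57", "192.168.250.200")):
        for name, acl in (("OUTBOUND", OUTBOUND), ("ACL 101", ACL_101)):
            verdict = "translated" if is_translated(acl, flow) else "NAT-exempt"
            print(f"{name}: {flow.src} -> {flow.dst}: {verdict}")
```

The third constructed flow is the edge case worth noticing: the deny entry's wildcard 0.0.0.15 covers only 192.168.250.0 to .15, which contains the pool 192.168.250.2 to .10 used in the thread, but any client address outside that /28 would still be translated and the exemption would silently stop working if the pool were enlarged.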
ASKER
I already have that though.
I just added ip nat in to the Loopback0 interface; now on the test laptop I'm trying this on, the default DG of its Wi-Fi card is not getting disabled,
and as the laptop I'm testing on is inside the network I can't tell if it's working (presumably not, since the DG for the RA VPN is blank and the one for its Wi-Fi adapter is set).
How has this happened? Once the VPN is connected, is it not supposed to disable the internal DG and enable the VPN-only DG?
I'm going to call one of the users who's been trying to connect and see if it will come up externally.
ip nat inside source list OUTBOUND interface Dialer1 overload
Extended IP access list OUTBOUND
10 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255 (230719 matches)
20 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15 (182 matches)
40 deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255 (71145 matches)
50 permit tcp any any eq smtp (2000 matches)
60 permit tcp any any eq 443 (75093 matches)
70 permit ip 192.168.101.0 0.0.0.255 any (2198140 matches)
90 permit ip 192.168.250.0 0.0.0.255 any (8 matches)
100 deny ip any any (1245613 matches)
ASKER
Confirmed offsite: the DG for the VPN adapter is not set and the local adapter's DG is set.
So I don't know where things are at now, but I'm baffled lol.
Did you already have a look at the logs to see if anything shows up in there?
ASKER
Nothing in there at all :|
Damn this! lol
ASKER
OK, I've trimmed the fat and here's where I'm at now.
Connectivity-wise, I can ping 192.168.250.1 and it replies as 192.168.250.1 (previously, when it worked, it replied as the public IP),
and I can't get further than that; I can't ping any 192.168.101.* addresses :|
Cheers
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RAVPN_AUTHEN local
aaa authorization network RAVPN_AUTHOR local
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
key xxxxxxxxxxxxxxxx
dns 192.168.101.1
domain domain.local
pool RAVPN_POOL
max-users 8
netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
match identity group RAVPN_GROUP
client authentication list RAVPN_AUTHEN
isakmp authorization list RAVPN_AUTHOR
client configuration address respond
virtual-template 1
!
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set VPN_SET
!
crypto ipsec profile DataTunnels
set transform-set AES-SHA
!
!
crypto dynamic-map RemoteVPNS 20
set transform-set VPN_SET
set isakmp-profile RAVPN_PROFILE
reverse-route
!
crypto map HOME_VPNS 30 ipsec-isakmp dynamic RemoteVPNS
!
interface Loopback0
ip address 192.168.250.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile DMVPN
!
interface Vlan1
no ip address
shutdown
!
interface Vlan101
ip address 192.168.101.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
crypto map HOME_VPNS
!
ip local pool RAVPN_POOL 192.168.250.2 192.168.250.10
!
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip access-list extended OUTBOUND
deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.101.0 0.0.0.255 any
deny ip any any
crypto isakmp profile RAVPN_PROFILE
acl 103
access-list 103 permit ip [lan subnet] [wildcard netmask] [vpn subnet] [wildcard netmask]
i.e.
access-list 103 permit ip 192.168.0.0 0.0.1.255 172.16.10.0 0.0.0.255
ASKER
As soon as I enable the ACL on the group, the DG from the VPN client goes and the DG for the original card stays, if you know what I mean?
Nope, didn't get.
ASKER
I'll show you....
As you can see below, when a Cisco VPN Client connects, it removes the local DG and adds an IP config and DG to its VPN adapter.
When I add that ACL to the RAVPN_GROUP, the DG is not removed and the VPN client DG is not added, and I cannot ping the VPN gateway.
info.png
Sorry, my bad, it is for split-tunnel. Try allowing VPN-to-LAN communication in your inbound access list. I don't see any in your first config.
ASKER
I'm not following.
On INBOUND, permit?
permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
But if the VPN adapter does not have a DG, the clients will not know where to send the VPN traffic?
CWCH#sh ip access-lists
Extended IP access list INBOUND
10 deny tcp any any eq 22 (530 matches)
20 deny tcp any any eq telnet (451 matches)
60 permit tcp any host xxx.xxx.xxx.xx3 eq www (1305609 matches)
70 permit tcp any host xxx.xxx.xxx.xx3 eq 443 (766661 matches)
80 permit tcp any host xxx.xxx.xxx.xx3 eq smtp (642569 matches)
90 permit udp any host xxx.xxx.xxx.xx3 eq isakmp (149976 matches)
100 permit esp any host xxx.xxx.xxx.xx3 (47645216 matches)
110 permit ahp any host xxx.xxx.xxx.xx3
120 permit tcp any host xxx.xxx.xxx.xx3 eq 54321 (5707 matches)
130 permit udp any host xxx.xxx.xxx.xx3 eq 54321 (698179 matches)
140 permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp (736721 matches)
160 deny ip any any (1165810 matches)
170 permit ip any any
Extended IP access list OUTBOUND
10 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15 (847 matches)
20 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255 (1013 matches)
30 deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255 (82752 matches)
40 permit tcp any any eq smtp (2100 matches)
50 permit tcp any any eq 443 (77436 matches)
60 permit ip 192.168.101.0 0.0.0.255 any (2281717 matches)
70 permit ip 192.168.201.0 0.0.0.255 any (58487 matches)
80 deny ip any any (1303895 matches)
Extended IP access list RemoteVPN
10 permit ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
Forget my post about the 103 ACL :) I took it from a bad example and didn't realise that you don't have to do split-tunnel.
Add to your INBOUND access-list:
5 permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
ASKER
Done that; the DG is back on the VPN adapter now. I still can't ping 192.168.101.* and the new ACL entry hasn't incremented when I send the ping.
Extended IP access list INBOUND
5 permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
10 deny tcp any any eq 22 (530 matches)
20 deny tcp any any eq telnet (451 matches)
60 permit tcp any host xxx.xxx.xxx.xx3 eq www (1307509 matches)
70 permit tcp any host xxx.xxx.xxx.xx3 eq 443 (766957 matches)
80 permit tcp any host xxx.xxx.xxx.xx3 eq smtp (642820 matches)
90 permit udp any host xxx.xxx.xxx.xx3 eq isakmp (150086 matches)
100 permit esp any host xxx.xxx.xxx.xx3 (47694848 matches)
110 permit ahp any host xxx.xxx.xxx.xx3
120 permit tcp any host xxx.xxx.xxx.xx3 eq 54321 (5707 matches)
130 permit udp any host xxx.xxx.xxx.xx3 eq 54321 (698572 matches)
140 permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp (736721 matches)
160 deny ip any any (1166140 matches)
170 permit ip any any
CWCH#
Show route information from client after you established vpn connection and able to ping router and latest config from router.
ASKER
See below; I've tried to keep things relevant.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\User>ipconfig
Windows IP Configuration
Ethernet adapter Wireless Network Connection 4:
Connection-specific DNS Suffix . : local
IP Address. . . . . . . . . . . . : 192.168.0.68
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.102.8
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : domain.local
IP Address. . . . . . . . . . . . : 192.168.250.6
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.250.1
C:\Documents and Settings\User>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...1c af f7 10 66 a3 ...... D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C) - Packet Scheduler Miniport
0x3 ...00 1e 8c 89 c5 31 ...... Atheros L2 Fast Ethernet 10/100 Base-T Controller - Packet Scheduler Miniport
0x20005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.250.1 192.168.250.6 1
77.86.7.193 255.255.255.255 192.168.0.11 192.168.0.68 1
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.0.0 255.255.255.0 192.168.0.68 192.168.0.68 20
192.168.0.0 255.255.255.0 192.168.250.1 192.168.250.6 20
192.168.0.11 255.255.255.255 192.168.0.68 192.168.0.68 1
192.168.0.68 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.0.255 255.255.255.255 192.168.0.68 192.168.0.68 20
192.168.102.0 255.255.255.0 192.168.102.8 192.168.102.8 20
192.168.102.0 255.255.255.0 192.168.250.1 192.168.250.6 20
192.168.102.8 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.102.255 255.255.255.255 192.168.102.8 192.168.102.8 20
192.168.250.0 255.255.255.0 192.168.250.6 192.168.250.6 25
192.168.250.6 255.255.255.255 127.0.0.1 127.0.0.1 25
192.168.250.255 255.255.255.255 192.168.250.6 192.168.250.6 25
224.0.0.0 240.0.0.0 192.168.0.68 192.168.0.68 20
224.0.0.0 240.0.0.0 192.168.102.8 192.168.102.8 20
224.0.0.0 240.0.0.0 192.168.250.6 192.168.250.6 25
255.255.255.255 255.255.255.255 192.168.0.68 192.168.0.68 1
255.255.255.255 255.255.255.255 192.168.102.8 192.168.102.8 1
255.255.255.255 255.255.255.255 192.168.250.6 192.168.250.6 1
Default Gateway: 192.168.250.1
===========================================================================
Persistent Routes:
None
C:\Documents and Settings\User>
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RAVPN_AUTHEN local
aaa authorization network RAVPN_AUTHOR local
no ip domain lookup
ip domain name domain.local
ip name-server 192.168.101.1
ip inspect name UserTraffic http
ip inspect name UserTraffic https
ip inspect name UserTraffic dns
ip inspect name UserTraffic tcp
ip inspect name UserTraffic udp
ip inspect name UserTraffic icmp
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dns 192.168.101.1
domain domain.local
pool RAVPN_POOL
max-users 8
netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
match identity group RAVPN_GROUP
client authentication list RAVPN_AUTHEN
isakmp authorization list RAVPN_AUTHOR
client configuration address respond
virtual-template 1
!
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
mode transport
!
crypto ipsec profile DMVPN
set transform-set VPN_SET
!
crypto ipsec profile DataTunnels
set transform-set AES-SHA
!
crypto dynamic-map RemoteVPNS 20
set transform-set VPN_SET
set isakmp-profile RAVPN_PROFILE
reverse-route
!
crypto map HOME_VPNS 30 ipsec-isakmp dynamic RemoteVPNS
!
interface Loopback0
ip address 192.168.250.1 255.255.255.0
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile DMVPN
!
interface Dialer1
crypto map HOME_VPNS
!
ip local pool RAVPN_POOL 192.168.250.2 192.168.250.10
!
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INBOUND
permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
deny tcp any any eq 22
deny tcp any any eq telnet
permit tcp any host xxx.xxx.xxx.xx3 eq www
permit tcp any host xxx.xxx.xxx.xx3 eq 443
permit tcp any host xxx.xxx.xxx.xx3 eq smtp
permit udp any host xxx.xxx.xxx.xx3 eq isakmp
permit esp any host xxx.xxx.xxx.xx3
permit ahp any host xxx.xxx.xxx.xx3
permit tcp any host xxx.xxx.xxx.xx3 eq 54321
permit udp any host xxx.xxx.xxx.xx3 eq 54321
permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
deny ip any any
permit ip any any
ip access-list extended OUTBOUND
deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.101.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
deny ip any any
ip access-list extended RemoteVPN
permit ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
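The answerer asked for the client's routing table to see where 192.168.101.x traffic goes once the tunnel is up. The following Python is an added example, not code from the thread or from Cisco or Microsoft: it parses the Active Routes section of the Windows XP route print output the asker posted (copied here as the sample input), resolves a destination the way a host routing table is consulted (longest prefix first, then lowest metric) and reports which gateway and adapter would carry it. The lookups are constructed; the VPN adapter address 192.168.250.6 is taken from the posted ipconfig.

```python
"""
Resolve destinations against a Windows 'route print' table to see which
adapter carries them once the Cisco VPN Client is connected.
Added example for this thread; not the asker's, Cisco's or Microsoft's code.
The table is copied from the asker's post; the lookups are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Active Routes rows exactly as the asker posted them (whitespace reflowed).
ROUTE_PRINT = """
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.250.1   192.168.250.6       1
      77.86.7.193  255.255.255.255     192.168.0.11    192.168.0.68       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.68    192.168.0.68      20
      192.168.0.0    255.255.255.0    192.168.250.1   192.168.250.6      20
     192.168.0.11  255.255.255.255     192.168.0.68    192.168.0.68       1
     192.168.0.68  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.0.255  255.255.255.255     192.168.0.68    192.168.0.68      20
    192.168.102.0    255.255.255.0    192.168.102.8   192.168.102.8      20
    192.168.102.0    255.255.255.0    192.168.250.1   192.168.250.6      20
    192.168.102.8  255.255.255.255        127.0.0.1       127.0.0.1      20
  192.168.102.255  255.255.255.255    192.168.102.8   192.168.102.8      20
    192.168.250.0    255.255.255.0    192.168.250.6   192.168.250.6      25
    192.168.250.6  255.255.255.255        127.0.0.1       127.0.0.1      25
  192.168.250.255  255.255.255.255    192.168.250.6   192.168.250.6      25
        224.0.0.0        240.0.0.0     192.168.0.68    192.168.0.68      20
        224.0.0.0        240.0.0.0    192.168.102.8   192.168.102.8      20
        224.0.0.0        240.0.0.0    192.168.250.6   192.168.250.6      25
  255.255.255.255  255.255.255.255     192.168.0.68    192.168.0.68       1
  255.255.255.255  255.255.255.255    192.168.102.8   192.168.102.8       1
  255.255.255.255  255.255.255.255    192.168.250.6   192.168.250.6       1
Default Gateway:     192.168.250.1
===========================================================================
Persistent Routes:
None
"""

VPN_ADAPTER = "192.168.250.6"   # Cisco VPN adapter address from the posted ipconfig


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int


def parse_route_print(text: str) -> List[Route]:
    """Return the Active Routes rows; headers, separators and 'Default Gateway' are skipped."""
    routes: List[Route] = []
    active = False
    for line in text.splitlines():
        if line.startswith("Active Routes:"):
            active = True
            continue
        if line.startswith("Persistent Routes:"):
            break
        parts = line.split()
        if not active or len(parts) != 5 or parts[0] == "Network":
            continue
        dest, mask, gateway, iface, metric = parts
        net = ipaddress.IPv4Network((dest, mask), strict=False)
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest prefix wins, then lowest metric; remaining ties fall to table order."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def goes_via_tunnel(routes: List[Route], dst: str, vpn_adapter: str = VPN_ADAPTER) -> bool:
    """True when the selected route leaves through the VPN adapter."""
    route = lookup(routes, dst)
    return route is not None and route.interface == vpn_adapter


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT)
    # Constructed lookups: a LAN host, the VPN gateway, the host route kept on the
    # wireless adapter, and an Internet address (documentation range).
    for dst in ("192.168.101.1", "192.168.250.1", "77.86.7.193", "203.0.113.10"):
        r = lookup(table, dst)
        print(f"{dst:>15} -> {r.network} via {r.gateway} on {r.interface} "
              f"(metric {r.metric}, tunnel={goes_via_tunnel(table, dst)})")
```

With the posted table every 192.168.101.x destination falls to the default route and leaves through the VPN adapter, which is consistent with the asker's observation that the client's default gateway moves to 192.168.250.1; only the single /32 host route stays on the wireless adapter. Note that 192.168.0.0/24 and 192.168.102.0/24 each appear twice with the same metric, once via the physical adapter and once via the tunnel, so a lookup for those networks is decided by table order in this example.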
If you do a traceroute on one of your 192.168.101.x machines to 192.168.250.2, what is the output?
Can your 192.168.101.x machines ping 192.168.250.1?
After you establish the VPN, double-click the VPN icon in the system tray, then click on Status->statistics.
Try pinging 192.168.250.1 and 192.168.101.x addresses. Does the "packets encrypted" count increment during both operations?
Click on "Route Details" and make sure that 192.168.101.0 255.255.255.0 is listed.
ASKER
I haven't managed to test this out as yet, as the laptop I was using to test is out in the field; I will get back to this next week and let you know.
Thanks
ASKER CERTIFIED SOLUTION
ASKER
Found out the solution through testing:
crypto isakmp profile RAVPN_PROFILE
match identity group RAVPN_GROUP
client authentication list RAVPN_AUTHEN
isakmp authorization list RAVPN_AUTHOR
client configuration group RAVPN_GROUP
client configuration address respond
virtual-template 1
Also you might want to exclude traffic going from 192.168.101.x to 192.168.250.x and vice versa from being natted.