Solved

Remote Access VPN (Via VPN Client) UP but no ping LAN/ can ping DG

Posted on 2011-09-29
25
526 Views
Last Modified: 2012-05-20
Hi all,

Been racking my brains for hours now. My remote access VPN via the Cisco VPN Client is UP; I can ping the RA VPN DG but can't get any further than that.

Relevant config below.
I can ping 192.168.250.1 and it replies with the public IP address, but I can't ping any 192.168.101.* addresses.
Anyone know what's up here?

Thank you!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RAVPN_AUTHEN local
aaa authorization network RAVPN_AUTHOR local 
!
ip source-route
!

ip cef
no ip domain lookup
ip domain name domain.local
ip name-server 192.168.101.1
ip inspect name UserTraffic http
ip inspect name UserTraffic https
ip inspect name UserTraffic dns
ip inspect name UserTraffic tcp
ip inspect name UserTraffic udp
ip inspect name UserTraffic icmp
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3
no ipv6 cef
!
username user privilege 0 password 0 xxxxxxxxxxxxxxxxxxxxxxxx
!

crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 15
encr 3des
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
lifetime 7800
crypto isakmp key xxxxxxxxxxxxxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp fragmentation
crypto isakmp keepalive 10 4
crypto isakmp nat keepalive 30

crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
key xxxxxxxxxxxxxxxxxxxxxx
dns 192.168.101.1
domain domain.local
pool RAVPN_POOL
max-users 8
netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
   match identity group RAVPN_GROUP
   client authentication list RAVPN_AUTHEN
   isakmp authorization list RAVPN_AUTHOR
   client configuration address respond
   virtual-template 1
!
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac 
mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac 
mode transport
!
crypto ipsec profile DMVPN
set transform-set VPN_SET 
!
crypto ipsec profile DataTunnels
set transform-set AES-SHA 
!
!
crypto dynamic-map RemoteVPNS 20
set transform-set VPN_SET 
set isakmp-profile RAVPN_PROFILE
reverse-route
!
!
crypto map HOME_VPNS 30 ipsec-isakmp dynamic RemoteVPNS 
!
!
!
!
!
interface Loopback0
ip address 192.168.250.1 255.255.255.0
!

interface ATM0
description PPP DIALER TO KAROO
no ip address
no atm ilmi-keepalive
pvc 1/50 
  dialer pool-member 1
  protocol ppp dialer
!
!
interface FastEthernet0
description INTERNAL LAN
switchport access vlan 101
!
interface FastEthernet1
switchport access vlan 101
!
interface FastEthernet2
switchport access vlan 201
!
interface FastEthernet3
switchport access vlan 500
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile DMVPN
!
interface Vlan1
no ip address
shutdown
!
interface Vlan101
ip address 192.168.101.250 255.255.255.0
ip nat inside
ip virtual-reassembly
!
!
interface Dialer1
ip address negotiated
ip access-group INBOUND in
ip nbar protocol-discovery
ip nat outside
ip inspect UserTraffic out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1300
load-interval 30
dialer pool 1
ppp chap hostname cxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxx
no cdp enable
crypto map HOME_VPNS
!
router nhrp
!
router odr
!
ip local pool RAVPN_POOL 192.168.250.2 192.168.250.10

ip forward-protocol nd
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
no ip nat service sip udp port 5060
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

!
ip access-list extended INBOUND
deny   tcp any any eq 22
deny   tcp any any eq telnet
permit tcp any host xxx.xxx.xxx.xx3 eq www
permit tcp any host xxx.xxx.xxx.xx3 eq 443
permit tcp any host xxx.xxx.xxx.xx3 eq smtp
permit udp any host xxx.xxx.xxx.xx3 eq isakmp
permit esp any host xxx.xxx.xxx.xx3
permit ahp any host xxx.xxx.xxx.xx3
permit tcp any host xxx.xxx.xxx.xx3 eq 54321
permit udp any host xxx.xxx.xxx.xx3 eq 54321
permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
deny   ip any any
permit ip any any

ip access-list extended OUTBOUND
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.101.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
permit ip 192.168.250.0 0.0.0.255 any
deny   ip any any
!
no cdp run

Question by:awilderbeast
25 Comments
 
LVL 17

Expert Comment

by:MAG03
Just had a quick browse through your config. You seem to be missing the group under the isakmp profile.

crypto isakmp profile RAVPN_PROFILE
   match identity group RAVPN_GROUP
   client authentication list RAVPN_AUTHEN
   isakmp authorization list RAVPN_AUTHOR
   client configuration group RAVPN_GROUP  
   client configuration address respond
   virtual-template 1

Also, you might want to exclude traffic going from 192.168.101.x to 192.168.250.x and vice versa from being NATed.
0
 
LVL 1

Author Comment

by:awilderbeast
I've made said changes (see below).

I still cannot ping any address inside the network beyond the loopback interface :|
crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
 key asdasdasdasdasdasdasdqwdqwdqwdqwd
 dns 192.168.101.1
 domain domain.local
 pool RAVPN_POOL
 acl RemoteVPN
 max-users 8
 netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
   match identity group RAVPN_GROUP
   client authentication list RAVPN_AUTHEN
   isakmp authorization list RAVPN_AUTHOR
   client configuration address respond
   client configuration group RAVPN_GROUP
   virtual-template 1


Extended IP access list RemoteVPN
    10 permit ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15

Extended IP access list OUTBOUND
    10 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
    20 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15


0
 
LVL 1

Author Comment

by:awilderbeast
Some outputs below:
sh crypto sess

Interface: Virtual-Access6
Username: user
Profile: RAVPN_PROFILE
Group: RAVPN_GROUP
Assigned address: 192.168.250.3
Session status: UP-ACTIVE
Peer: 192.168.101.57 port 52383
  IKEv1 SA: local xxx.xxx.xxx.xx3/500 remote 192.168.101.57/52383 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.250.3
        Active SAs: 2, origin: crypto map

sh cr ipsec sa
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.250.3/255.255.255.255/0/0)
   current_peer 192.168.101.57 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 195, #pkts decrypt: 195, #pkts verify: 195
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: xxx.xxx.xxx.xx3, remote crypto endpt.: 192.168.101.57
     path mtu 1500, ip mtu 1500, ip mtu idb Dialer1
     current outbound spi: 0x0(0)
     PFS (Y/N): N, DH group: none

     inbound esp sas:

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

     outbound ah sas:

     outbound pcp sas:


0
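The counters in that "sh cr ipsec sa" output already tell a story: 195 packets decapsulated, 0 encapsulated, outbound SPI 0x0. The following Python is an added example, not something posted in the thread. It parses those counters (the sample text is the post's output with the masked public address replaced by the documentation address 198.51.100.3) and classifies the SA as one-way, so that whoever is troubleshooting knows to look at the return path from the LAN to the assigned client address rather than at IKE.

```python
"""Read the counters from 'show crypto ipsec sa' and classify the SA.
Added example; SAMPLE is the thread's output with the masked public
address replaced by the documentation address 198.51.100.3."""
import re
from dataclasses import dataclass
from typing import List

SAMPLE = """\
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.250.3/255.255.255.255/0/0)
   current_peer 192.168.101.57 port 500
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 195, #pkts decrypt: 195, #pkts verify: 195
    #send errors 0, #recv errors 0

     local crypto endpt.: 198.51.100.3, remote crypto endpt.: 192.168.101.57
     current outbound spi: 0x0(0)

     inbound esp sas:

     outbound esp sas:
"""


@dataclass
class SaSummary:
    peer: str
    remote_ident: str       # the client's assigned address (remote ident)
    encaps: int
    decaps: int
    send_errors: int
    recv_errors: int
    outbound_spi: int
    inbound_esp: bool       # an 'spi:' line follows 'inbound esp sas:'
    outbound_esp: bool


def _int(pattern: str, text: str) -> int:
    m = re.search(pattern, text)
    if not m:
        raise ValueError(f"field not found: {pattern}")
    return int(m.group(1))


def _has_sa(lines: List[str], header: str) -> bool:
    """True when the first non-blank line after `header` is an 'spi:' entry."""
    for i, line in enumerate(lines):
        if line.strip() == header:
            rest = [l.strip() for l in lines[i + 1:] if l.strip()]
            return bool(rest) and rest[0].startswith("spi:")
    return False


def parse_sa(text: str) -> SaSummary:
    lines = text.splitlines()
    return SaSummary(
        peer=re.search(r"current_peer (\S+)", text).group(1),
        remote_ident=re.search(r"remote ident.*?: \((\S+?)/", text).group(1),
        encaps=_int(r"#pkts encaps: (\d+)", text),
        decaps=_int(r"#pkts decaps: (\d+)", text),
        send_errors=_int(r"#send errors (\d+)", text),
        recv_errors=_int(r"#recv errors (\d+)", text),
        outbound_spi=int(re.search(r"current outbound spi: 0x([0-9A-Fa-f]+)", text).group(1), 16),
        inbound_esp=_has_sa(lines, "inbound esp sas:"),
        outbound_esp=_has_sa(lines, "outbound esp sas:"),
    )


def diagnose(s: SaSummary) -> List[str]:
    """Findings for one SA; an empty list means traffic flows both ways."""
    findings = []
    if s.decaps > 0 and s.encaps == 0:
        findings.append(
            f"one-way SA with {s.peer}: {s.decaps} packets decrypted from the client, "
            f"0 encrypted back; IKE and inbound IPsec work, so check the return path "
            f"to {s.remote_ident} (routing, NAT exemption, transform-set mode)")
    if s.encaps == 0 and s.decaps == 0:
        findings.append("no packets in either direction: traffic is not reaching this SA")
    if s.outbound_spi == 0 or not s.outbound_esp:
        findings.append("no outbound ESP SA installed (outbound spi 0x0)")
    if s.decaps > 0 and not s.inbound_esp:
        findings.append("no inbound ESP SA currently listed; the counters belong to an earlier SA")
    if s.send_errors or s.recv_errors:
        findings.append(f"errors: send={s.send_errors} recv={s.recv_errors}")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_sa(SAMPLE)):
        print("-", finding)
```

The point of the one-way check is that it separates the two halves of the problem: decaps climbing proves the client's packets arrive, decrypt and are accepted, so the "no ping" symptom is on the router's way back to 192.168.250.3, which is exactly where NAT exemption, routing to the pool and the transform-set mode live.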
 
LVL 35

Expert Comment

by:Ernie Beek
Try the following:

access-list 101 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
access-list 101 permit ip 192.168.101.0 0.0.0.255 any
route-map nonat permit 10
match ip address 101
ip nat inside source route-map nonat interface Dialer1 overload
0
 
LVL 1

Author Comment

by:awilderbeast
I already have that though.

I just added ip nat in to the Loopback0 interface. Now on my test laptop I'm trying this on, the default DG of its wifi card is not getting disabled, and as the laptop I'm testing on is inside the network I can't tell if it's working (presumably not, since the DG for the RAVPN is blank and the one for its wifi adapter is set).

How has this happened? Once the VPN is connected, is it not supposed to disable the internal DG and enable the VPN-only DG?

I'm going to call one of the users who's been trying to connect to see if it will come up externally.

ip nat inside source list OUTBOUND interface Dialer1 overload

Extended IP access list OUTBOUND
    10 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255 (230719 matches)
    20 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15 (182 matches)
    40 deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255 (71145 matches)
    50 permit tcp any any eq smtp (2000 matches)
    60 permit tcp any any eq 443 (75093 matches)
    70 permit ip 192.168.101.0 0.0.0.255 any (2198140 matches)
    90 permit ip 192.168.250.0 0.0.0.255 any (8 matches)
    100 deny ip any any (1245613 matches)


0
 
LVL 1

Author Comment

by:awilderbeast
Confirmed offsite: the DG for the VPN adapter is not set and the local adapter's DG is set.

So I don't know where things are at now, but I'm baffled lol
0
 
LVL 35

Expert Comment

by:Ernie Beek
Did you already have a look at the logs to see if anything shows up in there?
0
 
LVL 1

Author Comment

by:awilderbeast
Nothing in there at all :|

Damn this! lol
0
 
LVL 1

Author Comment

by:awilderbeast
OK, I've trimmed the fat and here's where I'm at now.

Connectivity-wise, I can ping 192.168.250.1 and it replies as 192.168.250.1 (previously, when it worked, it replied as the public IP).

And I can't get further than that; I can't ping any 192.168.101.* addresses :|

Cheers
aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RAVPN_AUTHEN local
aaa authorization network RAVPN_AUTHOR local 

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 7800

crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
 key xxxxxxxxxxxxxxxx
 dns 192.168.101.1
 domain domain.local
 pool RAVPN_POOL
 max-users 8
 netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
   match identity group RAVPN_GROUP
   client authentication list RAVPN_AUTHEN
   isakmp authorization list RAVPN_AUTHOR
   client configuration address respond
   virtual-template 1
!
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set VPN_SET 
!
crypto ipsec profile DataTunnels
 set transform-set AES-SHA 
!
!
crypto dynamic-map RemoteVPNS 20
 set transform-set VPN_SET 
 set isakmp-profile RAVPN_PROFILE
 reverse-route
!
crypto map HOME_VPNS 30 ipsec-isakmp dynamic RemoteVPNS 
!
interface Loopback0
 ip address 192.168.250.1 255.255.255.0
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN
!
interface Vlan1
 no ip address
 shutdown
!
interface Vlan101
 ip address 192.168.101.250 255.255.255.0
 ip nat inside
 ip virtual-reassembly

!
interface Dialer1
 crypto map HOME_VPNS
!
ip local pool RAVPN_POOL 192.168.250.2 192.168.250.10
!
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1

ip access-list extended OUTBOUND
 deny   ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
 deny   ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
 deny   ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit ip 192.168.101.0 0.0.0.255 any
 deny   ip any any


0
 
LVL 2

Expert Comment

by:simplejack
crypto isakmp profile RAVPN_PROFILE
acl 103

access-list 103 permit ip [lan subnet] [wildcard netmask] [vpn subnet] [wildcard netmask]

i.e.

access-list 103 permit ip 192.168.0.0 0.0.1.255 172.16.10.0 0.0.0.255
0
 
LVL 1

Author Comment

by:awilderbeast
As soon as I enable the ACL on the group, the DG from the VPN client goes and the DG for the original card stays, if you know what I mean?
0
 
LVL 2

Expert Comment

by:simplejack
Nope, didn't get it.
0

 
LVL 1

Author Comment

by:awilderbeast
I'll show you....

As you can see below, when the Cisco VPN Client connects, it removes the local DG and adds an IP config and DG to its VPN adapter.

When I add that ACL to the RAVPN_GROUP, the DG is not removed and the VPN client DG is not added, and I cannot ping the VPN gateway.
info.png
0
 
LVL 2

Expert Comment

by:simplejack
Sorry, my bad, it is for split-tunnel. Try to allow VPN-to-LAN communication in your inbound access-list. I don't see any in your 1st config.
0
 
LVL 1

Author Comment

by:awilderbeast
I'm not following.

On inbound, permit?
permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255

But if the VPN adapter does not have a DG, the clients will not know where to send the VPN traffic?
CWCH#sh ip access-lists
Extended IP access list INBOUND
    10 deny tcp any any eq 22 (530 matches)
    20 deny tcp any any eq telnet (451 matches)
    60 permit tcp any host xxx.xxx.xxx.xx3 eq www (1305609 matches)
    70 permit tcp any host xxx.xxx.xxx.xx3 eq 443 (766661 matches)
    80 permit tcp any host xxx.xxx.xxx.xx3 eq smtp (642569 matches)
    90 permit udp any host xxx.xxx.xxx.xx3 eq isakmp (149976 matches)
    100 permit esp any host xxx.xxx.xxx.xx3 (47645216 matches)
    110 permit ahp any host xxx.xxx.xxx.xx3
    120 permit tcp any host xxx.xxx.xxx.xx3 eq 54321 (5707 matches)
    130 permit udp any host xxx.xxx.xxx.xx3 eq 54321 (698179 matches)
    140 permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp (736721 matches)
    160 deny ip any any (1165810 matches)
    170 permit ip any any
Extended IP access list OUTBOUND
    10 deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15 (847 matches)
    20 deny ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255 (1013 matches)
    30 deny ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255 (82752 matches)
    40 permit tcp any any eq smtp (2100 matches)
    50 permit tcp any any eq 443 (77436 matches)
    60 permit ip 192.168.101.0 0.0.0.255 any (2281717 matches)
    70 permit ip 192.168.201.0 0.0.0.255 any (58487 matches)
    80 deny ip any any (1303895 matches)
Extended IP access list RemoteVPN
    10 permit ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15


0
 
LVL 2

Expert Comment

by:simplejack
Forget my post about the 103 ACL :) I took it from a bad example and didn't realise that you don't have to do split-tunnel.

Add to your INBOUND access-list:

5 permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255


0
 
LVL 1

Author Comment

by:awilderbeast
Done that. The DG is back on the VPN adapter now; I still can't ping 192.168.101.* and the new ACL entry hasn't incremented when I send the ping.
Extended IP access list INBOUND
    5 permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
    10 deny tcp any any eq 22 (530 matches)
    20 deny tcp any any eq telnet (451 matches)
    60 permit tcp any host xxx.xxx.xxx.xx3 eq www (1307509 matches)
    70 permit tcp any host xxx.xxx.xxx.xx3 eq 443 (766957 matches)
    80 permit tcp any host xxx.xxx.xxx.xx3 eq smtp (642820 matches)
    90 permit udp any host xxx.xxx.xxx.xx3 eq isakmp (150086 matches)
    100 permit esp any host xxx.xxx.xxx.xx3 (47694848 matches)
    110 permit ahp any host xxx.xxx.xxx.xx3
    120 permit tcp any host xxx.xxx.xxx.xx3 eq 54321 (5707 matches)
    130 permit udp any host xxx.xxx.xxx.xx3 eq 54321 (698572 matches)
    140 permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp (736721 matches)
    160 deny ip any any (1166140 matches)
    170 permit ip any any
CWCH#


0
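To see what MAG03's and Ernie Beek's NAT-exemption advice and simplejack's INBOUND entry actually do to a packet, here is an added Python example (not from the thread) that models IOS extended-ACL evaluation: first match wins, wildcard masks, implicit deny at the end. It runs the question's OUTBOUND list (the list that selects traffic for "ip nat inside source list") with and without the exemption against a reply from a LAN host to a VPN client, and reports which INBOUND entries can never be consulted. The ACL text is abridged from the question, the packets are constructed, and 198.51.100.3 stands in for the masked public address.

```python
"""IOS extended-ACL evaluator: first match wins, wildcard masks, implicit deny.
Added example, not configuration from the thread. Packets are constructed and
198.51.100.3 stands in for the masked public address xxx.xxx.xxx.xx3."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "198.51.100.3"   # placeholder for the router's public address
PORT_NAMES = {"www": 80, "telnet": 23, "smtp": 25, "isakmp": 500, "non500-isakmp": 4500}

# OUTBOUND as posted in the question (abridged): the list that selects traffic
# for 'ip nat inside source list OUTBOUND interface Dialer1 overload'.
OUTBOUND_ORIGINAL = """
permit tcp any any eq smtp
permit tcp any any eq 443
permit ip 192.168.101.0 0.0.0.255 any
deny   ip any any
"""
# Same list with the exemption MAG03 and Ernie Beek recommended in front.
OUTBOUND_EXEMPT = "deny ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15\n" + OUTBOUND_ORIGINAL

# INBOUND as posted in the question (abridged), applied inbound on Dialer1.
INBOUND = f"""
deny   tcp any any eq 22
deny   tcp any any eq telnet
permit tcp any host {PUBLIC_IP} eq www
permit udp any host {PUBLIC_IP} eq isakmp
permit esp any host {PUBLIC_IP}
permit udp any host {PUBLIC_IP} eq non500-isakmp
deny   ip any any
permit ip any any
"""
# simplejack's suggested entry (sequence 5) ahead of everything else.
INBOUND_WITH_VPN = "permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255\n" + INBOUND


@dataclass(frozen=True)
class Entry:
    action: str             # permit / deny
    proto: str              # ip, tcp, udp, icmp, esp, ahp ...
    src: str                # "any" | "host A" | "A WILDCARD"
    dst: str
    dport: Optional[int]    # destination 'eq' port, if present


def _addr(tokens: List[str]) -> str:
    """Consume one address spec from the front of the token list."""
    t = tokens.pop(0)
    if t == "any":
        return "any"
    if t == "host":
        return "host " + tokens.pop(0)
    return t + " " + tokens.pop(0)          # base address + wildcard


def parse_acl(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():  # 'show access-lists' sequence numbers
            tokens.pop(0)
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _addr(tokens), _addr(tokens)
        dport = None
        if len(tokens) >= 2 and tokens[0] == "eq":
            dport = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        entries.append(Entry(action, proto, src, dst, dport))
    return entries


def addr_matches(spec: str, addr: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == spec.split()[1]
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def evaluate(acl: List[Entry], proto: str, src: str, dst: str, dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """(action, index of the matching entry); index None is the implicit deny."""
    for i, e in enumerate(acl):
        if e.proto not in ("ip", proto) or (e.dport is not None and e.dport != dport):
            continue
        if addr_matches(e.src, src) and addr_matches(e.dst, dst):
            return e.action, i
    return "deny", None


def unreachable_entries(acl: List[Entry]) -> List[int]:
    """Indexes of entries shadowed by an earlier 'ip any any' line."""
    for i, e in enumerate(acl):
        if e.proto == "ip" and e.src == "any" and e.dst == "any":
            return list(range(i + 1, len(acl)))
    return []


def reply_is_natted(acl_text: str, src: str, dst: str, proto: str = "icmp") -> bool:
    """'ip nat inside source list' translates only packets the list permits."""
    return evaluate(parse_acl(acl_text), proto, src, dst)[0] == "permit"
```

With the original OUTBOUND list a reply from 192.168.101.10 to 192.168.250.3 is permitted, i.e. selected for translation to the Dialer1 address; the deny for 192.168.250.0/28 in front of it takes that reply out of NAT (the wildcard 0.0.0.15 covers .0 to .15, so the whole pool .2 to .10 is included). INBOUND as posted has "permit ip any any" behind "deny ip any any", so that last line is dead. As for simplejack's entry never incrementing: once the crypto map hands the session to Virtual-Template1 (the session output shows Interface: Virtual-Access6), decrypted client packets enter on the Virtual-Access interface, so an ACL on Dialer1 only ever sees the outer ESP and UDP 4500 packets, which is consistent with the zero-match counter in the post above.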
 
LVL 2

Expert Comment

by:simplejack
Show the route information from the client after you have established the VPN connection and are able to ping the router, and the latest config from the router.
0
 
LVL 1

Author Comment

by:awilderbeast
See below; I've tried to keep things relevant.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\Documents and Settings\User>ipconfig
Windows IP Configuration

Ethernet adapter Wireless Network Connection 4:
        Connection-specific DNS Suffix  . : local
        IP Address. . . . . . . . . . . . : 192.168.0.68
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection:
        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.102.8
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :
Ethernet adapter Local Area Connection 2:
        Connection-specific DNS Suffix  . : domain.local
        IP Address. . . . . . . . . . . . : 192.168.250.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.250.1
C:\Documents and Settings\User>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x2 ...1c af f7 10 66 a3 ...... D-Link AirPlus G DWL-G510 Wireless PCI Adapter(rev.C) - Packet Scheduler Miniport
0x3 ...00 1e 8c 89 c5 31 ...... Atheros L2 Fast Ethernet 10/100 Base-T Controller - Packet Scheduler Miniport
0x20005 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Scheduler Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.250.1   192.168.250.6       1
      77.86.7.193  255.255.255.255     192.168.0.11    192.168.0.68       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.0.0    255.255.255.0     192.168.0.68    192.168.0.68       20
      192.168.0.0    255.255.255.0    192.168.250.1   192.168.250.6       20
     192.168.0.11  255.255.255.255     192.168.0.68    192.168.0.68       1
     192.168.0.68  255.255.255.255        127.0.0.1       127.0.0.1       20
    192.168.0.255  255.255.255.255     192.168.0.68    192.168.0.68       20
    192.168.102.0    255.255.255.0    192.168.102.8   192.168.102.8       20
    192.168.102.0    255.255.255.0    192.168.250.1   192.168.250.6       20
    192.168.102.8  255.255.255.255        127.0.0.1       127.0.0.1       20
  192.168.102.255  255.255.255.255    192.168.102.8   192.168.102.8       20
    192.168.250.0    255.255.255.0    192.168.250.6   192.168.250.6       25
    192.168.250.6  255.255.255.255        127.0.0.1       127.0.0.1       25
  192.168.250.255  255.255.255.255    192.168.250.6   192.168.250.6       25
        224.0.0.0        240.0.0.0     192.168.0.68    192.168.0.68       20
        224.0.0.0        240.0.0.0    192.168.102.8   192.168.102.8       20
        224.0.0.0        240.0.0.0    192.168.250.6   192.168.250.6       25
  255.255.255.255  255.255.255.255     192.168.0.68    192.168.0.68       1
  255.255.255.255  255.255.255.255    192.168.102.8   192.168.102.8       1
  255.255.255.255  255.255.255.255    192.168.250.6   192.168.250.6       1
Default Gateway:     192.168.250.1
===========================================================================
Persistent Routes:
  None
C:\Documents and Settings\User>


aaa authentication login default local
aaa authentication login NO_LOGIN none
aaa authentication login admin local
aaa authentication login RAVPN_AUTHEN local
aaa authorization network RAVPN_AUTHOR local 

no ip domain lookup
ip domain name domain.local
ip name-server 192.168.101.1
ip inspect name UserTraffic http
ip inspect name UserTraffic https
ip inspect name UserTraffic dns
ip inspect name UserTraffic tcp
ip inspect name UserTraffic udp
ip inspect name UserTraffic icmp
ip dhcp-server 192.168.101.1
login block-for 180 attempts 5 within 60
login delay 2
login quiet-mode access-class QUIETMODE
login on-failure log every 3

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 15
 encr 3des
 authentication pre-share
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
 lifetime 7800

crypto isakmp client configuration address-pool local RAVPN_POOL
!
crypto isakmp client configuration group RAVPN_GROUP
 key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 dns 192.168.101.1
 domain domain.local
 pool RAVPN_POOL
 max-users 8
 netmask 255.255.255.0
crypto isakmp profile RAVPN_PROFILE
   match identity group RAVPN_GROUP
   client authentication list RAVPN_AUTHEN
   isakmp authorization list RAVPN_AUTHOR
   client configuration address respond
   virtual-template 1
!
crypto ipsec security-association idle-time 7800
!
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac 
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set VPN_SET 
!
crypto ipsec profile DataTunnels
 set transform-set AES-SHA 
!
crypto dynamic-map RemoteVPNS 20
 set transform-set VPN_SET 
 set isakmp-profile RAVPN_PROFILE
 reverse-route
!
crypto map HOME_VPNS 30 ipsec-isakmp dynamic RemoteVPNS 
!
interface Loopback0
 ip address 192.168.250.1 255.255.255.0

interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN
!

interface Dialer1
 crypto map HOME_VPNS
!
ip local pool RAVPN_POOL 192.168.250.2 192.168.250.10
!
ip nat inside source list OUTBOUND interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended INBOUND
 permit ip 192.168.250.0 0.0.0.15 192.168.101.0 0.0.0.255
 deny   tcp any any eq 22
 deny   tcp any any eq telnet
 permit tcp any host xxx.xxx.xxx.xx3 eq www
 permit tcp any host xxx.xxx.xxx.xx3 eq 443
 permit tcp any host xxx.xxx.xxx.xx3 eq smtp
 permit udp any host xxx.xxx.xxx.xx3 eq isakmp
 permit esp any host xxx.xxx.xxx.xx3
 permit ahp any host xxx.xxx.xxx.xx3
 permit tcp any host xxx.xxx.xxx.xx3 eq 54321
 permit udp any host xxx.xxx.xxx.xx3 eq 54321
 permit udp any host xxx.xxx.xxx.xx3 eq non500-isakmp
 deny   ip any any
 permit ip any any

ip access-list extended OUTBOUND
 deny   ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15
 deny   ip 192.168.101.0 0.0.0.255 172.30.2.0 0.0.0.255
 deny   ip 192.168.101.0 0.0.0.255 172.30.3.0 0.0.0.255
 permit tcp any any eq smtp
 permit tcp any any eq 443
 permit ip 192.168.101.0 0.0.0.255 any
 permit ip 192.168.201.0 0.0.0.255 any
 deny   ip any any
ip access-list extended RemoteVPN
 permit ip 192.168.101.0 0.0.0.255 192.168.250.0 0.0.0.15


0
 
LVL 28

Expert Comment

by:asavener
If you do a traceroute on one of your 192.168.101.x machines to 192.168.250.2, what is the output?

Can your 192.168.101.x machines ping 192.168.250.1?
0
 
LVL 28

Expert Comment

by:asavener
After you establish the VPN, double-click the VPN icon in the system tray, then click on Status->statistics.

Try pinging 192.168.250.1 and 192.168.101.x addresses. Does the "packets encrypted" count increment during both operations?

Click on "Route Details" and make sure that 192.168.101.0 255.255.255.0 is listed.
0
 
LVL 1

Author Comment

by:awilderbeast
I haven't managed to test this out as yet, as the laptop I was using to test is out in the field. I will get back to this next week and let you know.

Thanks
0
 
LVL 1

Accepted Solution

by: awilderbeast (earned 0 total points)
Solved this.

Need to add a new transform set with mode set to tunnel.
0
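The accepted fix is a transform set in tunnel mode. The following Python is an added example, not the author's configuration: a small lint over an IOS running-config excerpt (CONFIG is built from the thread's config, indented the way "show running-config" prints it) that resolves which transform set each IPsec profile, virtual-template and dynamic crypto map ends up using and flags the ones in transport mode. CONFIG_FIXED is the same excerpt with VPN_SET switched to tunnel mode, which is what the fix amounts to; a transform set with no "mode" line is treated as tunnel mode, the IOS default.

```python
"""Lint an IOS config excerpt for transport-mode transform sets reached from a
virtual-template or a dynamic crypto map. Added example; CONFIG is built from
the thread's running-config and CONFIG_FIXED applies the accepted fix."""
from typing import Dict, List, Tuple

CONFIG = """\
crypto ipsec transform-set VPN_SET esp-3des esp-sha-hmac
 mode transport
crypto ipsec transform-set AES-SHA esp-aes esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set VPN_SET
!
crypto ipsec profile DataTunnels
 set transform-set AES-SHA
!
crypto dynamic-map RemoteVPNS 20
 set transform-set VPN_SET
 set isakmp-profile RAVPN_PROFILE
 reverse-route
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile DMVPN
"""
# The accepted solution: the transform set the remote-access clients land on runs in tunnel mode.
CONFIG_FIXED = CONFIG.replace(
    "transform-set VPN_SET esp-3des esp-sha-hmac\n mode transport",
    "transform-set VPN_SET esp-3des esp-sha-hmac\n mode tunnel")


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Group an IOS config into (top-level line, [indented sub-lines])."""
    blocks: List[Tuple[str, List[str]]] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def _transform_sets(body: List[str]) -> List[str]:
    """Names after 'set transform-set' (IOS allows several, in preference order)."""
    for line in body:
        if line.startswith("set transform-set "):
            return line.split()[2:]
    return []


def lint_transform_modes(text: str) -> List[str]:
    modes: Dict[str, str] = {}          # transform-set name -> tunnel / transport
    profile_ts: Dict[str, List[str]] = {}
    dynmap_ts: Dict[str, List[str]] = {}
    vtis: List[Tuple[str, str]] = []    # (interface, ipsec profile it is protected by)
    for header, body in parse_blocks(text):
        words = header.split()
        if header.startswith("crypto ipsec transform-set "):
            mode = "tunnel"             # IOS default when no 'mode' line is present
            for line in body:
                if line.startswith("mode "):
                    mode = line.split()[1]
            modes[words[3]] = mode
        elif header.startswith("crypto ipsec profile "):
            profile_ts[words[3]] = _transform_sets(body)
        elif header.startswith("crypto dynamic-map "):
            dynmap_ts[f"{words[2]} {words[3]}"] = _transform_sets(body)
        elif header.startswith("interface Virtual-Template"):
            profile = next((l.split()[-1] for l in body
                            if l.startswith("tunnel protection ipsec profile ")), None)
            if profile and "tunnel mode ipsec ipv4" in body:
                vtis.append((words[1], profile))
    findings = []
    for iface, profile in vtis:
        for ts in profile_ts.get(profile, []):
            if modes.get(ts) == "transport":
                findings.append(f"{iface} -> profile {profile} -> transform-set {ts}: mode transport")
    for dynmap, sets in dynmap_ts.items():
        for ts in sets:
            if modes.get(ts) == "transport":
                findings.append(f"dynamic-map {dynmap} -> transform-set {ts}: mode transport")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("fixed", CONFIG_FIXED)):
        print(label, lint_transform_modes(cfg) or ["ok"])
```

On the posted excerpt the lint reports two paths to the same transport-mode set, via Virtual-Template1's profile and via the RemoteVPNS dynamic map; AES-SHA is also transport mode but is only referenced by the DataTunnels profile, which nothing in the excerpt uses, so it is not reported. After the fix both findings disappear.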
 
LVL 1

Author Closing Comment

by:awilderbeast
Found out the solution through testing.
0
