Cisco 1721 acting as VPN server - clients can RDP but not HTTP or DNS?


Tatster

Technical User
Mar 23, 2009
Hi all,
I am struggling to get my 1721 config doing what I want it to do.
What I have is a 1721 connected to an ADSL connection with a static IP, and an internal network 192.168.200.0/24.
I can connect successfully from a remote machine with VPN client software and get assigned an IP by the router from the 192.168.201.1-20 range.
I can access servers within the 192.168.200.0/24 range via RDP (TCP 3389), but I can't HTTP to any devices inside the LAN, i.e. access point web interfaces etc., and I can't talk to the internal DNS server, 192.168.200.200.

Please could someone have a look through my config and tell me what I'm doing wrong - this is driving me nuts!!!

Thanks in advance,

Anthony

PS. Apologies for the long post, I figured it might be easier to see the config.

Code:
!This is the running config of the router: 192.168.200.254
!----------------------------------------------------------------------------
!version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTR-1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 4096 errors
enable secret 5 <removed>
!
username rtr<snip> privilege 15 password 7 <removed>
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip dhcp excluded-address 192.168.200.1 192.168.200.9
ip dhcp excluded-address 192.168.200.51 192.168.200.254
!
!
ip tcp synwait-time 10
ip domain name <removed>
ip name-server 208.67.222.222
no ip bootp server
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group ICT
 key <removed>
 dns 192.168.200.254
 domain <removed>.local
 pool SDM_POOL_1
 acl 104
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
interface Null0
 no ip unreachables
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no atm ilmi-keepalive
 dsl operating-mode auto 
!
interface ATM0.1 point-to-point
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 pvc 0/38 
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
 description $FW_INSIDE$
 ip address 192.168.200.254 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 speed auto
 no cdp enable
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xxx.xxx.48.253 255.255.255.0
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname <removed>
 ppp chap password 7 <removed>
 ppp pap sent-username <removed> password 7 <removed>
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.201.1 192.168.201.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http access-class 2
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip dns server
!
!
logging trap errors
access-list 1 remark INSIDE_IF=FastEthernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.200.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip any host 192.168.201.1
access-list 100 deny   ip any host 192.168.201.2
access-list 100 deny   ip any host 192.168.201.3
access-list 100 deny   ip any host 192.168.201.4
access-list 100 deny   ip any host 192.168.201.5
access-list 100 deny   ip any host 192.168.201.6
access-list 100 deny   ip any host 192.168.201.7
access-list 100 deny   ip any host 192.168.201.8
access-list 100 deny   ip any host 192.168.201.9
access-list 100 deny   ip any host 192.168.201.10
access-list 100 deny   ip any host 192.168.201.11
access-list 100 deny   ip any host 192.168.201.12
access-list 100 deny   ip any host 192.168.201.13
access-list 100 deny   ip any host 192.168.201.14
access-list 100 deny   ip any host 192.168.201.15
access-list 100 deny   ip any host 192.168.201.16
access-list 100 deny   ip any host 192.168.201.17
access-list 100 deny   ip any host 192.168.201.18
access-list 100 deny   ip any host 192.168.201.19
access-list 100 deny   ip any host 192.168.201.20
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 remark VTY Access-class list
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 deny   ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 deny   ip xxx.xxx.48.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit udp host 208.67.222.222 eq domain host xxx.xxx.48.253
access-list 103 remark Auto generated by SDM for NTP (123) 194.164.127.5
access-list 103 permit udp host 194.164.127.5 eq ntp host xxx.xxx.48.253 eq ntp
access-list 103 permit ahp any host xxx.xxx.48.253
access-list 103 permit esp any host xxx.xxx.48.253
access-list 103 permit udp any host xxx.xxx.48.253 eq isakmp
access-list 103 permit udp any host xxx.xxx.48.253 eq non500-isakmp
access-list 103 permit icmp any host xxx.xxx.48.253 echo-reply
access-list 103 permit icmp any host xxx.xxx.48.253 time-exceeded
access-list 103 permit icmp any host xxx.xxx.48.253 unreachable
access-list 103 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 permit ip 192.168.201.0 0.0.0.255 any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 104 permit ip 192.168.200.0 0.0.0.255 any
access-list 104 permit ip 192.168.201.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
banner login ^CThis is a protected system.  Authorised Users Only.  All system access is logged.^C
!
line con 0
line aux 0
line vty 0 4
 access-class 101 in
 password 7 <removed>
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
end
 
Not sure if you have got this working yet, as this is an old post, but I figured I would give it a shot. The DNS server you have listed in the post is different from what your VPN_POOL is giving out to the clients. That's why you are able to RDP (by IP, I assume) but not HTTP (by hostname) to the servers in question.
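A small config audit for the mismatch this reply points at, added here as an example and not code from the thread: it reads an excerpt of the posted config, compares the DNS address pushed to VPN clients (the `dns` line of the client group) with the internal DNS server the original post names, and also checks that every address in the client pool is exempted from NAT by ACL 100, the ACL behind the `ip nat inside source route-map` statement. The excerpt is constructed and keeps only two of the twenty exemption lines so that the second check has something to report.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in this thread, trimmed to the
# statements this audit reads. Only two of the twenty NAT-exemption lines
# are kept so that the second check has something to report.
SAMPLE_CONFIG = """
crypto isakmp client configuration group ICT
 dns 192.168.200.254
 pool SDM_POOL_1
ip local pool SDM_POOL_1 192.168.201.1 192.168.201.20
access-list 100 deny   ip any host 192.168.201.1
access-list 100 deny   ip any host 192.168.201.2
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
"""

def parse_config(text):
    """Collect the DNS server pushed to clients, the client address pool and
    the pool addresses that the NAT route-map's ACL 100 exempts from PAT."""
    cfg = {"pushed_dns": None, "pool": None, "nat_exempt": set()}
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"dns (\S+)$", s):  # 'dns' line of the client group
            cfg["pushed_dns"] = m.group(1)
        elif m := re.match(r"ip local pool \S+ (\S+) (\S+)$", s):
            cfg["pool"] = (ipaddress.ip_address(m.group(1)),
                           ipaddress.ip_address(m.group(2)))
        elif m := re.match(r"access-list 100 deny\s+ip any host (\S+)$", s):
            cfg["nat_exempt"].add(ipaddress.ip_address(m.group(1)))
    return cfg

def audit(text, internal_dns):
    """Return human-readable findings; an empty list means both checks pass."""
    cfg = parse_config(text)
    findings = []
    if cfg["pushed_dns"] != internal_dns:
        findings.append(f"clients are pushed DNS {cfg['pushed_dns']} but the "
                        f"internal DNS server is {internal_dns}")
    lo, hi = cfg["pool"]
    pool = [ipaddress.ip_address(i) for i in range(int(lo), int(hi) + 1)]
    still_natted = [str(ip) for ip in pool if ip not in cfg["nat_exempt"]]
    if still_natted:  # LAN-to-client replies to these would be PATed on Dialer0
        findings.append("pool addresses not exempted from NAT by ACL 100: "
                        + ", ".join(still_natted))
    return findings
```

Run `audit(SAMPLE_CONFIG, "192.168.200.200")` against the full config from the post to get only the DNS finding; the constructed excerpt also reports the missing exemptions.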
 