Does anyone have a working config for a 1841 w/ the VPN server configured? I've been able to get the router working correctly w/ the ACL's, but I can't connect to it using VPN client.
Post what you have. You shouldn't need any acl's for a remote access vpn, unless you mean that the vpn pool is in the same subnet as the internal LAN, and you're using a route-map or extended acl to exclude the vpn pool from being natted...
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 warnings
enable secret 5 <secret>
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
!
aaa session-id common
!
resource policy
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip tcp synwait-time 10
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.9
ip dhcp excluded-address 192.168.1.26 192.168.1.254
!
ip dhcp pool LAN
import all
network 192.168.1.0 255.255.255.0
dns-server 68.87.72.130 68.87.77.130
default-router 192.168.1.1
!
!
no ip bootp server
ip domain name TestDomain.com
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
crypto pki trustpoint TP-self-signed-3823157960
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3823157960
revocation-check none
rsakeypair TP-self-signed-3823157960
!
!
crypto pki certificate chain TP-self-signed-3823157960
certificate self-signed 01
30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33383233 31353739 3630301E 170D3038 30343032 30373131
33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38323331
35373936 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AB2C 11E189EB 394AAB92 A8709A39 EF136FA1 775BAD3C 0DF06C71 BB08DE5C
CFDF02C1 67EB227E 620737BA 8BB4F8AC 19F0CC4D B98D0684 EDB07278 75527FD2
4CC1700E 5CFD1AA6 DDBAE797 81E592A7 C5CD92EE 876C1497 6EB56F27 A2544B0B
B218BA36 CE4E656D 1492D35F B003DBD8 F09A9D2E FF958B4E 8B1ECBE4 C471AF62
3D3B0203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
551D1104 22302082 1E543252 2D526F75 7465722E 54686F75 67687432 5265616C
6974792E 636F6D30 1F060355 1D230418 30168014 9D784FB9 665DD24E A825EF1F
FDEFD75C 5E39E3E0 301D0603 551D0E04 1604149D 784FB966 5DD24EA8 25EF1FFD
EFD75C5E 39E3E030 0D06092A 864886F7 0D010104 05000381 81005A08 B4D55A87
521529AA BB4972CC C24B4692 F284BBA6 F4048D56 D24FF35F C020ADE1 75B88CD9
DD962BA8 56F7FC16 C885BCEF 17437025 62FCBDF4 A2EC0DB1 A752E470 E57F8F0F
E8B7EC5E 6C3A81F9 C5B586E1 D570F575 63DDB4B2 704D5401 D0311015 97A171DF
07234BD7 601929C1 F6C16F4C 2D1D1672 13123D19 2DDFC42F 54C3
quit
username LeDeau privilege 15 secret 5 $1$dzu4$uEGWRvm44WGck2hNNEFIK0
!
!
controller T1 0/0/0
framing esf
linecode b8zs
!
controller T1 0/1/0
framing esf
linecode b8zs
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
crypto isakmp client configuration group VPN
key TestKey
dns 68.87.72.130 68.87.77.130
pool SDM_POOL_2
acl 105
include-local-lan
netmask 255.255.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 900
set transform-set ESP-3DES-SHA2
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description Outside$FW_OUTSIDE$
mac-address 0011.5bcb.fdc3
ip address dhcp
ip access-group 102 in
ip access-group sdm_fastethernet0/0_out out
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
description Inside$ETH-LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
ip local pool SDM_POOL_1 192.168.1.226 192.168.1.250
ip local pool SDM_POOL_2 192.168.2.1 192.168.2.10
ip classless
!
no ip http server
ip http access-class 2
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.101 3389 interface FastEthernet0/0 3389
ip nat inside source static tcp 192.168.1.101 80 interface FastEthernet0/0 80
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0/0 overload
ip nat inside source static 192.168.1.101 69.148.74.190 route-map SDM_RMAP_3
!
ip access-list extended sdm_fastethernet0/0_out
remark SDM_ACL Category=1
permit ip any any
permit icmp any any
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 3 remark SDM_ACL Category=2
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=0
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip host 192.168.1.226 any
access-list 101 permit ip host 192.168.1.227 any
access-list 101 permit ip host 192.168.1.228 any
access-list 101 permit ip host 192.168.1.229 any
access-list 101 permit ip host 192.168.1.230 any
access-list 101 permit ip host 192.168.1.231 any
access-list 101 permit ip host 192.168.1.232 any
access-list 101 permit ip host 192.168.1.233 any
access-list 101 permit ip host 192.168.1.234 any
access-list 101 permit ip host 192.168.1.235 any
access-list 101 permit ip host 192.168.1.236 any
access-list 101 permit ip host 192.168.1.237 any
access-list 101 permit ip host 192.168.1.238 any
access-list 101 permit ip host 192.168.1.239 any
access-list 101 permit ip host 192.168.1.240 any
access-list 101 permit ip host 192.168.1.241 any
access-list 101 permit ip host 192.168.1.242 any
access-list 101 permit ip host 192.168.1.243 any
access-list 101 permit ip host 192.168.1.244 any
access-list 101 permit ip host 192.168.1.245 any
access-list 101 permit ip host 192.168.1.246 any
access-list 101 permit ip host 192.168.1.247 any
access-list 101 permit ip host 192.168.1.248 any
access-list 101 permit ip host 192.168.1.249 any
access-list 101 permit ip host 192.168.1.250 any
access-list 101 permit ahp any any
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any log
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip host 192.168.2.1 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.2 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.3 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.4 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.5 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.6 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.7 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.8 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.9 192.168.1.0 0.0.0.255
access-list 102 permit ip host 192.168.2.10 192.168.1.0 0.0.0.255
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq www
access-list 102 permit udp host 68.87.77.130 eq domain any
access-list 102 permit udp host 68.87.72.130 eq domain any
access-list 102 permit ip host 192.168.1.226 any
access-list 102 permit ip host 192.168.1.227 any
access-list 102 permit ip host 192.168.1.228 any
access-list 102 permit ip host 192.168.1.229 any
access-list 102 permit ip host 192.168.1.230 any
access-list 102 permit ip host 192.168.1.231 any
access-list 102 permit ip host 192.168.1.232 any
access-list 102 permit ip host 192.168.1.233 any
access-list 102 permit ip host 192.168.1.234 any
access-list 102 permit ip host 192.168.1.235 any
access-list 102 permit ip host 192.168.1.236 any
access-list 102 permit ip host 192.168.1.237 any
access-list 102 permit ip host 192.168.1.238 any
access-list 102 permit ip host 192.168.1.239 any
access-list 102 permit ip host 192.168.1.240 any
access-list 102 permit ip host 192.168.1.241 any
access-list 102 permit ip host 192.168.1.242 any
access-list 102 permit ip host 192.168.1.243 any
access-list 102 permit ip host 192.168.1.244 any
access-list 102 permit ip host 192.168.1.245 any
access-list 102 permit ip host 192.168.1.246 any
access-list 102 permit ip host 192.168.1.247 any
access-list 102 permit tcp any host 192.168.1.101 eq www
access-list 102 permit ip host 192.168.1.248 any
access-list 102 permit ip host 192.168.1.249 any
access-list 102 permit ip host 192.168.1.250 any
access-list 102 permit ahp any any
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 102 permit tcp any any eq ftp
access-list 103 remark SDM_ACL Category=2
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.1
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.2
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.3
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.4
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.5
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.6
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.7
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.8
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.9
access-list 103 deny ip 192.168.1.0 0.0.0.255 host 192.168.2.10
access-list 103 deny ip host 192.168.1.101 any
access-list 103 deny ip any host 192.168.1.226
access-list 103 deny ip any host 192.168.1.227
access-list 103 deny ip any host 192.168.1.228
access-list 103 deny ip any host 192.168.1.229
access-list 103 deny ip any host 192.168.1.230
access-list 103 deny ip any host 192.168.1.231
access-list 103 deny ip any host 192.168.1.232
access-list 103 deny ip any host 192.168.1.233
access-list 103 deny ip any host 192.168.1.234
access-list 103 deny ip any host 192.168.1.235
access-list 103 deny ip any host 192.168.1.236
access-list 103 deny ip any host 192.168.1.237
access-list 103 deny ip any host 192.168.1.238
access-list 103 deny ip any host 192.168.1.239
access-list 103 deny ip any host 192.168.1.240
access-list 103 deny ip any host 192.168.1.241
access-list 103 deny ip any host 192.168.1.242
access-list 103 deny ip any host 192.168.1.243
access-list 103 deny ip any host 192.168.1.244
access-list 103 deny ip any host 192.168.1.245
access-list 103 deny ip any host 192.168.1.246
access-list 103 deny ip any host 192.168.1.247
access-list 103 deny ip any host 192.168.1.248
access-list 103 deny ip any host 192.168.1.249
access-list 103 deny ip any host 192.168.1.250
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip host 192.168.1.101 host 192.168.2.10
access-list 104 deny ip host 192.168.1.101 host 192.168.2.9
access-list 104 deny ip host 192.168.1.101 host 192.168.2.8
access-list 104 deny ip host 192.168.1.101 host 192.168.2.7
access-list 104 deny ip host 192.168.1.101 host 192.168.2.6
access-list 104 deny ip host 192.168.1.101 host 192.168.2.5
access-list 104 deny ip host 192.168.1.101 host 192.168.2.4
access-list 104 deny ip host 192.168.1.101 host 192.168.2.3
access-list 104 deny ip host 192.168.1.101 host 192.168.2.2
access-list 104 deny ip host 192.168.1.101 host 192.168.2.1
access-list 104 deny ip host 192.168.1.101 host 192.168.1.250
access-list 104 deny ip host 192.168.1.101 host 192.168.1.249
access-list 104 deny ip host 192.168.1.101 host 192.168.1.248
access-list 104 deny ip host 192.168.1.101 host 192.168.1.247
access-list 104 deny ip host 192.168.1.101 host 192.168.1.246
access-list 104 deny ip host 192.168.1.101 host 192.168.1.245
access-list 104 deny ip host 192.168.1.101 host 192.168.1.244
access-list 104 deny ip host 192.168.1.101 host 192.168.1.243
access-list 104 deny ip host 192.168.1.101 host 192.168.1.242
access-list 104 deny ip host 192.168.1.101 host 192.168.1.241
access-list 104 deny ip host 192.168.1.101 host 192.168.1.240
access-list 104 deny ip host 192.168.1.101 host 192.168.1.239
access-list 104 deny ip host 192.168.1.101 host 192.168.1.238
access-list 104 deny ip host 192.168.1.101 host 192.168.1.237
access-list 104 deny ip host 192.168.1.101 host 192.168.1.236
access-list 104 deny ip host 192.168.1.101 host 192.168.1.235
access-list 104 deny ip host 192.168.1.101 host 192.168.1.234
access-list 104 deny ip host 192.168.1.101 host 192.168.1.233
access-list 104 deny ip host 192.168.1.101 host 192.168.1.232
access-list 104 deny ip host 192.168.1.101 host 192.168.1.231
access-list 104 deny ip host 192.168.1.101 host 192.168.1.230
access-list 104 deny ip host 192.168.1.101 host 192.168.1.229
access-list 104 deny ip host 192.168.1.101 host 192.168.1.228
access-list 104 deny ip host 192.168.1.101 host 192.168.1.227
access-list 104 deny ip host 192.168.1.101 host 192.168.1.226
access-list 104 permit ip host 192.168.1.101 any
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
disable-eadi
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
route-map SDM_RMAP_3 permit 1
match ip address 104
!
!
!
control-plane
!
banner login ^CThis system is monitored. ^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 10 in
password 7 <password>
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
!
scheduler allocate 4000 1000
end
wow, you let SDM setup your ACL's didn't you. i'll bet you can reduce what SDM did to about five lines. it did that to me when i set it up too. as for your VPN issue, i've never had much luck with the EZvpn connections, they always seem flakey. do you have the option of a webvpn (SSLVPN) much easier to work with. i know my 1811's got it, never checked my 1841 though.
interval maximum 0 8 0 0
!
username xxxxxxxxxx privilege 15 secret 5 $1$j1lK$2muDeSOGBBX748WPwlsT21
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxxxxxxx
key xxxxxxxxxxxxxxxx
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
!
!
!
!
interface ATM0/0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0.1 point-to-point
no snmp trap link-status
pvc 0/35
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
no ip address
no ip redirects
ip accounting output-packets
ip mtu 1492
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/0.1
encapsulation dot1Q 1 native
ip address 10.69.69.1 255.255.255.0
!
interface FastEthernet0/0.10
encapsulation dot1Q 10
ip address 10.68.68.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.20
encapsulation dot1Q 20
ip address 10.67.67.1 255.255.255.0
!
interface Serial0/1
ip address 10.1.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip virtual-reassembly
ip route-cache flow
no fair-queue
!
interface Dialer0
ip ddns update hostname xxxxxxxxxxxxx.com
ip ddns update sdm_ddns1 host members.dyndns.org
ip address negotiated
no ip redirects
ip accounting output-packets
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map vpn_cmap_1
!
ip local pool vpn_pool_1 10.68.68.69 10.68.68.70
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip flow-top-talkers
top 100
sort-by bytes
cache-timeout 60000
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map vpn_routemap_1 interface Dialer0 overload
!
logging dmvpn
logging history warnings
logging trap debugging
logging source-interface Dialer0
logging server-arp
logging 10.69.69.2
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 deny ip any 10.68.68.68 0.0.0.3
access-list 101 permit ip 10.68.68.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
route-map vpn_routemap_1 permit 1
match ip address 101
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
banner motd ___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/
alias configure pc int fa0/0
!
line con 0
password 7 xxxxxxxxxxxxxxxxx
logging synchronous
line aux 0
line vty 0 4
password 7 xxxxxxxxxxxxxxxxxxxxx
transport input ssh
!
ntp clock-period 17180370
ntp server 64.113.32.5 source Dialer0
!
end
!
crypto isakmp client configuration group T2R
key <presharedkey>
pool VPN
acl 103
include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map vpn_cmap_1 client authentication list vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
!
!
interface FastEthernet0/0
description Outside
mac-address 0011.5bcb.fdc3
ip address dhcp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map vpn_cmap_1
!
interface FastEthernet0/1
description Inside
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
!
ip local pool VPN 192.168.2.1 192.168.2.10
ip classless
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-port 8888
ip nat inside source static tcp 192.168.1.101 80 interface FastEthernet0/0 80
ip nat inside source static tcp 192.168.1.101 3389 interface FastEthernet0/0 3389
ip nat inside source route-map rmap_1 interface FastEthernet0/0 overload
!
access-list 1 permit 192.168.1.0 0.0.0.25
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit esp any any
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
disable-eadi
no cdp run
route-map rmap_1 permit 1
match ip address 102
!
!
!
control-plane
!
!
line con 0
password 7 <password>
line aux 0
line vty 0 4
password 7 <password>
!
end
I can connect using the VPN Client. However, I can not access the local network. I noticed that whenever I try to ping any device on the local network (192.168.1.0/24), I get a response from the Outside IP of the router. I'm sure that's significant, but not sure what it tells me.
crypto isakmp client configuration group T2R
no acl 103
netmask 255.255.255.0
no access-list 101
no access-list 103
Now the best bet would be to have a block of 14 addresses for the vpn for ease of configuration, but if you only want 10, then let's say that ip addresses 192.168.1.17 through 192.168.1.26 are available. This is how I do it in a router---I make the VPN pool in the same subnet, but use a route-map for NAT and exclude the vpn addresses, and permit everything else. This would look like this...
no access-list 102
Blow the acl away first and start over...then, ...
access-list permit ip host 192.168.1.16 any
access-list 102 deny ip any 192.168.1.16 0.0.0.7
access-list 102 deny ip any host 192.168.1.24
access-list 102 deny ip any host 192.168.1.25
access-list 102 deny ip any host 192.168.1.26
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
And now delete the old pool and create the new one...
no ip local pool VPN 192.168.2.1 192.168.2.10
ip local pool VPN 192.168.1.17 192.168.1.26
By the way, this line
access-list permit ip host 192.168.1.16 any
is supposed to be
access-list 102 permit ip host 192.168.1.16 any
Also, once you've successfully created the vpn and can navigate in the LAN, I would also NOT static NAT for RDP---no sense now that a VPN is there for remote access---RDC once vpn'd in. Just a suggestion...
I was able to connect w/ the new configuration. Once connected, I was able to ping the inside interface and LAN devices.
I was not able to establish any TCP connections. I tried to RDP into a server and was unable to do so. Any ideas?
Also, When I try to connect to a local web server, nslookup returns the WAN IP Address of the router. I normally would have fixed this using a route map from the WAN IP to the server IP, but when I do this, I'm unable to establish a VPN connection.
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.