Cisco Easy VPN Server Setup...Almost there!


technicaluser4

Technical User
Dec 28, 2006
310
MT
Hi,

I am trying to set up Cisco Easy VPN Server. I managed to go through the SDM wizard and finished it.
FastEthernet0 is my Internet connection receiving incoming VPN connections.
I managed to set up Cisco VPN client 5.0.

The connection is established and I can ping the vlan1 interface of the router, but I cannot access any other machine on the LAN.
I have unnumbered the virtual interface with VLAN1. Is this the right way?
I believe it must be either a route problem or an access-list problem, but I cannot figure out what is wrong. I tried everything!

Any help? Thanks!!



Configuration:
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2016299323
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2016299323
revocation-check none
rsakeypair TP-self-signed-2016299323
!
!
crypto pki certificate chain TP-self-signed-2016299323
certificate self-signed 01
A6549855 DA847E67 76C3C51C 9682774F 1A6C1AC5 1FEB0148 A7B9DA92 F78CDDEA 2538
quit
dot11 syslog
ip source-route
!
!
!
!
ip cef
4
ip name-server 82.15.46.122
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username user1 privilege 15 secret 5 $1$Q5xI$ZQasfNi59JjrtarDHxhyMQTasdadasEvJ6o.
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group group-vpn
key Passw0rd
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group group-vpn
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
hidekeys
!
!
!
!
!
interface Multilink1
no ip address
ppp multilink
ppp multilink group 1
!
interface Dot11Radio0
no ip address
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio1
no ip address
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface FastEthernet0
ip address 191.24.15.46 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet1
ip address 10.1.1.10 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ES_LAN$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map LAN
!
interface Async1
no ip address
encapsulation slip
!
ip local pool SDM_POOL_1 10.10.10.150 10.10.10.160
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source route-map NAT_LAN interface FastEthernet0 overload
ip nat inside source route-map NAT_LAN2 interface FastEthernet1 overload
!
logging 10.0.0.1
access-list 20 permit 10.10.10.10
!
!
!
route-map LAN permit 10
match ip address 20
set ip next-hop 191.24.15.45
set interface FastEthernet0
!
route-map NAT_LAN permit 10
match interface FastEthernet0
!
route-map NAT_LAN2 permit 10
match interface FastEthernet1
!
!
!
control-plane
!
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
privilege level 15
transport input telnet
!
end
 
Right off the top I see that your IP pool for VPN addresses is in the same address space as your LAN. Change it to be a completely different network range and try again.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Yes--SDM always screws that part up. The problem is that you cannot NAT the VPN subnet.

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Yes, both of you are right. The pool has to be on a different subnet. It worked straight away!

Thanks!
 
Glad we could help.


BURT!!!!! You have redeemed yourself my friend!!!



 
lol...from what? Oh...being blind...uh huh huh huh huh...

 
It sounds like a NAT problem. Make sure on your outside interface that the route map is excluding the GRE traffic.
 
^^People just do not read........... There should be a required competency test for everyone who wants to join..

I keep thinking there are new exciting problems, and it's just old crap people dig up.

P.S. There is no GRE involved here! ???
 
I'm with you---I did not want to grace his stupidity with a comment...

 