
Cisco VPN client through Cisco router


stre1026

IS-IT--Management
Jul 9, 2001
40
US
Hi All -

I am having a problem connecting to a VPN network with the Cisco VPN client through a Cisco router running NAT, IOS Firewall, and also DMVPN to another completely separate network. The client just sits there and says the remote VPN has stopped responding or something like that. If I put the machine directly on the internet, the client works fine. I also have one small "gotcha" in the project requirements - I have to be able to use the VPN client on different machines but not on the same time. So a laptop and desktop PC should be able to connect to remote VPN at different times without having to change anything in the router. How would I do this without doing a site-to-site VPN? I would simply add the site to my DMVPN but this remote VPN is for a totally separate company. I happen to be the IT guy at both companies so I can modify the router at the other company if necessary. The router I am trying to connect to at the remote company is a 2621 and the router I am trying to connect through with the VPN client is a 1711.

I don't have any of the configs handy, but I can get them if you would like to see them. I'm basically looking for starting points on how to resolve this. I thought NAT Traversal was automatic on Cisco routers?

Thanks in advance!
Steve
 
I thought NAT Traversal was automatic on Cisco routers?
Depends on the IOS

Can you post configs?? Also, have you tried running a crypto debug??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi unclerico,

Here is the sanitized config of the router I'm trying to connect through...I haven't tried a crypto debug because I know it works when I put the client directly on the internet. That's why I think there is a problem with the config below.

Thanks for your help!

version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Hooksett-Router
!
boot-start-marker
boot system flash c1710-k9o3sy-mz.123-25.bin
boot-end-marker
!
logging console warnings
!
memory-size iomem 25
aaa new-model
!
aaa user profile ***
!
aaa authentication login default local
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.2.1 10.0.2.99
!
ip dhcp pool 10.0.2.x
network 10.0.2.0 255.255.255.0
domain-name ***
dns-server 10.0.8.3 10.0.0.3 208.67.222.222 208.67.220.220
default-router 10.0.2.1
netbios-node-type h-node
netbios-name-server 10.0.0.3 10.0.8.3
!
ip cef
ip inspect name firewall rcmd
ip inspect name firewall tftp
ip inspect name firewall ftp
ip inspect name firewall udp
ip inspect name firewall tcp timeout 43200
ip inspect name firewall realaudio
ip inspect name firewall vdolive
ip inspect name firewall netshow
ip audit po max-events 100
!
modemcap entry multitech:MSC=&FS0=1&C4&D3$SB115200
!
username ***
!
!
!
!
crypto isakmp policy 5
authentication pre-share
group 2
crypto isakmp key *** address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
!
crypto ipsec profile dmvpnprof
set transform-set vpn
!
!
!
!
interface Tunnel0
description Dynamic GRE Tunnel
bandwidth 1000
ip address 172.16.0.4 255.255.255.0
no ip redirects
ip mtu 1428
ip nhrp authentication dmvpn
ip nhrp map 172.16.0.1 ***
ip nhrp map multicast ***
ip nhrp network-id 99
ip nhrp holdtime 300
ip nhrp nhs 172.16.0.1
no ip route-cache cef
no ip mroute-cache
delay 1000
qos pre-classify
tunnel source Ethernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile dmvpnprof
!
interface Ethernet0
ip address dhcp hostname router
ip access-group 100 in
ip nat outside
ip inspect firewall out
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 10.0.2.1 255.255.255.0
ip nat inside
speed auto
full-duplex
!
router eigrp 1
network 10.0.2.0 0.0.0.255
network 172.16.0.0 0.0.0.255
no auto-summary
!
ip nat inside source route-map nonat interface Ethernet0 overload
ip nat inside source static tcp 10.0.2.2 80 interface Ethernet0 80
ip classless
no ip http server
ip http secure-server
!
!
access-list 100 permit icmp 10.0.0.0 0.0.255.255 any
access-list 100 permit tcp 10.0.0.0 0.0.255.255 any eq telnet
access-list 100 deny icmp any any echo
access-list 100 deny tcp any any eq telnet
access-list 100 permit ip any any
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.5.0 0.0.0.255
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.7.0 0.0.0.255
access-list 110 deny ip 10.0.2.0 0.0.0.255 10.0.8.0 0.0.0.255
access-list 110 permit ip 10.0.2.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 110
!
snmp-server community public RO
!
banner motd ^CAuthorized Users Only!^C
!
 
What are you trying to accomplish with a router config? It has nothing to do from the client side in a remote access VPN. It is the remote router that needs the config...

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Hi burtsbees,

I understand that. As I said, the remote router (the VPN server if you will) works fine as I can connect to it via VPN just fine when I put the client directly on the internet without the Cisco router on the client side. The reason I posted the router config of the router on the client side is so someone could help me figure out what I need to do to the config above to allow the client to connect THROUGH it to the VPN being terminated at the remote router.
 
Can the router and PC ping the public IP of the remote router? If so, all local site requirements have been fulfilled...

 
Hi burtsbees,

I block pings on the remote router via an ACL. Could this be the problem?
 
Post the config of the remote router please.

 
I ended up fixing the issue. It ended up being with the remote router. I guess I was too stubborn to even think the problem was on that end because it was working fine. Once I looked at the config, I realized I wasn't using a route-map, I was just NATing with an access-list. Once I put a route map in place, everything worked like a charm. Thanks for everyone's help!
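The fix described above, shown as an added configuration example for the remote (VPN-terminating) router; this is not the poster's actual config, which never appears in the thread, and the interface name, inside subnet and VPN client pool are constructed placeholders. It places the plain access-list NAT beside the route-map NAT, using the same "nonat" deny-then-permit pattern the client-side config earlier in the thread already uses for its DMVPN destinations.

```cisco
! ---- Before (as described in the thread): NAT driven directly by an ACL ----
! Every inside host matching list 101 is overloaded onto the outside address,
! and nothing tells NAT to leave traffic bound for the VPN client pool alone.
! Packets from the LAN to a connected client get translated before they reach
! the crypto engine, so they never match the client's IPsec SA and the client
! sees the VPN "stop responding".
ip nat inside source list 101 interface FastEthernet0/0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

! ---- After: NAT driven by a route-map with an explicit VPN exemption ----
! The pool handed to remote-access clients (constructed value).
ip local pool VPNPOOL 10.10.10.1 10.10.10.50

! Route-map based NAT: a deny entry in the referenced ACL means "do not
! translate", so LAN-to-client traffic stays untranslated and is encrypted
! with the client's real addresses; everything else is still overloaded.
ip nat inside source route-map nonat interface FastEthernet0/0 overload
route-map nonat permit 10
 match ip address 110
access-list 110 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

! Checks after the change (assumed test hosts: LAN 192.168.1.10, client 10.10.10.5):
!   show ip nat translations        -> no entry with destination 10.10.10.x
!   show crypto ipsec sa            -> #pkts encaps/decaps both increasing
!   debug ip nat                    -> no "s=192.168.1.10->... d=10.10.10.5" lines
```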
 
Usually natting with an acl will be fine...weird...

 