cisco vpn help

mercxi (IS-IT--Management), Sep 30, 2009
I am trying to set up VPN on a 1751 router that works with the VPN client, but it is not connecting. Is there something wrong with my config?

User Access Verification

Username: mercxi
Password:

Router>en
Password:
Router#sh conf
Using 2512 out of 29688 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$51e9$vGKxOdOT8HZkUgCQiKfAM0
!
username mercxi password 0 merc84
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login user_authentication local
aaa session-id common
ip subnet-zero
!
!
ip name-server 68.237.161.12
ip name-server 71.250.0.12
ip name-server 4.2.2.1
!
ip dhcp pool DATA
network 50.0.0.0 255.255.255.0
dns-server 50.0.0.1
default-router 50.0.0.1
!
ip dhcp pool CABLE
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
!
ip cef
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group mercgroup
key merc84
pool CLIENT_ADDRESSES
acl 101
!
!
crypto ipsec transform-set mytransformset esp-3des esp-md5-hmac
!
crypto dynamic-map mydynamicmap 1
set transform-set mytransformset
!
!
crypto map clientmap client authentication list user_authentication
crypto map clientmap isakmp authorization list user_authentication
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic mydynamicmap
!
!
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
speed auto
crypto map clientmap
!
interface FastEthernet1/1
switchport access vlan 50
no ip address
!
interface FastEthernet1/2
switchport access vlan 10
no ip address
!
interface FastEthernet1/3
switchport trunk native vlan 50
switchport trunk allowed vlan 1,2,10,50,1002-1005
switchport mode trunk
no ip address
!
interface FastEthernet1/4
switchport access vlan 10
no ip address
!
interface Vlan1
no ip address
shutdown
!
interface Vlan10
ip address 10.10.10.1 255.255.255.0
ip nat inside
!
interface Vlan50
ip address 50.0.0.1 255.255.255.0
ip nat inside
!
router rip
version 2
network 10.0.0.0
network 50.0.0.0
!
ip local pool CLIENT_ADDRESSES 50.0.0.2 50.0.0.100
ip classless
no ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet0/0 overload
!
ip dns server
!
!
access-list 1 permit 50.0.0.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip any 50.0.0.0 0.0.0.255
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
password merc84
!
!
end

Router#
 
crypto map clientmap isakmp authorization list user_authentication

This must point to an authorization method, not authentication

Try these

aaa author network XAUTH local

crypto map clientmap isakmp author list XAUTH

Also, you have to separate the VPN pool from the LAN addresses for the NAT ACL...and you cannot use public IP addresses...

ip local pool CLIENT_ADDRESSES 10.0.0.2 10.0.0.100

access-list 102 deny ip any host 10.0.0.2
access-list 102 deny ip any host 10.0.0.5
access-list 102 deny ip any 10.0.0.4 0.0.0.3
access-list 102 deny ip any 10.0.0.8 0.0.0.7
access-list 102 deny ip any 10.0.0.16 0.0.0.15
access-list 102 deny ip any 10.0.0.32 0.0.0.31
access-list 102 deny ip any 10.0.0.64 0.0.0.31
access-list 102 deny ip any host 10.0.0.97
access-list 102 deny ip any host 10.0.0.98
access-list 102 deny ip any host 10.0.0.99
access-list 102 deny ip any host 10.0.0.100

route-map VPN permit 10
match ip add 102

no ip nat inside source list 1 int fa0/0 over
ip nat inside source route-map VPN int fa0/0 over

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Wouldn't this take down my internet connection?
 
Yes, until the NAT statement is reapplied. I forgot---the last statement must allow NAT for the 10.10.10.0/24 nw

access-list 102 permit ip 10.10.10.0 0.0.0.255 any

 
Then what's with the deny statements? Also, the first part did work.
 
Crap---never mind---if they never get NATted, there are no worries! I was thinking that the VPN pool was going to be in the same subnet as the LAN. Then they would have to be excluded from NAT...

So it's now working?

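The three points raised in the replies above (the ISAKMP authorization list must name an `aaa authorization network` list, the client pool must be private space outside the LAN subnets, and pool addresses that fall under the NAT source ACL would get translated) can be checked mechanically before pushing a config. The script below is an added example written for this thread, not something from the original posts; `BEFORE`/`AFTER` are constructed fragments of the poster's config, and the regexes assume interface sub-commands are indented by one space as IOS prints them.

```python
import ipaddress
import re

# Constructed sample: the relevant lines of the poster's config before the fix.
BEFORE = """
aaa authentication login user_authentication local
crypto map clientmap isakmp authorization list user_authentication
interface Vlan50
 ip address 50.0.0.1 255.255.255.0
ip local pool CLIENT_ADDRESSES 50.0.0.2 50.0.0.100
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 50.0.0.0 0.0.0.255
"""

# Constructed sample: the same fragment after applying the replies in the thread.
AFTER = """
aaa authorization network XAUTH local
crypto map clientmap isakmp authorization list XAUTH
interface Vlan50
 ip address 50.0.0.1 255.255.255.0
ip local pool CLIENT_ADDRESSES 10.0.0.2 10.0.0.100
ip nat inside source list 1 interface FastEthernet0/0 overload
access-list 1 permit 50.0.0.0 0.0.0.255
"""

def audit_ezvpn(config):
    """Return a list of findings for the three problems discussed in the thread."""
    findings = []
    # 1. 'isakmp authorization list' must reference an 'aaa authorization network' list.
    authz = set(re.findall(r"^aaa authorization network (\S+)", config, re.M))
    for cmap, lst in re.findall(r"^crypto map (\S+) isakmp authorization list (\S+)", config, re.M):
        if lst not in authz:
            findings.append(f"{cmap}: authorization list {lst} is not an aaa authorization network list")
    # LAN subnets from interface addresses (sub-commands indented by one space).
    lans = [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^\s+ip address (\S+) (\d+\.\d+\.\d+\.\d+)", config, re.M)]
    # Standard ACLs used as NAT source lists; wildcard masks are accepted by ipaddress as hostmasks.
    nat_lists = set(re.findall(r"^ip nat inside source list (\S+)", config, re.M))
    natted = [ipaddress.ip_network(f"{n}/{w}")
              for acl, n, w in re.findall(r"^access-list (\S+) permit (\S+) (\S+)$", config, re.M)
              if acl in nat_lists]
    for name, lo, hi in re.findall(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        lo_ip, hi_ip = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        # 2. Pool must be RFC 1918 space and must not sit inside a LAN subnet.
        if not lo_ip.is_private:
            findings.append(f"pool {name}: {lo}-{hi} is not RFC 1918 space")
        findings += [f"pool {name}: overlaps LAN {lan}" for lan in lans if lo_ip in lan or hi_ip in lan]
        # 3. Pool addresses matched by the NAT ACL would be translated and need excluding.
        findings += [f"pool {name}: would be NATted by {net}" for net in natted if lo_ip in net]
    return findings
```

Running `audit_ezvpn(BEFORE)` reports all four problems; `audit_ezvpn(AFTER)` reports none, matching the thread's conclusion that a pool outside the LAN and outside the NAT ACL needs no deny entries.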
 
Sorry for the late reply. Yes, you fixed it, thanks.
 