Client to Router VPN driving me nuts


JPFSanders

Technical User
Nov 16, 2005
Hi,

Just a month ago I got a second-hand Cisco 827 router with 3DES/IPsec capabilities; it runs IOS version 12.3(24).

This router has two interfaces, a DSL one (ATM + Dialer) and a 10Base-T Ethernet port.

The DSL interface is the external, Internet-facing one. So far I have not had a single issue configuring this router, except for configuring a client (my laptop) to router VPN.

What I am trying to achieve is to use the Cisco VPN client on my laptop to connect to my Cisco 827 at home and be able to access my internal network from any other location.

So far I have made the client authenticate and connect, but... once connected, if I try to reach any of the computers on the internal network it does not work; I cannot connect to any of the machines in my internal network.

Also I have noticed that the router configures the vpn interface on my laptop to have a default gateway of 192.168.249.1 which is wrong because the router's internal interface is "192.168.249.2".

If anyone could help me with this I would be so grateful, even up to sending a pack of beers, sweets, pizza, whatever... I have been banging my head against the router for almost two weeks, and so far I can just connect the VPN client to the router but do nothing more after the connection is established.

Thanks in advance...

This is my configuration; bear in mind that I'm no Cisco expert. In fact I had never touched a Cisco router in my entire life; I configured everything using a book I got from a friend and looking on the net.

version 12.3
no service pad
service timestamps debug datetime localtime
service timestamps log uptime
service password-encryption
!
hostname CISCO827
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxxx
!
clock timezone GMT 1
clock summer-time BST recurring
aaa new-model
!
!
aaa authentication login default local
aaa authentication login NO_AUTHENT none
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip domain name xxxxx.org
ip host xxxxxxx 192.168.249.10
ip name-server 192.168.249.10
ip name-server 213.149.224.66
ip name-server 80.58.61.254
ip dhcp excluded-address 192.168.249.1 192.168.249.20
ip dhcp excluded-address 192.168.249.80 192.168.249.81 192.168.249.82
ip dhcp excluded-address 192.168.249.240 192.168.249.249
!
ip dhcp pool 192.168.249.0/24
network 192.168.249.0 255.255.255.0
domain-name xxxxx.org
dns-server 192.168.249.10 213.149.224.66 80.58.61.254
netbios-name-server 192.168.249.10
netbios-node-type h-node
default-router 192.168.249.2
lease 7
!

vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
ip mtu adjust
!
!
username user secret 5 xxxxxx
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group chumbo-vpn
key xxxxxx
dns 192.168.249.10
wins 192.168.249.10
domain xxxxxx.org
pool pool-ip-vpn
acl 110
!
!
crypto ipsec transform-set chumbo-vpn-set esp-3des esp-sha-hmac
!
crypto dynamic-map chumbo-dyn-map 10
description A dynamic crypto map for VPN users
set transform-set chumbo-vpn-set
!
!
crypto map chumbo-map client authentication list userauthen
crypto map chumbo-map isakmp authorization list groupauthor
crypto map chumbo-map client configuration address respond
crypto map chumbo-map 10 ipsec-isakmp dynamic chumbo-dyn-map
!
!
!
interface Ethernet0
ip address 192.168.249.2 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/32
pppoe-client dial-pool-number 1
!
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxx@xxxxx password 7 xxxxxxx
crypto map chumbo-map
!
ip local pool pool-ip-vpn 192.168.249.240 192.168.249.249
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.249.10 443 interface Dialer1 443
ip nat inside source static tcp 192.168.249.10 80 interface Dialer1 80

ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
ip http path console
!
access-list 1 permit 192.168.249.0 0.0.0.255
access-list 2 permit 192.168.249.0 0.0.0.255
access-list 2 deny any log
access-list 2 remark Restrict Router's Telnet access to local IP's Only
access-list 110 permit ip any any
access-list 110 remark allow split VPN traffic
no cdp run
!
banner motd 

Private!


!
line con 0
login authentication NO_AUTHENT
full-help
stopbits 1
line vty 0 4
access-class 2 in
exec-timeout 30 0
length 0
transport input ssh
!
scheduler max-task-time 5000
sntp server 91.189.94.4
sntp server 82.96.64.2
end
 
Try making your DHCP pool a different subnet and no default gw.
 
Actually, the problem is that your VPN pool is in the same subnet as the local LAN pool in the router. The only way this will let you reach local resources is if you exclude these addresses from being NATted back out...
router>en
router#conf t
router(config)#ip access-list standard 1
router(config-std-nacl)#20 deny 192.168.249.240 0.0.0.7
router(config-std-nacl)#30 deny host 192.168.249.248
router(config-std-nacl)#40 deny host 192.168.249.249

I would recommend instead of doing this, you make the vpn pool in a different subnet...

router(config)#ip local pool pool-ip-vpn 192.168.253.1 192.168.253.16

It is also recommended to specify the netmask for the pool...

crypto isakmp client configuration group chumbo-vpn
key xxxxxx
dns 192.168.249.10
wins 192.168.249.10
domain xxxxxx.org
pool pool-ip-vpn
acl 110
netmask 255.255.255.0

Burt
 
One more thing...this helps also (include-local-lan)...

crypto isakmp client configuration group chumbo-vpn
key xxxxxx
dns 192.168.249.10
wins 192.168.249.10
domain xxxxxx.org
pool pool-ip-vpn
acl 110
netmask 255.255.255.0
include-local-lan

Burt
 
@Burtsbees

Hi, many thanks for your reply.

Neither include-local-lan nor netmask 255.255.255.0 is supported on my 827H, ver. 12.3(24).

NAT being the problem makes sense. I'll try what you say about using a different IP pool for the VPN... Let's see how it goes...
 
Hi Again,

I tested it and I could ping from the internal network to the client but not the other way around, so it was a NAT issue.

Using a route map to prevent traffic from my internal LAN to the VPN LAN from being NATed did the trick.

Thank you very much!
 
JPF,

I'm having a somewhat similar problem with my Cisco 1811W and IPsec VPN using the Cisco VPN Client. Can you explain in more detail your statement, "Using a route map to prevent traffic from my internal LAN to the VPN LAN from being NATed did the trick"?

I'd greatly appreciate it. Thank you in advance.
 
A route map like this... let's say the VPN pool is the same as the local LAN addresses: VPN IP addresses = 192.168.1.5 and 192.168.1.6. The route map would look like this...

route-map nonat permit 1
 match address 101

Then the ACL for NAT...

access-list 101 deny ip host 192.168.1.5 any
access-list 101 deny ip host 192.168.1.6 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Then apply the route-map to the interface as NAT... let's say the outgoing interface is dialer0...

ip nat inside source route-map nonat int di0 overload

This separates the VPN addresses from being NATted back out.

Burt
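The configuration below is an added worked example, not something posted in the thread, that applies the NAT-exemption idea from Burt's two replies (the separate VPN pool and the route-map) to the original poster's 827 config. It assumes Dialer1 as the NAT outside interface and the 192.168.253.x pool Burt suggested; the ACL numbers 101 and 120 and the route-map name are illustrative. One point worth being explicit about: the packet that breaks client-initiated connections is the LAN host's reply, which crosses the router inside-to-outside with the VPN client as its destination. `ip nat inside source` evaluates that reply against the ACL, so the exemption has to match on destination, and a standard ACL such as list 1 can only match source. That is why the example uses an extended ACL behind the route-map.

```cisco
! Added example (not from the original thread). Assumes the poster's 827:
! LAN 192.168.249.0/24 on Ethernet0, Dialer1 is "ip nat outside".
!
! 1. Move the VPN pool out of the LAN subnet (Burt's suggestion).
no ip local pool pool-ip-vpn 192.168.249.240 192.168.249.249
ip local pool pool-ip-vpn 192.168.253.1 192.168.253.16
!
! 2. Extended ACL for NAT (number 101 is an assumption).
!    The failing packet is the LAN host's reply, travelling inside->outside
!    with destination = VPN client, so the deny must match the DESTINATION.
!    0.0.0.31 covers 192.168.253.0-31, i.e. the whole 1-16 pool.
access-list 101 remark NAT exemption: never PAT LAN traffic destined to VPN clients
access-list 101 deny   ip 192.168.249.0 0.0.0.255 192.168.253.0 0.0.0.31
access-list 101 permit ip 192.168.249.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 101
!
! 3. Replace the standard-ACL NAT rule with the route-map one. IOS refuses to
!    remove a dynamic NAT rule while translations exist, so first run
!    "clear ip nat translation *" in exec mode.
no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
!
! 4. Split tunnel (ACL 120 is an assumption). The poster's ACL 110 is
!    "permit ip any any", which is a full tunnel despite its remark: the
!    client then sends ALL its traffic, Internet included, into the tunnel.
!    Hand the client only the home LAN instead.
access-list 120 remark networks the VPN client reaches through the tunnel
access-list 120 permit ip 192.168.249.0 0.0.0.255 any
crypto isakmp client configuration group chumbo-vpn
 acl 120
!
! Verification after the client reconnects and pings a LAN host:
!   show ip nat translations        -> no entry for the 192.168.253.x client
!   show crypto ipsec sa            -> #pkts encaps AND #pkts decaps both rising
!   show ip route 192.168.253.1     -> host route for the connected client
```

The ordering matters in practice: add ACL 101 and the route-map before removing the old `ip nat inside source list 1` line, so the router never spends time with no outbound NAT at all. The `acl 120` change also means the client's own Internet traffic no longer transits the home DSL line, which is what the thread's `allow split VPN traffic` remark was evidently meant to achieve.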
 