
VPN Configuration question.


TravisM (MIS), Nov 2, 2001, US
I'm having some problems setting up VPN on a Cisco 1601 router. The router is connected directly to the Internet, and the Ethernet interface is attached to another router on my internal network. This router is basically acting as a firewall/Internet router (with NAT enabled) and, hopefully, a VPN server.

I can get the client to connect to the serial interface; it gives me the proper IP address and sets everything up (WINS, DNS, etc.), but then I cannot ping anything on either my local network or the other side of the VPN tunnel.

I'm using IOS 12.2(8)T and the 3.5.1 client. Is there anywhere I can look for sample VPN configurations, or does anyone have any ideas as to what the issue might be?

Thanks in advance,
Travis.
 
Okay. I've got the tunnel working correctly now, but the issue seems to be with NAT. I can only ping addresses that have a static translation to the outside world. I have addresses 192.168.1.4 and 192.168.1.2 statically translated out, as well as a NAT pool of addresses for outbound access. I can ping the .1.4 and .1.2 addresses through the tunnel, but they reply with the outside interface addresses. I have tried the following commands to stop NAT translation:


ip nat inside source route-map nonat interface Serial1.1 overload
(Serial1.1 is my outside interface)

! a "deny" here means "not matched by the route-map", i.e. not translated by the dynamic rule
access-list 110 deny ip 192.168.0.0 0.0.255.255 192.168.6.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 110
! note: separate "ip nat inside source static ..." entries are not governed by this route-map


My VPN address pool is in the 192.168.6.0 range, and all my inside subnets are 192.168.x.x.

Have I messed something up here? Can anyone see what's wrong with this config, since it's not stopping NAT translation for that address pool?

Thanks,
-Travis.
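One way to keep the VPN pool out of both the dynamic and the static translations, as an added example that is not part of the original post or the poster's configuration. It reuses the poster's inside range (192.168.0.0/16), VPN pool (192.168.6.0/24) and outside interface (Serial1.1); the 203.0.113.x public addresses are placeholders for the real static globals, and it assumes an IOS that accepts the route-map keyword on static NAT entries.

```cisco
! Added example, not the poster's running configuration.
! Assumed: inside 192.168.0.0/16, VPN pool 192.168.6.0/24, outside Serial1.1,
! 203.0.113.x as placeholder public addresses.
!
! 1. Inside -> VPN-pool traffic is excluded from translation. A "deny" in the
!    ACL means the route-map does not match, and unmatched packets are not NATed.
access-list 110 deny   ip 192.168.0.0 0.0.255.255 192.168.6.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
!
route-map nonat permit 10
 match ip address 110
!
! 2. Dynamic PAT for ordinary Internet traffic, driven by the route-map.
ip nat inside source route-map nonat interface Serial1.1 overload
!
! 3. Static entries are evaluated on their own, independently of the dynamic
!    rule. Without a condition of their own, 192.168.1.4 and 192.168.1.2 keep
!    answering VPN clients from their public addresses. Attaching the same
!    route-map makes the static translation conditional on ACL 110 as well.
!    (Assumes the IOS in use accepts "route-map" on static entries.)
ip nat inside source static 192.168.1.4 203.0.113.4 route-map nonat
ip nat inside source static 192.168.1.2 203.0.113.2 route-map nonat
!
! 4. Check: ping a pool address from 192.168.1.4, then look for a translation
!    entry with 192.168.6.x as the destination; there should be none.
!    Existing entries created before the change are cached, so flush them.
! show ip nat translations
! clear ip nat translation *
```

The order matters for the symptom in the post: a ping from a VPN client reaches 192.168.1.4 untouched, but the reply leaves inside-to-outside and is matched by the static entry before anything else, so the route-map has to be on that entry rather than only on the dynamic rule. Flushing the translation table after the change avoids chasing a stale entry.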
 
Okay, here's where I'm at:
I've set up a TightVNC server in my private network.
I have a remote client hooked to the Internet via dial-up; he/she has downloaded and installed TightVNC also.
Here is the kicker.
My net is comprised of private addresses behind a Cisco router which provides Internet access via a fractional T1.

How do I get the router to let the TightVNC connection happen? I know port forwarding is probably the answer, but to be honest I used Cisco ConfigMaker to set the router up and am not really versed in Cisco router configuration via telnet or HyperTerminal. As a side note, I am trying desperately to get the remote user to go to some type of broadband connection so I have one IP address to work with; this seems a little more secure to me. I don't want my LAN hanging out waiting for someone willing/able to do as they may. Are these concerns valid? The router config is below.


Router#show running-config
Building configuration...

Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname hostname
!
no logging console
enable password removed
!
ip subnet-zero
no ip domain-lookup
ipx routing removed
!
!
!
interface Ethernet0
description connected to EthernetLAN
ip address 10.222.XXX.XXX 255.255.XXX.XXX
no ip directed-broadcast
ip nat inside
ipx network XX
!
interface Serial0
no ip address
no ip directed-broadcast
shutdown
! not sure this even needs to be here, as frame relay is no longer used
interface Serial1
no ip address
no ip directed-broadcast
encapsulation frame-relay IETF
service-module t1 remote-alarm-enable
frame-relay lmi-type ansi
!
interface Serial1.1 point-to-point
description connected to internet
bandwidth 1536
ip address 65.197.XXX.XXX 255.255.XXX.XXX
no ip directed-broadcast
ip nat outside
ipx network 9999
frame-relay interface-dlci 500
!
router rip
version 2
passive-interface Serial1.1
network 10.0.0.0
no auto-summary
!
ip nat pool router-natpool-1 65.197.XXX.XXX 65.197.XXX.XXX netmask 255.255.XXX.XXX
ip nat inside source list 1 pool router-natpool-1 overload
ip nat inside source static 10.222.XXX.XXX 65.197.XXX.XXX
ip classless
ip route 0.0.0.0 0.0.0.0 Serial1.1
!
access-list 1 permit 10.222.XXX.XXX 0.0.0.XXX
access-list 100 permit udp any eq rip any eq rip
access-list 101 permit tcp any any established
!
!
ipx router rip
no network 9999
!
!
!
snmp-server community public RO
banner motd ^C the ususal stuff about connecting^C
!
line con 0
exec-timeout 0 0
password removed
login
transport input none
line 1
line vty 0 4
password removed
login
!
end

Any thoughts/ideas are greatly appreciated!!

TB
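A static port forward for the VNC listener together with an inbound filter on the Internet side, as an added example that is not part of the original post or the poster's running configuration. It assumes TightVNC listening on TCP 5900 on an inside host (10.222.1.50, a placeholder for the masked address in the post), a public address from the router's own block (203.0.113.2, placeholder), and a remote user with a fixed address (198.51.100.25, placeholder); the outside interface name Serial1.1 is taken from the post.

```cisco
! Added example, not the poster's running configuration.
! Assumed: VNC host 10.222.1.50 (placeholder), public address 203.0.113.2
! (placeholder), remote user 198.51.100.25 (placeholder), outside Serial1.1.
!
! 1. Static PAT: expose only TCP/5900 of the VNC host, not every port of the
!    host the way a full "ip nat inside source static A B" entry does.
!    "extendable" keeps the public address usable for other translations.
ip nat inside source static tcp 10.222.1.50 5900 203.0.113.2 5900 extendable
!
! 2. Inbound filter on the Internet side. For packets arriving on Serial1.1
!    the access list is checked before NAT, so it must name the PUBLIC address.
!    Only the known remote host may reach 5900. "established" admits return
!    traffic for TCP sessions opened from inside; it is only a flag check, not
!    stateful inspection, so UDP replies (DNS) and the ICMP messages needed for
!    path MTU discovery and troubleshooting get their own lines. Everything
!    else unsolicited is dropped and logged.
access-list 102 permit tcp host 198.51.100.25 host 203.0.113.2 eq 5900
access-list 102 permit tcp any any established
access-list 102 permit udp any eq domain any gt 1023
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any time-exceeded
access-list 102 deny   ip any any log
!
interface Serial1.1 point-to-point
 ip access-group 102 in
!
! 3. Check: connect from the remote host, then confirm the translation exists
!    and that the hit counters on the permit/deny lines move as expected.
! show ip nat translations
! show access-lists 102
```

Two things in the posted config bear on this. ACLs 100 and 101 are defined but applied to no interface, so nothing filters inbound traffic today, and the existing full-host static entry (ip nat inside source static 10.222.XXX.XXX 65.197.XXX.XXX) already exposes every listening port of that inside host to the Internet; a port-specific entry as above is the narrower replacement. The host line for the remote user only works with a fixed address. With a dial-up client whose address changes, the choice is between opening 5900 to a much wider range and carrying the session inside a VPN (as in the first post) or an SSH tunnel, which also matters because the VNC protocol's own authentication is a short-password challenge and the session itself is sent in the clear.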
 
Dang!!!! I guess I need to pay attention to what I'm doing. Sorry, this was intended as a new post.

TB
 