
VPN woes


g0at

Technical User
Oct 18, 2004
27
GB
Hi, wondering whether anyone can help?

Have managed to establish a VPN tunnel with a 3rd party site.

ACL is set to
permit ip any host 158.XXX.XXX.XXX

I'm having trouble getting any devices using the router as their gateway to go through the tunnel. I can hit google and other sites straight off the bat whereas I would have thought the default route would be to travel through the VPN.

Can anyone help?
 
Edit: 857 Router, using SDM although can telnet in if I need to make any console commands.
 
Edit 2: Default route is set to Dialer0 if that helps..

Current configuration : 6309 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 XXXXXXX
!
no aaa new-model
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-4191985501
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4191985501
revocation-check none
rsakeypair TP-self-signed-4191985501
!
!
crypto pki certificate chain TP-self-signed-4191985501
certificate self-signed 01
quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip bootp server
ip domain name yourdomain.com
ip name-server dns1.XXX.XXX.XXX
ip name-server dns2.XXX.XXX.XXX
!
!
!
username admin privilege 15 secret 5 XXXXXXXX
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXXX address 158.XXX.XXX.X no-xauth
!
!
crypto ipsec transform-set O2TransForm esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to158.230.XXX.X
set peer 158.230.XXX.X
set transform-set O2TransForm
match address 101
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
crypto ipsec df-bit clear
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.0.182 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname nn118ufXXXX@XXXX
ppp chap password 7 XXXXXXXXXX
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.0.235 5900 interface Dialer0 5900
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 remark 172.XX.X.X
access-list 100 deny ip any host 172.XX.X.X
access-list 100 deny ip any host 158.230.X.X
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark O2IPSEC
access-list 101 remark SDM_ACL Category=4
access-list 101 remark 158.230.X.X
access-list 101 permit ip any host 158.230.X.X
access-list 101 remark 172.17.0.0
access-list 101 permit ip any host 172.17.X.X
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
 
I'm not sure what context you're using the ACL 100 for, but I believe it won't work as it's been placed under a permit statement:


access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 remark 172.XX.X.X
access-list 100 deny ip any host 172.XX.X.X
access-list 100 deny ip any host 158.230.X.X
 
OK, managed to resolve the above.

Next question:

How do I NAT the VLAN1 IP to the IP assigned by my ISP? The other end of the VPN can see me trying to hit hosts, however it is blocked by the firewall as it's the VLAN1 IP that is being used.

Basically, when I access a host through the VPN I want the IP assigned by my ISP to be passed rather than the VLAN1 IP.

Thanks
 
How did you manage to resolve your problem?

I was doing some studying the other day and came across this concept: Reflexive Access List. On my travels I saw this config: h**p://itdaddy.wordpress.com/2008/05/19/windows-vpn-config-in-cisco-2600-series-router/

I hope it helps
 
Hi,

Problem is still outstanding.

Cannot for the life of me NAT over VPN. When I test the tunnel the router's private IP pings the end host. When I ping from our servers the private IP is used.

When applying any ACLs on the VPN it automatically puts in a deny entry in the NAT routing table; deleting these doesn't seem to work, nor does changing the deny to permit.

Did you manage to resolve your issue?

I'll take a look at that config..
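To see why the far end sees the VLAN1 address (this post and the earlier NAT-over-VPN question), here is a small Python model of the posted ACLs and the IOS inside-to-outside order of operations, where NAT inside-to-outside runs before the crypto map is checked. It is added here and is not from the thread; ISP_IP and REMOTE_HOST are constructed placeholders for the masked addresses, and the peer's mirrored crypto ACL is assumed to agree.

```python
import ipaddress

# Constructed placeholders; the thread masks the real addresses.
ISP_IP = "203.0.113.7"        # address the ISP hands Dialer0 (hypothetical)
REMOTE_HOST = "172.17.0.10"   # host behind the third-party peer (hypothetical)

ANY = ("0.0.0.0", "255.255.255.255")   # IOS "any"
def host(ip):                          # IOS "host x.x.x.x"
    return (ip, "0.0.0.0")

def wildcard_match(addr, net, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care'."""
    a, n, w = (int(ipaddress.ip_address(x)) for x in (addr, net, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0

def acl_action(acl, src, dst):
    """First matching entry wins; IOS appends an implicit deny."""
    for action, s_net, s_wc, d_net, d_wc in acl:
        if wildcard_match(src, s_net, s_wc) and wildcard_match(dst, d_net, d_wc):
            return action
    return "deny"

# access-list 100 as posted (route-map SDM_RMAP_1): deny = exempt from NAT
ACL100_POSTED = [("deny", *ANY, *host(REMOTE_HOST)),
                 ("permit", "192.168.0.0", "0.0.0.255", *ANY)]
# access-list 101 as posted (match address 101 on SDM_CMAP_1): what gets encrypted
ACL101_POSTED = [("permit", *ANY, *host(REMOTE_HOST))]

# Variant: drop the NAT exemption and make the crypto ACL match the post-NAT source
ACL100_NAT_OVER_VPN = [("permit", "192.168.0.0", "0.0.0.255", *ANY)]
ACL101_NAT_OVER_VPN = [("permit", *host(ISP_IP), *host(REMOTE_HOST))]

def outbound(src, dst, nat_acl, crypto_acl):
    """Inside-to-outside path on IOS: NAT inside->outside runs before the
    crypto map is consulted. Returns (source the peer sees, encrypted?).
    The peer's mirrored crypto ACL is not modelled and must agree with ours."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = ISP_IP                      # overload NAT to the Dialer0 address
    encrypted = acl_action(crypto_acl, src, dst) == "permit"
    return src, encrypted

if __name__ == "__main__":
    lan_host = "192.168.0.10"
    print("posted config :", outbound(lan_host, REMOTE_HOST, ACL100_POSTED, ACL101_POSTED))
    print("NAT over VPN  :", outbound(lan_host, REMOTE_HOST, ACL100_NAT_OVER_VPN, ACL101_NAT_OVER_VPN))
    print("plain internet:", outbound(lan_host, "198.51.100.1", ACL100_POSTED, ACL101_POSTED))
```

With the posted ACLs the SDM-generated deny exempts VPN traffic from NAT, so the peer sees 192.168.0.x; once the exemption is gone the crypto ACL has to match the translated source, or the packet is no longer "interesting" and leaves in the clear.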
 