2811 VPN Configuration help
root_console (Member), Jul 20, 2009 at 4:02 pm, #143250
I have a 2811 router running as a VPN server for remote client access and running a site-to-site VPN with another company.
The remote site location is not under our control. The goal is to allow the VPN users access to a node on the other end of the site-to-site VPN. As it is right now, only users that are locally connected to the router's inside interface through a switch (172.16.6.0) can connect to the remote node (10.200.1.2). The VPN users that are grabbing an IP from the VPN pool (172.16.100.0) are not able to ping the remote host. The other site is stating they have updated their firewall to allow connections from our VPN pool.
Is there something special we need to do in order to make sure traffic to the remote node (10.200.1.2) from the VPN pool works on our end?
Here is our config.
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname kamma
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$
!
aaa new-model
aaa local authentication attempts max-fail 5
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
no ip source-route
ip tcp synwait-time 15
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp bootp ignore
!
ip dhcp pool DHCPSERVER
network 172.16.6.0 255.255.255.0
dns-server 216.183.32.6 216.183.32.7
default-router 172.16.6.1
!
!
ip domain name yourdomain.com
ip name-server 216.183.32.6
ip name-server 216.183.32.7
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-351923016
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-351923016
revocation-check none
rsakeypair TP-self-signed-351923016
!
!
crypto pki certificate chain TP-self-signed-351923016
certificate self-signed 01
quit
!
!
username tlsn privilege 15 secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
username tcalvin privilege 15 secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
!
!
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect edonkey match-any sdm-app-edonkey
match file-transfer
match text-chat
match search-file-name
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 25
encr 3des
hash md5
authentication pre-share
crypto isakmp key %%%% address 222.222.222.222
!
crypto isakmp client configuration group ####
key ####
pool vpn_pool
acl 155
netmask 255.255.255.192
!
crypto isakmp client configuration group ^^^^
key ^^^^
pool learn_pool
acl 165
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set office1-to-office2 esp-3des esp-md5-hmac
!
crypto dynamic-map dymap 10
set transform-set ESP-3DES-SHA
!
!
crypto map mymap isakmp authorization list sdm_vpn_group_ml_1
crypto map mymap client configuration address respond
crypto map mymap 20 ipsec-isakmp
set peer 222.222.222.222
set transform-set office1-to-office2
match address 170
crypto map mymap 65535 ipsec-isakmp dynamic dymap
!
!
!
!
interface Tunnel1
no ip address
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$FW_OUTSIDE$$ETH-LAN$
ip address 172.16.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1300
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$$FW_INSIDE$
ip address 77.77.77.254 255.255.255.192
no ip unreachables
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map mymap
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
ip local pool vpn_pool 172.16.100.1 172.16.100.6
ip local pool learn_pool 172.16.150.1 172.16.150.10
ip route 0.0.0.0 0.0.0.0 77.77.77.253
!
ip flow-top-talkers
top 5
sort-by bytes
!
ip http server
ip http access-class 50
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 172.16.6.7 3389 77.77.77.254 3389 route-map SDM_RMAP_2 extendable
!
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
logging trap debugging
logging 88.88.88.88
access-list 50 permit 172.16.100.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip host 172.16.6.7 172.16.100.0 0.0.0.7
access-list 100 deny ip host 172.16.6.7 host 172.16.150.10
access-list 100 deny ip host 172.16.6.7 host 172.16.150.9
access-list 100 deny ip host 172.16.6.7 host 172.16.150.8
access-list 100 deny ip host 172.16.6.7 host 172.16.150.7
access-list 100 deny ip host 172.16.6.7 host 172.16.150.6
access-list 100 deny ip host 172.16.6.7 host 172.16.150.5
access-list 100 deny ip host 172.16.6.7 host 172.16.150.4
access-list 100 deny ip host 172.16.6.7 host 172.16.150.3
access-list 100 deny ip host 172.16.6.7 host 172.16.150.2
access-list 100 deny ip host 172.16.6.7 host 172.16.150.1
access-list 100 permit tcp host 172.16.6.7 eq 3389 any
access-list 101 remark SDM_ACL Category=18
access-list 101 deny ip any host 172.16.100.1
access-list 101 deny ip any host 172.16.100.2
access-list 101 deny ip any host 172.16.100.3
access-list 101 deny ip any host 172.16.100.4
access-list 101 deny ip any host 172.16.100.5
access-list 101 deny ip any host 172.16.100.6
access-list 101 deny ip any host 172.16.150.1
access-list 101 deny ip any host 172.16.150.2
access-list 101 deny ip any host 172.16.150.3
access-list 101 deny ip any host 172.16.150.4
access-list 101 deny ip any host 172.16.150.5
access-list 101 deny ip any host 172.16.150.6
access-list 101 deny ip any host 172.16.150.7
access-list 101 deny ip any host 172.16.150.8
access-list 101 deny ip any host 172.16.150.9
access-list 101 deny ip any host 172.16.150.10
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.72
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.150.0 0.0.0.255
access-list 101 deny tcp host 172.16.6.7 eq 3389 any
access-list 101 permit ip 172.16.6.0 0.0.0.255 any
access-list 155 permit ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.7
access-list 165 permit ip 172.16.6.0 0.0.0.255 172.16.150.0 0.0.0.255
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.72
!
!
route-map SDM_RMAP_1 permit 1
description Disable NAT for VPN Clients
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 100
!
!
!
control-plane
!
banner login ^C
This system is restricted to authorized users for business purposes. Unauthorized
access is a violation of the law. This service may be monitored for administrative
and security reasons. By proceeding, you consent to this monitoring.
^C
!
line con 0
exec-timeout 5 0
logging synchronous
line aux 0
exec-timeout 0 0
no exec
transport output none
line vty 0 4
exec-timeout 5 0
logging synchronous
transport input ssh
line vty 5 15
exec-timeout 5 0
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
!
end

The users on the vpn_pool can ping all nodes on the 172.16.6.0 network using a source address of the inside interface. The vpn_pool users cannot ping the 10.200.1.2 or the 10.200.1.72 nodes, which are behind the outside interface of 222.222.222.222 at the remote site.
The remote site is suggesting it is a problem on our end.
Any help would be greatly appreciated.
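An added diagnostic, not code from the post: it parses the wildcard-mask ACLs quoted above and checks, for a client on the 172.16.100.0 pool talking to 10.200.1.2, which of the three ACL roles on this router cover the flow (acl 155, which the client configuration group hands to the VPN client as its split-tunnel list; acl 170, the crypto map's match address; and acl 101, the NAT route-map list). The inside host 172.16.6.10 used for comparison is an assumed address.

```python
import ipaddress

# Constructed subset of the ACLs quoted in the post (plain "ip" entries only), IOS wildcard syntax.
ACL_TEXT = """
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 permit ip 172.16.6.0 0.0.0.255 any
access-list 155 permit ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.7
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.2
"""

def _parse_addr(tok, i):
    """Consume one IOS address spec at tok[i] ("any", "host A", or "A WILDCARD"); return (network, next index).
    ipaddress accepts a wildcard as a hostmask; IOS itself rewrites 0.0.0.0 as host and 255.255.255.255 as any."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2

def parse_acls(text):
    """Group numbered ACL entries as {number: [(action, src_net, dst_net), ...]}."""
    acls = {}
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # remarks and tcp/udp entries with ports are not modelled here
        src, i = _parse_addr(tok, 4)
        dst, _ = _parse_addr(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def evaluate(acl, src, dst):
    """First matching entry wins, as on IOS; None stands for the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in acl:
        if s in snet and d in dnet:
            return action
    return None

def diagnose(acls, client, remote, inside="172.16.6.10"):
    """Which ACL roles cover a VPN client talking to the remote node.
    The client-group acl is written inside-network -> client, so it is tested as remote -> client."""
    return {
        "split_tunnel_covers_remote": evaluate(acls["155"], remote, client) == "permit",
        "split_tunnel_covers_inside": evaluate(acls["155"], inside, client) == "permit",
        "crypto_map_matches_client": evaluate(acls["170"], client, remote) == "permit",
        "nat_exempt_client": evaluate(acls["101"], client, remote) != "permit",
    }
```

Running `diagnose(parse_acls(ACL_TEXT), "172.16.100.1", "10.200.1.2")` shows that acl 170 and the NAT exemption already cover the client flow, while acl 155 lists only 172.16.6.0/24, and that list is what the client uses to decide which destinations go into its tunnel at all.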