Cisco - Cisco 837 Easy VPN Server
Old 01-18-2004, 02:26 PM   #1
Default Cisco 837 Easy VPN Server


Hi there,

I am trying unsuccessfully to implement the following on our network
and would like any of you in the know to point me in the right
direction.

What I am trying to do:-

Our LAN at work is configured as follows:

Network - 192.168.0.0 /24
DMZ - 192.168.254.0 /24 - Contains the Proxy, and external Gateway

Cisco 837 - 192.168.0.11


I have a number of Cisco 837 boxes, all connected to the 192.168.0.0
network and then out via ADSL to the internet.

I have the Cisco Easy VPN Client version 3.6.3 (B) at a remote site
which is on a network 192.168.30.0 /24.

I can establish a connection to the Cisco 837 with the client but can
only ping the ip address of 837, no other IP Addresses on the
192.168.0.0 network can be pinged.

Configuration and IOS versions below.

bgswark#show version
Cisco Internetwork Operating System Software
IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(8)YN, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.2(11.2u)T
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2002 by cisco Systems, Inc.
Compiled Wed 30-Oct-02 15:35 by ealyon
Image text-base: 0x800131D8, data-base: 0x8091FE68

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: C837 Software (C837-K9O3Y6-M), Version 12.2(8)YN, EARLY
DEPLOYMENT RELEASE SOFTWARE (fc1)

bgswark uptime is 3 days, 23 minutes
System returned to ROM by reload
System image file is "flash:c837-k9o3y6-mz.122-8.YN.bin"

CISCO C837 (MPC857DSL) processor (revision 0x400) with 29492K/3276K
bytes of memory.
Processor board ID AMB07190VD9 (2681721202), with hardware revision
0000
CPU rev number 7
Bridging software.
1 Ethernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
128K bytes of non-volatile configuration memory.
12288K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Configuration register is 0x2102


-----------------


Current configuration : 4558 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname bgswark
!
logging buffered 4096 informational
enable secret 5 xxx
!
username xxxxx password 7 xxxxxx
username xxxxx password 7 xxxxx
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip domain name xxxxx.co.uk
ip name-server 192.168.0.2
ip name-server 192.168.0.3
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group homevpn
key xxxxx
dns 192.168.0.2
domain xxxxx.co.uk
pool vpnclients
acl 106
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.0.11 255.255.255.0
ip nat inside
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
dsl power-cutback 0
!
interface Dialer0
no ip address
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxx
ppp chap password 7 xxxxx
ppp pap sent-username xxxxx password 7 xxxxx
crypto map clientmap
hold-queue 224 in
!
ip local pool vpnclients 192.168.30.10 192.168.30.254
ip nat inside source list 102 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.30.0 255.255.255.0 Dialer1
no ip http server
ip http authentication local
!
!
access-list 1 remark The local LAN.
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 106 permit ip 192.168.0.0 0.0.0.255 any
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 1724
access-list 111 permit tcp any any eq 1725
access-list 111 permit tcp any any eq 1726
access-list 111 permit tcp any any eq 1727
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit tcp any any range 1723 1727
access-list 111 permit udp any any range 1723 1727
access-list 111 permit ip 192.168.30.0 0.0.0.255 any
access-list 111 permit tcp any any eq 3389
access-list 111 permit udp any any eq 3389
access-list 111 deny ip any any
access-list 111 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
end


Many thanks in anticipation for someone pointing out the flaws in my
configuration!!!

--
Dave Pearson
Chicane











David Pearson
  Reply With Quote
Old 01-18-2004, 07:53 PM   #2
Rik Bain
 
Posts: n/a
Default Re: Cisco 837 Easy VPN Server
On Sun, 18 Jan 2004 08:26:06 -0600, David Pearson wrote:

> Hi there,
>
> I am trying unsuccessfully to implement the following on our network and
> would like any of you in the know to point me in the right direction.
>
> What I am trying to do:-
>
> Our LAN at work is configured as follows:
>
> Network - 192.168.0.0 /24
> DMZ - 192.168.254.0 /24 - Contains the Proxy, and external Gateway
>
> Cisco 837 - 192.168.0.11
>
>
> I have a number of Cisco 837 boxes, all connected to the 192.168.0.0
> network and then out via ADSL to the internet.
>
> I have the Cisco Easy VPN Client version 3.6.3 (B) at a remote site
> which is on a network 192.168.30.0 /24.
>
> I can establish a connection to the Cisco 837 with the client but can
> only ping the ip address of 837, no other IP Addresses on the
> 192.168.0.0 network can be pinged.
>


Your nat access-list specifies that the router should nat all packets from
the 192.168.0.0 network. You need to adjust that so that it does not nat
packets that are destined for the ip pool the vpn clients use.

Example:

access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any


Rik Bain
  Reply With Quote
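
Rik Bain's point about access-list 102, as an added example that is not part of the original thread: a small Python model of IOS first-match evaluation with wildcard masks, run over ACL lines quoted in the posts above. It handles only `ip` entries with `any` or address/wildcard operands, and goes one step beyond the reply by also reporting entries that an earlier line makes unreachable, using the final two lines of access-list 111 from the first post; the host addresses 192.168.0.2 and 198.51.100.7 are sample values chosen here.

```python
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 'any': every bit is "don't care"

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' (SRC/DST: 'any' or 'ADDR WILDCARD')."""
    tok = line.split()
    if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError("unsupported entry: " + line)
    specs, rest = [], tok[4:]
    for _ in range(2):
        if rest and rest[0] == "any":
            specs.append(ANY)
            rest = rest[1:]
        elif len(rest) >= 2:
            specs.append((_ip(rest[0]), _ip(rest[1])))
            rest = rest[2:]
        else:
            raise ValueError("truncated entry: " + line)
    return {"action": tok[2], "src": specs[0], "dst": specs[1], "text": line}

def matches(spec, ip):
    """Wildcard bit 1 = ignore this bit, 0 = must equal the ACL address bit."""
    addr, wild = spec
    return ((_ip(ip) ^ addr) & ~wild & 0xFFFFFFFF) == 0

def evaluate(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for ace in acl:
        if matches(ace["src"], src) and matches(ace["dst"], dst):
            return ace["action"]
    return "deny"

def nat_translates(acl, src, dst):
    """'ip nat inside source list N ...' translates only what list N permits."""
    return evaluate(acl, src, dst) == "permit"

def covers(outer, inner):
    """True if every address matched by `inner` is also matched by `outer`."""
    (a1, w1), (a2, w2) = outer, inner
    care = ~w1 & 0xFFFFFFFF
    return (w2 & care) == 0 and ((a1 ^ a2) & care) == 0

def shadowed(acl):
    """Entries that can never match because an earlier entry covers them."""
    return [ace["text"] for i, ace in enumerate(acl)
            if any(covers(p["src"], ace["src"]) and covers(p["dst"], ace["dst"])
                   for p in acl[:i])]

# ACL lines copied from the thread.
ORIGINAL_102 = [parse_ace("access-list 102 permit ip 192.168.0.0 0.0.0.255 any")]
FIXED_102 = [parse_ace(l) for l in (
    "access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255",
    "access-list 102 permit ip 192.168.0.0 0.0.0.255 any")]
ACL_111_TAIL = [parse_ace(l) for l in (
    "access-list 111 deny ip any any",
    "access-list 111 permit ip 192.168.0.0 0.0.0.255 any")]

if __name__ == "__main__":
    lan_host, vpn_client = "192.168.0.2", "192.168.30.10"  # sample LAN host, first pool address
    internet = "198.51.100.7"  # constructed documentation address
    for name, acl in (("original", ORIGINAL_102), ("fixed", FIXED_102)):
        print(name, "LAN->VPN client NAT:", nat_translates(acl, lan_host, vpn_client),
              "| LAN->internet NAT:", nat_translates(acl, lan_host, internet))
    print("never matched:", shadowed(ACL_111_TAIL))
```

With the original list, replies from the LAN to a VPN pool address are translated; with the two-line version they are exempt while ordinary outbound traffic is still translated.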
Old 01-18-2004, 09:49 PM   #3
David Pearson
 
Posts: n/a
Default Re: Cisco 837 Easy VPN Server
On Sun, 18 Jan 2004 13:53:24 -0600, Rik Bain <>
wrote:

>On Sun, 18 Jan 2004 08:26:06 -0600, David Pearson wrote:
>
>> Hi there,
>>
>> I am trying unsuccessfully to implement the following on our network and
>> would like any of you in the know to point me in the right direction.
>>
>> What I am trying to do:-
>>
>> Our LAN at work is configured as follows:
>>
>> Network - 192.168.0.0 /24
>> DMZ - 192.168.254.0 /24 - Contains the Proxy, and external Gateway
>>
>> Cisco 837 - 192.168.0.11
>>
>>
>> I have a number of Cisco 837 boxes, all connected to the 192.168.0.0
>> network and then out via ADSL to the internet.
>>
>> I have the Cisco Easy VPN Client version 3.6.3 (B) at a remote site
>> which is on a network 192.168.30.0 /24.
>>
>> I can establish a connection to the Cisco 837 with the client but can
>> only ping the ip address of 837, no other IP Addresses on the
>> 192.168.0.0 network can be pinged.
>>

>
>Your nat access-list specifies that the router should nat all packets from
>the 192.168.0.0 network. You need to adjust that so that it does not nat
>packets that are destined for the ip pool the vpn clients use.
>
>Example:
>
>access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
>access-list 102 permit ip 192.168.0.0 0.0.0.255 any


Hi Rik,

Many thanks for the info, however I am still having trouble, there has
to be a whole pile of misconfigs in my kludged config file.

What I failed to mention earlier was that when I ping 192.168.0.11,
(the ip address of Ethernet0 on the Cisco837 connected to the LAN),
from the client side I got a response from the ADSL ip address on the
Dialer1 interface.

I have since removed:

ip nat inside source list 102 interface Dialer1 overload

from the config and 192.168.0.11 is responding as 192.168.0.11. I am
still unable to ping any other IP address on the 192.168.0.0 network.

Will continue researching tomorrow.

Many thanks,

--
David Pearson
Chicane


David Pearson
  Reply With Quote
Old 01-18-2004, 10:14 PM   #4
Rik Bain
 
Posts: n/a
Default Re: Cisco 837 Easy VPN Server
On Sun, 18 Jan 2004 15:49:44 -0600, David Pearson wrote:

> On Sun, 18 Jan 2004 13:53:24 -0600, Rik Bain <>
> wrote:
>
>>On Sun, 18 Jan 2004 08:26:06 -0600, David Pearson wrote:
>>
>>>
>>>

>>Your nat access-list specifies that the router should nat all packets
>>from the 192.168.0.0 network. You need to adjust that so that it does
>>not nat packets that are destined for the ip pool the vpn clients use.
>>
>>Example:
>>
>>access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
>>access-list 102 permit ip 192.168.0.0 0.0.0.255 any

>
> Hi Rik,
>
> Many thanks for the info, however I am still having trouble, there has
> to be a whole pile of misconfigs in my kludged config file.
>
> What I failed to mention earlier was that when I ping 192.168.0.11, (the
> ip address of Ethernet0 on the Cisco837 connected to the LAN), from the
> client side I got a response from the ADSL ip address on the Dialer1
> interface.
>
> I have since removed:
>
> ip nat inside source list 102 interface Dialer1 overload
>
> from the config and 192.168.0.11 is responding as 192.168.0.11. I am
> still unable to ping any other IP address on the 192.168.0.0 network.
>
> Will continue researching tomorrow.
>
> Many thanks,


Correct, the reason it comes back as the public address is due to your
nat config that I mentioned above. If you are unable to reach internal
hosts, verify that packets destined for 192.168.30.0/24 are making it
back to the router.

Rik Bain


Rik Bain
  Reply With Quote
Old 01-18-2004, 11:08 PM   #5
David Pearson
 
Posts: n/a
Default Re: Cisco 837 Easy VPN Server
On Sun, 18 Jan 2004 16:14:46 -0600, Rik Bain <>
wrote:

>> What I failed to mention earlier was that when I ping 192.168.0.11, (the
>> ip address of Ethernet0 on the Cisco837 connected to the LAN), from the
>> client side I got a response from the ADSL ip address on the Dialer1
>> interface.
>>
>> I have since removed:
>>
>> ip nat inside source list 102 interface Dialer1 overload
>>
>> from the config and 192.168.0.11 is responding as 192.168.0.11. I am
>> still unable to ping any other IP address on the 192.168.0.0 network.
>>
>> Will continue researching tomorrow.
>>
>> Many thanks,

>
>Correct, the reason it comes back as the public address is due to your
>nat config that I mentioned above. If you are unable to reach internal
>hosts, verify that packets destined for 192.168.30.0/24 are making it
>back to the router.


Hi Rik,

Correct me if I am wrong but should I have:

interface Ethernet0
ip address 192.168.0.11 255.255.255.0
ip nat inside <---------------------------------------------- ???
no ip mroute-cache
hold-queue 100 out


is this an ACL issue, and if so am I correct in thinking that in
order for packets destined for 192.168.30.0/24 there needs to be an
ACL telling the Ethernet0 interface to accept packets destined for the
30.0/24 subnet and pass them to Dialer0

if this is the case, could you supply me with an example?

Excuse my rather poor knowledge, but I am learning

Cheers,

--
David Pearson



David Pearson
  Reply With Quote
Old 01-19-2004, 03:01 PM   #6
Rik Bain
 
Posts: n/a
Default Re: Cisco 837 Easy VPN Server
On Sun, 18 Jan 2004 17:08:06 -0600, David Pearson wrote:

>
> Hi Rik,
>
> Correct me if I am wrong but should I have:
>
> interface Ethernet0
> ip address 192.168.0.11 255.255.255.0
> ip nat inside <---------------------------------------------- ???
> no ip mroute-cache
> hold-queue 100 out
>
>
> is this an ACL issue, and if so am I correct in thinking that in order
> for packets destined for 192.168.30.0/24 there needs to be an ACL
> telling the Ethernet0 interface to accept packets destined for the
> 30.0/24 subnet and pass them to Dialer0
>
> if this is the case, could you supply me with an example?
>
> Excuse my rather poor knowledge, but I am learning
>
> Cheers,


Refer to my first post. The access-list you need to modify is the one
used to determine what traffic gets NAT'd. You need to rewrite it so
that it does NOT include the VPN traffic.

I included an example in that post.

Rik Bain


Rik Bain
  Reply With Quote
Old 01-20-2004, 09:30 PM   #7
David Pearson
 
Posts: n/a
Default Re: Cisco 837 Easy VPN Server
On Mon, 19 Jan 2004 09:01:40 -0600, Rik Bain <>
wrote:

>On Sun, 18 Jan 2004 17:08:06 -0600, David Pearson wrote:
>
>>
>> Hi Rik,
>>
>> Correct me if I am wrong but should I have:
>>
>> interface Ethernet0
>> ip address 192.168.0.11 255.255.255.0
>> ip nat inside <---------------------------------------------- ???
>> no ip mroute-cache
>> hold-queue 100 out
>>
>>
>> is this an ACL issue, and if so am I correct in thinking that in order
>> for packets destined for 192.168.30.0/24 there needs to be an ACL
>> telling the Ethernet0 interface to accept packets destined for the
>> 30.0/24 subnet and pass them to Dialer0
>>
>> if this is the case, could you supply me with an example?
>>
>> Excuse my rather poor knowledge, but I am learning
>>
>> Cheers,

>
>Refer to my first post. The access-list you need to modify is the one
>used to determine what traffic gets NAT'd. You need to rewrite it so
>that it does NOT include the VPN traffic.
>
>I included an example in that post.


Hi Rik,

Thanks for the help so far, I am still having great trouble seeing
anything other than the Ethernet0 - 192.168.0.11 interface on the
Cisco 837.

The Cisco 837 is installed purely for the purpose of being able to
support users establishing a VPN into the LAN so I assume we don't need
to NAT.

Here's the latest incarnation of the config file, if anyone could
point out any obvious errors I would be very grateful.

Current configuration : 4207 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname xxxxxx
!
logging buffered 4096 informational
enable secret 5 $1$Lzd5$WBkpV1pzoNebo8EDPfpST0
!
username xxxxxx password 7 xxxxxx
username xxxxxx password 7 xxxxxx
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip domain name xxxxx.co.uk
ip name-server 192.168.0.2
ip name-server 192.168.0.3
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxx
key xxxxxx
dns 192.168.0.2
domain xxxxxx.co.uk
pool vpnclients
acl 106
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.0.11 255.255.255.0
no ip mroute-cache
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
dsl power-cutback 0
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname xxxxxx
ppp chap password 7 xxxxxx
ppp pap sent-username xxxxxx password 7 xxxxxx
crypto map clientmap
hold-queue 224 in
!
ip local pool vpnclients 10.10.10.1 10.10.10.20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 106 permit ip 192.168.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 1724
access-list 111 permit tcp any any eq 1725
access-list 111 permit tcp any any eq 1726
access-list 111 permit tcp any any eq 1727
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit tcp any any range 1723 1727
access-list 111 permit udp any any range 1723 1727
access-list 111 permit tcp any any eq 3389
access-list 111 permit udp any any eq 3389
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
end


Many thanks,

--
Dave Pearson
Chicane




David Pearson
  Reply With Quote
Old 03-06-2004, 12:16 PM   #8
JRfreebie
 
Posts: n/a
Default Re: Cisco 837 Easy VPN Server

Hi, I went through your config and it looks fine. I did see one thing in
your access-list. I have pasted it below.

access-list 111 permit ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.0.255

Should this not read as:

access-list 111 permit ip 10.10.10.0 0.0.0.255 192.168.0.0 0.0.255.255

Or am I seeing things.
Sorry if you sorted it already. If so, please post a working
script.

I just got hold of this unit myself and found your post very useful and
it has given me a starting point.

Regards.
JRfreebie





JRfreebie
  Reply With Quote