Velocity Reviews - Computer Hardware Reviews

Cisco 837 and Cisco VPN client weirdness.. any ideas?

 
 
Christian Hewitt
      04-29-2005
With my current configuration I can VPN connect from anywhere on the
web and authenticate as a local user with an 837 router. Once auth'd
the VPN client is allocated an IP from the VPN pool. From a VPN
connected laptop I can ping any address on the LAN and any other
machine on the LAN can ping the IP the VPN client has been allocated.
However I can't access all resources via all protocols on all machines.
This part is inconsistent and has me baffled. E.g. from a VPN client I
can mount SMB shares on 192.168.16.250 but I can't see the webserver
(:80) on the same IP. From a LAN connected laptop I can see the
webserver running on the VPN client (192.168.17.x:80). However the VPN
client can't see a webserver on the same LAN connected laptop
(192.168.16.10:80).

This is my first ever contact with Cisco gear and while I'm quite
chuffed with getting as far as I have on setting this box up.. I'm now
way out of my depth on working out what the problem is. Any suggestions
would be greatly appreciated!

Client s/w is v4.6 (0045) on Mac OS 10.3.9
sh version reports: IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH4
Router config (security edited) is cut/pasted below:

!
version 12.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxx
!
logging queue-limit 100
no logging buffered
enable secret 5 xxxx
!
username xxxx password 7 xxxx
username xxxx password 7 xxxx
username xxxx password 7 xxxx
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxx
key 0 xxxx
dns 192.168.16.250
wins 192.168.16.250
pool vpnpool
acl 106
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.16.1 255.255.255.0
ip access-group 102 in
ip nat inside
no ip mroute-cache
crypto map clientmap
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 101 in
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname (E-Mail Removed)
ppp chap password 7 xxxx
ppp pap sent-username (E-Mail Removed) password 7 xxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map clientmap
hold-queue 224 in
!
ip local pool vpnpool 192.168.17.1 192.168.17.10
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 192.168.16.250 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.16.250 80 interface Dialer1 80
ip nat inside source static tcp 192.168.16.250 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
access-list 1 remark The local LAN
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 2 remark Where management can be done from
access-list 2 permit 192.168.16.0 0.0.0.255
access-list 2 permit 192.168.17.0 0.0.0.255
access-list 101 remark Traffic allowed to enter router from Internet
access-list 101 permit ip any any
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp any any eq 1723
access-list 101 permit udp any any eq isakmp
access-list 101 permit tcp any any eq 10000
access-list 101 permit gre any any
access-list 101 deny ip any any
access-list 102 remark Traffic allowed to enter router from Ethernet
access-list 102 permit ip any any
access-list 105 remark Traffic to NAT
access-list 105 deny ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 105 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 105 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 192.168.17.0 0.0.0.255 any
access-list 106 remark User to Site VPN clients
access-list 106 permit ip 192.168.16.0 0.0.0.255 any
access-list 106 permit ip 192.168.17.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 2 in
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
!
end

If there are any screwups I've made (things that are in that should be
out and vice versa) I'd be more than happy to have them pointed out!

-- Christian

 
Tony Clifton
      04-30-2005
Hello,

I think the first part of the problem is NAT-related.

If you try to remove this line:

no ip nat inside source static tcp 192.168.16.250 80 interface Dialer1 80

Then can you connect to 192.168.16.250:80 from the VPN client?

But I don't know why you can't connect to the laptop. Can you ping it?

Regards,

/TC

"Christian Hewitt" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...



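As an added check (my own script, not part of this thread and not Cisco tooling), the following models why the static NAT entries in the posted config would affect VPN clients while the dynamic overload rule does not: it evaluates ACL 105 for a reply from 192.168.16.250 to a pool address the way IOS does (first match, implicit deny), and separately lists the static PAT entries that match that same reply, since a static entry with no route-map consults no ACL at all. The config excerpt is copied from the posted config; the function names and the sample client address 192.168.17.5 (inside the vpnpool range) are my assumptions.

```python
import ipaddress
import re

# Constructed excerpt of the NAT-related lines from the 837 config posted in this thread.
CONFIG = """\
ip local pool vpnpool 192.168.17.1 192.168.17.10
ip nat inside source list 105 interface Dialer1 overload
ip nat inside source static tcp 192.168.16.250 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.16.250 80 interface Dialer1 80
ip nat inside source static tcp 192.168.16.250 1723 interface Dialer1 1723
access-list 105 deny ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 105 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 105 permit ip 192.168.16.0 0.0.0.255 any
"""
STATIC_RE = re.compile(r"^ip nat inside source static (?:tcp|udp) (\S+) (\d+) interface \S+ \d+(.*)$")
DYN_RE = re.compile(r"^ip nat inside source list (\d+) interface \S+ overload$")

def _match_addr(tokens, ip):
    """Consume one ACL address term ('any' or 'addr wildcard'); return (matched, rest)."""
    if tokens[0] == "any":
        return True, tokens[1:]
    wildcard = int(ipaddress.ip_address(tokens[1]))  # IOS wildcard: 1 bits are don't-care
    return (int(ipaddress.ip_address(tokens[0])) | wildcard) == (int(ip) | wildcard), tokens[2:]

def acl_permits(acl_lines, src, dst):
    """First-match evaluation of 'access-list N permit|deny ip SRC DST' lines."""
    for line in acl_lines:
        tokens = line.split()[2:]              # drop 'access-list N'
        if tokens[0] == "remark":
            continue
        action, tokens = tokens[0], tokens[2:]  # skip the 'ip' keyword
        s_ok, tokens = _match_addr(tokens, src)
        d_ok, _ = _match_addr(tokens, dst)
        if s_ok and d_ok:
            return action == "permit"
    return False                               # implicit deny at the end of every IOS ACL

def nat_on_replies(config, server_ip, client_ip):
    """Report which NAT rules rewrite a reply from server_ip to client_ip (inside to outside).
    The overload rule honours its ACL, so ACL 105 exempts LAN<->pool traffic; a static PAT
    entry with no route-map matches unconditionally, before the crypto map sees the packet."""
    src, dst = ipaddress.ip_address(server_ip), ipaddress.ip_address(client_ip)
    lines = config.splitlines()
    dyn_list = next(m.group(1) for m in map(DYN_RE.match, lines) if m)
    acl = [l for l in lines if l.startswith(f"access-list {dyn_list} ")]
    statics = [m for m in map(STATIC_RE.match, lines) if m]
    static = sorted(int(m.group(2)) for m in statics
                    if m.group(1) == server_ip and "route-map" not in m.group(3))
    return {"dynamic": acl_permits(acl, src, dst), "static": static}
```

Running it for the laptop at 192.168.16.10 reports no matching static entry, so this model does not account for that second symptom, which matches TC's remark that the laptop case is unexplained.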
 