Cisco vpn client to Cisco 837 problem

Discussion in 'Cisco' started by maurice, Dec 28, 2004.

  1. maurice

    maurice Guest

    hi,

    I am having trouble solving this issue and would like to get your help.

    I am trying to set up a remote access VPN from the Cisco client software
    to a Cisco 837 VPN server. I can get the tunnel up, but I am not able
    to ping the router Ethernet interface or any computer on the LAN
    site.

    cisco client 4.0.2b--------Internet--------ADSL_Cisco 837_vpn_server-------LAN_Windows2003_terminal_server



    Building configuration...

    Current configuration : 3499 bytes

    version 12.3

    no service pad

    service timestamps debug datetime msec

    service timestamps log datetime msec

    no service password-encryption

    hostname cisco837

    boot-start-marker

    boot-end-marker

    logging buffered 51200 warnings

    enable secret 5 xxxxxxxxxxx!

    username admin privilege 15 password 0 XXXXXX
    username vpnuser secret 5 xxxxxxxxx

    clock timezone PCTimeZone 11

    aaa new-model

    aaa authentication login default local
    aaa authentication login userlist local
    aaa authentication ppp default local
    aaa authorization network grouplist local

    aaa session-id common

    ip subnet-zero

    no ip source-route

    no ip domain lookup
    ip domain name xxxxx.nc
    ip name-server 202.171.yy.x
    ip name-server 202.171.yy.x!

    ip audit notify log
    ip audit po max-events 100
    ip ssh break-string
    no ftp-server write-enable

    crypto isakmp policy 1

    authentication pre-share

    crypto isakmp policy 2
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group vegavpn
    key xxxxxxx
    domain xxxxxx.nc
    pool vpnclients
    acl 106

    crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
    crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
    crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
    crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac

    crypto dynamic-map vpnusers 1

    description Client to Site VPN Users

    set transform-set tr-des-md5

    crypto map cm-cryptomap client authentication list userlist
    crypto map cm-cryptomap isakmp authorization list grouplist
    crypto map cm-cryptomap client configuration address respond
    crypto map cm-cryptomap 65000 ipsec-isakmp dynamic vpnusers

    interface Ethernet0

    description $ETH-LAN$

    ip address 192.168.10.254 255.255.255.0
    ip access-group 102 in
    ip nat inside
    ip tcp adjust-mss 1452
    hold-queue 100 out

    interface ATM0
    no ip address
    no atm ilmi-keepalive
    dsl operating-mode auto

    interface ATM0.1 point-to-point
    pvc 8/35
    ubr 250
    pppoe-client dial-pool-number 1

    interface Dialer0

    ip address negotiated
    ip access-group 101 in
    ip mtu 1452
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap callin
    ppp chap hostname
    ppp chap password 0 XXXXX
    crypto map cm-cryptomap

    ip local pool vpnclients 192.168.10.220 192.168.10.225
    ip nat inside source route-map nonat interface Dialer0 overload

    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0

    ip http server
    ip http authentication local
    ip http secure-server

    access-list 1 remark The local LAN.

    access-list 1 permit 192.168.10.0 0.0.0.255

    access-list 101 permit ip any any

    access-list 102 permit ip any any

    access-list 105 remark Traffic to NAT
    access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 105 permit ip 192.168.10.0 0.0.0.255 any

    access-list 106 remark User to Site VPN Clients
    access-list 106 permit ip 192.168.10.0 0.0.0.255 any

    dialer-list 1 protocol ip permit

    route-map nonat permit 10
    match ip address 105

    control-plane

    !

    banner login ^CAuthorized access only!

    Disconnect IMMEDIATELY if you are not an authorized user!^C

    !

    line con 0
    no modem enable
    transport preferred all
    transport output all
    line aux 0
    transport preferred all
    transport output all
    line vty 0 4
    privilege level 15
    transport preferred all
    transport input telnet ssh
    transport output all

    scheduler max-task-time 5000

    end
     
    maurice, Dec 28, 2004
    #1

  2. Hi,

    Configure the command "reverse-route injection" under "crypto
    dynamic-map vpnusers 1"

    On the other hand, you can clean up your config and use Cisco SDM
    (Security Device Manager) to configure the Easy VPN Server.

    www.cisco.com/go/sdm


    -Ravikumar




     
    Ravikumar Eswaran, Jan 7, 2005
    #2
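
Added example, not part of either post: a Python check over a constructed excerpt of the configuration from the first post (re-indented the way IOS prints sub-commands). It reports whether the dynamic map carries the `reverse-route` sub-command, which transforms the dynamic map actually uses, and whether the client pool lies inside the Ethernet0 subnet. The names `section`, `audit` and `WEAK` are hypothetical.

```python
import ipaddress
import re
# Constructed excerpt: lines taken from the configuration in the first post.
CONFIG = """\
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map vpnusers 1
 set transform-set tr-des-md5
interface Ethernet0
 ip address 192.168.10.254 255.255.255.0
ip local pool vpnclients 192.168.10.220 192.168.10.225
"""

WEAK = {"esp-des", "esp-null", "esp-md5-hmac"}  # single DES, no encryption, MD5 HMAC

def section(config, header):
    # Return the indented sub-commands that follow the line starting with `header`.
    body, inside = [], False
    for line in config.splitlines():
        if line.startswith(header):
            inside = True
        elif inside and line.startswith(" "):
            body.append(line.strip())
        elif inside:
            break
    return body

def audit(config, dynmap="vpnusers 1", lan_if="Ethernet0"):
    findings = []
    dm = section(config, f"crypto dynamic-map {dynmap}")
    # IOS enters reverse route injection as the `reverse-route` sub-command.
    if not any(cmd.startswith("reverse-route") for cmd in dm):
        findings.append("dynamic-map has no reverse-route")
    # Resolve the transform sets the dynamic map references and flag weak transforms.
    sets = {m[1]: set(m[2].split()) for m in
            re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M)}
    used = [n for c in dm if c.startswith("set transform-set ") for n in c.split()[2:]]
    for name in used:
        weak = sorted(sets.get(name, set()) & WEAK)
        if weak:
            findings.append(f"{name} uses {', '.join(weak)}")
    # Check whether the client pool lies inside the LAN interface subnet.
    addr = next(c.split()[2:4] for c in section(config, f"interface {lan_if}")
                if c.startswith("ip address "))
    lan = ipaddress.ip_network("/".join(addr), strict=False)
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)$", config, re.M)
    if all(ipaddress.ip_address(a) in lan for a in m.groups()):
        findings.append(f"VPN pool {m[1]}-{m[2]} is inside LAN {lan}")
    return findings
```

Calling `audit(CONFIG)` on the excerpt returns three findings; switching the dynamic map to `tr-3des-sha` and adding `reverse-route` leaves only the pool/LAN overlap.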