Cisco 837 and Cisco VPN client weirdness.. any ideas?

Discussion in 'Cisco' started by Christian Hewitt, Apr 29, 2005.

With my current configuration I can VPN connect from anywhere on the
web and authenticate as a local user with an 837 router. Once auth'd
the VPN client is allocated an IP from the vpn pool. From a VPN
connected laptop I can ping any address on the LAN and any other
machine on the LAN can ping the IP the VPN client has been allocated.
However I can't access all resources via all protocols on all machines.
This part is inconsistent and has me baffled. e.g. from a VPN client I
can mount SMB shares on 192.168.16.250 but I can't see the webserver
(:80 on the same IP). From a LAN connected laptop I can see the
webserver running on the VPN client (192.168.17.x:80). However the VPN
client can't see a webserver on the same LAN connected laptop
(192.168.16.10:80).

This is my first ever contact with Cisco gear and while I'm quite
chuffed with getting as far as I have on setting this box up.. I'm now
way out of my depth on working out what the problem is. Any suggestions
would be greatly appreciated!

    Client s/w is v4.6 (0045) on Mac OS 10.3.9
    sh version reports: IOS (tm) C837 Software (C837-K9O3Y6-M), Version 12.2(13)ZH4
    Router config (security edited) is cut/pasted below:

    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname xxxx
    !
    logging queue-limit 100
    no logging buffered
    enable secret 5 xxxx
    !
    username xxxx password 7 xxxx
    username xxxx password 7 xxxx
    username xxxx password 7 xxxx
    aaa new-model
    !
    !
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group xxxx
    key 0 xxxx
    dns 192.168.16.250
    wins 192.168.16.250
    pool vpnpool
    acl 106
    !
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
    set transform-set myset
    !
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface Ethernet0
    ip address 192.168.16.1 255.255.255.0
    ip access-group 102 in
    ip nat inside
    no ip mroute-cache
    crypto map clientmap
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface Dialer1
    ip address negotiated
    ip access-group 101 in
    ip nat outside
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    ppp authentication chap pap callin
    ppp chap hostname
    ppp chap password 7 xxxx
    ppp pap sent-username password 7 xxxx
    ppp ipcp dns request
    ppp ipcp wins request
    crypto map clientmap
    hold-queue 224 in
    !
    ip local pool vpnpool 192.168.17.1 192.168.17.10
    ip nat inside source list 105 interface Dialer1 overload
    ip nat inside source static tcp 192.168.16.250 3389 interface Dialer1 3389
    ip nat inside source static tcp 192.168.16.250 80 interface Dialer1 80
    ip nat inside source static tcp 192.168.16.250 1723 interface Dialer1 1723
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer1
    no ip http server
    no ip http secure-server
    !
    access-list 1 remark The local LAN
    access-list 1 permit 192.168.16.0 0.0.0.255
    access-list 2 remark Where management can be done from
    access-list 2 permit 192.168.16.0 0.0.0.255
    access-list 2 permit 192.168.17.0 0.0.0.255
    access-list 101 remark Traffic allowed to enter router from Internet
    access-list 101 permit ip any any
    access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.16.0 0.0.0.255
    access-list 101 permit ip 192.168.17.0 0.0.0.255 192.168.17.0 0.0.0.255
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 3389
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit tcp any any eq 10000
    access-list 101 permit gre any any
    access-list 101 deny ip any any
    access-list 102 remark Traffic allowed to enter router from Ethernet
    access-list 102 permit ip any any
    access-list 105 remark Traffic to NAT
    access-list 105 deny ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
    access-list 105 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
    access-list 105 permit ip 192.168.16.0 0.0.0.255 any
    access-list 105 permit ip 192.168.17.0 0.0.0.255 any
    access-list 106 remark User to Site VPN clients
    access-list 106 permit ip 192.168.16.0 0.0.0.255 any
    access-list 106 permit ip 192.168.17.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    stopbits 1
    line vty 0 4
    access-class 2 in
    exec-timeout 120 0
    length 0
    !
    scheduler max-task-time 5000
    !
    end

If there's any screw-ups I've made (things that are in that should be
out and vice versa) I'd be more than happy to have them pointed out!

    -- Christian
     
    Christian Hewitt, Apr 29, 2005

Tony Clifton (Guest)

    Hello,

I think the first part of the problem is NAT-related.

    If you try to remove this line:

    no ip nat inside source static tcp 192.168.16.250 80 interface Dialer1 80

Then can you connect to 192.168.16.250:80 from the VPN client?

    But I don't know why you can't connect to the laptop. Can you ping it?

    Regards,

    /TC
     
    Tony Clifton, Apr 30, 2005
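The NAT interaction Tony points at, modelled as an added illustration (not code from the thread or from Cisco): on IOS, inside-to-outside traffic is NAT-translated before the crypto map is consulted, and a static port translation applies regardless of the deny lines in access-list 105, so a reply from 192.168.16.250:80 to a VPN client is rewritten to Dialer1's address and then no longer matches crypto ACL 106, while the SMB reply (no static entry) stays untranslated and is encrypted. The public address and the PAT port are constructed placeholders; the 192.168.16.10 case the reply leaves open is not modelled.

```python
import ipaddress
from dataclasses import dataclass, replace

# Constructed placeholder for the address Dialer1 negotiates; not from the thread.
DIALER1_IP = "203.0.113.5"
LAN = ipaddress.ip_network("192.168.16.0/24")   # Ethernet0 side
VPN = ipaddress.ip_network("192.168.17.0/24")   # ip local pool vpnpool

# ip nat inside source static tcp 192.168.16.250 <port> interface Dialer1 <port>
STATIC_NAT_SOURCES = {("192.168.16.250", 3389), ("192.168.16.250", 80), ("192.168.16.250", 1723)}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def _addr(a):
    return ipaddress.ip_address(a)


def acl105_permits(p):
    """access-list 105: the two deny lines exempt LAN<->VPN traffic from overload NAT."""
    s, d = _addr(p.src), _addr(p.dst)
    if (s in LAN and d in VPN) or (s in VPN and d in LAN):
        return False
    return s in LAN or s in VPN


def nat_inside_to_outside(p):
    """Static translations are applied unconditionally; only the overload rule consults ACL 105."""
    if (p.src, p.sport) in STATIC_NAT_SOURCES:
        return replace(p, src=DIALER1_IP)
    if acl105_permits(p):
        return replace(p, src=DIALER1_IP, sport=40000)  # PAT; ephemeral port is constructed
    return p


def acl106_matches(p):
    """Crypto ACL 106: permit ip 192.168.16.0/24 any, permit ip 192.168.17.0/24 any."""
    return _addr(p.src) in LAN or _addr(p.src) in VPN


def egress_dialer1(p):
    """Inside->outside order on IOS: NAT first, then the crypto map sees the translated packet.
    Returns (packet as it leaves Dialer1, whether it is IPsec-protected)."""
    translated = nat_inside_to_outside(p)
    return translated, acl106_matches(translated)


if __name__ == "__main__":
    for sport in (445, 80):  # SMB reply vs. web reply from 192.168.16.250 to a VPN client
        print(sport, egress_dialer1(Packet("192.168.16.250", sport, "192.168.17.3", 51000)))
```

Removing the static entry for port 80, as the reply suggests, makes the web reply take the same path as the SMB reply in this model.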
