help vpn

  • help vpn

    Can anyone help me to set up a VPN correctly?
    I use a Cisco VPN client on my home PC. In my office, instead, I have a Cisco 837 that I configured to set up a VPN.
    The tunnel comes up correctly and my home PC receives an IP address from the local pool configured on the 837, but I cannot ping the LAN PC behind the 837... why??
    This is my conf:
    Thx in advance!!!



    Building configuration...

    Current configuration : 4722 bytes
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname cisco-vpn
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$VAeI$mTduUojniuH.Xx5usgf57e
    !
    aaa new-model
    !
    !
    aaa authentication login LISTA-UTENTI-VPN local
    aaa authorization network GRUPPO-UTENTI-VPN local
    aaa session-id common
    !
    resource manager
    !
    ip subnet-zero
    no ip gratuitous-arps
    !
    !
    no ip dhcp use vrf connected
    !
    ip dhcp pool miopool
    import all
    network 10.100.100.0 255.255.255.0
    default-router 10.100.100.1
    dns-server 151.11.99.3
    !
    !
    ip dhcp update dns both
    ip cef
    ip name-server 151.11.99.3
    ip ddns update method DynDNS
    HTTP
    add http://mariox79:[email protected]@dyndns.org/nic/update^Vsystem=dyndns&hostname=xc0mvpn.dyndns.org& myip=&wildcard=OFF
    interval maximum 1 0 0 0
    !
    ip dhcp-client update dns server both
    !
    no ftp-server write-enable
    !
    !
    username mario password 0 miapwd
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 5
    !
    crypto isakmp policy 20
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
    !
    crypto isakmp client configuration group mariovpn
    key mariopass
    pool VPN-CLIENT-POOL
    acl 106
    !
    !
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
    !
    crypto ipsec profile CRYPTO-VPN
    !
    !
    crypto dynamic-map VPNDYNAMIC 1
    set transform-set myset
    reverse-route
    !
    !
    crypto map CRYPTO-VPN client authentication list LISTA-UTENTI-VPN
    crypto map CRYPTO-VPN isakmp authorization list GRUPPO-UTENTI-VPN
    crypto map CRYPTO-VPN client configuration address respond
    crypto map CRYPTO-VPN 1 ipsec-isakmp dynamic VPNDYNAMIC
    !
    !
    !
    interface Ethernet0
    ip address 10.100.100.220 255.255.255.0
    ip access-group 105 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    no ip mroute-cache
    crypto map CRYPTO-VPN
    hold-queue 100 out
    !
    interface Ethernet2
    no ip address
    shutdown
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Dialer0
    ip ddns update hostname marioxx.dyndns.org
    ip ddns update DynDNS host members.dyndns.org
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip mroute-cache
    dialer pool 1
    no fair-queue
    ppp chap hostname TELECOM
    ppp chap password 0 pippo
    ppp pap sent-username TELECOM password 0 pippo
    crypto map CRYPTO-VPN
    !
    ip local pool VPN-CLIENT-POOL 10.100.100.28 10.100.100.30
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    no ip http secure-server
    !
    ip nat inside source list 125 interface Dialer0 overload
    !
    access-list 1 permit 10.100.100.0 0.0.0.255
    access-list 25 permit any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.0.0.255 any
    access-list 100 permit ip any any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 permit tcp any any eq 7954
    access-list 101 permit udp any any eq 23580
    access-list 101 permit udp any any eq 4673
    access-list 101 permit udp any any eq isakmp log
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 101 deny ip 10.100.100.0 0.0.0.255 any
    access-list 101 permit tcp any any eq 6881
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 6882
    access-list 105 permit ip any any
    access-list 105 permit gre any any
    access-list 106 permit ip 10.100.100.0 0.0.0.255 any
    access-list 111 permit ip 10.100.100.0 0.0.0.255 any
    access-list 125 permit ip 10.100.100.0 0.0.0.255 any
    no cdp run
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    transport preferred all
    transport output all
    line aux 0
    line vty 0 4
    password mar10
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    end

  • #2
    Re: help vpn

    Hi Mario,
    you say you cannot ping a PC on the protected LAN.

    - is this PC pingable from the 'inside'?

    And, can you check what IP you get from the VPN? (ipconfig /all if you are on Windows)

    I also see you've used part of your internal network as your address pool for the vpn. (10.100.100.28 10.100.100.30,
    from your config). As a quick start, it might be worthwhile changing this for something completely different, such as
    10.100.200.0/24. On occasion I've had to do this, as routing seems to fail sometimes when you use a portion of your
    internal net. (I haven't worked out why yet, but I think it's to do with gateways).

    cheers,

    theterranaut
    Last edited by theterranaut; 15th October 2006, 22:03.



    • #3
      Re: help vpn

      thx for your interest...
      Well:

      1. The home PC is not pingable from the "inside office LAN"
      2. My home PC correctly receives an IP address from the IP local pool: 10.100.100.28 - 10.100.100.30

      I will try to change the local pool from 10.100.100.28-10.100.100.30 to 10.100.200.1-10.100.200.10
      as you suggest.
      Tomorrow I'll tell you what happens...
      Thx for your interest!!!
      Mario



      • #4
        Re: help vpn

        Hi mariox79,

        I would find some service that is available from the inside network, like RDP. Enable terminal services (RDP) on the inside network. Take your remote VPN PC and put it on the inside network. Connect successfully with terminal services to the inside PC. Once you can do that, move that PC to the Internet and connect with VPN. Can you do the same terminal services connection that was successful on the inside? If not, check the IPCONFIG and the routing table on the router. Does it have both networks? Can it ping both the vpn device and the inside PC?

        I hope the username & password combination you posted below is not real. If so, I would change it.

        Also, check the checkbox in the advanced windows networking settings that says "use default gateway on remote network" for the vpn adaptor. This is what will allow you to connect to both the Internet and the home network at the same time. By default, this box is usually checked and you can only connect to the VPN network when connected to VPN (no Internet communications).

        Just some thoughts... Let us know how it goes.

        Thanks for the post!
        David
        David Davis - Petri Forums Moderator & Video Training Author
        Train Signal - The Global Leader in IT Video Training
        TrainSignalTraining.com - Free IT Training Products
        Personal Websites: HappyRouter.com & VMwareVideos.com



        • #5
          Re: help vpn

          Hi davis!
          Thx for your interest...
          Well:
          1. I'm able to connect via remote desktop from the LAN PC to the home PC and from the home PC to the LAN PC.
          2. Obviously the user and pwd in the conf are not the real ones.
          3. I'm not able to find the option "use default gateway on remote network" (I'm using XP and I think that option is present on win9).
          4. I found a simpler conf on the Cisco site to create a client-to-site VPN, but it is still not working:


          cisco-vpn#sh run
          Building configuration...

          Current configuration : 3574 bytes
          !
          version 12.3
          no service pad
          service timestamps debug datetime msec
          service timestamps log datetime msec
          no service password-encryption
          !
          hostname cisco-vpn
          !
          boot-start-marker
          boot-end-marker
          !
          enable secret 5 $1$VAeI$mTduUojgfdgdfgdfgg
          !
          aaa new-model
          !
          !
          aaa authentication login LISTA-UTENTI-VPN local
          aaa authorization network GRUPPO-UTENTI-VPN local
          aaa session-id common
          !
          resource manager
          !
          ip subnet-zero
          no ip gratuitous-arps
          !
          !
          !
          !
          ip dhcp update dns both
          no ip cef
          ip name-server 151.54.66.1
          ip name-server 10.100.100.3
          ip ddns update method DynDNS
          HTTP
          add http://mariox79:[email protected]@dyndns.org/nic/update^Vsystem=dyndns&hostname=myvpn.dyndns.org&my ip=&wildcard=OFF
          interval maximum 1 0 0 0
          !
          ip dhcp-client update dns server both
          !
          no ftp-server write-enable
          !
          !
          username myuser password 0 mypass
          !
          !
          !
          crypto isakmp policy 10
          encr 3des
          authentication pre-share
          group 2
          crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
          !
          crypto isakmp client configuration group xc0mvpn
          key pluto
          dns 10.100.100.3
          wins 10.100.100.3
          domain pluto.local
          pool VPN-CLIENT-POOL
          !
          !
          crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
          !
          crypto ipsec profile CRYPTO-VPN
          !
          !
          crypto dynamic-map VPNDYNAMIC 1
          set transform-set myset1
          reverse-route
          !
          !
          crypto map CRYPTO-VPN client authentication list LISTA-UTENTI-VPN
          crypto map CRYPTO-VPN isakmp authorization list GRUPPO-UTENTI-VPN
          crypto map CRYPTO-VPN client configuration address respond
          crypto map CRYPTO-VPN 1 ipsec-isakmp dynamic VPNDYNAMIC
          !
          !
          !
          interface Ethernet0
          ip address 10.100.100.220 255.255.255.0
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          ip nat inside
          ip virtual-reassembly
          no ip mroute-cache
          !
          interface Ethernet2
          no ip address
          shutdown
          hold-queue 100 out
          !
          interface ATM0
          no ip address
          no ip mroute-cache
          no atm ilmi-keepalive
          dsl operating-mode auto
          pvc 8/35
          encapsulation aal5mux ppp dialer
          dialer pool-member 1
          !
          !
          interface FastEthernet1
          no ip address
          duplex auto
          speed auto
          !
          interface FastEthernet2
          no ip address
          shutdown
          duplex auto
          speed auto
          !
          interface FastEthernet3
          no ip address
          shutdown
          duplex auto
          speed auto
          !
          interface FastEthernet4
          no ip address
          shutdown
          duplex auto
          speed auto
          !
          interface Dialer0
          ip ddns update hostname xc0mvpn.dyndns.org
          ip ddns update DynDNS host members.dyndns.org
          ip address negotiated
          no ip redirects
          no ip unreachables
          no ip proxy-arp
          ip nat outside
          ip virtual-reassembly
          encapsulation ppp
          ip policy route-map VPN-client
          no ip mroute-cache
          dialer pool 1
          no fair-queue
          ppp chap hostname fff
          ppp chap password 0 ggg
          ppp pap sent-username fff password 0 ggg
          crypto map CRYPTO-VPN
          !
          ip local pool VPN-CLIENT-POOL 10.100.200.1 10.100.200.10
          ip classless
          ip route 0.0.0.0 0.0.0.0 Dialer0
          !
          ip http server
          no ip http secure-server
          !
          ip nat inside source list 125 interface Dialer0 overload
          !
          access-list 1 permit 10.100.100.0 0.0.0.255
          access-list 1 permit 10.100.0.0 0.0.255.255
          access-list 102 permit tcp any any
          access-list 125 permit ip any any
          access-list 144 permit ip 10.100.200.0 0.0.0.255 any
          dialer-list 1 protocol ip permit
          no cdp run
          !
          route-map VPN-client permit 10
          match ip address 144
          set interface Ethernet0
          !
          !
          control-plane
          !
          !
          line con 0
          no modem enable
          transport preferred all
          transport output all
          line aux 0
          line vty 0 4
          password mar10
          transport preferred all
          transport input all
          transport output all
          !
          scheduler max-task-time 5000
          end



          • #6
            Re: help vpn

            Interesting news...
            Now from my home PC I can ping 10.100.100.220 (the Ethernet interface of the office router) but I can't telnet to it (from the office LAN I can telnet to 10.100.100.220).
            And from my home PC I can't access the web resources of my office.
            Is it an access-list problem??



            • #7
              Re: help vpn

              Hi mariox79,

              I was going to tell you to remove the ACLs and try it then, but I don't see any ACLs applied with an ip access-group statement anywhere in the config. In that case, it can't be an ACL restricting traffic.

              Once you are connected, please do an IPCONFIG /ALL on your remote VPN PC and your home resource you are trying to access. Then do a show ip route on the router. Copy and paste all that and post it up here. I suspect you have some kind of routing issue.

              The "use default gateway on remote host" would only be used on the Microsoft VPN client connection. It is in Win XP; I attached some screenshots from my system. However, I don't think this is the issue. What VPN client are you using on the remote VPN PC?

              Also, I should point out that ICMP is NOT considered IP. So, just because your ACL says permit ip any any, that doesn't permit any ICMP (ping) traffic.

              Take a look-
              Router(config)#access-list 101 per ?
              <0-255> An IP protocol number
              ahp Authentication Header Protocol
              eigrp Cisco's EIGRP routing protocol
              esp Encapsulation Security Payload
              gre Cisco's GRE tunneling
              icmp Internet Control Message Protocol
              igmp Internet Gateway Message Protocol
              ip Any Internet Protocol
              ipinip IP in IP tunneling
              nos KA9Q NOS compatible IP over IP tunneling
              ospf OSPF routing protocol
              pcp Payload Compression Protocol
              pim Protocol Independent Multicast
              tcp Transmission Control Protocol
              udp User Datagram Protocol

              Router(config)#access-list 101 per icmp
              Attached Files
              David Davis - Petri Forums Moderator & Video Training Author



              • #8
                Re: help vpn

                Hi davis,
                thx very much for your kindness and patience.

                I post the new sh run + sh ip route + ipconfig/all from my home pc:

                SHOW RUN:

                cisco-vpn#sh run
                Building configuration...

                Current configuration : 3954 bytes
                !
                version 12.3
                no service pad
                service timestamps debug datetime msec
                service timestamps log datetime msec
                no service password-encryption
                !
                hostname cisco-vpn
                !
                boot-start-marker
                boot-end-marker
                !
                enable secret 5 $1$VAeI$mTduUojniuH.X09olpsYGTm0
                !
                aaa new-model
                !
                !
                aaa authentication login LISTA-UTENTI-VPN local
                aaa authorization network GRUPPO-UTENTI-VPN local
                aaa session-id common
                !
                resource manager
                !
                ip subnet-zero
                no ip gratuitous-arps
                !
                !
                no ip dhcp use vrf connected
                ip dhcp excluded-address 10.100.100.220
                !
                ip dhcp pool home
                import all
                network 10.100.100.0 255.255.255.0
                default-router 10.100.100.220
                dns-server 81.114.147.36
                !
                !
                ip dhcp update dns both
                ip cef
                ip name-server 10.100.100.3
                ip name-server 81.114.147.36
                ip name-server 151.99.125.1
                ip ddns update method DynDNS
                HTTP
                add http://mariox79[email protected]@dyndns.org/nic/update^Vsystem=dyndns&hostname=mario.dyndns.org&my ip=&wildcard=OFF
                interval maximum 1 0 0 0
                !
                ip dhcp-client update dns server both
                !
                no ftp-server write-enable
                !
                !
                username mario password 0 miapwd
                !
                !
                !
                crypto isakmp policy 10
                encr 3des
                authentication pre-share
                group 2
                crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
                !
                crypto isakmp client configuration group mariovpn
                key ciccio
                dns 10.100.100.3
                wins 10.100.100.3
                domain mario.local
                pool VPN-CLIENT-POOL
                acl 101
                netmask 255.255.255.0
                !
                !
                crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
                !
                crypto dynamic-map VPNDYNAMIC 1
                set transform-set myset1
                reverse-route
                !
                !
                crypto map CRYPTO-VPN client authentication list LISTA-UTENTI-VPN
                crypto map CRYPTO-VPN isakmp authorization list GRUPPO-UTENTI-VPN
                crypto map CRYPTO-VPN client configuration address respond
                crypto map CRYPTO-VPN 1 ipsec-isakmp dynamic VPNDYNAMIC
                !
                !
                !
                interface Ethernet0
                ip address 10.100.100.220 255.255.255.0
                no ip unreachables
                ip nat inside
                ip virtual-reassembly
                no ip mroute-cache
                crypto map CRYPTO-VPN
                !
                interface Ethernet2
                no ip address
                shutdown
                hold-queue 100 out
                !
                interface ATM0
                no ip address
                no ip mroute-cache
                no atm ilmi-keepalive
                dsl operating-mode auto
                pvc 8/35
                encapsulation aal5mux ppp dialer
                dialer pool-member 1
                !
                !
                interface FastEthernet1
                no ip address
                duplex auto
                speed auto
                !
                interface FastEthernet2
                no ip address
                shutdown
                duplex auto
                speed auto
                !
                interface FastEthernet3
                no ip address
                shutdown
                duplex auto
                speed auto
                !
                interface FastEthernet4
                no ip address
                duplex auto
                speed auto
                !
                interface Dialer0
                ip ddns update hostname xc0mvpn.dyndns.org
                ip ddns update DynDNS host members.dyndns.org
                ip address negotiated
                no ip redirects
                no ip unreachables
                no ip proxy-arp
                ip nat outside
                ip virtual-reassembly
                encapsulation ppp
                ip policy route-map VPN-client
                no ip mroute-cache
                dialer pool 1
                no fair-queue
                ppp chap hostname user
                ppp chap password 0 pwd
                ppp pap sent-username user password 0 pwd
                crypto map CRYPTO-VPN
                !
                ip local pool VPN-CLIENT-POOL 10.100.200.1 10.100.200.10
                ip classless
                ip route 0.0.0.0 0.0.0.0 Dialer0
                !
                ip http server
                no ip http secure-server
                !
                ip nat inside source list 125 interface Dialer0 overload
                ip nat inside source static tcp 10.100.100.205 80 interface Ethernet0 80
                !
                access-list 1 permit 10.100.100.0 0.0.0.255
                access-list 1 permit 10.100.200.0 0.0.0.255
                access-list 1 permit 10.100.0.0 0.0.255.255
                access-list 101 permit ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255
                access-list 125 deny ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255
                access-list 125 permit ip 10.100.100.0 0.0.0.255 any
                access-list 144 permit ip 10.100.200.0 0.0.0.255 any
                dialer-list 1 protocol ip permit
                no cdp run
                !
                route-map VPN-client permit 10
                match ip address 144
                set interface Ethernet0
                !
                !
                control-plane
                !
                !
                line con 0
                no modem enable
                transport preferred all
                transport output all
                line aux 0
                line vty 0 4
                password mar10
                transport preferred all
                transport input all
                transport output all
                !
                scheduler max-task-time 5000
                end
                ##########################################
                The ACLs are:
                - 1 for ADSL
                - 101 for the VPN pool
                - 125 for NAT
                - 144 for the route-map that redirects traffic toward eth0.
                ###########################################

                SHOW IP ROUTE

                Gateway of last resort is 0.0.0.0 to network 0.0.0.0

                82.0.0.0/32 is subnetted, 1 subnets
                C 82.39.112.179 is directly connected, Dialer0
                10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
                C 10.100.100.0/24 is directly connected, Ethernet0
                S 10.100.200.10/32 [1/0] via 87.6.153.166
                192.168.100.0/32 is subnetted, 1 subnets
                C 192.168.100.1 is directly connected, Dialer0
                S* 0.0.0.0/0 is directly connected, Dialer0


                ##########################################

                IPCONFIG / ALL from my pc:



                ###########################################
                Attached Files

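Two of the changes that emerge across this thread can be checked mechanically: post #2's advice not to carve the VPN client pool out of the inside LAN, and the `access-list 125 deny ...` line in the config above, which keeps LAN-to-VPN-client traffic out of the overload NAT. The Python script below is an added example written for this page, not code from the thread or from Cisco. It parses a trimmed IOS running-config; the two sample configs embedded in it are constructed to mirror the first posted config and the one in this post, and `parse_config`, `pool_overlaps_lan` and `vpn_traffic_natted` are the example's own names.

```python
"""Added example (not from the thread): audit a Cisco IOS remote-access VPN
config for two problems raised here: a client pool overlapping the inside
LAN (post #2) and an overload-NAT ACL without a LAN-to-VPN exemption (post #8).
Both sample configs are constructed, modelled on the posted ones."""
import ipaddress

CONFIG_POST1 = """\
interface Ethernet0
 ip address 10.100.100.220 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
ip local pool VPN-CLIENT-POOL 10.100.100.28 10.100.100.30
ip nat inside source list 125 interface Dialer0 overload
access-list 125 permit ip 10.100.100.0 0.0.0.255 any
"""

CONFIG_POST8 = """\
interface Ethernet0
 ip address 10.100.100.220 255.255.255.0
 ip nat inside
interface Dialer0
 ip address negotiated
 ip nat outside
ip local pool VPN-CLIENT-POOL 10.100.200.1 10.100.200.10
ip nat inside source list 125 interface Dialer0 overload
access-list 125 deny ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255
access-list 125 permit ip 10.100.100.0 0.0.0.255 any
"""

def _acl_addr(tokens, i):
    """Parse one ACL address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[i + 1])))
    return ipaddress.IPv4Network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def parse_config(text):
    """Collect 'ip nat inside' interface subnets, local pools, the NAT ACL
    number and the entries of numbered 'ip' ACLs from a running-config."""
    cfg = {"inside_nets": [], "pools": [], "nat_acl": None, "acls": {}}
    net, inside = None, False          # state of the interface block being read
    for line in text.splitlines() + ["end"]:   # sentinel flushes the last block
        t = line.split()
        if not t:
            continue
        if not line.startswith(" "):   # any top-level line closes the block
            if net is not None and inside:
                cfg["inside_nets"].append(net)
            net, inside = None, False
        if t[:2] == ["ip", "address"] and len(t) == 4:
            net = ipaddress.IPv4Network(f"{t[2]}/{t[3]}", strict=False)
        elif t == ["ip", "nat", "inside"]:
            inside = True
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"].append((t[3], ipaddress.IPv4Address(t[4]),
                                 ipaddress.IPv4Address(t[5])))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = t[5]
        elif t[0] == "access-list" and t[2] in ("permit", "deny") and t[3] == "ip":
            src, i = _acl_addr(t, 4)
            dst, _ = _acl_addr(t, i)
            cfg["acls"].setdefault(t[1], []).append((t[2], src, dst))
    return cfg

def pool_overlaps_lan(cfg):
    """Post #2's warning: pools whose range lies inside an inside-LAN subnet."""
    return [(name, str(lan)) for name, first, last in cfg["pools"]
            for lan in cfg["inside_nets"] if first in lan or last in lan]

def _first_match(entries, src, dst):
    """Action of the first entry matching a src->dst packet; IOS ends every
    ACL with an implicit deny, which for a NAT ACL means 'do not translate'."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def vpn_traffic_natted(cfg):
    """Post #8's fix: True if a LAN host's packet to a VPN client would hit a
    'permit' in the NAT ACL and so be translated to the Dialer0 address."""
    entries = cfg["acls"].get(cfg["nat_acl"], [])
    return {name: any(_first_match(entries, lan[1], first) == "permit"
                      for lan in cfg["inside_nets"])
            for name, first, _last in cfg["pools"]}

if __name__ == "__main__":
    for label, text in (("post #1", CONFIG_POST1), ("post #8", CONFIG_POST8)):
        cfg = parse_config(text)
        print(label, "pool overlaps LAN:", pool_overlaps_lan(cfg),
              "| LAN->VPN traffic NATted:", vpn_traffic_natted(cfg))
```

Run against the first sample the audit reports the pool inside 10.100.100.0/24 and LAN-to-client traffic hitting the NAT `permit`; against the second it reports neither. The NAT check matters because on the inside-to-outside path IOS translates before it encrypts: a LAN reply to a VPN client that matches the overload `permit` leaves with the Dialer0 address as its source and no longer matches the IPsec SA for the client, so the `deny` entry placed before the `permit` is what keeps that traffic inside the tunnel.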


                • #9
                  Re: help vpn

                  Hi davis... I have some news:
                  Behind the 837 router I have:
                  1 internal PC (test PC) with IP: 10.100.100.194
                  1 Router 2600 (fa0/0 = 10.100.100.1)
                  and behind this 2600 various PCs + a web server and a DNS server.
                  Now...
                  from my home PC I can ping the test PC (10.100.100.194) and from the test PC I can ping my home PC when the VPN is on. Perfect.
                  I cannot ping the router 2600 (10.100.100.1) from my home PC, nor the DNS or web server. Is it a NAT problem? How can I resolve it??
                  Thx for your great interest

