2811 VPN Configuration help

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • 2811 VPN Configuration help

    I have a 2811 router running as a VPN server for remote client access and running a site-to-site VPN with another company.

    The remote site location is not under our control. The goal is to allow the VPN users access to a node on the other end of the site-to-site VPN. As it is right now, only users that are locally connected to the router's inside interface through a switch (172.16.6.0) can connect to the remote node (10.200.1.2). The VPN users that are grabbing an IP from the VPN pool (172.16.100.0) are not able to ping the remote host. The other site is stating they have updated their firewall to allow connections from our VPN Pool.

    Is there something special we need to do in order to make sure traffic to the remote node (10.200.1.2) from the VPN pool works on our end?

    Here is our config.

    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname kamma
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096
    enable secret 5 $$$$$$$$$$$$$$$$$$$$$$$
    !
    aaa new-model
    aaa local authentication attempts max-fail 5
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    !
    aaa session-id common
    no ip source-route
    ip tcp synwait-time 15
    !
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp bootp ignore

    !
    ip dhcp pool DHCPSERVER
    network 172.16.6.0 255.255.255.0
    dns-server 216.183.32.6 216.183.32.7
    default-router 172.16.6.1
    !
    !
    ip domain name yourdomain.com
    ip name-server 216.183.32.6
    ip name-server 216.183.32.7
    !
    multilink bundle-name authenticated

    !
    crypto pki trustpoint TP-self-signed-351923016
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-351923016
    revocation-check none
    rsakeypair TP-self-signed-351923016
    !
    !
    crypto pki certificate chain TP-self-signed-351923016
    certificate self-signed 01
    quit
    !
    !
    username tlsn privilege 15 secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    username tcalvin privilege 15 secret 5 $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
    !
    !
    class-map type inspect match-any SDM_SSH
    match access-group name SDM_SSH
    class-map type inspect match-any SDM_HTTPS
    match access-group name SDM_HTTPS
    class-map type inspect match-any SDM_SHELL
    match access-group name SDM_SHELL
    class-map type inspect edonkey match-any sdm-app-edonkey
    match file-transfer
    match text-chat
    match search-file-name
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    hash md5
    authentication pre-share
    group 2
    !
    crypto isakmp policy 10
    hash md5
    authentication pre-share
    group 2
    !
    crypto isakmp policy 25
    encr 3des
    hash md5
    authentication pre-share
    crypto isakmp key %%%% address 222.222.222.222
    !
    crypto isakmp client configuration group ####
    key ####
    pool vpn_pool
    acl 155
    netmask 255.255.255.192
    !
    crypto isakmp client configuration group ^^^^
    key ^^^^
    pool learn_pool
    acl 165
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set office1-to-office2 esp-3des esp-md5-hmac
    !
    crypto dynamic-map dymap 10
    set transform-set ESP-3DES-SHA
    !
    !
    crypto map mymap isakmp authorization list sdm_vpn_group_ml_1
    crypto map mymap client configuration address respond
    crypto map mymap 20 ipsec-isakmp
    set peer 222.222.222.222
    set transform-set office1-to-office2
    match address 170
    crypto map mymap 65535 ipsec-isakmp dynamic dymap
    !
    !
    !
    !
    interface Tunnel1
    no ip address
    !
    interface FastEthernet0/0
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$FW_OUTSIDE$$ETH-LAN$
    ip address 172.16.6.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1300
    duplex auto
    speed auto
    no mop enabled
    !
    interface FastEthernet0/1
    description $ETH-WAN$$FW_INSIDE$
    ip address 77.77.77.254 255.255.255.192
    no ip unreachables
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no mop enabled
    crypto map mymap
    !
    interface Virtual-Template1 type tunnel
    no ip address
    tunnel mode ipsec ipv4
    !
    ip local pool vpn_pool 172.16.100.1 172.16.100.6
    ip local pool learn_pool 172.16.150.1 172.16.150.10
    ip route 0.0.0.0 0.0.0.0 77.77.77.253
    !
    ip flow-top-talkers
    top 5
    sort-by bytes
    !
    ip http server
    ip http access-class 50
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
    ip nat inside source static tcp 172.16.6.7 3389 77.77.77.254 3389 route-map SDM_RMAP_2 extendable
    !
    ip access-list extended SDM_HTTPS
    remark SDM_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark SDM_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark SDM_ACL Category=1
    permit tcp any any eq 22
    !
    logging trap debugging
    logging 88.88.88.88
    access-list 50 permit 172.16.100.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=2
    access-list 100 deny ip host 172.16.6.7 172.16.100.0 0.0.0.7
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.10
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.9
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.8
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.7
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.6
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.5
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.4
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.3
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.2
    access-list 100 deny ip host 172.16.6.7 host 172.16.150.1
    access-list 100 permit tcp host 172.16.6.7 eq 3389 any
    access-list 101 remark SDM_ACL Category=18
    access-list 101 deny ip any host 172.16.100.1
    access-list 101 deny ip any host 172.16.100.2
    access-list 101 deny ip any host 172.16.100.3
    access-list 101 deny ip any host 172.16.100.4
    access-list 101 deny ip any host 172.16.100.5
    access-list 101 deny ip any host 172.16.100.6
    access-list 101 deny ip any host 172.16.150.1
    access-list 101 deny ip any host 172.16.150.2
    access-list 101 deny ip any host 172.16.150.3
    access-list 101 deny ip any host 172.16.150.4
    access-list 101 deny ip any host 172.16.150.5
    access-list 101 deny ip any host 172.16.150.6
    access-list 101 deny ip any host 172.16.150.7
    access-list 101 deny ip any host 172.16.150.8
    access-list 101 deny ip any host 172.16.150.9
    access-list 101 deny ip any host 172.16.150.10
    access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.2
    access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.72
    access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.2
    access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.72
    access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.255
    access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.150.0 0.0.0.255
    access-list 101 deny tcp host 172.16.6.7 eq 3389 any
    access-list 101 permit ip 172.16.6.0 0.0.0.255 any
    access-list 155 permit ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.7

    access-list 165 permit ip 172.16.6.0 0.0.0.255 172.16.150.0 0.0.0.255
    access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.2
    access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.72
    access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.2
    access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.72
    !
    !
    route-map SDM_RMAP_1 permit 1
    description Disable NAT for VPN Clients
    match ip address 101
    !
    route-map SDM_RMAP_2 permit 1
    match ip address 100
    !
    !
    !
    control-plane
    !
    banner login ^C
    This system is restricted to authorized users for business purposes. Unauthorized
    access is a violation of the law. This service may be monitored for administrative
    and security reasons. By proceeding, you consent to this monitoring.
    ^C
    !
    line con 0
    exec-timeout 5 0
    logging synchronous
    line aux 0
    exec-timeout 0 0
    no exec
    transport output none
    line vty 0 4
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    line vty 5 15
    exec-timeout 5 0
    logging synchronous
    transport input ssh
    !
    scheduler allocate 20000 1000
    !
    end

    ****************************************************************
    The users on the vpn_pool can ping all nodes on the 172.16.6.0 network
    using a source address of the inside interface.

    The vpn_pool users cannot ping the 10.200.1.2 or the 10.200.1.72 nodes which are behind the Outside interface of 222.222.222.222 at the remote site.

    The remote site is suggesting it is a problem on our end.

    Any help would be greatly appreciated.
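As an added example (not part of the original post, and not Cisco code), the script below parses the numbered ACL lines from the posted config that decide a VPN-client flow and reports, for a given client address and target, what each of the three relevant ACLs does with it: ACL 101 (referenced by route-map SDM_RMAP_1, where a "deny" means the packet is exempt from NAT), ACL 170 (the crypto map's match address for the site-to-site tunnel) and ACL 155 (the split-tunnel list pushed to the vpn_pool clients, whose source side lists the networks the client is told to send through its tunnel). The ACL text embedded in the script is a constructed subset of the posted lines (the per-host deny lines of ACL 101 that cannot match these flows are left out); the function names and the report keys are my own. Running it for 172.16.100.3 -> 10.200.1.2 shows that NAT exemption and the crypto ACL both match, while ACL 155 covers only 172.16.6.0/24, which is worth checking on the client side before looking further at the site-to-site leg.

```python
"""Evaluate the NAT-exemption, crypto and split-tunnel ACLs from the posted
2811 config for a client flow. Added example; not from the original post."""
import ipaddress
from typing import Dict, List, Tuple

# A wildcard-mask spec: (base address, wildcard bits); a set wildcard bit means "don't care".
Spec = Tuple[int, int]
Entry = Tuple[str, Spec, Spec]  # (action, source spec, destination spec)

# Constructed input: a subset of the access-list lines from the posted config.
ACL_TEXT = """
access-list 101 deny ip any host 172.16.100.1
access-list 101 deny ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 101 deny ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 101 deny ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.255
access-list 101 permit ip 172.16.6.0 0.0.0.255 any
access-list 155 permit ip 172.16.6.0 0.0.0.255 172.16.100.0 0.0.0.7
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.2
access-list 170 permit ip 172.16.100.0 0.0.0.7 host 10.200.1.72
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.2
access-list 170 permit ip 172.16.6.0 0.0.0.15 host 10.200.1.72
"""


def _ip(text: str) -> int:
    return int(ipaddress.IPv4Address(text))


def _parse_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' starting at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1          # every bit is don't-care
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2  # exact match, no don't-care bits
    return (_ip(tokens[i]), _ip(tokens[i + 1])), i + 2


def parse_acls(text: str) -> Dict[int, List[Entry]]:
    """Parse numbered IOS 'access-list N permit|deny ip SRC DST' lines, in order."""
    acls: Dict[int, List[Entry]] = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] != "ip":
            raise ValueError(f"only 'ip' entries are handled here: {line}")
        src, i = _parse_spec(t, 4)
        dst, _ = _parse_spec(t, i)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls


def _matches(spec: Spec, addr: int) -> bool:
    base, wild = spec
    return ((addr ^ base) & ~wild) == 0  # differing bits are only allowed where the wildcard is set


def acl_result(entries: List[Entry], src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, sspec, dspec in entries:
        if _matches(sspec, s) and _matches(dspec, d):
            return action
    return "deny"


def client_flow_report(acls: Dict[int, List[Entry]], client_ip: str, target_ip: str) -> Dict[str, bool]:
    return {
        # route-map SDM_RMAP_1 matches ACL 101: a 'deny' means the packet is NOT translated
        "nat_exempt": acl_result(acls[101], client_ip, target_ip) == "deny",
        # crypto map mymap 20 'match address 170' selects traffic for the site-to-site SA
        "crypto_match": acl_result(acls[170], client_ip, target_ip) == "permit",
        # split-tunnel ACL 155 lists protected networks as SOURCE and the pool as DESTINATION,
        # so it is evaluated with the target as source and the client as destination
        "pushed_to_client": acl_result(acls[155], target_ip, client_ip) == "permit",
    }


ACLS = parse_acls(ACL_TEXT)

if __name__ == "__main__":
    for client, target in [("172.16.100.3", "10.200.1.2"), ("172.16.100.3", "172.16.6.7")]:
        print(f"{client} -> {target}: {client_flow_report(ACLS, client, target)}")
```

The same `acl_result` helper can be pointed at any flow; for a LAN host such as 172.16.6.5 it shows the 0.0.0.15 wildcard in ACLs 101 and 170 covers only 172.16.6.0 through 172.16.6.15, and for the pool it shows the 0.0.0.7 wildcard stops at 172.16.100.7, which lines up with the posted vpn_pool range of .1 to .6.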