help vpn

This topic contains 8 replies, has 3 voices, and was last updated by mariox79 13 years, 5 months ago.

    mariox79 (Member), post #116662

    Can anyone help me to set up a VPN correctly?
    At home I use the Cisco VPN client on my PC. In my office I have a Cisco 837 that I configured to set up a VPN.
    The tunnel comes up correctly and my home PC receives an IP address from the local pool configured on the 837, but I cannot ping the LAN PC behind the 837… why??
    This is my conf:
    Thx in advance!!!

    Building configuration…

    Current configuration : 4722 bytes
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname cisco-vpn
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$VAeI$mTduUojniuH.Xx5usgf57e
    !
    aaa new-model
    !
    !
    aaa authentication login LISTA-UTENTI-VPN local
    aaa authorization network GRUPPO-UTENTI-VPN local
    aaa session-id common
    !
    resource manager
    !
    ip subnet-zero
    no ip gratuitous-arps
    !
    !
    no ip dhcp use vrf connected
    !
    ip dhcp pool miopool
    import all
    network 10.100.100.0 255.255.255.0
    default-router 10.100.100.1
    dns-server 151.11.99.3
    !
    !
    ip dhcp update dns both
    ip cef
    ip name-server 151.11.99.3
    ip ddns update method DynDNS
    HTTP
    add http://mariox79:[email protected]@dyndns.org/nic/update^Vsystem=dyndns&hostname=xc0mvpn.dyndns.org&myip=&wildcard=OFF
    interval maximum 1 0 0 0
    !
    ip dhcp-client update dns server both
    !
    no ftp-server write-enable
    !
    !
    username mario password 0 miapwd
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 5
    !
    crypto isakmp policy 20
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
    !
    crypto isakmp client configuration group mariovpn
    key mariopass
    pool VPN-CLIENT-POOL
    acl 106
    !
    !
    crypto ipsec transform-set myset esp-des esp-md5-hmac
    crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
    !
    crypto ipsec profile CRYPTO-VPN
    !
    !
    crypto dynamic-map VPNDYNAMIC 1
    set transform-set myset
    reverse-route
    !
    !
    crypto map CRYPTO-VPN client authentication list LISTA-UTENTI-VPN
    crypto map CRYPTO-VPN isakmp authorization list GRUPPO-UTENTI-VPN
    crypto map CRYPTO-VPN client configuration address respond
    crypto map CRYPTO-VPN 1 ipsec-isakmp dynamic VPNDYNAMIC
    !
    !
    !
    interface Ethernet0
    ip address 10.100.100.220 255.255.255.0
    ip access-group 105 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    no ip mroute-cache
    crypto map CRYPTO-VPN
    hold-queue 100 out
    !
    interface Ethernet2
    no ip address
    shutdown
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Dialer0
    ip ddns update hostname marioxx.dyndns.org
    ip ddns update DynDNS host members.dyndns.org
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip mroute-cache
    dialer pool 1
    no fair-queue
    ppp chap hostname TELECOM
    ppp chap password 0 pippo
    ppp pap sent-username TELECOM password 0 pippo
    crypto map CRYPTO-VPN
    !
    ip local pool VPN-CLIENT-POOL 10.100.100.28 10.100.100.30
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    no ip http secure-server
    !
    ip nat inside source list 125 interface Dialer0 overload
    !
    access-list 1 permit 10.100.100.0 0.0.0.255
    access-list 25 permit any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.0.0.255 any
    access-list 100 permit ip any any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 permit tcp any any eq 7954
    access-list 101 permit udp any any eq 23580
    access-list 101 permit udp any any eq 4673
    access-list 101 permit udp any any eq isakmp log
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 101 deny ip 10.100.100.0 0.0.0.255 any
    access-list 101 permit tcp any any eq 6881
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq 6882
    access-list 105 permit ip any any
    access-list 105 permit gre any any
    access-list 106 permit ip 10.100.100.0 0.0.0.255 any
    access-list 111 permit ip 10.100.100.0 0.0.0.255 any
    access-list 125 permit ip 10.100.100.0 0.0.0.255 any
    no cdp run
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    transport preferred all
    transport output all
    line aux 0
    line vty 0 4
    password mar10
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    end

    theterranaut (Member), post #285794

    Re: help vpn

    Hi Mario,
    you say you cannot ping a PC on the protected LAN.

    - is this PC pingable from the ‘inside’?

    And, can you check what IP you get from the VPN? (ipconfig /all if you are on Windows)

    I also see you’ve used part of your internal network as your address pool for the VPN (10.100.100.28 10.100.100.30,
    from your config). As a quick start, it might be worthwhile changing this for something completely different, such as
    10.100.200.0/24. On occasion I’ve had to do this, as routing seems to fail sometimes when you use a portion of your
    internal net. (I haven’t worked out why yet, but I think it’s to do with gateways).

    cheers,

    theterranaut

    mariox79 (Member), post #285939

    Re: help vpn

    Thx for your interest…
    Well:

    1. The home PC is not pingable from “inside the office LAN”
    2. My home PC correctly receives an IP address from the ip local pool: 10.100.100.28 – 10.100.100.30

    I will try to change the local pool from 10.100.100.28-10.100.100.30 to 10.100.200.1-10.100.200.10
    as you suggest.
    Tomorrow I’ll tell you what happens…
    Thx for your interest!!!
    Mario

    daviddavis (Member), post #263612

    Re: help vpn

    Hi mariox79,

    I would find some service that is available from the inside network, like RDP. Enable Terminal Services (RDP) on the inside network. Take your remote VPN PC and put it on the inside network. Connect successfully with Terminal Services to the inside PC. Once you can do that, move that PC to the Internet and connect with VPN. Can you do the same Terminal Services connection that was successful on the inside? If not, check the IPCONFIG and the routing table on the router. Does it have both networks? Can it ping both the VPN device and the inside PC?

    I hope the username & password combination you posted below is not real. If so, I would change it.

    Also, check the checkbox in the advanced windows networking settings that says “use default gateway on remote network” for the vpn adaptor. This is what will allow you to connect to both the Internet and the home network at the same time. By default, this box is usually checked and you can only connect to the VPN network when connected to VPN (no Internet communications).

    Just some thoughts… Let us know how it goes.

    Thanks for the post!
    David

    mariox79 (Member), post #285940

    Re: help vpn

    Hi davis!
    Thx for your interest…
    Well:
    1. I’m able to connect via Remote Desktop from a LAN PC to my home PC and from my home PC to a LAN PC.
    2. Obviously the user and password in the conf are not the real ones.
    3. I’m not able to find the option “use default gateway on remote network” (I’m using XP and I think that option is present on Win98).
    4. I found a simpler conf on the Cisco site to create a client-to-site VPN, but it is still not working:

    cisco-vpn#sh run
    Building configuration…

    Current configuration : 3574 bytes
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname cisco-vpn
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$VAeI$mTduUojgfdgdfgdfgg
    !
    aaa new-model
    !
    !
    aaa authentication login LISTA-UTENTI-VPN local
    aaa authorization network GRUPPO-UTENTI-VPN local
    aaa session-id common
    !
    resource manager
    !
    ip subnet-zero
    no ip gratuitous-arps
    !
    !
    !
    !
    ip dhcp update dns both
    no ip cef
    ip name-server 151.54.66.1
    ip name-server 10.100.100.3
    ip ddns update method DynDNS
    HTTP
    add http://mariox79:[email protected]@dyndns.org/nic/update^Vsystem=dyndns&hostname=myvpn.dyndns.org&myip=&wildcard=OFF
    interval maximum 1 0 0 0
    !
    ip dhcp-client update dns server both
    !
    no ftp-server write-enable
    !
    !
    username myuser password 0 mypass
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
    !
    crypto isakmp client configuration group xc0mvpn
    key pluto
    dns 10.100.100.3
    wins 10.100.100.3
    domain pluto.local
    pool VPN-CLIENT-POOL
    !
    !
    crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
    !
    crypto ipsec profile CRYPTO-VPN
    !
    !
    crypto dynamic-map VPNDYNAMIC 1
    set transform-set myset1
    reverse-route
    !
    !
    crypto map CRYPTO-VPN client authentication list LISTA-UTENTI-VPN
    crypto map CRYPTO-VPN isakmp authorization list GRUPPO-UTENTI-VPN
    crypto map CRYPTO-VPN client configuration address respond
    crypto map CRYPTO-VPN 1 ipsec-isakmp dynamic VPNDYNAMIC
    !
    !
    !
    interface Ethernet0
    ip address 10.100.100.220 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    no ip mroute-cache
    !
    interface Ethernet2
    no ip address
    shutdown
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface Dialer0
    ip ddns update hostname xc0mvpn.dyndns.org
    ip ddns update DynDNS host members.dyndns.org
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip policy route-map VPN-client
    no ip mroute-cache
    dialer pool 1
    no fair-queue
    ppp chap hostname fff
    ppp chap password 0 ggg
    ppp pap sent-username fff password 0 ggg
    crypto map CRYPTO-VPN
    !
    ip local pool VPN-CLIENT-POOL 10.100.200.1 10.100.200.10
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    no ip http secure-server
    !
    ip nat inside source list 125 interface Dialer0 overload
    !
    access-list 1 permit 10.100.100.0 0.0.0.255
    access-list 1 permit 10.100.0.0 0.0.255.255
    access-list 102 permit tcp any any
    access-list 125 permit ip any any
    access-list 144 permit ip 10.100.200.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map VPN-client permit 10
    match ip address 144
    set interface Ethernet0
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    transport preferred all
    transport output all
    line aux 0
    line vty 0 4
    password mar10
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    end

    mariox79 (Member), post #285941

    Re: help vpn

    Interesting news…
    Now from my home PC I can ping 10.100.100.220 (the Ethernet interface of the office router) but I can’t telnet to it (from the office LAN I can telnet to 10.100.100.220).
    And from my home PC I can’t access the web resources of my office.
    Is it an access-list problem??

    daviddavis (Member), post #263623

    Re: help vpn

    Hi mariox79,

    I was going to tell you to remove the ACLs and try it then, but I don’t see any ACLs applied with an ip access-group statement anywhere in the config. In that case, it can’t be an ACL restricting traffic.

    Once you are connected, please do an IPCONFIG /ALL on your remote VPN PC and your home resource you are trying to access. Then do a show ip route on the router. Copy and paste all that and post it up here. I suspect you have some kind of routing issue.

    The “use default gateway on remote host” would only be used on the Microsoft VPN client connection. It is in Win XP; I attached some screenshots from my system. However, I don’t think this is the issue. What VPN client are you using on the remote VPN PC?

    Also, I should point out that ICMP is NOT considered IP. So, just because your ACL says permit ip any any, that doesn’t permit any ICMP (ping) traffic.

    Take a look-
    Router(config)#access-list 101 per ?
    <0-255> An IP protocol number
    ahp Authentication Header Protocol
    eigrp Cisco’s EIGRP routing protocol
    esp Encapsulation Security Payload
    gre Cisco’s GRE tunneling
    icmp Internet Control Message Protocol
    igmp Internet Gateway Message Protocol
    ip Any Internet Protocol
    ipinip IP in IP tunneling
    nos KA9Q NOS compatible IP over IP tunneling
    ospf OSPF routing protocol
    pcp Payload Compression Protocol
    pim Protocol Independent Multicast
    tcp Transmission Control Protocol
    udp User Datagram Protocol

    Router(config)#access-list 101 per icmp
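David's check of which access-lists are actually applied, and where, can be done mechanically on a running-config. The Python script below is an added example and is not code from the thread or from Cisco. It takes a constructed excerpt of the config posted in post #285940 (indented the way IOS prints blocks, unlike the flattened paste above), lists every numbered access-list, and reports whether each one filters an interface (ip access-group), serves another role (NAT source list, split-tunnel acl, route-map match), or is defined but never referenced. SAMPLE_CONFIG and the REFERENCE_PATTERNS table are my own assumptions about the config shape.

```python
"""Cross-reference the ACLs defined in a Cisco IOS running-config against the
places that apply them. Added example, not part of the forum thread."""
import re
from collections import defaultdict

# Constructed excerpt of the second config posted in the thread: several ACLs
# are defined, but none is applied with "ip access-group" on an interface.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.100.100.220 255.255.255.0
 ip nat inside
interface Dialer0
 ip nat outside
 ip policy route-map VPN-client
 crypto map CRYPTO-VPN
ip nat inside source list 125 interface Dialer0 overload
access-list 1 permit 10.100.100.0 0.0.0.255
access-list 102 permit tcp any any
access-list 125 permit ip any any
access-list 144 permit ip 10.100.200.0 0.0.0.255 any
route-map VPN-client permit 10
 match ip address 144
 set interface Ethernet0
"""

# Each pattern captures the ACL number it references and names the role.
REFERENCE_PATTERNS = [
    (re.compile(r"^\s*ip access-group (\S+) (in|out)$"), "interface filter"),
    (re.compile(r"^\s*ip nat inside source list (\S+) "), "NAT translation list"),
    (re.compile(r"^\s*acl (\S+)$"), "split-tunnel acl"),
    (re.compile(r"^\s*match ip address (\S+)$"), "route-map match"),
]


def defined_acls(config):
    """Return {acl_id: [entry, ...]} for every numbered access-list line."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = re.match(r"^\s*access-list (\S+) (.+)$", line)
        if m:
            acls[m.group(1)].append(m.group(2))
    return dict(acls)


def acl_references(config):
    """Return {acl_id: [(role, context), ...]}. The context is the enclosing
    block (interface, route-map, crypto group): any line that does not start
    with whitespace opens a new block, as in IOS output."""
    refs = defaultdict(list)
    context = "(global)"
    for line in config.splitlines():
        if line and not line[0].isspace():
            context = line.strip()
        for pattern, role in REFERENCE_PATTERNS:
            m = pattern.match(line)
            if m:
                refs[m.group(1)].append((role, context))
    return dict(refs)


def audit(config):
    """Classify each defined ACL: interface filter, other use, or unused."""
    acls = defined_acls(config)
    refs = acl_references(config)
    report = {"interface_filters": [], "other_uses": {}, "unused": []}
    for acl_id in sorted(acls, key=lambda x: (len(x), x)):
        uses = refs.get(acl_id, [])
        if any(role == "interface filter" for role, _ in uses):
            report["interface_filters"].append(acl_id)
        elif uses:
            report["other_uses"][acl_id] = uses
        else:
            report["unused"].append(acl_id)
    return report


if __name__ == "__main__":
    for key, value in audit(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

On the constructed excerpt the report shows no interface filters at all, ACL 125 used only as the NAT translation list, ACL 144 used only by the route-map, and ACLs 1 and 102 defined but never referenced; that is the same conclusion David reaches by eye, and the same script run over the first config in the thread would instead report ACL 105 as an inbound filter on Ethernet0.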

    mariox79 (Member), post #285942

    Re: help vpn

    Hi davis,
    thx very much for your kindness and patience.

    I post the new sh run + sh ip route + ipconfig /all from my home PC:

    SHOW RUN:

    cisco-vpn#sh run
    Building configuration…

    Current configuration : 3954 bytes
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname cisco-vpn
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 $1$VAeI$mTduUojniuH.X09olpsYGTm0
    !
    aaa new-model
    !
    !
    aaa authentication login LISTA-UTENTI-VPN local
    aaa authorization network GRUPPO-UTENTI-VPN local
    aaa session-id common
    !
    resource manager
    !
    ip subnet-zero
    no ip gratuitous-arps
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.100.100.220
    !
    ip dhcp pool home
    import all
    network 10.100.100.0 255.255.255.0
    default-router 10.100.100.220
    dns-server 81.114.147.36
    !
    !
    ip dhcp update dns both
    ip cef
    ip name-server 10.100.100.3
    ip name-server 81.114.147.36
    ip name-server 151.99.125.1
    ip ddns update method DynDNS
    HTTP
    add http://mariox79:[email protected]@dyndns.org/nic/update^Vsystem=dyndns&hostname=mario.dyndns.org&myip=&wildcard=OFF
    interval maximum 1 0 0 0
    !
    ip dhcp-client update dns server both
    !
    no ftp-server write-enable
    !
    !
    username mario password 0 miapwd
    !
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local VPN-CLIENT-POOL
    !
    crypto isakmp client configuration group mariovpn
    key ciccio
    dns 10.100.100.3
    wins 10.100.100.3
    domain mario.local
    pool VPN-CLIENT-POOL
    acl 101
    netmask 255.255.255.0
    !
    !
    crypto ipsec transform-set myset1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map VPNDYNAMIC 1
    set transform-set myset1
    reverse-route
    !
    !
    crypto map CRYPTO-VPN client authentication list LISTA-UTENTI-VPN
    crypto map CRYPTO-VPN isakmp authorization list GRUPPO-UTENTI-VPN
    crypto map CRYPTO-VPN client configuration address respond
    crypto map CRYPTO-VPN 1 ipsec-isakmp dynamic VPNDYNAMIC
    !
    !
    !
    interface Ethernet0
    ip address 10.100.100.220 255.255.255.0
    no ip unreachables
    ip nat inside
    ip virtual-reassembly
    no ip mroute-cache
    crypto map CRYPTO-VPN
    !
    interface Ethernet2
    no ip address
    shutdown
    hold-queue 100 out
    !
    interface ATM0
    no ip address
    no ip mroute-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    pvc 8/35
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    !
    interface FastEthernet2
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet3
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet4
    no ip address
    duplex auto
    speed auto
    !
    interface Dialer0
    ip ddns update hostname xc0mvpn.dyndns.org
    ip ddns update DynDNS host members.dyndns.org
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    ip policy route-map VPN-client
    no ip mroute-cache
    dialer pool 1
    no fair-queue
    ppp chap hostname user
    ppp chap password 0 pwd
    ppp pap sent-username user password 0 pwd
    crypto map CRYPTO-VPN
    !
    ip local pool VPN-CLIENT-POOL 10.100.200.1 10.100.200.10
    ip classless
    ip route 0.0.0.0 0.0.0.0 Dialer0
    !
    ip http server
    no ip http secure-server
    !
    ip nat inside source list 125 interface Dialer0 overload
    ip nat inside source static tcp 10.100.100.205 80 interface Ethernet0 80
    !
    access-list 1 permit 10.100.100.0 0.0.0.255
    access-list 1 permit 10.100.200.0 0.0.0.255
    access-list 1 permit 10.100.0.0 0.0.255.255
    access-list 101 permit ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255
    access-list 125 deny ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255
    access-list 125 permit ip 10.100.100.0 0.0.0.255 any
    access-list 144 permit ip 10.100.200.0 0.0.0.255 any
    dialer-list 1 protocol ip permit
    no cdp run
    !
    route-map VPN-client permit 10
    match ip address 144
    set interface Ethernet0
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    transport preferred all
    transport output all
    line aux 0
    line vty 0 4
    password mar10
    transport preferred all
    transport input all
    transport output all
    !
    scheduler max-task-time 5000
    end
    ##########################################
    The ACLs are:
    – 1 for ADSL
    – 101 for the VPN pool
    – 125 for NAT
    – 144 for the route-map that redirects traffic toward eth0.
    ###########################################

    SHOW IP ROUTE

    Gateway of last resort is 0.0.0.0 to network 0.0.0.0

    82.0.0.0/32 is subnetted, 1 subnets
    C 82.39.112.179 is directly connected, Dialer0
    10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
    C 10.100.100.0/24 is directly connected, Ethernet0
    S 10.100.200.10/32 [1/0] via 87.6.153.166
    192.168.100.0/32 is subnetted, 1 subnets
    C 192.168.100.1 is directly connected, Dialer0
    S* 0.0.0.0/0 is directly connected, Dialer0

    ##########################################

    IPCONFIG /ALL from my PC:

    [screenshot attached: ipconfig /all output from the home PC]

    ###########################################
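The change to access-list 125 between the config in post #285940 (a single permit ip any any) and this one (a deny for LAN-to-pool traffic ahead of the permit) is what decides whether replies from the office LAN to a VPN client are NAT-translated toward Dialer0 or left untouched. The Python script below is an added example, not code from the thread or from Cisco: it evaluates a numbered IOS access-list the way the router does (entries in order, first match wins, implicit deny at the end, wildcard masks), and applies it to both versions of ACL 125 and to the split-tunnel ACL 101 above, using constructed source and destination addresses. The evaluator treats the ip keyword as matching every IP protocol, ICMP included, which is how IOS evaluates it; port qualifiers and the log keyword are deliberately not modelled.

```python
"""First-match evaluation of Cisco IOS numbered IP access-lists, applied to
the NAT and split-tunnel lists from the thread. Added example, not the
thread's own code; addresses in the calls below are constructed."""
import ipaddress

# ACL 125 as it appeared in the config posted in post #285940.
ACL_125_BEFORE = ["access-list 125 permit ip any any"]

# ACL 125 and the split-tunnel ACL 101 as they appear in post #285942.
ACL_125_AFTER = [
    "access-list 125 deny ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255",
    "access-list 125 permit ip 10.100.100.0 0.0.0.255 any",
]
ACL_101_SPLIT = ["access-list 101 permit ip 10.100.100.0 0.0.0.255 10.100.200.0 0.0.0.255"]


def _parse_addr(tokens, i):
    """Consume one IOS address spec at tokens[i] and return
    ((address, wildcard), next_index). Handles 'any', 'host X', 'X WILDCARD'."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2


def parse_entry(line):
    """Parse 'access-list N (permit|deny) PROTO SRC DST [...]' into a dict."""
    t = line.split()
    if t[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    action, proto = t[2], t[3]
    src, i = _parse_addr(t, 4)
    dst, _ = _parse_addr(t, i)
    return {"action": action, "proto": proto, "src": src, "dst": dst}


def _addr_matches(spec, ip):
    """Wildcard-mask test: bits set in the wildcard are 'don't care' bits."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def evaluate(acl_lines, src_ip, dst_ip, proto="icmp"):
    """Return 'permit' or 'deny' for one packet. An entry whose protocol is
    'ip' matches any protocol; anything unmatched hits the implicit deny."""
    for entry in (parse_entry(line) for line in acl_lines):
        if entry["proto"] not in ("ip", proto):
            continue
        if _addr_matches(entry["src"], src_ip) and _addr_matches(entry["dst"], dst_ip):
            return entry["action"]
    return "deny"  # implicit deny at the end of every IOS ACL


def nat_applies(acl_lines, src_ip, dst_ip, proto="tcp"):
    """For 'ip nat inside source list N ...': permit means the packet is
    translated to the outside address, deny means it is left untouched."""
    return evaluate(acl_lines, src_ip, dst_ip, proto) == "permit"


if __name__ == "__main__":
    lan_host, vpn_client = "10.100.100.194", "10.100.200.5"
    print("NAT before:", nat_applies(ACL_125_BEFORE, lan_host, vpn_client))
    print("NAT after: ", nat_applies(ACL_125_AFTER, lan_host, vpn_client))
    print("NAT to Internet:", nat_applies(ACL_125_AFTER, lan_host, "203.0.113.10"))
    print("split-tunnel covers LAN:", evaluate(ACL_101_SPLIT, lan_host, vpn_client))
```

With the earlier ACL 125, a reply from 10.100.100.194 to a pool address is translated to the Dialer0 address before it reaches the crypto map, so the VPN client never sees a packet from the LAN host; with the deny entry in front, the same reply is left alone and traffic to the Internet is still translated. The split-tunnel ACL 101 only describes which destinations the client sends into the tunnel; it says nothing about what the LAN hosts, or the 2600 behind them, know about the route back to 10.100.200.0/24.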

    mariox79 (Member), post #285943

    Re: help vpn

    Hi davis… I have some news:
    Behind the 837 router I have:
    1 internal PC (test PC) with IP 10.100.100.194
    1 Router 2600 (fa0/0 = 10.100.100.1)
    and behind this 2600 various PCs + a web server and a DNS server.
    Now…
    from my home PC I can ping the test PC (10.100.100.194) and from the test PC I can ping my home PC when the VPN is on. Perfect.
    From my home PC I cannot ping the 2600 router (10.100.100.1), nor the DNS or web server. Is it a NAT problem? How can I resolve it??
    Thx for your great interest
