  1. Member
    Join Date
    Dec 2012
    Posts
    41
    #1

    Need Help to access Remote Router from easy VPN server.

    I have configured router R2 as an easy VPN server so that users across the internet establish a VPN with R2 and the traffic is then routed from R2 through the internet to R1, where the LAN of interest is.

    I have been able to successfully set up the VPN between R2 and clients across the internet (making R2 the easy VPN server and the clients using VPN client software), but I can't get traffic out to R1.
    What I want to achieve is that once the VPN is established between remote users and R2, they can access R1 and so reach the LAN (10.0.0.0).
    Attached is a diagram of what I am trying to achieve, and my current configuration.

    R1 is set up properly (it does not have any VPN setup) and I have no issues with it, but my problem is that once I establish the VPN I can't access R1 or anything else from R2.
    I would appreciate any help.

    Configuration on R2:

    interface gi0/1
    ip address 216.160.160.8 255.255.255.0



    aaa new-model
    aaa authentication login default local
    aaa authentication login VPN-USER-AUTHENTICATION local
    aaa authorization exec default local
    aaa authorization network B-GROUP local

    username xxx privilege 15 password cisco

    crypto isakmp policy 1
    authentication pre-share
    encryption 3des
    group 2


    crypto isakmp client configuration group BBgroup
    key 6 cisco
    pool B-POOL
    max-user 20
    acl 150

    ip local pool ML-POOL 192.168.1.1 192.168.1.20

    crypto ipsec transform-set BB-TRANSFORM-SET esp-3des esp-sha-hmac
    crypto isakmp profile B-PROFILE
    match identity group BBgroup
    client authentication list VPN-USER-AUTHENTICATION
    isakmp authorization B-GROUP
    client configuration address respond
    virtual-template 2

    crypto ipsec profile B-PROFILE-2
    set transform-set BB-TRANSFORM-SET
    set isakmp-profile B-PROFILE

    interface virtual-template 2 type tunnel
    ip unnumbered GigabitEthernet0/1


    ! permit the VPN pool (192.168.1.0/24) to reach any network, deny everything else
    access-list 150 permit ip 192.168.1.0 0.0.0.255 any
    access-list 150 deny ip any any

    ! static route to the LAN behind R1, with R1's internet-facing address as next hop
    ip route 10.0.0.0 255.255.255.0 216.140.140.2
    ip route 0.0.0.0 0.0.0.0 216.160.160.254


    Configuration on R1:


    !
    interface GigabitEthernet0/0
    ip address 10.0.0.254 255.255.255.0
    ip nat inside
    ip virtual-reassembly in
    ip policy route-map PRIVATE-INGRESS

    interface GigabitEthernet0/1
    ip address 216.150.150.4 255.255.255.0 secondary
    ip address 216.140.140.2 255.255.255.224
    ip nat outside
    ip virtual-reassembly in

    !
    ip nat
    Last edited by ahmedahmed; 03-14-2013 at 05:16 PM.

  2. DCD
    Senior Member
    Join Date
    Jan 2013
    Location
    San Francisco , Ca
    Posts
    437

    Certifications
    CCNA
    #2
    This is not my strong suit, but should this (ip route 0.0.0.0 0.0.0.0 216.160.160.254) be this (ip route 0.0.0.0 0.0.0.0 216.140.140.2), since you are tunneling?

  4. Member
    Join Date
    Mar 2010
    Posts
    67
    #3
    Heads up - I have no experience with setting up Easy VPN, only with site-to-site vpn.

    It is mentioned that there is no VPN between R2 and R1 and yet you are routing the 10.0.0.0 subnets directly out?

    If we forget about the VPN client, can you access R1 directly from R2?

  5. Member
    Join Date
    Dec 2012
    Posts
    41
    #4
    Eten, you are right. There is no VPN or direct connection between R1 and R2.
    What I want is that once the VPN is established between R2 and a remote client (an internet user), and the client has a VPN pool IP address, i.e. 192.168.1.2, the client can access the internet or any other remote network, say one located on R1.

    In my case I am able to establish the VPN between the client and R2, but I can't get to the internet or any other network from the VPN connection.

  6. Member
    Join Date
    Mar 2010
    Posts
    67
    #5
    If there is no VPN between R1 and R2, is the VPN pool IP being NAT'ed when you attempt to access the internet? Do you see any translation in sh ip nat tran?

    For IOS routers, NAT is only done when traffic traverses from an ip nat inside interface to an ip nat outside interface (or vice versa). If your VPN users are coming in and egressing on the same interface (hairpin) and NAT is required, you need to do something like NAT on a loopback with PBR.

    I'm not sure if this is required for an easy VPN setup - I'll leave it to the more experienced guys here.

  7. Member
    Join Date
    Dec 2012
    Posts
    41
    #6
    After doing a lot of research I discovered VPN on a stick. After the configuration my VPN is set up and active, but my traffic is not getting routed back to the internet as I want.
    I did show ip nat and no translations are taking place. I would appreciate some help.
    Below is the new configuration I have.
    aaa new-model
    aaa authentication login userauthen local
    aaa authorization network groupauthor local
    aaa session-id common

    resource policy

    username user password 0 cisco

    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2

    crypto isakmp client configuration group vpnclient
    key cisco123
    pool ippool

    crypto ipsec transform-set myset esp-3des esp-md5-hmac

    crypto dynamic-map dynmap 10
    set transform-set myset
    reverse-route

    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap

    interface Loopback0
    ip address 10.11.0.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly

    interface gi0/1
    ip address 216.x.x.x 255.255.255.0
    ip nat outside
    ip virtual-reassembly
    ip policy route-map VPN-Client
    duplex auto
    speed auto
    crypto map clientmap

    ip local pool ippool 192.168.1.1 192.168.1.2

    ip route 0.0.0.0 0.0.0.0 216.x.x.y

    ip nat inside source list 101 interface gi0/1 overload

    access-list 101 permit ip any any
    access-list 144 permit ip 192.168.1.0 0.0.0.255 any

    route-map VPN-Client permit 10
    match ip address 144
    set ip next-hop 10.11.0.2
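The rule stated in post #5 (an inside-source translation only fires when a packet crosses from an ip nat inside interface to an ip nat outside interface) and the loopback/PBR detour in the post #6 configuration can be modelled in a few lines, which makes it easier to reason about why "show ip nat translations" stays empty on a plain hairpin. The following is an added Python illustration, not anything posted in this thread and not IOS code; the interface names mirror the posted config, the public addresses are constructed from documentation ranges (203.0.113.0/24 for the router, 198.51.100.0/24 for an internet host), and the NAT source list is narrowed to the VPN pool rather than the posted "permit ip any any".

```python
"""Toy model of IOS inside-source NAT domain traversal (added illustration,
not IOS code).  Translation happens only when a packet crosses from an
'ip nat inside' interface to an 'ip nat outside' interface.  Decrypted Easy
VPN client traffic that enters and leaves the same outside interface never
crosses that boundary; a policy route to a next hop on an 'ip nat inside'
loopback makes the packet traverse inside -> outside and get translated.
All addresses below are constructed sample values."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Optional


@dataclass
class Interface:
    name: str
    address: IPv4Address
    network: IPv4Network            # connected subnet
    nat: Optional[str] = None       # "inside", "outside" or None


@dataclass
class PolicyRoute:
    """route-map applied with 'ip policy route-map' on an ingress interface."""
    match_src: IPv4Network          # match ip address <acl> (source network)
    next_hop: IPv4Address           # set ip next-hop


@dataclass
class Router:
    interfaces: dict                # name -> Interface
    default_next_hop: IPv4Address   # ip route 0.0.0.0 0.0.0.0 <next hop>
    nat_inside_list: IPv4Network    # ip nat inside source list <acl> ... overload
    policy: dict = field(default_factory=dict)       # ingress name -> PolicyRoute
    translations: list = field(default_factory=list)  # what 'sh ip nat tran' would show

    def _egress_for(self, next_hop: IPv4Address) -> Interface:
        for intf in self.interfaces.values():
            if next_hop in intf.network:
                return intf
        raise LookupError(f"no connected route to {next_hop}")

    def forward(self, src: str, dst: str, ingress_name: str, _hops: int = 0):
        """Return (egress interface name, source address as seen on the wire)."""
        if _hops > 4:
            raise RuntimeError("forwarding loop")
        src_ip, ingress = ip_address(src), self.interfaces[ingress_name]

        # 1. PBR on the ingress interface is consulted before the routing table.
        pbr = self.policy.get(ingress_name)
        next_hop = pbr.next_hop if pbr and src_ip in pbr.match_src else self.default_next_hop
        egress = self._egress_for(next_hop)

        # 2. A next hop that resolves onto a loopback re-injects the packet as if
        #    it had arrived on that loopback (the "NAT on a stick" trick).
        if egress.name.startswith("Loopback"):
            return self.forward(src, dst, egress.name, _hops + 1)

        # 3. Inside-source NAT only fires on an inside -> outside crossing.
        if ingress.nat == "inside" and egress.nat == "outside" and src_ip in self.nat_inside_list:
            self.translations.append((src_ip, egress.address, ip_address(dst)))
            return egress.name, egress.address
        return egress.name, src_ip


def build_router(with_policy_route: bool) -> Router:
    """R2 shaped like the post #6 config, with constructed public addresses."""
    gi = Interface("GigabitEthernet0/1", ip_address("203.0.113.8"),
                   ip_network("203.0.113.0/24"), "outside")
    lo = Interface("Loopback0", ip_address("10.11.0.1"),
                   ip_network("10.11.0.0/24"), "inside")
    r = Router({gi.name: gi, lo.name: lo}, ip_address("203.0.113.254"),
               ip_network("192.168.1.0/24"))   # NAT list limited to the VPN pool
    if with_policy_route:
        # route-map VPN-Client: match the pool, set next-hop to an unused
        # address on the loopback subnet (10.11.0.2, as in the posted config)
        r.policy[gi.name] = PolicyRoute(ip_network("192.168.1.0/24"), ip_address("10.11.0.2"))
    return r


def hairpin_demo():
    """Compare a plain hairpin with the loopback/PBR detour for one client packet."""
    plain = build_router(with_policy_route=False)
    out_plain = plain.forward("192.168.1.2", "198.51.100.7", "GigabitEthernet0/1")
    stick = build_router(with_policy_route=True)
    out_stick = stick.forward("192.168.1.2", "198.51.100.7", "GigabitEthernet0/1")
    return out_plain, len(plain.translations), out_stick, len(stick.translations)


if __name__ == "__main__":
    print(hairpin_demo())
```

Without the policy route the packet leaves GigabitEthernet0/1 still sourced from 192.168.1.2 and the translation list stays empty; with it, the packet is re-injected on Loopback0 (inside), routed out GigabitEthernet0/1 (outside) and translated to the router's public address, which is the crossing the post #6 configuration is trying to create. If the real router still shows no translations, the thing to compare against this model is which interface the decrypted packets are actually considered to enter on and whether access-list 144 matches them before the routing lookup.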
