This is my first time setting up a Cisco 1811 router as an Easy VPN server. I have read http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bf2.pdf and did a similar configuration.
When I used Cisco VPN Client 5.0.04.0300 to connect to it from outside, it connected to the router successfully. The VPN client was assigned IP 172.16.0.2 by the router.
But the big problem is that I cannot ping any IP inside; I cannot even ping the router's internal VLAN interface, 10.0.0.254.
I checked the client routing table and saw the routing entry pointing to the VPN interface:
C:\Documents and Settings\support>route print
10.0.0.0 255.255.255.0 172.16.0.3 172.16.0.3 1
I also checked all access lists; no problem. So I really need help with why I cannot communicate with inside IPs.
I am confused by the following questions:
1. Do I need to set the IP pool for VPN clients in the same subnet as an inside subnet or not? (I have VLANs 10.0.0.0 255.255.255.0 and 192.168.1.0 255.255.255.0 inside.)
2. Do I need to configure any NAT for it?
I found the following in that configuration guide PDF file:
————————————-
PREREQUISITES
The sample configuration is based on the following assumptions:
- The IP address at the Cisco Easy VPN Server is static.
- The IP address at the Cisco Easy VPN Client is static or dynamic.
- All traffic, including Internet traffic, from the Cisco Easy VPN Client is forwarded to the hub.
- Traffic from the remote hosts is forwarded after applying Network Address Translation/Port Address Translation (NAT/PAT).
——————————————
Did the last sentence mean I need to configure NAT?
I would really appreciate it if somebody could help me out! Thanks in advance.
Following is some VPN-related configuration. Fa0 and Fa1 connect to the Internet. Fa2 connects to the internal VLAN 10 subnet and Fa5 connects to the VLAN 192 subnet.
aaa new-model
!
!
aaa authentication login vpn-authen local
aaa authentication ppp default local
aaa authorization network vpn-author local
!
!
aaa session-id common
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp xauth timeout 20
!
crypto isakmp client configuration group vpn-author
 key velino
 pool vpn-pool
!
!
crypto ipsec transform-set vpn-set esp-3des esp-md5-hmac
!
!
crypto dynamic-map vpn-dyn 1
 set transform-set vpn-set
!
!
!
crypto map cisco client authentication list vpn-authen
crypto map cisco isakmp authorization list vpn-author
crypto map cisco client configuration address respond
crypto map cisco 1 ipsec-isakmp dynamic vpn-dyn
!
!
!
username cisco privilege 15 password 0 cisco
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
!
interface FastEthernet0
 bandwidth 1544
 ip address 21*.**.***.* 255.255.255.248
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 speed auto
 full-duplex
 crypto map cisco
!
interface FastEthernet1
 bandwidth 1000
 bandwidth receive 10000
 ip address 65.*.*.* 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
 switchport access vlan 192
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
!
interface Vlan1
 no ip address
!
interface Vlan192
 ip address 192.168.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map director
!
interface Vlan10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip policy route-map director
!
interface Async1
 no ip address
 encapsulation slip
!
!
ip local pool vpn-pool 172.16.0.1 172.16.0.3
ip route 0.0.0.0 0.0.0.0 2*.*.*.*
ip route 10.0.0.0 255.255.255.0 Vlan10
!
!
ip http server
ip nat inside source static tcp 192.168.1.171 25 2*.*.*.* 25 extendable
ip nat inside source static tcp 192.168.1.171 110 2*.*.*.* 110 extendable
.
.
.
ip nat inside source static udp 192.168.1.6 32001 21*.1*.1*.1* 32001 extendable
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
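The configuration above has the inside VLANs marked "ip nat inside" and both WAN ports marked "ip nat outside", and the dynamic NAT rule that would normally accompany the static entries is elided. In that arrangement a reply from 10.0.0.254 to a VPN client at 172.16.0.2 crosses from an inside to an outside interface and is subject to NAT before it reaches the crypto map, so the client receives a reply from the router's public address rather than from the host it pinged. The NAT/PAT prerequisite quoted from the PDF refers to something different: because the sample design sends all client traffic, including Internet traffic, to the hub, the hub translates client traffic that continues on to the Internet. Traffic between the client pool and the inside subnets is the case that must be exempted. The pool does not need to share a subnet with the inside VLANs; the router only needs a route back to the pool address that leads to the interface carrying the crypto map. The following is an added example of those three pieces, written for this post rather than taken from the poster's configuration or from the Cisco document; the pool, VLAN subnets and interface names come from the post, while the ACL name NAT-EXEMPT and the dynamic PAT line are assumptions about the elided part of the running configuration.

```cisco
! Added example (hypothetical names: NAT-EXEMPT). Not the poster's running
! configuration and not the Cisco white paper's sample.
!
! 1. Exempt traffic between the inside subnets and the VPN pool from NAT.
!    Vlan10/Vlan192 are "ip nat inside" and Fa0 is "ip nat outside", so an
!    inside-to-outside dynamic NAT rule would rewrite the source of replies
!    to 172.16.0.x before encryption; the client would then see a reply
!    from the public address instead of 10.0.0.254 and discard it.
ip access-list extended NAT-EXEMPT
 deny   ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 deny   ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any
!
! 2. Dynamic PAT for everything else leaving via FastEthernet0 (assumed to
!    be the interface the default route uses; this is the kind of rule the
!    post elides with "...").
ip nat inside source list NAT-EXEMPT interface FastEthernet0 overload
!
! 3. Reverse Route Injection: when a client connects, install a host route
!    for its pool address pointing at the tunnel, so replies are routed to
!    the interface that carries "crypto map cisco" rather than to whichever
!    outside interface the default route happens to use.
crypto dynamic-map vpn-dyn 1
 set transform-set vpn-set
 reverse-route
```

After a client connects, "show ip route" should list a /32 for the client's pool address, "show ip nat translations" should show no entry for the 10.0.0.x-to-172.16.0.x flow, and the encaps/decaps counters in "show crypto ipsec sa" should both rise while the client pings 10.0.0.254. One caveat the example cannot fix from the configuration shown: "ip policy route-map director" is applied to both inside VLAN interfaces and policy routing is consulted before the routing table, so if that route-map's match ACL covers traffic destined to 172.16.0.0/24 it can steer replies to FastEthernet1, which has no crypto map; its ACL needs a deny entry for the pool, since an RRI host route does not override policy routing.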