[Config] EZVPN Configuration Issue: Could not access remote LAN

Hi,

I am facing a problem while configuring a Cisco 877 router as an EZVPN server: the Cisco 1801 EZVPN client connects to the server but cannot access the EZVPN server LAN, and also loses internet connectivity on the EZVPN client side. I can ping only the local IP of the EZVPN server router and cannot ping the other local IPs. After going through different posts on the Cisco support community and some other web sites I found that the EZVPN pool must be on a separate subnet from the EZVPN server LAN and must also have a NAT exemption. But after adding this configuration I am still having the same problem.

Here is the EZVPN server configuration:
xxxx#sh run
Building configuration...

Current configuration : 7143 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret yyyyyy
!
aaa new-model
!
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
!
!
aaa session-id common
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group testEZVPN
 key xxxxx
 domain testEZVPN.com
 pool EZVPN-POOL
 acl SPLIT_T
 save-password
!
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
 set security-association lifetime kilobytes 530000000
 set security-association lifetime seconds 14400
 set transform-set TRANSFORM-1
 reverse-route
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
ip cef
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.10
!
!
ip domain name testEZVPN.com
ip host BLROGERS.PBX11 192.168.11.66
ip name-server xxxxxx
ip name-server yyyyyy
login block-for 30 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
!
vpdn-group 1
 ! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 ip mtu adjust
!
!
!
!
spanning-tree vlan 1 priority 8192
spanning-tree vlan 2 priority 8192
spanning-tree vlan 3 priority 8192
spanning-tree vlan 4 priority 8192
spanning-tree vlan 5 priority 8192
username xxxxx password yyyyyy
username vpnuser password zzzzzz
username ezvpn-wah password cccccccc
archive
 log config
  hidekeys
!
!
!
track 1 interface ATM0 line-protocol
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip mroute-cache
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 ip address xxxxxxx
 no ip unreachables
 ip nat outside
 ip virtual-reassembly
 no snmp trap link-status
 atm route-bridged ip
 pvc 0/101
  encapsulation aal5snap
!
!
interface FastEthernet0
 switchport mode trunk
!
interface FastEthernet1
 switchport mode trunk
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
 ip unnumbered Vlan2
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1200
 peer default ip address pool PPTPCLIENT
 compress mppc
 ppp encrypt mppe auto
 ppp authentication ms-chap chap
!
interface Vlan1
 ip address xxxxxxx
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 crypto map INT_MAP
!
interface Vlan2
 description USER
 ip address 192.168.11.1 255.255.255.192
 ip helper-address 192.168.11.130
 ip nat inside
 ip virtual-reassembly
!
interface Vlan3
 description VOICE
 ip address 192.168.11.65 255.255.255.192
 ip helper-address 192.168.11.130
 ip nat inside
 ip virtual-reassembly
!
interface Vlan4
 description SERVER
 ip address 192.168.11.129 255.255.255.224
 ip helper-address 192.168.11.130
 ip nat inside
 ip virtual-reassembly
!
ip local pool PPTPCLIENT 192.168.11.6 192.168.11.7
ip local pool EZVPN-POOL 192.168.10.10 192.168.10.100
ip route 0.0.0.0 0.0.0.0 xxxxx 100 track 1
ip route 0.0.0.0 0.0.0.0 yyyyyy
ip route xxxxx 255.255.0.0 yyyyy
ip route xxxx 255.255.255.0 zzzzz
ip route xxxxx 255.255.0.0 yyyyy
ip route xxxxx 255.255.255.255 yyyyyy
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.11.66 443 interface Vlan1 443
ip nat inside source static tcp 192.168.11.66 81 interface ATM0.1 81
ip nat inside source route-map nonat interface Vlan1 overload
ip nat inside source static udp 192.168.11.66 5060 146.255.3.45 48500 extendable
!
ip access-list extended SPLIT_T
 permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 103 remark VOIP-UNLIMITED
access-list 104 remark Voice-Control
access-list 104 permit udp host 192.168.11.66 any eq 5060
access-list 104 permit udp any any eq 5060
access-list 105 permit gre any any
access-list 105 permit udp any any eq 10000
access-list 105 permit udp any any eq non500-isakmp
access-list 105 permit udp any any eq isakmp
access-list 105 permit esp any any
access-list 105 permit ahp any any
access-list 106 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
 match ip address 106
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 login authentication USERLIST
 escape-character 90
!
scheduler max-task-time 5000
ntp clock-period 17175125
ntp source ATM0.1
ntp peer xxxxx
ntp peer yyyyy
!
webvpn cef
end
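The post hinges on two ACLs doing the right thing for LAN-to-client traffic: access-list 106 (referenced by route-map nonat) must deny, i.e. exempt from NAT, the flow from the server LAN to the EZVPN pool, and SPLIT_T must permit that same flow so the client keeps it in the tunnel. The following Python script is an added example, not part of the original post or the poster's configuration. It evaluates IOS-style wildcard-mask ACEs the way the router's first-match logic does and reports, for a given LAN host and client address, whether the flow is NAT-exempt and split-tunneled. The two ACLs are copied from the config above; the host addresses 192.168.11.20, 192.168.10.10, 192.168.11.50 and 8.8.8.8 are constructed for the demonstration. The parser models only source/destination matching of "ip" ACEs; protocol and port keywords are not evaluated.

```python
"""Check IOS-style NAT-exemption and split-tunnel ACLs for an EZVPN flow.

Added example (not part of the original post). It models only the
source/destination matching of 'ip' ACEs with wildcard masks; protocol
and port keywords are not evaluated.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" or "deny"
    src: str      # base address
    src_wc: str   # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wc: str


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if tokens[i] == "host":
        return tokens[i + 1], "0.0.0.0", i + 2
    return tokens[i], tokens[i + 1], i + 2


def parse_ace(line):
    """Parse one extended ACE such as 'permit ip 192.168.11.0 0.0.0.255 any'."""
    tokens = line.split()
    # The numbered form carries 'access-list <n>' in front; strip it.
    if tokens[0] == "access-list":
        tokens = tokens[2:]
    action, proto = tokens[0], tokens[1]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    src, src_wc, i = _parse_addr(tokens, 2)
    dst, dst_wc, _ = _parse_addr(tokens, i)
    return Ace(action, src, src_wc, dst, dst_wc)


def _wc_match(addr, base, wildcard):
    """IOS wildcard match: bits set in the wildcard are don't-care bits."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a | w) == (b | w)


def evaluate(acl, src, dst):
    """Return the action of the first matching ACE; IOS ACLs end in an implicit deny."""
    for ace in acl:
        if _wc_match(src, ace.src, ace.src_wc) and _wc_match(dst, ace.dst, ace.dst_wc):
            return ace.action
    return "deny"


def check_ezvpn_flow(nat_acl, split_acl, lan_host, client_host):
    """Report whether LAN->client traffic is NAT-exempt and covered by split tunneling.

    For a route-map used by 'ip nat inside source', a 'deny' in the matched ACL
    means the packet is NOT translated; for the split-tunnel ACL, 'permit' means
    the destination is pushed to the client as a tunneled network.
    """
    return {
        "nat_exempt": evaluate(nat_acl, lan_host, client_host) == "deny",
        "split_tunneled": evaluate(split_acl, lan_host, client_host) == "permit",
    }


# ACLs as they appear in the posted configuration.
NAT_ACL_106 = [parse_ace(l) for l in (
    "access-list 106 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "access-list 106 permit ip 192.168.11.0 0.0.0.255 any",
)]
SPLIT_T = [parse_ace("permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255")]


if __name__ == "__main__":
    # Constructed hosts: a server-LAN host and a client address from EZVPN-POOL.
    print(check_ezvpn_flow(NAT_ACL_106, SPLIT_T, "192.168.11.20", "192.168.10.10"))
    # Constructed: what the same ACLs would do if the pool overlapped the LAN subnet.
    print(check_ezvpn_flow(NAT_ACL_106, SPLIT_T, "192.168.11.20", "192.168.11.50"))
```

Run as-is, the first line reports both checks true for a pool address in 192.168.10.0/24, while the second shows that a client address inside 192.168.11.0/24 would be neither NAT-exempt nor split-tunneled by these ACLs, which is the reason the separate-subnet plus NAT-exemption advice in the post exists. The script only tells you what the ACLs say about a flow; it does not model routing, the crypto map placement, or the interface on which NAT overload is applied.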