[c-nsp] Cisco Software Client -> Router VPN issue.

Networkers cisco at peakpeak.com
Mon Jan 5 10:38:02 EST 2009 

I¹m trying to solve a problem with setting up the remote VPN access using
the Cisco VPN software client.  I have gotten it to the point where a user
can remotely tunnel to the router from their Doze PC, log in, receive an
IP in the 10.x.x.x network, and ping something on the 192.168.100.x
network.

However, they can¹t surf to the outside internet over that tunneld
connection. 

I¹ve taken a look at
some sample configs on the Cisco site but they all seem to be similar to
this. My thinking is that the dial pool doesn¹t get NATed properly, but
I¹m unsure on what to do to the config to fix this.  Normal 192.168.100.x
Ethernet-connected PCs in the home office can surf and do everything just
fine.

Can someone offer a tidbit?

Thanks!
Chris


aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
username somebody password 0 my_password
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SomeVPN
 key my_key
 pool ourpool
!
crypto ipsec transform-set trans1 esp-3des esp-sha-hmac
crypto ipsec transform-set trans2 esp-des esp-sha-hmac
crypto ipsec transform-set trans3 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set trans3
!
crypto map intmap client authentication list userauthen
crypto map intmap isakmp authorization list groupauthor
crypto map intmap client configuration address initiate
crypto map intmap client configuration address respond
crypto map intmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Office LAN
 ip address 192.168.100.100 255.255.255.0
 ip nat inside
 no ip mroute-cache
!
interface Serial0/0
 ip address my_ip 255.255.255.252
 ip nat outside
 crypto map intmap
!
ip local pool ourpool 10.0.0.1 10.0.0.254
ip default-gateway upstream_ip
ip nat inside source route-map nonat interface Serial0/0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0
!
ip access-list extended NATRules
 deny   ip 192.168.100.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny   ip 10.0.0.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 192.168.100.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
!
access-list 2 permit 10.0.0.0 0.0.0.255
access-list 2 permit 192.168.100.0 0.0.0.255
!
route-map nonat permit 11
 match ip address NATRules
!
end

More information about the cisco-nsp mailing list