VPN - Cisco IOS VPN Client - problem


Archived from groups: comp.dcom.vpn

 

Hello everybody,
I have tried to set up a VPN connection from Cisco VPN Client to Cisco
Router 2621 (64MB RAM/ 16MB Flash) - with enterprise IOS 12.2.
When I map a crypto map to the interface ( crypto map CRYPTOMAP to serial
0/0.1 ) - the nat stopped working and I haven't got a remote connection to
my router and other services behind the router. When I got to the LAN I was
able to connect to router via ssh.

I don't know what is wrong. I have studied Cisco materials and some other
configs without any ideas.
Would you be so kind and help me with this configuration?
Thanks a lot.

!
! Last configuration change at 08:16:20 CET Tue Feb 1 2005 by jskorka
! NVRAM config last updated at 22:57:51 CET Mon Jan 31 2005 by jskorka
!
version 12.2
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname VIV_2621
!
logging buffered 16000 debugging
logging monitor informational
aaa new-model
aaa authentication login default local
enable secret 5 $XXXXXXXXXX
!
username jskorka password 7 1234567890
clock timezone CET 1
clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
no ip source-route
!
!
ip domain-name aaa.com.pl
ip name-server 192.168.0.2
!
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh authentication-retries 4
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local local_vpn_pool
!
!
crypto ipsec transform-set VPN_TRANSFORMS ah-sha-hmac esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_USER_MAP 50
description Cryptographic dynamic map to VPN users
set transform-set VPN_TRANSFORMS
match address 115
!
!
crypto map CRYPTOMAP client configuration address initiate
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN_USER_MAP
!
call rsvp-sync
!
!
!
!
!
!
!
!
interface FastEthernet0/0
description connected to EthernetLAN
ip address 192.168.0.254 255.255.255.0
ip access-group msngg in
ip nat inside
duplex auto
speed auto
!
interface Serial0/0
no ip address
encapsulation frame-relay IETF
no fair-queue
frame-relay lmi-type ansi
!
interface Serial0/0.1 point-to-point
description connected to Internet
ip address 80.50.189.114 255.255.255.252
ip access-group ntp_serv out
ip nat outside
no cdp enable
frame-relay interface-dlci 99 IETF
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
ip local pool local_vpn_pool 192.168.5.1 192.168.5.254
ip nat pool VIV_2621_natpool 80.51.xxx.yyy 80.51.xxx.yyy netmask 255.255.255.240
ip nat inside source route-map nonat pool VIV_2621_natpool overload
ip nat inside source static tcp 192.168.0.254 1805 80.51.xxx.yyy 1805 extendable
ip nat inside source static tcp 192.168.0.254 5050 80.51.xxx.yyy 5050 extendable
ip nat inside source static tcp 192.168.0.254 1863 80.51.xxx.yyy 1863 extendable
ip nat inside source static tcp 192.168.0.254 1550 80.51.xxx.yyy 1550 extendable
ip nat inside source static tcp 192.168.0.3 80 80.51.xxx.yyy 80 extendable
ip nat inside source static tcp 192.168.0.230 8001 80.51.xxx.yyy 8001 extendable
ip nat inside source static tcp 192.168.0.40 80 80.51.xxx.zzz 80 extendable
ip nat inside source static tcp 192.168.0.10 20 80.51.xxx.zzz 20 extendable
ip nat inside source static tcp 192.168.0.10 21 80.51.xxx.yyy 21 extendable
ip nat inside source static tcp 192.168.0.230 5001 80.51.xxx.yyy 5001 extendable
ip nat inside source static tcp 192.168.0.230 5002 80.51.xxx.yyy 5002 extendable
ip nat inside source static tcp 192.168.0.230 5003 80.51.xxx.yyy 5003 extendable
ip nat inside source static tcp 192.168.0.57 9001 80.51.xxx.ccc 9001 extendable
ip nat inside source static udp 192.168.0.57 9001 80.51.xxx.ccc 9001 extendable
ip nat inside source static udp 192.168.0.57 9002 80.51.xxx.ccc 9002 extendable
ip nat inside source static tcp 192.168.0.57 9002 80.51.xxx.ccc 9002 extendable
ip nat inside source static tcp 192.168.0.57 9999 80.51.xxx.ccc 9999 extendable
ip nat inside source static udp 192.168.0.57 9999 80.51.xxx.ccc 9999 extendable
ip nat inside source static tcp 192.168.0.231 8002 80.51.xxx.yyy 8002 extendable
ip nat inside source static tcp 192.168.0.231 5011 80.51.xxx.yyy 5011 extendable
ip nat inside source static tcp 192.168.0.231 5012 80.51.xxx.yyy 5012 extendable
ip nat inside source static tcp 192.168.0.231 5013 80.51.xxx.yyy 5013 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Serial0/0.1
no ip http server
!
!
ip access-list extended msngg
deny tcp any 217.17.41.80 0.0.0.15 eq 8074
deny tcp any 217.17.41.80 0.0.0.15 eq 443
deny tcp any 207.46.104.0 0.0.3.255 eq 1863
deny tcp any 207.46.104.0 0.0.3.255 eq www
permit ip any any
ip access-list extended ntp_serv
deny udp any eq ntp any eq ntp
permit ip any any
access-list 90 permit any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 115 deny ip any 224.0.0.0 15.255.255.255
access-list 115 deny ip any host 192.168.0.255
access-list 115 permit ip any any
route-map nonat permit 10
description Policy routing for no natting VPN traffic
match ip address 101
!
!
dial-peer cor custom
!
!
!
!
banner login 
+---------------------------------------------------------------------------+
| WARNING !                                                                 |
| This computer system including all related equipment, network devices     |
| (specifically including Internet access), are provided only for           |
| authorized use. All computer systems may be monitored for all lawful      |
| purposes, including to ensure that their use is authorized, for           |
| management of the system, to facilitate protection against unauthorized   |
| access, and to verify security procedures, survivability and              |
| operational security. Monitoring includes active attacks by authorized    |
| personnel and their entities to test or verify the security of the        |
| system. During monitoring, information may be examined, recorded,         |
| copied and used for authorized purposes. All information including        |
| personal information, placed on or sent over this system may be           |
| monitored. Uses of this system, authorized or unauthorized, constitutes   |
| consent to monitoring of this system. Unauthorized use may subject you    |
| to criminal prosecution. Evidence of any such unauthorized use            |
| collected during monitoring may be used for administrative, criminal or   |
| other adverse action. Use of this system constitutes consent to           |
| monitoring for these purposes.                                            |
+---------------------------------------------------------------------------+

!
line con 0
exec-timeout 0 0
password 7 XXXXXX12345678
line aux 0
line vty 0 4
access-class 90 in
exec-timeout 5 0
password 7 XXXXXX12345678
transport input ssh
!
ntp clock-period 17180455
ntp server 217.153.69.35
ntp server 195.187.244.4
ntp server 193.110.120.9
end
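
An added example, not part of the original post: a Python check for one thing worth examining in a configuration like the one above. On IOS a dynamic crypto map does not initiate SAs, so traffic that matches a permit entry in its `match address` ACL and has no SA is dropped; the script lists dynamic-map ACL entries that permit `ip any any`. The sample is a constructed excerpt of the posted config, the narrowed variant is constructed for comparison only, and all function names are hypothetical.

```python
import re

# Constructed excerpt of the configuration posted above (not the full config).
SAMPLE_CONFIG = """\
crypto dynamic-map VPN_USER_MAP 50
set transform-set VPN_TRANSFORMS
match address 115
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN_USER_MAP
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 115 deny ip any 224.0.0.0 15.255.255.255
access-list 115 deny ip any host 192.168.0.255
access-list 115 permit ip any any
"""
# Constructed comparison: crypto ACL limited to LAN -> VPN pool traffic.
NARROWED_CONFIG = SAMPLE_CONFIG.replace(
    "access-list 115 permit ip any any",
    "access-list 115 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255")

SUBCMDS = ("set ", "match ", "description ")  # dynamic-map sub-commands

def parse_acls(config):
    """Return {acl_number: [entries]} for numbered access-list lines only."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"\s*access-list\s+(\d+)\s+(.+)", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2).strip())
    return acls

def dynamic_map_acls(config):
    """Return {dynamic_map_name: [acl ids]}; works without indentation."""
    maps, current = {}, None
    for line in config.splitlines():
        s = line.strip()
        head = re.match(r"crypto dynamic-map (\S+) \d+", s)
        if head:
            current = head.group(1)
            maps.setdefault(current, [])
        elif current and s.startswith(SUBCMDS):
            m = re.match(r"match address (\S+)", s)
            if m:
                maps[current].append(m.group(1))
        else:
            current = None  # any other line ends the dynamic-map block
    return maps

def broad_crypto_entries(config):
    """List (map, acl, entry) where a dynamic-map ACL permits ip any any."""
    acls = parse_acls(config)
    return [(name, acl_id, entry)
            for name, ids in dynamic_map_acls(config).items()
            for acl_id in ids for entry in acls.get(acl_id, [])
            if re.fullmatch(r"permit\s+ip\s+any\s+any(\s+log)?", entry)]
```

Named ACLs (`ip access-list extended ...`) are not parsed; the check covers only numbered ACLs such as the 115 referenced by the dynamic map here.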
