
What's wrong with this VPN configuration?

Can someone please look at this running-config of a 2621 router that should be working as a VPN server? I am using Cisco VPN Client 4.0.5. I can connect to this router, it authenticates me, and builds the connection. The problem is I can not communicate with any internal computer nor can I ping anything on the inside. I have set up VPNs on Concentrators and never have had this problem. Notice how this router does NAT, PAT, and stateful firewall inspection creatively named CBAC. The 2621 has one interface connected to a cable modem, the other to the inside network, and is strictly used as a gateway to the internet. I have tried removing the CBAC but still no good.

Current configuration : 2977 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
no service dhcp
!
hostname ohio2621
!
!
username username privilege 15 secret 5 $1$.UWW$tuETisEwvnY9d5C8DaCvd0
clock summer-time EDT recurring
aaa new-model
!
!
aaa authentication login vpnauthenticate local
aaa authorization network somecompany local
aaa session-id common
ip subnet-zero
!
!
ip domain name somecompany.com
ip name-server 192.168.1.10
!
no ip bootp server
ip inspect tcp idle-time 300
ip inspect name CBAC smtp
ip inspect name CBAC tftp
ip inspect name CBAC ftp
ip inspect name CBAC http
ip inspect name CBAC realaudio
ip inspect name CBAC tcp
ip inspect name CBAC icmp
ip inspect name CBAC udp
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 20
crypto isakmp nat keepalive 20
crypto isakmp xauth timeout 45

!
crypto isakmp client configuration group somecompany
key somecompanykey
dns 192.168.1.10
domain somecompany.com
pool somecompany_pool
!
!
crypto ipsec transform-set easyclients esp-3des esp-sha-hmac
!
crypto dynamic-map dynamic_map 10
set transform-set easyclients
!
!
crypto map static_map client authentication list vpnauthenticate
crypto map static_map isakmp authorization list somecompany
crypto map static_map client configuration address initiate
crypto map static_map client configuration address respond
crypto map static_map 999 ipsec-isakmp dynamic dynamic_map
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
interface FastEthernet0/0
ip address xx.xxx.xxx.xx 255.255.255.128
ip access-group External_ACL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect CBAC out
duplex auto
speed auto
no cdp enable
crypto map static_map
!
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
duplex auto
speed auto
no cdp enable
!
ip local pool somecompany_pool 192.168.1.200 192.168.1.254
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static tcp 192.168.1.30 80 interface FastEthernet0/0 80
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xxx.xx.xxx
!
!
ip access-list extended External_ACL
permit tcp any host xx.xxx.xx.xxx eq www
permit udp any host xx.xxx.xx.xxx eq isakmp
permit esp any host xx.xx.xx.xxx
permit udp any host xx.xxx.xx.xxx eq non500-isakmp
deny ip any any
access-list 1 permit 192.168.1.11
access-list 1 permit 192.168.1.10
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
radius-server authorization permit missing Service-Type
!
!
line con 0
line aux 0
exec-timeout 5 0
line vty 0 4
exec-timeout 5 0
transport input telnet
transport output none
!
!
end

"I hear and I forget. I see and I remember. I do and I understand."
- Confucius (551 BC - 479)
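One thing to rule out in the posted config, as an added check that is not from the thread: ip nat inside source list 100 covers all of 192.168.1.0/24 and the VPN pool is carved from that same subnet, and since IOS applies inside-to-outside NAT before the crypto map, a reply from an inside host to a VPN client is translated and never enters the tunnel unless the NAT ACL denies that traffic first. The script below reads a constructed excerpt of the config, lists the pool addresses whose replies would be translated, and generates the deny entries to place above the permit; the inside host 192.168.1.10 (the configured name-server), numbered ACLs only, and first-match ACL semantics are assumptions.

```python
import ipaddress
# Constructed excerpt of the posted running-config: just the lines this check reads.
CONFIG = """\
ip local pool somecompany_pool 192.168.1.200 192.168.1.254
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""

def acl_addr(tokens):
    """Consume one ACL address spec (any | addr wildcard); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # An IOS wildcard is the inverted netmask.
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse(config):
    """Collect local pools, ACL names used by NAT, and the IP ACEs of numbered ACLs."""
    pools, nat_acls, acls = {}, set(), {}
    for line in config.splitlines():
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            pools[t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
        elif t[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acls.add(t[5])
        elif t[:1] == ["access-list"] and t[3:4] == ["ip"]:
            src, rest = acl_addr(t[4:])
            acls.setdefault(t[1], []).append((t[2], src, acl_addr(rest)[0]))
    return pools, nat_acls, acls

def natted_pool_addrs(config, inside_host):
    """Pool addresses whose replies from inside_host hit a NAT permit (first match wins)."""
    pools, nat_acls, acls = parse(config)
    src, hit = ipaddress.IPv4Address(inside_host), []
    for start, end in pools.values():
        for dst in map(ipaddress.IPv4Address, range(int(start), int(end) + 1)):
            for name in nat_acls:
                for action, s, d in acls.get(name, []):
                    if src in s and dst in d:
                        hit += [str(dst)] if action == "permit" else []  # PAT'd before crypto
                        break
    return hit

def exemption_lines(config, acl_name, inside_net):
    """Deny entries to place above the NAT permit so pool traffic bypasses NAT."""
    pools, _, _ = parse(config)
    inside, lines = ipaddress.ip_network(inside_net), []
    for start, end in pools.values():
        for net in ipaddress.summarize_address_range(start, end):
            lines.append(f"access-list {acl_name} deny ip {inside.network_address} "
                         f"{inside.hostmask} {net.network_address} {net.hostmask}")
    return lines
```

Prepending the generated deny entries to the excerpt and re-running the check returns an empty list, which is the state to aim for before looking at CBAC or the interface ACL.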
 
I think you need to define which traffic you want to encrypt under the dynamic crypto map:

crypto dynamic-map dynamic_map 10
match address 100
 
Is the match address 100 representing my access list 100 that includes the 200 to 254 addresses I have reserved for the VPN pool, or do I need to make a separate access-list just for this address range?

Thanks a bunch for looking at this config, it's driving me crazy.

 
I picked access list 100 as I see you have set up a pool with 192.168.1.0/24 addresses being allocated from it for VPN clients. Access list 100 comprises the entire 192.168.1.0/24 subnet, hence I figured you're likely to want to protect this traffic via your tunnel.
 
You're right, I will try this and hopefully it works. If not I will post back, thanks for your help. Also, do you know why this VPN setup disabled my login local command on all my lines, i.e. line con 0, line aux, and line vty 0 4? The router will no longer let me use the login local command on any of these lines.

 
I've never heard of that before re: disabling login local whenever you enable IPSEC. Does the standard enable password work if you enter 'login' under the lines?
 
No, it will not even let me use basic password login on any of the lines.
As soon as I enter the command aaa new-model the router wipes out any login parameters I have set for any line, and will not let me re-enable them.

 