# Cisco 1921 VPN *!Help Needed!*



## CiscoNewbie (Apr 21, 2011)

I have a new Cisco 1921 that I am setting up. I need to have a VPN set up to where I can RDP into my local network desktops from the outside interface using Cisco VPN Client. I have gotten it close where now the Client establishes the VPN with the router, but I cannot ping or RDP into the network connected to the inside interface. I have looked at all the guides and cannot seem to see what I am missing. Here is my code to help. Any assistance would be tremendously appreciated.


```
Building configuration...
Current configuration : 4498 bytes
!
! Last configuration change at 20:13:22 UTC Thu Apr 21 2011 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ITL-Router1
!
boot-start-marker
warm-reboot
boot-end-marker
!
enable secret 5 xxxxxxxx
enable password xxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.209
ip dhcp excluded-address 192.168.1.231 192.168.1.254
!
ip dhcp pool ITL-pool
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 64.89.70.2 64.89.74.2
!
!
ip domain name itl-llc.com
!
multilink bundle-name authenticated
!
!
license udi pid CISCO1921/K9 sn FTX14460190
!
!
username admin privilege 15 secret 5 xxxxxxxxxxx
username xxxxx secret 5 xxxxxxxxxxx
!
redundancy
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key xxxxxxxx
 pool ippool
 acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/1
 ip address xxx.xxx.xxx.58 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
 !
!
ip local pool ippool 10.10.10.20 10.10.10.30
ip default-gateway xxx.xxx.xxx.57
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ITL-map-1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.57
!
access-list 23 permit any
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
!
no cdp run
!
!
!
route-map ITL-map-1 permit 1
 match ip address 100
!
!
snmp-server community public RO
!
control-plane
 !
!
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 transport input ssh
line vty 5 15
 access-class 23 in
 transport input ssh
!
scheduler allocate 20000 1000
end
```


----------



## richardsims (May 7, 2011)

What is the purpose of ACL 100?
I see in the configuration it is related to a route-map and a NAT rule.
I am not familiar with what this would be configured for.
What IP network address is a PC on when they establish a connection to the VPN?
What IP network address are they connecting to when they try to RDP?
If they connect to the VPN and are assigned a 10.10.10.20 - .30 IP address and they need to RDP to the same network, then you may not need the NAT.


----------
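Added example, not part of either post: a Python evaluation of the three extended ACL lines from the posted config, using Cisco first-match and wildcard-mask rules, to show which inside-to-outside flows the `ip nat inside source route-map ITL-map-1 ... overload` rule translates (ACL 100) and which destinations ACL 101 selects for the `vpnclient` group. The hosts 192.168.1.50 and 203.0.113.10 are constructed samples, and the parser assumes `ip` entries whose operands are `any` or an address/wildcard pair.

```python
import ipaddress

# ACL lines copied from the posted running-config.
ACL_LINES = """\
access-list 100 deny   ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 100 permit ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
"""

def _take_addr(tokens):
    """Consume 'any' or 'addr wildcard' and return (base, wildcard) as ints."""
    if tokens[0] == "any":
        tokens.pop(0)
        return 0, 0xFFFFFFFF
    base, wild = tokens.pop(0), tokens.pop(0)
    return int(ipaddress.IPv4Address(base)), int(ipaddress.IPv4Address(wild))

def parse_acls(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} for 'ip' entries."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:1] != ["access-list"] or len(tokens) < 5 or tokens[3] != "ip":
            continue
        number, action, rest = int(tokens[1]), tokens[2], tokens[4:]
        src = _take_addr(rest)
        dst = _take_addr(rest)
        acls.setdefault(number, []).append((action, src, dst))
    return acls

def _hit(addr, spec):
    base, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (base & care)

def acl_action(acls, number, src, dst):
    """First matching entry wins; no match falls to the implicit deny."""
    for action, s, d in acls.get(number, []):
        if _hit(src, s) and _hit(dst, d):
            return action
    return "deny"

def is_natted(acls, src, dst, nat_acl=100):
    """route-map ITL-map-1 matches ACL 100, so 'permit' means PAT on Gi0/1."""
    return acl_action(acls, nat_acl, src, dst) == "permit"

if __name__ == "__main__":
    acls = parse_acls(ACL_LINES)
    for dst in ("10.10.10.20", "203.0.113.10"):  # VPN pool address, constructed outside host
        print(f"192.168.1.50 -> {dst}: NAT overload = {is_natted(acls, '192.168.1.50', dst)}")
```

The `deny` entry in ACL 100 keeps replies from the inside LAN to the 10.10.10.0/24 client pool out of the overload translation, while everything else leaving GigabitEthernet0/1 is translated.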

