Easy VPN question

DevilWAH

Some help needed.

I have a router (3640) set up as a easy VPN server.

it has one interface active 192.168.5.46

on the same subnet is a ADSL router with 192.168.5.254 which is used as the default gateway for PC's and is the default route on the 3640.

and one PC with the IP address 192.168.5.48.

before I connect the VPN i can ping 4.2.2.2 from both the router and the PC.

however after I connect up the VPN every thing stops working?

When I try to ping 4.2.2.2 from the PC and use wire shart to capture the traffic on the VPN interface (ipaddess 10.0.10.x) i can see it sending traffic direct from 10.0.10.x to 4.2.2.2.

But I expected it to be from 10.0.10.x to 192.168.5.46 (the 3640 interface) I can see the traffic is getting encrypted as the counters are incressin, it just does not seem to get through to the 3640 and get decrypted?

what am i missing to make this work ?

cheers

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization network VPN local
!
aaa session-id common
memory-size iomem 5
!
!
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username aaron privilege 15 secret 5 $1$NGd0$aA/uKN5QlGl/RyGpctJzC.
username stephen secret 5 $1$Krao$anMmQhuNsgsRNfBMTGJQm/
!
crypto isakmp policy 100
encr aes
authentication pre-share
group 2
crypto isakmp client configuration address-pool local VPN_DHCP
!
crypto isakmp client configuration group VPN_ACCESS
key cisco
dns 8.8.8.8 8.8.4.4
domain devilwah.com
pool VPN_DHCP
netmask 255.255.255.0
!
!
crypto ipsec transform-set VPN1 esp-aes esp-sha-hmac
!
crypto dynamic-map VPND 10
set transform-set VPN1
reverse-route
!
!
crypto map VPNC client authentication list VPN
crypto map VPNC isakmp authorization list VPN
crypto map VPNC client configuration address respond
crypto map VPNC 10 ipsec-isakmp dynamic VPND
!
!
!
!
interface Ethernet0/0
ip address 192.168.5.46 255.255.255.0
full-duplex
crypto map VPNC
!
interface Ethernet0/1
no ip address
shutdown
half-duplex
!
interface Ethernet0/2
no ip address
shutdown
half-duplex
!
interface Ethernet0/3
no ip address
shutdown
half-duplex
!
ip local pool VPN_DHCP 10.0.10.10 10.0.10.20
ip http server
no ip http secure-server
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.5.254
!
!
control-plane
!
!
line con 0
privilege level 15
line aux 0
line vty 0 4
!
!
end

netdiag1.jpg

DevilWAH

oh now i get this, it's working fine,

just that the external ADSL router is not set upto NAT the 10.0.10.x range!!

or at least that is what I think it the problem. have to check. but that will ahve to wait a bit.

I am still a bit lost as to how to set this ip on the main live router though.

this runs CISCO IOS zonebased fire wall.

if I set up the VPN connection on the external interface, how do i configure what zone the VPN PC's belong to? do I have to set up a virtual interface and map the VPN to this, and then set up the zone on that ?