Questions

Cisco Easy VPN Server, Cannot go beyond router. NAT?

+
0 Votes
Locked

Cisco Easy VPN Server, Cannot go beyond router. NAT?

bchiarini
Dear all:

I used the SDM (v2.4) wizard to setup a Easy VPN Server on a Cisco 871 w/ Adv. IP.

I can establish a VPN connection with no problems from the WAN-side, ping the router (192.168.1.1) and talk with it, but cannot reach anything on the inside. I tried many things, even wiping out the config back to factory defaults and no success. Also tried using an IP pool with addresses on the LAN (192.168.1.1) with same exact results. I guess it has to do with inbound routing/NAT.

Please your assistance. This is my first contact with Cisco's router. Love them so far for all their flexibility, though the learning curve is long.....

RUNNING Config:
!This is the running config of the router: 192.168.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 [VALUE deleted]
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name diamond.local
ip name-server 65.106.1.196
ip name-server 192.168.1.10
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect name DEFAULT100 appfw DEFAULT100
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 dns
!
appfw policy-name DEFAULT100
application http
port-misuse p2p action reset alarm
port-misuse im action reset alarm
application im aol
service default action reset
service text-chat action reset
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail off
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.com
server permit name webmessenger.msn.com
audit-trail on
application im yahoo
service default action reset
service text-chat action reset
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name messenger.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail off
!
!
crypto pki trustpoint TP-self-signed-1154900791
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1154900791
revocation-check none
rsakeypair TP-self-signed-1154900791
!
!
crypto pki certificate chain TP-self-signed-
[SECTION deleted]
[USERS deleted]
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_DEFAULT100
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
class sdm_p2p_bittorrent
drop
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn-group-diamond
key [XXXXXXX]
pool SDM_POOL_1
crypto isakmp profile sdm-ike-profile-1
match identity group vpn-group-diamond
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
ip address 67.106.209.18 255.255.255.240
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
service-policy input sdmappfwp2p_DEFAULT100
service-policy output sdmappfwp2p_DEFAULT100
!
interface Virtual-Template1 type tunnel
description VPN
ip unnumbered FastEthernet4
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.0.0.2 10.0.0.10
ip classless
ip route 0.0.0.0 0.0.0.0 67.106.209.17
!
ip flow-top-talkers
top 15
sort-by bytes
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 remark AOL Stream
access-list 100 deny ip any host 64.236.98.55
access-list 100 deny ip 67.106.209.16 0.0.0.15 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark AOL Stream
access-list 101 deny ip host 64.236.98.55 any
access-list 101 permit udp any host 67.106.209.18 eq non500-isakmp
access-list 101 permit udp any host 67.106.209.18 eq isakmp
access-list 101 permit esp any host 67.106.209.18
access-list 101 permit ahp any host 67.106.209.18
access-list 101 permit udp host 65.106.1.196 eq domain host 67.106.209.18
access-list 101 permit udp host 65.106.7.196 eq domain host 67.106.209.18
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 permit icmp any host 67.106.209.18 echo-reply
access-list 101 permit icmp any host 67.106.209.18 time-exceeded
access-list 101 permit icmp any host 67.106.209.18 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
  • +
    0 Votes
    taboga

    ...and after going around and around with it, I finally tried identifying a WINS Server in the TCP/IP properties of the network adapter and that solved it.

    Only takes a few seconds and might be worth a try.

    +
    0 Votes
    bchiarini

    Thank you for your answer. I'll give it a try, although I don't see how can that solve it since I cannot even ping my domain controller. Besides my DC does not have a WINS server setup.

    I setup my DC as both DNS and WINS server in the group policy associated with the VPN (vpn-group-diamond in the config). I'll try it out and let you know.

    +
    0 Votes
    bchiarini

    Made it worked. Changed the IP pool to 10.1.1.2-10 and was able to talk to the LAN. No access to Internet though, but solved after adding split-tunneling.

    SDM apparently adds by default rules in the ACL to deny any incoming traffic from the IPs I was using as pool.

    Is this the correct setup? Shouldn't it have worked without recurring to split-tunneling.

    Thank you guys.

    +
    0 Votes
    J.C.Alexandres

    Are you trying to access the devices inside the network using IPs or their names? Either way, based in the configuration you posted above, it seem to be an issue with routing, once you are passing packets across your connection, just add the DNS server (s), if you have any inside your network.

  • +
    0 Votes
    taboga

    ...and after going around and around with it, I finally tried identifying a WINS Server in the TCP/IP properties of the network adapter and that solved it.

    Only takes a few seconds and might be worth a try.

    +
    0 Votes
    bchiarini

    Thank you for your answer. I'll give it a try, although I don't see how can that solve it since I cannot even ping my domain controller. Besides my DC does not have a WINS server setup.

    I setup my DC as both DNS and WINS server in the group policy associated with the VPN (vpn-group-diamond in the config). I'll try it out and let you know.

    +
    0 Votes
    bchiarini

    Made it worked. Changed the IP pool to 10.1.1.2-10 and was able to talk to the LAN. No access to Internet though, but solved after adding split-tunneling.

    SDM apparently adds by default rules in the ACL to deny any incoming traffic from the IPs I was using as pool.

    Is this the correct setup? Shouldn't it have worked without recurring to split-tunneling.

    Thank you guys.

    +
    0 Votes
    J.C.Alexandres

    Are you trying to access the devices inside the network using IPs or their names? Either way, based in the configuration you posted above, it seem to be an issue with routing, once you are passing packets across your connection, just add the DNS server (s), if you have any inside your network.