03-04-2007 04:36 PM - edited 02-21-2020 02:54 PM
I thought I had this working at one point but the config seems to have been hosed. I've looked at this so much I've confused myself. Can someone please tell me where I've gone wrong to get my VPN pool 192.168.5.x traffic back out to the internet? Sanity begs...
!
interface Loopback0
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description
ip address X.X.X.X X.X.X.X
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_2
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip local pool VPNPOOL 192.168.5.1 192.168.5.254
ip route 0.0.0.0 0.0.0.0 X.X.X.X permanent
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 144 permit ip 192.168.5.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set interface Loopback0
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
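As an added illustration (not part of the thread and not anything the router itself runs), the following Python model replays the posted ACLs and route-maps against a few constructed flows: Cisco wildcard-mask matching, first-match ACL evaluation with the implicit deny, the VPN-Client policy route on FastEthernet4, and the rule that dynamic NAT only fires when a packet crosses from an "ip nat inside" interface to an "ip nat outside" one. The egress table (which interface each destination leaves by) and the handling of pool addresses are assumptions read off the posted config, not router output.

```python
"""Model of how the posted IOS config classifies a flow. Added example;
the flows and the egress table below are constructed/assumed."""
import ipaddress
from typing import NamedTuple


class Ace(NamedTuple):
    action: str   # "permit" or "deny"
    src: str      # "<network> <wildcard>" or "any"
    dst: str      # "<network> <wildcard>" or "any"


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (a & care) == (n & care)


def acl_eval(acl: list, src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# Transcribed from the posted config.
ACL_100 = [  # NAT candidates (route-map SDM_RMAP_1)
    Ace("deny",   "192.168.1.0 0.0.0.255", "192.168.5.0 0.0.0.255"),
    Ace("deny",   "192.168.1.0 0.0.0.255", "192.168.6.0 0.0.0.255"),
    Ace("deny",   "192.168.1.0 0.0.0.255", "192.168.7.0 0.0.0.255"),
    Ace("permit", "192.168.1.0 0.0.0.255", "any"),
    Ace("permit", "192.168.3.0 0.0.0.255", "any"),
    Ace("permit", "192.168.5.0 0.0.0.255", "any"),
]
ACL_144 = [Ace("permit", "192.168.5.0 0.0.0.255", "any")]  # route-map VPN-Client

# Interface roles from the "ip nat inside/outside" statements.
INSIDE = {"Loopback0", "Vlan1"}
OUTSIDE = {"FastEthernet4"}


def egress_interface(dst: str) -> str:
    """Assumed forwarding table: connected subnets, then the default route."""
    d = ipaddress.IPv4Address(dst)
    if d in ipaddress.IPv4Network("192.168.1.0/24"):
        return "Vlan1"
    if d in ipaddress.IPv4Network("192.168.3.0/24"):
        return "Loopback0"
    return "FastEthernet4"   # default route (pool hosts also sit behind Fa4)


def classify(src: str, dst: str, ingress: str, pbr_enabled: bool = True):
    """Return (policy_routed_to_loopback, nat_translated) for one flow.

    A decrypted VPN packet arrives on FastEthernet4 (outside).  If the
    VPN-Client route-map fires it is re-injected via Loopback0 (inside),
    so a subsequent exit through FastEthernet4 is an inside->outside
    crossing and ACL 100 decides whether it is translated."""
    pbr = (pbr_enabled and ingress == "FastEthernet4"
           and acl_eval(ACL_144, src, dst) == "permit")
    effective_ingress = "Loopback0" if pbr else ingress
    egress = egress_interface(dst)
    nat = (effective_ingress in INSIDE and egress in OUTSIDE
           and acl_eval(ACL_100, src, dst) == "permit")
    return pbr, nat


if __name__ == "__main__":
    # Constructed flows; 68.111.16.30 is the DNS server pinged in the thread.
    for flow in [("192.168.5.6", "68.111.16.30", "FastEthernet4"),
                 ("192.168.1.10", "192.168.5.6", "Vlan1"),
                 ("192.168.5.6", "192.168.1.10", "FastEthernet4"),
                 ("192.168.1.10", "8.8.8.8", "Vlan1")]:
        print(flow, "-> pbr, nat =", classify(*flow))
    # Same VPN flow with the policy route switched off: it arrives and leaves
    # on the outside interface, so NAT never fires even though ACL 100 permits it.
    print("no PBR:", classify("192.168.5.6", "68.111.16.30", "FastEthernet4", False))
```

The last line is the point of the loopback hop: with the policy route off, a pool client's packet enters and exits on FastEthernet4, never crosses inside to outside, and is never translated, which is exactly the symptom of many ACL 144 matches but no NAT translations. The model also shows why ACL 100 denies 192.168.1.0/24 to the pool networks: that traffic is returned to the VPN clients and must not be translated before it is encrypted.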
03-04-2007 07:27 PM
Hi Chris,
The config looks good. Probably you need to capture the traffic and trace it as to where it is going and that could give us more information. As per the config, everything should be fine.
Regards,
Kamal
03-04-2007 09:18 PM
Kamal,
Thanks for the check. The only thing I did as far as changes is upgrade from a deferred 11.4.4 code to 11.4.10... which I then backed out to 10.4.9.T2. I do notice a couple of things. Lots of hit counts on the deny .1 to .5 network but none on the .5 to any for internet traffic. I've done extended pings from .3 to the internet and get hits and NAT translations. It seems like the missing link is the policy of forwarding traffic from .5 to the loopback .3 network. It seems the VPN traffic is trying to just go out the .1 network, bypassing the policy. Any bugs?
Thanks again.
03-04-2007 11:27 PM
Correction... I went from deferred 12.4.2 code to 12.4.11T1 and then back down to 12.4.9T2. This is on a 851 BTW.
03-05-2007 12:45 AM
Hi Chris,
Starting from version 12.3T, the option "set interface
With newer codes, that is why it is suggested to use "set ip next-hop" instead of "set interface" .
Try this :
route-map VPN-Client permit 10
match ip address 144
no set interface loopback0
set ip next-hop 192.168.3.2
exit
*Please rate if helped.
-Kanihska
03-05-2007 08:51 AM
Kanihska,
Those changes didn't work. Ug! What's a clean way to do a debug trace without killing the router? NAT is doing something weird too.
sho access-lists 144
Extended IP access list 144
10 permit ip 192.168.5.0 0.0.0.255 any (9500 matches)
sho access-lists 100
Extended IP access list 100
10 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255 (3408 matches)
20 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255 (512 matches)
40 permit ip 192.168.1.0 0.0.0.255 any (2750 matches)
50 permit ip 192.168.3.0 0.0.0.255 any
60 permit ip 192.168.5.0 0.0.0.255 any (4 matches)
sho access-lists 144
Extended IP access list 144
10 permit ip 192.168.5.0 0.0.0.255 any (9524 matches)
sho ip nat tr
Pro Inside global Inside local Outside local Outside global
udp public*** 192.168.5.255:137 192.168.5.3:137 192.168.5.3:137
udp public*** 192.168.5.255:137 192.168.5.4:137 192.168.5.4:137
udp public*** 192.168.5.255:138 192.168.5.3:138 192.168.5.3:138
udp public*** 192.168.5.255:138 192.168.5.4:138 192.168.5.4:138
03-05-2007 09:10 AM
Please turn on the debugs for :
debug ip policy 144
debug ip packet detail 144
Send me the output.
-Kanishka
03-05-2007 09:26 AM
Appreciate this help!
Trying to ping the outside DNS servers:
001154: *Feb 18 17:33:57.339 PST: IP: route map VPN-Client, item 10, permit
001155: *Feb 18 17:33:57.339 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001156: *Feb 18 17:34:00.747 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.111.16.30, len 60, FIB policy match
001157: *Feb 18 17:34:00.747 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001158: *Feb 18 17:34:00.747 PST: IP: route map VPN-Client, item 10, permit
001159: *Feb 18 17:34:00.747 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001160: *Feb 18 17:34:06.247 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.111.16.30, len 60, FIB policy match
001161: *Feb 18 17:34:06.247 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001162: *Feb 18 17:34:06.247 PST: IP: route map VPN-Client, item 10, permit
001163: *Feb 18 17:34:06.247 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001164: *Feb 18 17:34:09.731 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.111.16.30, len 68, FIB policy match
001165: *Feb 18 17:34:09.731 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001166: *Feb 18 17:34:09.731 PST: IP: route map VPN-Client, item 10, permit
001167: *Feb 18 17:34:09.731 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001168: *Feb 18 17:34:09.755 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001169: *Feb 18 17:34:09.755 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001170: *Feb 18 17:34:09.755 PST: IP: route map VPN-Client, item 10, permit
001171: *Feb 18 17:34:09.755 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001172: *Feb 18 17:34:09.759 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001173: *Feb 18 17:34:09.759 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001174: *Feb 18 17:34:09.759 PST: IP: route map VPN-Client, item 10, permit
001175: *Feb 18 17:34:09.759 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001176: *Feb 18 17:34:10.747 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001177: *Feb 18 17:34:10.747 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001178: *Feb 18 17:34:10.747 PST: IP: route map VPN-Client, item 10, permit
001179: *Feb 18 17:34:10.747 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001180: *Feb 18 17:34:10.751 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001181: *Feb 18 17:34:10.751 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001182: *Feb 18 17:34:10.751 PST: IP: route map VPN-Client, item 10, permit
001183: *Feb 18 17:34:10.751 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001184: *Feb 18 17:34:11.747 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.111.16.30, len 60, FIB policy match
001185: *Feb 18 17:34:11.747 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001186: *Feb 18 17:34:11.747 PST: IP: route map VPN-Client, item 10, permit
001187: *Feb 18 17:34:11.747 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001188: *Feb 18 17:34:12.767 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001189: *Feb 18 17:34:12.767 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001190: *Feb 18 17:34:12.767 PST: IP: route map VPN-Client, item 10, permit
001191: *Feb 18 17:34:12.767 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001192: *Feb 18 17:34:12.783 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001193: *Feb 18 17:34:12.783 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001194: *Feb 18 17:34:12.783 PST: IP: route map VPN-Client, item 10, permit
001195: *Feb 18 17:34:12.783 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
und all
03-05-2007 10:29 AM
Hi,
Try this :
interface FastEthernet4
no ip mroute-cache
exit
Now, turn on the debugs for :
debug ip packet detail 144
See if you get some more information.
-Kanishka
03-05-2007 10:29 AM
Also, check if you see any nat translation created.
sh ip nat translation
-Kanishka
03-05-2007 11:28 AM
Very little comes out now doing a ping to a DNS server and launching a browser...
001716: *Feb 18 19:34:17.722 PST: IP: tableid=0, s=192.168.5.7 (FastEthernet4), d=192.168.1.1 (Vlan1), routed via RIB
001717: *Feb 18 19:34:17.722 PST: IP: s=192.168.5.7 (FastEthernet4), d=192.168.1.1, len 41, rcvd 4
001718: *Feb 18 19:34:17.722 PST: TCP src=1136, dst=23, seq=2804798792, ack=1524246298, win=16075 ACK PSH
001719: *Feb 18 19:34:17.810 PST: IP: tableid=0, s=192.168.5.7 (FastEthernet4), d=192.168.1.1 (Vlan1), routed via RIB
001720: *Feb 18 19:34:17.810 PST: IP: s=192.168.5.7 (FastEthernet4), d=192.168.1.1, len 41, rcvd 4
001721: *Feb 18 19:34:17.810 PST: TCP src=1136, dst=23, seq=2804798793, ack=1524246299, win=16074 ACK PSH
001722: *Feb 18 19:34:17.998 PST: IP: tableid=0, s=192.168.5.7 (FastEthernet4), d=192.168.1.1 (Vlan1), routed via RIB
001723: *Feb 18 19:34:17.998 PST: IP: s=192.168.5.7 (FastEthernet4), d=192.168.1.1, len 42, rcvd 4
001724: *Feb 18 19:34:17.998 PST: TCP src=1136, dst=23, seq=2804798794, ack=1524246300, win=16073 ACK PSH
sho ip nat tr
Pro Inside global Inside local Outside local Outside global
udp PUBLIC:137 192.168.5.255:137 192.168.5.3:137 192.168.5.3:137
udp PUBLIC:137 192.168.5.255:137 192.168.5.4:137 192.168.5.4:137
udp PUBLIC:137 192.168.5.255:137 192.168.5.7:137 192.168.5.7:137
udp PUBLIC:138 192.168.5.255:138 192.168.5.3:138 192.168.5.3:138
udp PUBLIC:138 192.168.5.255:138 192.168.5.4:138 192.168.5.4:138
udp PUBLIC:138 192.168.5.255:138 192.168.5.7:138 192.168.5.7:138
sho access-lists 144
Extended IP access list 144
10 permit ip 192.168.5.0 0.0.0.255 any (15533 matches)
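As an added example (not posted in the thread), here is a small Python helper that parses the "sho access-lists" and "sho ip nat tr" output in the format shown above and answers the two questions being asked of it: which ACL entries never get hit, and whether any translation actually belongs to a pool client talking to a public address. The sample text is constructed from the posted output; the public address stays as the placeholder PUBLIC, and one extra internet-bound row is added so the check has something to find.

```python
"""Parse IOS 'show access-lists' / 'show ip nat translations' output and
summarise it. Added example; sample text below is constructed."""
import ipaddress
import re

# Constructed sample in the format of the posted output (PUBLIC = redacted IP).
ACL_SAMPLE = """\
Extended IP access list 100
10 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255 (3408 matches)
20 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
30 deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255 (512 matches)
40 permit ip 192.168.1.0 0.0.0.255 any (2750 matches)
50 permit ip 192.168.3.0 0.0.0.255 any
60 permit ip 192.168.5.0 0.0.0.255 any (4 matches)
Extended IP access list 144
10 permit ip 192.168.5.0 0.0.0.255 any (9524 matches)
"""

NAT_SAMPLE = """\
Pro Inside global Inside local Outside local Outside global
udp PUBLIC:137 192.168.5.255:137 192.168.5.3:137 192.168.5.3:137
udp PUBLIC:138 192.168.5.255:138 192.168.5.4:138 192.168.5.4:138
udp PUBLIC:1025 192.168.5.6:1025 68.111.16.30:53 68.111.16.30:53
"""

ACL_HEADER = re.compile(r"^Extended IP access list (\d+)$")
ACE_LINE = re.compile(r"^(\d+)\s+(permit|deny)\s+(.+?)(?:\s+\((\d+) matches\))?$")
NAT_ROW = re.compile(r"^(tcp|udp|icmp)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_acl_hits(text: str) -> dict:
    """Map (acl, sequence) -> (action, rule text, match count)."""
    hits, acl = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_HEADER.match(line)
        if m:
            acl = m.group(1)
            continue
        m = ACE_LINE.match(line)
        if m and acl is not None:
            seq, action, body, count = m.groups()
            hits[(acl, int(seq))] = (action, body, int(count or 0))
    return hits


def unhit_entries(hits: dict) -> list:
    """Entries with a zero counter: traffic you expected never reached them."""
    return sorted(key for key, (_, _, n) in hits.items() if n == 0)


def parse_nat(text: str) -> list:
    """One dict per translation row; the column header is skipped."""
    rows = []
    for raw in text.splitlines():
        m = NAT_ROW.match(raw.strip())
        if m:
            proto, ig, il, ol, og = m.groups()
            rows.append({"proto": proto, "inside_global": ig, "inside_local": il,
                         "outside_local": ol, "outside_global": og})
    return rows


def _host(addr_port: str) -> str:
    return addr_port.rsplit(":", 1)[0]


def internet_bound(rows: list, pool: str = "192.168.5.0/24") -> list:
    """Rows whose inside-local host is a pool client and whose outside-global
    address is public, i.e. real Internet traffic from the VPN pool.  The
    NetBIOS rows (inside local 192.168.5.255 to a private peer) are not."""
    net = ipaddress.ip_network(pool)
    out = []
    for r in rows:
        try:
            il = ipaddress.ip_address(_host(r["inside_local"]))
            og = ipaddress.ip_address(_host(r["outside_global"]))
        except ValueError:
            continue   # placeholder or malformed column
        if il in net and og.is_global:
            out.append(r)
    return out


if __name__ == "__main__":
    hits = parse_acl_hits(ACL_SAMPLE)
    print("never hit:", unhit_entries(hits))
    rows = parse_nat(NAT_SAMPLE)
    print(len(rows), "translations,", len(internet_bound(rows)), "pool->Internet")
```

Run against the real output, the interesting result is the one the thread already hints at: ACL 144 keeps counting, ACL 100 sequence 60 barely moves, and the translation table holds only NetBIOS broadcast noise rather than pool-to-Internet flows, so the packets are matched by the policy but never reach the NAT inside-to-outside path.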
03-06-2007 05:58 PM
kaachary,
Do you think backing down to an older code would help? Problem didn't start till I went to these new 12.4.11 and .9 codes.
03-07-2007 02:06 AM
Backing down to which code? I mean... on which code was it working?
-Kanishka
03-07-2007 08:59 AM
Yes, it was on 12.4.2 or .4 code. It was deferred, so that is how it got bumped to 12.4.11 and then back down to .9. Should I go back to a 12.4.2 or .4 version to see if that fixes it?
03-07-2007 09:04 AM
Hi Chris,
This doesn't seem to be a bug, and should work in the present code. I still doubt it, but try downgrading to see if that fixes it.
-Kanishka