Router and VPN Client for Public Internet on a Stick...

chris.harwell
Level 1

I thought I had this working at one point but the config seems to have been hosed. I've looked at this so much I've confused myself. Can someone please tell me where I've gone wrong to get my VPN pool 192.168.5.x traffic back out to the internet? Sanity begs...

!
interface Loopback0
 ip address 192.168.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description
 ip address X.X.X.X X.X.X.X
 ip nat outside
 ip virtual-reassembly
 ip policy route-map VPN-Client
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_2
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPNPOOL 192.168.5.1 192.168.5.254
ip route 0.0.0.0 0.0.0.0 X.X.X.X permanent
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
!
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.3.0 0.0.0.255 any
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
access-list 144 permit ip 192.168.5.0 0.0.0.255 any
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!

14 Replies

Kamal Malhotra
Cisco Employee

Hi Chris,

The config looks good. Probably you need to capture the traffic and trace it as to where it is going and that could give us more information. As per the config, everything should be fine.

Regards,

Kamal

Kamal,

Thanks for the check. The only thing I did as far as changes is upgrade from a deferred 11.4.4 code to 11.4.10...which I then backed out to 10.4.9.T2. I do notice a couple of things. Lots of hit counts on the deny .1 to .5 network but none on the .5 to any for internet traffic. I've done extended pings from .3 to the internet and get hits and NAT translations. It seems like the missing link is the policy of forwarding traffic from .5 to the loopback .3 network. It seems the VPN traffic is trying to just go out the .1 network, bypassing the policy. Any bugs?

Thanks again.

Correction... I went from deferred 12.4.2 code to 12.4.11T1 and then back down to 12.4.9T2. This is on a 851 BTW.

kaachary
Cisco Employee

Hi Chris,

Starting from version 12.3T, the option "set interface" under route-map was enhanced such that, if the interface is not a P2P interface, the PBR will not drop the packet, but the packet will not be checked against the policy and will be forwarded normally.

With newer codes, that is why it is suggested to use "set ip next-hop" instead of "set interface".

Try this:

route-map VPN-Client permit 10
 match ip address 144
 no set interface loopback0
 set ip next-hop 192.168.3.2
exit

*Please rate if helped.

-Kanishka
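As an added example (not from the thread or from Cisco), a small Python checker for the pitfall kaachary describes: it finds route-map clauses whose "set interface" names a non-point-to-point interface such as a loopback, and can rewrite them to the "set ip next-hop" form. The config excerpt is constructed from the original post, the next-hop address is the one kaachary suggested, and the checker assumes standard single-space IOS indentation.

```python
import re

# Constructed excerpt of the config posted in the thread (not the full config).
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip policy route-map VPN-Client
!
route-map VPN-Client permit 10
 match ip address 144
 set interface Loopback0
!
"""

# Non-point-to-point interface types. Per the thread, on 12.3T and later "set interface"
# towards one of these no longer forces the packet out that interface; it is forwarded
# normally instead, which matches the symptom Chris reports.
NON_P2P = ("loopback", "fastethernet", "gigabitethernet", "ethernet", "vlan")

def parse_sections(text):
    """Map each top-level IOS config line to its indented sub-commands."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            current = None                      # "!" or blank ends a section
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = line.strip()
            sections.setdefault(current, [])
    return sections

def pbr_findings(text):
    """(route-map clause, interface) for each 'set interface' naming a non-P2P interface."""
    findings = []
    for header, body in parse_sections(text).items():
        if header.startswith("route-map "):
            for sub in body:
                m = re.match(r"set interface (\S+)$", sub)
                if m and m.group(1).lower().startswith(NON_P2P):
                    findings.append((header, m.group(1)))
    return findings

def use_next_hop(text, next_hop):
    """Rewrite flagged clauses to 'set ip next-hop <addr>' (caller supplies the hop)."""
    return re.sub(r"^ set interface (\S+)$",
                  lambda m: f" set ip next-hop {next_hop}"
                  if m.group(1).lower().startswith(NON_P2P) else m.group(0),
                  text, flags=re.M)
```

Run pbr_findings over a saved "show running-config" to list every PBR clause that will silently fall back to normal forwarding on current code; a clause pointing at a Serial or other point-to-point interface is not flagged.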

Kanishka,

Those changes didn't work. Ugh! What's a clean way to do a debug trace without killing the router? NAT is doing something weird too.

sho access-lists 144
Extended IP access list 144
    10 permit ip 192.168.5.0 0.0.0.255 any (9500 matches)

sho access-lists 100
Extended IP access list 100
    10 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255 (3408 matches)
    20 deny ip 192.168.1.0 0.0.0.255 192.168.6.0 0.0.0.255
    30 deny ip 192.168.1.0 0.0.0.255 192.168.7.0 0.0.0.255 (512 matches)
    40 permit ip 192.168.1.0 0.0.0.255 any (2750 matches)
    50 permit ip 192.168.3.0 0.0.0.255 any
    60 permit ip 192.168.5.0 0.0.0.255 any (4 matches)

sho access-lists 144
Extended IP access list 144
    10 permit ip 192.168.5.0 0.0.0.255 any (9524 matches)

sho ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
udp public***          192.168.5.255:137  192.168.5.3:137    192.168.5.3:137
udp public***          192.168.5.255:137  192.168.5.4:137    192.168.5.4:137
udp public***          192.168.5.255:138  192.168.5.3:138    192.168.5.3:138
udp public***          192.168.5.255:138  192.168.5.4:138    192.168.5.4:138

Please turn on the debugs for:

debug ip policy 144
debug ip packet detail 144

Send me the output.

-Kanishka

Appreciate this help!

Trying to ping the outside DNS servers:

001154: *Feb 18 17:33:57.339 PST: IP: route map VPN-Client, item 10, permit
001155: *Feb 18 17:33:57.339 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001156: *Feb 18 17:34:00.747 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.111.16.30, len 60, FIB policy match
001157: *Feb 18 17:34:00.747 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001158: *Feb 18 17:34:00.747 PST: IP: route map VPN-Client, item 10, permit
001159: *Feb 18 17:34:00.747 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001160: *Feb 18 17:34:06.247 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.111.16.30, len 60, FIB policy match
001161: *Feb 18 17:34:06.247 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001162: *Feb 18 17:34:06.247 PST: IP: route map VPN-Client, item 10, permit
001163: *Feb 18 17:34:06.247 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001164: *Feb 18 17:34:09.731 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.111.16.30, len 68, FIB policy match
001165: *Feb 18 17:34:09.731 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001166: *Feb 18 17:34:09.731 PST: IP: route map VPN-Client, item 10, permit
001167: *Feb 18 17:34:09.731 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001168: *Feb 18 17:34:09.755 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001169: *Feb 18 17:34:09.755 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001170: *Feb 18 17:34:09.755 PST: IP: route map VPN-Client, item 10, permit
001171: *Feb 18 17:34:09.755 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001172: *Feb 18 17:34:09.759 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001173: *Feb 18 17:34:09.759 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001174: *Feb 18 17:34:09.759 PST: IP: route map VPN-Client, item 10, permit
001175: *Feb 18 17:34:09.759 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001176: *Feb 18 17:34:10.747 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001177: *Feb 18 17:34:10.747 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001178: *Feb 18 17:34:10.747 PST: IP: route map VPN-Client, item 10, permit
001179: *Feb 18 17:34:10.747 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001180: *Feb 18 17:34:10.751 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001181: *Feb 18 17:34:10.751 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001182: *Feb 18 17:34:10.751 PST: IP: route map VPN-Client, item 10, permit
001183: *Feb 18 17:34:10.751 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001184: *Feb 18 17:34:11.747 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.111.16.30, len 60, FIB policy match
001185: *Feb 18 17:34:11.747 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001186: *Feb 18 17:34:11.747 PST: IP: route map VPN-Client, item 10, permit
001187: *Feb 18 17:34:11.747 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001188: *Feb 18 17:34:12.767 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001189: *Feb 18 17:34:12.767 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001190: *Feb 18 17:34:12.767 PST: IP: route map VPN-Client, item 10, permit
001191: *Feb 18 17:34:12.767 PST: IP: FastEthernet4 to Loopback0 192.168.3.1
001192: *Feb 18 17:34:12.783 PST: IP: s=192.168.5.6 (FastEthernet4), d=68.4.16.30, len 68, FIB policy match
001193: *Feb 18 17:34:12.783 PST: CEF-IP-POLICY: fib for address 192.168.3.1 is with flag 2
001194: *Feb 18 17:34:12.783 PST: IP: route map VPN-Client, item 10, permit
001195: *Feb 18 17:34:12.783 PST: IP: FastEthernet4 to Loopback0 192.168.3.1

und all

kaachary
Cisco Employee

Hi,

Try this:

interface FastEthernet4
 no ip mroute-cache
exit

Now, turn on the debugs for:

debug ip packet detail 144

See if you get some more information.

-Kanishka

Also, check if you see any nat translation created.

sh ip nat translation

-Kanishka

Very little comes out now doing a ping to a DNS server and launching a browser...

001716: *Feb 18 19:34:17.722 PST: IP: tableid=0, s=192.168.5.7 (FastEthernet4), d=192.168.1.1 (Vlan1), routed via RIB
001717: *Feb 18 19:34:17.722 PST: IP: s=192.168.5.7 (FastEthernet4), d=192.168.1.1, len 41, rcvd 4
001718: *Feb 18 19:34:17.722 PST: TCP src=1136, dst=23, seq=2804798792, ack=1524246298, win=16075 ACK PSH
001719: *Feb 18 19:34:17.810 PST: IP: tableid=0, s=192.168.5.7 (FastEthernet4), d=192.168.1.1 (Vlan1), routed via RIB
001720: *Feb 18 19:34:17.810 PST: IP: s=192.168.5.7 (FastEthernet4), d=192.168.1.1, len 41, rcvd 4
001721: *Feb 18 19:34:17.810 PST: TCP src=1136, dst=23, seq=2804798793, ack=1524246299, win=16074 ACK PSH
001722: *Feb 18 19:34:17.998 PST: IP: tableid=0, s=192.168.5.7 (FastEthernet4), d=192.168.1.1 (Vlan1), routed via RIB
001723: *Feb 18 19:34:17.998 PST: IP: s=192.168.5.7 (FastEthernet4), d=192.168.1.1, len 42, rcvd 4
001724: *Feb 18 19:34:17.998 PST: TCP src=1136, dst=23, seq=2804798794, ack=1524246300, win=16073 ACK PSH

sho ip nat tr
Pro Inside global      Inside local       Outside local      Outside global
udp PUBLIC:137         192.168.5.255:137  192.168.5.3:137    192.168.5.3:137
udp PUBLIC:137         192.168.5.255:137  192.168.5.4:137    192.168.5.4:137
udp PUBLIC:137         192.168.5.255:137  192.168.5.7:137    192.168.5.7:137
udp PUBLIC:138         192.168.5.255:138  192.168.5.3:138    192.168.5.3:138
udp PUBLIC:138         192.168.5.255:138  192.168.5.4:138    192.168.5.4:138
udp PUBLIC:138         192.168.5.255:138  192.168.5.7:138    192.168.5.7:138

sho access-lists 144
Extended IP access list 144
    10 permit ip 192.168.5.0 0.0.0.255 any (15533 matches)

kaachary,

Do you think backing down to an older code would help? Problem didn't start till I went to these new 12.4.11 and .9 codes.

Backing down to which code? I mean, on which code was it working?

-Kanishka

Yes. It was on 12.4.2 or .4 code. It was deferred, so that is how it got bumped to 12.4.11 and then back down to .9. Should I go back to a 12.4.2 or .4 version to see if that fixes it?

Hi Chris,

This doesn't seem to be a bug, and should work in the present code. I still doubt it, but try downgrading to see if that fixes it.

-Kanishka
