Cisco 2611 Dynamic VPN

Unanswered Question

Hello,


I am trying to setup dynamic vpn on our cisco 2611 router but not able to get it working. I am able to connect and established the vpn tunnel but cannot access anything with in the LAN (not able to ping either). Here is the error. Thanks

*Mar 1 00:11:17.083: %SEC-6-IPACCESSLOGP: list outside denied udp 192.168.100.1

01(137) -> 192.168.0.20(137), 1 packet

*Mar 1 00:11:24.775: %SEC-6-IPACCESSLOGDP: list outside denied icmp 192.168.100

.101 -> 192.168.0.1 (8/0), 1 packet

cisco#ping 192.168.100.101


Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.100.101, timeout is 2 seconds:


*Mar 1 00:11:47.115: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC p

acket.

(ip) vrf/dest_addr= /1.1.1.1, src_addr= 192.168.100.101, prot= 1.

...



Attachment: 
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
Loading.
ajagadee Thu, 01/24/2008 - 11:23

I see you have a route-map configured to bypass NAT but it is no applied anywhere. Remove the existing ip nat inside command and replace with one that has the route-map in it. For example:


"ip nat inside source route-map nonat interface fastEthernet FastEthernet0/0 overload"


After you do this, disconnect the VPN Clietn, do a "clear ip nat translations *", log back in and see if you can ping the LAN Addresses.


Regards,

Arul


** Please rate helfpul posts **

ajagadee Thu, 01/24/2008 - 13:14

Well, for your traffic from the LAN to go back to the VPN Client pool of IP Addresses, you need to bypass NAT.


So, you need to remove the existing "ip nat ..." configuration and configure the one that I had posted in my previous post.


That statement will make sure that NAT is bypassed only for VPN Client and all other traffic will get NATTed. Give it a shot and let me know how it goes.


Regards,

Arul


** Please rate all helpful posts **

Arul,


I did it but still no luck. Here is the error. *Mar 1 00:27:19.047: %SEC-6-IPACCESSLOGP: list outside denied udp 192.168.100.1

03(1643) -> 192.168.0.20(53), 1 packet

*Mar 1 00:27:22.635: %SEC-6-IPACCESSLOGP: list outside denied udp 192.168.100.1

03(1174) -> 192.168.0.20(53), 1 packet

Cisco#

*Mar 1 00:28:04.787: %SEC-6-IPACCESSLOGDP: list outside denied icmp 192.168.100

.102 -> 192.168.0.20 (8/0), 14 packets

ajagadee Thu, 01/24/2008 - 19:28

Interesting. Can you add this statement to your extended access-list and let me know if it works. Make sure the statement is before your Deny any any statement.


permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255


Regards,

Arul


** Please rate helpful posts **

Arul,


That acl allow me to ping successfully but still can't access anything inside the LAN. Also the public interface respond not the inside interface.

C:\ping 192.168.0.1


Pinging 192.168.0.1 with 32 bytes of data:


Reply from 1.1.1.1: bytes=32 time=804ms TTL=255

Reply from 1.1.1.1: bytes=32 time=402ms TTL=255

Reply from 1.1.1.1: bytes=32 time=583ms TTL=255

Reply from 1.1.1.1: bytes=32 time=303ms TTL=255

ajagadee Thu, 01/24/2008 - 20:24

Can you post your current configuration from the router. Also, did you do a "clear ip nat translations" and test the VPN Client.


Once you are VPNed into the router, can you post the outputs of "show cry is sa" and "show cry ips sa" when you try to access something on the LAN.


Regards,

Arul


** Please rate helpful posts **

interface: FastEthernet0/0

Crypto map tag: avi, local addr. 1.1.1.1


protected vrf:

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.100.102/255.255.255.255/0/0)

current_peer: 74.95.200.9:1152

PERMIT, flags={}

#pkts encaps: 71, #pkts encrypt: 71, #pkts digest 71

#pkts decaps: 184, #pkts decrypt: 184, #pkts verify 184

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0


local crypto endpt.: 1.1.1.1, remote crypto endpt.: 74.95.200.9

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0

current outbound spi: BFF48B33


inbound esp sas:

spi: 0x6AF3BD49(1794358601)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 2000, flow_id: 1, crypto map: avi

sa timing: remaining key lifetime (k/sec): (4518802/3533)

IV size: 8 bytes

replay detection support: Y


inbound ah sas:


inbound pcp sas:


outbound esp sas:

spi: 0xBFF48B33(3220474675)

transform: esp-3des esp-md5-hmac ,

in use settings ={Tunnel UDP-Encaps, }

slot: 0, conn id: 2001, flow_id: 2, crypto map: avi

sa timing: remaining key lifetime (k/sec): (4518818/3532)

IV size: 8 bytes

replay detection support: Y


outbound ah sas:


outbound pcp sas:




Attachment: 
ajagadee Thu, 01/24/2008 - 21:16

Ok, I still dont see this line configured as per Previous e mail.


permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255


The reason I ask you to do this is very simple, I dont remember the exact version, but IOS used to behave in such a way that after the packets are decrypted on the router, if there are any ACL applied inbound, the traffic will be inspected against the ACL. Since, you are not allowing permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255 explicitly on the ACL, traffic could be very well decrypted and denied by the ACL.


Regards,

Arul


** Please rate helpful posts **

ajagadee Thu, 01/24/2008 - 21:30

Great! :-))


Since we enable 192.168.100.0 to 192.168.0.0 is this secure? Well, in my world, I would consider it less secure but I have seen people argue both ways. So, if you think this is not secure in your environment, I would upgrade the chassis to a 12.4 Mainline code and then there should be no need to configure this ACL. I know the bug was fixed in some 12.3T Train but not sure which one. 12.4 should address this behavior.


Also, if you dont mind, can you let the forum know that the response resolve the issue, so it is beneficial for others when they run into similar issues. Thanks!


Regards,

Arul


** Please rate all helpful posts **

Actions

This Discussion