01-24-2008 10:34 AM - edited 02-21-2020 03:30 PM
Hello,
I am trying to set up dynamic VPN on our Cisco 2611 router but am not able to get it working. I am able to connect and establish the VPN tunnel but cannot access anything within the LAN (not able to ping either). Here is the error. Thanks
*Mar 1 00:11:17.083: %SEC-6-IPACCESSLOGP: list outside denied udp 192.168.100.101(137) -> 192.168.0.20(137), 1 packet
*Mar 1 00:11:24.775: %SEC-6-IPACCESSLOGDP: list outside denied icmp 192.168.100.101 -> 192.168.0.1 (8/0), 1 packet
cisco#ping 192.168.100.101
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.101, timeout is 2 seconds:
*Mar 1 00:11:47.115: %CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet.
(ip) vrf/dest_addr= /1.1.1.1, src_addr= 192.168.100.101, prot= 1.
...
01-24-2008 11:23 AM
I see you have a route-map configured to bypass NAT but it is not applied anywhere. Remove the existing ip nat inside command and replace it with one that has the route-map in it. For example:
"ip nat inside source route-map nonat interface FastEthernet0/0 overload"
After you do this, disconnect the VPN Client, do a "clear ip nat translations *", log back in and see if you can ping the LAN addresses.
Regards,
Arul
** Please rate helpful posts **
01-24-2008 11:47 AM
Arul,
You mean remove
ip nat inside source list 1 interface FastEthernet0/0 overload? I thought this line is for Internet NAT (192.168.0.0). Thanks
01-24-2008 01:14 PM
Well, for your traffic from the LAN to go back to the VPN Client pool of IP Addresses, you need to bypass NAT.
So, you need to remove the existing "ip nat ..." configuration and configure the one that I posted in my previous post.
That statement will make sure that NAT is bypassed only for VPN Client and all other traffic will get NATTed. Give it a shot and let me know how it goes.
Regards,
Arul
** Please rate all helpful posts **
01-24-2008 05:08 PM
Arul,
I did it but still no luck. Here is the error.
*Mar 1 00:27:19.047: %SEC-6-IPACCESSLOGP: list outside denied udp 192.168.100.103(1643) -> 192.168.0.20(53), 1 packet
*Mar 1 00:27:22.635: %SEC-6-IPACCESSLOGP: list outside denied udp 192.168.100.103(1174) -> 192.168.0.20(53), 1 packet
Cisco#
*Mar 1 00:28:04.787: %SEC-6-IPACCESSLOGDP: list outside denied icmp 192.168.100.102 -> 192.168.0.20 (8/0), 14 packets
01-24-2008 07:28 PM
Interesting. Can you add this statement to your extended access-list and let me know if it works? Make sure the statement is before your "deny any any" statement.
permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
Regards,
Arul
** Please rate helpful posts **
01-24-2008 08:08 PM
Arul,
That ACL allows me to ping successfully but I still can't access anything inside the LAN. Also, the public interface responds, not the inside interface.
C:\ping 192.168.0.1
Pinging 192.168.0.1 with 32 bytes of data:
Reply from 1.1.1.1: bytes=32 time=804ms TTL=255
Reply from 1.1.1.1: bytes=32 time=402ms TTL=255
Reply from 1.1.1.1: bytes=32 time=583ms TTL=255
Reply from 1.1.1.1: bytes=32 time=303ms TTL=255
01-24-2008 08:24 PM
Can you post your current configuration from the router? Also, did you do a "clear ip nat translations" and test the VPN Client?
Once you are VPNed into the router, can you post the outputs of "show cry is sa" and "show cry ips sa" when you try to access something on the LAN?
Regards,
Arul
** Please rate helpful posts **
01-24-2008 09:06 PM
interface: FastEthernet0/0
Crypto map tag: avi, local addr. 1.1.1.1
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.102/255.255.255.255/0/0)
current_peer: 74.95.200.9:1152
PERMIT, flags={}
#pkts encaps: 71, #pkts encrypt: 71, #pkts digest 71
#pkts decaps: 184, #pkts decrypt: 184, #pkts verify 184
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.1.1.1, remote crypto endpt.: 74.95.200.9
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: BFF48B33
inbound esp sas:
spi: 0x6AF3BD49(1794358601)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: avi
sa timing: remaining key lifetime (k/sec): (4518802/3533)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBFF48B33(3220474675)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: avi
sa timing: remaining key lifetime (k/sec): (4518818/3532)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
01-24-2008 09:16 PM
Ok, I still don't see this line configured as per my previous e-mail.
permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
The reason I asked you to do this is very simple. I don't remember the exact version, but IOS used to behave in such a way that after the packets are decrypted on the router, if there is any ACL applied inbound, the traffic will be inspected against the ACL. Since you are not explicitly allowing "permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255" on the ACL, the traffic could very well be decrypted and then denied by the ACL.
Regards,
Arul
** Please rate helpful posts **
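Arul's two fixes (NAT bypass for the VPN pool, and an explicit permit for decrypted pool-to-LAN traffic on the inbound ACL) put together as one configuration. This is an added example, not the configuration posted in the thread: the subnets 192.168.0.0/24 and 192.168.100.0/24, the route-map name nonat, the ACL name outside, the crypto map avi, FastEthernet0/0 as the outside interface and the permit statement all come from the posts above; the ACL number 110, the LAN interface name FastEthernet0/1, the interface masks and the ISAKMP/NAT-T/ESP permit lines are assumptions made to give a complete, loadable snippet.

```cisco
! Added example, not the thread's configuration. Lines marked "assumed"
! are not in the thread.

! Step 1: NAT bypass. ACL 110 (number assumed) is the route-map's match list:
! "deny" here means "do not translate", "permit" means "translate".
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 110
!
! Before (original config quoted in the thread): everything matching ACL 1 is
! translated, including replies to VPN clients, which then never return via
! the tunnel:
!   ip nat inside source list 1 interface FastEthernet0/0 overload
! After (Arul's fix): the route-map decides what gets translated.
no ip nat inside source list 1 interface FastEthernet0/0 overload
ip nat inside source route-map nonat interface FastEthernet0/0 overload
!
! Step 2: inbound ACL on the outside interface. On the IOS releases Arul
! describes, decrypted client traffic is checked against this ACL again, so
! the pool -> LAN permit must sit before the final deny. The three IKE/IPsec
! permits are assumed: UDP 500 (ISAKMP), UDP 4500 (NAT-T, matching the
! "UDP-Encaps" seen in the SA output) and ESP.
ip access-list extended outside
 permit udp any host 1.1.1.1 eq isakmp
 permit udp any host 1.1.1.1 eq non500-isakmp
 permit esp any host 1.1.1.1
 permit ip 192.168.100.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip any any log
!
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0      ! mask assumed
 ip access-group outside in
 ip nat outside
 crypto map avi
!
interface FastEthernet0/1               ! LAN interface name assumed
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
```

After applying it, clear the NAT table ("clear ip nat translations *") and reconnect the client, as Arul says, so stale translations for the pool are not reused. Two checks from the outputs already in the thread confirm which stage is dropping traffic: "list outside denied" log lines whose source is a pool address show the packets were decrypted and then rejected by the ACL, and in "show crypto ipsec sa" a decaps counter far ahead of the encaps counter (184 versus 71 above) shows the router is receiving and decrypting client packets but sending very few replies back through the tunnel. The added permit is deliberately narrow (pool to LAN only, not "any"), which keeps the exposure to exactly the flows the VPN is meant to carry.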
01-24-2008 09:25 PM
It worked! I remember I did add it, but it still didn't work, which is why I removed it. Since we enable 192.168.100.0 to 192.168.0.0, is this secure? Thanks
01-24-2008 09:30 PM
Great! :-))
Since we enable 192.168.100.0 to 192.168.0.0, is this secure? Well, in my world, I would consider it less secure, but I have seen people argue both ways. So, if you think this is not secure in your environment, I would upgrade the chassis to a 12.4 Mainline code and then there should be no need to configure this ACL. I know the bug was fixed in some 12.3T train but not sure which one. 12.4 should address this behavior.
Also, if you don't mind, can you let the forum know that the response resolved the issue, so it is beneficial for others when they run into similar issues. Thanks!
Regards,
Arul
** Please rate all helpful posts **
01-25-2008 08:31 AM
Hello, for some reason I can't ping from the router to the VPN IP pool when the client is connected, e.g. 192.168.100.100. The firewall on Windows has been turned off but I still can't ping. Thanks