Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4266
Views
0
Helpful
4
Replies

Cisco 871w VPN access with Cisco VPN client

tanzeus129
Level 1
Level 1

‎02-01-2010 08:33 PM

I am trying to configure a Cisco 871W router to terminate connections from a Cisco VPN client.

I can successfully connect to the VPN Router using the Cisco VPN client version 4.8.02.10.

However ....I can't access ANY resources on the network.

I tried ping, traceroute and remote desktop... nothing

Have I messed up some ACL or is this a routing issue?

Is it a NAT issue?

Here is my config.......

Thanks in advance....

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dr0ff
!
boot-start-marker
boot-end-marker
!
enable secret 5 *********
enable password 7 *********
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remoteusers local
aaa authorization exec default local
aaa authorization network remotegroup local
!
!
aaa session-id common
!
crypto pki trustpoint T*********
enrollment selfsigned
subject-name *********
revocation-check none
rsakeypair *********
!
!
crypto pki certificate chain*********
certificate self-signed *********
dot11 syslog
!
dot11 ssid office
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode mbssid guest-mode
   wpa-psk ascii 7 *********

dot11 ssid office guest-mode
   authentication open
   wpa-psk ascii 7 *********
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.0.116 192.168.0.254
!
ip dhcp pool Internal-net
   import all
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.1
   dns-server 1.2.3.4
   domain-name dr.off
   lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name dr.off
ip name-server 1.2.3.4

!
!
!
!
username batman privilege 15 password 7 *********
username robin privilege 15 password 7*********
username joker privilege 4 secret 5 *********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group remotegroup
key *********
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 45
!
!
ssid office
!
ssid office guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 deny   icmp any any fragments
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 110 deny   ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 *********
no modem enable
line aux 0
line vty 0 4
password 7 *********
!
scheduler max-task-time 5000
end

Labels:
0 Helpful
4 Replies 4

pudawat
Level 1
Level 1

‎02-02-2010 04:18 PM

HI Tan,

Just replace the line

ip nat inside source list 1 interface FastEthernet4 overload

with

ip nat inside route-map nonat interface FastEthernet4 overload

'
Thanks,
Pradhuman
0 Helpful

tanzeus129
Level 1
Level 1
In response to pudawat

‎02-02-2010 10:28 PM

I tried that command and received an error message

then I entered this command

ip nat inside source route-map nonat interface FastEthernet4 overload

there was no error but I can't access any resources on the LAN.

I can't even ping my default gateway.                192.168.25.2


Ethernet adapter Local Area Connection 8:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Cisco Systems VPN Adapter
        Physical Address. . . . . . . . . xxxxxxxxxxx
        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.25.1
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.25.2

I can however ping the Public Internet address that I receive by DHCP from my ISP.

Can it be an ACL blocking all the traffic?

0 Helpful

tanzeus129
Level 1
Level 1
In response to tanzeus129

‎02-05-2010 08:29 AM

Ok

Got this to work.

I am replying in the thread so hopefully it will help someone else in the future.

Thanks to everyone that contributed.

After pudawat replied to add the parameter

ip nat inside route-map nonat interface FastEthernet4 overload

I found that I needed to add "source"

ip nat inside source route-map nonat interface FastEthernet4 overload

Then I enabled the logging on the VPN client and found

“AddRoute failed to add a route. code 87"

I then found the following:

http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_24164731.html

I upgraded my VPN client to 5.0.06.0160

Connected immediately.

Thanks again to all....

here is the final working config:

------------------------------------------

version 12.4
no service pad
service timestamps debug datetime  msec
service timestamps log datetime msec
service  password-encryption
!
hostname dr0ff
!
boot-start-marker
boot-end-marker
!
enable  secret 5 *********
enable password 7 *********
!
aaa new-model
!
!
aaa  authentication login default local
aaa authentication login  remoteusers local
aaa authorization exec default local
aaa  authorization network remotegroup local
!
!
aaa session-id  common
!
crypto pki trustpoint T*********
enrollment  selfsigned
subject-name *********
revocation-check none
rsakeypair *********
!
!
crypto pki certificate chain*********
certificate self-signed *********
dot11 syslog
!
dot11 ssid  office
   vlan 1
   authentication open
   authentication  key-management wpa
   guest-mode mbssid guest-mode
   wpa-psk  ascii 7 *********

dot11 ssid office guest-mode
   authentication open
    wpa-psk ascii 7 *********
!
ip cef
no ip dhcp use vrf  connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip  dhcp excluded-address 192.168.0.116 192.168.0.254
!
ip dhcp pool  Internal-net
   import all
   network 192.168.0.0 255.255.255.0
    default-router 192.168.0.1
   dns-server 1.2.3.4
   domain-name  dr.off
   lease 4
!
!
ip inspect name MYFW tcp
ip inspect  name MYFW udp
no ip domain lookup
ip domain name dr.off
ip  name-server 1.2.3.4

!
!
!
!
username batman privilege 15 password 7  *********
username robin privilege 15 password 7*********
username  joker privilege 4 secret 5 *********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp  client configuration address-pool local dynpool
!
crypto isakmp  client configuration group remotegroup
key *********
pool  dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des  esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set  transform-1
reverse-route
!
!
crypto map dynmap client  authentication list remoteusers
crypto map dynmap isakmp  authorization list remotegroup
crypto map dynmap client configuration  address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
log config
  hidekeys
!
!
!
bridge irb
!
!
interface  FastEthernet0
spanning-tree portfast
!
interface  FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address  dhcp
ip access-group 101 in
ip inspect MYFW out
ip nat  outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex  auto
speed auto
no cdp enable
crypto map dynmap
!
interface  Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1  change 45
!
!
ssid office
!
ssid office guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0  24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp  enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1  unicast-flooding
!
interface Vlan1
description Internal  Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface  BVI1
description Bridge to Internal Network
ip address  192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip  local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip  route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http  secure-server
ip nat inside source route-map nonat interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit  udp any eq bootps any eq bootpc
permit icmp any any echo
permit  icmp any any echo-reply
permit icmp any any traceroute
permit  gre any any
permit esp any any
!
access-list 1 permit  192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0  0.0.0.255 any
access-list 101 deny   tcp any any eq telnet
access-list  101 permit tcp any any established
access-list 101 deny   tcp any  any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list  101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp  any any eq netbios-ss log
access-list 101 deny   icmp any any  fragments
access-list 101 permit icmp any any echo
access-list 101  permit icmp any any echo-reply
access-list 101 permit icmp any any  packet-too-big
access-list 101 permit icmp any any source-quench
access-list  101 permit icmp any any time-exceeded
access-list 101 deny   icmp  any any log
access-list 101 remark ** Permit all other traffic **
access-list  101 permit tcp any any
access-list 101 permit udp any any
access-list  110 deny   ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list  110 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat  permit 10
match ip address 110
!
!
control-plane
!
bridge  1 route ip
!
line con 0
password 7 *********
no modem  enable
line aux 0
line vty 0 4
password 7 *********
!
scheduler  max-task-time 5000
end

0 Helpful

pudawat
Level 1
Level 1
In response to tanzeus129

‎02-05-2010 09:46 AM

HI Tan,

I missed the command to add "source" in it.

The essence is to NAT-EXEMPT the traffic from the LAN network to the VPN local pool

Cheers!

Thanks,

Pradhuman

0 Helpful
Customers Also Viewed These Support Documents