07-29-2010 12:53 PM
Hi there,
I would appreciate it if someone could help me solve this problem: I'm trying to configure a VPN with split tunneling to access a servers' LAN. I've just configured the VPN server on a router running IOS and I'm trying to connect with the Cisco VPN Client.
I can connect to the router VPN without problems (ping is working) but I'm not able to reach the server behind it.
The topology is:
                         _______________
------192.168.235.0/26---|               |---- 192.168.2.150/30----
----LAN SERVER-----------|    ROUTER     |------WAN
------ 192.168.9.65/26---|_______________|---- 192.168.9.1/26-------
    (secondary address)                       (secondary address)
I can reach the router's IPs after setting up the VPN without problems.
The configuration of the interfaces and the NAT is:
interface GigabitEthernet0/0
description LAN
ip address 192.168.235.1 255.255.255.192 secondary
ip address 192.168.9.65 255.255.255.192
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
!
!
interface GigabitEthernet0/1
description WAN sw01.mad2 Fa9/42
ip address 192.168.9.1 255.255.255.192 secondary
ip address 192.168.2.150 255.255.255.252
ip access-group 110 in
no ip redirects
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex full
speed 100
no cdp enable
crypto map dynmap
ip nat inside source static 192.168.235.2 192.168.9.2
ip nat inside source static 192.168.235.3 192.168.9.3
ip nat inside source static 192.168.235.4 192.168.9.4
.....
ip nat inside source static 192.168.235.61 192.168.9.61
ip nat inside source static 192.168.235.62 192.168.9.62
ip route 0.0.0.0 0.0.0.0 192.168.2.149
And the configuration for the VPN is (I can connect to the router without problems, so I think the problem is in the NAT part):
aaa authentication login vpn-login local
aaa authorization network g-groupname local
!
username user password user1.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
crypto isakmp xauth timeout 60
crypto isakmp client configuration group g-groupname
key xxxxxxxx
dns x.x.x.x
pool dynpool
acl 150
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list vpn-login
crypto map dynmap isakmp authorization list g-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
ip local pool dynpool 192.168.235.128 192.168.235.132
!
access-list 150 remark VPN
access-list 150 permit ip 192.168.235.0 0.0.0.255 any
access-list 150 permit ip 192.168.9.0 0.0.0.127 any
access-list 150 permit ip 192.168.2.150 0.0.0.3 any
As I've just said, I think the problem could be in the NAT, but I don't know where...
I would appreciate any help.
Thanks in advance,
07-29-2010 01:19 PM
Is the "LAN SERVER" a different address range than either of the two that you have on your inside interface?
"Split tunneling" would mean you want to reach only certain networks through the VPN, but allow
the client to reach the rest of the Internet unencrypted. It is just a modification of a basic setup.
It looks like the basic setup is where the problem lies:
Your pool is handing out addresses which are not inside the inside interface range. Normally
you would give out addresses on 192.168.236.0/26 to your VPN clients (or the secondary block)
and allow proxy arp to help layer 2 devices find them.
Your addresses are in 192.168.236.128/26(+). This would require a router to have a block route
to the VPN's inside interface, or to do dynamic route injection into a protocol. Also you'll
need routes on the VPN to the "LAN SERVER block" not just a default route, and depending on the
platform you may need access-lists to punch holes through default security.
Unless the VPN is also the default router (???), in which case routing should be OK as long as you
are sure the traffic to 192.168.236.128/26(+) is not being routed to NULL0 somewhere; then I would
look at access lists first.
07-30-2010 04:34 AM
Hello,
I've changed the configuration. Now, VPN users receive an IP from the interface range:
ip local pool dynpool 192.168.235.61 192.168.235.62
And I deleted these two entries in the NAT configuration:
no ip nat inside source static 192.168.235.62 213.190.9.62
no ip nat inside source static 192.168.235.61 213.190.9.61
Also, I've modified the list of networks allowed to use the VPN split tunneling to:
access-list 150 remark VPN
access-list 150 permit ip 192.168.235.0 0.0.0.63 any
But it doesn't work...
The routes are:
#sh ip route 192.168.235.62
Routing entry for 192.168.235.62/32
Known via "static", distance 1, metric 0
Routing Descriptor Blocks:
* x.x.x.x, via GigabitEthernet0/1
Route metric is 0, traffic share count is 1
It looks OK to me...
I believe that the problem is the NAT configuration; maybe I should make an exception in this translation:
ip nat inside source static 192.168.235.2 213.190.9.2
ip nat inside source static 192.168.235.3 213.190.9.3
..
What do you think?
Regarding your question, I apologize, but I don't understand what you mean:
"Is the "LAN SERVER" a different address range than either of the two that you have on your inside interface?"
Many thanks,
The message was edited by: Ramon_Pelaez
08-04-2010 11:31 AM
Hi,
After the changes I made before, I realized that the ACL with the list of networks allowed to use the VPN split tunneling was OK, so I've deleted my changes and finally the ACL is:
access-list 150 remark VPN
access-list 150 permit ip 192.168.235.0 0.0.0.255 any
access-list 150 permit ip 213.190.9.0 0.0.0.127 any
access-list 150 permit ip 213.190.2.150 0.0.0.3 any
Also, I've checked that the pool can be in a different address block, so I've changed it to:
ip local pool dynpool 192.168.10.128 192.168.10.132
In the tests I did, I can ping from the router to my computer (with the VPN session):
>tracert 192.168.235.1
Traza a 192.168.235.1 sobre caminos de 30 saltos como máximo.
1 57 ms 51 ms 59 ms 192.168.235.1
Trace complete.
And I can ping from the router to the servers:
#traceroute 192.168.235.3
Type escape sequence to abort.
Tracing the route to 192.168.235.3
1 192.168.235.3 0 msec 0 msec 0 msec
But when I try to ping from my computer to the servers, they can't be reached:
>tracert 192.168.235.3
Traza a 192.168.235.3 sobre caminos de 30 saltos como máximo.
1 57 ms 51 ms 59 ms 192.168.2.150
2 * * *
3 * ^C
I tried a few configurations but I can't solve this problem...
Maybe it's a problem with the routing, but how can I solve it?
b.julin, you said:
"Your addresses are in 192.168.236.128/26(+). This would require a router to have a block route
to the VPN's inside interface, or to do dynamic route injection into a protocol. Also you'll
need routes on the VPN to the "LAN SERVER block" not just a default route, and depending on the
platform you may need access-lists to punch holes through default security."
But I don't know how, because as I explained before I checked the routes and they look OK to me. Should I write a new static route?
I've also realized that when I ping my computer from the router a new ARP entry turns up. Is that normal?
#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet my_public_IP 0 Incomplete ARPA
Internet 192.168.235.1 - 68ef.bd13.0e98 ARPA GigabitEthernet0/0
...
Many thanks,
08-04-2010 12:05 PM
I assume your computer is in the 192.168.10.X pool?
Try adding the 192.168.10.X addresses to the ACL. I don't know how that works exactly on a router as opposed to an ASA, but on ASA you either have to do that, or use "sysopt connection permit-vpn" (probably not available on the router).
Also you need to ensure the crypto-map is either an undefined (no match address statement) dynamic map, or is classifying traffic from the pool to the 135 network as tunnelled.
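To check the two hypotheses the thread keeps circling (does ACL 150 cover both ends of the client-to-server path, and does a static NAT entry rewrite the server's replies before they reach the crypto map), here is a small checker added for this thread; it is not code from the posts or from Cisco, and it assumes the addresses quoted in the posts and contiguous wildcard masks:

```python
import ipaddress

# Constructed from the configuration quoted in the thread (addresses copied from the posts).
SPLIT_TUNNEL_ACL = [
    "access-list 150 remark VPN",
    "access-list 150 permit ip 192.168.235.0 0.0.0.255 any",
    "access-list 150 permit ip 213.190.9.0 0.0.0.127 any",
    "access-list 150 permit ip 213.190.2.150 0.0.0.3 any",
]
STATIC_NAT = {"192.168.235.2": "213.190.9.2", "192.168.235.3": "213.190.9.3"}
VPN_POOL = ("192.168.10.128", "192.168.10.132")

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network (set wildcard bits = don't care)."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = ~w & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if (mask >> (32 - prefix)) != (1 << prefix) - 1:  # assumption: contiguous wildcards only
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported here")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_acl(lines):
    """Collect the source networks of 'permit ip <src> <wildcard> any' entries; remarks are skipped."""
    nets = []
    for line in lines:
        p = line.split()
        if len(p) >= 6 and p[2] == "permit" and p[3] == "ip":
            nets.append(wildcard_to_network(p[4], p[5]))
    return nets

def acl_covers(nets, address):
    return any(ipaddress.ip_address(address) in n for n in nets)

def pool_addresses(first, last):
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in (first, last))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]

def diagnose(acl_lines, static_nat, pool, server):
    """Findings for one VPN-client -> server path: ACL coverage of both ends and NAT on replies."""
    nets = parse_acl(acl_lines)
    findings = []
    if not acl_covers(nets, server):
        findings.append(f"split-tunnel ACL does not cover server {server}")
    uncovered = [c for c in pool_addresses(*pool) if not acl_covers(nets, c)]
    if uncovered:
        findings.append(f"split-tunnel ACL does not cover pool addresses {uncovered[0]}-{uncovered[-1]}")
    if server in static_nat:
        # Replies to the client are inside-to-outside packets: the static entry rewrites their source before encryption unless exempted.
        findings.append(f"static NAT rewrites {server} -> {static_nat[server]} on replies to the pool")
    return findings
```

Running diagnose() with the thread's values reports that the pool is outside ACL 150 and that the server's static entry rewrites its replies, which are the two things the replies above suggest looking at.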
08-05-2010 03:32 AM
Regarding your questions,
"I assume your computer is in the 192.168.10.X pool?"
Yes, it is.
"Try adding the 192.168.10.X addresses to the ACL. I don't know how that works exactly on a router as opposed to an ASA, but on ASA you either have to do that, or use "sysopt connection permit-vpn" (probably not available on the router)."
I tried this before but it hasn't worked.
"Also you need to ensure the crypto-map is either an undefined (no match address statement) dynamic map, or is classifying traffic from the pool to the 135 network as tunnelled."
I assume it is correct, but I copy it here again in case you see something wrong:
crypto isakmp client configuration group g-groupname
key xxxxxxxxxxx
dns x.x.x.x
pool dynpool
acl 150
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list vpn-login
crypto map dynmap isakmp authorization list g-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
ip local pool dynpool 192.168.10.128 192.168.10.132
!
interface GigabitEthernet0/1
crypto map dynmap
Thanks again,