easy vpn problem

damir.juricic
Level 1

Hi,

I'm having issues with Easy VPN.

Problem is following:

From the VPN client, the connection to the VPN server works: it authenticates, gets an IP address, ...

The problem starts when I try to ping the local subnet or any other subnet (besides mine, of course). Here is the tricky part: I can ping any IP address I want, but the reply comes from the public IP address. If I ping any other address after that, I get "request timed out"?

For me this is definitely a NAT issue, but frankly I don't see where!

Here is my config (I've included only the relevant parts; the rest is for voice, TACACS, ...):

aaa authentication login VPN_USER local
aaa authorization network IPSEC_AUTH local
!
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.250 192.168.10.254
!
ip dhcp pool PC_LAN
   network 192.168.10.0 255.255.255.0
   default-router 192.168.10.254
   dns-server x.x.x.x
   lease 365
!
!


crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key <key>
pool EzVPN
crypto isakmp profile <Profile>
   match identity group VPN
   client authentication list VPN_USER
   isakmp authorization list IPSEC_AUTH
   client configuration address respond
!
!
crypto ipsec transform-set AES_SHA esp-aes esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set AES_SHA
set isakmp-profile <Profile>
match address 140
reverse-route
!
!
!
crypto map VPN local-address Loopback500
crypto map VPN 1000 ipsec-isakmp dynamic DYNMAP
!
!
!
!
interface Loopback500
description Internet
ip address x.x.x.x 255.255.255.255
!
interface FastEthernet0/0
description Korisnicki LAN.unmanaged
ip address 192.168.10.254 255.255.255.0
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no snmp trap link-status
no cdp enable
service-policy output SHAPE_VPN
!
interface FastEthernet0/1
no ip address
no ip redirects
no ip unreachables
duplex full
speed auto
!
interface FastEthernet0/1.318
description Data_VPN
encapsulation dot1Q 318
ip address 10.20.192.250 255.255.255.248
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
no snmp trap link-status
no cdp enable
service-policy output SHAPE_VPN
!
interface FastEthernet0/1.500
description Internet
encapsulation dot1Q 500
ip address 10.51.192.9 255.255.224.0
ip access-group 155 in
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
no snmp trap link-status
no cdp enable
crypto map VPN
service-policy output SHAPE_Internet
!

!
ip local pool EzVPN 192.168.50.2 192.168.50.30
no ip classless
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.51.192.1
ip route 172.16.110.0 255.255.255.0 10.20.192.249
ip route 192.168.0.0 255.255.0.0 10.20.192.249
!
!

ip nat inside source list 10 interface Loopback500 overload
ip nat inside source static tcp 192.168.10.49 50 x.x.x.x 50 extendable
ip nat inside source static udp 192.168.10.49 50 x.x.x.x 50 extendable
ip nat inside source static tcp 192.168.10.49 51 x.x.x.x 51 extendable
ip nat inside source static udp 192.168.10.49 51 x.x.x.x 51 extendable
ip nat inside source static tcp 192.168.10.1 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.10.251 443 x.x.x.x 443 extendable
ip nat inside source static udp 192.168.10.251 443 x.x.x.x 443 extendable
ip nat inside source static tcp 192.168.21.200 554 x.x.x.x 554 extendable
ip nat inside source static tcp 192.168.21.200 555 x.x.x.x 555 extendable
ip nat inside source static tcp 192.168.21.200 556 x.x.x.x 556 extendable
ip nat inside source static tcp 192.168.21.200 557 x.x.x.x 557 extendable
ip nat inside source static tcp 192.168.10.200 558 x.x.x.x 558 extendable
ip nat inside source static tcp 192.168.10.200 559 x.x.x.x 559 extendable
ip nat inside source static tcp 192.168.10.200 560 x.x.x.x 560 extendable
ip nat inside source static tcp 192.168.10.200 561 x.x.x.x 561 extendable
ip nat inside source static tcp 192.168.10.1 1433 x.x.x.x 1433 extendable
ip nat inside source static udp 192.168.10.1 1433 x.x.x.x 1433 extendable
ip nat inside source static tcp 192.168.10.49 1723 x.x.x.x 1723 extendable
ip nat inside source static udp 192.168.10.49 1723 x.x.x.x 1723 extendable
ip nat inside source static tcp 192.168.10.251 3306 x.x.x.x 3306 extendable
ip nat inside source static udp 192.168.10.251 3306 x.x.x.x 3306 extendable
ip nat inside source static tcp 192.168.10.1 3389 x.x.x.x 3389 extendable
ip nat inside source static udp 192.168.10.1 3389 x.x.x.x 3389 extendable
ip nat inside source static tcp 192.168.10.200 4080 x.x.x.x 4080 extendable
ip nat inside source static tcp 192.168.21.200 6080 x.x.x.x 6080 extendable
ip nat inside source static tcp 192.168.10.251 8080 x.x.x.x 8080 extendable
ip nat inside source static udp 192.168.10.251 8080 x.x.x.x 8080 extendable
ip nat inside source static tcp 192.168.10.49 32976 x.x.x.x 32976 extendable
ip nat inside source static udp 192.168.10.49 32976 x.x.x.x 32976 extendable

access-list 10 permit 192.168.0.0 0.0.255.255
access-list 10 permit 172.16.110.0 0.0.0.255

access-list 140 permit ip 192.168.50.0 0.0.0.255 any
access-list 140 permit ip any 192.168.50.0 0.0.0.255
access-list 155 remark ****** SQL_remote ******
access-list 155 permit tcp host x.x.x.x host x.x.x.x eq 1433
access-list 155 permit tcp host x.x.x.x host x.x.x.x eq 1433
access-list 155 permit tcp host x.x.x.x host x.x.x.x eq 1433
access-list 155 deny   tcp any host x.x.x.x eq 1433
access-list 155 permit ip any any

Any suggestions?

Damir

2 Replies

damir.juricic
Level 1

I forgot to write back; I've figured it out.

In case someone has a similar issue: the problem was in NAT, as I suspected.

As I already mentioned, after pinging the local subnet (192.168.10.1) from 192.168.50.x I kept getting replies from the public IP address, which meant it tried to reach 192.168.50.x via the public IP address, so I had to deny Internet access for traffic coming from 192.168.10.0/24 to 192.168.50.x.

In other words, traffic from 192.168.10.0 to 192.168.50.x should stay inside, not go outside (Internet), and should not be NATted.

So I created a route map (in a route-map the match statement is `match ip address`, not `match address`):

route-map NO_NAT permit 10
 match ip address 110
 set ip next-hop 10.51.192.1
!
access-list 110 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 110 permit ip 192.168.10.0 0.0.0.255 any

The deny line stops traffic from 192.168.10.0 to 192.168.50.x from being NATted, that is, from going to the Internet; the permit line allows traffic from 192.168.10.0 to anywhere else to be NATted.

Then I applied it to the NAT overload:

ip nat inside source route-map NO_NAT interface Loopback500 overload
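As an added illustration (not from the post or from Cisco), the Python below models IOS wildcard-mask ACL matching for the two NAT policies in this thread: the original `access-list 10` and the `access-list 110` behind `route-map NO_NAT`. It shows why a LAN reply toward the 192.168.50.x pool was translated under the first policy and exempted under the second, and also that ACL 110 no longer covers the 192.168.21.0/24 and 172.16.110.0/24 sources that ACL 10 permitted, so dynamic overload translation for hosts there stops unless the list is widened (the static NAT entries are unaffected). The destination 203.0.113.10 is a constructed placeholder for an Internet host.

```python
import ipaddress

# Added model of Cisco IOS wildcard-mask ACL matching as used by
# "ip nat inside source list/route-map ...". Not the router's code.
# 203.0.113.10 is a constructed stand-in for an Internet host; the
# ACL entries are copied from the posts above.

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (b & care)

ANY = ("0.0.0.0", "255.255.255.255")

# Entries are (action, src, src_wildcard, dst, dst_wildcard). Standard
# ACL 10 matches on source only, so its destination is "any".
ACL_10 = [  # original overload ACL from the question
    ("permit", "192.168.0.0", "0.0.255.255", *ANY),
    ("permit", "172.16.110.0", "0.0.0.255", *ANY),
]
ACL_110 = [  # ACL referenced by route-map NO_NAT in the fix
    ("deny", "192.168.10.0", "0.0.0.255", "192.168.50.0", "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", *ANY),
]

def acl_action(acl, src: str, dst: str) -> str:
    """First matching entry wins; an implicit deny ends every IOS ACL."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def is_translated(acl, src: str, dst: str) -> bool:
    """Dynamic NAT translates a flow only when its ACL returns permit."""
    return acl_action(acl, src, dst) == "permit"

if __name__ == "__main__":
    flows = [
        ("192.168.10.1", "192.168.50.5"),    # LAN reply to an Easy VPN client
        ("192.168.10.1", "203.0.113.10"),    # LAN host to the Internet
        ("192.168.21.200", "203.0.113.10"),  # covered by ACL 10, not ACL 110
        ("172.16.110.7", "203.0.113.10"),    # covered by ACL 10, not ACL 110
    ]
    for s, d in flows:
        print(f"{s:>15} -> {d:<13} translated before: "
              f"{is_translated(ACL_10, s, d)!s:5} after: {is_translated(ACL_110, s, d)}")
```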

I am glad that you figured out the problem and a working solution. Thank you for posting back to the forum indicating that you had solved it and what the solution was. It makes the forum more useful when people can read a problem and can read what was the solution to the problem.

HTH

Rick