Solved: VPN Local lan access

tu_amor66 · ‎09-05-2010

I have configure a cisco 861 as vpn server. I could you some help if someone can tell what's wrong? Clients can connect, but cannot access local lan resources for subnet 10.0.10.0

Building configuration...

Current configuration : 9770 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime

show-timezone
service timestamps log datetime msec localtime show-

timezone
service password-encryption
service sequence-numbers
!
hostname RT861W
!
boot-start-marker
boot system flash c860-universalk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096 warnings
logging console critical
enable secret 5 xxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 10
clock timezone EST -4
clock save interval 24
!
crypto pki trustpoint TP-self-signed-3796206546
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-

3796206546
revocation-check none
rsakeypair TP-self-signed-3796206546
!
!
crypto pki certificate chain TP-self-signed-

3796206546
certificate self-signed 01
30820259 308201C2 A0030201 02020101 300D0609

2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66

2D536967 6E65642D 43657274
69666963 6174652D 33373936 32303635 3436301E

170D3130 30363130 32323534
33395A17 0D323030 31303130 30303030 305A3031

312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469

66696361 74652D33 37393632
30363534 3630819F 300D0609 2A864886 F70D0101

01050003 818D0030 81890281
81009C68 0509FEBA BA0D4251 52AA3F1C DBB7CACB

138D0D3D 8017AB75 04AABD97
16DE7A44 31B18A6C 5DE8F289 CF5D71EA AF9BA2F6

EB32858B 4385DE6C 3ED11616
2B997D14 C6C86431 9A956161 2D0581F4 767D60E1

82FF426A 911D503E 8995A69B
6F7A4D9A 9AEA14DE 8A62570E C9C3A913 25E5E464

E6DA7E06 44F94B16 3EA57809
5B710203 010001A3 8180307E 300F0603 551D1301

01FF0405 30030101 FF302B06
03551D11 04243022 82205254 38363157 2E636F6C

6C696E73 2E316661 6D696C79
756E6974 65642E63 6F6D301F 0603551D 23041830

1680142C 21E7314B D28AFE1A
26115A1B F53AFB03 0ED1A830 1D060355 1D0E0416

04142C21 E7314BD2 8AFE1A26
115A1BF5 3AFB030E D1A8300D 06092A86 4886F70D

01010405 00038181 008CC48F
6A1BFB52 0F268B05 B977AE8E CA450936 8272D889

B46DE9FB 5680782C 59DA2354
04CE6AD2 F280FB20 32B3897B CF0919F9 C0719F22

C7BED922 73C35C32 54696F37
89E424C2 561FFF54 99573AC6 713E58D8 E3B67064

295D4331 845FCDEC F6CD8017
58006C58 F94A8771 78217788 FE63AA11 0E5DF6B1

1A8D0111 CDD87A1D CC
        quit
no ip source-route
no ip gratuitous-arps
ip dhcp smart-relay
ip dhcp bootp ignore
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.10.1 10.0.10.10
!
ip dhcp pool VLAN_10
   network 10.0.10.0 255.255.255.224
   default-router 10.0.10.1
   domain-name xxxxxx
   dns-server 10.0.10.1
!
ip dhcp pool VLAN_1
   network 10.0.1.0 255.255.255.224
   default-router 10.0.1.1
   domain-name xxxxxx
   dns-server 10.0.1.1
!
!
ip cef
ip inspect log drop-pkt
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute high 1100
ip inspect one-minute low 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name FIREWALL tcp timeout 3600
ip inspect name FIREWALL udp timeout 15
ip inspect name FIREWALL ftp timeout 3600
ip inspect name FIREWALL rcmd timeout 3600
ip inspect name FIREWALL smtp alert on timeout 3600
ip inspect name FIREWALL sqlnet timeout 3600
ip inspect name FIREWALL tftp timeout 30
ip inspect name FIREWALL icmp timeout 15
ip inspect name FIREWALL ssh timeout 15
ip inspect name FIREWALL login audit-trail on
ip inspect name FIREWALL webster
ip inspect name FIREWALL skinny
ip inspect name FIREWALL router
ip inspect name FIREWALL cifs
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL dns
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL sip
ip inspect name FIREWALL pop3 alert on reset
ip inspect name FIREWALL ftps
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL ipsec-msft
ip inspect name FIREWALL ntp
ip inspect name FIREWALL imap
ip inspect name FIREWALL imaps
ip inspect name FIREWALL imap3
ip inspect name FIREWALL pop3s
no ip bootp server
ip domain name xxxxxxxxx
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 74.128.19.102
ip name-server 74.128.17.114
!
!
license agent notify

http://10.0.10.11:9710/clm/servlet/HttpListenServlet

dummy dummy 2.0
!
!
username xxxx privilege 15 secret 5 xxxxxx
username xxxxx secret 5 xxxxx
!
!
crypto isakmp policy 3
encr aes 256
authentication pre-share
group 2
crypto isakmp nat keepalive 3600
!
crypto isakmp client configuration group xxxxx
key xxxxxx
dns 10.0.10.5
domain xxxxxxxx
pool vpnpool
include-local-lan
netmask 255.255.255.224
!
!
crypto ipsec transform-set myset esp-aes 256 esp-

sha-hmac comp-lzs
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list

userauthen
crypto map clientmap isakmp authorization list

groupauthor
crypto map clientmap client configuration address

initiate
crypto map clientmap client configuration address

respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
crypto ctcp port 6000
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
bridge irb
!
!
!
interface Loopback0
ip address 10.100.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
switchport mode trunk
!
interface FastEthernet4
description WAN$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip inspect FIREWALL out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface wlan-ap0
description Service module interface to manage the

embedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip virtual-reassembly
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Service module interface to manage the

embedded AP
switchport mode trunk
!
interface Vlan1
description VLAN_1$FW_INSIDE$
ip address 10.0.1.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan10
description VLAN_10$FW_INSIDE$
ip address 10.0.10.1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface BVI1
description $FW_INSIDE$
ip address dhcp hostname WAPB
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no ip route-cache cef
no ip route-cache
!
router rip
version 1
network 10.0.0.0
!
ip local pool vpnpool 197.0.0.1 197.0.0.5
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface FastEthernet4

overload
ip nat inside source list 2 interface FastEthernet4

overload
ip nat inside source static tcp 10.0.10.3 3389

interface FastEthernet4 3389
ip nat inside source static tcp 10.0.10.3 1723

interface FastEthernet4 1723
ip nat inside source static tcp 10.0.10.3 80

interface FastEthernet4 80
!
logging 10.0.10.1
access-list 1 permit 10.0.1.0 0.0.0.31
access-list 2 permit 10.0.10.0 0.0.0.31
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp any any established
access-list 199 permit udp any any eq 3389
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 deny   tcp any any
access-list 199 deny   tcp 10.0.0.0 0.255.255.255 any
access-list 199 deny   tcp 172.16.0.0 0.15.255.255

any
access-list 199 deny   tcp 192.168.0.0 0.0.0.255 any
access-list 199 deny   udp 10.0.0.0 0.255.255.255 any
access-list 199 deny   udp 172.16.0.0 0.15.255.255

any
access-list 199 deny   udp 192.168.0.0 0.0.0.255 any
access-list 199 deny   icmp any any echo
access-list 199 deny   udp any any eq 135
access-list 199 deny   udp any any eq netbios-ns
access-list 199 deny   udp any any eq netbios-ss
access-list 199 deny   udp any any eq isakmp
access-list 199 deny   tcp any any eq telnet
access-list 199 deny   tcp any any eq smtp
access-list 199 deny   tcp any any eq nntp
access-list 199 deny   tcp any any eq 135
access-list 199 deny   tcp any any eq 137
access-list 199 deny   tcp any any eq 139
access-list 199 deny   tcp any any eq www
access-list 199 deny   tcp any any eq 443
access-list 199 deny   tcp any any eq 445
access-list 199 deny   ip any any
no cdp run

!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized

user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output all
line vty 0 4
access-class 104 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 192.43.244.18
end

Nagaraja Thanthry · ‎09-05-2010

Hello,

The issue is due to the NAT configurations. Please try the following:

no ip nat inside source list 1 interface FastEthernet4 overload

no ip nat inside source list 2 interface FastEthernet4 overload

access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7

access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255

access-list 101 permit ip 10.0.0.0 0.0.255.31 any

route-map Internet

match ip address 101

exit

ip nat inside source route-map Internet interface FastEthernet4 overload

This will ensure that the VPN clients can access all of the internal

resources. However, they will not be able to access the 10.0.10.3 server

using its private IP as you cannot use the route-map when you are using the

"interface" keyword. If you have a static IP assigned to your FastEthernet4

interface by the ISP, then you can use the below configuration:

access-list 102 deny ip host 10.0.10.3 197.0.0.0 0.0.0.7

access-list 102 deny ip host 10.0.10.3 10.0.0.0 0.0.255.255

access-list 102 permit ip host 10.0.10.3 any

route-map Server

match ip address 101

exit

no ip nat inside source static tcp 10.0.10.3 3389 interface FastEthernet4

3389

no ip nat inside source static tcp 10.0.10.3 1723 interface FastEthernet4

1723

no ip nat inside source static tcp 10.0.10.3 80 interface FastEthernet4 80

ip nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389

route-map Server

ip nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 ip" 1723

route-map Server

ip nat inside source static tcp 10.0.10.3 80 "FastEthernet4 ip" 80 route-map

Server

Hope this helps.

Regards,

NT

View solution in original post

Nagaraja Thanthry · ‎09-05-2010

Hello,

The issue is due to the NAT configurations. Please try the following:

no ip nat inside source list 1 interface FastEthernet4 overload

no ip nat inside source list 2 interface FastEthernet4 overload

access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7

access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255

access-list 101 permit ip 10.0.0.0 0.0.255.31 any

route-map Internet

match ip address 101

exit

ip nat inside source route-map Internet interface FastEthernet4 overload

This will ensure that the VPN clients can access all of the internal

resources. However, they will not be able to access the 10.0.10.3 server

using its private IP as you cannot use the route-map when you are using the

"interface" keyword. If you have a static IP assigned to your FastEthernet4

interface by the ISP, then you can use the below configuration:

access-list 102 deny ip host 10.0.10.3 197.0.0.0 0.0.0.7

access-list 102 deny ip host 10.0.10.3 10.0.0.0 0.0.255.255

access-list 102 permit ip host 10.0.10.3 any

route-map Server

match ip address 101

exit

no ip nat inside source static tcp 10.0.10.3 3389 interface FastEthernet4

3389

no ip nat inside source static tcp 10.0.10.3 1723 interface FastEthernet4

1723

no ip nat inside source static tcp 10.0.10.3 80 interface FastEthernet4 80

ip nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389

route-map Server

ip nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 ip" 1723

route-map Server

ip nat inside source static tcp 10.0.10.3 80 "FastEthernet4 ip" 80 route-map

Server

Hope this helps.

Regards,

NT

tu_amor66 · ‎09-05-2010

Thanks for your assistance, it worked like a charm.

Nagaraja Thanthry · ‎09-05-2010

Hello,

Glad that the issue is fixed. Thanks for the rating.

Regards,

NT

Edgar Collins · ‎07-12-2011

Nagaraia,

I have a question, what do I need to change in the route map to allow split tunneling for the VPN clients?