4317 Views, 0 Helpful, 3 Replies

Remote access ipsec vpn - can't ping past vlan interface

matthew.king
Level 1

Hi Guys,

I have configured a Cisco 881 with a remote access IPsec VPN. The VPN authentication works fine, and it connects fine. Once connected I can see the route is available, split tunneling is working and I can ping the VLAN interface on the router; however, I can't ping past that. I've been looking over all the obvious things like NAT rules and return routes, and everything looks fine. There is also a site-to-site VPN configured that is working fine. Any ideas?

Router#show run
Building configuration...

Current configuration : 4156 bytes
!
! Last configuration change at 11:46:09 AEST Sun Jul 3 2011 by matt
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 16384
enable secret 5 <SNIP>
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authentication login LOCAL local
aaa authorization network rtr-remote local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone AEST 10
!
!
ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL150821W4
!
!
username <SNIP> password 7 <SNIP>
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <SNIP> address <SNIP>
crypto isakmp client configuration address-pool local VPN_POOL
!
crypto isakmp client configuration group VPN_GROUP
 key <SNIP>
 dns 192.168.1.21 4.2.2.2
 domain <SNIP>
 pool VPN_POOL
 acl 140
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3des-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_MAP 1
 set transform-set vpn1
 reverse-route
!
!
crypto map VPN_MAP client authentication list LOCAL
crypto map VPN_MAP isakmp authorization list rtr-remote
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 1 ipsec-isakmp dynamic VPN_MAP
crypto map VPN_MAP 2 ipsec-isakmp
 set peer <SNIP>
 set transform-set 3des-sha-hmac
 set pfs group2
 match address 101
!
crypto map static-map 1 ipsec-isakmp dynamic VPN_MAP
!
bridge irb
!
!
!
!
interface FastEthernet0
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet1
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet2
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet4
 ip address <SNIP> 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map VPN_MAP
!
interface Virtual-Template2 type tunnel
 ip unnumbered BVI10
 tunnel mode ipsec ipv4
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 bridge-group 10
 bridge-group 10 spanning-disabled
!
interface BVI10
 no ip address
 ip nat inside
 ip virtual-reassembly
 shutdown
!
ip local pool VPN_POOL 192.168.211.1 192.168.211.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.21 25 <SNIP> 25 extendable
ip route 0.0.0.0 0.0.0.0 <SNIP>
ip route 192.168.2.0 255.255.255.0 <SNIP>
!
logging trap warnings
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 30 0
 logging synchronous
 login authentication LOCAL
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 30 0
 logging synchronous
 login authentication LOCAL
!
scheduler max-task-time 5000
end

Router#

3 Replies

matthew.king
Level 1

Sorted... I got onto the Cisco TAC and the configuration was fine. There is an issue with CEF with IPsec VPNs on some IOS. CEF was disabled and it came good straight away.

Indeed your config looks fine except for a small remark:

The ACL 110 (NAT exemption) is longer than necessary:

access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

This would also suffice:

access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

Explanation: NAT exemption only needs to be performed for inside address ranges.

Or even shorter:

access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any

Private IPs are not routed on the Internet, so you are not taking risks.

IPsec and NAT are both performed before routing, as you can see here:

http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml

This is why the static route for 192.168.2.0 can also be omitted. This traffic is matched by ACL 110 and 101.

regards,

Leo

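The three forms of the NAT-exemption ACL above can be compared mechanically. The following is an added example, not code from the thread or from Cisco: a small first-match evaluator with Cisco wildcard-mask semantics, run over a handful of constructed sample flows (192.168.1.21 and 4.2.2.2 are taken from the posted config; 192.168.211.5, 192.168.2.10 and the unused 192.168.77.7 are hypothetical hosts). It also evaluates the posted split-tunnel ACL 140 the way an Easy VPN client does, where the source field of each permit entry is a network pushed to the client.

```python
"""First-match evaluator for the Cisco wildcard ACLs quoted in this thread.

Added example, not code from the original post. It checks that the long,
medium and short forms of NAT-exemption ACL 110 agree on the traffic this
router actually forwards, and shows which destinations split-tunnel ACL 140
tells a VPN client to send through the tunnel. Sample hosts are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "address wildcard" in Cisco form
    dst: str


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z'."""
    if tokens[0] == "any":
        return "0.0.0.0 255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text: str):
    """Parse 'access-list N permit|deny ip SRC DST' lines (the only form on the page)."""
    acl = []
    for line in text.strip().splitlines():
        _, _, action, proto, *rest = line.split()
        if proto != "ip":
            raise ValueError("this evaluator only handles 'ip' entries")
        src, rest = _take_addr(rest)
        dst, rest = _take_addr(rest)
        acl.append(Ace(action, src, dst))
    return acl


def acl_decision(acl, src: str, dst: str) -> str:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action
    return "deny"


# The NAT-exemption ACL as posted and Leo's two shorter forms
# (used by "ip nat inside source list 110 ...": permit = translate, deny = exempt).
ACL110_LONG = """
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny   ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
"""
ACL110_MEDIUM = """
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.2.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
"""
ACL110_SHORT = """
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
"""
# Split-tunnel ACL referenced by the Easy VPN group ("acl 140").
ACL140 = "access-list 140 permit ip 192.168.1.0 0.0.0.255 any"

# Constructed sample flows (src, dst); 192.168.77.7 is a hypothetical unused private host.
FLOWS = {
    "LAN -> VPN client":         ("192.168.1.21", "192.168.211.5"),
    "LAN -> remote site":        ("192.168.1.21", "192.168.2.10"),
    "LAN -> Internet DNS":       ("192.168.1.21", "4.2.2.2"),
    "VPN client -> LAN":         ("192.168.211.5", "192.168.1.21"),
    "remote site -> VPN client": ("192.168.2.10", "192.168.211.5"),
    "LAN -> unused RFC1918":     ("192.168.1.21", "192.168.77.7"),
}


def nat_decisions(acl_text: str) -> dict:
    """Map each sample flow to 'permit' (translated) or 'deny' (NAT-exempt)."""
    acl = parse_acl(acl_text)
    return {name: acl_decision(acl, s, d) for name, (s, d) in FLOWS.items()}


def differing_flows(acl_a: str, acl_b: str) -> set:
    """Names of the sample flows on which two ACLs disagree."""
    a, b = nat_decisions(acl_a), nat_decisions(acl_b)
    return {name for name in FLOWS if a[name] != b[name]}


def split_tunnel_networks(acl_text: str) -> list:
    """In an Easy VPN group 'acl', the SOURCE of each permit entry is a network pushed to the client."""
    return [ace.src for ace in parse_acl(acl_text) if ace.action == "permit"]


def is_tunneled(acl_text: str, dst: str) -> bool:
    """Would a connected client send traffic for dst through the tunnel?"""
    return any(wildcard_match(dst, net) for net in split_tunnel_networks(acl_text))


if __name__ == "__main__":
    for label, text in (("long", ACL110_LONG), ("medium", ACL110_MEDIUM), ("short", ACL110_SHORT)):
        print(label, nat_decisions(text))
    print("long vs medium differ on:", differing_flows(ACL110_LONG, ACL110_MEDIUM))
    print("long vs short differ on:", differing_flows(ACL110_LONG, ACL110_SHORT))
    for dst in ("192.168.1.21", "192.168.2.10", "4.2.2.2"):
        print(dst, "tunneled" if is_tunneled(ACL140, dst) else "sent outside the tunnel")
```

The long and medium ACLs make identical decisions on every sample flow; the short one differs only for LAN traffic to an unused 192.168.x.x destination, which it leaves untranslated (the case Leo's "private IPs are not routed on the Internet" remark covers). The ACL 140 check also shows that with the posted split-tunnel list a client only tunnels 192.168.1.0/24; 192.168.2.0/24 would have to be added there before VPN users could reach the other site, even though ACL 101 already permits that traffic.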

Leo,

Thanks for your response! I will be configuring the VPN to have access to the site at the other end of the site-to-site VPN, so this entry will have to remain:

access-list 110 deny   ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255

I will go through and make the changes you have suggested, thanks for taking the time to read through!

Matt
