12-10-2011 11:16 PM
Hey people. I originally had a site-to-site VPN between my PIX 515E and RVS4000, but wanted to put my router on the edge of my network for greater QoS control. I've managed to get the tunnel up, but can't get any traffic across the tunnel. The RVS4000 says the tunnel is up, and when I do a "show crypto isakmp sa" on the 2621, I see QM_IDLE, which I believe is good.
My architecture is this:
LAN - RVS4000 (static public ip) ----internet------2621(dynamic public IP ((dhcp)) - LAN
Below is a copy of my 2621 config. My guess is I left something out, but can't put my finger on it. Any help is appreciated. Thanks!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname core_router
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
ip subnet-zero
ip cef
!
!
ip domain name craig.net
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
ip multicast-routing
ip audit po max-events 100
!
!
!
!
voice service voip
fax protocol pass-through g711ulaw
h323
sip
!
!
!
!
!
!
!
!
!
username craigrobertlee privilege 15 password 7 XXXXXXXXXXX
!
!
ip ssh time-out 60
ip ssh source-interface FastEthernet0/1
ip ssh rsa keypair-name craigkey
!
class-map match-any VOIP_TRAFFIC
match access-group 101
!
!
policy-map VOIP_POLICY
class VOIP_TRAFFIC
bandwidth 1000
class class-default
fair-queue
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXXXX address 174.79.X.X no-xauth
crypto isakmp keepalive 2800
!
!
crypto ipsec transform-set SET1 esp-3des esp-md5-hmac
!
crypto map ROGERS 10 ipsec-isakmp
set peer 174.79.X.X
set security-association idle-time 60
set transform-set SET1
match address 102
!
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
ip address dhcp
ip nat outside
speed 100
full-duplex
crypto map ROGERS
service-policy output VOIP_POLICY
!
interface FastEthernet0/1
ip address 192.168.0.1 255.255.255.252
ip nat inside
duplex auto
speed auto
!
interface Dialer1
no ip address
no cdp enable
!
ip nat inside source list 100 interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 192.168.1.0 255.255.255.0 192.168.0.2
ip route 192.168.2.0 255.255.255.0 192.168.0.2
ip route 192.168.3.0 255.255.255.0 192.168.0.2
!
!
access-list 10 permit 192.168.1.254
access-list 11 permit 192.168.1.10
access-list 12 permit 192.168.0.0 0.0.255.255
access-list 12 remark SSH_ACL
access-list 100 permit ip 192.168.0.0 0.0.255.255 any
access-list 100 remark Craig_Home_IP_Network
access-list 101 permit udp any eq 5060 any eq 5060
access-list 101 remark VOIP_ACL
access-list 102 permit ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 102 remark ROGERS_IP_NETWORK
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.15.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.3.255 any
no cdp run
!
route-map nonat permit 10
match ip address 110
!
snmp-server community craighome1 RO 11
snmp-server location Gear Closet
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps xgcp
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps hsrp
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps config-copy
snmp-server enable traps envmon
snmp-server enable traps bgp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps rsvp
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps rtr
snmp-server enable traps syslog
snmp-server enable traps stun
snmp-server enable traps dlsw
snmp-server enable traps bstun
snmp-server enable traps dial
snmp-server enable traps dsp card-status
snmp-server enable traps atm subif
snmp-server enable traps pppoe
snmp-server enable traps ipmobile
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps voice poor-qov
snmp-server enable traps dnis
snmp-server host 192.168.1.10 version 2c craighome1
!
!
!
!
!
line con 0
login local
line aux 0
line vty 0 4
access-class 12 in
exec-timeout 0 0
login local
transport input ssh
line vty 5 15
access-class 12 in
exec-timeout 0 0
login local
transport input ssh
!
ntp clock-period 17180394
ntp server 192.43.244.18
!
end
12-11-2011 09:48 AM
No one?
12-11-2011 04:54 PM
Hi Robert,
You are using ACL 100 for NAT when you should be using either ACL 110 or the route map nonat, it looks like you meant to bypass NAT but forgot to apply it.
This is what you have:
ip nat inside source list 100 interface FastEthernet0/0 overload
This is what you should have instead:
ip nat inside source list 110 interface FastEthernet0/0 overload
or
ip nat inside source route-map nonat interface FastEthernet0/0 overload
Have fun,
Raga
12-11-2011 05:32 PM
That's exactly what it was. It dawned on me this morning that the two statements weren't actually doing anything. Now, with the current config, can you give me an example of also allowing VPN clients (Cisco VPN Client) to connect? Thanks!
12-11-2011 05:55 PM
Sure, I listed the steps a few days ago for a couple of friends:
Enable AAA:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
Create an isakmp Policy:
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
Create an IP pool:
ip local pool ippool 192.168.100.10 192.168.100.20
Create the split tunneling ACL (Allows the user to browse the Internet while connected with the VPN)
access-list 177 permit ip 192.168.0.0 0.0.0.255 192.168.100.0 0.0.0.255
Create a VPN group:
crypto isakmp client configuration group VPN3000
key cisco123
domain cisco.com
pool ippool
acl 177
Create an IPSec Policy:
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
Create a Dynamic crypto map and set the transform set.
crypto dynamic-map dynmap 10
set transform-set 3des-sha
Create a crypto map, link the AAA and the dynamic crypto map
crypto map ROGERS client authentication list userauthen
crypto map ROGERS isakmp authorization list groupauthor
crypto map ROGERS client configuration address respond
crypto map ROGERS 1000 ipsec-isakmp dynamic dynmap
Add a NAT exemption for the VPN traffic:
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.100.0 0.0.0.255 (This line must go before the "permit")
And that should do it.
Have a good one.
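Added illustration (not part of the thread, and not Cisco code) of why the fix in Raga's 12-11 04:54 PM reply works and why the deny line in the NAT exemption above has to come before the permit. It models two IOS behaviours: numbered ACLs are evaluated first-match with an implicit deny at the end, and on the inside-to-outside path NAT is applied before the crypto map is consulted, so the crypto ACL (102) sees the translated source address. The ACLs are copied from the posts; OUTSIDE_IP is a constructed placeholder for the DHCP address on FastEthernet0/0, which the thread does not show. Matching ACL 110 directly or via the nonat route-map gives the same decision here. Everything else in the config (routing, the dynamic map's proxy identities, the RVS4000 side) is deliberately ignored.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Ace:
    """One numbered-ACL entry: action plus source/destination in IOS
    'network wildcard' notation ("192.168.0.0 0.0.3.255") or "any"."""
    action: str
    src: str
    dst: str


def matches(addr: str, spec: str) -> bool:
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if matches(src, ace.src) and matches(dst, ace.dst):
            return ace.action
    return "deny"


# ACLs as posted in the thread. ACL 110 includes the VPN-client deny line
# from the "Add a NAT exemption" step, placed before the permit as instructed.
ACL_100 = [Ace("permit", "192.168.0.0 0.0.255.255", "any")]
ACL_102 = [Ace("permit", "192.168.0.0 0.0.3.255", "192.168.15.0 0.0.0.255")]  # crypto ACL
ACL_110 = [
    Ace("deny",   "192.168.0.0 0.0.3.255", "192.168.15.0 0.0.0.255"),
    Ace("deny",   "192.168.0.0 0.0.3.255", "192.168.100.0 0.0.0.255"),
    Ace("permit", "192.168.0.0 0.0.3.255", "any"),
]
# The same lines with the deny entries appended after the permit: they can never match.
ACL_110_DENY_AFTER_PERMIT = [ACL_110[2], ACL_110[0], ACL_110[1]]

# Constructed placeholder (documentation range) for the DHCP-assigned address
# on FastEthernet0/0; the real address is not in the thread.
OUTSIDE_IP = "203.0.113.10"


def egress(nat_acl: List[Ace], crypto_acl: List[Ace], src: str, dst: str) -> Tuple[str, str]:
    """IOS inside-to-outside order of operations: NAT runs before the crypto
    map is checked, so the crypto ACL is evaluated on the translated packet.
    Returns (source address on the wire, "encrypted" or "cleartext")."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP  # PAT ('overload') to the outside interface address
    if acl_lookup(crypto_acl, src, dst) == "permit":
        return src, "encrypted"
    return src, "cleartext"


if __name__ == "__main__":
    for label, nat in (("list 100", ACL_100), ("list 110", ACL_110)):
        print(label, "LAN -> Rogers LAN:", egress(nat, ACL_102, "192.168.1.10", "192.168.15.20"))
        print(label, "LAN -> Internet  :", egress(nat, ACL_102, "192.168.1.10", "8.8.8.8"))
    print("NAT decision for LAN -> VPN client pool, deny before permit:",
          acl_lookup(ACL_110, "192.168.1.10", "192.168.100.11"))
    print("NAT decision for LAN -> VPN client pool, deny after permit: ",
          acl_lookup(ACL_110_DENY_AFTER_PERMIT, "192.168.1.10", "192.168.100.11"))
```

With list 100 the LAN-to-Rogers packet leaves with the public source address, no longer matches ACL 102 and goes out in the clear, which is exactly "tunnel up, no traffic". With list 110 the same packet is exempt from NAT, still matches ACL 102 and is encrypted, while Internet-bound traffic is still translated. The last two lines show the ordering point: with the deny after the permit, traffic to the VPN client pool is translated and the exemption is dead config.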
12-12-2011 12:40 PM
OK, I got the client to connect, and was able to browse. However, the client receives the DNS server that it is supposed to use, yet when you do an nslookup or perform any DNS resolutions, it uses the DNS server handed out by its local router and not the one my router is sending the client. Below is the config. Is this normal?
crypto isakmp client configuration group vpnclient
key XXXXX
dns 192.168.1.252
domain atw.local
pool VPN_Client
acl 177
12-12-2011 12:46 PM
Robert,
Try adding this under the VPN client group configuration:
split-dns atw.local
12-12-2011 12:48 PM
If you are talking about adding it to the "crypto isakmp client configuration group vpnclient", that command isn't even available.
12-13-2011 05:38 AM
Perhaps you are running a version that doesn't have that command?
I do have it :
R4(config)#crypto isakmp client configuration group vpnclient
R4(config-isakmp-group)#?
ISAKMP group policy config commands:
access-restrict Restrict clients in this group to an interface
acl Specify split tunneling inclusion access-list
number
auto-update Configure auto-upgrade
backup-gateway Specify backup gateway
banner Specify mode config banner
browser-proxy Configure browser-proxy
configuration Push configuration to the client
crypto Client group crypto aaa attribute list
dhcp Configure DHCP parameters
dns Specify DNS Addresses
domain Set default domain name to send to client
exit Exit from ISAKMP client group policy
configuration mode
firewall Enforce group firewall feature
group-lock Enforce group lock feature
include-local-lan Enable Local LAN Access with no split tunnel
key pre-shared key/IKE password
max-logins Set maximum simultaneous logins for users in
this group
max-users Set maximum number of users for this group
netmask netmask used by the client for local
connectivity
no Negate a command or set its defaults
pfs The client should propose PFS
pool Set name of address pool
save-password Allows remote client to save XAUTH password
smartcard-removal-disconnect Enables smartcard-removal-disconnect
split-dns DNS name to append for resolution
wins Specify WINS Addresses
R4(config-isakmp-group)# split-dns atw.local
R4(config-isakmp-group)#end
R4#
*Mar 1 00:15:44.567: %SYS-5-CONFIG_I: Configured from console by console
R4#sh ver
Cisco IOS Software, 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Tue 17-Aug-10 07:38 by prod_rel_team
ROM: ROMMON Emulation Microcode
ROM: 2600 Software (C2691-ADVENTERPRISEK9-M), Version 12.4(15)T14, RELEASE SOFTWARE (fc2)
R4 uptime is 15 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
Cisco 2691 (R7000) processor (revision 0.1) with 249856K/12288K bytes of memory.
Processor board ID XXXXXXXXXXX
R7000 CPU at 160MHz, Implementation 39, Rev 2.1, 256KB L2, 512KB L3 Cache
2 FastEthernet interfaces
3 Serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity enabled.
55K bytes of NVRAM.
16384K bytes of ATA System CompactFlash (Read/Write)
Configuration register is 0x2102
Now, to test if you are indeed having a split DNS problem remove the ACL for split tunneling ACL
crypto isakmp client configuration group vpnclient
no acl 177
Then try to resolve local names. If it works then you might need to upgrade your IOS so that you can have the split dns functionality.
HTH
12-13-2011 08:12 AM
Aha, there is the culprit. I am running a 2621 (non-XM version) which does not support 12.4. I am stuck at 12.3(26) as my highest. But, that's ok. I also figured out that the local network the client is coming from is on 192.168.1.0, which also resides on my side of the house. So, that network is never being put into the client's routing table because he/she already has it. I am either going to move some of my stuff away from that network or have the client move his. I never really paid attention, until now, to the helpful hints to avoid using the common private network spaces in my own network, because this sort of event would happen. But, do I choose a higher Class C, B? One wonders.....