881W EasyVPN with Firewall

Unanswered Question
May 17th, 2012

Hello all,

I'm in the process of setting up a working VPN/Firewall setup on an 881W ISR.  I have the firewall, NAT, and VPN working, and I'm able to connect remotely to my router.  The problem I am having is that I none of my VPN cllients can connect to the internet.  I suspect that my firewall rules may have something to do with this.  Let me break-down what I have, and what I want to achieve:

1. My router is setup with VLAN1 (172.16.1.0/24) as the inside zone (in-zone), while my outside zone (out-zone) is FastEthernet4 (DHCP WAN Interface).  I also have a guest zone (guest-zone) VLAN12 (192.168.12.0/24) used for my guest SSID wireless, which is NATed to the outside zone.

2. I have my EasyVPN setup using a Virtual Template Interface that terminates at the WAN interface FastEthernet4 (something tells me this should be changed).  Should I terminate at VLAN1, or an interface or loopback on VLAN1?

3. I ultimately want the VPN users to be able to conenct to the local resources on VLAN1 only, while being able to get out to the internet.

I thank you in advance for any insight you may be able to bring.

Here is my configuration attached below:

R1-881W#show run

Building configuration...

Current configuration : 11449 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname R1-881W

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 51200

logging console critical

enable secret 5 xxxxxxxxxxxxxxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

service-module wlan-ap 0 bootimage autonomous

!

crypto pki trustpoint TP-self-signed-1234567890

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1234567890

revocation-check none

rsakeypair TP-self-signed-1234567890

!

!

crypto pki certificate chain TP-self-signed-1234567890

certificate self-signed 01

  CERTIFICATE

        quit

no ip source-route

!

!

ip dhcp excluded-address 172.16.1.1 172.16.1.200

ip dhcp excluded-address 192.168.12.200 192.168.12.254

!

ip dhcp pool Private

   import all

   network 172.16.1.0 255.255.255.0

   default-router 172.16.1.1

   dns-server 172.16.1.1 255.255.255.0

!

ip dhcp pool Guest

   network 192.168.12.0 255.255.255.0

   default-router 192.168.12.1

   dns-server 192.168.12.1 255.255.255.0

!

!

ip cef

no ip bootp server

ip domain name lab.local

ip name-server 68.94.156.1

ip name-server 68.94.157.1

ip name-server 8.8.8.8

login block-for 120 attempts 5 within 60

login delay 3

!

no ipv6 cef

!

multilink bundle-name authenticated

parameter-map type regex ccp-regex-nonascii

pattern [^\x00-\x80]

!

!

username someuser privilege 15 secret 5 xxxxxxxxxxxxxxx

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group GROUPNAME

key somesharedkey

pool SDM_POOL_1

max-users 5

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group GROUPNAME

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 86400

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh version 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP

match access-group name GUEST-TO-OUTSIDE_ACL

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 101

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

  pass

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_DHCP_CLIENT_PT

  pass

class class-default

  drop

policy-map type inspect GUEST-TO-OUTSIDE_PMAP

class type inspect GUEST-TO-OUTSIDE_CMAP

  inspect

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security guest-zone

zone security ezvpn-zone

zone-pair security ccp-zp-out-self source out-zone destination self

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

zone-pair security ccp-zp-guest-out source guest-zone destination out-zone

service-policy type inspect GUEST-TO-OUTSIDE_PMAP

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination guest-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn1 source guest-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

!

!

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description ISP Connection$FW_OUTSIDE$

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

no cdp enable

!

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet4

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface wlan-ap0

description Service module to manage the enbedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

interface Vlan1

description $FW_INSIDE$

ip address 172.16.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

interface Vlan11

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface Vlan12

description Guest Vlan$FW_INSIDE$

ip address 192.168.12.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security guest-zone

!

ip local pool SDM_POOL_1 172.168.1.100 172.168.1.120

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 dhcp

no ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload

!

ip access-list extended GUEST-TO-OUTSIDE_ACL

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended NAT_ALLOWED

permit ip 172.16.1.0 0.0.0.255 any

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

!

logging trap debugging

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip host 255.255.255.255 any

access-list 101 permit ip 127.0.0.0 0.255.255.255 any

no cdp run

!

!

!

!

!

control-plane

!

banner login ^CWarning!  Authorized Access Only!^C

!

line con 0

password 7 xxxxxxxxxxxxxxx

logging synchronous

no modem enable

transport output telnet

line aux 0

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

password 7 xxxxxxxxxxxxxxx

transport input telnet ssh

transport output telnet

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 2.8 (5 ratings)
malhyari Thu, 05/17/2012 - 13:56

Add ip nat inside on the vti interface . Be sure you have a valid zpf policy between the vpn and the outzone.

PatrickWare Thu, 05/17/2012 - 13:14

I'm also finding that I can't reach certain SSL web-management pages on my VLAN1 (172.16.1.0/24) network.  Not sure what is causing this.

EDIT:  I figured out that for my SSL web-management pages I had the wrong default gateway set.  Once I corrected this, they worked perfectly.

PatrickWare Fri, 05/18/2012 - 06:08

Thank you.  As for my other question about where to terminate the VPN tunnel, here is my current config:

interface Virtual-Template1 type tunnel

ip unnumbered FastEthernet4

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

Is there any reason why I shouldn't terminate the VPN tunnel at interface FastEthernet4 (WAN interface)?  If not, what would you recommend and why?

malhyari Fri, 05/18/2012 - 13:12

HI Patrik ,

currently all of the ipsec SAs will belong to the VTI and not physical interface since that you are using a DVTI implementation , so what do you mean by your queston ?

cheers.

Mohammad.

PatrickWare Fri, 05/18/2012 - 14:44

I guess I misunderstood the purpose of the "ip unnumbered FastEthernet4" statement under the VTI.  I changed it to point to VLAN1 anyway...

I'm still having trouble where VPN clients cannot browse the internet.  I gave the VTI a dns sever to give out.  I'm working on understanding the firewall rules for the ezvpn zone.  I got rid of all zone-pairs that connect the ezvpn zone to the guest zone as well.  I'll post my latest config shortly.

PatrickWare Fri, 05/18/2012 - 15:01

R1-881W#show run

Building configuration...

Current configuration : 11297 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname R1-881W

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 51200

logging console critical

enable secret 5 xxxxxxxxxxxxxxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

aaa session-id common

service-module wlan-ap 0 bootimage autonomous

!

crypto pki trustpoint TP-self-signed-1234567890

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1234567890

revocation-check none

rsakeypair TP-self-signed-1234567890

!

!

crypto pki certificate chain TP-self-signed-1234567890

certificate self-signed 01

  CERTIFICATE

        quit

no ip source-route

!

!

ip dhcp excluded-address 172.16.1.1 172.16.1.200

ip dhcp excluded-address 192.168.12.200 192.168.12.254

!

ip dhcp pool Private

   import all

   network 172.16.1.0 255.255.255.0

   default-router 172.16.1.1

   dns-server 172.16.1.1 255.255.255.0

!

ip dhcp pool Guest

   network 192.168.12.0 255.255.255.0

   default-router 192.168.12.1

   dns-server 192.168.12.1 255.255.255.0

!

!

ip cef

no ip bootp server

ip domain name lab.local

ip name-server 68.94.156.1

ip name-server 68.94.157.1

ip name-server 8.8.8.8

login block-for 120 attempts 5 within 60

login delay 3

!

no ipv6 cef

!

multilink bundle-name authenticated

parameter-map type regex ccp-regex-nonascii

pattern [^\x00-\x80]

!

!

username someuser privilege 15 secret 5 xxxxxxxxxxxxxxx

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group GROUPNAME

key GROUPKEY

dns 68.94.157.1

pool SDM_POOL_1

max-users 5

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group GROUPNAME

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set security-association idle-time 86400

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

archive

log config

  hidekeys

!

!

ip tcp synwait-time 10

ip ssh version 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-all SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP

match access-group name GUEST-TO-OUTSIDE_ACL

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 101

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

  pass

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_DHCP_CLIENT_PT

  pass

class class-default

  drop

policy-map type inspect GUEST-TO-OUTSIDE_PMAP

class type inspect GUEST-TO-OUTSIDE_CMAP

  inspect

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  inspect

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security guest-zone

zone security ezvpn-zone

zone-pair security ccp-zp-out-self source out-zone destination self

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-self-out source self destination out-zone

zone-pair security ccp-zp-guest-out source guest-zone destination out-zone

service-policy type inspect GUEST-TO-OUTSIDE_PMAP

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

!

!

!

interface Loopback0

no ip address

!

interface Null0

no ip unreachables

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description ISP Connection$FW_OUTSIDE$

ip address dhcp

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

no cdp enable

!

interface Virtual-Template1 type tunnel

ip unnumbered Vlan1

ip nat inside

ip virtual-reassembly

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface wlan-ap0

description Service module to manage the enbedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

interface Vlan1

description $FW_INSIDE$

ip address 172.16.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

interface Vlan11

description $FW_INSIDE$

ip address 10.10.10.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface Vlan12

description Guest Vlan$FW_INSIDE$

ip address 192.168.12.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security guest-zone

!

ip local pool SDM_POOL_1 172.168.1.100 172.168.1.120

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 dhcp

no ip http server

ip http authentication local

ip http secure-server

!

!

ip dns server

ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload

!

ip access-list extended GUEST-TO-OUTSIDE_ACL

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended NAT_ALLOWED

permit ip 172.16.1.0 0.0.0.255 any

permit ip 192.168.12.0 0.0.0.255 any

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

!

logging trap debugging

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip host 255.255.255.255 any

access-list 101 permit ip 127.0.0.0 0.255.255.255 any

no cdp run

!

!

!

!

!

control-plane

!

banner login ^CWarning!  Authorized Access Only!^C

!

line con 0

password 7 xxxxxxxxxxxxxxx

logging synchronous

no modem enable

transport output telnet

line aux 0

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

password 7 xxxxxxxxxxxxxxx

transport input telnet ssh

transport output telnet

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

PatrickWare Fri, 05/18/2012 - 15:40

Doing more digging it looks like the local crypto endpoint is the IP of my WAN DHCP interface (FastEthernet4) when I have ip unnumbered vlan1 specified under my VTI.  Is this normal?

interface Virtual-Template1 type tunnel

ip unnumbered Vlan1

ip nat inside

ip virtual-reassembly

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

I changed the WAN IP to 12.34.56.78 for this example below:

R1-881W#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

12.34.56.78   192.168.1.102   QM_IDLE           2001    0 ACTIVE

IPv6 Crypto ISAKMP SA

R1-881W#show crypto ipsec sa

interface: Virtual-Access2

    Crypto map tag: Virtual-Access2-head-0, local addr 12.34.56.78

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (172.168.1.100/255.255.255.255/0/0)

   current_peer 192.168.1.102 port 4108

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 6

     local crypto endpt.: 12.34.56.78, remote crypto endpt.: 192.168.1.102

     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4

     current outbound spi: 0x3E45F5DE(1044772318)

     inbound esp sas:

      spi: 0xE663CFEA(3865300970)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Virtual-Access2-head-0

        sa timing: remaining key lifetime (k/sec): (4502296/3407)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x3E45F5DE(1044772318)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel, }

        conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Virtual-Access2-head-0

        sa timing: remaining key lifetime (k/sec): (4502318/3407)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

Julio Carvaja Sat, 05/19/2012 - 00:45

Hello Patrick,

Can you change the following:

interface Virtual-Template1 type tunnel

ip unnumbered fastethernet 4

ip nat inside

ip virtual-reassembly

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

I would like you to add the following command:

Ip inspect log drop-pkt

This will show us all the logs regarding the firewall implementation,based on this we will know if the issue is do to the ZBFW...

Just do a show logging and we will see the logs but I do not think this is an issue with the ZBFW.

Regards,

DO rate al the helpful posts

Julio

PatrickWare Sat, 05/19/2012 - 17:41

Hello jcarvaja,

I made the changes, and here is some sample output below.  I tried web browsing with a VPN client, and I could not get to any websites, and there was NO output to the log when I tried to browse the web.

<190>554579: 3725687: *May 20 01:24:53.257 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137  192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:25:01.218   

<190>554580: 3725688: *May 20 01:25:23.421 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:25:31.375   

<190>554581: 3725689: *May 20 01:25:53.489 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:26:01.437   

<190>554582: 3725690: *May 20 01:26:32.409 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:26:40.359   

<190>554583: 3725691: *May 20 01:27:25.461 UTC: %FW-6-DROP_PKT: Dropping tcp session 12.34.56.78:51736 72.163.5.80:443  due to  RST inside current window with ip ident 0     172.16.1.1    19/05 19:27:33.421   

<190>554584: 3725692: *May 20 01:28:00.189 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:28:08.140   

<190>554585: 3725693: *May 20 01:28:30.389 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:28:38.343   

<190>554586: 3725694: *May 20 01:29:02.501 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:29:10.453   

<190>554587: 3725695: *May 20 01:30:04.809 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:30:12.765   

<191>554588: 3725696: *May 20 01:30:53.065 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled    172.16.1.1    19/05 19:31:00.328   

<190>554589: 3725697: *May 20 01:30:53.373 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137  due to  policy match failure with ip ident 0     172.16.1.1    19/05 19:31:01.328   

<189>554590: 3725698: *May 20 01:31:10.533 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up    172.16.1.1    19/05 19:31:18.500   

<188>554591: 3725699: *May 20 01:31:12.225 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=12.34.56.78, prot=50, spi=0x94040000(2483290112), srcaddr=192.168.1.109    172.16.1.1    19/05 19:31:20.187   

Julio Carvaja Tue, 05/22/2012 - 09:42

Hello Patrick,

Looks like the ZBFW is unable to  build a session with the unencrypted traffic.

Your Easy VPN users can connect to the Local LAN but they cannot go to the internet so this looks like a routing issue..

What happens if you disable the ZBFW? Does it work?

Regards,

Julio

chad.ciszewski Thu, 05/31/2012 - 12:44

Patrick -

Try changing your default route to theASA/PIX outside interface where the VPN terminates - ie,

you now have

ip route 0.0.0.0 0.0.0.0 dhcp

Try changing it to -

In this example 192.XXX.XXX.XXX is your public IP for the outside interface of your ASA -

ip route 0.0.0.0 0.0.0.0 192.XXX.XXX.XXX

ip route 192.XXX.XXX.XXX 255.255.255.255 dhcp

See if that works, once the tunnel is established, I do believe the ASA will route. 

rizwanr74 Thu, 05/31/2012 - 14:00

Hi Patrick,

your "GROUPNAME" missing acl variable for split-tunnel, so split the tunnel, your remote-vpn users will have access to web-browsing on their pc.

crypto isakmp client configuration group GROUPNAME

key somesharedkey

pool SDM_POOL_1

max-users 5

netmask 255.255.255.0

acl 99

access-list 99 permit ip 192.168.20.0 0.0.0.255

Please let me know, if this helps.

thanks

Rizwan Rafeek

PatrickWare Sat, 12/08/2012 - 20:03

I took some time away from this to do other things, but now have had the time to actually gett this working. 

Looks like I have it working finally.  I can reach the stuff on the inside and I can also NAT to the internet now. 

Here is what I did:

I changed this:

ip local pool SDM_POOL_1 172.168.1.100 172.168.1.120

and

ip access-list extended NAT_ALLOWED

permit ip 172.16.1.0 0.0.0.255 any

permit ip 192.168.12.0 0.0.0.255 any

to this:

ip local pool SDM_POOL_1 172.16.2.100 172.16.2.120

and

ip access-list extended NAT_ALLOWED

permit ip 172.16.1.0 0.0.0.255 any

permit ip 192.168.12.0 0.0.0.255 any

permit ip 172.16.2.0 0.0.0.255 any

Actions

Login or Register to take actions

This Discussion

Posted May 17, 2012 at 1:10 PM
Stats:
Replies:14 Avg. Rating:2.8
Views:1371 Votes:0
Shares:0

Related Content

Discussions Leaderboard