Cisco 881 VPN connected but no local lan access

Thomas.Lim (Level 1)

I am new to configuring Cisco devices. I managed to configure the Cisco 881 to work as a router and VPN.

But at the remote computer there is no local LAN access.

My config is as below:

Current configuration : 5442 bytes
!
! Last configuration change at 08:30:12 UTC Mon Aug 15 2016 by cisco
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 xxxxxxxxxxx
enable password 7 xxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2833602029
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2833602029
 revocation-check none
 rsakeypair TP-self-signed-2833602029
!
!
crypto pki certificate chain TP-self-signed-2833602029
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32383333 36303230 3239301E 170D3136 30383034 31303235
  32365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 38333336
  30323032 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100FD21 EEA71109 0E9D4EDC 162D6DC1 04D293B4 718E04F6 768258D1 CF723901
  9BCA145B AD24F769 85C388E5 B95E06B1 CD5F115B 7BEC2CF0 498D9726 02F0143A
  61B742B1 912EBF91 7DBE18E7 A7299164 38C74E70 CB9B249A AF761A0E AFAA6D50
  8775C513 595CFF22 85CC24E1 3F5AE55E 00152187 EC937935 40579D65 00ED911A
  78A70203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 145EF67B F8BD4453 AFA39209 010393DA FFBA5168 5B301D06
  03551D0E 04160414 5EF67BF8 BD4453AF A3920901 0393DAFF BA51685B 300D0609
  2A864886 F70D0101 05050003 818100C5 661C7B88 DF646AA2 73093228 DDC1CB3F
  64E7D688 84B59724 20BB5A7A 6895EBD1 3BC9CD43 1475542C 787E8FDF 685B9B0E
  E31E94C7 37033236 821C2E72 414F1698 49D3504A 554BF3EB 09CEE466 97502648
  55F31AFA 7F063FEE 879E1D62 D6AA6C0D F90DA2C2 570F639A 8EE4A72D 9431365F
  89D6CDDA F14DCCF3 CE94804A AA95C5
        quit
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!


!
!
!
!
no ip bootp server
no ip domain lookup
ip cef
login block-for 10 attempts 10 within 10
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C881-K9 sn FGL201820WQ
!
!
username cisco privilege 15 password 7 xxxxxxxxx
username jhbpvpn secret 5 xxxxxxxx
!
!
!
!
no cdp run
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp client configuration group jhbpvpn
 key xxxxxxxx
 dns 10.249.8.36
 domain SGBP.COM
 pool VPN_CLIENT_POOL
 acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
 set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
!
!
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 10.10.10.180 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map EXT_MAP
!
interface Vlan1
 ip address 10.249.8.10 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
!
ip local pool VPN_CLIENT_POOL 10.249.20.220 10.249.20.230
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 10.249.8.36 80 10.10.10.180 80 extendable
ip route 0.0.0.0 0.0.0.0 10.10.10.177
!
ip access-list extended NAT
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 101 permit ip 10.249.8.0 0.0.0.255 any
access-list 110 permit ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255
access-list 110 permit ip 10.249.20.0 0.0.0.255 10.249.8.0 0.0.0.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
banner motd ^CUNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 exec-timeout 15 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 08114D5D1A0E0A051658
 login authentication local_auth
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
 transport output telnet ssh
!
scheduler allocate 20000 1000
!
!
!
end


Luke Oxley (Level 1)
[@Thomas.Lim@xmjqhx.com],

Thanks for your post. FYI - I'd suggest editing your initial post and sanitising your configuration as you've left a few bits in there that should be private.
I've inspected your configuration for you and can see a few issues; let's start off with the most serious one, NAT. You have included a NONAT statement. As the traffic from the remote end is logically on the "outside", when the return traffic from the inside tries to go to the remote client the router will attempt to NAT it. This will not work as it'll be trying to communicate with the remote peer incorrectly. Secondly, you have incorrectly set your tunnel access control list; this will be advertising the wrong routes to the client.
To remedy these issues, please follow the steps below.
1. Remove incorrect access control lists.
no ip access-list extended NAT
no access-list 101
no access-list 110
2. Recreate access control lists in the correct manner. Remember, access control lists need to be ordered correctly to work as desired. Traffic is filtered through the ACL top down and will follow the first match, not the most specific.
access-list 110 permit ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255
access-list 101 deny ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255
access-list 101 permit ip 10.249.8.0 0.0.0.255 any
crypto isakmp client configuration group jhbpvpn
acl 110
exit
ip nat inside source list 101 interface FastEthernet4 overload
3. Clean up any old translations, save and reload.
clear ip nat translations *
copy run start
reload
After the unit comes back up after the reload, please connect the remote client VPN and test connectivity once again. This should resolve the issue. If this does not work, I have a few more things that we can look in to further. I look forward to hearing back from you.

Kind regards,
Luke Oxley
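The ordering point in step 2 is easy to get wrong, so here is an added worked example (my own illustration, not code from the thread or from Cisco) that models IOS first-match ACL evaluation and the inside-to-outside order of operations, where NAT is applied before the crypto map is consulted. It takes the ACL numbers and subnets posted above and shows why the NAT exemption `deny` has to sit above the broad `permit`: with the original single-line ACL 101, or with the two corrected lines in the wrong order, the reply from the inside server is translated and never matches crypto ACL 110. The Internet destination 203.0.113.5 is a constructed documentation-range address, and the model only handles contiguous wildcard masks.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source and destination networks."""
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network.

    'any' means every address; a contiguous wildcard such as 0.0.0.255 is
    the inverse of a /24 mask. Non-contiguous wildcards are not handled here.
    """
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    mask_bits = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefixlen = bin(mask_bits).count("1")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def ace(action, src, src_wild, dst, dst_wild=None):
    """Build an ACE the way it is typed in IOS: action, source, wildcard, destination, wildcard."""
    return Ace(action, wildcard_to_network(src, src_wild), wildcard_to_network(dst, dst_wild))


def first_match(acl, src_ip, dst_ip):
    """IOS semantics: entries are evaluated top down and the first match wins.
    An ACL ends with an implicit deny, so no match means 'deny'."""
    s = ipaddress.IPv4Address(src_ip)
    d = ipaddress.IPv4Address(dst_ip)
    for entry in acl:
        if s in entry.src and d in entry.dst:
            return entry.action
    return "deny"


def classify_reply(nat_acl, crypto_acl, src_ip, dst_ip):
    """What the router does with an inside host's reply toward a VPN client.

    On the inside-to-outside path NAT runs before the crypto map is consulted.
    If the NAT ACL permits the packet its source is rewritten to the outside
    address, so it can no longer match a crypto ACL written for the inside
    subnet and never enters the tunnel. Only a packet that NAT leaves alone
    gets the chance to match the crypto ACL and be encrypted.
    """
    if first_match(nat_acl, src_ip, dst_ip) == "permit":
        return "natted"
    if first_match(crypto_acl, src_ip, dst_ip) == "permit":
        return "encrypted"
    return "cleartext"


# ACLs from the thread; the network numbers are the posted ones, the ordering is the point.
ORIGINAL_NAT_ACL = [ace("permit", "10.249.8.0", "0.0.0.255", "any")]
FIXED_NAT_ACL = [
    ace("deny", "10.249.8.0", "0.0.0.255", "10.249.20.0", "0.0.0.255"),  # NAT exemption first
    ace("permit", "10.249.8.0", "0.0.0.255", "any"),
]
SHADOWED_NAT_ACL = list(reversed(FIXED_NAT_ACL))  # same two entries, wrong order
CRYPTO_ACL_110 = [ace("permit", "10.249.8.0", "0.0.0.255", "10.249.20.0", "0.0.0.255")]

INSIDE_HOST = "10.249.8.36"     # the inside server from the posted config
VPN_CLIENT = "10.249.20.221"    # an address inside the posted VPN pool range
INTERNET_HOST = "203.0.113.5"   # constructed Internet destination (documentation range)


def summary():
    """Verdicts for the three NAT ACL variants, returned so they can be checked rather than only printed."""
    return {
        "original_to_client": classify_reply(ORIGINAL_NAT_ACL, CRYPTO_ACL_110, INSIDE_HOST, VPN_CLIENT),
        "fixed_to_client": classify_reply(FIXED_NAT_ACL, CRYPTO_ACL_110, INSIDE_HOST, VPN_CLIENT),
        "shadowed_to_client": classify_reply(SHADOWED_NAT_ACL, CRYPTO_ACL_110, INSIDE_HOST, VPN_CLIENT),
        "fixed_to_internet": classify_reply(FIXED_NAT_ACL, CRYPTO_ACL_110, INSIDE_HOST, INTERNET_HOST),
    }


if __name__ == "__main__":
    for name, verdict in summary().items():
        print(f"{name:>20}: {verdict}")
```

The `shadowed_to_client` case is the one to watch for in a review: the `deny` line is present in the configuration, so a quick read suggests the exemption exists, yet it is never reached because the `permit ... any` above it matches first. `show access-lists` on the router shows match counters per entry, which makes a shadowed entry visible as one whose counter never increments.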


After removing the incorrect access lists and recreating the access lists, the VPN from the remote computer via Cisco VPN Client was not successful.

[@Thomas.Lim@xmjqhx.com],

Great, thanks for letting me know. When you say not successful, do you mean that it didn't connect or that it did connect but couldn't ping the inside?
I believe this may be a reverse route injection issue which we can resolve easily, but to confirm this we need to go on to the next steps of troubleshooting. Leaving your access control lists as I advised, please can you report back to me with the following data:
1. Connect the remote client to the VPN and send me the output of an "ip config" and "route print" command. Then start a continuous ping (-t) going from the client to the IP address of the inside interface of the router. Leave this pinging while we continue with steps 2, 3 and 4.
2. With the remote client still connected and pinging, please send me the output of a "show ip route" command and "show ip int brief"
3. Now, we will see if the ICMP requests are even being encrypted and sent over the tunnel by the client. Run the following commands on the router and tell me if you see any ICMP echoes being generated in return for the ones coming from the client over the VPN.
debug ip icmp
term mon
4. Please confirm what version of Cisco VPN Client you are using and with the client connected go to the statistics tab and click on route detail, what networks are listed as secured routes?
5. Save your configuration and attach a sanitised version of the latest configuration, just so I have an up to date record of where we are.
Once I have the information from the points above, we should have a better understanding of what is not working exactly. I hope then we can resolve this for you.

Kind regards,
Luke


Noticed that now I can only connect to the VPN by using Cisco VPN Client ver 5.0.06.0110.
It still cannot ping local IPs and can't RDP to local computers.

1. ipconfig and route print as follows:
Windows IP Configuration
Ethernet adapter Local Area Connection:
   Media State. . . . . . . . . . . : Media disconnected
PPP adapter XXXXXXX
   Connection-specific DNS Suffix . :
   IPv4 Address . . . . . . . . . . : 14.100.54.172
   Subnet Mask. . . . . . . . . . . : 255.255.255.255
   Default Gateway  . . . . . . . . : 0.0.0.0
Ethernet adapter Local Area Connection 2:
   Connection-specific DNS Suffix . : SGBP.COM
   IPv4 Address . . . . . . . . . . : 10.249.8.221
   Subnet Mask. . . . . . . . . . . : 255.0.0.0
   Default Gateway  . . . . . . . . :


IPv4 Route Table
===========================================================================
Active Routes:
Network Destination         Netmask         Gateway       Interface  Metric
          0.0.0.0           0.0.0.0        On-link    14.100.54.172      31
         10.0.0.0         255.0.0.0        On-link    10.249.20.221     286
       10.249.8.0     255.255.255.0        10.0.0.1   10.249.20.221     100
    10.249.20.221   255.255.255.255        On-link    10.249.20.221     286
   10.255.255.255   255.255.255.255        On-link    10.249.20.221     286
    14.100.54.172   255.255.255.255        On-link    14.100.54.172     286
     10.10.10.180   255.255.255.255        On-link    14.100.54.172     100
        127.0.0.0         255.0.0.0        On-link        127.0.0.1    4531
        127.0.0.1   255.255.255.255        On-link        127.0.0.1    4531
  127.255.255.255   255.255.255.255        On-link        127.0.0.1    4531
        224.0.0.0         240.0.0.0        On-link        127.0.0.1    4531
        224.0.0.0         240.0.0.0        On-link    14.100.54.172      31
        224.0.0.0         240.0.0.0        On-link    10.249.20.221     286
  255.255.255.255   255.255.255.255        On-link        127.0.0.1    4531
  255.255.255.255   255.255.255.255        On-link    14.100.54.172     286
  255.255.255.255   255.255.255.255        On-link    10.249.20.221     286
============================================================================
Persistent Routes:
  Network Address         Network   Gateway Address     Metric
          0.0.0.0         0.0.0.0       10.249.8.10     Default


2. show ip route and show ip int brief results as follows:
JHBPRouter#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override

Gateway of last resort is 10.10.10.177 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.10.10.177
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.249.8.0/24 is directly connected, Vlan1
L        10.249.8.10/32 is directly connected, Vlan1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.176/29 is directly connected, FastEthernet4
L        10.10.10.180/32 is directly connected, FastEthernet4

JHBPRouter#show ip int brief
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0              unassigned      YES unset  up                    up
FastEthernet1              unassigned      YES unset  up                    up
FastEthernet2              unassigned      YES unset  up                    down
FastEthernet3              unassigned      YES unset  up                    down
FastEthernet4              10.10.10.180    YES NVRAM  up                    up
NVI0                       10.10.10.180    YES unset  up                    up
Vlan1                      10.249.8.10     YES NVRAM  up                    up

JHBPRouter#

3. debug ip icmp and term mon
JHBPRouter#debug ip icmp
ICMP packet debugging is on
JHBPRouter#term mon
% Console already monitors

4. Cisco VPN Client ver 5.0.06.0110
    Network : 10.249.8.0
Subnet Mask : 255.255.255.0

5.

[@Thomas.Lim@xmjqhx.com],

Something is very much amiss here. Your "ip config" on the client machine does not show an adapter installed for Cisco VPN Client. You should have one with an IPv4 address in the 10.249.20.0 VPN pool range. This would explain why the ICMP requests are not being sent over the tunnel and seen by the ICMP debug. Not only this, but the router has no route to the VPN subnet when you're connected; this should be added automatically upon connection establishment.
Give me a while to pick through the configuration and spin this up in my lab environment. I'll come back to you.

Kind regards,
Luke


The configuration "no mode tunnel" seems not to be accepted by the device.

Running configuration as below:

crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 no mode tunnel

or

no crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac

crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 no mode tunnel

still results in the configuration

crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 mode tunnel

and the configuration below has been added automatically:

line con 0
 exec-timeout 5 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 access-class sl_def_acl in
 exec-timeout 15 0
 ipv6 access-class sl_def_ipv6_acl in
 login authentication local_auth
 transport output telnet
line vty 0 4
 access-class sl_def_acl in
 privilege level 15
 password 7 107E080A16001D190857
 ipv6 access-class sl_def_ipv6_acl in
 login authentication local_auth
 transport input telnet ssh
 transport output telnet ssh
line vty 5 15
 access-class sl_def_acl in
 privilege level 15
 ipv6 access-class sl_def_ipv6_acl in
 transport input telnet ssh
 transport output telnet ssh

I found the reason why it fails. It is my fault: I connected this device to the existing local network, which already has a Cisco PIX.

[@Thomas.Lim@xmjqhx.com],

OK - I've taken a closer look and can see some missing links. These may explain why traffic isn't being encrypted over the tunnel from the client. Please add the following lines of configuration to your headend.
crypto isakmp client configuration address-pool local VPN_CLIENT_POOL
crypto isakmp xauth timeout 60
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
 no mode tunnel

crypto dynamic-map EXT_DYNAMIC_MAP 10
 reverse-route
Also, when connecting to the VPN please ensure the client machine is logically on the outside of the router only. I can see from your "ip config" that it also has an address in the 10.249.8.0 range (internal subnet). If the client also has a leg in to that internal network when trying to connect to the VPN then it negates the point of the tunnel and may mess up the routing.
Let me know how you get along.

Kind regards,
Luke
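Two of the checks Luke asks for in this thread, that the client actually received an address from the VPN pool and that it is not also sitting directly on the internal subnet, can be read straight off a Windows `route print`. The following is an added example of my own (not code from the thread, from Cisco, or from the VPN client) that parses the active-routes section, picks the route Windows would use for the router's inside interface by longest prefix and then lowest metric, and reports the three conditions. Both route tables are constructed samples in `route print` layout, with 198.51.100.7 standing in for the client's public address; the pool, internal subnet and inside interface default to the values posted in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed samples in Windows 'route print' layout (not the poster's real output).
# BROKEN: no adapter in the VPN pool, and a second NIC sitting on the internal subnet.
BROKEN_ROUTE_PRINT = """\
Network Destination         Netmask         Gateway       Interface  Metric
          0.0.0.0           0.0.0.0        On-link     198.51.100.7      31
       10.249.8.0     255.255.255.0        On-link     10.249.8.221     276
     10.249.8.221   255.255.255.255        On-link     10.249.8.221     276
     198.51.100.7   255.255.255.255        On-link     198.51.100.7     286
        127.0.0.0         255.0.0.0        On-link        127.0.0.1    4531
Persistent Routes:
          0.0.0.0           0.0.0.0       10.249.8.10     Default
"""

# HEALTHY: pool adapter present, internal subnet reached only through it.
HEALTHY_ROUTE_PRINT = """\
Network Destination         Netmask         Gateway       Interface  Metric
          0.0.0.0           0.0.0.0        On-link     198.51.100.7      31
       10.249.8.0     255.255.255.0         10.0.0.1    10.249.20.221     100
    10.249.20.221   255.255.255.255        On-link    10.249.20.221     286
     10.10.10.180   255.255.255.255        On-link     198.51.100.7     100
     198.51.100.7   255.255.255.255        On-link     198.51.100.7     286
        127.0.0.0         255.0.0.0        On-link        127.0.0.1    4531
"""

ROUTE_LINE = re.compile(
    r"^\s*(?P<dest>\d+(?:\.\d+){3})\s+(?P<mask>\d+(?:\.\d+){3})\s+"
    r"(?P<gw>On-link|\d+(?:\.\d+){3})\s+(?P<iface>\d+(?:\.\d+){3})\s+(?P<metric>\d+)\s*$"
)


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: ipaddress.IPv4Address
    metric: int


def parse_route_print(text):
    """Keep only active route lines. Headers, separators and the persistent
    routes block (whose last column is 'Default', not a number) do not match."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_LINE.match(line)
        if not m:
            continue
        net = ipaddress.IPv4Network(f"{m['dest']}/{m['mask']}", strict=False)
        routes.append(Route(net, m["gw"], ipaddress.IPv4Address(m["iface"]), int(m["metric"])))
    return routes


def best_route(routes, dst):
    """Longest prefix wins; among equal prefixes the lowest metric wins."""
    d = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if d in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def check_client(text, vpn_pool="10.249.20.0/24", internal="10.249.8.0/24",
                 inside_router="10.249.8.10"):
    """The three conditions from the thread, evaluated against one route table."""
    pool = ipaddress.IPv4Network(vpn_pool)
    inside = ipaddress.IPv4Network(internal)
    routes = parse_route_print(text)
    interfaces = {r.interface for r in routes}
    via = best_route(routes, inside_router)
    return {
        # The VPN client adapter should own an address from the pool.
        "vpn_adapter_up": any(i in pool for i in interfaces),
        # The client should not also sit directly on the internal subnet.
        "leg_in_internal": any(i in inside for i in interfaces),
        # Traffic for the router's inside interface should leave via the pool adapter.
        "inside_via_vpn": via is not None and via.interface in pool,
    }


if __name__ == "__main__":
    print("broken :", check_client(BROKEN_ROUTE_PRINT))
    print("healthy:", check_client(HEALTHY_ROUTE_PRINT))
```

When `leg_in_internal` is true the host can reach 10.249.8.0/24 on-link, so even a correctly established tunnel is bypassed and the pings never hit the crypto map, which is consistent with an ICMP debug on the router showing nothing.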

