07-08-2013 04:06 AM - edited 03-11-2019 07:08 PM
Hi experts,
In my testing environment, I'm having problems reaching hosts in the LAN when connected through Cisco VPN Client, while at least being able to connect successfully (with RADIUS authentication). Accessing local hosts used to work fine until I added a site-to-site VPN connection (via crypto map) and adjusted the class-maps and policy-maps to send any internal traffic freely through the site-to-site tunnel.
Would you mind giving me a hint about what might help me reach my hosts via Cisco VPN Client again?
Thanks in advance!
Here's my setup:
Router Ports:
Gig0/0: IP: 192.168.1.2 /24 (LAN1: 192.168.1.0 /24)
Gig0/1: IP: 111.111.111.111 /29 (WAN)
Site-to-site-Connection: Remote Peer: 123.123.123.123 with LAN2: 192.168.2.0 /24 ; via cryptomap
Cisco-VPN-Client: assigned IP Pool: 192.168.1.55 - 192.168.1.59 ; via virtual-template2
Here is the config:
version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router_2
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login LocalUserList local
aaa authentication login VPN_Authentication group radius
aaa authorization network VPN_Authorization local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
no ip bootp server
ip domain name mydomain.lan
ip name-server 192.168.1.11
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2821 sn XXXXXXXXXXX
username root privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all VPN-TRAFFIC
match access-group name ACL-VPN-TRAFFIC
class-map type inspect match-all NTP-SERVICE
match access-group name ACL-NTP-SERVICE
class-map type inspect match-all PING-REPLY
match access-group name ACL-PING-REPLY
class-map type inspect match-all LAN1-to-LAN2-TRAFFIC
match access-group name ACL-LAN1-to-LAN2
class-map type inspect match-all LAN2-to-LAN1-TRAFFIC
match access-group name ACL-LAN2-to-LAN1
class-map type inspect match-all INTERNET-TRAFFIC
match access-group name ACL-LAN1-to-INTERNET
!
!
policy-map QoS-Force-BestEffort
class class-default
set dscp default
policy-map type inspect outside-to-router-policy
class type inspect PING-REPLY
drop
class type inspect VPN-TRAFFIC
pass
class type inspect NTP-SERVICE
inspect
class class-default
drop
policy-map type inspect inside-to-outside-policy
class type inspect LAN1-to-LAN2-TRAFFIC
pass
class type inspect INTERNET-TRAFFIC
inspect
class class-default
drop
policy-map type inspect outside-to-inside-policy
class type inspect LAN2-to-LAN1-TRAFFIC
pass
class class-default
drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
service-policy type inspect inside-to-outside-policy
zone-pair security outside-to-inside source outside destination inside
service-policy type inspect outside-to-inside-policy
zone-pair security outside-to-router source outside destination self
service-policy type inspect outside-to-router-policy
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXXXXXXX address 123.123.123.123
!
crypto isakmp client configuration group CISCO-CLIENT-VPN
key XXXXXXXXXXXXX
dns 192.168.1.11
domain mydomain.lan
pool CLIENT-VPN-POOL
acl 120
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CISCO-CLIENT-VPN
client authentication list VPN_Authentication
isakmp authorization list VPN_Authorization
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set TransformSet esp-3des esp-md5-hmac
!
crypto ipsec profile CLIENT-VPN-Profile-1
set transform-set TransformSet
!
!
crypto map SITE-TO-SITE-CRYPTOMAP 10 ipsec-isakmp
set peer 123.123.123.123
set transform-set TransformSet
match address VPN-TRAFFIC
!
!
!
!
!
interface GigabitEthernet0/0
description INSIDE
ip address 192.168.1.2 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex full
speed 100
no mop enabled
!
interface GigabitEthernet0/1
description OUTSIDE
ip address 111.111.111.111 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex full
speed 100
no mop enabled
crypto map SITE-TO-SITE-CRYPTOMAP
service-policy output QoS-Force-BestEffort
!
interface Virtual-Template2 type tunnel
ip unnumbered GigabitEthernet0/0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security inside
tunnel mode ipsec ipv4
tunnel protection ipsec profile CLIENT-VPN-Profile-1
!
ip local pool CLIENT-VPN-POOL 192.168.1.55 192.168.1.59
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 111.111.111.111 permanent
!
ip access-list extended ACL-LAN1-to-LAN2
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended ACL-LAN1-to-INTERNET
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL-LAN2-to-LAN1
permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ACL-NTP-SERVICE
permit udp any any eq ntp
ip access-list extended ACL-PING-REPLY
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
ip access-list extended ACL-VPN-TRAFFIC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
ip access-list extended VPN-TRAFFIC
permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 100 remark -=NO NAT FOR SITE-TO-SITE-TRAFFIC=-
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark
access-list 120 remark -=CLIENT VPN=-
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.55
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.56
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.57
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.58
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.59
access-list 120 remark
no cdp run
!
!
!
!
!
!
radius server MYRADIUS
address ipv4 192.168.1.1 auth-port 1645 acct-port 1646
timeout 5
key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
line vty 5 15
!
scheduler allocate 20000 1000
end
07-08-2013 01:44 PM
Hello Peter,
So you do connect, you do get an IP address from the local pool set on the router, right? You do see the status of the tunnel as up?
If the answers to the questions are yes, then proceed to the next step; otherwise let me know.
Here is the first thing I want you to do
Add the following configuration:
parameter-map type inspect global
log dropped-packets enable
log summary flows 256 time-interval 30
So we can log as much information as possible.
Then try to connect, and try to connect to an inside machine.
Finally, provide us the output of:
show logging | include x.x.x.x (your VPN pool address being used by the client)
Julio Carvajal
Remember to rate all of the helpful posts. For this community that's as important as a thanks.
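The diagnostic step suggested above (enable drop logging, then filter `show logging` for the client's pool address) produces a stream of `%FW-6-DROP_PKT` messages that are tedious to read by hand. The following script is an added example, not part of the thread and not from Cisco: it parses constructed log lines approximating the IOS zone-based firewall drop message format, filters them by an address the way `| include` would, and then counts drops per zone-pair and class so the policy that is discarding the client's traffic stands out. The sample lines, the pool address 192.168.1.55 and the zone-pair names are taken from or modelled on the posted configuration; the exact message wording is an assumption.

```python
import re
from collections import Counter

# Constructed sample of "show logging" output, approximating the IOS
# %FW-6-DROP_PKT format. These are NOT lines from the poster's router.
SAMPLE_SHOW_LOGGING = """\
000123: *Jul  8 13:50:01.123 CEST: %FW-6-DROP_PKT: Dropping icmp session 192.168.1.55:0 192.168.1.11:0 on zone-pair outside-to-inside class class-default due to  DROP action found in policy-map with ip ident 0
000124: *Jul  8 13:50:02.456 CEST: %FW-6-DROP_PKT: Dropping tcp session 192.168.1.55:51234 192.168.1.11:445 on zone-pair outside-to-inside class class-default due to  DROP action found in policy-map with ip ident 0
000125: *Jul  8 13:50:03.789 CEST: %FW-6-DROP_PKT: Dropping udp session 192.168.2.77:5353 192.168.1.20:5353 on zone-pair outside-to-inside class class-default due to  DROP action found in policy-map with ip ident 0
000126: *Jul  8 13:50:04.012 CEST: %SYS-5-CONFIG_I: Configured from console by root on vty0 (192.168.1.10)
"""

# Fields of interest in a drop message (assumed format, see lead-in).
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\S+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"on zone-pair (?P<zone_pair>\S+) class (?P<cls>\S+)"
)


def parse_drops(text):
    """Return one dict per %FW-6-DROP_PKT line; other log lines are ignored."""
    drops = []
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            drops.append(m.groupdict())
    return drops


def drops_involving(text, address):
    """Drop messages where `address` is the source or destination.

    Equivalent of 'show logging | include <address>', restricted to
    firewall drops so unrelated lines mentioning the address are skipped.
    """
    return [d for d in parse_drops(text) if address in (d["src"], d["dst"])]


def summarize(drops):
    """Count drops per (zone-pair, class): the pair that shows up is the
    policy-map/class that needs a 'pass' or 'inspect' action."""
    return Counter((d["zone_pair"], d["cls"]) for d in drops)


if __name__ == "__main__":
    hits = drops_involving(SAMPLE_SHOW_LOGGING, "192.168.1.55")
    for d in hits:
        print(f'{d["proto"]:5} {d["src"]}:{d["sport"]} -> {d["dst"]}:{d["dport"]}  '
              f'zone-pair={d["zone_pair"]} class={d["cls"]}')
    for (zp, cls), n in summarize(hits).items():
        print(f"{n} drop(s) on zone-pair {zp}, class {cls}")
```

Paste the real `show logging` output into `SAMPLE_SHOW_LOGGING` (or read it from a file) and change the address to the pool IP the client received; a summary showing all drops in `class-default` of one zone-pair tells you which policy-map lacks a matching class.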
07-09-2013 07:04 AM
Hi Julio!
Thanks for your support.
I also enabled the log dropped-packets function during my investigations yesterday. The strange thing was that I was able to see all packets, and also that the incoming packets were successfully passed from the connected client (with its assigned IP address), but the destination of these packets was not the IP of the destination host itself, but the whole network (192.168.1.0 255.255.255.0). Also, there was no response traffic logged from inside to the connected client.
So, in desperation, I began removing one configuration line after another, ending up with a copy of a configuration I had backed up before, where I knew everything was working fine. I compared both configurations in WinMerge and they were absolutely equal, but I still wasn't able to ping a host. So I saved the config to the startup config and reloaded the router. DANG. Now it was working.
So I had no clue how this was possible. Maybe something went wrong during runtime. Since it was working again, I started configuring everything again line by line up to the point of activating the firewall. As soon as I assigned the inside and outside zones to the physical interfaces but left out the virtual-template, the connection from the client got lost (of course). But after assigning the inside zone to the virtual-template (as I also did in the configuration above), it was working again.
Finally, I don't know where this came from. If someone is interested in the current running config (which is more or less equal; just some details differ from the config above), let me know.
After all, I'm happy everything is working again.
Cheers!
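The point Peter rediscovered above, that every interface carrying IP traffic (the Virtual-Template included) must be a member of a zone once zone-based firewalling is enabled, because the firewall drops traffic between a zone member and a non-member, is easy to miss in a long running-config. The script below is an added example written for this thread, not code from the poster or from Cisco: it parses an IOS-style config excerpt modelled on the interfaces posted above, with the `zone-member security inside` line deliberately left off `Virtual-Template2` to reproduce the broken state, and reports any forwarding interface without a zone or referencing an undefined zone. The excerpt is constructed; the parsing assumes the conventional one-space indentation of `show running-config`.

```python
import re

# Constructed excerpt modelled on the posted config. Virtual-Template2 is
# missing its zone-member line on purpose (the broken state described above).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 description INSIDE
 ip address 192.168.1.2 255.255.255.0
 zone-member security inside
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address 111.111.111.111 255.255.255.248
 zone-member security outside
 crypto map SITE-TO-SITE-CRYPTOMAP
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CLIENT-VPN-Profile-1
!
interface Loopback0
 no ip address
 shutdown
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
zone-pair security outside-to-inside source outside destination inside
"""

# Same excerpt with the fix Peter applied: the virtual-template joins "inside".
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " ip unnumbered GigabitEthernet0/0\n",
    " ip unnumbered GigabitEthernet0/0\n zone-member security inside\n",
)


def parse_interfaces(config):
    """Map interface name -> list of its indented sub-commands."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split()[1]          # drop "type tunnel" etc.
            interfaces[current] = []
        elif raw.startswith(" ") and current is not None:
            interfaces[current].append(raw.strip())
        else:
            current = None                    # "!" or a global command ends the block
    return interfaces


def defined_zones(config):
    """Names declared with 'zone security <name>'."""
    return {m.group(1) for m in re.finditer(r"^zone security (\S+)", config, re.M)}


def zone_of(subcommands):
    for cmd in subcommands:
        m = re.match(r"zone-member security (\S+)", cmd)
        if m:
            return m.group(1)
    return None


def carries_ip(subcommands):
    """True if the interface has an IP address (or is unnumbered) and is not shut down."""
    has_ip = any(re.match(r"ip (address \d|unnumbered )", c) for c in subcommands)
    return has_ip and "shutdown" not in subcommands


def audit_zones(config):
    """Return (interface, problem) pairs for IP-forwarding interfaces that are
    in no zone or in a zone that was never defined."""
    zones = defined_zones(config)
    findings = []
    for name, cmds in parse_interfaces(config).items():
        if not carries_ip(cmds):
            continue
        zone = zone_of(cmds)
        if zone is None:
            findings.append((name, "no zone-member: traffic to/from zoned interfaces is dropped"))
        elif zone not in zones:
            findings.append((name, f"zone {zone!r} is not defined"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        findings = audit_zones(cfg)
        print(f"{label}: {len(findings)} finding(s)")
        for name, problem in findings:
            print(f"  {name}: {problem}")
```

Run it against a saved `show running-config`; on the broken excerpt it flags only `Virtual-Template2`, and on the fixed one it reports nothing. Loopback and shut-down interfaces are skipped since they do not forward traffic through the firewall.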
07-09-2013 09:21 AM
Hello Peter,
Really strange thing.
Glad to know it is up and running.
Based on the tests you have performed, I can tell you that the config seems to be good, so it might be a software problem.
Let's keep an eye on it and see what happens, okay?
Regards
Remember to rate all of the helpful posts. That's as important as a Thanks.
Julio Carvajal Segura