Cisco VPN Client Connection ZBFW problem on 2821 Router

Peterle123
Level 1

Hi experts,

In my testing environment, I'm having problems reaching hosts in the LAN when connected through the Cisco VPN Client, although I am at least able to connect successfully (with RADIUS authentication). Accessing local hosts used to work fine until I added a site-to-site VPN connection (via crypto map) and adjusted the class-maps and policy-maps to send any internal traffic freely through the site-to-site tunnel.

Would you mind giving me a hint about what might help me reach my hosts via the Cisco VPN Client again?

Thanks in advance!

Here's my setup:

Router Ports:

Gig0/0: IP: 192.168.1.2 /24 (LAN1: 192.168.1.0 /24)

Gig0/1: IP: 111.111.111.111 /29 (WAN)

Site-to-site-Connection: Remote Peer: 123.123.123.123 with LAN2: 192.168.2.0 /24 ; via cryptomap

Cisco-VPN-Client: assigned IP Pool: 192.168.1.55 - 192.168.1.59 ; via virtual-template2

Here is the config:

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router_2
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 4096
!
aaa new-model
!
!
aaa authentication login LocalUserList local
aaa authentication login VPN_Authentication group radius
aaa authorization network VPN_Authorization local
!
!
!
!
!
aaa session-id common
!
clock timezone CET 1 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
dot11 syslog
no ip source-route
!
!
ip cef
!
!
!
ip flow-cache timeout inactive 10
ip flow-cache timeout active 5
no ip bootp server
ip domain name mydomain.lan
ip name-server 192.168.1.11
!
multilink bundle-name authenticated
!
!
!
!
license udi pid CISCO2821 sn XXXXXXXXXXX
username root privilege 15 secret 4 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all VPN-TRAFFIC
 match access-group name ACL-VPN-TRAFFIC
class-map type inspect match-all NTP-SERVICE
 match access-group name ACL-NTP-SERVICE
class-map type inspect match-all PING-REPLY
 match access-group name ACL-PING-REPLY
class-map type inspect match-all LAN1-to-LAN2-TRAFFIC
 match access-group name ACL-LAN1-to-LAN2
class-map type inspect match-all LAN2-to-LAN1-TRAFFIC
 match access-group name ACL-LAN2-to-LAN1
class-map type inspect match-all INTERNET-TRAFFIC
 match access-group name ACL-LAN1-to-INTERNET
!
!
policy-map QoS-Force-BestEffort
 class class-default
  set dscp default
policy-map type inspect outside-to-router-policy
 class type inspect PING-REPLY
  drop
 class type inspect VPN-TRAFFIC
  pass
 class type inspect NTP-SERVICE
  inspect
 class class-default
  drop
policy-map type inspect inside-to-outside-policy
 class type inspect LAN1-to-LAN2-TRAFFIC
  pass
 class type inspect INTERNET-TRAFFIC
  inspect
 class class-default
  drop
policy-map type inspect outside-to-inside-policy
 class type inspect LAN2-to-LAN1-TRAFFIC
  pass
 class class-default
  drop
!
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-policy
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect outside-to-inside-policy
zone-pair security outside-to-router source outside destination self
 service-policy type inspect outside-to-router-policy
!
crypto logging ezvpn
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key XXXXXXXXXX address 123.123.123.123
!
crypto isakmp client configuration group CISCO-CLIENT-VPN
 key XXXXXXXXXXXXX
 dns 192.168.1.11
 domain mydomain.lan
 pool CLIENT-VPN-POOL
 acl 120
 max-users 5
crypto isakmp profile vpn-ike-profile-1
   match identity group CISCO-CLIENT-VPN
   client authentication list VPN_Authentication
   isakmp authorization list VPN_Authorization
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set TransformSet esp-3des esp-md5-hmac
!
crypto ipsec profile CLIENT-VPN-Profile-1
 set transform-set TransformSet
!
!
crypto map SITE-TO-SITE-CRYPTOMAP 10 ipsec-isakmp
 set peer 123.123.123.123
 set transform-set TransformSet
 match address VPN-TRAFFIC
!
!
!
!
!
interface GigabitEthernet0/0
 description INSIDE
 ip address 192.168.1.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex full
 speed 100
 no mop enabled
!
interface GigabitEthernet0/1
 description OUTSIDE
 ip address 111.111.111.111 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex full
 speed 100
 no mop enabled
 crypto map SITE-TO-SITE-CRYPTOMAP
 service-policy output QoS-Force-BestEffort
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CLIENT-VPN-Profile-1
!
ip local pool CLIENT-VPN-POOL 192.168.1.55 192.168.1.59
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 111.111.111.111 permanent
!
ip access-list extended ACL-LAN1-to-LAN2
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended ACL-LAN1-to-INTERNET
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended ACL-LAN2-to-LAN1
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended ACL-NTP-SERVICE
 permit udp any any eq ntp
ip access-list extended ACL-PING-REPLY
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
ip access-list extended ACL-VPN-TRAFFIC
 permit udp any any eq isakmp
 permit ahp any any
 permit esp any any
 permit udp any any eq non500-isakmp
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
access-list 100 remark -=NO NAT FOR SITE-TO-SITE-TRAFFIC=-
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark
access-list 120 remark -=CLIENT VPN=-
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.55
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.56
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.57
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.58
access-list 120 permit ip 192.168.1.0 0.0.0.255 host 192.168.1.59
access-list 120 remark
no cdp run
!
!
!
!
!
!
radius server MYRADIUS
 address ipv4 192.168.1.1 auth-port 1645 acct-port 1646
 timeout 5
 key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
line vty 5 15
!
scheduler allocate 20000 1000
end

3 Replies

Julio Carvajal
VIP Alumni

Hello Peter,

So you do connect, and you do get an IP address from the local pool set on the router, right? Do you see the status of the tunnel as up?

If the answers to the questions are yes, then proceed to the next step; otherwise let me know.

Here is the first thing I want you to do.

Add the following configuration:

parameter-map type inspect global
 log dropped-packets enable
 log summary flows 256 time-interval 30

So we can log as much information as possible.

Then try to connect, and then try to connect to an inside machine.

Finally, provide us the output of:

show logging | include x.x.x.x (your VPN pool address being used by the client)

Julio Carvajal

Remember to rate all of the helpful posts. For this community that's as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio!

Thanks for your support.

I also enabled the log dropped-packets function during my investigations yesterday. The strange thing was that I was able to see all packets, and also that the incoming packets from the connected client (with its assigned IP address) were passed successfully, but the destination of these packets was not the IP of the destination host itself but the whole network (192.168.1.0 255.255.255.0). Also, there was no response traffic logged from inside to the connected client.

So, desperately, I began removing one configuration line after another, ending up with a copy of a configuration I had backed up before, where I knew everything was working fine. I compared both configurations in WinMerge and they were absolutely equal, but I still wasn't able to ping a host. So I saved the config to the startup config and reloaded the router. DANG. Now it was working.

So I had no clue how this was possible. Maybe something went wrong during runtime. Since it was working again, I started configuring everything again line by line, up to the point of activating the firewall. As soon as I assigned the inside and outside zones to the physical interfaces but left out the virtual-template, the connection from the client got lost (of course). But after assigning the inside zone to the virtual-template (as I also did in the configuration above), it was working again.

Finally, I don't know where this came from. If someone is interested in the current running config (which is more or less the same; just some details differ from the config above), let me know.

After all, I'm happy everything is working again.

Cheers!
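A small config checker of the kind that would have flagged the state Peter describes (the Virtual-Template left out of every zone while the physical interfaces are zoned), added here as an example and not code from the thread. It parses a constructed IOS-style snippet modelled on the posted config and assumes sub-commands are indented with a leading space as in `show running-config`:

```python
# Constructed sample modelled on the thread's config: the Virtual-Template the
# VPN clients terminate on is shown here without a zone-member line.
SAMPLE_CONFIG = """\
zone security inside
zone security outside
zone-pair security inside-to-outside source inside destination outside
 service-policy type inspect inside-to-outside-policy
zone-pair security outside-to-inside source outside destination inside
 service-policy type inspect outside-to-inside-policy
policy-map type inspect inside-to-outside-policy
 class class-default
  drop
interface GigabitEthernet0/0
 ip address 192.168.1.2 255.255.255.0
 zone-member security inside
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
"""

def parse_blocks(text):
    """Group IOS config lines into (header, [sub-commands]) by indentation."""
    blocks, current = [], None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            current = (line.strip(), [])
            blocks.append(current)
        elif current:
            current[1].append(line.strip())
    return blocks

def check_zbfw(text):
    """Flag IP interfaces without a zone and zone-pairs whose policy-map is undefined."""
    blocks = parse_blocks(text)
    policies = {h.split()[-1] for h, _ in blocks if h.startswith("policy-map type inspect")}
    unzoned, missing = [], []
    for header, body in blocks:
        if header.startswith("interface "):
            # An interface in no zone cannot exchange traffic with a zoned one: ZBFW drops it.
            has_ip = any(l.startswith(("ip address", "ip unnumbered")) for l in body)
            if has_ip and not any(l.startswith("zone-member security") for l in body):
                unzoned.append(header.split()[1])
        elif header.startswith("zone-pair security"):
            svc = next((l.split()[-1] for l in body if l.startswith("service-policy")), None)
            if svc not in policies:
                missing.append(header.split()[2])
    return {"unzoned": unzoned, "missing_policy": missing}
```

Run against a full `show running-config` dump, it reports every IP-carrying interface that has no `zone-member security` and every zone-pair pointing at a policy-map that is not defined.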

Hello Peter,

Really strange thing.

Glad to know that it is up and running.

Based on the tests you have performed, I can tell you that the config seems to be good, so it might be a software problem.

Let's keep an eye on it and see what happens, okay?

Regards

Julio Carvajal Segura