
IOS VPN with NAT…need ACL help?

k-brackley
Level 1

What am I overlooking? I have tried other posts, investigated known bugs with 12.2(13)T1, etc. to apply workarounds, but maybe my other configuration choices are interfering with my VPN setup.

I can establish a connection, authenticate locally, just fine. Cisco VPN client 3.6.3 stats show that I am encrypting traffic on the protected networks, but I can't get any traffic through to internal hosts once I've connected.

I've removed the security tags and replaced all public IP addresses with bogus ones in hopes that someone can point me to the obvious!

Thanks much.

----------

Current configuration : 5508 bytes
!
! Last configuration change at 22:24:38 PST Thu Feb 20 2003 by kevin
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip domain name mydomain.com
ip name-server 199.13.28.12
ip name-server 199.13.29.12
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
ip inspect name Ethernet_0_1 http java-list 99
ip inspect name Ethernet_0_1 rtsp
ip inspect name Ethernet_0_1 netshow
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 udp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpngroup
 key xxxxxxxxx
 dns 199.13.28.12 199.13.29.12
 domain mydomain.com
 pool vpnpool
 acl 110
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
mta receive maximum-recipients 0
!
!
interface Ethernet0/0
 description connected to Internet
 ip address 199.201.44.198 255.255.255.248
 ip access-group 101 in
 ip nat outside
 ip inspect Ethernet_0_0 in
 no ip route-cache
 no ip mroute-cache
 half-duplex
 crypto map clientmap
!
interface Serial0/0
 no ip address
 shutdown
!
interface Ethernet0/1
 description connected to Private
 ip address 192.168.1.254 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip inspect Ethernet_0_1 in
 half-duplex
!
ip local pool vpnpool 192.168.2.201 192.168.2.210
ip nat translation timeout 119
!!
!!--removed next line for VPN configuration
!!ip nat inside source list 1 interface Ethernet0/0 overload
!!--replaced with the following line...
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip nat inside source static 192.168.1.1 199.201.44.197
ip classless
ip route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
ip http server
ip http access-class 7
ip http authentication local
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.5.41.40
access-list 5 permit 192.5.41.41
access-list 5 deny any
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny any
access-list 99 deny any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp host 192.168.1.1 any eq www
access-list 100 permit ip host 192.168.1.1 any
access-list 100 permit tcp host 192.168.1.2 any eq www
access-list 100 permit ip host 192.168.1.2 any
access-list 100 deny ip host 192.168.1.253 any
access-list 100 permit ip any any
access-list 101 deny ip host 199.201.44.197 any
access-list 101 permit tcp any host 199.201.44.197 eq 22
access-list 101 permit tcp any host 199.201.44.197 eq www
access-list 101 permit tcp any host 199.201.44.197 eq 115
access-list 101 permit icmp any host 199.201.44.197
access-list 101 permit ip any host 199.201.44.198
access-list 101 permit tcp any host 199.201.44.197 eq 8000
access-list 101 permit tcp any host 199.201.44.197 eq 8080
access-list 101 permit tcp any host 199.201.44.197 eq 9090
access-list 101 permit udp any host 199.201.44.197 eq 7070
access-list 101 permit udp any host 199.201.44.197 eq 554
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 115
!
line con 0
 exec-timeout 0 0
 password 7 XXXXXXXXXXXXXXX
line aux 0
line vty 0 4
 password 7 XXXXXXXXXXXXXXXX
!
ntp clock-period 17208655
ntp source Ethernet0/0
ntp access-group peer 5
ntp access-group serve-only 7
ntp master 3
ntp server 192.5.41.41
ntp server 192.5.41.40
!
end

----------

Accepted Solution

gfullage
Cisco Employee

Config looks OK, you should be able to get to every internal host EXCEPT 192.168.1.1 with this setup. If you do a "sho cry ipsec sa" do you see Pkts Decaps incrementing, indicating you're seeing the traffic from the remote client? Do you see Pkts Encaps incrementing, indicating you're sending a reply back out to the client from the internal host?

As for 192.168.1.1, because you have this:

> ip nat inside source static 192.168.1.1 199.201.44.197

it overrides this:

> ip nat inside source route-map nonat interface Ethernet0/0 overload

for this host only, and so return traffic for just this host is still NAT'd even though you don't want it to be. To get around it you have to send traffic from this host through a loopback interface with no NAT enabled on it; this stops it being NAT'd and allows you to connect to it over the VPN. You can see http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically you need to add this:

interface loopback 0
 ip address 1.1.1.1 255.255.255.0
interface ethernet0/1
 ip policy route-map static
route-map static permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
access-list 120 permit ip host 192.168.1.1 192.168.2.0 0.0.0.255

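To make the NAT decision in the accepted answer concrete, here is an added Python model (not part of the thread and not IOS code) that evaluates the thread's own access-list 115, the static NAT entry and the answer's access-list 120 with IOS wildcard-mask semantics. The ordering it applies (static entry beats the route-map; traffic policy-routed via the loopback is never translated) is taken from the answer's explanation, not from IOS internals, and the client address 192.168.2.205 is an assumed pick from vpnpool.

```python
import ipaddress

def wild_match(addr, net, wildcard):
    """IOS wildcard-mask test: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.ip_address(addr))
    n = int(ipaddress.ip_address(net))
    care = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def acl_permits(acl, src, dst):
    """Extended ACL semantics: first matching entry wins, implicit deny at the end."""
    for action, s_net, s_wild, d_net, d_wild in acl:
        if wild_match(src, s_net, s_wild) and wild_match(dst, d_net, d_wild):
            return action == "permit"
    return False

# access-list 115 as posted: exempt LAN-to-VPN-pool traffic from the NAT route-map
ACL_115 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]
# access-list 120 from the answer: what route-map 'static' diverts to the loopback
ACL_120 = [("permit", "192.168.1.1", "0.0.0.0", "192.168.2.0", "0.0.0.255")]
# ip nat inside source static 192.168.1.1 199.201.44.197 (thread's bogus public IPs)
STATIC_NAT = {"192.168.1.1": "199.201.44.197"}
OUTSIDE_IF = "199.201.44.198"  # Ethernet0/0, target of the PAT overload

def egress_source(src, dst, policy_route=False):
    """Source address a LAN packet carries when it leaves Ethernet0/0.
    policy_route=True applies the answer's fix: traffic matching ACL 120 is
    sent via the loopback, which has no 'ip nat inside', so NAT never sees it."""
    if policy_route and acl_permits(ACL_120, src, dst):
        return src
    if src in STATIC_NAT:          # static entry wins over the route-map (as the answer says)
        return STATIC_NAT[src]
    if acl_permits(ACL_115, src, dst):
        return OUTSIDE_IF          # dynamic PAT via route-map nonat
    return src                     # route-map denies: untranslated, client sees the real address

if __name__ == "__main__":
    client = "192.168.2.205"       # assumed address from 'ip local pool vpnpool'
    for host in ("192.168.1.2", "192.168.1.1"):
        print(f"{host} -> {client}: as posted {egress_source(host, client)}, "
              f"with policy route {egress_source(host, client, True)}")
```

Running it shows 192.168.1.2 reaching the client untranslated while 192.168.1.1's replies leave as 199.201.44.197 until the policy route is added.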

3 Replies


Thank you!!

I think part of my problem was two-fold. One, I would ping and it would take a couple of packets before the ARP would kick-in…and I assumed after the first couple of pings that I still didn’t have it set up correctly.

Another issue is that the IP INSPECT statements on my public and private interfaces are interfering with the VPN somehow…

As you've stated, the configuration was okay for other hosts other than my static NAT'd host...but when I was testing, I wouldn’t just test it by pinging other hosts, but by connecting through ftp, telnet, http, or ssh...(on other internal hosts that aren’t statically nat'd)...as soon as I attempted to do this, my encrypted tunnel would cease to function.

The VPN would stay connected, and from the client, data was being passed to the protected networks...just nothing would pass through to internal hosts, so I thought my VPN config was at fault...and after that, I never tested beyond the first host (static NAT)...

I now see that if I remove the IDS "inspect" statements from my public and private interfaces, I will maintain a connection.

I could be overloading things with the IOS I am testing, or there could be a conflict with VPN tunnels or an ACL exception needed for this??

VPN and NAT are most important for me, so I’m willing to sacrifice this if not supported in combination.

JUSTIN LOUCKS
Level 1

I noticed you use a lot of ip inspect statements in your router config here. I have a handful of Cisco 17xx routers with the FW/IPSec/IDS IOS on them, but I have not turned on any of this functionality yet as I am not sure how it is used. Can you suggest any reading for this or explain briefly what the 'ip inspect' statements on the interfaces and in the body of the config are doing? Also, what kind of performance hit does the router and traffic flow encounter with this turned on?

Thank you,

Justin Loucks

jloucks@cardlog.com