Need help to make my EZVPN work!

Difan Zhao (Level 5)

Very standard EZVPN configuration...

EZVPN clients can connect to the server (an 871 router) and they can ping the router; however, they can't ping computers inside the LAN, although those computers can ping the EZVPN clients without problems. Somebody please help! Thanks!

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CCSPHOMERTR
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
aaa new-model
!
!
aaa authentication login LOGIN_AUTHEN local
aaa authorization console
aaa authorization exec EXEC_AUTHOR local
aaa authorization network NETWORK_AUTHOR local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 100
 encr aes
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP
 key XXXXXXXX
 dns 10.0.0.254
 domain pc-pro.ca
 pool IPPOOL_EZVPN
 acl ACL_EZVPN_SPLIT
!
!
crypto ipsec transform-set IPSEC_TRANS_EZVPN esp-aes esp-md5-hmac
!
crypto dynamic-map EZVPN_DYNAMIC_MAP 1
 set transform-set IPSEC_TRANS_EZVPN
 reverse-route
!
!
crypto map VPN_MAP client authentication list LOGIN_AUTHEN
crypto map VPN_MAP isakmp authorization list NETWORK_AUTHOR
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 65535 ipsec-isakmp dynamic EZVPN_DYNAMIC_MAP discover
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.3
ip dhcp excluded-address 10.0.0.254
!
ip dhcp pool VLAN10_IP_POOL
   network 10.0.0.0 255.255.255.0
   default-router 10.0.0.254
   dns-server 10.0.0.254
   domain-name pc-pro.ca
!
ip dhcp pool VISTA_IP_POOL
   host 10.0.0.3 255.255.255.0
   client-identifier 0100.1a92.d12a.de
   default-router 10.0.0.254
   dns-server 10.0.0.254
   domain-name pc-pro.ca
!
!
no ip bootp server
ip domain name pc-pro.ca
!
multilink bundle-name authenticated
!
!
username support privilege 15 secret xxx
archive
 log config
  hidekeys
!
!
ip ssh rsa keypair-name RSA_SSH
!
!
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 ip address dhcp
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map VPN_MAP
!
interface Vlan1
 no ip address
!
interface Vlan10
 ip address 10.0.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool IPPOOL_EZVPN 10.255.255.1 10.255.255.253
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list ACL_NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.2 22 interface FastEthernet4 2222
!
ip access-list extended ACL_EZVPN_SPLIT
 permit ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended ACL_NAT
 deny ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
 exec-timeout 60 0
 authorization exec EXEC_AUTHOR
 login authentication LOGIN_AUTHEN
 no modem enable
line aux 0
line vty 0 4
 exec-timeout 60 0
 authorization exec EXEC_AUTHOR
 logging synchronous
 login authentication LOGIN_AUTHEN
 transport input ssh
!
scheduler max-task-time 5000
!
webvpn cef
end

8 Replies

Marwan ALshawi (VIP Alumni)

Change your split tunnel to the following:

Access-list 10 permit ip 10.0.0.0 0.0.0.255

It should work now.

Then:

crypto isakmp client configuration group EZVPN_GROUP
 acl 10

Good luck.

Please rate if helpful.

Thank you for your quick reply! However, it still doesn't work...

Here is my config now:

crypto isakmp client configuration group EZVPN_GROUP
 key XXXXXXXX
 dns 10.0.0.254
 domain pc-pro.ca
 pool IPPOOL_EZVPN
 acl 1
!
!
access-list 1 permit 10.0.0.0 0.0.0.255

By the way, a standard access-list can't specify "ip" in the list. That's not the problem, right?

I don't think the split tunneling works, because after the connection the client doesn't show the "secured routes" to 10.0.0.0. Instead it shows 0.0.0.0 255.255.255.255, just as if there were no split tunneling at all. I also tried without split tunneling, but that doesn't work either... Please advise. Thanks!

Marwan ALshawi (VIP Alumni)

Do the following.

Keep the split tunnel ACL as I told you, I mean the new one.

First change the client pool to:

ip local pool IPPOOL_EZVPN 10.200.200.1 10.200.200.253

Then change the NATing as follows:

ip nat inside source route-map NATING interface FastEthernet4 overload

route-map NATING permit 10
 match ip address ACL_NAT

ip access-list extended ACL_NAT
 deny ip 10.0.0.0 0.0.0.255 10.200.200.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any

About the "ip" in the split tunnel, don't worry.

Do as I told you before, the simple standard one.

And let me

Good luck.

Here is my config now:

crypto isakmp client configuration group EZVPN_GROUP
 key XXXXXXXX
 dns 10.0.0.254
 domain pc-pro.ca
 pool IPPOOL_EZVPN
 acl 1
!
!
ip local pool IPPOOL_EZVPN 10.200.200.1 10.200.200.253
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
route-map ROUTE_MAP_NAT permit 10
 match ip address ACL_NAT
!
ip access-list extended ACL_NAT
 deny ip 10.0.0.0 0.0.0.255 10.200.200.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any

Still doesn't work... The standard split-tunneling ACL doesn't seem to work. Please see the attachment. Anyway, the split tunneling shouldn't be the problem, right? Even without split tunneling it still won't work...

However, if I use "tracert" I do get a reply from the router (10.0.0.254) but no further reply. It seems like the router itself doesn't know how to forward the ping...

Please help! Thanks!

I just tried an extended ping on the router. I specified the source interface as F4 (the external interface) and pinged an internal IP, 10.0.0.3, and it couldn't get through. Is that normal? A normal ping works...

CCSPHOMERTR#ping
*Aug 4 20:58:30.420: %SYS-5-CONFIG_I: Configured from console by support on consol
Protocol [ip]:
Target IP address: 10.0.0.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: fastethernet 4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
Packet sent with a source address of 70.64.22.2
.....
Success rate is 0 percent (0/5)

CCSPHOMERTR#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

Hi dear,

Keep the config as I told you and as you have done after the change.

Only one thing I want you to change:

the split tunnel.

This one I have just tried and it's working:

access-list 100 permit ip 10.0.0.0 0.0.0.255 any

Then go to your VPN group configuration and do:

no acl 10

then:

acl 100

And let me know.

By the way, make a loopback interface and try to ping it after you change the split tunnel to acl 100.

Good luck.

Still the same... I don't think it's because of split tunneling. I should be able to ping the internal network even without split tunneling.

crypto isakmp client configuration group EZVPN_GROUP
 key XXXXXXXX
 dns 10.0.0.254
 domain pc-pro.ca
 pool IPPOOL_EZVPN
 acl 101
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any

Then fix the router problem,

and now your VPN config should be fine.

Good luck.

If you need any more help, just post here.

Please rate if helpful.
