Re: VPN client access to HQ LAN problems

l.maxwell · ‎09-22-2003

HI,

The VPN client is able to authenticate with no problems and I can ping the Ethernet interface of the router and other devices once connected.

The problem arises when I try to get to the mail server. I try telnet to the internal IP of the server 192.0.0.5 on port 25 to ascertain that I can establish an SMTP connection, once I try this I can no longer ping anything on the LAN. If I disconnect the VPN session and connect again I can then ping the LAN devices again until I try to access the mail server.

As you will be able to see in the config below I have created an access list (ACL 101) for split tunnelling and no NAT rule (ACL 105) so that the traffic over the VPN does not NAT for connection to the mail server over the VPN

The Mail server has a 1 to 1 NAT set up for SMTP and this is working fine form all external sources the problem is when I am using a VPN client connection to it.

I have tried client versions 4.01 and 3.6.2 for the connection and the IOS version I am using is c1700-k9o3sy7-mz.122-13.T3

Regards

Leig maxwell

Are there any problems that may be apparent in either what is being attempted or possibly the IOS version etc?

aaa authentication login userauthen local

aaa authorization network groupauthor local

aaa session-id common

ip subnet-zero

!

ip inspect name myfw cuseeme timeout 3600

ip inspect name myfw ftp timeout 3600

ip inspect name myfw rcmd timeout 3600

ip inspect name myfw realaudio timeout 3600

ip inspect name myfw smtp timeout 3600

ip inspect name myfw tftp timeout 30

ip inspect name myfw udp timeout 15

ip inspect name myfw tcp timeout 3600

ip inspect name myfw h323 timeout 3600

ip audit notify log

ip audit po max-events 100

ip cef

!

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnsession

key xxxxx

pool ippool

acl 101

!

crypto ipsec transform-set myset esp-3des esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

!

interface ATM0

no ip address

no ip mroute-cache

no atm ilmi-keepalive

pvc 0/38

encapsulation aal5mux ppp dialer

dialer pool-member 1

!

dsl operating-mode auto

!

interface FastEthernet0

ip address 192.0.0.27 255.255.255.0

ip access-group 122 out

ip nat inside

speed auto

!

interface Dialer1

ip address 217.x.x.x 255.255.255.248

ip access-group 111 in

ip nat outside

ip inspect myfw out

encapsulation ppp

dialer pool 1

ppp chap hostname xxx

ppp chap password xxx

ppp pap sent-username xxx password xxx

crypto map clientmap

!

ip local pool ippool 192.168.1.0 192.168.1.254

ip nat pool branch 217.x.x.x 217.x.x.x netmask 255.255.255.248

ip nat inside source route-map nonat interface Dialer1 overload

ip nat inside source static 192.0.0.5 217.x.x.x

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.1.1.0 255.255.255.0 192.0.0.6

ip http server

ip pim bidir-enable

!

ip access-list extended protocol

ip access-list extended service

!

no logging trap

access-list 1 permit 192.0.0.0 0.0.0.255

access-list 1 permit 192.1.1.0 0.0.0.255

access-list 20 permit 62.6.171.128 0.0.0.15

access-list 20 permit 192.0.0.0 0.0.0.255

access-list 101 permit ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 105 deny ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 105 permit ip 192.0.0.0 0.0.0.255 any

access-list 111 permit tcp any host 217.x.x.x eq smtp

access-list 111 permit ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 111 permit ip 192.168.1.0 0.0.0.255 192.0.0.0 0.0.0.255

access-list 111 permit tcp any any eq telnet

access-list 111 permit icmp any any administratively-prohibited

access-list 111 permit icmp any any echo

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any packet-too-big

access-list 111 permit icmp any any time-exceeded

access-list 111 permit icmp any any traceroute

access-list 111 permit icmp any any unreachable

access-list 111 permit udp any eq bootps any eq bootpc

access-list 111 permit udp any eq bootps any eq bootps

access-list 111 permit udp any eq domain any

access-list 111 permit esp any any

access-list 111 permit udp any any eq isakmp

access-list 111 permit udp any any eq 10000

access-list 111 permit tcp any any eq 1723

access-list 111 permit tcp any any eq 139

access-list 111 permit udp any any eq netbios-ns

access-list 111 permit udp any any eq netbios-dgm

access-list 111 permit gre any any

access-list 111 deny ip any any log

access-list 122 deny tcp any any eq telnet

access-list 122 permit ip any any

!

route-map nonat permit 10

match ip address 105

atdhingr · ‎09-22-2003

Have you been checking the : Transport|Allow Local LAN Access--checkbox

Thanks

Atul.

l.maxwell · ‎09-22-2003

I have not been using that option as the client needs not access anything on his LAN when connected to the HQ over the VPN tunnel.

Thanks

Leigh

svuorilehto · ‎09-24-2003

Hi!

>access-list 101 permit ip 192.0.0.0 0.0.0.255 192.168.1.0 0.0.0.255

Why do you enable split tunneling for this acl?? Split tunnel acl is used to denote traffic that's NOT sent to tunnel from client end...

Try taking that off...

SVu

iinis · ‎12-11-2003

Did you find a solution? It seems that the static NAT is processed before the VPN so that the mail server IP address is translated before it goes through the encryption process, so the client can no longer talk to the inside address. Is there an IOS fix for this "feature". It can be done on a PIX so there should be something to fix this on an IOS router. Can anyone help? I can't find any solutions on Cisco's site but this must be a common scenario.

You can fix it for dynamic NAT but not for static, as far as I can see.