05-26-2003 09:02 AM - edited 02-21-2020 12:34 PM
Hello !
I am new to Cisco routers. I am trying to learn everything by myself with the information I can find on cisco.com; I did most of the work without asking for help (the information you can find here is huge!)... but today there is something I cannot understand...
I am trying to configure our brand new 1721 router so people from our company can connect to the internal network via the latest Cisco VPN client for Win XP. It is almost working (I get connected), but I can't ping or get "pinged". There is something I did not understand with VPN & NAT, I think... could someone help me?
Here is some of the show run:
Current configuration : 6060 bytes
!
version 12.2
!
aaa new-model
!
aaa authentication login xauth_list local
aaa authorization network VertigoForces local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip name-server 193.252.19.3
ip name-server 193.252.19.4
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.200
ip dhcp excluded-address 192.168.0.230
!
ip dhcp pool FastEthernet
network 192.168.0.0 255.255.255.0
dns-server 193.252.19.3 193.252.19.4
default-router 192.168.0.1
lease 90
!
ip audit notify log
ip audit po max-events 100
ip reflexive-list timeout 120
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VertigoForces
key xxxx
dns 193.252.19.3 193.252.19.4
pool OurVertigoForces
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
set transform-set myset
!
!
!
crypto map mode client authentication list xauth_list
crypto map mode isakmp authorization list VertigoForces
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
no ip address
ip tcp adjust-mss 1452
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1
ip address 10.10.10.1 255.255.255.0
ip access-group Eth1_DMZ->All in
ip access-group Eth1_All->DMZ out
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
full-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
ip access-group DroitsLanVertigo in
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Dialer1
ip address negotiated
ip access-group Dialer1_Internet->Vertigo in
ip access-group Dialer1_Vertigo->Internet out
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname xxxxxx
ppp chap password xxx
crypto map mode
!
ip local pool OurVertigoForces 192.168.1.1 192.168.1.10
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.10 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 Ethernet1
ip route 192.168.0.0 255.255.255.0 FastEthernet0
ip route 192.168.1.0 255.255.255.0 Dialer1
no ip http server
!
!
ip access-list extended Dialer1_Internet->Vertigo
evaluate iptraffic
permit tcp any eq www any eq www
permit tcp any any eq www
permit tcp any any eq 1723
permit udp any any eq isakmp
permit tcp any any eq 500
permit tcp any any eq 1701
permit udp any any eq 1701
ip access-list extended Dialer1_Vertigo->Internet
permit ip any any reflect iptraffic
ip access-list extended DroitsLanVertigo
permit tcp 192.168.0.0 0.0.0.255 any eq domain
permit udp 192.168.0.0 0.0.0.255 any eq domain
permit tcp 192.168.0.0 0.0.0.255 any eq www
permit tcp 192.168.0.0 0.0.0.255 any eq pop3
permit tcp 192.168.0.0 0.0.0.255 any eq smtp
permit tcp 192.168.0.0 0.0.0.255 any eq ftp-data
permit tcp 192.168.0.0 0.0.0.255 any eq ftp
permit tcp 192.168.0.0 0.0.0.255 any eq 22
permit tcp 192.168.0.0 0.0.0.255 any eq telnet
permit tcp 192.168.0.0 0.0.0.255 any eq finger
permit tcp 192.168.0.0 0.0.0.255 any eq ident
permit tcp 192.168.0.0 0.0.0.255 any eq nntp
permit tcp 192.168.0.0 0.0.0.255 any eq 143
permit tcp 192.168.0.0 0.0.0.255 any eq 443
permit tcp 192.168.0.0 0.0.0.255 any eq 1723
permit tcp 192.168.0.0 0.0.0.255 any eq 5631
permit udp 192.168.0.0 0.0.0.255 any eq 5632
permit ip host 192.168.0.2 any
permit ip any host 10.10.10.10
ip access-list extended Eth1_All->DMZ
permit ip any any reflect dmztraffic
ip access-list extended Eth1_DMZ->All
evaluate dmztraffic
deny ip any 192.168.0.0 0.0.0.255
deny ip any 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended addr-pool
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip any 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
radius-server authorization permit missing Service-Type
!
I will have to configure a WINS server asap, but I am waiting for the ping command to work between the VPN clients (192.168.1.x) and our LAN (192.168.0.x)...
Does someone see what's going wrong in my config?
Thank you
Nicolas Anguelov
05-26-2003 10:58 PM
Try removing the access-lists from the interfaces, particularly the Dialer interface and the inside interface you're trying to ping across. You'll probably have to add the following to the "Dialer1_Internet->Vertigo" ACL:
> permit esp any any
> permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
> permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
When you have an inbound ACL on a crypto interface, you need to allow both the encrypted form AND the unencrypted form of the traffic in; currently you're only allowing ISAKMP (UDP 500) packets in.
Remove these:
> no ip nat inside source list 102 interface Dialer1 overload
> no access-list 102
and change ACL 101 to the following:
> access-list 101 permit ip 192.168.0.0 0.0.0.255 any
> access-list 101 permit ip 10.10.10.0 0.0.0.255 any
> access-list 101 deny ip any 192.168.1.0 0.0.0.255
That should get you closer. Overall I would simplify your config a bit; there are far too many things going on here to effectively troubleshoot. Only once everything works should you start applying all the ACLs and the like.
05-30-2003 08:22 AM
Ok! First I want to thank you! It solved some of the problem: I get connected, I can ping, but not everyone, which is really, really strange!!! I will try to explain the new problem:
First of all, our network is small, we have 3 subnets:
10.10.10.0/24 - DMZ, with 10.10.10.1 for default gateway, and a web server at 10.10.10.10
192.168.0.0/24 - our LAN with something like 20 computers/servers
192.168.1.0/24 - for VPN clients.
The VPN client is running on win XP pro
After the connection process, I can ping only 1 or 2 addresses on the 192.168.0.0 subnet, and not the others!!
If I first ping 192.168.0.6 (for example), I will be able to ping this address and this address only during the VPN session. The pings to other computers (alive, of course) will fail (timeout).
If I first ping 192.168.0.230, I will be able to ping this address and this address only.
Sometimes I can ping both one of the computers AND the LAN's default gateway (192.168.0.1).
Sometimes I can ping both 10.10.10.10 and 10.10.10.1, sometimes not.
I am unable to reach the web server 10.10.10.10 from Internet Explorer.
Every successful ping has more than 110ms.
The number of bypassed packets on VPN client is huge.
I tried VPN clients 4.0.1, 3.6.4, 3.6.3, same results. I tried to decrease the MTU, same results. I set DES instead of 3DES and tried some debugs, but I did not find what is going wrong. It is really frustrating.
Does someone have any suggestion?
Nicolas Anguelov.
Here is some of the new config:
The router is a 1721 VPN bundle with 2 Ethernet WICs, IOS 12.2(13)T1
aaa new-model
!
aaa authentication login xauth_list local
aaa authorization network xxxxx local
aaa session-id common
!
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxx
key xxxxxx
dns 193.252.19.3 193.252.19.4
pool OurVertigoForces
acl 199
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map mode client authentication list xauth_list
crypto map mode isakmp authorization list VertigoForces
crypto map mode client configuration address respond
crypto map mode 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
no ip address
ip tcp adjust-mss 1452
no ip mroute-cache
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Ethernet1
ip address 10.10.10.1 255.255.255.0
ip access-group Eth1_DMZ->All in
ip access-group Eth1_All->DMZ out
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
full-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.0.1 255.255.255.0
ip access-group DroitsLanVertigo in
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
speed auto
full-duplex
no cdp enable
!
interface Dialer1
ip address negotiated
ip access-group Dialer1_Internet->Vertigo in
ip access-group Dialer1_Vertigo->Internet out
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname fti/wwqpp7x@fti
ppp chap password 0 yRGyvzM
crypto map mode
!
ip local pool OurVertigoForces 192.168.1.1 192.168.1.10
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.10 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 Ethernet1
ip route 192.168.0.0 255.255.255.0 FastEthernet0
ip route 192.168.1.0 255.255.255.0 Dialer1
no ip http server
!
ip access-list extended Dialer1_Internet->Vertigo
evaluate iptraffic
permit tcp any eq www any eq www
permit tcp any any eq www
permit tcp any any eq 1723
permit udp any any eq isakmp
permit tcp any any eq 500
permit tcp any any eq 1701
permit udp any any eq 1701
permit esp any any
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended Dialer1_Vertigo->Internet
permit ip any any reflect iptraffic
permit esp any any
ip access-list extended DroitsLanVertigo
permit tcp 192.168.0.0 0.0.0.255 any eq domain
permit udp 192.168.0.0 0.0.0.255 any eq domain
permit tcp 192.168.0.0 0.0.0.255 any eq www
permit tcp 192.168.0.0 0.0.0.255 any eq pop3
permit tcp 192.168.0.0 0.0.0.255 any eq smtp
permit tcp 192.168.0.0 0.0.0.255 any eq ftp-data
permit tcp 192.168.0.0 0.0.0.255 any eq ftp
permit tcp 192.168.0.0 0.0.0.255 any eq 22
permit tcp 192.168.0.0 0.0.0.255 any eq telnet
permit tcp 192.168.0.0 0.0.0.255 any eq finger
permit tcp 192.168.0.0 0.0.0.255 any eq ident
permit tcp 192.168.0.0 0.0.0.255 any eq nntp
permit tcp 192.168.0.0 0.0.0.255 any eq 143
permit tcp 192.168.0.0 0.0.0.255 any eq 443
permit tcp 192.168.0.0 0.0.0.255 any eq 1723
permit tcp 192.168.0.0 0.0.0.255 any eq 5631
permit ip host 192.168.0.6 any
permit udp any any eq bootpc
permit udp any any eq bootps
permit ip any host 10.10.10.10
permit ip host 192.168.0.230 any
ip access-list extended Eth1_All->DMZ
permit ip any any reflect dmztraffic
ip access-list extended Eth1_DMZ->All
evaluate dmztraffic
deny ip any 192.168.0.0 0.0.0.255
permit ip any any
ip access-list extended addr-pool
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended timeout
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
access-list 199 permit ip any any
access-list 2000 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 2000 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
radius-server authorization permit missing Service-Type
06-03-2003 10:48 PM
Change access-list 101 (your NAT ACL) to the following:
access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
You have to stop the VPN traffic from being NAT'd, otherwise you'll never be able to get to it.
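A small first-match ACL evaluator, added here as an example and not part of the thread, that applies Cisco's ordering semantics to the two versions of access-list 101 from this thread (the one in the second posted config and the one suggested above). It shows why entry order matters: with the 192.168.0.0/24 permit listed first, a LAN host's reply to a VPN client in 192.168.1.0/24 matches that permit and is translated, while the reordered list exempts it and still translates Internet-bound traffic (198.51.100.7 is a constructed test address).

```python
import ipaddress

def _wild_to_net(addr, wildcard):
    """Turn a Cisco address/wildcard pair (0 bits must match) into a network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _wild_to_net(tokens[0], tokens[1]), tokens[2:]

def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in lines:
        tok = line.split()
        action = tok[2]
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries

def is_natted(acl, src_ip, dst_ip):
    """First matching entry wins; unmatched packets hit the implicit deny.
    In a NAT ACL, 'permit' means the packet is translated."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action == "permit"
    return False

# ACL 101 as it stood in the second posted config: the LAN permit comes first
ACL_101_POSTED = parse_acl([
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 101 deny ip any 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 10.10.10.0 0.0.0.255 any",
])
# ACL 101 as suggested in the reply: VPN-pool denies before the permits
ACL_101_FIXED = parse_acl([
    "access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 10.10.10.0 0.0.0.255 any",
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
])
```

Calling `is_natted(ACL_101_POSTED, "192.168.0.6", "192.168.1.3")` returns True (the LAN reply to the VPN client is translated), whereas the fixed list returns False for the same packet and True for `"192.168.0.6" -> "198.51.100.7"`.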
06-04-2003 01:10 AM
It's working...
I understood yesterday what was wrong in my tests... I already had this command in access-list 101: deny ip any 192.168.1.0 0.0.0.255. My problem was that, without a WINS server installed, I wanted to validate the VPN connection by trying to reach our internal web server, which was static NAT'd... When I removed the static NAT, everything worked great...