VPN client connected to 1721 router with VPN server & NAT

anguelov
Level 1

Hello !

I am new with Cisco routers. I am trying to learn everything by myself with the information I can find on cisco.com; I did most of the work without asking for help (the information you can find here is huge!)... but today there is something I cannot understand...

I am trying to configure our brand new 1721 router so people from our company can connect to the internal network via the latest Cisco VPN client for Win XP. It is almost working (I get connected), but I can't ping or get "pinged". There is something I did not understand with VPN & NAT, I think... could someone help me?

Here is some of the show run:

Current configuration : 6060 bytes
!
version 12.2
!
aaa new-model
!
aaa authentication login xauth_list local
aaa authorization network VertigoForces local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip name-server 193.252.19.3
ip name-server 193.252.19.4
no ip dhcp conflict logging
ip dhcp excluded-address 192.168.0.1
ip dhcp excluded-address 192.168.0.200
ip dhcp excluded-address 192.168.0.230
!
ip dhcp pool FastEthernet
 network 192.168.0.0 255.255.255.0
 dns-server 193.252.19.3 193.252.19.4
 default-router 192.168.0.1
 lease 90
!
ip audit notify log
ip audit po max-events 100
ip reflexive-list timeout 120
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VertigoForces
 key xxxx
 dns 193.252.19.3 193.252.19.4
 pool OurVertigoForces
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
 set transform-set myset
!
crypto map mode client authentication list xauth_list
crypto map mode isakmp authorization list VertigoForces
crypto map mode client configuration address respond
crypto map mode 1 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 no ip address
 ip tcp adjust-mss 1452
 no ip mroute-cache
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1
 ip address 10.10.10.1 255.255.255.0
 ip access-group Eth1_DMZ->All in
 ip access-group Eth1_All->DMZ out
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 full-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group DroitsLanVertigo in
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip access-group Dialer1_Internet->Vertigo in
 ip access-group Dialer1_Vertigo->Internet out
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxxxxx
 ppp chap password xxx
 crypto map mode
!
ip local pool OurVertigoForces 192.168.1.1 192.168.1.10
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.10 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 Ethernet1
ip route 192.168.0.0 255.255.255.0 FastEthernet0
ip route 192.168.1.0 255.255.255.0 Dialer1
no ip http server
!
ip access-list extended Dialer1_Internet->Vertigo
 evaluate iptraffic
 permit tcp any eq www any eq www
 permit tcp any any eq www
 permit tcp any any eq 1723
 permit udp any any eq isakmp
 permit tcp any any eq 500
 permit tcp any any eq 1701
 permit udp any any eq 1701
ip access-list extended Dialer1_Vertigo->Internet
 permit ip any any reflect iptraffic
ip access-list extended DroitsLanVertigo
 permit tcp 192.168.0.0 0.0.0.255 any eq domain
 permit udp 192.168.0.0 0.0.0.255 any eq domain
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
 permit tcp 192.168.0.0 0.0.0.255 any eq ftp-data
 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
 permit tcp 192.168.0.0 0.0.0.255 any eq 22
 permit tcp 192.168.0.0 0.0.0.255 any eq telnet
 permit tcp 192.168.0.0 0.0.0.255 any eq finger
 permit tcp 192.168.0.0 0.0.0.255 any eq ident
 permit tcp 192.168.0.0 0.0.0.255 any eq nntp
 permit tcp 192.168.0.0 0.0.0.255 any eq 143
 permit tcp 192.168.0.0 0.0.0.255 any eq 443
 permit tcp 192.168.0.0 0.0.0.255 any eq 1723
 permit tcp 192.168.0.0 0.0.0.255 any eq 5631
 permit udp 192.168.0.0 0.0.0.255 any eq 5632
 permit ip host 192.168.0.2 any
 permit ip any host 10.10.10.10
ip access-list extended Eth1_All->DMZ
 permit ip any any reflect dmztraffic
ip access-list extended Eth1_DMZ->All
 evaluate dmztraffic
 deny ip any 192.168.0.0 0.0.0.255
 deny ip any 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended addr-pool
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 deny ip any 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
radius-server authorization permit missing Service-Type
!

I will have to configure a WINS server asap, but I am waiting for the ping command to work between the vpn clients (192.168.1.x) and our LAN (192.168.0.x)...

Does someone see what's going wrong in my config?

Thank you

Nicolas Anguelov

4 Replies

gfullage
Cisco Employee

Try removing the access-lists off the interfaces, particularly the Dialer interface and the inside interface you're trying to ping across. You'll probably have to add the following to the "Dialer1_Internet->Vertigo" ACL:

> permit esp any any
> permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
> permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

When you have an inbound ACL on a crypto interface, you need to allow both the encrypted form AND the unencrypted form of the traffic in; currently you're only allowing ISAKMP (UDP 500) packets in.

Remove these:

> no ip nat inside source list 102 interface Dialer1 overload
> no access-list 102

and change ACL 101 to the following:

> access-list 101 permit ip 192.168.0.0 0.0.0.255 any
> access-list 101 permit ip 10.10.10.0 0.0.0.255 any
> access-list 101 deny ip any 192.168.1.0 0.0.0.255

That should get you closer. Overall I would simplify your config a bit; there are far too many things going on here to effectively troubleshoot. Only once everything works should you start applying all the ACLs and the like.

Ok! First I want to thank you! It solved some of the problem… I get connected, I can ping… but not everyone, which is really, really strange!!! I will try to explain the new problem:

First of all, our network is small, we have 3 subnets:

10.10.10.0/24 - DMZ, with 10.10.10.1 for default gateway, and a web server at 10.10.10.10

192.168.0.0/24 - our LAN with something like 20 computers/servers

192.168.1.0/24 - for VPN clients.

The VPN client is running on win XP pro

After the connection process, I can ping only 1 or 2 addresses on the 192.168.0.0 subnet, and not the others!!

If I first ping 192.168.0.6 (for example), I will be able to ping this address and this address only during the VPN session. The pings on other computers (alive of course) will fail (timeout)…

If I first ping 192.168.0.230, I will be able to ping this address and this address only…

Sometimes I can ping both one of the computers AND the LAN's default gateway (192.168.0.1)…

Sometimes I can ping both 10.10.10.10 and 10.10.10.1, sometimes not.

I am unable to reach the web server 10.10.10.10 from internet explorer…

Every successful ping has more than 110ms.

The number of “bypassed packets” on VPN client is huge.

I tried VPN clients 4.0.1, 3.6.4, 3.6.3, same results. I tried to decrease the MTU, same results. I set DES instead of 3DES… tried some debugs, but I did not find what is going wrong… it is really frustrating…

Does someone have any suggestion?

Nicolas Anguelov.

Here is some of the “new” config:

The router is 1721 bundle VPN with 2 ethernet WICs, IOS 12.2(13)T1

aaa new-model
!
aaa authentication login xauth_list local
aaa authorization network xxxxx local
aaa session-id common
!
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
crypto isakmp policy 3
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxxx
 key xxxxxx
 dns 193.252.19.3 193.252.19.4
 pool OurVertigoForces
 acl 199
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map mode client authentication list xauth_list
crypto map mode isakmp authorization list VertigoForces
crypto map mode client configuration address respond
crypto map mode 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 no ip address
 ip tcp adjust-mss 1452
 no ip mroute-cache
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
!
interface Ethernet1
 ip address 10.10.10.1 255.255.255.0
 ip access-group Eth1_DMZ->All in
 ip access-group Eth1_All->DMZ out
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 full-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.0.1 255.255.255.0
 ip access-group DroitsLanVertigo in
 ip nat inside
 ip tcp adjust-mss 1452
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
!
interface Dialer1
 ip address negotiated
 ip access-group Dialer1_Internet->Vertigo in
 ip access-group Dialer1_Vertigo->Internet out
 ip mtu 1492
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname fti/wwqpp7x@fti
 ppp chap password 0 yRGyvzM
 crypto map mode
!
ip local pool OurVertigoForces 192.168.1.1 192.168.1.10
ip nat inside source list 101 interface Dialer1 overload
ip nat inside source static tcp 10.10.10.10 80 interface Dialer1 80
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.10.10.0 255.255.255.0 Ethernet1
ip route 192.168.0.0 255.255.255.0 FastEthernet0
ip route 192.168.1.0 255.255.255.0 Dialer1
no ip http server
!
ip access-list extended Dialer1_Internet->Vertigo
 evaluate iptraffic
 permit tcp any eq www any eq www
 permit tcp any any eq www
 permit tcp any any eq 1723
 permit udp any any eq isakmp
 permit tcp any any eq 500
 permit tcp any any eq 1701
 permit udp any any eq 1701
 permit esp any any
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended Dialer1_Vertigo->Internet
 permit ip any any reflect iptraffic
 permit esp any any
ip access-list extended DroitsLanVertigo
 permit tcp 192.168.0.0 0.0.0.255 any eq domain
 permit udp 192.168.0.0 0.0.0.255 any eq domain
 permit tcp 192.168.0.0 0.0.0.255 any eq www
 permit tcp 192.168.0.0 0.0.0.255 any eq pop3
 permit tcp 192.168.0.0 0.0.0.255 any eq smtp
 permit tcp 192.168.0.0 0.0.0.255 any eq ftp-data
 permit tcp 192.168.0.0 0.0.0.255 any eq ftp
 permit tcp 192.168.0.0 0.0.0.255 any eq 22
 permit tcp 192.168.0.0 0.0.0.255 any eq telnet
 permit tcp 192.168.0.0 0.0.0.255 any eq finger
 permit tcp 192.168.0.0 0.0.0.255 any eq ident
 permit tcp 192.168.0.0 0.0.0.255 any eq nntp
 permit tcp 192.168.0.0 0.0.0.255 any eq 143
 permit tcp 192.168.0.0 0.0.0.255 any eq 443
 permit tcp 192.168.0.0 0.0.0.255 any eq 1723
 permit tcp 192.168.0.0 0.0.0.255 any eq 5631
 permit ip host 192.168.0.6 any
 permit udp any any eq bootpc
 permit udp any any eq bootps
 permit ip any host 10.10.10.10
 permit ip host 192.168.0.230 any
ip access-list extended Eth1_All->DMZ
 permit ip any any reflect dmztraffic
ip access-list extended Eth1_DMZ->All
 evaluate dmztraffic
 deny ip any 192.168.0.0 0.0.0.255
 permit ip any any
ip access-list extended addr-pool
ip access-list extended inacl
ip access-list extended key-exchange
ip access-list extended protocol
ip access-list extended timeout
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 deny ip any 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
access-list 199 permit ip any any
access-list 2000 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 2000 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
radius-server authorization permit missing Service-Type

Change access-list 101 (your NAT ACL) to the following:

access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any

You have to stop the VPN traffic from being NAT'd, otherwise you'll never be able to get to it.
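The reason the entry order matters: IOS evaluates an ACL top-down and stops at the first match, so a "deny ... 192.168.1.0" placed after "permit 192.168.0.0 ... any" never fires for LAN sources and the LAN-to-VPN traffic still gets NAT'd. The following added example (written for this thread, not Cisco code) models that first-match evaluation over the two versions of access-list 101 posted above; the flow addresses are constructed from the subnets in the thread.

```python
import ipaddress

# Constructed model of IOS first-match ACL evaluation for the NAT ACL in this
# thread (not IOS code). Entries look like the thread's "access-list 101" lines.
ACL_101_ORIGINAL = [  # order from the poster's second config
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 101 deny ip any 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 10.10.10.0 0.0.0.255 any",
]
ACL_101_FIXED = [  # order suggested in the reply: deny VPN traffic first
    "access-list 101 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "access-list 101 permit ip 10.10.10.0 0.0.0.255 any",
    "access-list 101 permit ip 192.168.0.0 0.0.0.255 any",
]

def _net(tokens):
    """Consume 'any' or 'addr wildcard' from tokens; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    addr, wildcard = tokens[0], tokens[1]
    # A contiguous Cisco wildcard (0.0.0.255) is the inverse of the netmask.
    prefix = 32 - int(ipaddress.ip_address(wildcard)).bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]

def parse_acl(lines):
    acl = []
    for line in lines:
        _, _, action, _proto, *rest = line.split()  # only "ip" entries here
        src, rest = _net(rest)
        dst, _ = _net(rest)
        acl.append((action, src, dst))
    return acl

def first_match(acl, src_ip, dst_ip):
    """IOS stops at the first matching entry; unmatched traffic is denied."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in acl:
        if s in src and d in dst:
            return action
    return "deny"

def is_natted(acl_lines, src_ip, dst_ip):
    """True when the NAT ACL permits the flow, i.e. IOS would translate it
    to the Dialer1 address before (or instead of) handing it to IPsec."""
    return first_match(parse_acl(acl_lines), src_ip, dst_ip) == "permit"

if __name__ == "__main__":
    for name, acl in (("original", ACL_101_ORIGINAL), ("fixed", ACL_101_FIXED)):
        print(name, "LAN->VPN client NAT'd:", is_natted(acl, "192.168.0.6", "192.168.1.2"))
```

With the original order a LAN host replying to a VPN client is translated (and the reply never makes it back through the tunnel), while DMZ sources happened to hit the deny; with the corrected order both inside subnets are exempt from NAT toward 192.168.1.0/24 and still translated toward the Internet.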

It's working...

I understood yesterday what was wrong in my tests... I already had this command in access-list 101: deny ip any 192.168.1.0 0.0.0.255. My problem was that, without a WINS server installed, I wanted to validate the VPN connection by trying to reach our internal web server, which was static NAT'd... When I removed the static NAT, everything worked great...