VPN connected but can only access router on server end

jmuise1018
Level 1

Using Easy VPN Server on a Cisco 1801 (Cisco IOS Software, C180X Software (C180X-ADVIPSERVICESK9-M), Version 12.4(6)T, RELEASE SOFTWARE (fc1); tried with 12.4(4)T1 first) and Cisco VPN Client 4.6, I can establish a tunnel and access the router via telnet and SDM, but cannot access anything else on the router's side of the network.

part of config:

aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
ip cef
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 24.x.x.x
ip name-server 24.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group test
 key test123
 dns 24.222.x.x.x.0.5
 pool SDM_POOL_1
 acl 101
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address 24.222.X.X 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.1.170 192.168.1.175
ip route 0.0.0.0 0.0.0.0 24.222.X.X (default gateway for ISP)
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.170
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.171
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.172
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.173
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.174
access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.175
access-list 100 deny ip any host 192.168.1.170
access-list 100 deny ip any host 192.168.1.171
access-list 100 deny ip any host 192.168.1.172
access-list 100 deny ip any host 192.168.1.173
access-list 100 deny ip any host 192.168.1.174
access-list 100 deny ip any host 192.168.1.175
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!

4 Replies

spremkumar
Level 9

Hi,

As a first point, I would suggest changing the SDM_POOL from which you offer IPs to the RA VPN clients.

Just change it to either a 10.x.x.x or a 172.16.x.x network. Also change ACL 101 accordingly, allowing the VPN traffic to get encrypted, matching the newly defined block and your local LAN network, and bind it under the ISAKMP policy.

With your current network config, the ACL 101 which you defined as the interesting traffic to get encrypted might be the possible cause of the inaccessibility issue.

Regards

I tried changing things and it still didn't work. I even tried some example configs (resetting the router first) and they didn't work either. I put an FTP server on the inside of the router, and when trying to connect, the FTP log shows the VPN client IP connecting but the server cannot reply. Example:

(000016) 3/20/2006 13:13:29 PM - (not logged in) (192.168.0.220)> Connected, sending welcome message...
(000016) 3/20/2006 13:13:29 PM - (not logged in) (192.168.0.220)> 220-FileZilla Server version 0.9.12 beta
(000016) 3/20/2006 13:13:29 PM - (not logged in) (192.168.0.220)> could not send reply, disconnected.

I have the exact same problem... did you get this fixed?

I think you should try:

1.- Removing any config relating to isakmp and crypto, to start fresh.

2.- When assigning the IP addresses (pool), make sure you create a new subnet, and also make sure your hosts on the internal network (behind the router) know how to reach this subnet. Perform a traceroute, which should reach the internal interface of the router.

3.- Don't use split tunneling on the first try, to isolate what the issue is.

4.- Test connecting from the VPN client and make sure you are authenticated and an IP address in the appropriate range has been allocated.

5.- If you are still unable to connect, then you might be hitting a bug, even though I could not find any Easy VPN Server bug related to your particular IOS version.

Hope this helps
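The two replies above point at the same thing: the pool 192.168.1.170-175 lives inside the LAN subnet 192.168.1.0/24, so an inside host ARPs for the client address instead of routing to the router, and Vlan1 has "no ip proxy-arp", so nothing answers. The fragment below is an added example, not part of the thread, showing the posted lines beside a corrected version; the 192.168.100.0/24 pool subnet is an assumed, constructed choice.

```cisco
! --- As posted: the client pool overlaps the LAN and Vlan1 will not answer
! --- ARP for pool addresses, so LAN hosts cannot reply to a connected client.
!   ip local pool SDM_POOL_1 192.168.1.170 192.168.1.175
!   access-list 100 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.170   (repeated per host)
!
! --- Corrected: a dedicated pool subnet (192.168.100.0/24 is an assumed choice)
no ip local pool SDM_POOL_1
ip local pool SDM_POOL_1 192.168.100.1 192.168.100.20
!
crypto isakmp client configuration group test
 pool SDM_POOL_1
 acl 101
 netmask 255.255.255.0
!
! NAT exemption: replies from the LAN to a client must not be translated to the
! WAN address before encryption; one subnet entry replaces the twelve host entries.
no access-list 100
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
! ACL 101 (the split-tunnel list) is written from the server side: it names the
! LAN the client should send through the tunnel, so it stays exactly as posted.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
! "reverse-route" on SDM_DYNMAP_1 installs a /32 for each connected client, so
! inside hosts reach the new subnet through their default gateway 192.168.1.1.
!
! --- Alternative that keeps the overlapping pool: let the router answer ARP on
! --- the LAN for client addresses it holds a reverse route for.
interface Vlan1
 ip proxy-arp
```

With a client connected, `show ip route` should list the client's address as a /32 and `show crypto ipsec sa` should show both the encaps and decaps counters increasing when the LAN host replies.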
