Re: Cisco 887 easy vpn client can not access remote Lan but only

naturescarekelvin · ‎10-27-2010

Hi guys, Just got a problem that I can not figure out:

I am using Cisco configuration professional to set up one easy vpn server on 887-K9,

vpn client can dial up the server successfully but can only ping router but on other lan. Any idea?

Looks like there is a nat issues between lan and vpn client?

Jennifer Halim · ‎10-28-2010

You would need to configure NAT exemption on the router.

For Easy VPN Client PAT/Client mode, you would need to configure NAT exemption with ACL deny remote LAN towards the IP Pool subnets.

For Easy VPN NEM (Network Extension mode), you would need to configure NAT exemption with ACL to deny remote LAN towards the Easy VPN Client LAN.

Example:

Easy VPN client/PAT mode:

Easy VPN server remote LAN: 192.168.1.0/24

Easy VPN client ip pool: 10.1.1.0/24

NAT exemption ACL:

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Easy VPN NEM (Network Extension Mode):

Easy VPN server remote LAN: 192.168.1.0/24

Easy VPN client LAN: 10.2.2.0/24

NAT exemption ACL:

access-list 101 deny ip 192.168.1.0 0.0.0.255 10.2.2.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Hope that helps.

naturescarekelvin · ‎10-28-2010

Tried,

would not work.

Looks like the vpn client has been isolated, can only communicate with router,

I even try 2 clients, and these 2 can not access each other as well.

Jennifer Halim · ‎10-29-2010

Can you pls share the configuration of the easy vpn server. Thanks.

naturescarekelvin · ‎10-31-2010

1 12:09:32.975 11/01/10 Sev=Warning/2 CVPND/0xE3400013
AddRoute failed to add a route with metric of 0: code 160
Destination 192.168.0.255
Netmask 255.255.255.255
Gateway 10.1.1.2
Interface 10.1.1.1
Here is the log from vpn client

any idea?

Thanks for your great help!

Rabnawaz Anwar · ‎10-24-2012

Hi Jennifer,

I have the same problem that upon connecting EZVPN I could not access remote lan internal clients and also lost internet connectivity at EZVPN client side.I have followed thru ur configurations suggested in this post and add NAT exemption but still have the problem.

Please help....

Here is the EZVPN Server (Cisco 877 Router) configuration:

xxxx#sh run
Building configuration...

Current configuration : 7143 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
enable secret yyyyyy
!
aaa new-model
!
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
!
!
aaa session-id common

!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group testEZVPN
key xxxxx
domain testEZVPN.com
pool EZVPN-POOL
acl SPLIT_T
save-password
!
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
!
crypto dynamic-map INT_MAP 1
set security-association lifetime kilobytes 530000000
set security-association lifetime seconds 14400
set transform-set TRANSFORM-1
reverse-route
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
ip cef
!
!
ip dhcp excluded-address 192.168.11.1 192.168.11.10
!
!
ip domain name testEZVPN.com
ip host BLROGERS.PBX11 192.168.11.66
ip name-server xxxxxx
ip name-server yyyyyy
login block-for 30 attempts 3 within 30
login on-failure log
login on-success log
!
multilink bundle-name authenticated
vpdn enable
vpdn logging
vpdn logging local
vpdn logging user
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
ip mtu adjust
!
!
!
!
spanning-tree vlan 1 priority 8192
spanning-tree vlan 2 priority 8192
spanning-tree vlan 3 priority 8192
spanning-tree vlan 4 priority 8192
spanning-tree vlan 5 priority 8192
username xxxxx password yyyyyy
username vpnuser password zzzzzz
username ezvpn-wah password cccccccc
archive
log config
hidekeys
!
!
!
track 1 interface ATM0 line-protocol
!
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.0
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point

ip address xxxxxxx
no ip unreachables
ip nat outside
ip virtual-reassembly
no snmp trap link-status
atm route-bridged ip
pvc 0/101
encapsulation aal5snap
!
!
interface FastEthernet0

switchport mode trunk
!
interface FastEthernet1

switchport mode trunk
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan2
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1200
peer default ip address pool PPTPCLIENT
compress mppc
ppp encrypt mppe auto
ppp authentication ms-chap chap
!
interface Vlan1
ip address xxxxxxx
ip access-group 103 in
ip nat outside
ip virtual-reassembly
crypto map INT_MAP
!
interface Vlan2
description USER
ip address 192.168.11.1 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan3
description VOICE
ip address 192.168.11.65 255.255.255.192
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
interface Vlan4
description SERVER
ip address 192.168.11.129 255.255.255.224
ip helper-address 192.168.11.130
ip nat inside
ip virtual-reassembly
!
ip local pool PPTPCLIENT 192.168.11.6 192.168.11.7
ip local pool EZVPN-POOL 192.168.10.10 192.168.10.100
ip route 0.0.0.0 0.0.0.0 xxxxx 100 track 1
ip route 0.0.0.0 0.0.0.0 yyyyyy
ip route xxxxx 255.255.0.0 yyyyy
ip route xxxx 255.255.255.0 zzzzz
ip route xxxxx 255.255.0.0 yyyyy
ip route xxxxx 255.255.255.255 yyyyyy
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.11.66 443 interface Vlan1 443
ip nat inside source static tcp 192.168.11.66 81 interface ATM0.1 81
ip nat inside source route-map nonat interface Vlan1 overload
ip nat inside source static udp 192.168.11.66 5060 146.255.3.45 48500 extendable
!
ip access-list extended SPLIT_T
permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
!
access-list 103 remark VOIP-UNLIMITED

access-list 104 remark Voice-Control
access-list 104 permit udp host 192.168.11.66 any eq 5060
access-list 104 permit udp any any eq 5060
access-list 105 permit gre any any
access-list 105 permit udp any any eq 10000
access-list 105 permit udp any any eq non500-isakmp
access-list 105 permit udp any any eq isakmp
access-list 105 permit esp any any
access-list 105 permit ahp any any
access-list 106 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 106 permit ip 192.168.11.0 0.0.0.255 any
!
!
!
route-map nonat permit 10
match ip address 106
!
!
control-plane
!

!
line con 0
no modem enable
line aux 0
line vty 0 4
login authentication USERLIST
escape-character 90
!
scheduler max-task-time 5000
ntp clock-period 17175125
ntp source ATM0.1
ntp peer xxxxx
ntp peer yyyyy

!
webvpn cef
end

EZVPN Client (Cisco 1801 Router) Configuration:

xxxxx#sh run
Building configuration...

Current configuration : 2822 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
enable secret xxxx
enable password yyy
!
no aaa new-model
!
!
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.33 192.168.0.40
ip dhcp excluded-address 192.168.0.65 192.168.0.70
!
ip dhcp pool Data
   network 192.168.0.32 255.255.255.224
   default-router 192.168.0.33
   dns-server 192.168.0.1
   domain-name yyyyyy
   lease 8
!
ip dhcp pool Voice
   network 192.168.0.64 255.255.255.224
   default-router 192.168.0.65
   dns-server 192.168.0.1
   lease 8
!
!
ip domain name testEZVPN.com
!
multilink bundle-name authenticated
!
!
username xxxx
username yyyy
!
!
!
crypto ipsec client ezvpn testEZVPN
connect manual
group testEZVPN key test123
mode client
peer hhhhhh
username test password testezvpn
xauth userid mode local
!
archive
log config
hidekeys
!

interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/103
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
no cdp enable
!
interface FastEthernet0
description Connected to 3560Switch
ip address 192.168.0.1 255.255.255.252
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto ipsec client ezvpn testEZVPN inside
!
interface FastEthernet1
no cdp enable
!
interface FastEthernet2
no cdp enable
!
interface FastEthernet3
no cdp enable
!
interface FastEthernet4
no cdp enable
!
interface FastEthernet5
no cdp enable
!
interface FastEthernet6
no cdp enable
!
interface FastEthernet7
no cdp enable
!
interface FastEthernet8
no cdp enable
!
interface Vlan1
no ip address
shutdown
!
interface Dialer0
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp chap hostname pppppp
ppp chap password 7 051B120C2D
ppp pap sent-username qqqqqq password yyyy
ppp ipcp dns request accept
crypto ipsec client ezvpn testEZVPN
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.32 255.255.255.224 192.168.0.2
ip route 192.168.0.64 255.255.255.224 192.168.0.2
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list NAT interface Dialer0 overload
!
ip access-list standard NAT
permit 192.168.0.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
password xxxx
line aux 0
line vty 0 4
password yyyy
login
!
no process cpu extended
no process cpu autoprofile hog
end

Cisco 887 easy vpn client can not access remote Lan but only router