Easy VPN Server - Limited Remote LAN Connectivity

markdoughty
Level 1

Hi,

I've been struggling with this for a few days now and I'm just about out of ideas.   Any advice would be much appreciated.

I'm trying to set up an Easy VPN server on an 837 adsl router to allow remote access from a windows PC running a Cisco VPN client.   The client connects to the router fine and the Windows PC gets an IP address.   However once connected I can only ping two switches which are on the remote LAN.  The PCs which are connected to the switches can't be accessed.  I can also ping the router itself, but strangely this only works after I have pinged one of the switches. (if I connect and ping the adsl router first it fails).    If I log into the IOS I can ping all the expected devices fine.

When I went into the SDM and tested the VPN connectivity I got the following message

"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."

I have tried adjusting the MTU sizes (with no effect), but I suspect this error may be a red herring as the ping is obviously only 32 bytes.

My config is below, any suggestions are welcome.

Thanks in advance.

Using 4124 out of 131072 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname adsl_837
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 #################
enable password 7 ##############
!
aaa new-model
!
!
aaa authentication login userauthenicate local
aaa authorization network groupauthorise local
aaa session-id common
ip subnet-zero
no ip source-route
ip dhcp excluded-address 10.10.128.1 10.10.128.192
!
ip dhcp pool temp_pool
   network 10.10.128.0 255.255.255.0
   dns-server 10.10.128.3
   default-router 10.10.128.3
!
!
ip tcp synwait-time 10
ip domain name ##########
ip name-server 208.67.222.222
no ip bootp server
ip cef
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
no ftp-server write-enable
!
!
username vpn_users privilege 15 password 7 #################
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local remote_access_pool
!
crypto isakmp client configuration group VPN_group
 key ######################
 pool remote_access_pool
 save-password
!
!
crypto ipsec transform-set VPN_transform_set esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_2 1
 set transform-set VPN_transform_set
 reverse-route
!
!
crypto map SDM_CMAP_2 client authentication list userauthenicate
crypto map SDM_CMAP_2 isakmp authorization list groupauthorise
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description Ethernet$FW_INSIDE$
 ip address 10.10.128.3 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname #################
 ppp chap password 7 #################
 crypto map SDM_CMAP_2
!
ip local pool remote_access_pool 10.10.128.4
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
!
logging trap debugging
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.10.128.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip any host 10.10.128.4
access-list 100 permit ip 10.10.128.0 0.0.0.255 any
access-list 110 remark IPsec_Rule
access-list 110 remark SDM_ACL Category=4
access-list 110 permit ip host 10.10.128.4 10.10.128.0 0.0.0.255 log
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password 7 ############
 transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
end

8 Replies

Hi,

The pool for the VPN clients consists of a single IP, correct? 10.10.128.4

This IP belongs to the internal LAN 10.10.128.0/24

It is recommended to assign an IP from a different L3 segment to the VPN clients.

Is there a special reason you assign an IP from the local subnet to the VPN client?

You're correct about the MTU issue, but I think you can try changing the VPN pool subnet.

Federico.

Hi,

Thanks for the quick reply.

The single IP address in the pool was intentional as I only ever need to connect 1 client at a time.

I have tried changing the pool (and access list) to a separate subnet but the results are exactly the same. I can ping both switches on the remote side and nothing else.

When you change the pool of VPN addresses to a different IP subnet, you need to make sure that the internal network has a route back to the pool pointing to the VPN server.

So, let's say the new VPN pool is 1.1.1.1/32

The internal network should have a default gateway pointing to the 837 router, or there should be a route to 1.1.1.1/32 pointing to the router.

As well, if you change the pool, you should modify the statements on the ACL for NAT.

Federico.
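The two things the reply above asks about (is the pool address inside the LAN segment, and does the NAT ACL exempt it) can be checked mechanically against a saved config. This is an added example, not code from this thread or from Cisco; it parses a constructed excerpt modelled on the 837 config posted above and assumes the SDM-style layout (NAT driven by a route-map, a numbered ACL, a single `ip local pool`).

```python
import ipaddress
import re

# Constructed excerpt modelled on the 837 config posted above (not the full config).
ORIGINAL_CFG = """interface Ethernet0
 ip address 10.10.128.3 255.255.255.0
 ip nat inside
ip local pool remote_access_pool 10.10.128.4
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 deny   ip any host 10.10.128.4
access-list 100 permit ip 10.10.128.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

def parse_lan_subnets(cfg):
    """Map each interface carrying 'ip address A M' to its IPv4Network."""
    subnets, current = {}, None
    for line in cfg.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s+ip address (\S+) (\S+)$", line)
        if m and current:
            subnets[current] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return subnets

def parse_pool(cfg):
    """Expand 'ip local pool NAME FIRST [LAST]' into its addresses."""
    m = re.search(r"^ip local pool \S+ (\S+)(?: (\S+))?", cfg, re.M)
    if not m:
        return []
    first = int(ipaddress.ip_address(m.group(1)))
    last = int(ipaddress.ip_address(m.group(2))) if m.group(2) else first
    return [ipaddress.ip_address(a) for a in range(first, last + 1)]

def nat_acl_denies(cfg, addr):
    """True if the ACL behind the NAT route-map denies 'ip any host ADDR' (pool exempt from NAT)."""
    rm = re.search(r"^ip nat inside source route-map (\S+)", cfg, re.M)
    acl = rm and re.search(rf"^route-map {re.escape(rm.group(1))}\b.*\n\s+match ip address (\d+)", cfg, re.M)
    if not acl:
        return False
    return re.search(rf"^access-list {acl.group(1)} deny\s+ip any host {re.escape(str(addr))}\b", cfg, re.M) is not None

def check_pool(cfg):
    """Per pool address: LAN interface whose subnet contains it (None if separate) and NAT exemption."""
    lans = parse_lan_subnets(cfg)
    return {str(a): {"overlaps_lan": next((n for n, net in lans.items() if a in net), None),
                     "nat_exempt": nat_acl_denies(cfg, a)} for a in parse_pool(cfg)}
```

On the posted config this flags 10.10.128.4 as sitting inside Ethernet0's 10.10.128.0/24; after moving the pool to 10.10.127.1 and adding the matching deny line, it reports no overlap and NAT exemption intact.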

Thanks for your time on this.

The default gateway on all of the LAN PCs is the router (10.10.128.3).

I've changed the address pool to

ip local pool remote_access_pool 10.10.127.1

My access list 100 for the NAT is now:

access-list 100 remark SDM_ACL Category=2
access-list 100 deny   ip any host 10.10.127.1
access-list 100 deny   ip any host 10.10.128.4
access-list 100 permit ip 10.10.128.0 0.0.0.255 any

If I do 'show ip route all' while the VPN is up, there is a line which says

S       10.10.127.1/32 [1/0] via (my remote IP address)

so it looks like there is a route set up correctly on the adsl router itself?

Unfortunately I can still only ping the switches.

I'm really stumped now on what to do next.

Cheers

So, from the VPN clients you can PING the switches (I assume they are on the 10.10.128.0/24 range)
The switches have a default gateway 10.10.128.3

You say that if you log into the 837, you can PING the PCs.
We know the VPN is fine and traffic is flowing since you can PING the switches from the VPN client.

What's with the PCs?
They also belong to 10.10.128.0/24 correct?
They also have a default gateway 10.10.128.3?


Federico.

Yes. I can ping both switches from the VPN client (10.10.128.1 and 10.10.128.2). I can also ping the router itself (10.10.128.3), but only after I have pinged the switches. If I connect and then ping 10.10.128.3 it times out. I then ping one of the switches, which works. I can then connect to the router fine (ping, ssh, https).

The PCs are all Windows machines. They all have static IP addresses in the 10.10.128.0/24 subnet. They have a default gateway set of the router (10.10.128.3) and can access the internet.

I don't see why the switch and the PCs would be different?

I'm beginning to think I might have to go and visit the site to get to the bottom of this one.

Do you have the ports of the switch that connects to the PCs on the same VLAN as the ports that connect to the 837?

Or is there any VLAN/trunk configuration on the switch?

Federico.

Well, it wasn't me who set up the switches on site. I'm told they are all on a single VLAN with no trunking. I guess the next step is to take a look at those. (At least I can get to them over the VPN.) Unfortunately I don't have the login details for those handy so it will have to wait until Monday.

I'll let you know how I get on . . . .

Thanks for your help.   Let me know if you think of anything else.

Cheers
