04-24-2010 09:06 AM
Hi,
I've been struggling with this for a few days now and I'm just about out of ideas. Any advice would be much appreciated.
I'm trying to set up an Easy VPN server on an 837 ADSL router to allow remote access from a Windows PC running a Cisco VPN client. The client connects to the router fine and the Windows PC gets an IP address. However, once connected I can only ping two switches which are on the remote LAN. The PCs which are connected to the switches can't be accessed. I can also ping the router itself, but strangely this only works after I have pinged one of the switches (if I connect and ping the ADSL router first, it fails). If I log into the IOS I can ping all the expected devices fine.
When I went into the SDM and tested the VPN connectivity I got the following message
"A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets."
I have tried adjusting the MTU sizes (with no effect), but I suspect this error may be a red herring as the ping is obviously only 32 bytes.
My config is below, any suggestions are welcome.
Thanks in advance.
Using 4124 out of 131072 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname adsl_837
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 #################
enable password 7 ##############
!
aaa new-model
!
!
aaa authentication login userauthenicate local
aaa authorization network groupauthorise local
aaa session-id common
ip subnet-zero
no ip source-route
ip dhcp excluded-address 10.10.128.1 10.10.128.192
!
ip dhcp pool temp_pool
network 10.10.128.0 255.255.255.0
dns-server 10.10.128.3
default-router 10.10.128.3
!
!
ip tcp synwait-time 10
ip domain name ##########
ip name-server 208.67.222.222
no ip bootp server
ip cef
ip ips po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
no ftp-server write-enable
!
!
username vpn_users privilege 15 password 7 #################
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local remote_access_pool
!
crypto isakmp client configuration group VPN_group
key ######################
pool remote_access_pool
save-password
!
!
crypto ipsec transform-set VPN_transform_set esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_2 1
set transform-set VPN_transform_set
reverse-route
!
!
crypto map SDM_CMAP_2 client authentication list userauthenicate
crypto map SDM_CMAP_2 isakmp authorization list groupauthorise
crypto map SDM_CMAP_2 client configuration address respond
crypto map SDM_CMAP_2 65535 ipsec-isakmp dynamic SDM_DYNMAP_2
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description Ethernet$FW_INSIDE$
ip address 10.10.128.3 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname #################
ppp chap password 7 #################
crypto map SDM_CMAP_2
!
ip local pool remote_access_pool 10.10.128.4
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip http access-class 2
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip dns server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
!
logging trap debugging
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.10.128.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 10.10.128.4
access-list 100 permit ip 10.10.128.0 0.0.0.255 any
access-list 110 remark IPsec_Rule
access-list 110 remark SDM_ACL Category=4
access-list 110 permit ip host 10.10.128.4 10.10.128.0 0.0.0.255 log
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 ############
transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
end
04-24-2010 09:17 AM
Hi,
The pool for the VPN clients consists of a single IP, correct? 10.10.128.4
This IP belongs to the internal LAN 10.10.128.0/24
It is recommended to assign an IP from a different L3 segment to the VPN clients.
Is there a special reason you assign an IP from the local subnet to the VPN client?
You're correct about the MTU issue, but I think you can try changing the VPN pool subnet.
Federico.
04-24-2010 09:40 AM
Hi,
Thanks for the quick reply.
The single IP address in the pool was intentional as I only ever need to connect 1 client at a time.
I have tried changing the pool (and access list) to a separate subnet but the results are exactly the same. I can ping both switches on the remote side and nothing else.
04-24-2010 09:46 AM
When you change the pool of VPN addresses to a different IP subnet, you need to make sure that the internal network has a route back to the pool pointing to the VPN server.
So, let's say the new VPN pool is 1.1.1.1/32
The internal network should have a default gateway pointing to the 837 router, or there should be a route to 1.1.1.1/32 pointing to the router.
As well, if you change the pool, you should modify the statements on the ACL for NAT.
Federico.
04-24-2010 10:24 AM
Thanks for your time on this.
The default gateway on all of the LAN PCs is the router. (10.10.128.3)
I've changed the address pool to
ip local pool remote_access_pool 10.10.127.1
My access list 100 for the NAT is now:
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip any host 10.10.127.1
access-list 100 deny ip any host 10.10.128.4
access-list 100 permit ip 10.10.128.0 0.0.0.255 any
If I do 'show ip route all' while the VPN is up, there is a line which says
S 10.10.127.1/32 [1/0] via (my remote IP address)
so it looks like there is a route set up correctly on the ADSL router itself?
Unfortunately I can still only ping the switches.
I'm really stumped now on what to do next.
Cheers
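The two points Federico raises above (put the client pool on its own L3 segment, and keep the NAT ACL exempting traffic to the pool) and the revised pool and ACL posted in this reply can be checked mechanically. The script below is an added example, not code from the thread or from Cisco: it parses a trimmed copy of the posted config, the revised version with the pool on 10.10.127.1, and a constructed variant in which the NAT deny was forgotten, and reports pool/LAN overlap (with a proxy-ARP hint when the inside interface has `no ip proxy-arp`) and any pool address the NAT ACL would still translate. The function names, the trimmed configs and the "forgotten deny" variant are mine; the NAT evaluation covers standard ACLs and extended `ip` entries only.

```python
"""Static checks for an IOS Easy VPN server config (added example, not from the thread).
Flags a client pool that overlaps the inside LAN subnet, and a NAT rule that would
translate LAN -> client traffic instead of exempting it (standard / extended-ip ACLs only)."""
import ipaddress
import re

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
ANY = ipaddress.ip_network("0.0.0.0/0")


def _addr_spec(tok, i):
    # Parse one ACL address spec at tok[i]; return (IPv4Network, next index).
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if i + 1 < len(tok) and IPV4.match(tok[i + 1]):          # "addr wildcard" form
        mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1])))
        return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2
    return ipaddress.ip_network(tok[i] + "/32"), i + 1       # bare address in a standard ACL


def parse_config(text):
    cfg = {"pools": {}, "ifaces": {}, "acls": {}, "route_maps": {}, "nat": None}
    ifc = rmap = None
    for line in text.splitlines():
        tok = line.split()
        if not tok or tok[0] == "!":
            continue
        if not line.startswith(" "):                         # an unindented line ends a stanza
            ifc = rmap = None
        if tok[:3] == ["ip", "local", "pool"]:
            last = tok[5] if len(tok) > 5 else tok[4]        # one-address pools have no end
            cfg["pools"][tok[3]] = (ipaddress.IPv4Address(tok[4]), ipaddress.IPv4Address(last))
        elif tok[0] == "interface":
            ifc = cfg["ifaces"].setdefault(tok[1], {"net": None, "nat_inside": False, "proxy_arp": True})
        elif ifc is not None and tok[:2] == ["ip", "address"] and len(tok) == 4:
            ifc["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif ifc is not None and tok[:3] == ["ip", "nat", "inside"]:
            ifc["nat_inside"] = True
        elif ifc is not None and tok[:3] == ["no", "ip", "proxy-arp"]:
            ifc["proxy_arp"] = False
        elif tok[0] == "access-list" and tok[2] in ("permit", "deny"):
            proto = None if IPV4.match(tok[3]) or tok[3] in ("any", "host") else tok[3]
            if proto not in (None, "ip"):                     # tcp/udp/... entries are skipped
                continue
            src, i = _addr_spec(tok, 4 if proto else 3)
            dst, i = _addr_spec(tok, i) if i < len(tok) and tok[i] != "log" else (ANY, i)
            cfg["acls"].setdefault(tok[1], []).append((tok[2], src, dst))
        elif tok[:4] == ["ip", "nat", "inside", "source"]:
            cfg["nat"] = (tok[4], tok[5])                     # ("list" | "route-map", name)
        elif tok[0] == "route-map" and tok[2] == "permit":
            rmap = cfg["route_maps"].setdefault(tok[1], [])
        elif rmap is not None and tok[:3] == ["match", "ip", "address"]:
            rmap.extend(tok[3:])
    return cfg


def nat_translates(cfg, src, dst):
    """Would 'ip nat inside source' translate a packet src -> dst on its way out?"""
    if cfg["nat"] is None:
        return False
    src, dst = ipaddress.IPv4Address(str(src)), ipaddress.IPv4Address(str(dst))
    kind, name = cfg["nat"]
    for acl in [name] if kind == "list" else cfg["route_maps"].get(name, []):
        # first matching entry decides; the implicit deny at the end means "not translated"
        if next((a for a, s, d in cfg["acls"].get(acl, []) if src in s and dst in d), "deny") == "permit":
            return True
    return False


def check(text):
    cfg = parse_config(text)
    inside = [(n, d) for n, d in cfg["ifaces"].items() if d["nat_inside"] and d["net"]]
    findings = []
    for pool, (first, last) in cfg["pools"].items():
        clients = [ipaddress.IPv4Address(a) for a in range(int(first), int(last) + 1)]
        for name, d in inside:
            if any(c in d["net"] for c in clients):
                hint = "" if d["proxy_arp"] else f", and {name} has 'no ip proxy-arp' so LAN hosts cannot ARP for it"
                findings.append(f"pool {pool} overlaps {name} subnet {d['net']}{hint}")
            lan_host = d["net"].network_address + 1           # a LAN host replying to the client
            bad = [str(c) for c in clients if nat_translates(cfg, lan_host, c)]
            if bad:
                findings.append(f"NAT ACL translates {name} -> {', '.join(bad)}; deny the pool before the permit")
    return findings


# Trimmed from the config posted in the thread: the pool address lies inside the LAN subnet.
ORIGINAL = """\
interface Ethernet0
 ip address 10.10.128.3 255.255.255.0
 no ip proxy-arp
 ip nat inside
ip local pool remote_access_pool 10.10.128.4
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 deny ip any host 10.10.128.4
access-list 100 permit ip 10.10.128.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""
# REVISED: pool and NAT ACL as in the later post; FORGOTTEN: constructed mistake, deny left out.
REVISED = ORIGINAL.replace("pool remote_access_pool 10.10.128.4", "pool remote_access_pool 10.10.127.1").replace(
    "deny ip any host 10.10.128.4", "deny ip any host 10.10.127.1\naccess-list 100 deny ip any host 10.10.128.4")
FORGOTTEN = ORIGINAL.replace("pool remote_access_pool 10.10.128.4", "pool remote_access_pool 10.10.127.1").replace(
    "access-list 100 deny ip any host 10.10.128.4\n", "")
```

Run `check(ORIGINAL)`, `check(REVISED)` and `check(FORGOTTEN)` in a Python shell: the original config produces one overlap finding, the revised one produces none, and the variant without the deny shows the NAT ACL translating traffic to 10.10.127.1. To test a full `show run`, paste it into a string and pass it to `check()`; the parser relies on the one-space indentation IOS prints for interface and route-map sub-commands.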
04-24-2010 10:41 AM
So, from the VPN clients you can PING the switches (I assume they are on the 10.10.128.0/24 range)
The switches have a default gateway 10.10.128.3
You say that if you log into the 837, you can PING the PCs.
We know the VPN is fine and traffic is flowing since you can PING the switches from the VPN client.
What's with the PCs?
They also belong to 10.10.128.0/24 correct?
They also have a default gateway 10.10.128.3?
Federico.
04-24-2010 10:58 AM
Yes. I can ping both switches from the VPN client (10.10.128.1 and 10.10.128.2). I can also ping the router itself (10.10.128.3), but only after I have pinged the switches. If I connect and then ping 10.10.128.3 it times out. I then ping one of the switches, which works. I can then connect to the router fine (ping, SSH, HTTPS).
The PCs are all Windows machines. They all have static IP addresses in the 10.10.128.0/24 subnet. They have a default gateway set to the router (10.10.128.3) and can access the internet.
I don't see why the switch and the PCs would be different?
I'm beginning to think I might have to go and visit the site to get to the bottom of this one.
04-24-2010 11:04 AM
Do you have the ports of the switch that connects to the PCs on the same VLAN as the ports that connect to the 837?
Or is there any VLAN/trunk configuration on the switch?
Federico.
04-24-2010 11:19 AM
Well, it wasn't me who set up the switches on site. I'm told they are all on a single VLAN with no trunking. I guess the next step is to take a look at those. (At least I can get to them over the VPN.) Unfortunately I don't have the login details for those handy, so it will have to wait until Monday.
I'll let you know how I get on...
Thanks for your help. Let me know if you think of anything else.
Cheers