540 Views, 0 Helpful, 3 Replies

Easy-VPN Server

Thomas Schmitt
Level 1

Hello

I have a problem with Easy-VPN Server and I hope someone knows the solution.

There is one remote and one server, connected through DVTIs. This works fine, but from the server side I can't reach anything other than the remote side. You can see the situation in the picture: for example, the internet server 200.1.1.1 is reachable from LAN1, but not from LAN2.

DVTIproblem.PNG

The server side has nothing like split tunneling or anything similar; NAT is also configured. However, the server doesn't let out any frame that comes from LAN2 and is directed at anything other than LAN1.

Does anyone know the solution?

Server configuration is appended.

hostname Server
!
! AAA: group attributes are authorized from the local database
aaa new-model
aaa authorization network default local
!
! ISAKMP phase 1 policy and dead peer detection
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
! Easy VPN group: pre-shared key and split-tunnel ACL pushed to clients
crypto isakmp client configuration group vpnGroup
 key vpnKey
 acl 112
!
! ISAKMP profile that binds the group to the DVTI template
crypto isakmp profile vi
 match identity group vpnGroup
 isakmp authorization list default
 client configuration address respond
 virtual-template 1
 local-address lo 0
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
 set transform-set set
 set isakmp-profile vi
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
interface Serial0/0
 ip unnumbered Loopback0
interface Loopback0
 ip address 2.2.2.1 255.255.255.255
!
! Dynamic VTI template; each connecting client gets a Virtual-Access clone
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel source Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
ip route 0.0.0.0 0.0.0.0 Serial0/0 10
!
! Split-tunnel ACL handed to the clients
access-list 112 permit ip 10.0.0.0 0.0.7.255 any
!
! PAT of the server LAN out of Serial0/0; ACL 100 exempts traffic for the tunnel
ip nat inside source list 100 interface s0/0 overload
!
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.7.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any


3 Replies

Marcin Latosiewicz
Cisco Employee
Accepted Solution

Dmytro,

How's the NAT configured (which interfaces, what commands), and what is the pool assigned for ezvpn clients, or are you using NEM?

I also wonder how NAT will work (purely functionality, not saying it's bad) if you're using NAT overload on an interface that is already using ip unnumbered!

Nota bene, on DVTI you don't need to use tunnel source - ip unnumbered is OK and enough :-)

Marcin
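As an added example (not the thread's own config), here is the server-side fragment reworked around the two points in the reply above: the DVTI keeps only ip unnumbered, and the PAT overload address is one the router actually owns (the Loopback0 /32, via a one-address pool) instead of the unnumbered Serial0/0. Addresses, ACL numbers and profile names reuse the original poster's values; the ip nat inside/outside placement and the extra ACL 100 entries for the remote LAN are assumptions drawn from the posted config, not something the thread states.

```cisco
! Added example, not from the thread. Rest of the posted config assumed unchanged.
!
! 1. DVTI: "ip unnumbered Loopback0" is enough; the explicit tunnel source is dropped.
!    The template is marked NAT inside so traffic arriving from the remote LAN
!    over the Virtual-Access clone is eligible for translation.
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip nat inside
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vi
!
! 2. PAT: Serial0/0 has no address of its own (it borrows Loopback0), so do not
!    overload onto it. Overload onto the loopback address through a pool instead.
ip nat pool PAT-LOOP 2.2.2.1 2.2.2.1 prefix-length 24
ip nat inside source list 100 pool PAT-LOOP overload
!
interface FastEthernet0/0
 ip address 10.0.1.1 255.255.255.0
 ip nat inside
!
interface Serial0/0
 ip unnumbered Loopback0
 ip nat outside
!
! Assumption (not in the thread): the posted ACL 100 only matches the server LAN
! 10.0.1.0/24. Traffic from the remote LAN2 10.0.0.0/24 coming over the DVTI needs
! its own entries to be translated; the deny lines keep LAN-to-LAN traffic out of NAT.
no access-list 100
access-list 100 deny   ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.7.255
access-list 100 deny   ip 10.0.0.0 0.0.0.255 10.0.0.0 0.0.7.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
```

To check it, bring the client up and generate traffic from a LAN2 host to 200.1.1.1; `show ip nat translations` should then list entries with 2.2.2.1 as the inside global address for a 10.0.0.x inside local, `show ip nat statistics` should count hits on the pool, and `show crypto session` confirms the Virtual-Access interface is up. If the translations table stays empty, the traffic is either not matching ACL 100 or not entering on an interface marked `ip nat inside`.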

You are absolutely right.

PAT doesn't work over an "ip unnumbered" interface ... I spent about 4 hours on this issue.

Thanks.

Could you explain one more thing about split tunneling, please?

Based on the example above (networks 10.0.0.0/24, 10.0.1.0/24), I should create something like

access-list 112 permit ip 10.0.0.0 0.0.3.255 any

but I don't understand why the destination address is "any". The source address matches my LAN, the destination is "any" - doesn't that mean "send all traffic from LAN1 to the Easy-VPN Server"?

I know this is the right way and it works fine, but I don't understand why.

Dmytro,

It's just a question of "phrasing", if you will.

On ASA, as far as I remember, you can use a standard ACL.

IOS, though, requires that you use extended ACLs, and indeed the correct way to read ACL 112, if it's applied as the split tunneling ACL, is:

put traffic for those subnets into the tunnel.

i.e. "a destination on the client is a source on the server" is the way to think about it ;-)

Marcin
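The reading given in the reply above, written out as an added example (not the thread's own config): on the IOS server the split-tunnel ACL's source field is the list of server-side networks the client should reach through the tunnel, and the destination field is never evaluated as a destination, which is why it is simply "any". The group name, key and ACL number reuse the original poster's values; pushing only the server-side LAN1 10.0.1.0/24 is an assumption for clarity (the poster's 10.0.0.0 0.0.3.255 line reads the same way), and the ASA fragment is included only to show the standard-ACL form the reply mentions.

```cisco
! Added example, not from the thread.
!
! IOS Easy VPN server: extended ACL, read as
!   "push <source> to the client as a destination reached through the tunnel".
! "any" only completes the extended syntax; no destination match is done here.
access-list 112 permit ip 10.0.1.0 0.0.0.255 any
!
crypto isakmp client configuration group vpnGroup
 key vpnKey
 acl 112
!
! What the hardware client (NEM mode) ends up with, in effect:
!   traffic to 10.0.1.0/24 -> into the tunnel
!   everything else        -> its own default route, not via the server
! Verify on the client with "show crypto ipsec client ezvpn" and look at the
! Split Tunnel List lines. Leaving "acl" off the group gives a full tunnel, so
! all client traffic (including Internet) crosses to the server and is only then
! subject to the server's NAT.
!
! Same policy on an ASA: a standard ACL has a single address field, so the
! "any" question does not arise.
!   access-list SPLIT standard permit 10.0.1.0 255.255.255.0
!   group-policy vpnGroup attributes
!    split-tunnel-policy tunnelspecified
!    split-tunnel-network-list value SPLIT
```

A line such as `access-list 112 permit ip 10.0.1.0 0.0.0.255 host 10.0.0.5` would therefore not restrict which client hosts may use the tunnel; on the server side only the source part is turned into a split-tunnel prefix, so keep the destination at "any" and enforce per-host policy with an interface ACL on the server instead.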
