01-06-2012 05:53 AM
Hello all. This is my first post and question on the forum, so please let me know if you need additional information. I did a multitude of searches and cannot seem to pin down the issue that I am having.
Once a client connects to my VPN (VPN Client 5) they cannot see anything other than the outside interface. If I ping anything on the LAN, for example, I get a reply from the outside interface. I cannot see any WAN either (even by IP). My LAN clients can see the clients within the VPN pool. I would like all traffic to flow through the VPN. I have tried split tunneling to verify if the internet would work and the local LAN would stay connected. It does work, but I was still unable to access anything on the remote network. I am not sure if I am missing a NAT command or something simple... Any and ALL suggestions are more than welcome! Thank you in advance.
The current setup is as follows. 881 Router with Windows 2008 RADIUS authentication. The client is authenticating and receiving an IP address from the local IP pool. Please see below for the running config.
Building configuration...
Current configuration : 4357 bytes
!
! Last configuration change at 01:34:12 UTC Fri Jan 6 2012 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXXX
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$UzW8$YIlSVw2t5OVcoyyGv6n.Y1
!
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip domain name XXXXXX
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
username admin password 7 023C2603290D16
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group hsgroup
key XXXXXXXXXXXXX
dns 192.168.70.56
domain XXXXXXXXXX
pool pptp-pool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
switchport trunk native vlan 100
switchport mode trunk
!
interface FastEthernet1
shutdown
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
ip address XXX.XXX.XXX.XXX 255.255.255.252
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
no ip address
!
interface Vlan2
no ip address
!
interface Vlan100
ip address 192.168.70.2 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly in
!
interface Vlan200
ip address 192.168.80.1 255.255.255.0
ip access-group 120 in
ip access-group 121 out
ip helper-address 192.168.70.56
ip flow ingress
ip dns view-group 1
ip nat inside
ip virtual-reassembly in
!
ip local pool pptp-pool 192.168.90.100 192.168.90.150
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns view-list cf
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.70.104 3389 XXX.XXX.XXX.XXX 3388 extendable
ip nat inside source static tcp 192.168.70.56 3389 XXX.XXX.XXX.XXX 3399 extendable
ip nat inside source static tcp 192.168.70.15 80 XXX.XXX.XXX.XXX 8080 extendable
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
logging esm config
access-list 100 permit ip 192.168.70.0 0.0.0.255 any
access-list 100 permit ip 192.168.80.0 0.0.0.255 any
access-list 120 permit udp any host 255.255.255.255 eq bootps
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.2
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.56
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.57
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.104
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.201
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.4
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.5
access-list 120 deny ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 120 permit ip 192.168.80.0 0.0.0.255 any
access-list 121 permit ip any any
!
!
!
!
radius-server host 192.168.70.56 auth-port 1812 acct-port 1813 key 7 10465A154447564D1E543F3B757A60
!
!
control-plane
!
!
line con 0
password 7 081B6E162B121C
no modem enable
line aux 0
line vty 0 4
password 7 033E7953240438
transport input ssh
!
end
01-06-2012 11:05 AM
Re-write access-list 100 to have a deny from your internal LAN IP subnet to the VPN IP subnet first, then the rest of the existing ACL.
Sent from Cisco Technical Support iPad App
01-06-2012 11:19 AM
does this look correct?
Extended IP access list 100
9 deny ip 192.168.70.0 0.0.0.255 192.168.90.0 0.0.0.255
10 permit ip 192.168.70.0 0.0.0.255 any
20 permit ip 192.168.80.0 0.0.0.255 any
This works but doesn't.
I can now ping my remote LAN
I can ping servers and devices.
I can browse to internal websites
I can not RDP to any servers on the LAN
I can not browse the internet through the tunnel
any thoughts?
01-06-2012 01:32 PM
Can you ping servers on the LAN? Can the servers ping the VPN machines?
For you to browse the Internet you need to "hair pin"; use your favourite search engine for that.
Sent from Cisco Technical Support iPad App
01-06-2012 02:18 PM
I can ping the servers on the LAN. The LAN servers can ping the VPN clients.
I cannot RDP either way.
I will take it one step at a time and look into the hair pin. <-- Thank you for that; sometimes the keyword is all you need!!!
01-06-2012 02:29 PM
What else apart from RDP does not work?
Sent from Cisco Technical Support iPad App
01-06-2012 02:54 PM
After doing a quick look it appears that is the only thing not working. I am sure the servers have RDP enabled and there is no firewall or anything blocking them on the Windows side.
01-06-2012 08:12 PM
Try doing this and let me know if the RDP works:
interface Vlan100
ip tcp adjust-mss 1200
As for the Internet from the VPN client, just enable split tunneling with a standard ACL indicating which networks the VPN client should reach. Any other traffic from the VPN client (internet) will use its own local internet connection.
Like this (a standard ACL takes no protocol keyword, and the group must reference the same ACL number):
access-list 80 permit 192.168.70.0 0.0.0.255
access-list 80 permit 192.168.80.0 0.0.0.255
crypto isakmp client configuration group hsgroup
acl 80
HIH.......D.
01-07-2012 01:58 PM
That didn't seem to change anything. I am not 100% sure what that command does.
I did not want to use split-tunnel as I wanted all the internet traffic to go through the VPN due to content filtering requirements.
Thanks!
01-10-2012 05:25 AM
Update.
After looking into what we can and cannot do further we have found the following.
~From the VPN side we can access file shares and ping all machines on VLAN100.
~From the VPN side we can RDP to only 1 server on VLAN100. We cannot RDP to any other machines on VLAN100.
(We have verified that other machines on VLAN100 can RDP to all machines on VLAN100, to ensure RDP was turned on and no firewall restrictions were in place.)
~From the LAN I have all services to the VPN side.
Any thoughts?
01-11-2012 06:08 AM
I did notice that if I remove the NAT forwarding entries I can RDP to the machines in question from the VPN tunnel. This does disable the ability to use RDP from the outside. Is there any way to have both working?
no ip nat inside source static tcp 192.168.70.104 3389 173.9.146.81 3388 extendable
no ip nat inside source static tcp 192.168.70.56 3389 173.9.146.81 3399 extendable
Feels like we are starting to make some progress!
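The two observations in this thread (the ACL 100 re-order that made pings answer from the LAN address instead of the outside interface, and RDP only working once the static port-forward entries are removed) both come down to how IOS picks a translation for a LAN-to-VPN-pool packet. The following is an added, constructed model written for this thread, not configuration or code from the original posts or from Cisco: it evaluates the posted ACL 100 with Cisco wildcard-mask, first-match semantics and applies the posted static PAT entries before the dynamic overload rule, which is the precedence the poster observed. The outside address is a placeholder (203.0.113.1) for the redacted XXX.XXX.XXX.XXX, the VPN client address is one from pptp-pool, and the dynamic overload case is simplified to "source becomes the outside address" without modelling port reassignment.

```python
"""Toy model of inside->outside NAT selection on the 881 in this thread.

Constructed example, not the router's own code. It shows why a LAN host's
reply to a VPN-pool client is rewritten to the outside address under the
original ACL 100, why inserting a deny for the pool first fixes that, and
why a static PAT entry for port 3389 still breaks RDP to that server.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PUBLIC_IP = "203.0.113.1"      # placeholder for the redacted outside address
VPN_CLIENT = "192.168.90.100"  # an address from "ip local pool pptp-pool"


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W" (wildcard mask)
    dst: str


def match_wildcard(addr: str, spec: str) -> bool:
    """Cisco wildcard match: a 0 bit in the mask means that bit must match."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wildcard = parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)


def acl_permits(acl: List[Ace], src: str, dst: str) -> bool:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if match_wildcard(src, ace.src) and match_wildcard(dst, ace.dst):
            return ace.action == "permit"
    return False


@dataclass(frozen=True)
class StaticPat:
    inside_ip: str
    inside_port: int
    outside_ip: str
    outside_port: int


# ACL 100 exactly as posted in the running config.
ORIGINAL_ACL_100 = [
    Ace("permit", "192.168.70.0 0.0.0.255", "any"),
    Ace("permit", "192.168.80.0 0.0.0.255", "any"),
]
# ACL 100 after the suggested change: deny LAN -> VPN pool before the permits.
FIXED_ACL_100 = [Ace("deny", "192.168.70.0 0.0.0.255", "192.168.90.0 0.0.0.255")] + ORIGINAL_ACL_100

# The two "ip nat inside source static tcp ... extendable" entries from the config.
STATIC_PATS = [
    StaticPat("192.168.70.104", 3389, PUBLIC_IP, 3388),
    StaticPat("192.168.70.56", 3389, PUBLIC_IP, 3399),
]


def translate(src_ip: str, src_port: Optional[int], dst_ip: str,
              statics: List[StaticPat], nat_acl: List[Ace]) -> Tuple[str, Optional[int], str]:
    """Source (ip, port, reason) a LAN packet carries after inside->outside NAT.

    Assumption (matches the thread): static entries are consulted first and
    ignore the destination, so a server's RDP reply toward the VPN pool is
    rewritten to the public address even when ACL 100 would exempt it.
    """
    for s in statics:
        if s.inside_ip == src_ip and s.inside_port == src_port:
            return (s.outside_ip, s.outside_port, "static PAT entry")
    if acl_permits(nat_acl, src_ip, dst_ip):
        return (PUBLIC_IP, src_port, "dynamic overload via ACL 100")
    return (src_ip, src_port, "not translated (NAT exempt)")


def main() -> None:
    cases = [
        ("ping reply, original ACL", "192.168.70.57", None, STATIC_PATS, ORIGINAL_ACL_100),
        ("ping reply, fixed ACL", "192.168.70.57", None, STATIC_PATS, FIXED_ACL_100),
        ("RDP reply from .104, fixed ACL", "192.168.70.104", 3389, STATIC_PATS, FIXED_ACL_100),
        ("RDP reply from .104, statics removed", "192.168.70.104", 3389, [], FIXED_ACL_100),
        ("RDP reply from .57, fixed ACL", "192.168.70.57", 3389, STATIC_PATS, FIXED_ACL_100),
    ]
    for label, ip, port, statics, acl in cases:
        print(f"{label:40s} -> {translate(ip, port, VPN_CLIENT, statics, acl)}")


if __name__ == "__main__":
    main()
```

The model reproduces the thread's symptoms: with the original ACL 100 a ping from the pool gets its reply from the outside address; with the deny inserted first the reply comes from the LAN host; and a server that has a static port-forward on 3389 still answers from the public address and port, which is why only the server without such an entry accepts RDP from the tunnel. Removing the static entries, as the poster did, makes the RDP reply leave untranslated.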
01-12-2012 08:09 AM
Anyone have any ideas? We are starting to get under the gun on this one.
Thanks again!!
01-17-2012 05:13 AM
We are still stuck on this one...