VPN Clients can connect but can not see anything else (Cisco 881)

drichardson1982
Level 1

Hello all. This is my first post and question on the forum, so please let me know if you need additional information. I did a multitude of searches and cannot seem to pin down the issue that I am having.

Once a client connects to my VPN (VPN Client 5) they cannot see anything other than the outside interface. If I ping anything on the LAN, for example, I get a reply from the outside interface. I cannot see any WAN either (even by IP). My LAN clients can see the clients within the VPN pool. I would like all traffic to flow through the VPN. I have tried split tunneling to verify whether the internet would work and the local LAN would stay connected. It does work, but I was still unable to access anything on the remote network. I am not sure if I am missing a NAT command or something simple... Any and ALL suggestions are more than welcome! Thank you in advance.

The current setup is as follows: an 881 router with Windows 2008 RADIUS authentication. The client is authenticating and receiving an IP address from the local IP pool. Please see below for the running config.

Building configuration...

Current configuration : 4357 bytes
!
! Last configuration change at 01:34:12 UTC Fri Jan 6 2012 by admin
!
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname XXXXXXX
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$UzW8$YIlSVw2t5OVcoyyGv6n.Y1
!
aaa new-model
!
!
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
ip domain name XXXXXX
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
username admin password 7 023C2603290D16
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 1
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group hsgroup
 key XXXXXXXXXXXXX
 dns 192.168.70.56
 domain XXXXXXXXXX
 pool pptp-pool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
 switchport trunk native vlan 100
 switchport mode trunk
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 ip address XXX.XXX.XXX.XXX 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map clientmap
!
interface Vlan1
 no ip address
!
interface Vlan2
 no ip address
!
interface Vlan100
 ip address 192.168.70.2 255.255.255.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan200
 ip address 192.168.80.1 255.255.255.0
 ip access-group 120 in
 ip access-group 121 out
 ip helper-address 192.168.70.56
 ip flow ingress
 ip dns view-group 1
 ip nat inside
 ip virtual-reassembly in
!
ip local pool pptp-pool 192.168.90.100 192.168.90.150
no ip classless
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns view-list cf
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.70.104 3389 XXX.XXX.XXX.XXX 3388 extendable
ip nat inside source static tcp 192.168.70.56 3389 XXX.XXX.XXX.XXX 3399 extendable
ip nat inside source static tcp 192.168.70.15 80 XXX.XXX.XXX.XXX 8080 extendable
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
logging esm config
access-list 100 permit ip 192.168.70.0 0.0.0.255 any
access-list 100 permit ip 192.168.80.0 0.0.0.255 any
access-list 120 permit udp any host 255.255.255.255 eq bootps
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.2
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.56
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.57
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.104
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.201
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.4
access-list 120 permit ip 192.168.80.0 0.0.0.255 host 192.168.70.5
access-list 120 deny   ip 192.168.80.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 120 permit ip 192.168.80.0 0.0.0.255 any
access-list 121 permit ip any any
!
!
!
!
radius-server host 192.168.70.56 auth-port 1812 acct-port 1813 key 7 10465A154447564D1E543F3B757A60
!
!
control-plane
!
!
line con 0
 password 7 081B6E162B121C
 no modem enable
line aux 0
line vty 0 4
 password 7 033E7953240438
 transport input ssh
!
end

12 Replies

andrew.prince
Level 10

Rewrite access-list 100 to have a deny from your internal LAN IP subnet to the VPN IP subnet first, then the rest of the existing ACL.

Sent from Cisco Technical Support iPad App

Does this look correct?

Extended IP access list 100
    9 deny ip 192.168.70.0 0.0.0.255 192.168.90.0 0.0.0.255
    10 permit ip 192.168.70.0 0.0.0.255 any
    20 permit ip 192.168.80.0 0.0.0.255 any


This works but doesn't.

I can now ping my remote LAN

I can ping servers and devices.

I can browse to internal websites

I cannot RDP to any servers on the LAN

I cannot browse the internet through the tunnel

any thoughts?

Can you ping servers on the LAN? Can the servers ping the VPN machines?

For you to browse the Internet you need to "hairpin"; use your favourite search engine for that.

Sent from Cisco Technical Support iPad App

I can ping the servers on the LAN. The LAN servers can ping the VPN clients.

I cannot RDP either way.

I will take it one step at a time and look into the hairpin. <-- Thank you for that; sometimes the keyword is all you need!!!

What else apart from rdp does not work?

Sent from Cisco Technical Support iPad App

After doing a quick look it appears that is the only thing not working. I am sure the servers have RDP enabled and no firewall or anything blocking them on the windows side.

Try doing this and let me know if the RDP works:

interface Vlan100
 ip tcp adjust-mss 1200


As for the Internet from the VPN client, just enable split tunneling with a standard ACL indicating which networks the VPN client should reach. Any other traffic from the VPN client (internet) will use its own local internet connection.

Like this (standard ACLs take no "ip" keyword, and the group must reference the same list number):

access-list 80 permit 192.168.70.0 0.0.0.255
access-list 80 permit 192.168.80.0 0.0.0.255
crypto isakmp client configuration group hsgroup
 acl 80

HIH.......D.

That didn't seem to change anything. I am not 100% sure what that command does.

I did not want to use split-tunnel, as I wanted all the internet traffic to go through the VPN due to content filtering requirements.

Thanks!

Update.

After looking into what we can and cannot do further we have found the following.

~From the VPN side we can access fileshares and ping all machines on VLAN100

~From the VPN side we can RDP to only 1 server on VLAN100. We cannot RDP to any other machines on VLAN100

(we have verified that other machines on VLAN100 can RDP to all machines on VLAN100, to ensure RDP was turned on and no firewall restrictions were in place)

~From the LAN I have all services to the VPN side.

Any thoughts?

I did notice that if I remove the NAT forwarding entries I can RDP to the machines in question from the VPN tunnel. This does disable the ability to use RDP from the outside. Is there any way to have both working?

no ip nat inside source static tcp 192.168.70.104 3389 173.9.146.81 3388 extendable
no ip nat inside source static tcp 192.168.70.56 3389 173.9.146.81 3399 extendable

Feels like we are starting to make some progress!
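The following is an added example and not code from the original post or from Cisco. It models the inside-to-outside NAT decisions the 881 makes for traffic heading back to a VPN client, so that both andrew.prince's NAT-exemption suggestion and the later finding that the static port forwards break RDP can be seen in one place. It assumes IOS behaviour as commonly described: static translations take precedence over the dynamic overload rule, the overload rule is gated by access-list 100 with first-match semantics and an implicit deny, and a deny entry in that list exempts traffic from translation. The public address is a documentation placeholder for the masked XXX.XXX.XXX.XXX, PAT is modelled as keeping the source port, and the packets are constructed samples.

```python
"""Model of the 881's inside->outside NAT decisions for VPN-bound traffic.

Added example, not from the original post or Cisco. Assumptions: static NAT
entries are checked before the dynamic overload rule, access-list 100 uses
IOS first-match semantics with an implicit deny, PAT keeps the source port,
and PUBLIC_IP stands in for the masked outside address.
"""
from ipaddress import IPv4Address
from typing import List, NamedTuple, Tuple

PUBLIC_IP = "203.0.113.1"      # placeholder (assumption) for XXX.XXX.XXX.XXX
VPN_CLIENT = "192.168.90.100"  # first address of ip local pool pptp-pool


class Packet(NamedTuple):
    proto: str   # "icmp" or "tcp"
    src: str
    sport: int   # 0 for icmp
    dst: str
    dport: int


class ACE(NamedTuple):
    """One line of an extended ACL: permit/deny ip <src> <wc> <dst> <wc>."""
    action: str
    src: str
    src_wildcard: str
    dst: str
    dst_wildcard: str


class StaticTcp(NamedTuple):
    """ip nat inside source static tcp <local_ip> <local_port> <public> <global_port>"""
    local_ip: str
    local_port: int
    global_port: int


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """IOS wildcard mask: a 1 bit means 'don't care', 0 means 'must match'."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, net, wildcard))
    return (a & ~w) == (n & ~w)


def acl_permits(acl: List[ACE], pkt: Packet) -> bool:
    """First matching entry decides; a packet matching nothing hits the implicit deny."""
    for e in acl:
        if wildcard_match(pkt.src, e.src, e.src_wildcard) and \
           wildcard_match(pkt.dst, e.dst, e.dst_wildcard):
            return e.action == "permit"
    return False


def nat_inside_to_outside(pkt: Packet, nat_acl: List[ACE],
                          statics: List[StaticTcp]) -> Tuple[Packet, str]:
    """Translate a packet leaving a 'nat inside' VLAN towards FastEthernet4.

    Returns the (possibly rewritten) packet and the rule that fired. A static
    port forward rewrites the server's source regardless of destination, which
    is why RDP replies to a VPN client come back from the public address. The
    overload rule only fires when access-list 100 permits the packet, so a
    deny entry towards the VPN pool acts as a NAT exemption.
    """
    for s in statics:
        if pkt.proto == "tcp" and pkt.src == s.local_ip and pkt.sport == s.local_port:
            return pkt._replace(src=PUBLIC_IP, sport=s.global_port), "static"
    if acl_permits(nat_acl, pkt):
        return pkt._replace(src=PUBLIC_IP), "overload"
    return pkt, "none"


# access-list 100 as posted: everything sourced from the LAN VLANs is overloaded
ACL100_ORIGINAL = [
    ACE("permit", "192.168.70.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ACE("permit", "192.168.80.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]
# access-list 100 with the deny towards the VPN pool inserted first (sequence 9)
ACL100_WITH_EXEMPTION = [
    ACE("deny", "192.168.70.0", "0.0.0.255", "192.168.90.0", "0.0.0.255"),
] + ACL100_ORIGINAL

# the two RDP port forwards from the running config
RDP_FORWARDS = [StaticTcp("192.168.70.104", 3389, 3388),
                StaticTcp("192.168.70.56", 3389, 3399)]


def reply_source_seen_by_client(server: str, proto: str, sport: int, nat_acl: List[ACE],
                                statics: List[StaticTcp]) -> Tuple[str, int, str]:
    """(source address, source port, rule) the VPN client sees on a reply from `server`."""
    reply = Packet(proto, server, sport, VPN_CLIENT, 50000)  # constructed sample packet
    out, rule = nat_inside_to_outside(reply, nat_acl, statics)
    return out.src, out.sport, rule


if __name__ == "__main__":
    cases = [
        ("ping reply, ACL as posted     ", "192.168.70.56", "icmp", 0, ACL100_ORIGINAL, RDP_FORWARDS),
        ("ping reply, with exemption    ", "192.168.70.56", "icmp", 0, ACL100_WITH_EXEMPTION, RDP_FORWARDS),
        ("RDP reply from .104, forwards ", "192.168.70.104", "tcp", 3389, ACL100_WITH_EXEMPTION, RDP_FORWARDS),
        ("RDP reply from .104, no fwds  ", "192.168.70.104", "tcp", 3389, ACL100_WITH_EXEMPTION, []),
        ("RDP reply from .15 (no fwd)   ", "192.168.70.15", "tcp", 3389, ACL100_WITH_EXEMPTION, RDP_FORWARDS),
    ]
    for label, *args in cases:
        print(label, reply_source_seen_by_client(*args))
```

Run stand-alone, the five cases line up with the thread: with the ACL as posted, a ping reply to the VPN client is overloaded and appears to come from the outside interface; with the deny entry in front it is left untranslated and ping works; RDP replies from .104 and .56 are still rewritten by the static port forwards, so RDP to those two servers fails while a server without a forward (here .15) works; and with the forwards removed, .104 answers from its own address, matching what removing the two `ip nat inside source static` lines did. The model does not cover keeping both working; in IOS a static translation can carry a route-map so that it is skipped for traffic towards the pool, which is the direction the thread's last question points in but does not reach.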

Anyone have any ideas? We are starting to get under the gun on this one.

Thanks again!!

We are still stuck on this one...