11-17-2011 01:11 PM - edited 03-04-2019 02:19 PM
Hi everyone, I have an 891 router currently configured as a central hub for several LAN-to-LAN VPNs and that is all working as it should. This morning I used the Configuration Professional wizard to set up EasyVPN so that a few remote users can gain access to our main 192.168.2.0 private network from anywhere.
I'm testing it using my iPhone as the VPN client and it connects to the router and pulls a proper IP from the pool I created (192.168.44.0) and can ping the FastEthernet8 public IP, but I am unable to ping or access anything on the 192.168.2.0 network. I'm sure the issue is due to NAT or an access list issue, but that stuff is very confusing to me. You can see I attempted to add several entries pertaining to the 192.168.44.0 network, but none of it has given me access. Can anyone with more experience please check out my config and give me some tips?
-----------------------------------------------------------------------------
!
!
aaa session-id common
!
!
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3166474641
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3166474641
revocation-check none
rsakeypair TP-self-signed-3166474641
!
!
crypto pki certificate chain TP-self-signed-3166474641
certificate self-signed 01
3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33313636 34373436 3431301E 170D3131 30333330 30313337
35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31363634
37343634 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100D11B 5B164E87 7EC5F601 9BBA2A48 C0C863E0 8D95BDBE 17338555 D9FC38CB
9193D925 EC53BCE5 4A9747ED E645ED13 DA212CF4 1B53970C 31B39CAB 8815C84B
1126E742 396025DF 1C48EF12 6EDC67E7 3D72ED79 806F4F42 0D15A573 5653DD3B
65CB086F 2C87E1F3 959EC3A1 F314378F 2C0AB224 338DF905 E1BF168D A7A6D2BA
B5AD0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
551D1104 17301582 13636973 636F2E64 63676167 656E6379 2E636F6D 301F0603
551D2304 18301680 14CC1A25 AF32B312 469FA0D1 C952C976 9F999DC6 E3301D06
03551D0E 04160414 CC1A25AF 32B31246 9FA0D1C9 52C9769F 999DC6E3 300D0609
2A864886 F70D0101 04050003 81810058 59C9DDD6 EE0D53E1 ECD48A7B 013184BF
83A503C0 6011D45B 5040AB68 0A8ED9BE 5F52682C 0D6904A1 1E2CCAEC EFB46A15
E3930C05 93C63172 7053A817 F9AE773B 7E404C08 71D8E0F2 F6E3E682 1BBEED27
2C508EDC 80C82BA0 095582F5 4AAF0B70 C1A147ED CE46A76A 9F66B2A0 33DFED86
5B5C601F 9B2F0953 C42C2B47 E52742
quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.55
!
ip dhcp pool ccp-pool1
import all
network 192.168.2.0 255.255.255.0
dns-server 12.230.141.xxx xxx.xxx.xxx.xx xxx.xxx.xx.xx
default-router 192.168.2.20
netbios-name-server 192.168.2.6
!
!
ip cef
no ip bootp server
ip domain name example.com
ip name-server 205.152.132.23
ip name-server 205.152.37.23
ip name-server 12.230.141.xxx
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX142980CZ
!
!
username admin privilege 15 secret 5 $1$dIsB$/gxLnx1Tclc3Hwm7FvRr91
username devino secret 5 $1$Lj7/$JptIhpAB0ImG3rKhweBtp1
username bigdog secret 5 $1$7V/.$.9LKKF3yADk4UuWiDRe.x0
username aftonc secret 5 $1$MKWE$u79s5ARSr6H94aH/fGvZf/
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxxxxxxxxx
!
crypto isakmp policy 10
encr 3des
authentication pre-share
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60 periodic
!
crypto isakmp client configuration group remotevpnusers
key xxxxxxxxxxx
dns 12.230.141.xxx 12.230.141.xxx
wins 192.168.2.6
domain example.com
pool SDM_POOL_2
pfs
netmask 255.255.255.0
crypto isakmp profile L2L
description LAN-to-LAN for spoke router connections
keyring spokes
match identity address 0.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group remotevpnusers
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 28800
set transform-set myset
set pfs group1
set isakmp-profile L2L
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $FW_OUTSIDE$$ES_WAN$
ip address 12.230.141.xxx 255.255.255.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet8
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
description $ES_LAN$$FW_INSIDE$
ip address 192.168.2.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
ip address 10.10.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip local pool SDM_POOL_1 192.168.2.10 192.168.2.15
ip local pool SDM_POOL_2 192.168.44.1 192.168.44.240
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 102 interface FastEthernet8 overload
ip nat inside source static tcp 192.168.2.2 443 12.230.141.xxx 443 route-map SERVER reversible extendable
ip nat inside source static tcp 192.168.2.200 5367 12.230.141.xxx 5367 extendable
ip route 0.0.0.0 0.0.0.0 12.230.141.xxx
!
logging trap debugging
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 102 remark CCP_ACL Category=18
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.26.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp 192.168.2.0 0.0.0.255 any
access-list 102 permit tcp 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit tcp 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit icmp 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 205.216.28.0 0.0.1.255 host 12.230.141.xxx
access-list 105 permit ip host 192.168.2.2 205.216.28.0 0.0.1.255
access-list 105 deny ip any any
no cdp run
!
!
!
!
route-map SERVER permit 10
match ip address 105
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
cisco#
11-17-2011 07:26 PM
Hi,
Please let me know.
1. What are Internal IP addresses you want to connect from remote access vpn?
2. What are IP addresses you assign to clients for remote access VPN?
Toshi
11-17-2011 08:02 PM
The internal IP addresses will be anything from 192.168.2.1 to 192.168.2.254.
Clients are assigned IPs from 192.168.44.1 to 192.168.44.254.
Thanks
11-17-2011 08:13 PM
Hello,
Just add ACL to deny VPN traffic.
- Modify acl 102
- sequence 1
- deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
Sent from Cisco Technical Support iPhone App
11-18-2011 06:49 AM
Hi, thanks for the reply!
I'm not sure if I understand you correctly (sorry, I'm new to this!) - I do have that line in ACL 102 already. I tried moving it up to the first in the list and this still hasn't made a difference - I still cannot access or even ping the 192.168.2.0 network from 192.168.44.0. Maybe I'm not doing something right?
Here is the output from 'sho crypto session' whenever I connect to the VPN with my iPhone - that IPSEC flow does not look right to me:
Interface: Virtual-Access2
Username: devino
Profile: ciscocp-ike-profile-1
Group: remotevpnusers
Assigned address: 192.168.44.10
Session status: UP-ACTIVE
Peer: 166.137.14.14 port 15404
IKE SA: local 12.230.141.xxx/500 remote 166.137.14.14/15404 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.44.10
Active SAs: 2, origin: crypto map
And here is the output from one of my properly working LAN-to-LAN VPNs with the type of IPSEC flow I'm expecting:
Interface: FastEthernet8
Profile: L2L
Session status: UP-ACTIVE
Peer: 99.116.155.48 port 500
IKE SA: local 12.230.141.194/500 remote 99.116.155.48/500 Active
IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.33.0/255.255.255.0
Active SAs: 2, origin: dynamic crypto map
Thanks for your help!
11-18-2011 08:49 AM
Hi,
Sorry I missed reading your configuration carefully. Your configuration is there. Please post "sh access-list 102" when connecting remote access vpn and ping 192.168.2.x. I just want to make sure that the returned traffic won't get NAT process.
Toshi
11-18-2011 08:54 AM
Thanks again!
cisco#sh access-list 102
Extended IP access list 102
10 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255 (19987 matches)
20 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (19869 matches)
30 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255 (58135 matches)
40 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255 (2046 matches)
50 deny ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255 (10850 matches)
60 deny ip 192.168.2.0 0.0.0.255 192.168.18.0 0.0.0.255 (14 matches)
70 deny ip 192.168.2.0 0.0.0.255 192.168.26.0 0.0.0.255
80 deny ip 192.168.2.0 0.0.0.255 192.168.33.0 0.0.0.255 (726 matches)
90 deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
100 permit ip 192.168.2.0 0.0.0.255 any (27968 matches)
110 permit icmp 192.168.2.0 0.0.0.255 any
120 permit tcp 192.168.2.0 0.0.0.255 any
cisco#
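Whether the return traffic from the LAN to the VPN pool escapes NAT comes down to whether ACL 102 hits a deny for it before any permit. The script below is an added example, not code from anyone in this thread or from Cisco: it parses the "show access-list 102" output posted above (re-embedded here as a constructed string) and evaluates a flow the way an IOS "ip nat inside source list" ACL is consulted, where permit means translate and deny or no match means leave the packet alone. The function names (parse_show_access_list, nat_decision, pool_is_nat_exempt) are my own, and the parser assumes contiguous wildcard masks.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the "show access-list 102" output pasted in the thread.
SHOW_ACL_102 = """\
Extended IP access list 102
    10 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255 (19987 matches)
    20 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (19869 matches)
    30 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255 (58135 matches)
    40 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255 (2046 matches)
    50 deny ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255 (10850 matches)
    60 deny ip 192.168.2.0 0.0.0.255 192.168.18.0 0.0.0.255 (14 matches)
    70 deny ip 192.168.2.0 0.0.0.255 192.168.26.0 0.0.0.255
    80 deny ip 192.168.2.0 0.0.0.255 192.168.33.0 0.0.0.255 (726 matches)
    90 deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
    100 permit ip 192.168.2.0 0.0.0.255 any (27968 matches)
    110 permit icmp 192.168.2.0 0.0.0.255 any
    120 permit tcp 192.168.2.0 0.0.0.255 any
"""


@dataclass
class AclEntry:
    seq: int
    action: str  # "permit" or "deny"
    proto: str   # "ip", "icmp", "tcp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


# One numbered ACE; the trailing "(N matches)" counter is optional and discarded.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.*?)(?:\s+\(\d+ matches\))?\s*$")


def _wildcard_to_network(addr, wildcard):
    """IOS wildcard masks are inverted netmasks; invert back so 0.0.0.0 and
    255.255.255.255 are not misread as /0 and /32 netmasks."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def _parse_address(tokens, i):
    """Consume one address spec at tokens[i]: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tok, tokens[i + 1]), i + 2


def parse_show_access_list(text):
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header line or something we do not model
        seq, action, proto, rest = m.groups()
        tokens = rest.split()
        src, i = _parse_address(tokens, 0)
        dst, _ = _parse_address(tokens, i)
        entries.append(AclEntry(int(seq), action, proto, src, dst))
    return entries


def nat_decision(entries, proto, src_ip, dst_ip):
    """Evaluate a packet against a NAT 'inside source list' ACL.
    Returns ('translate'|'exempt', matching sequence number or None).
    permit -> NAT applies; deny or no match (implicit deny) -> untranslated."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if src in e.src and dst in e.dst:
            return ("translate" if e.action == "permit" else "exempt"), e.seq
    return "exempt", None


def pool_is_nat_exempt(entries, lan_cidr, pool_cidr):
    """True if every LAN->pool packet is guaranteed to hit a full deny before any permit."""
    lan = ipaddress.ip_network(lan_cidr)
    pool = ipaddress.ip_network(pool_cidr)
    for e in entries:
        if e.src.overlaps(lan) and e.dst.overlaps(pool):
            return (e.action == "deny" and e.proto == "ip"
                    and lan.subnet_of(e.src) and pool.subnet_of(e.dst))
    return True  # nothing permits it, so the implicit deny keeps it untranslated


if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_ACL_102)
    print(nat_decision(acl, "icmp", "192.168.2.243", "192.168.44.10"))  # LAN -> VPN client
    print(nat_decision(acl, "tcp", "192.168.2.243", "8.8.8.8"))         # LAN -> Internet
    print(pool_is_nat_exempt(acl, "192.168.2.0/24", "192.168.44.0/24"))
```

Run against the posted ACL, the LAN-to-pool flow lands on sequence 90 and is left untranslated, while ordinary LAN-to-Internet traffic is translated by sequence 100, which is what the NAT side of this setup needs to look like; removing sequence 90 flips the pool check to False because sequence 100 would then translate the return traffic.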
11-18-2011 09:02 AM
Hi,
Please let me know how you test.
1. You already passed authentication process. Right?
2. Please "ping 192.168.2.x"for testing.
3. Please post "show access-list 102"
Toshi
11-18-2011 09:09 AM
1. Yes, I put in the password in my client and it connects - I just can't go anywhere from there. The output from my show crypto session I posted above shows me connected as the username I am using to authenticate - devino.
2. Do you mean ping from my VPN client?
I will post the results as soon as you reply.
11-18-2011 09:11 AM
Hello,
Yes, just make a connection to live hosts. Ping is okay from your PC/iPhone.
Toshi
11-18-2011 09:19 AM
Ping to 192.168.2.243 (a known active PC on the LAN) results in 100% loss from my iPhone when connected to the VPN. Here is the output of show access-list 102 after the ping:
cisco#show access-list 102
Extended IP access list 102
10 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255 (28665 matches)
20 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21369 matches)
30 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255 (63331 matches)
40 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255 (2299 matches)
50 deny ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255 (11824 matches)
60 deny ip 192.168.2.0 0.0.0.255 192.168.18.0 0.0.0.255 (15 matches)
70 deny ip 192.168.2.0 0.0.0.255 192.168.26.0 0.0.0.255
80 deny ip 192.168.2.0 0.0.0.255 192.168.33.0 0.0.0.255 (2761 matches)
90 deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
100 permit ip 192.168.2.0 0.0.0.255 any (32612 matches)
110 permit icmp 192.168.2.0 0.0.0.255 any
120 permit tcp 192.168.2.0 0.0.0.255 any
cisco#
11-18-2011 09:26 AM
Hi,
It seems you are using ESP protocol to connect remote access vpn. Please do this for testing.
NAT Traversal enabled.
cisco(conf)#crypto ipsec nat-transparency udp-encaps
Toshi
11-18-2011 09:39 AM
Okay, I entered that command. Seems like we may be making some progress! I can now ping that LAN's gateway (192.168.2.20) and my WINS and IIS servers from my iPhone, but I still can't access some of our local applications through my phone's browser... getting timeouts. Hmmm...
Thank you so much for your patience!
11-18-2011 09:41 AM
Hello,
I don't recommend you test all apps via iPhone. Do it on your PC/notebook first. Safari is good but... (grin)
Toshi
11-18-2011 09:49 AM
I agree and was just thinking the same thing. I will do some more testing from other machines and give you an update. Thanks so much for all your help!