Setup EasyVPN on 891 router - client can connect but can't access LAN resources

devin.ortego
Level 1

Hi everyone, I have an 891 router currently configured as a central hub for several LAN-to-LAN VPNs and that is all working as it should. This morning I used the Configuration Professional wizard to set up EasyVPN so that a few remote users can gain access to our main 192.168.2.0 private network from anywhere.

I'm testing it using my iPhone as the VPN client; it connects to the router, pulls a proper IP from the pool I created (192.168.44.0) and can ping the FastEthernet8 public IP, but I am unable to ping or access anything on the 192.168.2.0 network. I'm sure the issue is due to NAT or an access-list issue, but that stuff is very confusing to me. You can see I attempted to add several entries pertaining to the 192.168.44.0 network but none of it has given me access. Can anyone with more experience please check out my config and give me some tips?

-----------------------------------------------------------------------------
!
!
aaa session-id common
!
!
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-3166474641
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3166474641
revocation-check none
rsakeypair TP-self-signed-3166474641
!
!
crypto pki certificate chain TP-self-signed-3166474641
certificate self-signed 01
  3082024B 308201B4 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33313636 34373436 3431301E 170D3131 30333330 30313337
  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 31363634
  37343634 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100D11B 5B164E87 7EC5F601 9BBA2A48 C0C863E0 8D95BDBE 17338555 D9FC38CB
  9193D925 EC53BCE5 4A9747ED E645ED13 DA212CF4 1B53970C 31B39CAB 8815C84B
  1126E742 396025DF 1C48EF12 6EDC67E7 3D72ED79 806F4F42 0D15A573 5653DD3B
  65CB086F 2C87E1F3 959EC3A1 F314378F 2C0AB224 338DF905 E1BF168D A7A6D2BA
  B5AD0203 010001A3 73307130 0F060355 1D130101 FF040530 030101FF 301E0603
  551D1104 17301582 13636973 636F2E64 63676167 656E6379 2E636F6D 301F0603
  551D2304 18301680 14CC1A25 AF32B312 469FA0D1 C952C976 9F999DC6 E3301D06
  03551D0E 04160414 CC1A25AF 32B31246 9FA0D1C9 52C9769F 999DC6E3 300D0609
  2A864886 F70D0101 04050003 81810058 59C9DDD6 EE0D53E1 ECD48A7B 013184BF
  83A503C0 6011D45B 5040AB68 0A8ED9BE 5F52682C 0D6904A1 1E2CCAEC EFB46A15
  E3930C05 93C63172 7053A817 F9AE773B 7E404C08 71D8E0F2 F6E3E682 1BBEED27
  2C508EDC 80C82BA0 095582F5 4AAF0B70 C1A147ED CE46A76A 9F66B2A0 33DFED86
  5B5C601F 9B2F0953 C42C2B47 E52742
        quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.2.1 192.168.2.55
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 12.230.141.xxx xxx.xxx.xxx.xx xxx.xxx.xx.xx
   default-router 192.168.2.20
   netbios-name-server 192.168.2.6
!
!
ip cef
no ip bootp server
ip domain name example.com
ip name-server 205.152.132.23
ip name-server 205.152.37.23
ip name-server 12.230.141.xxx
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX142980CZ
!
!
username admin privilege 15 secret 5 $1$dIsB$/gxLnx1Tclc3Hwm7FvRr91
username devino secret 5 $1$Lj7/$JptIhpAB0ImG3rKhweBtp1
username bigdog secret 5 $1$7V/.$.9LKKF3yADk4UuWiDRe.x0
username aftonc secret 5 $1$MKWE$u79s5ARSr6H94aH/fGvZf/
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
crypto keyring spokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key xxxxxxxxxxxxx
!
crypto isakmp policy 10
encr 3des
authentication pre-share
!
crypto isakmp policy 11
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60 periodic
!
crypto isakmp client configuration group remotevpnusers
key xxxxxxxxxxx
dns 12.230.141.xxx 12.230.141.xxx
wins 192.168.2.6
domain example.com
pool SDM_POOL_2
pfs
netmask 255.255.255.0
crypto isakmp profile L2L
   description LAN-to-LAN for spoke router connections
   keyring spokes
   match identity address 0.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group remotevpnusers
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 7200
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map dynmap 10
set security-association lifetime seconds 28800
set transform-set myset
set pfs group1
set isakmp-profile L2L
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description $FW_OUTSIDE$$ES_WAN$
ip address 12.230.141.xxx 255.255.255.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
!
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet8
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface GigabitEthernet0
description $ES_LAN$$FW_INSIDE$
ip address 192.168.2.20 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 1$
ip address 10.10.10.1 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip tcp adjust-mss 1452
!
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
!
ip local pool SDM_POOL_1 192.168.2.10 192.168.2.15
ip local pool SDM_POOL_2 192.168.44.1 192.168.44.240
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 102 interface FastEthernet8 overload
ip nat inside source static tcp 192.168.2.2 443 12.230.141.xxx 443 route-map SERVER reversible extendable
ip nat inside source static tcp 192.168.2.200 5367 12.230.141.xxx 5367 extendable
ip route 0.0.0.0 0.0.0.0 12.230.141.xxx
!
logging trap debugging
access-list 10 permit 192.168.2.0 0.0.0.255
access-list 102 remark CCP_ACL Category=18
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.26.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 102 deny   ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 102 permit icmp 192.168.2.0 0.0.0.255 any
access-list 102 permit tcp 192.168.2.0 0.0.0.255 any
access-list 102 permit ip 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit tcp 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 permit icmp 192.168.44.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 205.216.28.0 0.0.1.255 host 12.230.141.xxx
access-list 105 permit ip host 192.168.2.2 205.216.28.0 0.0.1.255
access-list 105 deny   ip any any
no cdp run
!
!
!
!
route-map SERVER permit 10
match ip address 105
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

cisco#

16 Replies

Hi,

   Please let me know.

1. What internal IP addresses do you want to reach from the remote access VPN?

2. What IP addresses do you assign to clients for the remote access VPN?

Toshi

The internal IP addresses will be anything from 192.168.2.1 to 192.168.2.254

Clients are assigned IPs from 192.168.44.1 to 192.168.44.254

Thanks

Hello,

Just add an ACL entry to deny the VPN traffic.

- Modify ACL 102

- sequence 1

- deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255

Sent from Cisco Technical Support iPhone App

Hi, thanks for the reply!

I'm not sure if I understand you correctly (sorry, I'm new to this!) - I do have that line in ACL 102 already. I tried moving it up to the first in the list and this still hasn't made a difference - I still cannot access or even ping the 192.168.2.0 network from 192.168.44.0. Maybe I'm not doing something right?

Here is the output from 'sho crypto session' whenever I connect to the VPN with my iPhone - that IPSEC flow does not look right to me:

Interface: Virtual-Access2
Username: devino
Profile: ciscocp-ike-profile-1
Group: remotevpnusers
Assigned address: 192.168.44.10
Session status: UP-ACTIVE
Peer: 166.137.14.14 port 15404
  IKE SA: local 12.230.141.xxx/500 remote 166.137.14.14/15404 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.44.10
        Active SAs: 2, origin: crypto map

And here is the output from one of my properly working LAN-to-LAN VPNs with the type of IPSEC flow I'm expecting:

Interface: FastEthernet8
Profile: L2L
Session status: UP-ACTIVE
Peer: 99.116.155.48 port 500
  IKE SA: local 12.230.141.194/500 remote 99.116.155.48/500 Active
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.33.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map

Thanks for your help!
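Two things in the printouts above are worth reading mechanically. The EasyVPN flow `permit ip 0.0.0.0/0.0.0.0 host 192.168.44.10` is the normal shape of a full-tunnel client SA (everything to and from the one client address), so it is not itself the fault. The more telling line is `Peer: 166.137.14.14 port 15404`: IKE is sourced from UDP 500, so a peer arriving from another port has had its source port rewritten by a NAT on the path, and with `no crypto ipsec nat-transparency udp-encaps` in the config its plain ESP has no UDP header for that NAT to track. The following added example (not from the thread or from Cisco) parses `show crypto session` output and flags that condition; the session text is copied from the two printouts above, the port-based check is a heuristic, and `nat_t_enabled` is a parameter the caller supplies from the running config.

```python
"""Reader for 'show crypto session' output that flags peers whose IKE source
port was rewritten by a NAT on the path.  Added example, not Cisco code;
the sample text is copied from the thread's two session printouts."""
import re

IKE_PORT = 500      # ISAKMP/IKE
NAT_T_PORT = 4500   # IKE and ESP-in-UDP once NAT-T has been negotiated

SAMPLE = """\
Interface: Virtual-Access2
Username: devino
Profile: ciscocp-ike-profile-1
Group: remotevpnusers
Assigned address: 192.168.44.10
Session status: UP-ACTIVE
Peer: 166.137.14.14 port 15404
  IKE SA: local 12.230.141.xxx/500 remote 166.137.14.14/15404 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.44.10
        Active SAs: 2, origin: crypto map

Interface: FastEthernet8
Profile: L2L
Session status: UP-ACTIVE
Peer: 99.116.155.48 port 500
  IKE SA: local 12.230.141.194/500 remote 99.116.155.48/500 Active
  IPSEC FLOW: permit ip 192.168.2.0/255.255.255.0 192.168.33.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map
"""

PEER_RE = re.compile(r"^Peer:\s+(\S+)\s+port\s+(\d+)$")


def parse_crypto_sessions(text):
    """Return one dict per 'Interface:' block; other fields are keyed by
    their lower-cased name, and every IPSEC FLOW line goes into 'flows'."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Interface:"):
            cur = {"interface": line.split(":", 1)[1].strip(), "flows": []}
            sessions.append(cur)
        elif cur is None:
            continue                     # text before the first session block
        elif line.startswith("Peer:"):
            m = PEER_RE.match(line)
            if m:
                cur["peer"], cur["peer_port"] = m.group(1), int(m.group(2))
        elif line.startswith("IPSEC FLOW:"):
            cur["flows"].append(line.split(":", 1)[1].strip())
        elif ":" in line:
            key, value = line.split(":", 1)
            cur[key.strip().lower().replace(" ", "_")] = value.strip()
    return sessions


def peer_behind_nat(session):
    """Heuristic: IKE is sourced from UDP 500 (or 4500 after NAT-T); any other
    port means a PAT device between the peer and the router rewrote it."""
    return session.get("peer_port") not in (IKE_PORT, NAT_T_PORT)


def diagnose(session, nat_t_enabled):
    """Findings for one session.  nat_t_enabled reflects whether the router has
    'crypto ipsec nat-transparency udp-encaps' (the thread's config negated it)."""
    findings = []
    if peer_behind_nat(session):
        findings.append(f"peer {session['peer']} reaches us from port "
                        f"{session['peer_port']}: a NAT sits between it and the router")
        if not nat_t_enabled:
            findings.append("NAT-T is disabled, so this peer's ESP carries no UDP "
                            "header for that NAT to track; IKE completes but the "
                            "data packets are likely to be dropped or mangled")
    return findings


if __name__ == "__main__":
    for s in parse_crypto_sessions(SAMPLE):
        print(s["interface"], s.get("peer"), s["flows"])
        for f in diagnose(s, nat_t_enabled=False):
            print("  -", f)
```

Run against the sample, the Virtual-Access2 session is flagged on both counts while the FastEthernet8 LAN-to-LAN session (peer on port 500, no NAT in between) produces no findings, which is exactly the split between the broken and the working tunnels in this thread.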

Hi,

   Sorry, I didn't read your configuration carefully. Your configuration is there. Please post "sh access-list 102" after connecting to the remote access VPN and pinging 192.168.2.x. I just want to make sure that the return traffic doesn't get NAT processing.

Toshi

Thanks again!

cisco#sh access-list 102
Extended IP access list 102
    10 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255 (19987 matches)
    20 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (19869 matches)
    30 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255 (58135 matches)
    40 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255 (2046 matches)
    50 deny ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255 (10850 matches)
    60 deny ip 192.168.2.0 0.0.0.255 192.168.18.0 0.0.0.255 (14 matches)
    70 deny ip 192.168.2.0 0.0.0.255 192.168.26.0 0.0.0.255
    80 deny ip 192.168.2.0 0.0.0.255 192.168.33.0 0.0.0.255 (726 matches)
    90 deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
    100 permit ip 192.168.2.0 0.0.0.255 any (27968 matches)
    110 permit icmp 192.168.2.0 0.0.0.255 any
    120 permit tcp 192.168.2.0 0.0.0.255 any
cisco#

Hi,

    Please let me know how you test.

1. You already passed authentication process. Right?

2. Please "ping 192.168.2.x" for testing.

3. Please post "show access-list 102"

Toshi

1. Yes, I put in the password in my client and it connects - I just can't go anywhere from there. The output from my show crypto session I posted above shows me connected as the username I am using to authenticate - devino.

2. Do you mean ping from my VPN client?

I will post the results as soon as you reply

Hello,

   Yes, just make a connection to live hosts. Ping is okay from your PC/iPhone.

Toshi

Ping to 192.168.2.243 (a known active PC on the LAN) results in 100% loss from my iPhone when connected to the VPN. Here is the output of show access-list 102 after the ping:

cisco#show access-list 102
Extended IP access list 102
    10 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255 (28665 matches)
    20 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21369 matches)
    30 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255 (63331 matches)
    40 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255 (2299 matches)
    50 deny ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255 (11824 matches)
    60 deny ip 192.168.2.0 0.0.0.255 192.168.18.0 0.0.0.255 (15 matches)
    70 deny ip 192.168.2.0 0.0.0.255 192.168.26.0 0.0.0.255
    80 deny ip 192.168.2.0 0.0.0.255 192.168.33.0 0.0.0.255 (2761 matches)
    90 deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
    100 permit ip 192.168.2.0 0.0.0.255 any (32612 matches)
    110 permit icmp 192.168.2.0 0.0.0.255 any
    120 permit tcp 192.168.2.0 0.0.0.255 any
cisco#
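The counters above are the check Toshi asked for. ACL 102 is the source list of `ip nat inside source list 102 interface FastEthernet8 overload`, and for such a list a `permit` means "translate" while a `deny` means "leave alone"; entries are evaluated first match wins, which is why the LAN-to-VPN-client deny has to sit above the broad `permit ip 192.168.2.0 0.0.0.255 any` (the point of the "sequence 1" advice earlier in the thread). Line 90 still showing zero matches after the ping means no LAN-to-192.168.44.0 packet has crossed the NAT check at all, so NAT was not what ate the replies. The following added example (not from the thread or from Cisco) models that evaluation: it parses the `show access-list` output (copied from the post above), applies Cisco wildcard-mask semantics with first-match and the implicit deny, and lists exemption lines that have never matched. The `is_translated` reading of permit/deny is specific to NAT source lists, not a general ACL meaning.

```python
"""Evaluator for the extended ACL used as a NAT source list in this thread, plus a
reader for 'show access-list' hit counters.  Added example, not Cisco code; the
sample output is copied from the thread."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Copied from the OP's 'show access-list 102' output taken after the ping test.
SHOW_ACL_102 = """\
Extended IP access list 102
    10 deny ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255 (28665 matches)
    20 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255 (21369 matches)
    30 deny ip 192.168.2.0 0.0.0.255 192.168.11.0 0.0.0.255 (63331 matches)
    40 deny ip 192.168.2.0 0.0.0.255 192.168.13.0 0.0.0.255 (2299 matches)
    50 deny ip 192.168.2.0 0.0.0.255 192.168.15.0 0.0.0.255 (11824 matches)
    60 deny ip 192.168.2.0 0.0.0.255 192.168.18.0 0.0.0.255 (15 matches)
    70 deny ip 192.168.2.0 0.0.0.255 192.168.26.0 0.0.0.255
    80 deny ip 192.168.2.0 0.0.0.255 192.168.33.0 0.0.0.255 (2761 matches)
    90 deny ip 192.168.2.0 0.0.0.255 192.168.44.0 0.0.0.255
    100 permit ip 192.168.2.0 0.0.0.255 any (32612 matches)
    110 permit icmp 192.168.2.0 0.0.0.255 any
    120 permit tcp 192.168.2.0 0.0.0.255 any
"""

ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+(permit|deny)\s+(\S+)\s+(.+?)(?:\s+\((\d+) matches\))?\s*$")


@dataclass
class AclEntry:
    seq: int
    action: str              # "permit" or "deny"
    proto: str               # "ip", "icmp", "tcp", ...
    src: Tuple[int, int]     # (address, wildcard) as 32-bit ints
    dst: Tuple[int, int]
    matches: int = 0


def _addr_spec(tokens: List[str]):
    """Consume one address spec (any | host A | A WILDCARD); return it and the leftover tokens."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])),
            int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


def _addr_matches(spec: Tuple[int, int], ip: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def parse_show_access_list(text: str) -> List[AclEntry]:
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue                     # header line, or syntax this model skips
        seq, action, proto, rest, hits = m.groups()
        src, rest_tokens = _addr_spec(rest.split())
        dst, _ = _addr_spec(rest_tokens)
        entries.append(AclEntry(int(seq), action, proto, src, dst, int(hits or 0)))
    return entries


def evaluate(entries, src_ip, dst_ip, proto) -> Tuple[Optional[int], str]:
    """First match wins; the implicit deny at the end is reported as (None, 'deny')."""
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if _addr_matches(e.src, src_ip) and _addr_matches(e.dst, dst_ip):
            return e.seq, e.action
    return None, "deny"


def is_translated(entries, src_ip, dst_ip, proto) -> bool:
    """For 'ip nat inside source list', permit means translate and deny means exempt."""
    return evaluate(entries, src_ip, dst_ip, proto)[1] == "permit"


def unused_exemptions(entries) -> List[int]:
    """Deny lines with zero hits: no traffic to that destination has reached the NAT check."""
    return [e.seq for e in entries if e.action == "deny" and e.matches == 0]


if __name__ == "__main__":
    acl = parse_show_access_list(SHOW_ACL_102)
    for pkt in [("192.168.2.243", "192.168.44.10", "icmp"),   # LAN reply to the VPN client
                ("192.168.2.243", "8.8.8.8", "tcp"),          # ordinary Internet-bound traffic
                ("192.168.44.10", "192.168.2.243", "icmp")]:  # client to LAN (no entry in this output)
        print(pkt, evaluate(acl, *pkt), "translated" if is_translated(acl, *pkt) else "exempt")
    print("exemption lines with zero matches:", unused_exemptions(acl))
```

The first packet hits line 90 and is exempt, the second hits line 100 and is translated, and the third falls through to the implicit deny, so the only lines that decide the VPN case are 90 and 100 and their relative order.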

Hi,

   It seems you are using the ESP protocol to connect the remote access VPN. Please do this for testing.

NAT traversal enabled:

cisco(conf)#crypto ipsec nat-transparency udp-encaps

Toshi

Okay, I entered that command. Seems like we may be making some progress! I can now ping that LAN's gateway (192.168.2.20) and my WINS and IIS servers from my iPhone, but I still can't access some of our local applications through my phone's browser... getting timeouts. Hmmm...

Thank you so much for your patience!

Hello,

    I don't recommend testing all the apps via iPhone. Do it on your PC/notebook first. Safari is good but... (grin)

Toshi

I agree and was just thinking the same thing. I will do some more testing from other machines and give you an update. Thanks so much for all your help!
