
Can connect using Cisco VPN Client but cannot connect to statically mapped


thad100g

MIS
Jan 10, 2014
US
I'm having an issue with a Cisco 2801 router with both Site to Site and remote access VPN configuration. The remote access clients can connect to the router without any issues, but when they try to access some internal servers that also have a static mapping, they cannot connect. One specific server is our mail server, and in order to get mail, they have to disconnect from the VPN. I've looked over the config several times and I've checked the ACLs and they look to be correct. Other hosts on the internal LAN can be accessed without any problems, it is just those that have static mapping. I've included the configuration below:

Current configuration : 12537 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname 2801
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging message-counter syslog
no logging buffered
no logging console
enable secret 5 $1$1H/E$Drbmp1hQwLTAHb7BDIkiK/
enable password 7 130812110348402B2F29213D
!
aaa new-model
!
!
aaa group server radius RADGRP
server 192.168.64.198 auth-port 1645 acct-port 1646
server 192.168.64.53 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login userauthen group RADGRP local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
clock timezone EST -3
dot11 syslog
no ip source-route
!
!
!
!
ip cef
ip inspect name INSPECT_INCOMING ftp
ip inspect name INSPECT_INCOMING tcp
ip inspect name INSPECT_INCOMING udp
no ip bootp server
ip domain name doraeme.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-1789666664
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1789666664
revocation-check none
rsakeypair TP-self-signed-1789666664
!
!
crypto pki certificate chain TP-self-signed-1789666664
certificate self-signed 01
3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31373839 36363636 3634301E 170D3135 30383131 32313231
31395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37383936
36363636 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100900A 00A50923 3B1D9A77 62786859 9D84E185 CAECDE3E 36F8CB84 7C0DFF5E
86F49CDB D6208B56 41BB7293 3677A99C 1DF88FCF EF7D1C22 BEE87321 B3381201
DA094953 EC012030 C5442AF7 40D025B9 F53F18E0 815B2FCB 0C7D821A F00AC33E
0449A745 0B90E192 E3936897 1E055753 EBDC6DF1 F1A3FC41 2BEE4737 58C8CFEC
92B70203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
551D1104 1A301882 166D6563 685F3238 30312E6D 65636874 726F6E2E 636F6D30
1F060355 1D230418 30168014 6F22A422 C8FA20AB AE90FBA8 D2292DC6 6181C624
301D0603 551D0E04 1604146F 22A422C8 FA20ABAE 90FBA8D2 292DC661 81C62430
0D06092A 864886F7 0D010104 05000381 810045BE 9A8A8357 63ED1675 103D38DA
9DDBBB95 9D437DEE 40D4900F CD85CA13 3449E3BB 41E9B342 0189EBEF 52B06124
DCE0D977 77F4B245 FEF5B2DB EDCD700E A785C8FB 428AD022 2BDBE5C8 F95808A4
C76E5379 4DB1F187 80478982 5016FB7A F24AD5A2 81050DE0 6067CF6F 4F9DCA2B
70969DCB 50DC416E BE00785C B13AC557 FAF2
quit
!
!
username administrator secret 5 $1$9C73$UTLhuWvFkobJimho0bGj/1
username CousinIT secret 5 $1$n1hs$7.LW5cAJGTe.LAA5YkYsW0
archive
log config
hidekeys
!
crypto keyring remotes
pre-shared-key address 0.0.0.0 0.0.0.0 key ciscoforpresident
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group doraemevpn
key 61Axxx14
dns 192.168.64.53 192.168.64.54
domain doraeme.com
pool ippool
acl VPN4-TRAFFIC
crypto isakmp profile L2L
keyring remotes
match identity address 0.0.0.0
crypto isakmp profile vpnclient
match identity group doraemevpn
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set isakmp-profile L2L
match address VPN10-TRAFFIC
crypto dynamic-map DYNMAP 20
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set isakmp-profile L2L
match address VPN20-TRAFFIC
crypto dynamic-map DYNMAP 30
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set isakmp-profile L2L
match address VPN30-TRAFFIC
crypto dynamic-map DYNMAP 40
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set isakmp-profile L2L
match address VPN40-TRAFFIC
crypto dynamic-map DYNMAP 50
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set isakmp-profile L2L
match address VPN50-TRAFFIC
crypto dynamic-map DYNMAP 60
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set isakmp-profile L2L
match address VPN60-TRAFFIC
crypto dynamic-map DYNMAP 70
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set isakmp-profile L2L
match address VPN70-TRAFFIC
crypto dynamic-map DYNMAP 80
set security-association lifetime seconds 86400
set transform-set ESP-3DES-SHA
set isakmp-profile L2L
match address VPN80-TRAFFIC
crypto dynamic-map DYNMAP 100
set transform-set ESP-3DES-SHA
set isakmp-profile vpnclient
reverse-route
!
!
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP
!
!
!
ip tcp synwait-time 10
!
track 1 ip sla 1 reachability
!
!
!
interface FastEthernet0/0
description $$ETH-WAN$$FW_OUTSIDE$
ip address 176.16.40.194 255.255.255.0
ip access-group 105 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip inspect INSPECT_INCOMING in
ip inspect INSPECT_INCOMING out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map VPN
!
interface FastEthernet0/1
description $$ETH-WAN-BACKUP$$FW_OUTSIDE$
ip address 192.168.238.26 255.255.255.248
ip access-group 110 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map VPN
!
interface FastEthernet0/1/0
description $$ETH-LAN$$FW_INSIDE$
ip address 192.168.64.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
ip local pool ippool 192.168.4.61 192.168.4.70
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 176.16.40.193
ip route 0.0.0.0 0.0.0.0 192.168.238.25 10
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat pool FIBER_POOL 176.16.40.216 176.16.40.221 netmask 255.255.255.224
ip nat pool CABLE_POOL 192.168.238.26 192.168.238.26 netmask 255.255.255.248
ip nat inside source route-map CABLE pool CABLE_POOL overload
ip nat inside source route-map FIBER pool FIBER_POOL overload
ip nat inside source static 192.168.64.199 192.168.238.29 route-map Servers-CABLE
ip nat inside source static 192.168.64.200 192.168.238.30 route-map Servers-CABLE
ip nat inside source static 192.168.64.195 176.16.40.195 route-map Servers-FIBER
ip nat inside source static 192.168.64.196 176.16.40.196 route-map Servers-FIBER
ip nat inside source static 192.168.64.197 176.16.40.197 route-map Servers-FIBER
ip nat inside source static 192.168.64.198 176.16.40.198 route-map Servers-FIBER
ip nat inside source static 192.168.64.199 176.16.40.199 route-map Servers-FIBER
ip nat inside source static 192.168.64.200 176.16.40.200 route-map Servers-FIBER
!
ip access-list extended VPN10-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended VPN20-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.20.0 0.0.0.255
ip access-list extended VPN30-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.30.0 0.0.0.255
ip access-list extended VPN4-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended VPN40-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.40.0 0.0.0.255
ip access-list extended VPN50-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.50.0 0.0.0.255
ip access-list extended VPN60-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.60.0 0.0.0.255
ip access-list extended VPN70-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.70.0 0.0.0.255
ip access-list extended VPN80-TRAFFIC
permit ip 192.168.64.0 0.0.0.255 192.168.80.0 0.0.0.255
!
ip radius source-interface FastEthernet0/1/0
ip sla 1
icmp-echo 8.8.8.8 source-interface FastEthernet0/0
threshold 500
frequency 10
ip sla schedule 1 life forever start-time now
access-list 1 permit 192.168.64.0 0.0.0.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 105 remark == [Assigned to FastEthernet0/0] ==
access-list 105 permit tcp any any established
access-list 105 permit udp any eq domain any
access-list 105 permit icmp any any
access-list 105 permit udp any host 176.16.40.194 eq isakmp
access-list 105 permit udp any host 176.16.40.194 eq non500-isakmp
access-list 105 permit esp any host 176.16.40.194
access-list 105 permit tcp any host 176.16.40.194 eq 22
access-list 105 permit tcp any host 176.16.40.199 eq smtp
access-list 105 permit tcp any host 176.16.40.199 eq 143
access-list 105 permit tcp any host 176.16.40.199 eq 325
access-list 105 permit tcp any host 176.16.40.199 eq www
access-list 105 permit tcp any host 176.16.40.199 eq 1352
access-list 105 permit tcp any host 176.16.40.200 eq smtp
access-list 105 permit tcp any host 176.16.40.200 eq www
access-list 105 permit tcp any host 176.16.40.200 eq 1352
access-list 105 permit tcp any host 176.16.40.200 eq 443
access-list 105 permit tcp any host 176.16.40.200 eq 143
access-list 105 permit tcp any host 176.16.40.200 eq 325
access-list 105 permit tcp any host 176.16.40.198 eq ftp
access-list 105 permit tcp any host 176.16.40.198 eq 18082
access-list 105 permit tcp any host 176.16.40.198 eq ftp-data
access-list 105 permit tcp any eq ftp-data host 176.16.40.198
access-list 105 permit tcp any host 176.16.40.197 eq www
access-list 105 permit tcp any host 176.16.40.197 eq 22
access-list 110 remark == [Assigned to FastEthernet0/1] ==
access-list 110 permit tcp any any established
access-list 110 permit udp any eq domain any
access-list 110 permit icmp any any
access-list 110 permit udp any host 192.168.238.26 eq isakmp
access-list 110 permit udp any host 192.168.238.26 eq non500-isakmp
access-list 110 permit esp any host 192.168.238.26
access-list 110 permit tcp any host 192.168.238.26 eq 22
access-list 110 permit tcp any host 192.168.238.29 eq smtp
access-list 110 permit tcp any host 192.168.238.29 eq 143
access-list 110 permit tcp any host 192.168.238.29 eq 325
access-list 110 permit tcp any host 192.168.238.29 eq www
access-list 110 permit tcp any host 192.168.238.29 eq 1352
access-list 110 permit tcp any host 192.168.238.30 eq smtp
access-list 110 permit tcp any host 192.168.238.30 eq www
access-list 110 permit tcp any host 192.168.238.30 eq 1352
access-list 110 permit tcp any host 192.168.238.30 eq 443
access-list 110 permit tcp any host 192.168.238.30 eq 143
access-list 110 permit tcp any host 192.168.238.30 eq 325
access-list 150 remark == [NAT Control List] ==
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.70.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 150 deny ip host 192.168.64.200 any
access-list 150 deny ip host 192.168.64.199 any
access-list 150 deny ip host 192.168.64.198 any
access-list 150 deny ip host 192.168.64.197 any
access-list 150 permit ip 192.168.64.0 0.0.0.255 any
access-list 199 remark == [NAT Control List - Servers Only] ==
access-list 199 permit ip host 192.168.64.200 any
access-list 199 permit ip host 192.168.64.199 any
access-list 199 permit ip host 192.168.64.198 any
access-list 199 permit ip host 192.168.64.197 any
!
!
!
route-map Servers-FIBER permit 10
match ip address 199
match interface FastEthernet0/0
!
route-map Servers-CABLE permit 10
match ip address 199
match interface FastEthernet0/1
!
route-map CABLE permit 10
match ip address 150
match interface FastEthernet0/1
!
route-map FIBER permit 10
match ip address 150
match interface FastEthernet0/0
!
!
radius-server host 192.168.64.198 auth-port 1645 acct-port 1646 key 7 070C285F4D06485744
radius-server host 192.168.64.53 auth-port 1645 acct-port 1646 key 7 070C285F4D06485744
!
control-plane
!
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
password 7 130812110348402B2F29213D
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
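The symptom described in the post (remote-access clients reach ordinary LAN hosts but not the statically mapped servers) is consistent with the order in which IOS applies NAT and IPsec: inside-to-outside translation happens before the crypto map classifies the packet, so a server reply that gets translated to its public address no longer matches the VPN's proxy identities and leaves in the clear. In the posted config, access-list 150 exempts the VPN subnets from the dynamic PAT, but access-list 199, which drives the static translations through route-maps Servers-FIBER and Servers-CABLE, permits everything from the server hosts. The script below is an added diagnostic, not code from the thread or from Cisco; it parses a constructed excerpt of the posted config, simulates the route-map ACL's first-match lookup for a packet from each statically mapped host to each VPN-protected subnet, and lists the hosts whose return traffic would be handed to NAT. It assumes that the crypto ACLs are the named lists ending in `-TRAFFIC`, and that the exemption it suggests is the appropriate fix is an inference from the config, not something the thread confirms.

```python
"""Audit Cisco IOS static NAT route-maps against VPN-protected subnets.

Added diagnostic (not from the forum post): on IOS, inside-to-outside NAT
runs before the crypto map classifies a packet, so a server whose static NAT
route-map ACL permits traffic to a VPN subnet is translated before encryption
and its reply never matches the IPsec SA.  The script parses the relevant
config lines and reports which statically mapped hosts are affected.
"""
import ipaddress

# Constructed excerpt: the NAT and crypto-ACL lines from the posted config,
# trimmed to what the check needs (two of the nine VPN subnets are enough
# to show the pattern; the wildcard-mask syntax is IOS's own).
CONFIG = """\
ip nat inside source static 192.168.64.199 192.168.238.29 route-map Servers-CABLE
ip nat inside source static 192.168.64.199 176.16.40.199 route-map Servers-FIBER
ip nat inside source static 192.168.64.200 176.16.40.200 route-map Servers-FIBER
ip access-list extended VPN4-TRAFFIC
 permit ip 192.168.64.0 0.0.0.255 192.168.4.0 0.0.0.255
ip access-list extended VPN10-TRAFFIC
 permit ip 192.168.64.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 deny ip 192.168.64.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 150 deny ip host 192.168.64.200 any
access-list 150 permit ip 192.168.64.0 0.0.0.255 any
access-list 199 permit ip host 192.168.64.200 any
access-list 199 permit ip host 192.168.64.199 any
route-map Servers-FIBER permit 10
 match ip address 199
 match interface FastEthernet0/0
route-map Servers-CABLE permit 10
 match ip address 199
 match interface FastEthernet0/1
"""


def _spec(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A' or 'A WILDCARD'.
    Returns (network, index of the next token).  Contiguous wildcards only."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wildcard)  # invert the wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def parse_config(text):
    """Collect static NAT entries, numbered ACLs, route-map -> ACL bindings and
    the destination subnets of the crypto ACLs (assumed to be named *-TRAFFIC)."""
    statics, acls, route_maps, protected = [], {}, {}, set()
    current_rm = current_named = None
    for raw in text.splitlines():
        t = raw.split()
        if not t:
            continue
        if raw.startswith("ip nat inside source static"):
            statics.append((t[5], t[6], t[8]))          # inside, global, route-map
            current_rm = current_named = None
        elif raw.startswith("ip access-list extended"):
            current_named, current_rm = t[3], None
        elif raw.startswith("access-list") and t[2] in ("permit", "deny") and t[3] == "ip":
            src, i = _spec(t, 4)
            dst, _ = _spec(t, i)
            acls.setdefault(t[1], []).append((t[2], src, dst))
            current_rm = current_named = None
        elif raw.startswith("route-map"):
            current_rm, current_named = t[1], None
        elif t[:3] == ["match", "ip", "address"] and current_rm:
            route_maps[current_rm] = t[3]
        elif t[0] == "permit" and current_named and current_named.endswith("-TRAFFIC"):
            src, i = _spec(t, 2)
            dst, _ = _spec(t, i)
            protected.add(dst)                          # the far side of the tunnel
    return statics, acls, route_maps, protected


def first_match(entries, src_ip, dst_ip):
    """Action of the first ACL entry matching the flow; IOS ends every ACL
    with an implicit deny, so no match means the route-map skips NAT."""
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"


def find_nat_before_crypto(text):
    """Map each statically translated inside host to the VPN-protected subnets
    for which its route-map ACL would still translate the packet."""
    statics, acls, route_maps, protected = parse_config(text)
    findings = {}
    for inside, _global, rm in statics:
        entries = acls.get(route_maps.get(rm), [])
        src_ip = ipaddress.ip_address(inside)
        for net in protected:
            if first_match(entries, src_ip, net.network_address + 1) == "permit":
                findings.setdefault(inside, set()).add(str(net))
    return {h: sorted(s, key=ipaddress.ip_network) for h, s in findings.items()}


def suggested_exemptions(text):
    """Deny lines that exempt the flagged flows from NAT; they belong ahead of
    the permits in the route-map ACL (an inference from the check above)."""
    statics, _acls, route_maps, _protected = parse_config(text)
    lines = set()
    for inside, nets in find_nat_before_crypto(text).items():
        for acl in {route_maps[rm] for h, _, rm in statics if h == inside}:
            for net in map(ipaddress.ip_network, nets):
                lines.add(f"access-list {acl} deny ip host {inside} "
                          f"{net.network_address} {net.hostmask}")
    return sorted(lines)


if __name__ == "__main__":
    for host, nets in find_nat_before_crypto(CONFIG).items():
        print(f"{host}: translated before crypto for {', '.join(nets)}")
    print("\n".join(suggested_exemptions(CONFIG)))
```

Running it against the excerpt flags both server hosts for both VPN subnets and prints the `deny` lines; prepending those lines to the same text and re-running the audit reports nothing, which is the property to confirm on the real router with `show ip nat translations` after the change. Hosts whose traffic falls through to the `access-list 150` dynamic PAT are already exempted by its leading `deny` entries, which is why they work from the VPN.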
 