
Cannot access remote machines


burtsbees

Programmer
Jan 29, 2007
I have an IPSEC remote access VPN configured in my 2620XM. I tried allocating addresses from the same subnet as the remote network, but denying the addresses in the NAT acl (this used to work---I could RDC into my servers and everything). I don't know what has changed...I connect to the VPN, and get an IP address that I have set aside, and can ping most routers, but I cannot ping any devices on the same subnet as the routers. I never had split tunneling enabled before. I have static routes from all routers pointing to the VPN IP address pool, and can ping all around. Without me posting a config, can anyone think of any pointers? I will be happy to post a config, though. If anything, I can enable split-tunneling...

Burt
 
I never use a VPN address pool that contains IP addresses in the same subnet as my internal network.
 
Well, the way I have it now, it is on a completely different subnet. Like I said, I never had any problems before. This is more or less a lab environment...
Thanks for the quick response, though.
I notice when I do a "route print" from the command line, I see the routes to the local machines, but on the VPN side, I cannot get out of the VPN server.
My topology is 2620XM---2503---2620---2620---2620
The 2503 is a frame relay switch, and my PCs/printer are connected to the third and fourth routers, each with their own Cat 2924 switch. When connected to the VPN, I cannot ping outside of the 2620XM.

Burt
 
Here's the config...

Edge#sh run
Building configuration...
Current configuration : 6914 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Edge
boot-start-marker
boot-end-marker
security authentication failure rate 2 log
security passwords min-length 6
logging count
logging userinfo
logging buffered 64000 debugging
enable secret 5 $1$PG24$m5c0/VGE18Jm886VHOP77/
aaa new-model
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
aaa session-id common
resource policy
clock timezone cst -6
clock summer-time cst recurring 1 Sun Apr 2:00 1 Sun Nov 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
ip tcp synwait-time 10
ip tcp intercept list 151
no ip dhcp use vrf connected
no ip bootp server
ip domain name directly_connected.com
ip host BigSwitch 10.7.8.5
ip host TAS 192.168.3.2
ip host BAS 192.168.2.2
ip host IPPlus 192.168.69.2
ip host printer 10.0.0.2
ip host ftp 10.69.69.1
ip host vpn1 192.168.4.98
ip host vpn2 192.168.4.99
ip host comp 192.168.5.2
ip ddns update method xxxxx
HTTP
add interval maximum 28 0 0 0
username xxxxxxxxxx privilege 15 secret 5 $1$ljnu$dGj873pY4XnIBJY1RtcU2.
username xxxxxxxxxx privilege 0 secret 5 $1$kgI6$fDw.Hxfjq5CdEh1fc8tdb/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxxxxxxx
key xxxxxxxxxxxxx
pool vpn_pool_1
max-users 2
netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
interface Null0
no ip unreachables
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/35
oam-pvc manage
pppoe-client dial-pool-number 1
interface FastEthernet0/0
description $FW_INSIDE$
no ip address
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat inside
ip virtual-reassembly
ip route-cache flow
shutdown
duplex auto
speed auto
no mop enabled
interface Serial0/1
description Frame Relay$FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
encapsulation frame-relay
ip route-cache flow
no fair-queue
interface Serial0/1.1 point-to-point
ip address 192.168.3.1 255.255.255.252
ip nat inside
ip virtual-reassembly
frame-relay interface-dlci 102 IETF
interface Dialer0
description $FW_OUTSIDE$
ip ddns update xxxxx
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
rate-limit input access-group 110 256000 1500 2000 conform-action transmit exceed-action drop
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxxxx
ppp chap password xxxxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxx password xxxxxxxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map vpn_cmap_1
interface Dialer1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip local pool vpn_pool_1 192.168.4.98 192.168.4.99
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.0.0.0 192.168.3.2
ip route 192.168.2.0 255.255.255.252 192.168.3.2
ip route 192.168.5.0 255.255.255.0 192.168.3.2
ip route 192.168.68.0 255.255.255.0 192.168.3.2
ip route 192.168.69.0 255.255.255.252 192.168.3.2
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map vpn_map_shit interface Dialer0 overload
ip nat inside source static tcp 10.69.69.1 21 interface Dialer0 21
logging dmvpn
logging history warnings
logging trap debugging
logging 10.12.16.67
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 permit ip 192.168.3.0 0.0.0.3 any
access-list 101 permit ip 192.168.2.0 0.0.0.3 any
access-list 101 permit ip 192.168.69.0 0.0.0.3 any
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 remark prevent_RFC1918_as_source
access-list 102 permit ip any any
access-list 112 remark rate_limit_ftp
access-list 112 permit tcp any host 10.69.69.1 eq ftp
access-list 113 remark prevent_ftp_to_LAN
access-list 151 permit ip any host 192.168.5.2
dialer-list 1 protocol ip permit
no cdp run
route-map vpn_map_shit permit 1
match ip address 101
control-plane
banner motd ^C _________-----_____
_____------ __ ----_
___---- ___------ \
----________ ---- \
-----__ | _____)
__- / \
_______----- ___-- \ /)\
------_______ ---____ \__/ /
-----__ \ -- _ /\
--__--__ \_____/ \_/\
----| / |
| |___________|
| | ((_(_)| )_)
| \_((_(_)|/(_)
\ (
\_____________)

!!!!!Uh oh...better turn back around there, boy...I log all hacking attempts!!!!!! ^C
line con 0
password xxxxxxxxxxxxxxxxxxxxx
logging synchronous
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxxxxxxxx
transport input ssh
scheduler allocate 4000 1000
ntp clock-period 17180367
ntp server 64.113.32.5 source Dialer0
end

sh ip route...

Edge>sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

69.x.x.x/32 is subnetted, 1 subnets
C 69.x.x.x is directly connected, Dialer0
S 192.168.5.0/24 [1/0] via 192.168.3.2
S 10.0.0.0/8 [1/0] via 192.168.3.2
S 192.168.68.0/24 [1/0] via 192.168.3.2
192.168.69.0/30 is subnetted, 1 subnets
S 192.168.69.0 [1/0] via 192.168.3.2
192.168.2.0/30 is subnetted, 1 subnets
S 192.168.2.0 [1/0] via 192.168.3.2
151.x.x.x/32 is subnetted, 1 subnets
C 151.x.x.x is directly connected, Dialer0
192.168.3.0/30 is subnetted, 1 subnets
C 192.168.3.0 is directly connected, Serial0/1.1
S* 0.0.0.0/0 is directly connected, Dialer0

Any clues??? Thanks.

Burt
 
Yet another bump...am I being too impatient?

Burt
 
Fixed. For those who care, I added the command "include-local-lan"...

crypto isakmp client configuration group xxxxxxxxx
key xxxxxxxxxxxxx
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0

I also configured the VPN to use IP addresses from the same LAN my main server is connected to. Funny thing is that this subnet is 192.168.4.0/24, but I cannot ping or RDC into it. I can however ping and RDC into a different server on 10.0.0.0/8 LAN, and from there I can RDC and ping into the 192.168.4.0/24 LAN. Also, I cannot ssh into my edge router (where the vpn configuration is) unless I RDC into the server on the 10.0.0.0/8 LAN...hmmm...any guesses???

Burt
 
One thing I noticed is that you aren't exempting your VPN address pool from NAT.
 
Yes I was...
when I was using 192.168.4.98 and .99, I did not include them in acl 101, which is my NAT acl...

ip local pool vpn_pool_1 192.168.4.98 192.168.4.99
access-list 101 permit ip 192.168.3.0 0.0.0.3 any
access-list 101 permit ip 192.168.2.0 0.0.0.3 any
access-list 101 permit ip 192.168.69.0 0.0.0.3 any
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
route-map vpn_map_stuff permit 1
match ip address 101
ip nat inside source route-map vpn_map_stuff interface Dialer0 overload
 
Oh okay, it's just hard to tell as I would have assumed all networks were going to the internet.
 
They are, except for 192.168.4.0/24---one of the changes I made was putting the vpn pool in the same subnet as my home computer, and the printer and ftp server all in their own networks. I added to acl 101
access-list 101 deny ip any 192.168.4.96 0.0.0.3
to exclude 192.168.4.98 and .99 from being NATted, and the rest of the subnet is permitted so it can be NATted.
May I ask why you don't put the vpn pool in the same subnet as your internal network? Security reasons?
Thanks for your input.

Burt
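An added example, not from the thread and not IOS code: a small Python model of the first-match wildcard semantics that ACL 101 applies to the NAT overload rule, built from the addresses posted above (the packet samples are constructed). It shows why the printer's reply to a VPN client gets translated unless the deny for 192.168.4.96/30 sits above the 10/8 permit.

```python
"""Model of how ACL 101 gates the NAT overload rule on the edge router.

Added example, not from the thread and not IOS code. It reproduces the
first-match, wildcard-mask semantics of a Cisco extended ACL in Python and
applies them to the entries posted above (192.168.4.96/30 is the VPN pool
exemption). Packet addresses used below are constructed samples.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' = match every address

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match the base, a 1 bit is ignored."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)

def acl_lookup(acl, src: str, dst: str):
    """Return (index, action) of the first entry matching src/dst.

    An extended ACL is evaluated top-down and ends with an implicit deny,
    so entry order decides whether a flow is translated.
    """
    for idx, (action, sb, sw, db, dw) in enumerate(acl):
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return idx, action
    return None, "deny"

def will_be_natted(acl, src: str, dst: str) -> bool:
    """route-map 'match ip address 101': a permit means the flow is translated."""
    return acl_lookup(acl, src, dst)[1] == "permit"

# ACL 101 as first posted: permit-only, the VPN pool is simply absent
ACL_101_ORIGINAL = [
    ("permit", "192.168.3.0", "0.0.0.3", *ANY),
    ("permit", "192.168.2.0", "0.0.0.3", *ANY),
    ("permit", "192.168.69.0", "0.0.0.3", *ANY),
    ("permit", "192.168.5.0", "0.0.0.255", *ANY),
    ("permit", "10.0.0.0", "0.255.255.255", *ANY),
]

# ACL 101 with the exemption: deny traffic *to* the pool before any permit
ACL_101_EXEMPT = [("deny", *ANY, "192.168.4.96", "0.0.0.3")] + ACL_101_ORIGINAL

# Same deny line placed last: the 10/8 permit matches first, so the deny never fires
ACL_101_MISORDERED = ACL_101_ORIGINAL + [("deny", *ANY, "192.168.4.96", "0.0.0.3")]

if __name__ == "__main__":
    printer, vpn_client, internet = "10.0.0.2", "192.168.4.98", "203.0.113.10"
    for name, acl in [("original", ACL_101_ORIGINAL), ("exempt", ACL_101_EXEMPT),
                      ("misordered", ACL_101_MISORDERED)]:
        print(name, "printer->vpn natted:", will_be_natted(acl, printer, vpn_client),
              "| printer->internet natted:", will_be_natted(acl, printer, internet))
```

Traffic sourced from the VPN client itself (192.168.4.98) matches nothing in the original list and so is never translated; it is the LAN-to-client return path that the deny line has to catch.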
 
I don't have a ton of experience with VPNs on an IOS router. However, I have configured hundreds of PIXes and ASAs with both site-to-site and remote access VPNs. I never use an internal network for the VPN pool because it can easily cause routing issues.

Can you post a copy of your current configuration? I am now curious and may have to lab it up.
 
My topology goes like so...

Internet-2620XM-frame_switch-2620-2620-2620

Off of the 2620XM is a Catalyst 2924, off of which sits my home computer, 192.168.4.69. Off of the second 2620 (third router in the chain) is a second Cat2924, where my ftp server and printer sit on the 10.0.0.0/8 nw. Here's the config of the 2620XM...

Edge#sh run
Building configuration...

Current configuration : 6953 bytes
Last configuration change at 14:47:53 cst Wed Dec 12 2007 by xxxxxxxx
NVRAM config last updated at 14:47:53 cst Wed Dec 12 2007 by xxxxxxxxxxx
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname Edge
boot-start-marker
boot-end-marker
security authentication failure rate 2 log
security passwords min-length 6
logging count
logging userinfo
logging buffered 64000 debugging
enable secret 5 $1$PG24$m5c0/VGE18Jm886VHOP77/
aaa new-model
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
aaa session-id common
resource policy
clock timezone cst -6
clock summer-time cst recurring 1 Sun Apr 2:00 1 Sun Nov 2:00
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
ip tcp synwait-time 10
ip tcp intercept list 151
no ip dhcp use vrf connected
ip dhcp pool yo
network 192.168.4.0 255.255.255.0
dns-server x.x.x.x x.x.x.x
no ip bootp server
ip domain name directly_connected.com
ip host BigSwitch 10.7.8.5
ip host TAS 192.168.3.2
ip host BAS 192.168.2.2
ip host IPPlus 192.168.69.2
ip host printer 10.0.0.2
ip host ftp 10.69.69.1
ip host vpn1 192.168.4.98
ip host vpn2 192.168.4.99
ip host comp 192.168.4.69
ip ddns update method xxxxxxxxx
HTTP
add interval maximum 28 0 0 0
username xxxxxxxxxx privilege 15 secret 5 $1$ljnu$dGj873pY4XnIBJY1RtcU2.
username xxxxxxxxxxx privilege 0 secret 5 $1$kgI6$fDw.Hxfjq5CdEh1fc8tdb/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group xxxxxxxxxxxx
key xxxxxxxxxxxx
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
interface Null0
no ip unreachables
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
interface ATM0/0.1 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
no snmp trap link-status
pvc 0/35
oam-pvc manage
pppoe-client dial-pool-number 1
interface FastEthernet0/0
description $FW_INSIDE$
ip address 192.168.4.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
interface Serial0/1
description Frame Relay$FW_INSIDE$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
encapsulation frame-relay
ip route-cache flow
no fair-queue
interface Serial0/1.1 point-to-point
ip address 192.168.3.1 255.255.255.252
ip nat inside
ip virtual-reassembly
frame-relay interface-dlci 102 IETF
interface Dialer0
description $FW_OUTSIDE$
ip ddns update xxxxxxx
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
rate-limit input access-group 110 256000 1500 2000 conform-action transmit exceed-action drop
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname xxxxxxxxxxxxxx
ppp chap password xxxxxxxxxxxxxx
ppp pap sent-username xxxxxxxxxxxxxxx password xxxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map vpn_cmap_1
interface Dialer1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
ip local pool vpn_pool_1 192.168.4.41 192.168.4.42
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 10.0.0.0 255.0.0.0 192.168.3.2
ip route 192.168.2.0 255.255.255.252 192.168.3.2
ip route 192.168.5.0 255.255.255.0 192.168.3.2
ip route 192.168.68.0 255.255.255.0 192.168.3.2
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 10.69.69.1 21 interface Dialer0 21
ip nat inside source route-map vpn_map_stuff interface Dialer0 overload
logging dmvpn
logging history warnings
logging trap debugging
logging 10.12.16.67
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 101 deny ip any 192.168.4.40 0.0.0.3
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.3.0 0.0.0.3 any
access-list 101 permit ip 192.168.2.0 0.0.0.3 any
access-list 101 permit ip 192.168.5.0 0.0.0.255 any
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 remark prevent_RFC1918_as_source
access-list 102 permit ip any any
access-list 112 remark rate_limit_ftp
access-list 112 permit tcp any host 10.69.69.1 eq ftp
access-list 113 remark prevent_ftp_to_LAN
access-list 151 permit ip any host 192.168.5.2
dialer-list 1 protocol ip permit
no cdp run
route-map vpn_map_stuff permit 1
match ip address 101
control-plane
banner motd ^C _________-----_____
_____------ __ ----_
___---- ___------ \
----________ ---- \
-----__ | _____)
__- / \
_______----- ___-- \ /)\
------_______ ---____ \__/ /
-----__ \ -- _ /\
--__--__ \_____/ \_/\
----| / |
| |___________|
| | ((_(_)| )_)
| \_((_(_)|/(_)
\ (
\_____________)

!!!!!Uh oh...better turn back around there, boy...I log all hacking attempts!!!!!! ^C
line con 0
password xxxxxxxxxxxxxx
logging synchronous
line aux 0
line vty 0 4
password xxxxxxxxxxxxxxxxxx
transport input ssh
scheduler allocate 4000 1000
ntp clock-period 17180368
ntp server 64.113.32.5 source Dialer0
end

There is not, nor ever was, any split tunneling configured. The "include-local-lan" under the crypto isakmp client configuration group allows for browsing the local LAN without having to split-tunnel. I also have the netmask configured under the same for the VPN pool. I did at one time have the VPN pool as a different subnet, but I can't remember why I changed it...screwing around, I guess...
My next project is to encrypt all traffic between router 2 and 3 with an IPSEC tunnel, as they are connected with WIC-T1 cards.

See ya.

Burt
 