
Cisco EZVPN 800 Router Connects but No Flow!

Status
Not open for further replies.

travis06

IS-IT--Management
Oct 13, 2008
9
US
Hello, I've been attempting to get my EZVPN server functioning on my 800 series router for several weeks with no luck.

I have the configuration working to the point where the VPN client authenticates and successfully connects, but once connected, I am not able to ping or telnet to any internal servers.

I want split tunneling setup so public traffic does not have to venture over the VPN.

Internal Network = 192.168.1.0 0.0.0.255
VPN Network = 192.168.5.0 0.0.0.255

Current Setup: Internet - > Router (Running EZVPN Server) -> Internal Servers

The router is running on a dynamic IP; I know it is best practice to have a VPN on a static IP. Thus, I have several ports for the internal servers NAT-ed to the internal IP of that server.

Here is my config for review... I removed a bit to allow posting (10k char) to this forum...

---------------


no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
!
ip dhcp pool Internal-net
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 208.67.222.222 208.67.220.220
!
!
ip cef
ip inspect max-incomplete low 220
ip inspect max-incomplete high 500
ip inspect one-minute high 800
ip inspect one-minute low 632
ip inspect hashtable-size 2048
ip inspect tcp idle-time 18000
ip inspect tcp max-incomplete host 250 block-time 0
ip inspect tcp reassembly queue length 512
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip bootp server
!
password encryption aes
!
!
username xxx
!
crypto logging session
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 xxx address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group vpn
key 6 xxx
dns 192.168.1.1
pool SDM_POOL_1
acl 103
max-users 2
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group vpn
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map Map1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
!
crypto map MAP1 client authentication list userlist
crypto map MAP1 isakmp authorization list grouplist
crypto map MAP1 client configuration address respond
!
crypto ctcp port 10000
archive
log config
logging enable
notify syslog contenttype plaintext
hidekeys
!
!
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh version 2
!
bridge irb
!
!
interface Loopback0
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
ip route-cache flow
load-interval 30
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip local pool SDM_POOL_1 192.168.5.100 192.168.5.255
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http port 1025
ip http access-class 4
no ip http secure-server
ip nat pool DHCP 192.168.1.1 192.168.1.255 netmask 255.255.255.0
ip nat inside source static tcp 192.168.1.40 3389 interface FastEthernet4 3389
ip nat inside source static udp 192.168.1.50 88 interface FastEthernet4 88
ip nat inside source static udp 192.168.1.50 3074 interface FastEthernet4 3074
ip nat inside source static tcp 192.168.1.50 3074 interface FastEthernet4 3074
ip nat inside source static tcp 192.168.1.40 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.1.40 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.40 6001 interface FastEthernet4 6001
ip nat inside source static tcp 192.168.1.40 6002 interface FastEthernet4 6002
ip nat inside source static tcp 192.168.1.40 6004 interface FastEthernet4 6004
ip nat inside source static tcp 192.168.1.40 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.40 53 interface FastEthernet4 53
ip nat inside source static tcp 192.168.1.40 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.1.40 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.1.40 143 interface FastEthernet4 143
ip nat inside source static tcp 192.168.1.40 110 interface FastEthernet4 110
ip nat inside source static esp 192.168.1.1 interface FastEthernet4
ip nat inside source static udp 192.168.1.40 53 interface FastEthernet4 53
ip nat inside source static udp 192.168.1.1 500 interface FastEthernet4 500
ip nat inside source static tcp 192.168.1.1 4500 interface FastEthernet4 4500
ip nat inside source static udp 192.168.1.1 4500 interface FastEthernet4 4500
ip nat inside source static tcp 192.168.1.1 10000 interface FastEthernet4 10000
ip nat inside source static 192.168.1.40 interface FastEthernet4
ip nat inside source list 105 interface FastEthernet4 overload
!
ip access-list extended sdm_bvi1_in
remark SDM_ACL Category=1
permit tcp any any
permit icmp any any
permit udp any any
permit ip any any
!
logging history size 75
no logging trap
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 deny any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.2.0 0.0.0.255
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 3 deny any
access-list 4 remark HTTP Access-class list
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 192.168.2.0 0.0.0.255
access-list 4 permit 192.168.1.0 0.0.0.255
access-list 4 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 deny ip any any log
access-list 102 permit tcp any any eq 3389
access-list 102 permit tcp any any eq 3074
access-list 102 permit udp any any eq 3074
access-list 102 permit tcp any any eq www
access-list 102 permit udp any any eq domain
access-list 102 permit tcp any any eq domain
access-list 102 permit tcp any any eq 6400
access-list 102 permit tcp any any eq 143
access-list 102 permit tcp any any eq 5900
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq ftp
access-list 102 permit tcp any any eq ftp-data
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit tcp any any eq 10000
access-list 102 permit tcp any any eq pop3
access-list 102 permit tcp any any eq 6001
access-list 102 permit tcp any any eq 22
access-list 102 permit tcp any any eq 6002
access-list 102 permit tcp any any eq 6004
access-list 102 remark Auto generated by SDM for NTP (123) 24.20.30.232
access-list 102 permit udp host 24.20.30.232 eq ntp any eq ntp
access-list 102 remark Auto generated by SDM for NTP (123) 129.119.80.126
access-list 102 permit udp host 129.119.80.126 eq ntp any eq ntp
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny tcp any any log
access-list 102 deny tcp any any
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
tftp-server nvram:startup-config
!
control-plane

bridge 1 route ip
end
 
Change this line
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
to this
access-list 105 deny ip any 192.168.5.0 0.0.0.255

You can do this by entering priv exec mode, then config t, then ip access-list extended 105. You will get this prompt
router(config-ext-nacl)#
then you type
Edge(config-ext-nacl)#no 10
Edge(config-ext-nacl)#10 deny ip any 192.168.5.0 0.0.0.255

Burt


 
Burt -

Thanks for replying...

After I posted, I found a post similar to this, and the ACL change was suggested as you did.

Unfortunately, this did not fix the problem. I still feel NAT is not returning the packets back to the VPN client because if you watch the statistics on the VPN client, the sent is incrementing constantly while the replies are at 0 and stay there.

Thanks,
Travis
 
Test what connection? The FE4 connection to the internet? If so, yes, everything else on the router functions as expected. Just stuck on the VPN.

Thanks,
Travis
 
What I have also done in the past, which has worked, was to put the vpn pool in the same subnet as the LAN but exclude the pool from NAT. For example,
ip local pool VPN_POOL 192.168.1.8 192.168.1.11
access-list 101 deny ip any 192.168.1.8 0.0.0.3
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map VPN_AND_NAT permit 1
match address 101
ip nat inside source route-map VPN_AND_NAT int fa4 overload
Use a route map to point to the NAT acl...
Since you need 254 hosts for the vpn pool, you can always subnet a 10 dot address range (but that would require a lot of changing). I would experiment with a vpn pool of just 3 or 4 addresses just to see if this fixes your issue, and if it does, you can decide what to do from there.
PIX and ASAs always make the vpn pool its own subnet, but with routers it can be different, whether it's a buggy IOS, the particular router platform, or something else that would cause this to happen. I just know it's what I have done for my 2620XM at home for the vpn into my home network and the regular 2620 here at work for the work vpn, both remote access. The work router has Advanced Security 12.4 IOS, and my home router has Advanced Enterprise 12.4 (10). I know...overkill...lol...but they make one hell of a good firewall!

Burt
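
To see what each of the access lists discussed in this thread actually decides for a given packet, here is an added Python model (not from the thread, not Cisco's code) of how IOS evaluates a numbered access list: first match wins, with an implicit deny at the end, and the same yes/no answer drives `ip nat inside source list`, a NAT route-map's `match address`, and the EZVPN group's split-tunnel `acl`. It runs the original list 105, the edited list 105 from the first reply, the route-map list 101 from the reply above and, going one step beyond the replies, the split-tunnel list 103 from the posted config. The flows, the `SPLIT_103_PERMIT` list and every function name are my own constructions; the addresses are taken from the thread.

```python
"""Added model of IOS numbered-ACL evaluation (first match wins, implicit
deny at the end). Nothing here talks to a router; the lists are copied from
the thread and the sample flows are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "any" or "<network> <wildcard>"
    dst: str


def _take_spec(tokens: List[str]) -> Tuple[str, List[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'NET WILDCARD'."""
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"{tokens[1]} 0.0.0.0", tokens[2:]
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list N {permit|deny} ip SRC DST [...]' lines.
    Remarks and entries for other protocols (tcp/udp/icmp) are skipped."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, rest = _take_spec(tok[4:])
        dst, _ = _take_spec(rest)
        entries.append(AclEntry(tok[2], src, dst))
    return entries


def wildcard_match(addr: str, spec: str) -> bool:
    """IOS wildcard semantics: a 0 bit in the wildcard means 'must match'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def first_match(acl: List[AclEntry], src: str, dst: str) -> Optional[AclEntry]:
    for entry in acl:
        if wildcard_match(src, entry.src) and wildcard_match(dst, entry.dst):
            return entry
    return None  # fell off the end: implicit deny


def nat_applies(acl: List[AclEntry], src: str, dst: str) -> bool:
    """NAT decision for a packet routed from an 'ip nat inside' interface to
    an 'ip nat outside' one (the only case in which IOS consults the list):
    permit => translate, deny or no match => leave the packet alone."""
    hit = first_match(acl, src, dst)
    return hit is not None and hit.action == "permit"


def split_tunnel_networks(acl: List[AclEntry]) -> List[str]:
    """EZVPN pushes the *source* networks of the permit entries of the
    group's split-tunnel list to the client; deny entries define nothing."""
    nets = []
    for e in acl:
        if e.action == "permit" and e.src != "any":
            net, wild = e.src.split()
            nets.append(str(ipaddress.IPv4Network(f"{net}/{wild}")))
    return nets


# Lists as posted in the thread, one string per config line
ORIGINAL_105 = [
    "access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255",
    "access-list 105 permit ip 192.168.1.0 0.0.0.255 any",
]
EDITED_105 = [  # list 105 after the edit suggested in the first reply
    "access-list 105 deny ip any 192.168.5.0 0.0.0.255",
    "access-list 105 permit ip 192.168.1.0 0.0.0.255 any",
]
POOL_IN_LAN_101 = [  # second reply: pool 192.168.1.8-.11 carved out of the LAN
    "access-list 101 deny ip any 192.168.1.8 0.0.0.3",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
SPLIT_103 = ["access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255"]
SPLIT_103_PERMIT = [  # constructed: the permit form a split-tunnel list takes
    "access-list 103 permit ip 192.168.1.0 0.0.0.255 any",
]

# Constructed sample flows: (description, source, destination)
FLOWS = [
    ("server reply to VPN client", "192.168.1.40", "192.168.5.100"),
    ("server to OpenDNS", "192.168.1.40", "208.67.222.222"),
    ("server to LAN-carved pool address", "192.168.1.40", "192.168.1.9"),
    ("server to ordinary LAN host", "192.168.1.40", "192.168.1.50"),
]


def decisions(lines: List[str]) -> Dict[str, bool]:
    """Map each sample flow's description to the NAT decision under 'lines'."""
    acl = parse_acl(lines)
    return {desc: nat_applies(acl, s, d) for desc, s, d in FLOWS}


if __name__ == "__main__":
    for name, lines in [("original 105", ORIGINAL_105), ("edited 105", EDITED_105),
                        ("pool-in-LAN 101", POOL_IN_LAN_101)]:
        print(name, decisions(lines))
    print("split-tunnel networks, list 103:", split_tunnel_networks(parse_acl(SPLIT_103)))
```

Because the permit line of list 105 only covers sources in 192.168.1.0/24, the two forms of list 105 make identical decisions for every flow sourced there, so that edit on its own does not change which LAN-to-VPN packets are left untranslated. Two things worth confirming on a real box before changing NAT lists further: IOS consults the list only for packets crossing from an `ip nat inside` interface to an `ip nat outside` one, so check which interface pair the return traffic really crosses (`show ip nat translations` and the packet counters in `show crypto ipsec sa` are the usual places to look), and a split-tunnel list made only of deny entries defines no protected networks, since EZVPN builds the client's split list from the permit entries.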
 
Jeez I've jacked with this thing for about two hours and still nothing. I'm ready to just tear the config all the way down to nothing and see if the VPN works.
 