Cisco Remote VPN Clients With Dynamic IP Can't Talk To Each Other

[DraconianDevil]

I have an interesting problem I've been scratching my head over and haven't found anyone yet who has had something similar. My Cisco skills aren't the best in the world, so I'm hoping somebody can give me a hand.

Local office:
Cisco 1841 running 12.4(22)T
Static IP on Internet-facing interface
172.20.0.0/16 LAN subnet

Remote office #1:
Cisco PIX 501 running 6.3(5)
Static IP on Internet-facing interface
192.168.4.0/24 LAN subnet

Remote office #2:
Cisco PIX 501 running 6.3(5)
Dynamic IP on Internet-facing interface
192.168.13.0/24 LAN subnet

Remote Laptop User
Windows XP SP3
Dynamic IP using Hotel Network/Sprint CDMA/802.11/etc
Cisco VPN Client Software ver. 5.0.03.0560
Connect to Local office using VPN address pool of 192.168.254.x


All remote offices and remote laptop users establish VPN connections only to the local office. Once connected, everyone can ping devices on the local network or at any remote office that has a STATIC IP address on the Internet-facing interface. Everyone at the local office or at a remote office with a STATIC IP can ping everyone else, including offices and laptop users with a DYNAMIC IP address.

The problem we have is that if you connect as a Dynamic IP client (using a PIX or the Cisco VPN Client software), you cannot ping any other office or user that connects with a Dyanmic IP. At first I thought it was a simple access list problem, but that doesn't appear to be it. I know a PIX will not allow you to pass traffic between different VPN tunnels, but I'm using an 1841 as my hub, which does not have that limitation.

If anyone can help me figure out why a remote laptop user can't talk to a remote office that has a dynamic IP on the Internet-facing interface, I would GREATLY appreciate it!

Here are the relevent parts of my configs.

*****************************
!Local Office 1841:
!
!
username VPNUSER password VPNPASSWORD
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp key CRYPTOKEY address 207.224.xxx.xxx no-xauth
!
crypto isakmp client configuration group CRYPTOGROUP
key CRYPTOPASSWORD
dns 172.20.0.2 172.20.0.3
domain domain.com
pool LOCAL_POOL
acl 111
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
crypto map SDM_CMAP_1 client authentication list Client_VPN
crypto map SDM_CMAP_1 isakmp authorization list Client_VPN
crypto map SDM_CMAP_1 client configuration address respond
!
crypto map SDM_CMAP_1 5 ipsec-isakmp
description VPN Tunnel to Remote Office 1
set peer 207.224.xxx.xxx
set transform-set ESP-3DES-SHA
match address RO1-ACL
!
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
description Inside
ip address 172.20.0.1 255.255.0.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description Outside
ip address 70.167.xxx.xxx 255.255.255.252
ip nat outside
ip virtual-reassembly
speed 10
full-duplex
crypto map SDM_CMAP_1
!
ip local pool LOCAL_POOL 192.168.254.1 192.168.254.254
ip route 0.0.0.0 0.0.0.0 70.167.yyy.yyy
!
ip access-list extended RO1-ACL
permit ip 172.20.0.0 0.0.255.255 192.168.4.0 0.0.0.255
permit ip 192.168.13.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.254.0 0.0.0.255 192.168.4.0 0.0.0.255
!
access-list 111 remark ACL for Dynamic IP VPN Clients
access-list 111 permit ip 172.20.0.0 0.0.255.255 192.168.254.0 0.0.0.255
access-list 111 permit ip 192.168.4.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 111 permit ip 192.168.13.0 0.0.0.255 192.168.254.0 0.0.0.255
!
access-list 120 remark ACL for No-Nat Rules
access-list 120 deny ip 172.20.0.0 0.0.255.255 192.168.4.0 0.0.0.255
access-list 120 deny ip 172.20.0.0 0.0.255.255 192.168.13.0 0.0.0.255
access-list 120 deny ip 172.20.0.0 0.0.255.255 192.168.254.0 0.0.0.255
access-list 120 permit ip any any
!
route-map nonat permit 10
match ip address 120


******************************
!PIX 501 with a STATIC IP:

! DEFINE INTERFACE ATTRIBUTES
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! FIXUP PROTOCOL DEFINITIONS
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

! VARIABLE DECLARATIONS
names
!
name 207.224.xxx.xxx OUT-IP
name 255.255.255.240 OUT-MASK
name 207.224.yyy.yyy NEXT-HOP
!
name 172.20.0.0 HQ-NETWORK
name 255.255.0.0 CLASS-B-MASK
name 70.167.xxx.xxx HQ-ROUTER
name 192.168.4.0 LOCAL-NETWORK
name 255.255.255.0 CLASS-C-MASK
name 192.168.4.1 IN-IP
name 0.0.0.0 ALL-ZEROS
name 255.255.255.255 ALL-ONES

! TRAFFIC TO BE INCLUDED IN ENCRYPTION PROCESS
access-list VPN_REMOTE permit ip LOCAL-NETWORK CLASS-C-MASK HQ-NETWORK CLASS-B-MASK
access-list VPN_REMOTE permit ip LOCAL-NETWORK CLASS-C-MASK 192.168.254.0 CLASS-C-MASK
access-list VPN_REMOTE permit ip LOCAL-NETWORK CLASS-C-MASK 192.168.13.0 CLASS-C-MASK

! VPN ACCESS-LIST TO NOT ALLOW NAT TO ANY OTHER VPN TUNNEL
access-list VPN_NONAT permit ip LOCAL-NETWORK CLASS-C-MASK HQ-NETWORK CLASS-B-MASK
access-list VPN_NONAT permit ip LOCAL-NETWORK CLASS-C-MASK 192.168.254.0 CLASS-C-MASK
access-list VPN_NONAT permit ip LOCAL-NETWORK CLASS-C-MASK 192.168.13.0 CLASS-C-MASK

!SET IP ADDRESSES FOR INTERNAL AND EXTERNAL INTERFACES
ip address inside IN-IP CLASS-C-MASK
ip address outside OUT-IP OUT-MASK

! ARP TIMEOUT SETTING
arp timeout 14400

! DEFINES POOL OF ADDRESSES USED FOR NAT
global (outside) 1 interface

! DO NOT NAT FOR VPN CLIENTS IN THIS ACCESS LIST
nat (inside) 0 access-list VPN_NONAT

! NAT ALL NON-VPN TRAFFIC
nat (inside) 1 ALL-ZEROS ALL-ZEROS 0 0

! DEFAULT ROUTE
route outside ALL-ZEROS ALL-ZEROS NEXT-HOP 1

! TIMEOUT SETTINGS
timeout xlate 0:05:00
timeout conn 12:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute

! ENABLES PROTECTION AGAINST FLOOD ATTACKS
floodguard enable

! ALLOW ENCRYPTED TRAFFIC ON VPN
sysopt connection permit-ipsec

! SET ENCRYPTION AND HASH TYPES
crypto ipsec transform-set TSET esp-3des esp-sha-hmac

!CRYPTO MAP FOR VPN
crypto map SA-HQ 1 ipsec-isakmp
crypto map SA-HQ 1 match address VPN_REMOTE
crypto map SA-HQ 1 set peer HQ-ROUTER
crypto map SA-HQ 1 set transform-set TSET

! ACTIVATE ALL ENCRYPTION AND AUTHENTICATION ON OUTSIDE INTERFACE
crypto map SA-HQ interface outside
isakmp enable outside

! SET PRE-SHARED KEY FOR VPN
isakmp key CRYPTOKEY address HQ-ROUTER netmask ALL-ONES
isakmp identity address
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption 3des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400


******************************
!PIX 501 with a DYNAMIC IP:

! DEFINE INTERFACE ATTRIBUTES
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100

! FIXUP PROTOCOL DEFINITIONS
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
no fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69

! VARIABLE DECLARATIONS
names
name 192.168.13.1 IN-IP
name 192.168.13.0 LOCAL-NETWORK
name 172.20.0.0 HQ-NETWORK
name 255.255.0.0 CLASS-B-MASK
name 255.255.255.0 CLASS-C-MASK
name 70.167.xxx.xxx HQ-ROUTER
name 0.0.0.0 ALL-ZEROS
name 255.255.255.255 ALL-ONES

!SET IP ADDRESSES FOR INTERNAL AND EXTERNAL INTERFACES
ip address outside dhcp setroute
ip address inside IN-IP CLASS-C-MASK
ip audit info action alarm
ip audit attack action alarm

! ARP TIMEOUT SETTING
arp timeout 14400

! DEFINES POOL OF ADDRESSES USED FOR NAT
global (outside) 1 interface

! NAT ALL NON-VPN TRAFFIC
nat (inside) 1 ALL-ZEROS ALL-ZEROS 0 0

! TIMEOUT SETTINGS
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute

! ENABLES PROTECTION AGAINST FLOOD ATTACKS
floodguard enable

! DEFINE INFORMATION FOR THIS DYNAMIC IP (EASY VPN) CLIENT TO CONNECT TO HQ
vpnclient server HQ-ROUTER
vpnclient mode network-extension-mode
vpnclient vpngroup CRYPTOGROUP password CRYPTOPASSWORD
vpnclient username VPNUSER password VPNPASSWORD
vpnclient enable

 

[brianinms]

I would use different vpn groups for Remote Access Users and EZVPN Clients. Under the group for EZVPN clients you need to include "mode network-extension" to allow the network to be bridged over.

 

[DraconianDevil]

brianinms,

Thanks so much for your response. I set up a seperate isakmp client configuration group for the hardware clients, along with a different IP pool and access list. From what I've been able to determine, the "mode network-extension" command goes on the client side rather than the server, and that was already there. While these changes certainly didn't hurt anything, I'm afraid they didn't improve matters either.

Please keep in mind that I can ping devices on the LAN side of the EZVPN clients from anywhere except another EZVPN client. So, referring back to my configs above, I can ping from LAN to LAN in the following situations:

LOCAL OFFICE <-> REMOTE OFFICE 1 : YES
LOCAL OFFICE <-> REMOTE OFFICE 2 : YES
LOCAL OFFICE <-> REMOTE LAPTOP : YES
REMOTE OFFICE 1 <-> REMOTE OFFICE 2 : YES
REMOTE OFFICE 1 <-> REMOTE LAPTOP : YES
REMOTE OFFICE 2 <-> REMOTE LAPTOP : NO

This is telling me that the network extension mode is working correctly. Your idea of putting the hardware and software EZVPN clients in different pools sounded promising and I appreciate the advice.

Any other ideas would be welcomed.