
Easy VPN server one-way traffic

Status
Not open for further replies.

shaferbus (MIS)
Dec 7, 2002
US
It seems like this must be a NAT issue, but I can't seem to get it right.

I currently have a Cisco 871 router configured as an Easy VPN server at the main office, and a Cisco 851 at a remote site operating in Client mode.

I'm replacing the 871 with a new 881 with IOS 15.0, and setting it up with zone-based firewall and CCP has really tested my very limited experience with IOS.

I have everything (apparently) working correctly except that packets are not going through the tunnel from the 881 (192.168.16.x subnet) to the remote 851 (192.168.15.x subnet). I'm receiving packets, but not sending them, and I'm sure a fresh pair of eyes will spot my problem immediately (I hope!).

The VPN address pool is 192.168.17.50 - 192.168.17.55, and I had hoped that adding
Code:
deny 192.168.17.0 0.0.0.255
to Access-list 1 would prevent those addresses from being NAT'd so they would go through the tunnel, but no go.

Does anyone see where I'm going wrong?

Here's the config from the 881

Code:
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname 881Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 [Deleted]
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 :00
!
crypto pki trustpoint TP-self-signed-3318592508
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3318592508
 revocation-check none
 rsakeypair TP-self-signed-3318592508
!
!
crypto pki certificate chain TP-self-signed-3318592508
no ip source-route
!
!
ip dhcp excluded-address 192.168.16.1
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.16.0 255.255.255.0
   default-router 192.168.16.1 
!
ip dhcp pool server
   hardware-address 00c0.9f10.d8a6
!
ip dhcp pool drivecam
   host 192.168.16.3 255.255.255.0
   hardware-address 0016.41ef.439d
!
ip dhcp pool itservice
   host 192.168.16.4 255.255.255.0
   hardware-address 000d.6071.7798
!
ip dhcp pool drivers
   host 192.168.16.14 255.255.255.0
   hardware-address 0040.ca36.35b3
!
ip dhcp pool xerox
   host 192.168.16.13 255.255.255.0
   hardware-address 0000.f0a2.9947
!
ip dhcp pool sharp
   host 192.168.16.30 255.255.255.0
   hardware-address 0880.1fff.22b1
!
ip dhcp pool brother
   host 192.168.16.35 255.255.255.0
   hardware-address 0080.777c.5f70
!
ip dhcp pool phaser
   host 192.168.16.60 255.255.255.0
   hardware-address 0000.aaad.9445
!
ip dhcp pool STS-AP1
   host 192.168.16.31 255.255.255.0
   hardware-address 001b.2a6d.0812
!
ip dhcp pool switch
   host 192.168.16.254 255.255.255.0
   hardware-address 0014.bf57.e9cb
!
!
ip cef
no ip bootp server
ip domain name [Deleted]
ip name-server [Deleted]
ip name-server [Deleted]
ip name-server [Deleted]
ip port-map user-driver port tcp 8082 description Access Website
ip port-map user-RBS port tcp 8085 description Access Schedule
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn [Deleted]
!
!
username admin privilege 15 secret 5 [Deleted]
username stsvpn privilege 15 password 7 [Deleted]
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any DRIVER_ACCESS
 match protocol user-driver
 match protocol user-RBS
class-map type inspect match-any driver
 match class-map DRIVER_ACCESS
class-map type inspect match-all ccp-cls--1
 match class-map driver
 match access-group name driver
class-map type inspect match-any ping
 match protocol icmp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map ping
 match access-group name ping
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect 
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect 
 class type inspect ccp-insp-traffic
  inspect 
 class type inspect ccp-sip-inspect
  inspect 
 class type inspect ccp-h323-inspect
  inspect 
 class type inspect ccp-h323annexe-inspect
  inspect 
 class type inspect ccp-h225ras-inspect
  inspect 
 class type inspect ccp-h323nxg-inspect
  inspect 
 class type inspect ccp-skinny-inspect
  inspect 
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass log
 class type inspect ccp-cls-ccp-permit-1
  pass
 class class-default
  drop
policy-map type inspect ccp-policy-ccp-cls--1
 class type inspect ccp-cls--1
  inspect 
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-policy-ccp-cls--1
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SHAFERVPN
 key [Deleted]
 dns 192.168.16.1 192.168.16.2
 wins 192.168.16.2
 domain [Deleted]
 pool SDM_POOL_1
 include-local-lan
 pfs
 max-users 4
crypto isakmp profile ciscocp-ike-profile-1
   match identity group SHAFERVPN
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address [Deleted] 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
 !
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
 !
!
ip local pool SDM_POOL_1 192.168.17.50 192.168.17.55
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.16.2 8082 interface FastEthernet4 8082
ip nat inside source static tcp 192.168.16.2 8085 interface FastEthernet4 8085
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 [Deleted]
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
ip access-list extended driver
 remark CCP_ACL Category=128
 permit ip any host 192.168.16.2
ip access-list extended ping
 remark CCP_ACL Category=128
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
!
control-plane
 !
!

banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
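
As an added example (not part of the thread or the poster's config), here is a small Python model of how an IOS NAT inside-source access list decides whether a flow is translated. A standard list such as access-list 1 tests only the source address, so the `deny 192.168.17.0 0.0.0.255` tried in the question never matches packets sourced from the 192.168.16.x LAN; the extended list in the model is hypothetical and shows how a destination-based NAT exemption for the VPN pool and the remote LAN would be expressed.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed model of IOS access-list matching for "ip nat inside source list".
# A standard entry tests the source only; an extended entry tests source and
# destination. Wildcard masks are IOS-style: 0 bits must match, 1 bits are ignored.

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (n & care)

# (action, src_net, src_wildcard, dst_net, dst_wildcard); dst is None for standard entries
Entry = Tuple[str, str, str, Optional[str], Optional[str]]

def acl_permits(acl: List[Entry], src: str, dst: str) -> bool:
    """First matching entry wins; implicit deny at the end, as in IOS."""
    for action, snet, swc, dnet, dwc in acl:
        if not wildcard_match(src, snet, swc):
            continue
        if dnet is not None and not wildcard_match(dst, dnet, dwc):
            continue
        return action == "permit"
    return False

def would_be_natted(acl: List[Entry], src: str, dst: str) -> bool:
    """A flow permitted by the NAT list is translated; a denied one is exempt."""
    return acl_permits(acl, src, dst)

# The question's attempt: standard ACL 1 with the VPN pool denied (source test only).
ACL1_ATTEMPT: List[Entry] = [
    ("deny", "192.168.17.0", "0.0.0.255", None, None),
    ("permit", "192.168.16.0", "0.0.0.255", None, None),
]

# Hypothetical extended list (constructed, not from the thread): exempt LAN -> VPN pool
# and LAN -> remote LAN from translation, translate everything else from the LAN.
ACL_EXTENDED: List[Entry] = [
    ("deny", "192.168.16.0", "0.0.0.255", "192.168.17.0", "0.0.0.255"),
    ("deny", "192.168.16.0", "0.0.0.255", "192.168.15.0", "0.0.0.255"),
    ("permit", "192.168.16.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

if __name__ == "__main__":
    for name, acl in (("ACL 1 attempt", ACL1_ATTEMPT), ("extended", ACL_EXTENDED)):
        for dst in ("192.168.17.50", "192.168.15.7", "203.0.113.9"):
            print(name, "192.168.16.10 ->", dst, "NATted:", would_be_natted(acl, "192.168.16.10", dst))
```

With the standard list the LAN-to-pool flow is still translated, because the deny entry only ever compares the source address; the extended list exempts it by destination.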

 
OK, here's the solution, courtesy of unclerico's answer in thread557-1590008 - here's your star!

When I created the NAT with CCP, it created the lines:
Code:
ip nat inside source list 1 interface FastEthernet4 overload
.
.
.
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.16.0 0.0.0.255

However, a route-map instead of an access-list is needed for VPN traffic to be routed properly. When I changed the above to:
Code:
ip nat inside source route-map NAT interface FastEthernet4 overload
.
.
.
access-list 150 permit ip 192.168.16.0 0.0.0.255 any
.
.
route-map NAT permit 10
 match ip address 150

traffic started flowing both ways. I still have a problem with "bypassed packets", but that's for another thread.

According to the Cisco documentation, CCP is supposed to prompt you to create a route map during VPN setup if a NAT is configured, but I built this config from scratch 3 times using CCP and I swear it did not... maybe the new version fixes this.

Perhaps someone more knowledgeable than me (not hard to find in this forum LOL) would care to expand upon route-map vs. access-list in this circumstance for the benefit of future readers.

Thanks unclerico!
 