Help with VLANS & VPN Access 2


captnops
Feb 12, 2003
The folks at the Cisco switches forum were able to help me get our vlans setup properly, so I am hopeful that you folks can help with the routing portion.

I have a 2811 ISR that is my edge router and also hosts Cisco's Easy VPN server. I setup a pool of addresses for VPN clients that are off network. Right now our network is a single subnet 10.x.x.x and I have Nat'd the pool of VPN addresses to allow access to the internal LAN.

What changes to the router do I need to make to allow VPN clients access to the internal VLANS?

Thanks for the help

 
can you post a scrubbed config??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Keep it simple.

You've already configured your 3560 to do Layer-3 for your internal network - inter-VLAN routing is therefore taken care of.

All you need now is:

- a subnet to join the 3560 to the 2811 (only two addresses required)
- on the 3560 a default route 0.0.0.0 0.0.0.0 --> pointing to your 2811.
- on the 2811 you need to configure routes for each of your internal routes pointing at your 3560, and a default route pointing out of your network.
 
Make sure the vpn pool is excluded from being NATted back out, i.e. denied in the NAT ACL. Let me know if you need a sample config...

Burt
 
Thanks for the help guys.

Unclerico: I assume you want a scrubbed config from the router. I will post that next.

Vince: When you say a subnet to join the 2811 & 3560, do you mean that I should create a separate VLAN with only those two hosts? Wouldn't I then need to trunk between the 3560 and 2811 (requiring SVIs on the FE port on the 2811)?

Burt: I believe I know how to accomplish what you are saying, but a sample config would be very helpful and welcome.

Thanks again
 
Here is my 2811 scrubbed config:
Current configuration : 11987 bytes
!
! Last configuration change at 12:49:39 EDT Wed Apr 29 2009 by tmanger
! NVRAM config last updated at 11:42:17 EDT Wed Apr 15 2009 by tmanger
!
version 12.4
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname ROUTER
!
boot-start-marker
boot-end-marker
!
card type t1 0 1
card type t1 0 3
logging buffered 4096 debugging

aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time EDT recurring
no network-clock-participate wic 1
no network-clock-participate wic 3
!
!
ip cef
!
!
ip host ROUTER 10.x.x.1
ip name-server 10.x.x.4
ip inspect audit-trail
ip inspect dns-timeout 200
ip inspect name fw cuseeme timeout 3600
ip inspect name fw rcmd timeout 3600
ip inspect name fw realaudio timeout 3600
ip inspect name fw tftp timeout 30
ip inspect name fw udp timeout 15
ip inspect name fw tcp timeout 3600
ip inspect name fw ftp timeout 3600
ip inspect name fw h323
ip inspect name fw vdolive
ip inspect name fw netshow
ip inspect name fw rtsp
ip inspect name fw sqlnet
ip inspect name fw streamworks
ip inspect name fw http urlfilter
no ip ips sdf builtin
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
no ip ips notify log
vpdn-template
!
!
frame-relay switching
!
voice-card 0
no dspfarm
!
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
controller T1 0/3/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key $XXXXXX$ address 199.41.253.14 no-xauth
!
crypto isakmp client configuration group GHDSIVPN
key xxxxxxxxxxx
dns 10.x.x.4
domain GHDSI.COM
pool POOL
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 5 ipsec-isakmp
set peer 199.41.253.14
set transform-set myset
match address 125
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Null0
no ip unreachables
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
ip virtual-reassembly
!
interface Loopback3
ip address 72.166.69.35 255.255.255.255
ip virtual-reassembly
!
interface Loopback4
no ip address
!
interface FastEthernet0/0
description $ETH-LAN$
ip address 10.x.x.1 255.x.x.x
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip policy route-map static
duplex full
speed 100
!
interface FastEthernet0/1
description $ETH-WAN$
ip address 204.17.65.226 255.255.255.248
ip access-group 111 in
ip flow ingress
ip flow egress
ip nat outside
ip inspect fw out
ip virtual-reassembly
duplex full
speed 100
crypto map clientmap
!
interface ATM0/0/0
description SNET DSL CIRCUIT #: 8602967218
no ip address
no ip mroute-cache
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
pvc 1/150
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Serial0/1/0:0
ip address 208.47.200.122 255.255.255.252
!
interface Serial0/3/0:0
description Qwest circuit ID DSI-12086845 PH#800-860-6849
no ip address
ip virtual-reassembly
encapsulation frame-relay IETF
!
interface Serial0/3/0:0.1 point-to-point
description PVC to Meriden
bandwidth 768
ip address 63.149.109.18 255.255.255.252
ip virtual-reassembly
frame-relay interface-dlci 16
!
interface Serial0/3/0:0.2 point-to-point
description Public Circuit
bandwidth 768
ip address 72.166.68.246 255.255.255.252
ip virtual-reassembly
frame-relay interface-dlci 17
!
ip local pool ippoool 192.168.254.1 192.168.254.50
ip route 0.0.0.0 0.0.0.0 204.17.65.225
ip route 10.10.10.49 255.255.255.255 72.168.68.246
ip route 10.10.10.49 255.255.255.255 72.166.68.248
ip route 10.10.10.49 255.255.255.255 72.166.68.230
ip route 10.10.20.0 255.255.255.0 63.149.109.17
ip route 10.120.1.0 255.255.255.240 10.10.10.135
ip route 65.115.10.14 255.255.255.255 72.166.68.25
ip route 172.30.30.0 255.255.255.0 10.10.10.135
ip route 172.30.31.254 255.255.255.254 10.10.10.135
ip route 172.30.151.0 255.255.255.0 10.10.10.135
!
ip flow-export version 5
ip flow-export destination 10.10.10.96 9996
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip nat inside source static tcp 10.x.x.4 25 204.17.65.226 25 route-map SDM_RMAP_3 extendable
ip nat inside source static tcp 10.x.x.4 80 204.17.65.226 80 route-map SDM_RMAP_7 extendable
ip nat inside source static tcp 10.x.x.4 443 204.17.65.226 443 route-map SDM_RMAP_5 extendable
ip nat inside source static tcp 10.x.x.47 80 204.17.65.227 80 route-map SDM_RMAP_8 extendable
ip nat inside source static tcp 10.x.x.47 443 204.17.65.227 443 route-map SDM_RMAP_4 extendable
ip nat inside source static tcp 10.x.x.7 1433 204.17.65.227 1433 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 10.x.x.7 2004 204.17.65.227 2004 route-map SDM_RMAP_1 extendable
!
ip access-list extended group-lock
ip access-list extended idletime
ip access-list extended protocol
ip access-list extended tty66
!
logging history debugging
logging trap debugging
logging 10.10.10.96
logging 10.10.10.71
access-list 101 remark SDM_ACL Category=18
access-list 101 deny ip 10.x.x.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 101 deny ip 10.x.x.0 0.0.0.255 199.41.1.0 0.0.0.255
access-list 101 permit ip 10.x.x.0 0.0.0.255 any
access-list 111 permit tcp any host 204.17.65.227 eq www
access-list 111 permit tcp any host 204.17.65.227 eq 443
access-list 111 permit tcp any host 204.17.65.227 eq 2004
access-list 111 permit tcp any host 204.17.65.226 eq smtp
access-list 111 permit tcp any host 204.17.65.226 eq 443
access-list 111 permit esp any host 204.17.65.226
access-list 111 permit udp any host 204.17.65.226 eq non500-isakmp
access-list 111 permit icmp any any echo-reply
access-list 111 permit udp host 192.5.41.41 host 204.17.65.226 eq ntp
access-list 111 permit icmp any any echo
access-list 111 permit tcp any host 204.17.65.226 eq www
access-list 111 permit icmp any any traceroute
access-list 111 permit udp host 192.5.41.209 host 204.17.65.226 eq ntp
access-list 111 permit gre any host 204.17.65.226
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit udp any host 204.17.65.226 eq isakmp
access-list 111 permit icmp any any time-exceeded
access-list 111 permit tcp any host 204.17.65.226 eq 1723
access-list 111 permit ip 192.x.x.0 0.0.0.255 10.x.x.0 0.0.0.255
access-list 111 permit udp host 170.20.20.55 host 204.17.65.226 eq snmp
access-list 111 permit tcp 206.104.31.0 0.0.0.255 host 204.17.65.227 eq 1433
access-list 111 permit tcp 198.68.195.0 0.0.0.255 host 204.17.65.227 eq 1433
access-list 111 permit icmp any any unreachable
access-list 111 permit icmp any any packet-too-big
access-list 111 permit udp host 204.17.65.226 any eq non500-isakmp
access-list 111 permit tcp 65.115.10.0 0.0.0.255 host 204.17.65.226
access-list 111 permit udp 65.115.10.0 0.0.0.255 host 204.17.65.226 eq 23
access-list 111 deny ip 10.x.x.0 0.0.0.255 any
access-list 112 permit icmp any any echo-reply
access-list 112 permit icmp any any administratively-prohibited
access-list 112 permit icmp any any time-exceeded
access-list 112 permit icmp any any traceroute
access-list 112 permit icmp any any unreachable
access-list 112 permit icmp any any packet-too-big
access-list 112 permit icmp any any echo
access-list 115 remark SDM_ACL Category=16
access-list 115 permit ip 10.x.x.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 120 permit ip host 10.x.x.6 192.x.x.0 0.0.0.255
access-list 120 permit ip host 10.x.x.4 192.168.254.0 0.0.0.255
access-list 120 permit ip host 10.x.x.7 192.168.254.0 0.0.0.255
access-list 125 permit ip 10.x.x.0 0.0.0.255 199.41.1.0 0.0.0.255
snmp-server community XXXXXXXXpublic RO
snmp-server community xxxxxxxxprivate RW
snmp-server enable traps tty
snmp-server enable traps syslog

!
route-map static permit 10
match ip address 120
set ip next-hop 1.1.1.2
!
route-map SDM_RMAP_4 permit 1
match ip address 104
!
route-map SDM_RMAP_5 permit 1
match ip address 105
!
route-map SDM_RMAP_6 permit 1
match ip address 106
!
route-map SDM_RMAP_7 permit 1
match ip address 100
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map SDM_RMAP_3 permit 1
match ip address 103
!
route-map SDM_RMAP_8 permit 1
match ip address 102
!
route-map SDM_RMAP_9 permit 1
match ip address 103
!
route-map nonat permit 10
match ip address 101
!

!
control-plane
!
no call rsvp-sync

!
dial-peer cor custom
!

!
line con 0
password 7 xxxxxxxxxxxxxxx
line aux 0
line vty 0 4
privilege level 15
password 7 xxxxxxxxxxxxxxxx
transport input telnet ssh
!
scheduler allocate 20000 1000
ntp clock-period 17180046
ntp update-calendar
ntp server 192.5.41.41
ntp server 10.x.x.4 source FastEthernet0/0 prefer
ntp server 192.5.41.209
!
end

RH2811-A#
 
Oh, and not to add any more yuk to the water, I have a second 2811 that I would like to add for redundancy that will connect to a backup T1 with another ISP, using HSRP and SLA.

Besides the HSRP and SLA setup, what changes would need to be made to allow this router to integrate into what we are working on above?

Thanks
 
Hey folks,

I am still having issues with this setup. I have connected a port on the 3560 to the router and given each an address outside of the vlans.

I cannot ping the router address from any host other than the 3560 which has a static route to that address. I have also added a static route to the router that points back to the 3560.

Do I need to add virtual interfaces to the router's Ethernet port? If so, would that not negate the reason for using the 3560 as a Layer 3 switch to offload inter-VLAN routing from the router?

Thanks
 
The 3560 should be the gateway for each host in each VLAN. As for connecting the router to the switch, you can either a) create a VLAN and place the port connected to the router in that VLAN or b) make the port that the router is connected to a Layer 3 port. The router should have routes back to the 3560 for all internal VLANs and the 3560 should have a default route to the router.

 
Thank you Unclerico

Aside from enabling the port on the 3560 that connects to the router, is there anything else I have to do on the switch or router to make the port layer 3?

Should I have a static route on the router for each of the vlans? Or just to the connected port on the 3560?

Thanks for the help.
 
on the switch you need to go under the port and issue no switchport and then of course issue ip address x.x.x.x y.y.y.y. If you have a bunch of subnets that you will be routing for but only these two devices will be doing the routing, I would just enable RIP and let it do its thing. If you don't want a routing protocol then you will want a static route on the router for each subnet behind the 3560.

 
Unclerico

I have setup the router and switch and given each a default gateway (the router is connected to our T1 via serial with ip address)

I have added the static routes and I am now able to send/receive from all hosts on all VLANs.

However, when I attempt to ping / tracert 4.2.2.2 from a workstation, I get a destination net unreachable error. I also cannot ping the router's internet (serial) connection from the 3560. Any thoughts?
 
On the 3560, do you have your default route pointing to the router??

 
I do. I am attaching the configs from the 3560 and 2811:

3560: (Non Configured interfaces removed)

Current configuration : 1977 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname RH3560-A
!
enable secret 5 $1$1B2P$KRVyscMVi0t802Ds8A7og1
enable password admin
!
no aaa new-model
ip subnet-zero
ip routing
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
!
interface FastEthernet0/1
no switchport
ip address 10.1.1.2 255.255.255.0
duplex full
speed 100
!
!
interface FastEthernet0/11
switchport access vlan 11
switchport mode access
duplex full
speed 100
!

interface GigabitEthernet0/2
description TRUNK TO SRW224-D
switchport trunk encapsulation dot1q
switchport mode trunk
spanning-tree portfast trunk
!
interface Vlan1
no ip address
!
interface Vlan10
description Infrastructure
ip address 10.10.10.254 255.255.255.0
!
interface Vlan11
description Servers
ip address 10.10.11.254 255.255.255.0
!
interface Vlan12
description Agents
ip address 10.10.12.254 255.255.254.0
ip helper-address 10.10.11.2
!
ip default-gateway 10.1.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.1.1
ip http server
!
control-plane
!
!


2811:

Current configuration : 2260 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered

no aaa new-model
no network-clock-participate wic 0
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
no ipv6 cef
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
archive
log config
hidekeys
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip policy route-map STATIC
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 10.2.1.1 255.255.255.0
shutdown
duplex full
speed 100
!
interface Serial0/0/0:0
description QWEST INTERNET CIRCUIT ID# DS1IT 14436097
ip address 208.47.200.122 255.255.255.252
ip access-group 120 in
ip nat outside
ip virtual-reassembly
!
ip default-gateway 208.47.200.121
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 10.1.1.2
ip route 10.10.11.0 255.255.255.0 10.1.1.2
ip route 10.10.12.0 255.255.254.0 10.1.1.2
!
!
ip http server
no ip http secure-server
ip nat inside source route-map NO-NAT interface Serial0/0/0:0 overload
ip nat inside source route-map STATIC interface FastEthernet0/0 overload
!
access-list 100 remark ALLOWS ACCESS TO LAN FROM VPN ADDRESS POOL
access-list 100 permit ip 10.10.0.0 0.0.255.255 192.168.254.0 0.0.0.255
access-list 110 remark DISALLOW NAT FOR VPN IP POOL OUTBOUND PUBLIC
access-list 110 deny ip 10.10.0.0 0.0.255.255 192.168.254.0 0.0.0.255
access-list 110 remark ALL LAN TRAFFIC OUTBOUND PUBLIC
access-list 110 permit ip 10.10.0.0 0.0.255.255 any
access-list 120 permit ip 10.10.0.0 0.0.255.255 any log
snmp-server community ghdsi_public RO
!
!
!
!
route-map STATIC permit 10
match ip address 100
!
route-map NO-NAT permit 10
match ip address 110
!
control-plane
!
!
scheduler allocate 20000 1000
end

 
The problem is with your access-list 120 being applied inbound on your serial0/0/0:0 interface. Also, can you explain what exactly you are after by using this:
Code:
ip nat inside source route-map STATIC interface FastEthernet0/0 overload
as well as this under your f0/0 interface:
Code:
ip policy route-map STATIC
neither statement is interfering with anything, but depending on what you are or are not trying to do they may clutter your config and confuse you down the road.

 
I have removed the access list applied to the serial interface, but I still have no joy.

When I ping 4.2.2.2 from a workstation on VLAN 12, I get the destination net unreachable response from 10.1.1.1 which is the 2811 LAN interface (fa0/0).

Those two statements you referred to above are intended to allow VPN access to the internal LAN, and VPN users are given IP addresses from a pool that is outside the subnet that the VLANS exist within.

Thanks for the help.
 
<face palm> you don't have a default route on your router. The ip default-gateway statement isn't doing what you think it is. Add in:
Code:
ip route 0.0.0.0 0.0.0.0 s0/0/0:0
That ACL 120 inbound on the s0/0/0:0 still would have caused problems.

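To make the default-route point concrete, here is an added Python walkthrough (my own example, not code from the thread or from Cisco) that does a longest-prefix-match lookup over the routes visible in the two posted configs and traces a packet from a VLAN 12 workstation to 4.2.2.2 through the 3560 and then the 2811, with and without the default route. The table names, the trace() helper and the ip_routing/default_gateway switch are my own; the forward() function models the rule that ip default-gateway is only consulted when IP routing is disabled.

```python
"""Longest-prefix-match walkthrough for the thread's 3560 + 2811 topology.

Added example (not from the thread). Prefixes and next hops are taken from
the configs posted above; the constant names and helpers are mine.
"""
import ipaddress


def build_table(routes):
    """Turn (prefix, next_hop) pairs into a list of (network, next_hop)."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(table, dst):
    """Return (network, next_hop) of the most specific matching route, or None.

    A linear scan is enough here; real routers use a trie, but the selection
    rule is the same: the longest matching prefix wins.
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best


def forward(table, dst, ip_routing=True, default_gateway=None):
    """Model the 'ip default-gateway' pitfall from the thread.

    With 'ip routing' enabled (the 2811, and the 3560 here) a box forwards
    purely from its routing table; 'ip default-gateway' is only consulted
    when IP routing is disabled (host mode). Returns the next hop, or None
    when there is no matching route (ICMP net-unreachable).
    """
    if not ip_routing:
        return default_gateway
    route = lookup(table, dst)
    return route[1] if route else None


# Routes from the posted RH3560-A config: connected VLAN SVIs, the Fa0/1 link
# to the router, and 'ip route 0.0.0.0 0.0.0.0 10.1.1.1'.
SWITCH_3560 = build_table([
    ("10.10.10.0/24", "connected Vlan10"),
    ("10.10.11.0/24", "connected Vlan11"),
    ("10.10.12.0/23", "connected Vlan12"),
    ("10.1.1.0/24", "connected FastEthernet0/1"),
    ("0.0.0.0/0", "10.1.1.1"),
])

# Routes from the posted RH2811-B config as it stood when 4.2.2.2 was
# unreachable: connected Fa0/0 and Serial0/0/0:0, VLAN statics, no default.
ROUTER_2811_BEFORE = build_table([
    ("10.1.1.0/24", "connected FastEthernet0/0"),
    ("208.47.200.120/30", "connected Serial0/0/0:0"),
    ("10.10.10.0/24", "10.1.1.2"),
    ("10.10.11.0/24", "10.1.1.2"),
    ("10.10.12.0/23", "10.1.1.2"),
])

# Same table after the fix suggested above: 'ip route 0.0.0.0 0.0.0.0 s0/0/0:0'.
ROUTER_2811_AFTER = ROUTER_2811_BEFORE + build_table([("0.0.0.0/0", "Serial0/0/0:0")])


def trace(dst, router_table):
    """Follow a packet from a VLAN 12 workstation through the 3560 to the 2811.

    Returns the forwarding decisions in order; the last entry is either the
    2811's egress or the net-unreachable symptom described in the thread.
    """
    hops = []
    first = forward(SWITCH_3560, dst)
    hops.append(f"3560 -> {first}")
    if first != "10.1.1.1":  # destination is a local VLAN; never leaves the switch
        return hops
    second = forward(router_table, dst)
    hops.append(f"2811 -> {second}" if second else "2811: net unreachable (no matching route)")
    return hops


if __name__ == "__main__":
    for name, table in (("before", ROUTER_2811_BEFORE), ("after", ROUTER_2811_AFTER)):
        print(name, trace("4.2.2.2", table))
    # The /23 static for VLAN 12 still beats the default route once it is added:
    print(lookup(ROUTER_2811_AFTER, "10.10.13.9"))
```

Running it shows the "before" table yielding net unreachable from the 2811, which is exactly where the workstation's ping reply came from (10.1.1.1), and the "after" table sending the packet out Serial0/0/0:0 while 10.10.x.x destinations still follow the more specific statics back to 10.1.1.2.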
 
oh and your NO-NAT route-map should be the only thing that you need to permit VPN traffic inbound/outbound that is terminated on the 2811. Your second NAT statement can be removed. The STATIC route-map that is applied to your f0/0 interface really isn't doing anything since there are no actions being performed to alter how the traffic is being routed.

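Burt's earlier advice (deny the VPN pool in the NAT ACL so it is not NATed back out) and the NO-NAT route-map discussed in this reply both hinge on how IOS evaluates an extended ACL: first match wins, wildcard bits set to 1 are "don't care", and no match is an implicit deny. The following Python evaluator is an added example of mine, not code from the thread or from Cisco; it parses ACL 110 exactly as posted for RH2811-B and decides, for a few constructed flows, whether the overload NAT would translate them. The parser, the nat_decision() helper and the deliberately misordered copy of the ACL are my own constructions.

```python
"""Evaluate an IOS-style NAT access list with wildcard masks.

Added example (not from the thread). The ACL lines are the ones posted for
RH2811-B; the parser and the decision helper are mine.
"""
import ipaddress

ANY = (0, 0xFFFFFFFF)  # 'any' == base 0.0.0.0 with wildcard 255.255.255.255


def ip2int(text):
    return int(ipaddress.IPv4Address(text))


def wildcard_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return ((ip2int(addr) ^ base) & (~wildcard & 0xFFFFFFFF)) == 0


def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' starting at tokens[i]."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return (ip2int(tokens[i + 1]), 0), i + 2
    return (ip2int(tokens[i]), ip2int(tokens[i + 1])), i + 2


def parse_acl(lines):
    """Return [(action, src, dst)] for the 'ip' entries of an extended ACL.

    Remark lines are skipped; trailing keywords such as 'log' are ignored.
    """
    entries = []
    for line in lines:
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError(f"only plain 'ip' entries are modelled: {line}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def nat_decision(entries, src, dst):
    """First matching entry decides, as in IOS; no match is an implicit deny.

    For a NAT ACL, 'permit' means translate and 'deny' (explicit or implicit)
    means leave the packet alone, which is how VPN-pool traffic is kept out
    of the overload NAT on the WAN interface.
    """
    for action, (sb, sw), (db, dw) in entries:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return "translate" if action == "permit" else "bypass"
    return "bypass"


# ACL 110 exactly as posted for RH2811-B (remarks kept to show they are skipped).
ACL_110 = [
    "access-list 110 remark DISALLOW NAT FOR VPN IP POOL OUTBOUND PUBLIC",
    "access-list 110 deny ip 10.10.0.0 0.0.255.255 192.168.254.0 0.0.0.255",
    "access-list 110 remark ALL LAN TRAFFIC OUTBOUND PUBLIC",
    "access-list 110 permit ip 10.10.0.0 0.0.255.255 any",
]

# Constructed counter-example: the same two entries in the wrong order. The
# broad permit matches first, so the deny never fires and traffic for the VPN
# pool would be translated to the WAN address, which is the mistake Burt warns about.
ACL_110_MISORDERED = [ACL_110[3], ACL_110[1]]


def decisions(acl_lines):
    """Decide a few constructed flows against one ACL; returns {(src, dst): verdict}."""
    entries = parse_acl(acl_lines)
    flows = [
        ("10.10.12.20", "192.168.254.7"),  # VLAN 12 host -> Easy VPN client
        ("10.10.12.20", "4.2.2.2"),        # VLAN 12 host -> Internet
        ("10.1.1.2", "4.2.2.2"),           # the 3560's link address, outside 10.10/16
    ]
    return {flow: nat_decision(entries, *flow) for flow in flows}


if __name__ == "__main__":
    print("as posted:  ", decisions(ACL_110))
    print("misordered: ", decisions(ACL_110_MISORDERED))
```

The third flow is worth noting: 10.1.1.2 is not covered by 10.10.0.0/0.0.255.255, so the 3560's own link address is never translated by this ACL; if the switch itself needed to reach the Internet, the permit would have to be widened or a separate entry added.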
 
It works!!! Thank you for all your hard work and patience. I am now able to VPN into the router and see each VLAN!!!

I greatly appreciate it.
 