
Help with VLANS & VPN Access 2


captnops

IS-IT--Management
Feb 12, 2003
141
The folks at the Cisco switches forum were able to help me get our vlans setup properly, so I am hopeful that you folks can help with the routing portion.

I have a 2811 ISR that is my edge router and also hosts Cisco's Easy VPN server. I setup a pool of addresses for VPN clients that are off network. Right now our network is a single subnet 10.x.x.x and I have Nat'd the pool of VPN addresses to allow access to the internal LAN.

What changes to the router do I need to make to allow VPN clients access to the internal VLANS?

Thanks for the help

 
awesome news.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Like I said...exclude the vpn pool from being natted...you said what the problem was in your first post...

"...and I have Nat'd the pool of VPN addresses to allow access to the internal LAN."

Wrong---the opposite needed to happen...EXCLUDE the vpn pool from NAT.

/
 
Thanks Burt. I am basically following an older config from another 2811 and that works fine. Could you give me a little more information on your last?

Thanks
 
captnops, be sure to award a star to burt for helping you out on this!!!

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I have given both of you stars for all of your efforts!!!!

Let me know if I should open another thread for this, but
I have another question about an error that I am receiving: I am trying to install the Web SSL VPN and continue to get an error when trying to install the package for the web SSL client. The error says:

Error Installing Package: Unknown error. This may occur if your router uses a LEFS file system. Converting it to use DOS file system may resolve this issue.

Thank you both again for all your efforts. I do greatly appreciate them.
 
Oooh...format the flash card...I have never done that, but I'll bet it is what you have to do.

With IPSEC---you do not want IPSEC traffic to be NATted back out, so you therefore exclude it from NAT, by either a route map, extended ACL (both of which for when the vpn pool is in the same subnet as the local LAN or any traffic that NEEDS to be NATted), or by its own ACL (PIX/ASA, commonly called "NONAT"). If the vpn pool is not even mentioned in the NAT ACL, you have also accomplished this.

The authentication data in IPSEC traffic is calculated based on info in the IP header, among other things (for transport mode, anyway, i.e. remote access VPN). When it gets NATted, the IP header obviously gets changed, making the newly calculated authentication data useless, since a different value is now going to be calculated, and the VPN packet is therefore dropped at the VPN server. This is why it needs to be excluded from NAT. In the server itself, the traffic would be NATted back out, so an acl in the server (router) is put in place to prevent the VPN traffic from being NATted back out.

PPTP (Microcrap) does not encrypt or encapsulate IP datagrams, so it works with NAT.

HTH

/
 
Thank you Burt for the additional information. Could I trouble you for an example as I thought I had it correct in my config.

Thanks again.
 
=~=~=~=~=~=~=~=~=~=~=~= PuTTY log 2009.05.22 13:42:02 =~=~=~=~=~=~=~=~=~=~=~=

Using keyboard-interactive authentication.
Password:
___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/
Edge>en
Password:
Edge#sh run
Building configuration...

Current configuration : 9673 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime localtime
service password-encryption
service sequence-numbers
!
hostname Edge
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
logging count
logging userinfo
logging buffered 64000 debugging
enable secret (REMOVED)
!
aaa new-model
!
!
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
!
aaa session-id common
clock timezone cst -6
clock summer-time CST recurring
no network-clock-participate slot 1
no network-clock-participate wic 0
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.68.68.1 10.68.68.70
!
ip dhcp pool t
import all
network 10.68.68.0 255.255.255.0
default-router 10.68.68.1
dns-server (REMOVED)
!
!
no ip bootp server
ip domain name directly_connected.com
ip host Switch 10.68.68.7
ip name-server (REMOVED)
ip name-server (REMOVED)
ip inspect log drop-pkt
ip inspect audit-trail
ip inspect dns-timeout 300
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW xdmcp
ip inspect name SDM_LOW x11
ip inspect name SDM_LOW wins
ip inspect name SDM_LOW who
ip inspect name SDM_LOW webster
ip inspect name SDM_LOW vqp
ip inspect name SDM_LOW uucp
ip inspect name SDM_LOW ttc
ip inspect name SDM_LOW tr-rsrb
ip inspect name SDM_LOW timed
ip inspect name SDM_LOW time
ip inspect name SDM_LOW telnets
ip inspect name SDM_LOW telnet
ip inspect name SDM_LOW tarantella
ip inspect name SDM_LOW tacacs-ds
ip inspect name SDM_LOW tacacs
ip inspect name SDM_LOW syslog-conn
ip inspect name SDM_LOW syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips sdf location flash://sigv5-SDM-S372.zip
ip ips notify SDEE
ip ips signature 2004 0 disable
ip ips name sdm_ips_rule
ip ddns update method TIMMAY!
HTTP
add interval maximum 2 0 0 0
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-(REMOVED)
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-(REMOVED)
revocation-check none
rsakeypair TP-self-signed-(REMOVED)
!
!
crypto pki certificate chain TP-self-signed-(REMOVED)
certificate self-signed 01
(REMOVED)
quit
username (REMOVED) privilege 15 secret 5 (REMOVED)
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group (REMOVED)
key (REMOVED)
pool vpn_pool_1
acl SPLIT-TUNNEL
include-local-lan
max-users 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
!
!
!
interface ATM0/0
no ip address
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip accounting access-violations
no atm ilmi-keepalive
dsl operating-mode auto
clock rate aal5 7000000
clock rate aal2 2600000
!
interface ATM0/0.1 point-to-point
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip accounting access-violations
pvc 0/35
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0/0
ip address 10.68.68.1 255.255.255.0
no ip redirects
no ip unreachables
ip accounting access-violations
ip mtu 1492
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Dialer0
description AT&T_1-877-722-3755_acc_number_(REMOVED)
ip ddns update hostname (REMOVED)
ip ddns update TIMMAY! host (REMOVED)
ip address negotiated
ip access-group 103 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip accounting access-violations
ip nat outside
ip inspect SDM_LOW in
ip ips sdm_ips_rule in
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname (REMOVED)
ppp chap password (REMOVED)
ppp pap sent-username (REMOVED) password (REMOVED)
ppp ipcp dns request
ppp ipcp wins request
crypto map vpn_cmap_1
!
ip local pool vpn_pool_1 172.21.21.1 172.21.21.2
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http secure-client-auth
ip http max-connections 1
ip nat inside source list 101 interface Dialer0 overload
!
ip access-list extended SPLIT-TUNNEL
permit ip 10.68.68.0 0.0.0.255 172.21.21.0 0.0.0.3
!
kron occurrence daily in 1:0:0 recurring
policy-list clear_NAT
!
kron occurrence weekly in 7:0:0 recurring
policy-list clear_interface_counters
!
kron policy-list clear_NAT
cli clear ip nat trans *
!
kron policy-list clear_interface_counters
cli clear counters
!
logging filter nvram args ICMP Echo Req
logging history warnings
logging trap debugging
logging server-arp
logging 10.68.68.71
access-list 1 permit 10.0.0.0 0.255.255.255
access-list 101 deny ip any 172.21.21.0 0.0.0.3
access-list 101 permit ip 10.68.68.0 0.0.0.255 any
access-list 103 permit tcp host (REMOVED) any
access-list 103 deny ip host 207.46.197.32 any log
access-list 103 deny ip host 198.63.194.75 any log
access-list 103 deny icmp host 192.41.12.197 any unreachable log
access-list 103 deny icmp host 192.41.12.197 any log
access-list 103 deny ip host 192.41.12.197 any log
access-list 103 deny ip 10.0.0.0 0.255.255.255 any log
access-list 103 deny ip 172.16.0.0 0.15.255.255 any log
access-list 103 deny ip 192.168.0.0 0.0.255.255 any log
access-list 103 deny ip 127.0.0.0 0.255.255.255 any log
access-list 103 deny ip host 255.255.255.255 any log
access-list 103 deny ip host 0.0.0.0 any log
access-list 103 deny ip any host 10.68.68.10 log
access-list 103 permit tcp any any established
access-list 103 permit ip any any
access-list 105 permit ip host 10.68.68.3 (REMOVED)
access-list 105 permit ip host 10.68.68.1 (REMOVED)
access-list 105 permit ip host 10.68.68.5 (REMOVED)
access-list 105 permit ip host 10.68.68.7 (REMOVED)
access-list 105 deny ip any (REMOVED)
access-list 105 permit ip any any
access-list 130 remark permit FTP
access-list 130 remark FTP_access
access-list 130 permit tcp host (REMOVED) host 10.68.68.3 eq ftp
access-list 130 permit tcp host (REMOVED) host 10.68.68.3 eq 22
access-list 130 deny tcp any host 10.68.68.3 eq ftp
access-list 130 deny tcp any host 10.68.68.3 eq 22
access-list 130 permit ip any any
access-list 141 permit ip any any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner motd ^C ___ _ ____ _ ___
/ \__/ \__/ \__/ \__/ \ Hey Rocky!
| _|@ @ __ | Watch me pull a hacker's IP
\________/ | | \________/ address out of my log files!
__/ _/
/) (o _/
\____/^C
alias exec sr show run
!
line con 0
logging synchronous
line aux 0
login ctrlc-disable
transport output none
line vty 0 4
transport input ssh
!
ntp clock-period 17180378
ntp master
ntp peer 10.68.68.7
ntp server (REMOVED) source Dialer0
!
end

Edge#exit

/
 
OK. This site to site VPN is killing me. Here is the config, can you folks see anything wrong?


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 52000
enable secret 5 (DELETED)
enable password (DELETED)
!
no aaa new-model
no network-clock-participate wic 0
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
no dspfarm
!
!
!
!
!
username tmanger privilege 15 view root secret 5 (DELETED)
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key 6 (DELETED SHARED KEY) address 206.17.98.20
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set HEDI-VPN esp-3des esp-sha-hmac
!
crypto map HEDI-CRYPTO 10 ipsec-isakmp
set peer 206.17.98.20
set transform-set HEDI-VPN
match address 100
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 10.2.1.1 255.255.255.0
shutdown
duplex full
speed 100
!
interface Serial0/0/0:0
description QWEST INTERNET CIRCUIT ID# (DELETED)
ip address 208.47.200.122 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map HEDI-CRYPTO
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.47.200.121
ip route 10.10.10.0 255.255.255.0 10.1.1.2
ip route 10.10.11.0 255.255.255.0 10.1.1.2
ip route 10.10.12.0 255.255.254.0 10.1.1.2
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 10.0.0.0 0.255.255.255 host 10.100.25.58
access-list 101 deny ip 10.0.0.0 0.255.255.255 host 10.100.25.58
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
snmp-server community ghdsi_public RO
!
!
!
!
route-map nonat permit 10
match ip address 101
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
password !admin!
login
!
scheduler allocate 20000 1000
end


Thanks
 
1) you're missing your DH group under your isakmp policy
2) do the settings on the peer match exactly to the settings on this device??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Thank you again for the assistance.

I have updated the configs and now am able to create the tunnel, but I am unable to RDP from my network to the other side of the tunnel.
Here is the updated config:


!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname RH2811-B
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 (DELETED)
enable password (DELETED)
!
no aaa new-model
no network-clock-participate wic 0
!
dot11 syslog
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip cef
!
!
!
no ipv6 cef
multilink bundle-name authenticated
!
!
voice-card 0
no dspfarm
!
username tmanger privilege 15 view root secret 5 (DELETED)
archive
log config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
crypto isakmp key 6 (DELETED) address 206.17.98.20
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to206.17.98.20
set peer 206.17.98.20
set transform-set ESP-3DES-SHA
match address 102
!
!
!
controller T1 0/0/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.0
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
no mop enabled
!
interface FastEthernet0/1
ip address 10.2.1.1 255.255.255.0
shutdown
duplex full
speed 100
!
interface Serial0/0/0:0
description QWEST INTERNET CIRCUIT ID# (DELETED)
ip address 208.47.200.122 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.47.200.121
ip route 10.10.10.0 255.255.255.0 10.1.1.2
ip route 10.10.11.0 255.255.255.0 10.1.1.2
ip route 10.10.12.0 255.255.254.0 10.1.1.2
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Serial0/0/0:0 overload
!
access-list 100 permit ip 10.0.0.0 0.0.0.255 host 10.100.25.58
access-list 101 deny ip 10.0.0.0 0.255.255.255 host 10.100.25.58
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 remark IPSec Rule
access-list 102 permit ip 10.0.0.0 0.255.255.255 host 10.100.25.58
!
!
!
route-map nonat permit 10
match ip address 101

control-plane
!
line con 0
line aux 0
line vty 0 4
password
login
!
scheduler allocate 20000 1000
end
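An added example, not from this thread or from either poster, that turns the NAT-exemption point burt made earlier into an offline check: it evaluates flows against the wildcard-mask NAT and crypto ACLs copied from the two posted configs, with Cisco first-match and implicit-deny semantics, and flags any flow the crypto map would select that the NAT rule would translate first. The `nat_leaks` helper and the sample flows are this example's own constructions.

```python
# Added example (not from the thread): evaluates a flow against Cisco
# wildcard-mask ACLs to show how the NAT ACL / route-map excludes VPN
# traffic from translation. Pure Python, no device needed.
import ipaddress

# ACL entries copied from the configs posted in this thread.
EASYVPN_NAT_ACL = [            # access-list 101 on "Edge" (remote-access pool)
    "deny ip any 172.21.21.0 0.0.0.3",
    "permit ip 10.68.68.0 0.0.0.255 any",
]
SITE_NAT_ACL = [               # access-list 101 on RH2811-B (route-map nonat)
    "deny ip 10.0.0.0 0.255.255.255 host 10.100.25.58",
    "permit ip 10.0.0.0 0.255.255.255 any",
]
SITE_CRYPTO_ACL = [            # access-list 102 on RH2811-B (match address 102)
    "permit ip 10.0.0.0 0.255.255.255 host 10.100.25.58",
]

def _wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the wildcard must match exactly."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == n & care

def _parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; each side is 'any', 'host X' or 'X W'."""
    tok = line.split()
    action, tok = tok[0], tok[2:]          # tok[1] is the protocol ('ip')
    sides = []
    for _ in range(2):
        if tok[0] == "any":
            sides.append(("0.0.0.0", "255.255.255.255")); tok = tok[1:]
        elif tok[0] == "host":
            sides.append((tok[1], "0.0.0.0")); tok = tok[2:]
        else:
            sides.append((tok[0], tok[1])); tok = tok[2:]
    return action, sides[0], sides[1]

def acl_permits(acl, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for line in acl:
        action, (sn, sw), (dn, dw) = _parse_ace(line)
        if _wildcard_match(src, sn, sw) and _wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

def nat_leaks(nat_acl, crypto_acl, src, dst):
    """True when a flow the crypto ACL selects is also permitted by the NAT ACL:
    inside-to-outside NAT runs before the crypto map, so the translated packet
    no longer matches the tunnel and is forwarded unencrypted (constructed check)."""
    return acl_permits(crypto_acl, src, dst) and acl_permits(nat_acl, src, dst)

if __name__ == "__main__":
    print("LAN->VPN pool NATted?", acl_permits(EASYVPN_NAT_ACL, "10.68.68.5", "172.21.21.1"))
    print("LAN->Internet NATted?", acl_permits(EASYVPN_NAT_ACL, "10.68.68.5", "198.51.100.7"))
    print("Site flow leaks?", nat_leaks(SITE_NAT_ACL, SITE_CRYPTO_ACL, "10.1.1.50", "10.100.25.58"))
```

Only `ip` entries with `any`, `host` or network/wildcard operands are parsed, which covers every NAT and crypto ACL line in the thread.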
 
I'm assuming that you are trying to RDP to 10.100.25.58

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
That is correct. That is the only host I need to get to on the clients network.
 
what does the crypto ACL look like on the peer??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I do not know that, but their admin indicates that he is not even seeing the RDP traffic in the tunnel.
 
add reverse-route to your isakmp policy and then run a traceroute to see where it goes.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
The trace appears to be dying inside my side of the router..
 
did you add the reverse-route statement?? if you have and you issue a sh ip route you should see a host route in your routing table pointing to the 10.100.25.58

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
I did issue the reverse-route statement and did a trace to 10.100.25.58.

I will do a sh ip route and see what it shows.

Thanks
 
It appears to have added a route via the VPN tunnel:

Gateway of last resort is 208.47.200.121 to network 0.0.0.0

1.0.0.0/24 is subnetted, 1 subnets
C 1.1.1.0 is directly connected, Loopback0
208.47.200.0/30 is subnetted, 1 subnets
C 208.47.200.120 is directly connected, Serial0/0/0:0
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
S 10.10.10.0/24 [1/0] via 10.1.1.2
C 10.1.1.0/24 is directly connected, FastEthernet0/0
S 10.10.11.0/24 [1/0] via 10.1.1.2
S 10.10.12.0/23 [1/0] via 10.1.1.2
S 10.100.25.58/32 [1/0] via 206.17.98.20
S* 0.0.0.0/0 [1/0] via 208.47.200.121
 