only icmp through vpn client


zizoudevinci

IS-IT--Management
Mar 25, 2006
I have some trouble with my VPN client configuration.
First, the router is a Cisco 3725 with the IOS
c3725-advsecurityk9-mz.124-25.bin
I made a test platform in GNS3 as follows, using Cisco SDM to perform the configuration as I did with my customer:
PC1--------------------ISPRouter--------------------VpnRouter------------------PC2
PC1 to ISPRouter : 10.0.0.0/24
ISPRouter to VpnRouter : 61.24.178.0/24
ISPRouter to PC2 : 126.217.16.0/24
The configuration files
ISPRouter :
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ISPRouter
!
boot-start-marker
boot-end-marker
!
!
no aaa new-model
memory-size iomem 5
ip cef
!
interface Loopback0
ip address 61.24.178.37 255.255.255.255
!
interface FastEthernet0/0
ip address 10.0.0.1 255.255.255.0
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
!
interface Serial1/0
ip unnumbered Loopback0
encapsulation ppp
serial restart-delay 0
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip route 0.0.0.0 0.0.0.0 61.24.178.76
!
ip http server
no ip http secure-server
!
control-plane
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
login
!
end
--------------------------------------
VpnRouter:
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GW
!
boot-start-marker
boot-end-marker
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
memory-size iomem 5
ip cef
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username cisco privilege 15 password 0 cisco
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group group-mc
key cisco123
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Loopback0
ip address 61.24.178.76 255.255.255.255
!
interface FastEthernet0/0
ip address 126.217.16.150 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial1/0
ip unnumbered loopback 0
ip nat outside
ip virtual-reassembly
encapsulation ppp
serial restart-delay 0
crypto map SDM_CMAP_1
!
interface Serial1/1
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/2
no ip address
shutdown
serial restart-delay 0
!
interface Serial1/3
no ip address
shutdown
serial restart-delay 0
!
ip local pool SDM_POOL_1 172.16.0.1 172.16.0.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial1/0
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Serial1/0 overload
!
ip access-list standard ACL1
remark SDM_ACL Category=16
permit 126.217.16.0 0.0.0.255
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 126.217.16.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 126.217.16.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 126.217.16.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address 101
!
control-plane
!
line con 0
exec-timeout 120 0
line aux 0
line vty 0 4
!
end
--------------------------------------------------
With this configuration the VPN client can connect and the tunnel is up; I can ping PC2 from PC1, but I cannot use any other protocol such as FTP or HTTP, or even Windows shares.
So what I did: I changed the configuration of interface Serial1/0 like this, and I deleted the Loopback0 interface:
--------------------------------------------------
interface Serial1/0
ip address 61.24.178.76 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
serial restart-delay 0
crypto map SDM_CMAP_1
--------------------------------------------------
With this change everything is OK; I can ping PC2 from PC1 and access all the protocols I want.
But the problem is, when I went to apply it on the customer's router, the problem is still there: only ping is working. I don't know where the problem is.
Thanks for all the helping hands.
 
Confused... why wouldn't PC2 create an RA VPN connection into the ISPRouter?? What is the significance of each router here?? Is the VPNRouter actually a Remote Office router and the ISPRouter an HQ router?? I'll be honest, I'm surprised that you even got this to work, assuming that the configuration and topology are truly what you are working with.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Sorry man, I forgot to specify the role of each piece of equipment:
PC1 : is the mobile user using Cisco VPN Client version 5.0.02.0090
PC2 : is acting as the headquarters server
ISPRouter : is there just to create a network separating PC1 and VpnRouter and to simulate the real situation
VpnRouter : is the headquarters router acting as the VPN server
 
In your production setup, is there a firewall behind the VpnRouter??

 
In the production network there is no firewall; it's a flat network. The router is connected to a layer 2 switch without any VLANs.
 
Can you post the config of the client's router??

 
The configuration of VpnRouter is the same as the client's router; I replicated the configuration in GNS3 to see the behavior of the VPN.
 
I.e. the deny statement in ACL 101 is backwards. The split tunnel is correct...

access-list 101 deny ip any vpn_pool

 
Here is the configuration of my client router; hope you will find it clear.

!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router-MC
!
boot-start-marker
boot system flash c3725-advsecurityk9-mz.124-25.bin
boot-end-marker
!
no logging buffered

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username cisco privilege 15 password 0 cisco
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group group-mc
key cisco123
pool SDM_POOL_1
acl 100
netmask 255.255.255.0
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface FastEthernet0/0
ip address 126.217.16.150 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface Serial0/0
no ip address
encapsulation ppp
clock rate 125000
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/1
no ip address
clock rate 125000
!
interface Serial0/2
mtu 1400
ip address 61.24.178.76 255.255.255.0
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map SDM_CMAP_1
!
ip local pool default 126.217.16.201 126.217.16.230
ip local pool SDM_POOL_1 172.16.0.1 172.16.0.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/2
!
ip http server
ip http port 6666
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface Serial0/2 overload
ip nat inside source static tcp 126.217.16.153 80 61.24.178.76 80 route-map SDM_RMAP_2 extendable
!
access-list 1 permit 61.24.178.16
access-list 1 permit 126.217.16.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 126.217.16.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip host 126.217.16.153 172.16.0.0 0.0.0.255
access-list 102 permit tcp host 126.217.16.153 eq
route-map SDM_RMAP_2 permit 1
match ip address 102
!
control-plane
!
line con 0
line 33 48
line aux 0
line vty 0 4
!
end
 
burt, every time I visited this thread my eyes went right to that ACL, but it looked OK to me. You are probably right, though.

zizoudevinci, you should try what burt said and change the following:
Code:
! SDM_POOL_1 is 172.16.0.1-172.16.0.254; an ACL cannot reference a pool by name,
! so the exemption is written out as that range
access-list 101 deny ip any 172.16.0.0 0.0.0.255
access-list 101 permit ip 126.217.16.0 0.0.0.255 any

route-map nonat permit 10
  match ip address 101

ip nat inside source route-map nonat interface s0/2 overload
Also, just try removing ACL 100 from the crypto isakmp client configuration group.

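As an added worked example (not part of the thread, and not code from any of the posters), the following Python script evaluates the NAT ACLs posted above the way IOS does for `ip nat inside source list|route-map ...`: first matching entry wins, no match is the implicit deny, and a `permit` means the packet gets translated. Fed a reply from PC2 (126.217.16.153) to a VPN client address, it shows that the GNS3 lab's route-map ACL 101 exempts LAN-to-pool traffic, that the production router's standard ACL 1 (source-only, no deny for 172.16.0.0/24) would translate that same traffic, and that ColdFlame's suggested ACL exempts it again. It also lists the networks ACL 100 pushes to the client as split-tunnel routes. Assumptions: the client address 172.16.0.5 is a constructed value from SDM_POOL_1, port qualifiers (`eq`, `range`, ...) are skipped, and wildcard masks are treated as contiguous when printing networks.

```python
import ipaddress
from dataclasses import dataclass

# ACLs copied from the configs posted in this thread.
LAB_ACL_101 = """
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 126.217.16.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 101 permit ip 126.217.16.0 0.0.0.255 any
"""
PROD_ACL_1 = """
access-list 1 permit 61.24.178.16
access-list 1 permit 126.217.16.0 0.0.0.255
"""
SPLIT_ACL_100 = """
access-list 100 permit ip 126.217.16.0 0.0.0.255 any
"""
# ColdFlame's exemption in real IOS syntax: an ACL cannot name a pool, so
# SDM_POOL_1 (172.16.0.1-172.16.0.254) is spelled out as its /24.
SUGGESTED_ACL_101 = """
access-list 101 deny ip any 172.16.0.0 0.0.0.255
access-list 101 permit ip 126.217.16.0 0.0.0.255 any
"""

ANY = 0xFFFFFFFF  # wildcard with every "don't care" bit set


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _is_ip(text):
    try:
        ipaddress.IPv4Address(text)
        return True
    except ValueError:
        return False


def _wild_match(base, wild, addr):
    # IOS wildcard mask: a 1 bit means "don't care", so compare only the other bits
    care = ~wild & 0xFFFFFFFF
    return (addr & care) == (base & care)


@dataclass
class Ace:
    action: str   # "permit" or "deny"
    proto: str    # "ip" matches every protocol; otherwise tcp/udp/icmp/...
    src: int
    src_wild: int
    dst: int
    dst_wild: int

    def matches(self, src, dst, proto):
        if self.proto != "ip" and self.proto != proto:
            return False
        return _wild_match(self.src, self.src_wild, src) and _wild_match(self.dst, self.dst_wild, dst)


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]: any | host A | A W | bare A (standard ACL)."""
    if tok[i] == "any":
        return 0, ANY, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    if i + 1 < len(tok) and _is_ip(tok[i + 1]):
        return _ip(tok[i]), _ip(tok[i + 1]), i + 2
    return _ip(tok[i]), 0, i + 1


def _skip_ports(tok, i):
    """Port qualifiers (eq/gt/lt/neq X, range X Y) are ignored by this checker (assumption)."""
    if i < len(tok) and tok[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    if i < len(tok) and tok[i] == "range":
        return i + 3
    return i


def parse_acl(text):
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        number, action = int(tok[1]), tok[2]
        if number <= 99 or 1300 <= number <= 1999:      # standard ACL: source only
            src, sw, _ = _parse_addr(tok, 3)
            aces.append(Ace(action, "ip", src, sw, 0, ANY))
        else:                                           # extended ACL: proto src dst
            src, sw, i = _parse_addr(tok, 4)
            dst, dw, _ = _parse_addr(tok, _skip_ports(tok, i))
            aces.append(Ace(action, tok[3], src, sw, dst, dw))
    return aces


def nat_applies(acl_text, src, dst, proto="ip"):
    """Would 'ip nat inside source list|route-map ...' translate this inside->outside packet?
    First matching entry wins; no match is the implicit deny, i.e. no translation."""
    s, d = _ip(src), _ip(dst)
    for ace in parse_acl(acl_text):
        if ace.matches(s, d, proto):
            return ace.action == "permit"
    return False


def split_tunnel_networks(acl_text):
    """Networks the client routes into the tunnel: the source side of each permit entry."""
    nets = []
    for ace in parse_acl(acl_text):
        if ace.action == "permit":
            mask = ipaddress.IPv4Address(~ace.src_wild & 0xFFFFFFFF)
            nets.append(str(ipaddress.IPv4Network(f"{ipaddress.IPv4Address(ace.src)}/{mask}", strict=False)))
    return nets


if __name__ == "__main__":
    # Constructed case: PC2 (126.217.16.153) answering a client that got 172.16.0.5 from SDM_POOL_1
    for label, acl in (("lab route-map ACL 101", LAB_ACL_101),
                       ("production ACL 1", PROD_ACL_1),
                       ("suggested ACL 101", SUGGESTED_ACL_101)):
        print(f"{label}: LAN->VPN pool translated = {nat_applies(acl, '126.217.16.153', '172.16.0.5', 'tcp')}")
    print("split-tunnel networks pushed to the client:", split_tunnel_networks(SPLIT_ACL_100))
```

The practical check this encodes: whatever ACL feeds the inside-source NAT statement must produce a `deny` for LAN traffic destined to the VPN pool before any `permit`, otherwise replies to the client leave the router with the outside address as source and never reach the tunnel. A standard ACL such as the production router's ACL 1 cannot express that exemption at all, because it only looks at the source address.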
 