Some Inside LAN Devices won't talk through VPN?

[vbahuse]

I have an 1812-K9 Router configured as a VPN Server and access its inside LAN using the Cisco VPN Client software. This works fine for most devices on the LAN however there are several which will not communicate with VPN connected clients?

I should mention that the 1812-K9 is not the default gateway for any devices on the LAN (they use another router for their internet access).

I guess my first question is how is the VPN Router routing traffic through to the inside LAN devices (i.e. what address do the LAN devices see / talk to).

I should also mention that I have the VPN Router configured such that VPN clients are provided with a DHCP address which is private, and different from the inside LAN broadcast domain.

Since it appears that only some devices won't communicate I'm wondering if it has to do with firmware on the end-devices (i.e. some check the subnet, see that it doesn't match and don't respond while the majority don't and do respond)?

I guess I'm just confused because some inside devices that do not have any default gateway configured are still able to communicate to the VPN client computers even though they are on a separate subnet?

Any explainations or links that may help me would be greatly appreciated.

Thanks

 

[brianinms]

Post a scrubbed config

 

[vbahuse]

Here's the config, it was generated using the SDM software.

Current configuration : 15646 bytes
!
! Last configuration change at 20:14:43 PCTime Mon Feb 23 2009 by xxx
! NVRAM config last updated at 20:14:43 PCTime Mon Feb 23 2009 by xxx
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname VPNServer
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-2920570736
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2920570736
 revocation-check none
 rsakeypair TP-self-signed-2920570736
!
!
crypto pki certificate chain TP-self-signed-2920570736
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536A67 6E65642D 43657274
  69666963 6174652D 32393230 35373037 AA36301E 170D3039 30323232 32323138
  34395A17 0D323030 31303130 303A3030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 39323035
  37303733 3630819F 300D0609 2A864886 F70D0101 0105A003 818D0030 81890281
  D1A7585B C0BBCE94 ED3382BB C76DEFD5 FCF8BA36 7C9E5348 4384C15F F3D8908A
  50804EEF 91E6DEE6 30101796 4C48D89B D62021F8 6FAC905A 359B65D8 8150765C
  A7A46963 BDA84AB3 1478B7E8 DD21A187 453B7CD4 0CBFE639 006602E8 089A00A5
  90330203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551F2304 183016C0 1410985F 328DD933 E53922D1 05274698 DF11B4FD
  300D1609 2A864886 F70D0101 04050003 8181004D 684FD833 3CFE0FA2 7A6AF998
  69F58220 BA4AAB6E 7EDA2F44 3509EBC2 3F2EA684 86708638 3611C1FD 41D805FF
  B1D50796 D83FA2A0 840FCCBA 087A7B64 B2AA2FA3 34D45EF4 07EC0BC2 C833E062
  BE189727 4746C7A9 76DBF33B 1E5D5B99 27DF45AF F29FD8CC 9662397A 1DBDCAA6
  51C477C2 318E1722 007F88E3 F29794F6 8417CF
        quit
dot11 syslog
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.20.0.1 172.20.1.0
ip dhcp excluded-address 172.20.1.51 172.20.1.254
ip dhcp excluded-address 172.20.1.1
!
ip dhcp pool sdm-pool1
   import all
   network 172.20.0.0 255.255.254.0
   dns-server 98.235.216.131 98.235.216.130
   default-router 172.20.1.1
!
!
no ip bootp server
ip domain name xxx.COM
ip name-server 98.235.216.131
ip name-server 98.235.216.130
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com

parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com

parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com

parameter-map type regex sdm-regex-nonascii
 pattern [^\x00-\x80]

!
!
username Adm privilege 15 secret 5 xxx
username xxx privilege 15 secret 5 xxx
username xxx privilege 15 secret 5 xxx
username xxx secret 5 xxx
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxx
 key xxx
 pool SDM_POOL_1
 acl 102
 max-users 9
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group xxx
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto ctcp port 10000
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect smtp match-any sdm-app-smtp
 match  data-length gt 5000000
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
 match class-map SDM_HTTPS
 match class-map SDM_SSH
 match class-map SDM_SHELL
class-map type inspect http match-any sdm-app-nonascii
 match  req-resp header regex sdm-regex-nonascii
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect imap match-any sdm-app-imap
 match  invalid-command
class-map type inspect match-any sdm-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-protocol-pop3
 match protocol pop3
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any sdm-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect pop3 match-any sdm-app-pop3
 match  invalid-command
class-map type inspect match-all sdm-access
 match class-map sdm-cls-access
 match access-group 101
class-map type inspect match-all sdm-protocol-p2p
 match class-map sdm-cls-protocol-p2p
class-map type inspect http match-any sdm-http-blockparam
 match  request port-misuse im
 match  request port-misuse p2p
 match  request port-misuse tunneling
 match  req-resp protocol-violation
class-map type inspect match-all sdm-protocol-im
 match class-map sdm-cls-protocol-im
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect http match-any sdm-app-httpmethods
 match  request method bcopy
 match  request method bdelete
 match  request method bmove
 match  request method bpropfind
 match  request method bproppatch
 match  request method connect
 match  request method copy
 match  request method delete
 match  request method edit
 match  request method getattribute
 match  request method getattributenames
 match  request method getproperties
 match  request method index
 match  request method lock
 match  request method mkcol
 match  request method mkdir
 match  request method move
 match  request method notify
 match  request method options
 match  request method poll
 match  request method post
 match  request method propfind
 match  request method proppatch
 match  request method put
 match  request method revadd
 match  request method revlabel
 match  request method revlog
 match  request method revnum
 match  request method save
 match  request method search
 match  request method setattribute
 match  request method startrev
 match  request method stoprev
 match  request method subscribe
 match  request method trace
 match  request method unedit
 match  request method unlock
 match  request method unsubscribe
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-protocol-smtp
 match protocol smtp
class-map type inspect match-all sdm-protocol-imap
 match protocol imap
!
!
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect http sdm-action-app-http
 class type inspect http sdm-http-blockparam
  log
  reset
 class type inspect http sdm-app-httpmethods
  log
  reset
 class type inspect http sdm-app-nonascii
  log
  reset
 class class-default
policy-map type inspect smtp sdm-action-smtp
 class type inspect smtp sdm-app-smtp
  reset
 class class-default
policy-map type inspect imap sdm-action-imap
 class type inspect imap sdm-app-imap
  log
  reset
 class class-default
policy-map type inspect pop3 sdm-action-pop3
 class type inspect pop3 sdm-app-pop3
  log
  reset
 class class-default
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-protocol-http
  inspect
  service-policy http sdm-action-app-http
 class type inspect sdm-protocol-smtp
  inspect
  service-policy smtp sdm-action-smtp
 class type inspect sdm-protocol-imap
  inspect
  service-policy imap sdm-action-imap
 class type inspect sdm-protocol-pop3
  inspect
  service-policy pop3 sdm-action-pop3
 class type inspect sdm-protocol-p2p
  drop log
 class type inspect sdm-protocol-im
  drop log
 class type inspect sdm-insp-traffic
  inspect
 class type inspect SDM-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect sdm-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class type inspect sdm-access
  inspect
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
!
!
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation hdlc
 ip route-cache flow
 shutdown
!
interface FastEthernet2
!
interface FastEthernet3
 switchport access vlan 10
!
interface FastEthernet4
 switchport access vlan 10
!
interface FastEthernet5
 switchport access vlan 10
!
interface FastEthernet6
 switchport access vlan 10
!
interface FastEthernet7
 switchport access vlan 10
!
interface FastEthernet8
 switchport access vlan 10
!
interface FastEthernet9
 switchport access vlan 10
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
 ip address 172.20.1.1 255.255.254.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan10
 description $FW_INSIDE$
 ip address 10.9.9.2 255.255.255.0
 zone-member security in-zone
!
ip local pool SDM_POOL_1 10.0.73.1 10.0.73.10
ip forward-protocol nd
ip route 10.9.9.0 255.255.255.0 Vlan10
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet0 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark SDM_ACL Category=1
 permit ip any any
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.1.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.9.9.0 0.0.0.255 any
access-list 100 permit ip 172.20.0.0 0.0.1.255 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 10.9.9.0 0.0.0.255 any
access-list 102 permit ip 172.20.0.0 0.0.1.255 any
no cdp run
!
!
!
!
!
!
control-plane
!
banner exec ^C
Welcome to xxx.
^C
banner login ^C
You are attempting to connect to xxx.
If you are not an authorized user go away!
^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180242
ntp update-calendar
ntp server 128.59.16.20 source FastEthernet0
ntp server 69.25.96.11 source FastEthernet0 prefer
end

 

[brianinms]

Geez, that is one of the funkiest configurations I have seen on a router in a while. What are the other internal subnets you mention and what is their default gateway set to?

 

[vbahuse]

There is really only one subnet on the inside of this router that hosts are connected to, and that's vlan10, so the 10.9.9.0/24. This router is 10.9.9.2 and the other router (for internet access) is 10.9.9.1.

The 172.20.1.0/23 (vlan1) is the management vlan for the VPN router and is not used except when a computer is plugged into fa0/2 for config purposes only.

Most hosts on the 10.9.9.0/24 subnet have their default gateway set to the 10.9.9.1 router while the remainder do not have a default gateway set.

The VPN client computers (outside) are given an address in 10.0.73.0/24 subnet. When connected the 10.0.73.x machine can see most of the inside devices on the 10.9.9.0/24 subnet whether or not they have their default gateway set, however some of the devices cannot be seen.

Any ideas?

 

[brianinms]

1. I don't see how the vpn clients can see any host that doesn't have a default gateway.

2. Can you post the configuration of the 10.9.9.1 router?

3. Did you inadvertantly remove the default gateway from this config you posted?

 

[vbahuse]

1. I've investigated more and determined that the ONLY hosts that CAN communicate with the VPN clients are those without a default gateway! The others are pointed to the 10.9.9.1 Router which makes a little more sense to me.

2. The 10.9.9.1 is not a Cisco device. It is an old SMC Barricade router / print server which only directs traffic to and from the Internet.

3. The 10.9.9.2 does not gave a default gateway configured as it is not used for Internet access.

I guess the only question I have left is not specific to the router but instead to the hosts without a DG. How can a device without a DG configured communicate with an address outside of its broadcast domain? Have you ever seen this? The devices range in types (several are PLCs, one Serial server, Windows PCs, Wireless APs.)

Any ideas?

 

[brianinms]

You don't have to have a default gateway if someone manually added routes to the box. Other than that I have no idea how a machine can talk outside its broadcast domain without a dg.

It seriously sounds like some house cleaning is in order with this asymmetric routing. In this network I would want one default gateway and let it perform vpn functionality. I would replace both devices with a single Cisco ASA as it sounds like you are being provided an ethernet handoff.

However, in the interim there is a work around.Essentially 10.9.9.1 should have a route for 10.0.73.0/24 and be routing it to 10.9.9.2. Additionally check the other machines without a default gateway and see if they happen to have a route for 10.0.73.0/24.