VPN issues - no access to lan subnet

Ken09 (IS-IT--Management), Aug 20, 2009
I have a client VPN set up on a 2821 router. I can connect to the VPN but have no access to internal subnets. Any help would be appreciated; I have been struggling with this for days.

Current configuration : 52632 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EDGE-2821
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-3g.bin
boot-end-marker
!
security authenticatio
logging count
logging buffered 4096 debugging
logging console critical
logging monitor critical
enable secret **********
!
aaa new-model
!
!
aaa group server radius RadiusServers
server 172.16.2.11 auth-port 1812 acct-port 1813
!
aaa authentication login default local group RadiusServers
aaa authentication login RadiusServers group RadiusServers
aaa authentication login vty_line local
aaa authentication login console_line line none
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone Eastern -5
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect max-incomplete high 4100
ip inspect max-incomplete low 4000
ip inspect one-minute high 4100
ip inspect one-minute low 4000
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW https timeout 1800
ip inspect name DMZ_LOW smtp
ip inspect name DMZ_LOW udp
ip inspect name DMZ_LOW tcp
!
!
ip flow-cache timeout active 1
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
no ip bootp server
no ip domain lookup
ip domain name amerilife.com
ip ssh time-out 60
!
!
!
crypto pki trustpoint TP-self-signed-3553449798
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3553449798
revocation-check none
rsakeypair TP-self-signed-3553449798
!
!
username Administrator privilege 15 secret 5 $1$QbYY$quGRdckuG82DtYCN8IFb61
username Failsafe privilege 15 secret 5 $1$g9ud$PZtfNI0iO8Obfm/..D2oo/
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
lifetime 3600
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group default
key ********
dns 172.16.2.11 172.16.2.2
wins 172.16.2.11 172.16.2.2
domain alg.local
pool VPN_Pool
netmask 255.255.0.0
!
!
crypto ipsec transform-set trnsfrmset esp-aes esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-md5-hmac
!
crypto ipsec profile Profile_1
set security-association lifetime seconds 28800
set security-association idle-time 28800
set transform-set trnsfrmset SDM_TRANSFORMSET_1 SDM_TRANSFORMSET_2
!
!
crypto dynamic-map dynmap 1
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set security-association idle-time 14400
set transform-set trnsfrmset SDM_TRANSFORMSET_1
reverse-route
!
!
crypto map clientmap client authentication list RadiusServers
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface GigabitEthernet0/0
description Tampa LAN$ETH-LAN$
ip address 172.16.1.2 255.255.0.0
ip access-group sdm_gigabitethernet0/0_in in
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description Edge Link
ip address 63.236.108.70 255.255.255.192
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex full
speed 10
no mop enabled
crypto map clientmap
!
interface GigabitEthernet0/3/0
description Tampa DMZ
ip address 172.17.1.1 255.255.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
no negotiation auto
!
ip local pool VPN_Pool 172.16.80.1 172.16.80.254
ip classless
ip route 0.0.0.0 0.0.0.0 63.236.108.65 permanent
ip route 172.17.0.0 255.255.0.0 172.16.1.1 permanent
ip route 172.20.0.0 255.255.0.0 172.16.1.1
ip route 172.25.0.0 255.255.0.0 172.16.1.1 permanent
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 172.16.2.30 2000
ip flow-top-talkers
top 10
sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0/1 overload
!
ip access-list extended sdm_gigabitethernet0/0_in
remark SDM_ACL Category=17
permit icmp any any log
permit ip any any
!
ip radius source-interface GigabitEthernet0/0
logging history errors
logging trap notifications
logging origin-id hostname
logging source-interface GigabitEthernet0/0
logging server-arp
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.16.0.0 0.0.255.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.20.0.0 0.0.255.255 log
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=17
access-list 100 permit icmp any any log
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip 192.168.80.0 0.0.0.255 any
access-list 101 permit ahp any host 63.236.108.70
access-list 101 permit esp any host 63.236.108.70
access-list 101 permit ip any 172.16.0.0 0.0.255.255
access-list 101 permit ip any 172.17.0.0 0.0.255.255
access-list 101 permit ip any 172.25.0.0 0.0.255.255
access-list 101 permit ip any 172.20.0.0 0.0.255.255
access-list 101 permit ip 172.16.80.0 0.0.0.255 any
access-list 101 permit icmp host 63.236.108.114 host 63.146.195.90
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 172.25.0.0 0.0.255.255 any
access-list 102 permit ip 172.20.0.0 0.0.255.255 any
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 permit ip 172.17.0.0 0.0.255.255 any
access-list 102 permit ip 63.236.108.0 0.0.0.255 any
access-list 103 remark SDM_ACL Category=2
access-list 103 permit ip 172.16.0.0 0.0.255.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 permit ip 172.20.0.0 0.0.255.255 any log
access-list 104 deny ip any 172.16.90.0 0.0.1.255
access-list 104 deny ip 172.25.0.0 0.0.255.255 172.16.90.0 0.0.1.255
access-list 104 deny ip 172.17.0.0 0.0.255.255 172.16.90.0 0.0.1.255
access-list 104 deny ip 172.16.0.0 0.0.255.255 172.16.90.0 0.0.1.255
access-list 104 deny ip 172.25.0.0 0.0.255.255 172.16.55.0 0.0.0.255
access-list 104 deny ip 172.17.0.0 0.0.255.255 172.16.55.0 0.0.0.255
access-list 104 deny ip 172.16.0.0 0.0.255.255 172.16.55.0 0.0.0.255
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip 172.17.0.0 0.0.255.255 172.16.80.0 0.0.0.255
access-list 105 deny ip 172.16.0.0 0.0.255.255 172.16.80.0 0.0.0.255
access-list 105 deny ip 172.20.0.0 0.0.255.255 172.16.80.0 0.0.0.255
access-list 105 deny ip 172.25.0.0 0.0.255.255 172.16.80.0 0.0.0.255
access-list 105 deny ip 172.20.0.0 0.0.255.255 any
access-list 105 deny ip 172.25.0.0 0.0.255.255 any
access-list 105 deny ip 172.17.0.0 0.0.255.255 any
access-list 105 permit ip 172.16.0.0 0.0.255.255 any
access-list 110 permit udp 172.17.0.0 0.0.255.255 any eq domain
access-list 150 permit udp any host 63.236.108.70 eq isakmp
access-list 150 permit udp any host 63.236.108.70 eq non500-isakmp
no cdp run
route-map SDM_RMAP_1 permit 1
!
route-map SDM_RMAP_2 permit 1
!
route-map SDM_RMAP_3 permit 1
match ip address 105
!
!
radius-server host 172.16.2.11 auth-port 1812 acct-port 1813
!
control-plane
!
!
!
scheduler allocate 20000 1000
!
end
 
Change this

crypto isakmp client configuration group default
netmask 255.255.0.0

to this

crypto isakmp client configuration group default
netmask 255.255.255.0

and redo acl 105---it would be easier than deleting the four bad lines and retyping them...

no access-list 105
access-list 105 deny ip any 172.16.80.0 0.0.0.255
access-list 105 deny ip 172.20.0.0 0.0.255.255 any
access-list 105 deny ip 172.25.0.0 0.0.255.255 any
access-list 105 deny ip 172.17.0.0 0.0.255.255 any
access-list 105 permit ip 172.16.0.0 0.0.255.255 any

I am assuming you don't want 172.17, .20 and .25.0.0/16 subnets getting out to the internet. Is this correct?

I would also clean up the other route-maps and the nat statements that are not being used.

/


tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Thank you for taking the time to review my config!

I have made the suggested changes. So far I still cannot ping the internal network 172.16.0.0/16.

In the end I will want the other subnets (172.17, 20 & 25.0.0/16) available to VPN users; I was focusing on 172.16.0.0 first.

I have been trying everything I can find on the internet with no luck. I had one person suggest I might need to set up VLANs to get routing between the VPN IP pool and the internal subnet, but I don't know if that makes sense.

Please let me know if you see anything else in the config I can try.

Thanks again,

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EDGE-2821
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-3g.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096 debugging
logging console critical
logging monitor critical
!
aaa new-model
!
!
aaa group server radius RadiusServers
server 172.16.xx.xx auth-port 1812 acct-port 1813
!
aaa authentication login default local group RadiusServers
aaa authentication login RadiusServers group RadiusServers
aaa authentication login vty_line local
aaa authentication login console_line line none
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone Eastern -5
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect max-incomplete high 4100
ip inspect max-incomplete low 4000
ip inspect one-minute high 4100
ip inspect one-minute low 4000
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW https timeout 1800
ip inspect name DMZ_LOW smtp
ip inspect name DMZ_LOW udp
ip inspect name DMZ_LOW tcp
!
!
ip flow-cache timeout active 1
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
no ip bootp server
no ip domain lookup
ip domain name xxx.xxx
ip ssh time-out 60
!
!
!
crypto pki trustpoint TP-self-s
enrollment selfsigned
subject-name cn=IOS-Self-Signed-C
revocation-check none
rsakeypair TP-self-s
!
!
username xxx privilege xxx
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
lifetime 3600
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group default
key xxxxxxx
dns 172.16.2.11 172.16.2.2
wins 172.16.2.11 172.16.2.2
domain xxx.xxxx
pool VPN_Pool
acl 102
netmask 255.255.255.0
!
!
crypto ipsec transform-set trnsfrmset esp-aes esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-md5-hmac
!
crypto ipsec profile Profile_1
set security-association lifetime seconds 28800
set security-association idle-time 28800
set transform-set trnsfrmset SDM_TRANSFORMSET_1 SDM_TRANSFORMSET_2
!
!
crypto dynamic-map dynmap 1
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set security-association idle-time 14400
set transform-set trnsfrmset SDM_TRANSFORMSET_1
reverse-route
!
crypto dynamic-map vpndynmap 1
set transform-set 3DES-SHA
reverse-route
!
!
crypto map clientmap client authentication list RadiusServers
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel1
no ip address
!
interface GigabitEthernet0/0
description Tampa LAN$ETH-LAN$
ip address 172.16.1.2 255.255.0.0
ip access-group sdm_gigabitethernet0/0_in in
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description Edge Link
ip address xx.xx.xx.xx 255.255.255.192
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip policy route-map vnp-client
duplex full
speed 10
no mop enabled
crypto map clientmap
!
interface GigabitEthernet0/3/0
description Tampa DMZ
ip address 172.17.1.1 255.255.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
no negotiation auto
!
ip local pool VPN_Pool 192.168.80.1 192.168.80.254
ip classless
ip route 0.0.0.0 0.0.0.0 63.236.108.65 permanent
ip route 172.17.0.0 255.255.0.0 172.16.1.1 permanent
ip route 172.20.0.0 255.255.0.0 172.16.1.1
ip route 172.25.0.0 255.255.0.0 172.16.1.1 permanent
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 172.16.2.30 2000
ip flow-top-talkers
top 10
sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
ip nat inside source static network 172.17.1.15 xx.xx.xx.xx /32
ip nat inside source static network 172.17.1.10 xx.xx.xx.xx /32
!
ip access-list extended sdm_gigabitethernet0/0_in
remark SDM_ACL Category=17
permit ip any 192.168.80.0 0.0.0.255 log
permit ip 192.168.80.0 0.0.0.255 any log
permit icmp any any
permit ip any any
!
ip radius source-interface GigabitEthernet0/0
logging history errors
logging trap notifications
logging origin-id hostname
logging source-interface GigabitEthernet0/0
logging server-arp
logging 172.25.2.23
logging 172.25.55.172
access-list 1 permit any
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.20.0.0 0.0.255.255 log
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=17
access-list 100 permit icmp any any log
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip 192.168.80.0 0.0.0.255 any log
access-list 101 permit icmp 192.168.80.0 0.0.0.255 any log
access-list 101 permit ahp any host xx.xx.xx.xx
access-list 101 permit esp any host xx.xx.xx.xx
access-list 101 permit ip any 172.16.0.0 0.0.255.255
access-list 101 permit ip any 172.17.0.0 0.0.255.255
access-list 101 permit ip any 172.25.0.0 0.0.255.255
access-list 101 permit ip any 172.20.0.0 0.0.255.255
access-list 101 permit ip 172.16.80.0 0.0.0.255 any
access-list 101 permit ip 72.5.65.0 0.0.0.255 any
access-list 101 permit tcp any host xx.xx.xx.xx eq 143
access-list 101 permit tcp any host xx.xx.xx.xx eq 443
access-list 101 permit tcp any host xx.xx.xx.xx eq www
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 172.25.0.0 0.0.255.255 any
access-list 102 permit ip 172.20.0.0 0.0.255.255 any
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 permit ip 172.17.0.0 0.0.255.255 any
access-list 102 permit ip xx.xx.xx.xx 0.0.0.255 any
access-list 105 deny ip any 192.168.80.0 0.0.0.255
access-list 105 permit ip 172.16.0.0 0.0.255.255 any
access-list 109 deny ip any any log
access-list 110 permit udp 172.17.0.0 0.0.255.255 any eq domain
access-list 144 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 150 permit udp any host xx.xx.xx.xx eq isakmp
access-list 150 permit udp any host xx.xx.xx.xx eq non500-isakmp
no cdp run
route-map SDM_RMAP_1 permit 1
!
route-map SDM_RMAP_2 permit 1
!
route-map SDM_RMAP_3 permit 1
match ip address 105
!
!
radius-server host 172.16.xx.xx auth-port 1812 acct-port 1813

!
control-plane
!
!

 
This was added to the above config. Still not working.

ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0/1 overload

 
access-list 105 deny ip any 192.168.80.0 0.0.0.255

See the mistake?

 
I'm not sure I see anything wrong.

The NAT access-list confuses me because they are there to define what gets NATed or not. To me they are kind of backwards compared to a normal access-list.

I tried this; still not able to ping through.
access-list 105 permit ip any 192.168.80.0 0.0.0.255 ?


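The "backwards" NAT access-list and the route-maps that reference ACL 105 can be walked through in code. This is an added example, not anything posted in the thread; it models three IOS behaviours stated in the docstring as assumptions, reuses the ACL 105 lines and addresses from the posted configs, and constructs its own test packets. It shows that a deny line in ACL 105 exempts the LAN-to-VPN-client reply only when the flow is evaluated by SDM_RMAP_3; SDM_RMAP_1 and SDM_RMAP_2 in the posted config have no match clause, and under rule 3 they select the flow first.

```python
"""NAT-exemption walkthrough for the route-map / ACL 105 setup in this thread.

Three IOS behaviours are modelled (assumptions of this example):
  1. An access-list is read top-down, first match wins, implicit deny at end.
  2. In 'ip nat inside source route-map', an ACL permit means "translate this
     flow"; an ACL deny means "this entry does not apply", so the deny lines
     are the NAT exemption.
  3. A 'route-map NAME permit N' entry with no match clause matches every packet.
Addresses and ACL lines come from the configs posted above; packets are constructed.
"""
import ipaddress


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_address(tokens, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (_to_int(tokens[i + 1]), 0), i + 2
    return (_to_int(tokens[i]), _to_int(tokens[i + 1])), i + 2


def _matches(spec, addr: str) -> bool:
    base, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF          # wildcard bit 1 = "don't care"
    return (base & care) == (_to_int(addr) & care)


def parse_acls(config: str) -> dict:
    """Collect 'access-list N permit|deny ip SRC DST [log]' lines, keyed by number."""
    acls = {}
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {raw}")
        src, i = _parse_address(tokens, 4)
        dst, _ = _parse_address(tokens, i)   # a trailing 'log' keyword is ignored
        acls.setdefault(number, []).append((action, src, dst))
    return acls


def acl_decision(entries, src: str, dst: str) -> str:
    for action, s, d in entries:
        if _matches(s, src) and _matches(d, dst):
            return action
    return "deny"                          # implicit deny at the end of every ACL


def route_map_selects(sequences, acls, src: str, dst: str) -> bool:
    """sequences: [(action, acl_number_or_None), ...] in sequence-number order."""
    for action, acl in sequences:
        if acl is None or acl_decision(acls.get(acl, []), src, dst) == "permit":
            return action == "permit"
    return False


def nat_translates(nat_statements, route_maps, acls, src: str, dst: str) -> bool:
    """True if any listed 'ip nat inside source route-map' statement picks the flow.
    Assumption: a flow selected by any of the statements gets translated."""
    return any(route_map_selects(route_maps[n], acls, src, dst) for n in nat_statements)


# ACL 105 as posted in the latest config (VPN pool moved to 192.168.80.0/24).
ACL_105 = """
access-list 105 remark SDM_ACL Category=18
access-list 105 deny ip 172.16.0.0 0.0.255.255 192.168.80.0 0.0.0.255 log
access-list 105 permit ip 172.16.0.0 0.0.255.255 any
"""
ROUTE_MAPS = {
    "SDM_RMAP_1": [("permit", None)],      # posted with no 'match' clause
    "SDM_RMAP_2": [("permit", None)],      # posted with no 'match' clause
    "SDM_RMAP_3": [("permit", "105")],     # match ip address 105
}
LAN_HOST = "172.16.2.11"                   # the internal server being pinged
VPN_CLIENT = "192.168.80.35"               # client address from the syslog line
INTERNET_HOST = "198.51.100.7"             # constructed (documentation range)


def lan_to_vpn_translated_with_all_nat_statements() -> bool:
    acls = parse_acls(ACL_105)
    return nat_translates(["SDM_RMAP_1", "SDM_RMAP_2", "SDM_RMAP_3"],
                          ROUTE_MAPS, acls, LAN_HOST, VPN_CLIENT)


def lan_to_vpn_translated_with_only_rmap3() -> bool:
    acls = parse_acls(ACL_105)
    return nat_translates(["SDM_RMAP_3"], ROUTE_MAPS, acls, LAN_HOST, VPN_CLIENT)


def lan_to_internet_translated_with_only_rmap3() -> bool:
    acls = parse_acls(ACL_105)
    return nat_translates(["SDM_RMAP_3"], ROUTE_MAPS, acls, LAN_HOST, INTERNET_HOST)


if __name__ == "__main__":
    print("ACL 105 verdict on the LAN->VPN reply:", acl_decision(parse_acls(ACL_105)["105"], LAN_HOST, VPN_CLIENT))
    print("translated with all three NAT statements:", lan_to_vpn_translated_with_all_nat_statements())
    print("translated with SDM_RMAP_3 only:", lan_to_vpn_translated_with_only_rmap3())
    print("LAN->Internet still translated:", lan_to_internet_translated_with_only_rmap3())
```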
 
I see this in the syslog.

Information: list sdm_gigabitethernet0/0 permitted icmp 172.16.2.11 -> 192.168.80.35 (0/0), 60 packets

Seems that when I ping 172.16.2.11 the system is responding but it doesn't make it through the firewall to me.

 
WOW it looks like it's working!! At different times over the past week I have had this config but it didn't work.

I just turned off the Windows firewall on my client and it's working. I can ping both ways.

Thank you very much for helping me work through this problem.

Thank you,
Ken
 
I thought I figured out the problem yesterday but now I don't think so. Turning off the Windows firewall was just a workaround for the problem.

It looks like there is still a problem.

What is happening is, when I ping an internal IP it responds to me NATed behind the firewall's external IP instead of routing through the VPN tunnel.

Please take a look at the NAT access-list and route-map for me. I keep going over it and cannot figure it out. There is definitely something I don't understand here.

I need to get internal IPs to route back to the remote client via the tunnel using the internal IP.

Thanks for your help,
 
This is the latest router config.

NAT exemption is not working to send traffic through the VPN tunnel. Outbound traffic is being NATed out behind the router's external IP.

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EDGE-2821
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-3g.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096 debugging
logging console critical
logging monitor critical
enable
!
aaa new-model
!
!
aaa group server radius RadiusServers
server 172.16.2.11 auth-port 1812 acct-port 1813
!
aaa authentication login default local group RadiusServers
aaa authentication login RadiusServers group RadiusServers
aaa authentication login vty_line local
aaa authentication login console_line line none
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone Eastern -5
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect max-incomplete high 4100
ip inspect max-incomplete low 4000
ip inspect one-minute high 4100
ip inspect one-minute low 4000
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW https timeout 1800
ip inspect name DMZ_LOW smtp
ip inspect name DMZ_LOW udp
ip inspect name DMZ_LOW tcp
!
!
ip flow-cache timeout active 1
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
no ip bootp server
no ip domain lookup
ip domain name xxx.xxx
ip ssh time-out 60
!
!
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
lifetime 3600
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group default
key xxxxxxxxx
dns 172.16.2.11 172.16.2.2
wins 172.16.2.11 172.16.2.2
domain xxx.xxx
pool VPN_Pool
acl 102
netmask 255.255.255.0
!
!
crypto ipsec transform-set trnsfrmset esp-aes esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-md5-hmac
!
crypto ipsec profile Profile_1
set security-association lifetime seconds 28800
set security-association idle-time 28800
set transform-set trnsfrmset SDM_TRANSFORMSET_1 SDM_TRANSFORMSET_2
!
!
crypto dynamic-map dynmap 1
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set security-association idle-time 14400
set transform-set trnsfrmset SDM_TRANSFORMSET_1
reverse-route
!
!
crypto map clientmap client authentication list RadiusServers
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel1
no ip address
!
interface GigabitEthernet0/0
description Tampa LAN$ETH-LAN$
ip address 172.16.1.2 255.255.0.0
ip access-group sdm_gigabitethernet0/0_in in
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description Edge Link
ip address xx.xx.xx.xx 255.255.255.192
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip policy route-map vnp-client
duplex full
speed 10
no mop enabled
crypto map clientmap
!
interface GigabitEthernet0/3/0
description Tampa DMZ
ip address 172.17.1.1 255.255.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
no negotiation auto
!
ip local pool VPN_Pool 192.168.80.1 192.168.80.254
ip classless
ip route 0.0.0.0 0.0.0.0 63.236.108.65 permanent
ip route 172.17.0.0 255.255.0.0 172.16.1.1 permanent
ip route 172.20.0.0 255.255.0.0 172.16.1.1
ip route 172.25.0.0 255.255.0.0 172.16.1.1 permanent
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 172.16.2.30 2000
ip flow-top-talkers
top 10
sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_3 interface GigabitEthernet0/1 overload
ip nat inside source static network 172.17.1.15 xx.xx.xx.xx /32
ip nat inside source static network 172.17.1.10 xx.xx.xx.xx /32
ip nat inside source static network 172.17.1.11 xx.xx.xx.xx /32
!
ip access-list extended sdm_gigabitethernet0/0_in
remark SDM_ACL Category=17
permit icmp any any log
permit ip any any
!
ip radius source-interface GigabitEthernet0/0
logging history errors
logging trap notifications
logging origin-id hostname
logging source-interface GigabitEthernet0/0
logging server-arp
logging 172.25.2.23
logging 172.25.55.172
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=17
access-list 100 permit icmp any any log
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 xx.xx.xx.xx 0.0.0.255
access-list 101 permit ahp any host xx.xx.xx.xx
access-list 101 permit esp any host xx.xx.xx.xx
access-list 101 permit ip any 172.16.0.0 0.0.255.255
access-list 101 permit ip any 172.17.0.0 0.0.255.255
access-list 101 permit ip any 172.25.0.0 0.0.255.255
access-list 101 permit ip any 172.20.0.0 0.0.255.255
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 172.25.0.0 0.0.255.255 any
access-list 102 permit ip 172.20.0.0 0.0.255.255 any
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 permit ip 172.17.0.0 0.0.255.255 any
access-list 102 permit ip xx.xx.xx.xx 0.0.0.255 any
access-list 105 remark SDM_ACL Category=18
access-list 105 deny ip 172.16.0.0 0.0.255.255 192.168.80.0 0.0.0.255 log
access-list 105 permit ip 172.16.0.0 0.0.255.255 any
access-list 110 permit udp 172.17.0.0 0.0.255.255 any eq domain
access-list 144 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 150 permit udp any host xx.xx.xx.xx eq isakmp
access-list 150 permit udp any host xx.xx.xx.xx eq non500-isakmp
snmp-server community Palace RW
no cdp run
route-map SDM_RMAP_1 permit 1
!
route-map SDM_RMAP_2 permit 1
!
route-map SDM_RMAP_3 permit 1
match ip address 105
!
!
!
scheduler allocate 20000 1000
!
end

 
Post the contents of sh route-map.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Here is my current config. I'm at the point where I'm trying anything I read on the internet that kind of relates.

One thing I noticed was that when I remove "ip nat outside" the VPN works perfectly.

So, the problem is definitely my route-map and nonat setup.

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname EDGE-2821
!
boot-start-marker
boot system flash c2800nm-advsecurityk9-mz.124-3g.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging count
logging buffered 4096 debugging
logging console critical
logging monitor critical
!
aaa new-model
!
!
aaa group server radius RadiusServers
server 172.16.2.11 auth-port 1812 acct-port 1813
!
aaa authentication login default local group RadiusServers
aaa authentication login RadiusServers group RadiusServers
aaa authentication login vty_line local
aaa authentication login console_line line none
aaa authorization network groupauth local
!
aaa session-id common
!
resource policy
!
clock timezone Eastern -5
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect max-incomplete high 4100
ip inspect max-incomplete low 4000
ip inspect one-minute high 4100
ip inspect one-minute low 4000
ip inspect tcp max-incomplete host 100 block-time 0
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW https timeout 1800
ip inspect name DMZ_LOW smtp
ip inspect name DMZ_LOW udp
ip inspect name DMZ_LOW tcp
!
!
ip flow-cache timeout active 1
ip ips sdf location flash://sdmips.sdf
ip ips sdf location flash://256MB.sdf autosave
ip ips notify SDEE
no ip bootp server
no ip domain lookup
ip domain name xxx.xxx
ip ssh time-out 60
!
!
!
crypto pki trustpoint TP-self-signed-3
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3
revocation-check none
rsakeypair TP-self-signed-3
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
lifetime 3600
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group default
key 6 xxxx
dns 172.16.2.11 172.16.2.2
wins 172.16.2.11 172.16.2.2
domain xxx.xxx
pool VPN_Pool
acl 102
netmask 255.255.255.0
!
!
crypto ipsec transform-set trnsfrmset esp-aes esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-md5-hmac
!
crypto ipsec profile Profile_1
set security-association lifetime seconds 28800
set security-association idle-time 28800
set transform-set trnsfrmset SDM_TRANSFORMSET_1 SDM_TRANSFORMSET_2
!
!
crypto dynamic-map dynmap 1
set security-association lifetime kilobytes 86400
set security-association lifetime seconds 28800
set security-association idle-time 14400
set transform-set trnsfrmset SDM_TRANSFORMSET_1
reverse-route
!
!
!
crypto map clientmap client authentication list RadiusServers
crypto map clientmap isakmp authorization list groupauth
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Tunnel1
no ip address
!
interface GigabitEthernet0/0
description Tampa LAN$ETH-LAN$
ip address 172.16.1.2 255.255.0.0
ip access-group sdm_gigabitethernet0/0_in in
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description Edge Link
ip address xx.xx.xx.xx 255.255.255.192
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip inspect SDM_LOW out
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex full
speed 10
no mop enabled
crypto map clientmap
!
interface GigabitEthernet0/3/0
description Tampa DMZ
ip address 172.17.1.1 255.255.0.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
no negotiation auto
!
ip local pool VPN_Pool 192.168.80.1 192.168.80.254
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent
ip route 10.1.1.0 255.255.255.252 172.16.1.1
ip route 10.1.1.4 255.255.255.252 172.16.1.5
ip route 172.17.0.0 255.255.0.0 172.16.1.1 permanent
ip route 172.20.0.0 255.255.0.0 172.16.1.1
ip route 172.25.0.0 255.255.0.0 172.16.1.1 permanent
ip flow-export source GigabitEthernet0/0
ip flow-export version 5
ip flow-export destination 172.16.2.30 2000
ip flow-top-talkers
top 10
sort-by bytes
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip nat inside source static network 172.17.1.15 xx.xx.xx.xx /32
ip nat inside source static network 172.17.1.10 xx.xx.xx.xx /32
ip nat inside source static network 172.17.1.11 xx.xx.xx.xx /32
!
ip access-list extended sdm_gigabitethernet0/0_in
remark SDM_ACL Category=17
permit icmp any any log
permit ip any any
!
ip radius source-interface GigabitEthernet0/0
logging history errors
logging trap notifications
logging origin-id hostname
logging source-interface GigabitEthernet0/0
logging server-arp
logging 172.25.2.23
logging 172.25.55.172
access-list 1 permit any
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 172.20.0.0 0.0.255.255 log
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark SDM_ACL Category=17
access-list 100 permit icmp any any log
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.25.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 101 permit ip 192.168.80.0 0.0.0.255 172.17.0.0 0.0.255.255
access-list 101 permit ahp any host xx.xx.xx.xx
access-list 101 permit esp any host xx.xx.xx.xx
access-list 101 permit ip 192.168.80.0 0.0.0.255 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 permit ip 172.25.0.0 0.0.255.255 any
access-list 102 permit ip 172.20.0.0 0.0.255.255 any
access-list 102 permit ip 172.16.0.0 0.0.255.255 any
access-list 102 permit ip 172.17.0.0 0.0.255.255 any
access-list 105 remark SDM_ACL Category=18
access-list 105 deny ip any 192.168.80.0 0.0.0.255 log
access-list 105 permit ip any any log
access-list 107 remark SDM_ACL Category=1
access-list 107 permit ip 172.16.0.0 0.0.255.255 192.168.80.0 0.0.0.255 log
access-list 110 permit udp 172.17.0.0 0.0.255.255 any eq domain
access-list 144 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 150 permit udp any host xx.xx.xx.xx eq isakmp
access-list 150 permit udp any host xx.xx.xx.xx eq non500-isakmp
no cdp run
!
route-map SDM_RMAP_1 permit 1
!
route-map SDM_RMAP_2 permit 1
!
route-map nonat permit 1
match ip address 105
!
 
The counters are static so I think the matches are from me moving the route-map to the inside interface temporarily. Testing anything at this point.

Thanks for the help!


EDGE-2821#sh route-map
route-map SDM_RMAP_1, permit, sequence 1
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map SDM_RMAP_2, permit, sequence 1
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map nonat, permit, sequence 1
Match clauses:
ip address (access-lists): 105
Set clauses:
Policy routing matches: 614743 packets, 206226207 bytes
 
ok, the first thing I would do is remove the other two route-maps and the associated nat statements in your config; you'll be left with your nonat route-map and the associated nat statement. I just want to make sure that those are not fudging anything up.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
OK will do. I'm not sure if that will break anything so I'll have to do it after 6pm tonight.

Thanks
 
When I said "access-list 105 deny ip any 192.168.80.0 0.0.0.255

See the mistake?",

look at the IP address. Is it not supposed to be 172.16, not 192.168???

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Thanks guys you pointed me in the right direction and I understand it much better now.

I did a little testing and set match ip address 105 in all three of my route-maps and it worked. Internal IPs responded without being nat'ed.

So, the other route maps in my NAT table allowed NAT which was overriding my deny in route-map nonat using acl 105.

I've come to the conclusion that I only need one route-map with all of my access rules built into the ACL.

You guys were a great help!
Thank you both,
Ken


Here is my plan for tonight and I'm sure it will work based on my test.

Remove these statements:
no ip nat inside source route-map SDM_RMAP_2 interface GigabitEthernet0/1 overload
no ip nat inside source route-map nonat interface GigabitEthernet0/1 overload

no route-map SDM_RMAP_2 permit 1
no route-map nonat permit 1

Keep these statements:
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload

route-map SDM_RMAP_1 permit 1

access-list 105 deny ip any 192.168.80.0 0.0.0.255 log
access-list 105 permit ip any any log

Add these statements:
route-map SDM_RMAP_1
match ip address 105
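To make the conclusion above concrete, here is an added Python model (not from this thread, not Cisco code) of the policy-NAT decision as Ken observed it: a route-map with no match clause permits every packet, so any `ip nat inside source route-map` statement that references such a route-map translates the LAN-to-VPN-pool return traffic even though the nonat route-map's ACL 105 denies it. The model is deliberately simplified (a packet is translated if any NAT rule's route-map permits it; ACLs use IOS wildcard masks and first-match with an implicit deny); the sample addresses for the LAN host and the Internet destination are constructed.

```python
"""Simplified model of IOS 'ip nat inside source route-map' evaluation.

Added example for the thread's NAT-exemption problem; not Cisco code.
ACL entries are (action, src_net, src_wildcard, dst_net, dst_wildcard).
Route-map entries are (action, [acls]); an empty acl list = no match clause.
"""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS keyword 'any'


def _to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr, network, wildcard):
    """IOS wildcard semantics: a set bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ _to_int(wildcard)
    return (_to_int(addr) & care) == (_to_int(network) & care)


def acl_permits(acl, src, dst):
    """First matching entry decides; no match means the implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action == "permit"
    return False


def route_map_permits(route_map, src, dst):
    """A sequence with no match clause matches everything (the SDM_RMAP_1/2 case)."""
    for action, match_acls in route_map:
        if not match_acls or any(acl_permits(a, src, dst) for a in match_acls):
            return action == "permit"
    return False


def nat_applied(nat_rules, src, dst):
    """Translate if any 'ip nat inside source route-map' rule permits the packet."""
    return any(route_map_permits(rm, src, dst) for rm in nat_rules)


# access-list 105 from the thread: deny anything destined to the VPN pool, permit the rest
ACL_105 = [
    ("deny", *ANY, "192.168.80.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]

# Before: three NAT statements; SDM_RMAP_1/2 have no match clause, nonat matches ACL 105
NAT_BEFORE = [
    [("permit", [])],          # route-map SDM_RMAP_1 permit 1
    [("permit", [])],          # route-map SDM_RMAP_2 permit 1
    [("permit", [ACL_105])],   # route-map nonat permit 1 / match ip address 105
]

# After (Ken's plan): one NAT statement whose route-map matches ACL 105
NAT_AFTER = [
    [("permit", [ACL_105])],   # route-map SDM_RMAP_1 / match ip address 105
]

LAN_HOST = "172.16.2.11"       # from the config (the RADIUS/DNS server)
VPN_CLIENT = "192.168.80.5"    # constructed: an address out of VPN_Pool
INTERNET = "198.51.100.10"     # constructed documentation address


def vpn_return_traffic_translated(nat_rules):
    """True means LAN replies to the VPN client get NATed and the tunnel breaks."""
    return nat_applied(nat_rules, LAN_HOST, VPN_CLIENT)


def internet_traffic_translated(nat_rules):
    """Ordinary outbound traffic must still be translated after the fix."""
    return nat_applied(nat_rules, LAN_HOST, INTERNET)


if __name__ == "__main__":
    print("before: LAN->VPN client NATed?", vpn_return_traffic_translated(NAT_BEFORE))
    print("after:  LAN->VPN client NATed?", vpn_return_traffic_translated(NAT_AFTER))
    print("after:  LAN->Internet NATed?  ", internet_traffic_translated(NAT_AFTER))
```

Running the script shows the before/after difference: with the two unconditional route-maps present, the reply from 172.16.2.11 to the VPN client is translated regardless of ACL 105; with a single route-map bound to ACL 105, the reply is left untranslated while outbound Internet traffic is still NATed.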


