VPN only flows in one direction

[mrfite]

The corp. office needs access to the regional office networks.

The regional offices can connect through the vpn to the corportate office and logon to the domain and see all the corporate resources. The corporate office users cannot access any of our regional offices by any means (ping, rdp, etc.)
The corporate office has a static address and uses a CISCO 2800 series router. All the regional offices use Cisco 800 series routers with dynamic ip's.

Below is the 2800 series config.
Building configuration...

Current configuration : 10060 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
enable secret X
enable password X
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
!
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
ip domain name yourdomain.com
!
!
!
crypto pki trustpoint TP-self-signed-xxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxx
revocation-check none
rsakeypair TP-self-signed-xxxx
!
!
crypto pki certificate chain TP-self-signed-xxxx
xxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 4
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxxx address x.x.x.X
crypto isakmp key xxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
crypto isakmp client configuration group remotevpn
key xx
dns 192.168.0.99
wins 192.168.0.99
domain xx
pool mypool
acl 180
!
crypto isakmp client configuration group storevpn
key xxx
dns 192.168.0.99
wins 192.168.0.99
domain xx
pool mypool
acl 180
crypto isakmp profile vi
match identity group storevpn
match identity group remotevpn
isakmp authorization list default
client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto ipsec profile vi
set transform-set myset
set isakmp-profile vi
!
!
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile vi
!
!
crypto map SDM_CMAP_1 isakmp authorization list groupauthor
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel Store#1
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 102
crypto map SDM_CMAP_1 10000 ipsec-isakmp dynamic dynmap
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.252
!
interface FastEthernet0/0
description Corporate LAN$FW_INSIDE$
ip address 192.168.0.5 255.255.255.0
ip access-group 103 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
ip policy route-map static_no_nat
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description Corporate LAN$FW_outside$
ip address x.x.x.x 255.255.255.248
ip access-group 104 in
ip nat outside
ip virtual-reassembly
no ip route-cache cef
no ip route-cache
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel source FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
!
ip local pool mypool 172.16.10.1 172.16.10.254
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 120 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.0.101 3389 X.X.X.X 3389 extendable
ip nat inside source static tcp 192.168.0.102 25 X.X.X.X 25 extendable
ip nat inside source static tcp 192.168.0.102 110 X.X.X.X 110 extendable
ip nat inside source static tcp 192.168.0.102 443 X.X.X.X 443 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip X.X.X.X 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 permit udp host X.X.X.X host X.X.X.X eq non500-isakmp
access-list 101 permit udp host X.X.X.X host X.X.X.X eq isakmp
access-list 101 permit esp host X.X.X.X host X.X.X.X
access-list 101 permit ahp host X.X.X.X host X.X.X.X
access-list 101 deny ip 192.168.0.0 0.0.0.255 any
access-list 101 permit icmp any host X.X.X.X echo-reply
access-list 101 permit icmp any host X.X.X.X time-exceeded
access-list 101 permit icmp any host X.X.X.X unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 deny ip X.X.X.X 0.0.0.7 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 103 permit icmp any any
access-list 104 permit esp any any
access-list 104 permit udp any host X.X.X.X eq isakmp
access-list 104 permit udp any host X.X.X.X eq non500-isakmp
access-list 104 permit tcp any host X.X.X.X eq 3389
access-list 104 permit tcp any host X.X.X.X eq smtp
access-list 104 permit tcp any host X.X.X.X eq 443
access-list 104 permit tcp any host X.X.X.X eq pop3
access-list 104 permit tcp X.X.X.X 0.0.0.63 host X.X.X.X eq 22
access-list 104 permit tcp X.X.X.X 0.0.0.15 host X.X.X.X eq 22
access-list 104 permit tcp X.X.X.X 0.0.0.7 host X.X.X.X eq 22
access-list 104 permit tcp host X.X.X.X host X.X.X.X eq 22
access-list 104 permit tcp host X.X.X.X host X.X.X.X eq 22
access-list 120 deny ip 192.168.0.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
access-list 121 remark ACL used to prevent STATIC NAT TRANSLATION for VPN Client
s
access-list 121 permit ip host 192.168.0.101 172.16.10.0 0.0.0.255
access-list 121 permit ip host 192.168.0.102 172.16.10.0 0.0.0.255
access-list 180 permit ip 192.168.0.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 180 remark ACL for Split tunnel configuration VPN Client
route-map static_no_nat permit 10
match ip address 121
set ip next-hop 1.1.1.2
!
!
!
control-plane

!
line con 0
line aux 0
line vty 0 4
privilege level 15
password password
transport input ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

 

[Alterac]

You nat access list needs to be opened up to more than those two servers, (which I assume are your AD servers).

access-list 121 permit ip host 192.168.0.101 172.16.10.0 0.0.0.255
access-list 121 permit ip host 192.168.0.102 172.16.10.0 0.0.0.255


Try opening it up to 192.168.0.0 0.0.0.255 172.16.10.0 0.0.0.255

And then open it on the endpoint also, but in reverse.




----------------------------------
Bill

 

[mrfite]

Thanks for the help but that didn't work.

 

[mrfite]

When I perform a tracert from the Corporate Lan to a regional office it goes to the 2800 series router and then proceeds to the internet where the source is unreachable. Also when you run "show crypto isakmp peers" the internet address of the regional routers shows up but the Local address is the same for all of the routers and that is the internet address of the Corporate Router.

 

[Alterac]

Would you be able to put up a diagram, and the config from at least one endpoint?

Can you get to the clients from the servers, 192.168.0.101 or 192.168.0.102 ?


----------------------------------
Bill

 

[mrfite]

one of the regional router configs follows:
Building configuration...

Current configuration : 3298 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
!
boot-start-marker
boot-end-marker
!
no logging console
!
no aaa new-model
!
resource policy
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.254
!
ip dhcp pool CLIENT
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.0.99 192.168.0.100 216.165.129.158 216.170.153.146
lease 0 2
!
!
ip dhcp update dns
ip cef
no ip domain lookup
ip domain name XXXXXX
ip name-server 192.168.0.99
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key XXXX address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
crypto ipsec client ezvpn storevpn
connect auto
group storevpn key XXXX
mode client
peer X.X.X.X
xauth userid mode interactive
!
!
!
interface Loopback0
ip address 172.16.10.112 255.255.255.255
!
interface Ethernet0
description 285 LANside_INSIDE$
ip address 192.168.10.254 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly
no cdp enable
crypto ipsec client ezvpn storevpn inside
hold-queue 32 in
!
interface Ethernet1
description 285 Dynamic DSLside_outside
ip address dhcp
ip nat outside
ip virtual-reassembly
duplex auto
no cdp enable
crypto ipsec client ezvpn storevpn
!
interface Ethernet2
no ip address
shutdown
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 dhcp
ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http max-connections 4
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 102 deny ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 104 permit tcp X.X.X.X 0.0.0.63 any eq 22
access-list 104 permit tcp X.X.X.X 0.0.0.16 any eq 22
access-list 104 permit tcp X.X.X.X 0.0.0.7 any eq 22
!
control-plane

!
line con 0
exec-timeout 120 0
login local
no modem enable
stopbits 1
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
!
scheduler max-task-time 5000
end

 

[mrfite]

to answer your question, I cannot get to the clients from the Corporate Servers eventhough they can clearly see the Corporate Servers.

 

[Alterac]

On your corporate hub router, add the following to your crypto map

reverse-route

eg:

crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel Store#1
set peer x.x.x.x
set transform-set ESP-3DES-SHA
match address 102
reverse-route


Documentation:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_rrie.html

----------------------------------
Bill

 

[burtsbees]

How can you set peer to an IP address that is always changing? Instead of site to site tunnels, you should probably set up remote access vpns in each of the remote sites, and just vpn in from a computer in corporate with the Cisco VPN client. You can easily register each of the remote sites IP addresses in dyndns.org (up to 5 for free), and that way you can just enter the domain name in the vpn client configurations. Let me know if this is what you want to do. Can you post a sh ver of the remote site routers?

Burt

 

[mrfite]

We need to access equipment that is also at the regional sites from the corporate office. That is why VPN software is not used. All the white papers I have read point to the very application I am trying to implement (one seemless lan), which is exactly what these routers were created for using VPN and Dynamic remote addresses.

 

[burtsbees]

Here is my point---you have to have a static IP address for the peer (set peer x.x.x.x). The dynamic address will change to something else and the router will no longer know how to get to it. Usually people these days do this over an MPLS backbone, or point-t-point T1 connections. I have a dynamic DSL connection at home going to a Cisco 2620XM, and I therefore had to make it a remote access vpn, and register the address with a domain name in dyndns.org with a DDNS config. Looks like I am missing something here... Could you maybe port the config of one of the 800's? It should be nearly identical...let's see the comparison...

Burt

 

[mrfite]

The White paper "Configuring an IPsec Router Dynamic
LAN?to?LAN Peer and VPN Clients: Document ID: 46242" by Cisco outlines the dynamic ip assigned remote sites, static ip central site connecting through a VPN to establish a Lan-to-Lan network. This is what I am trying to create. I have included the config for an 800 in a previous post in this thread under "regional router config".