Re: VPN Client access with 2621XM, NAT and static routes

dschuckman · ‎07-22-2005

Good afternoon,

Apparently I have a difficult or for lack of better words extremely confusing configuration that I am attempting to do. I have a case open with TAC right now but this case has been going on for 5 days now and I am trying to determine if anyone else might have some good information.

I am currently working with a customer that recently requested vpn access to there network. I am attempting to configure the router to use a local IAS server for authentication. I currently have the router configured with local authentication. I am authenticating to the usernames that I have declared on the device. However I am attempting, with out success, to authenticate to the IAS server. The IAS server is located at 10.10.1.201. I when connected locally through the VPn to the router I am able to ping 10.10.1.201 and access the device via remote desktop. However I do have to remove my access-list 110. I haven't quite determined how to permit the ipsec or tunnel traffic through the incoming acl on the outside interface. However when I change the crypto map authentication to look at userauthen it fails I still receive authoriztion from the router that displays a user box but can't get authentication from the IAs server I also don't see any logs in the IAS server for requests. Not sure whats going on. OK Summarized I have two issues access-list 110 doesn't allow my vpn traffic to access internal network or dns. Authentication to IAS server is unsuccesful. I know the IAS server is working properly as I have a very similiar configuration running on a second 2621 and on a pix 515 that authenticate to the server for testing as well. I have attached the configuration fomr the rotuer that is not working.

I have attached a copy of the configuration!

ehirsel · ‎07-23-2005

This link should be useful in configuring and IOS device to use Radius to authenticate vpn clients. Even though it details connections from the cisco ms win vpn client, it should provide you with a good starting point.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800946b7.shtml

I do have one question with regards to the route-map:

Where is 1.1.1.2? I noted that that address is on the subnet that loopback 0 is on - that is you have a /30 bit mask instead of a /32 bit mask on the loopback; normally you do use a /32 bit mask since they are logical interfaces. If the purpose of the route-map is to not nat for ipsec vpn connections, then you normally don't apply it to an interface and don't config the next-hop, instead you refer to in in the ip nat config area. You can find examples of this in the IOS addressing and services config guide (nat may be listed under the protocol independant services area).

Note that the router FA0/1 interface ip address needs to be defined as a radius client in the ISA config, since the router will be connecting to the radius server to authenticate remote clients. Insure that that address is defined properly and that the keys match.

You will need to insure that the isa radius service is running on the newer RFC ports 1812 and 1813; in the ms win etc\services file if the lines that begin with radius use the older rfc ports 1645/1646 then there is a port mismatch and your ios router will not be able to contact the radius service. So check that the ports on the isa host match what the ios device expects them to be.

I think that the route map may be a source of some of your issues too, so look there as well.

Let me know what you find and if you need any more help.