12-02-2010 05:59 PM - edited 03-04-2019 10:39 AM
Good Day,
I have configured my Cisco 881 and finally got past the "Cannot see my network" with IPSec VPN issue.
I have a usecase where I need to access the gateway from the VPN Session.
When I connect to the VPN using Cisco VPN Client 4.8x, I do not get back a Default Gateway on the VPN Adapter. When I try to ping my LAN Gateway IP (10.20.30.1) it does not respond and I cannot access it with any other tools.
I am pretty sure this is very much an ACL issue, and it makes sense to hide the gateway by default, but the big question is: how do I configure my router to see the gateway and be able to access it from the VPN session?
Please see my cleaned configuration attached.
Network Info:
Thanks in advance for your assistance!
Regards,
- JsD
12-07-2010 04:43 PM
Please kindly mark this post as answered so others facing the same issue can follow the workaround provided based on your final configuration.
Great update and explanation, by the way. Thanks for that.
12-06-2010 08:11 AM
Update - I am actually having issues getting to physical hosts on the Cisco 881 LAN too. This is a show stopper for me and now I am completely stuck.
Does anybody have any advice on how to get Easy VPN working on a Cisco 881?
12-06-2010 12:24 PM
Hi,
Please post the router config in this thread; it's not clear in Notepad.
Regards,
Mohamed
12-06-2010 12:29 PM
No problem. Here is the configuration from the attachment above:
Building configuration...
Current configuration : 8573 bytes
!
! Last configuration change at 20:08:52 PCTime Thu Dec 2 2010 by superuser
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpngate
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-15289216
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-15289216
revocation-check none
rsakeypair TP-self-signed-15289216
!
!
!
!
!
ip dhcp excluded-address 10.20.0.1 10.20.30.9
ip dhcp excluded-address 10.20.30.50 10.20.255.254
ip dhcp excluded-address 10.20.30.1 10.20.30.9
ip dhcp excluded-address 10.20.30.50 10.20.30.254
!
ip dhcp pool ccp-pool1
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
dns-server 192.168.2.1
!
!
ip cef
no ip bootp server
ip domain name mynetwork.ca
ip name-server 192.168.2.1
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn XXXXXXXXXX
!
!
username XXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
username XXXXX secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group sjptest1
key XXXXXXXXXXXXXXXXXXXXXX
dns 192.168.2.1
pool SDM_POOL_1
acl 103
save-password
crypto isakmp profile ciscocp-ike-profile-1
match identity group sjptest1
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 10.30.99.99 255.255.255.0
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 192.168.68.222 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.20.30.1 255.255.0.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
ip local pool SDM_POOL_1 10.20.40.10 10.20.40.50
ip local pool SDM_POOL_2 10.1.1.10 10.1.1.20
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.68.1
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.20.30.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.20.30.0 0.0.0.255
access-list 2 permit 192.168.68.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq 22
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq 443
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq cmd
access-list 100 deny tcp any host 192.168.68.222 eq telnet
access-list 100 deny tcp any host 192.168.68.222 eq 22
access-list 100 deny tcp any host 192.168.68.222 eq www
access-list 100 deny tcp any host 192.168.68.222 eq 443
access-list 100 deny tcp any host 192.168.68.222 eq cmd
access-list 100 deny udp any host 192.168.68.222 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.20.30.0 0.0.0.255 any
access-list 101 permit ip 192.168.68.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq 22
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq 443
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq cmd
access-list 102 deny tcp any host 10.20.30.1 eq telnet
access-list 102 deny tcp any host 10.20.30.1 eq 22
access-list 102 deny tcp any host 10.20.30.1 eq www
access-list 102 deny tcp any host 10.20.30.1 eq 443
access-list 102 deny tcp any host 10.20.30.1 eq cmd
access-list 102 deny udp any host 10.20.30.1 eq snmp
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=4
access-list 103 deny ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
access-list 103 permit ip 10.20.30.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
bla bla bla
-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 101 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
12-06-2010 12:41 PM
Hi,
Please change ACL1 to the following ACL:
access-list 100 deny ip 10.20.30.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 deny ip 192.168.68.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip any any
ip nat inside source list 100 interface fastethernet4 overload
Let us know if this solves your problem,
Regards,
Mohamed
12-06-2010 01:26 PM
Is there a typo?
access-list 100 deny ip 10.20.20.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 deny ip 192.168.68.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 100 permit ip any any
Should that not be 10.20.30.0 ?
FYI - a support tech is on my Router right now so I will let him know of
the second deny rule to test it out...
- Tim
12-06-2010 05:27 PM
Well, there are a number of errors in the configuration:
1) Split tunnel ACL 103 has been incorrectly configured. ACL 103 should really be assigned to your NAT policy.
In this case, I would create a new ACL (leaving ACL 103 as we can re-use this for your NAT policy):
access-list 150 permit ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
crypto isakmp client configuration group sjptest1
no acl 103
acl 150
2) As advised earlier, the NAT policy is incorrect. Currently you are assigning standard ACL 1 to your NAT policy. You would need to configure an extended ACL with a deny statement for the traffic between your internal subnet and your IP pool subnet (i.e. exactly what ACL 103 has defined).
ip nat inside source list 103 interface FastEthernet4 overload
no ip nat inside source list 1 interface FastEthernet4 overload
Hope that helps
12-06-2010 08:07 PM
I have updated my running config with the configurations as suggested.
I also added Mohamed's suggested ACE.
Still no luck though. On a fresh reboot of the router, I can ping the gateway and physically connected servers the first time I connect with the VPN Client. However, after I disconnect and reconnect the client, I cannot ping anymore. The only way to be able to ping the router or server again is to restart the router.
Thanks for your attention to this.
Main Changes:
- Removed ACL 1
- Created ACL 150 and assigned it to tunnel
- Altered ACL 103 slightly and assigned it to NAT on FastEthernet 4
- Removed SDM_POOL_2 which was not in use
Here is my current running config:
!
! Last configuration change at 20:08:52 PCTime Thu Dec 2 2010 by superuser
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpngate
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-15289216
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-15289216
revocation-check none
rsakeypair TP-self-signed-15289216
!
!
!
!
!
ip dhcp excluded-address 10.20.0.1 10.20.30.9
ip dhcp excluded-address 10.20.30.50 10.20.255.254
ip dhcp excluded-address 10.20.30.1 10.20.30.9
ip dhcp excluded-address 10.20.30.50 10.20.30.254
!
ip dhcp pool ccp-pool1
import all
network 10.20.30.0 255.255.255.0
default-router 10.20.30.1
dns-server 192.168.2.1
!
!
ip cef
no ip bootp server
ip domain name mynetwork.ca
ip name-server 192.168.2.1
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn XXXXXXXXXXXXXXXXXX
!
!
username sjpc1ad privilege 15 secret 5 XXXXXXXXXXXXXXXXXX
username tquinn secret 5 XXXXXXXXXXXXXXXXXX
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group sjptest1
key XXXXXXXXXXXXXXXXXX
dns 192.168.2.1
pool SDM_POOL_1
acl 150
save-password
crypto isakmp profile ciscocp-ike-profile-1
match identity group sjptest1
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 10.30.99.99 255.255.255.0
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 192.168.68.222 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.20.30.1 255.255.0.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
ip local pool SDM_POOL_1 10.20.40.10 10.20.40.50
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 103 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.68.1
!
logging trap debugging
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.20.30.0 0.0.0.255
access-list 2 permit 192.168.68.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq 22
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq 443
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq cmd
access-list 100 deny tcp any host 192.168.68.222 eq telnet
access-list 100 deny tcp any host 192.168.68.222 eq 22
access-list 100 deny tcp any host 192.168.68.222 eq www
access-list 100 deny tcp any host 192.168.68.222 eq 443
access-list 100 deny tcp any host 192.168.68.222 eq cmd
access-list 100 deny udp any host 192.168.68.222 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.20.30.0 0.0.0.255 any
access-list 101 permit ip 192.168.68.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq 22
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq 443
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq cmd
access-list 102 deny tcp any host 10.20.30.1 eq telnet
access-list 102 deny tcp any host 10.20.30.1 eq 22
access-list 102 deny tcp any host 10.20.30.1 eq www
access-list 102 deny tcp any host 10.20.30.1 eq 443
access-list 102 deny tcp any host 10.20.30.1 eq cmd
access-list 102 deny udp any host 10.20.30.1 eq snmp
access-list 102 permit ip any any
access-list 103 remark NAT ACL
access-list 103 deny ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
access-list 103 deny ip 192.168.68.0 0.0.0.255 10.20.40.0 0.0.0.255
access-list 103 permit ip 10.20.30.0 0.0.0.255 any
access-list 150 remark Split Tunnel
access-list 150 permit ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
no cdp run
!
!
!
!
!
control-plane
!
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
bla bla bla
-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 101 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
- Tim
12-06-2010 08:54 PM
Apart from ping, have you tested any other connectivity between the VPN client and the internal servers? Can you please test other protocols to see if it's a problem with the tunnel or only a problem with pings.
Also, when it's not working, can you please share the output of the following from the router (while the vpn is still connected and you try to access the internal network):
show cry isa sa
show cry ipsec sa
Thanks.
12-06-2010 10:11 PM
I did try arp and VNC. Both work with a fresh reboot of the router, and both also fail after a reconnect of the VPN client.
Please find attached the output logs for "show cry isa sa" and "show cry ipsec sa":
12-06-2010 10:15 PM
Late night fat finger ... sorry.
- Tim
12-06-2010 10:49 PM
Perfect, I think I found what the problem is.
Your internal subnet and your IP pool are configured in the same subnet:
Internal subnet:
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.20.30.1 255.255.0.0
VPN Pool subnet:
ip local pool SDM_POOL_1 10.20.40.10 10.20.40.50
And since you didn't specify the mask, it will default to /8 for the 10.x.x.x major subnet.
So 10.20.30.0/16 and 10.20.40.0/8 overlap with each other.
I would suggest that you configure a totally unique VPN pool subnet: 172.16.40.0/24 for example.
Then:
1) Assign the new ACL to your VPN group configuration, and remove the old pool.
2) Configure split tunnel ACL 150 to include the new pool:
access-list 150 permit ip 10.20.30.0 0.0.0.255
3) Lastly, configure the NAT ACL 103 to deny that traffic:
ip access-list extended 130
5 deny ip 10.20.30.0 0.0.0.255
Hope this time it helps.
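The two replies above point at three defects that can be checked mechanically rather than by eye: a standard ACL attached to the NAT policy (which cannot exempt LAN-to-pool traffic), a split-tunnel ACL that carries deny entries and so looks like a NAT ACL, and a VPN pool whose addresses fall inside the inside interface's subnet (Vlan1 is 10.20.30.1 with a /16 mask, which already covers 10.20.40.x). The script below is an added example for this thread, not code from the original posts or from Cisco. It parses a constructed config excerpt modelled on the one posted above and a second excerpt with the thread's suggested fixes applied (pool moved to 172.16.40.0/24, extended ACL on NAT with a LAN-to-pool deny, permit-only split-tunnel ACL). The names `CONFIG`, `FIXED_CONFIG`, `LAN_IFACE`, `parse` and `check` are the example's own; it understands only the address/wildcard and `any` forms of ACL entries, not `host`.

```python
"""Lint an IOS Easy VPN config for the three defects discussed in this thread (added example)."""
import ipaddress
import re

LAN_IFACE = "Vlan1"  # inside interface whose subnet the VPN pool must not overlap

# Constructed excerpt modelled on the configuration posted above (hypothetical test data).
CONFIG = """\
interface Vlan1
 ip address 10.20.30.1 255.255.0.0
ip local pool SDM_POOL_1 10.20.40.10 10.20.40.50
ip nat inside source list 1 interface FastEthernet4 overload
crypto isakmp client configuration group sjptest1
 pool SDM_POOL_1
 acl 103
access-list 1 permit 10.20.30.0 0.0.0.255
access-list 103 deny ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
access-list 103 permit ip 10.20.30.0 0.0.0.255 any
"""

# Same excerpt with the thread's suggestions applied: unique pool, extended NAT ACL
# with a LAN->pool deny, and a permit-only split-tunnel ACL (constructed).
FIXED_CONFIG = """\
interface Vlan1
 ip address 10.20.30.1 255.255.0.0
ip local pool SDM_POOL_1 172.16.40.10 172.16.40.50
ip nat inside source list 103 interface FastEthernet4 overload
crypto isakmp client configuration group sjptest1
 pool SDM_POOL_1
 acl 150
access-list 103 deny ip 10.20.30.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 103 permit ip 10.20.30.0 0.0.0.255 any
access-list 150 permit ip 10.20.30.0 0.0.0.255 172.16.40.0 0.0.0.255
"""


def wildcard_net(addr, wildcard):
    """IOS address/wildcard pair -> IPv4Network ('any' -> 0.0.0.0/0, contiguous wildcards only)."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard or "0.0.0.0")))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


def parse(config):
    """Extract LAN subnet, pools, NAT ACL, group pool/ACL and ACL entries from a flat config."""
    st = {"lan": None, "pools": {}, "nat_acl": None, "group_pool": None, "split_acl": None, "acls": {}}
    ext = re.compile(r"access-list (\S+) (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?$")
    std = re.compile(r"access-list (\S+) (permit|deny) (\S+)(?: (\S+))?$")
    in_group, cur_iface = False, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):  # top-level line: remember which block we are inside
            in_group = line.startswith("crypto isakmp client configuration group")
            cur_iface = line.split()[1] if line.startswith("interface ") else None
        if cur_iface == LAN_IFACE and (m := re.match(r"ip address (\S+) (\S+)$", line)):
            st["lan"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            st["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"ip nat inside source list (\S+) ", line):
            st["nat_acl"] = m[1]
        elif in_group and (m := re.match(r"pool (\S+)$", line)):
            st["group_pool"] = m[1]
        elif in_group and (m := re.match(r"acl (\S+)$", line)):
            st["split_acl"] = m[1]
        elif m := ext.match(line):  # (action, kind, src, dst)
            st["acls"].setdefault(m[1], []).append((m[2], "extended", wildcard_net(m[3], m[4]), wildcard_net(m[5], m[6])))
        elif m := std.match(line):
            st["acls"].setdefault(m[1], []).append((m[2], "standard", wildcard_net(m[3], m[4]), None))
    return st


def check(config):
    """Return human-readable findings; an empty list means none of the three defects is present."""
    st, findings = parse(config), []
    lan, pool = st["lan"], st["pools"].get(st["group_pool"])
    # 1) pool must not fall inside the inside interface's subnet
    if lan and pool and pool[0] <= lan.broadcast_address and pool[1] >= lan.network_address:
        findings.append(f"pool {st['group_pool']} ({pool[0]}-{pool[1]}) overlaps LAN subnet {lan}")
    # 2) NAT ACL must be extended and exempt LAN->pool traffic from translation
    nat = st["acls"].get(st["nat_acl"], [])
    if any(kind == "standard" for _, kind, _, _ in nat):
        findings.append(f"NAT uses standard ACL {st['nat_acl']}, which cannot exempt LAN->pool traffic")
    elif lan and pool and not any(act == "deny" and src.overlaps(lan) and pool[0] in dst and pool[1] in dst
                                  for act, _, src, dst in nat):
        findings.append(f"NAT ACL {st['nat_acl']} has no deny for LAN->pool traffic")
    # 3) split-tunnel ACL should only permit the protected LAN, never carry NAT-style denies
    split = st["acls"].get(st["split_acl"], [])
    if any(act == "deny" for act, *_ in split):
        findings.append(f"split-tunnel ACL {st['split_acl']} has deny entries; it looks like a NAT ACL")
    elif lan and not any(act == "permit" and src.overlaps(lan) for act, _, src, _ in split):
        findings.append(f"split-tunnel ACL {st['split_acl']} does not include the LAN")
    return findings


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG), ("corrected", FIXED_CONFIG)):
        print(f"{label}:", *(check(cfg) or ["no findings"]), sep="\n  ")
```

Run against the posted excerpt it reports all three findings; against the corrected excerpt it reports none. The overlap test compares the pool's first and last address with the interface subnet derived from the configured mask, so it catches the 10.20.x.x clash whatever mask the pool is assumed to have.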
12-07-2010 01:36 PM
I updated my config to have it simplified and following your suggestions. No luck unfortunately. Same symptoms.
Network Info:
Attachments:
Jennifer - Would you like some updated cry sa dumps based on the new config?
For brevity of this thread, I will only post config inline if requested.
- Tim
12-07-2010 03:47 PM
[Update] The issue was resolved by a Cisco Tech
The issue was related to using Virtual Templates for IPSec VPN. Lawrence from Cisco reverted my config back to the old-fashioned way of doing IPSec VPNs and it worked perfectly.
I am normalizing his configuration and will post my final configuration shortly for closure.
- Tim
12-07-2010 04:01 PM
Great to hear and thanks for the update.