Re: Cisco 881 VPN: can't access local resources

knutjakobsen · ‎10-06-2010

hi,

I have a Cisco 881 and I want to use Easy VPN.

VLAN 1: 192.168.4.0

WAN: 10.0.0.0

VPN: 192.168.8.0

VPN connects and I get an IP of 192.168.8.100 from my pool. I can ping my cisco at VLAN1 (192.168.4.1), but I cannot access my local resources. I guess I miss a NAT configuration, so please guide me into the right place...

thanks in advance!

ohassairi · ‎10-06-2010

use the graphical wizard from web management interface

knutjakobsen · ‎10-07-2010

well, that didnt work well.

I did a re-run of the Easy VPN Wizard. After that I run the "test vpn server" and that also works, but when I try from my client computer, I got the Error 412. So now I'am 1 big step back in my setup......

Any ideas? This time I can't ANY EZVPN rules under "firewall".

What do I need to add?

knutjakobsen · ‎10-08-2010

anyone that can help?

I need to now which firewall-rules I need to configure, and I need to now the NAT rules.

Jennifer Halim · ‎10-08-2010

Here is how you would configure the NAT exemption:

access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.8.0 0.0.0.255

access-list 101 permit ip 192.168.4.0 any

ip nat inside source list 101 interface overload

Please kindly make sure that you remove other dynamic NAT statement if you have one.

Hope that helps.

knutjakobsen · ‎10-08-2010

that's great. I will try this later. Thanks!

but what firewall rules do I need? (outgoing --> in )

edit: After I re-run the EZVPN wizard, I cant connect at all to the vpn server because of missing firewall rules, and not only NAT rules.

Jennifer Halim · ‎10-09-2010

For firewall rules, I would need to see which type of firewall configuration you have configured, ie:

1) ACL?

2) CBAC?

3) ZBFW?

If you can post the config that would help.

knutjakobsen · ‎10-09-2010

the VPN pool is 10.1.1. net. (SDM2), I will delete 192.168.8.0

Current configuration : 12171 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$zAmu$pZfX8OsCLHrEUm8OmINKX1
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-2367260332
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2367260332
revocation-check none
rsakeypair TP-self-signed-2367260332
!
!
crypto pki certificate chain TP-self-signed-2367260332
certificate self-signed 01
   30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
   31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
   69666963 6174652D 32333637 32363033 3332301E 170D3130 30383133 31323135
   32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
   4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 33363732
   36303333 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
   8100AE82 3E293651 7361723A 3B455E28 1DA14F7C 5B63011F 9191EB20 DE6722D9
   97F7BCCD 9EBC3ED9 BBC8E0DE BCE54BED 41D1F00B A9E24811 265252DC 13CC3EC6
   E65C2B3A 4D8CB7CF 2B094789 086B5B14 527EFB3D 6E9339D8 3FA303C6 2710B774
   BEC0573F 461F4326 820ACF8D 74372B15 4CD7CCD5 07FBA595 6677410A 272B7CB5
   B2450203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
   551D1104 0E300C82 0A636973 636F2E70 69636F30 1F060355 1D230418 30168014
   E6CC7F83 40BD59B9 D895BE30 88897BF4 94F66187 301D0603 551D0E04 160414E6
   CC7F8340 BD59B9D8 95BE3088 897BF494 F6618730 0D06092A 864886F7 0D010104
   05000381 81003FD8 241644AC E6AAD3D2 37804720 730A12AD 9C29841C F4A204CB
   17F489C0 2B71500E ED69C41E 35EA9643 1C7EE676 6D24A1EB 8AB95B83 0504750B
   F9734E08 DE6B9AD0 72B49CDD 971B80F8 A8507F0B 8396A69A 8F195877 DB43B3F0
   8E78417A B5D21AA8 42554F7E F9286298 4F3FF9FB 34897799 03209B4D 0CFB0825
   35156FD0 7611
    quit
no ip source-route
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.10.201 192.168.10.254
ip dhcp excluded-address 192.168.4.1 192.168.4.149
ip dhcp excluded-address 192.168.4.211 192.168.4.254
!
ip dhcp pool ccp-pool1
    import all
    network 192.168.4.0 255.255.255.0
    dns-server 217.13.7.140
    default-router 192.168.4.1
!
ip dhcp pool ccp-pool2
    import all
    network 192.168.10.0 255.255.255.0
    dns-server 217.13.7.140
    default-router 192.168.10.1
!
!
ip cef
no ip bootp server
ip domain name pico
ip name-server 217.13.7.140
ip name-server 217.13.4.24
!
!
license agent notify http://192.168.10.101:9710/clm/servlet/HttpListenServlet dummy dummy 2.0
!
!
username admin privilege 15 secret 5 $1$Rks/$bdc0PDqolQ7ncKYBIv36v1
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group picomed
key *****
pool SDM_POOL_2
acl 101
crypto isakmp profile ciscocp-ike-profile-1
    match identity group picomed
    client authentication list ciscocp_vpn_xauth_ml_1
    isakmp authorization list ciscocp_vpn_group_ml_1
    client configuration address respond
    virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto ctcp port 10000
archive
log config
   hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_SSLVPN
match access-group name SDM_SSLVPN
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any vpn
match protocol ssp
match protocol isakmp
match protocol gdoi
match protocol ipsec-msft
match class-map SDM_GRE
match class-map SDM_SSLVPN
match protocol gtpv0
match protocol gtpv1
match protocol l2tp
match protocol pptp
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
match class-map vpn
match protocol login
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
match protocol tcp
match protocol udp
match protocol radius
match protocol ident
match protocol ace-svr
match protocol kerberos
match protocol tacacs
match protocol tacacs-ds
match protocol clp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any vpn-inn-1
match class-map vpn
match protocol udp
class-map type inspect match-all ccp-cls--2
match class-map vpn-inn-1
match access-group name vpn
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
   inspect
class class-default
   pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
   drop log
class type inspect ccp-protocol-http
   inspect
class type inspect ccp-insp-traffic
   inspect
class type inspect ccp-sip-inspect
   inspect
class type inspect ccp-h323-inspect
   inspect
class type inspect ccp-h323annexe-inspect
   inspect
class type inspect ccp-h225ras-inspect
   inspect
class type inspect ccp-h323nxg-inspect
   inspect
class type inspect ccp-skinny-inspect
   inspect
policy-map type inspect ccp-permit
class class-default
   drop
policy-map type inspect ccp-pol-outToIn
class type inspect CCP_PPTP
   pass
class class-default
   drop log
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 10.0.0.254 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
snmp trap ip verify drop-rate
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip flow ingress
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.4.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan2
description $FW_INSIDE$
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
ip local pool SDM_POOL_1 192.168.8.100 192.168.8.200
ip local pool SDM_POOL_2 10.1.1.10 10.1.1.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 10.0.0.1 permanent
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_SSLVPN
remark CCP_ACL Category=0
permit tcp any any eq 4443
ip access-list extended vpn
remark CCP_ACL Category=128
permit ip any any
!
logging trap debugging
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 2 remark INSIDE_IF_Vlan2
access-list 2 remark CCP_ACL Category=2
access-list 2 remark NAT
access-list 2 permit 192.168.4.0 0.0.0.255
access-list 3 remark HTTP Access-class list
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.10.0 0.0.0.255
access-list 3 permit 192.168.4.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
no cdp run

!
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Jennifer Halim · ‎10-11-2010

From the configuration, it seems that the NAT configuration advised earlier has not been changed, and if you have changed the IP Pool to 10.1.1.0/24, please also change the ACL statement accordingly.

Currently you have:

ip nat inside source list 1 interface FastEthernet4 overload

Please change it to:

access-list 105 deny ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 105 permit ip 192.168.4.0 any

ip nat inside source list 105 interface FastEthernet4 overload

I would suggest that you remove the ZBFW configuration first to test the VPN connection as that only complicates the setup. Currently your ZBFW configuration is incorrect, and here is a sample configuration for ZBFW with VPN configuration:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_white_paper0900aecd8062a909.html

Timothy Quinn · ‎12-02-2010

This is exactly what I was trying to accomplish as well.

Minor typo in your configuration updates to append to Knut's configuration:

access-list 105 deny ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 105 permit ip 192.168.4.0 0.0.0.255 any

ip nat inside source list 105 interface FastEthernet4 overload

However, by accicdent I discovered that this will also work by editing the IPSec ACL:

access-list 101 deny ip 192.168.4.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 101 permit ip 192.168.4.0 0.0.0.255 any

Although both work, It feels better to me to stick the rule under IPSec although under the hood it is all probably the same master ACL

Thanks for your assistance!!!

Now if only I could get the Default Gateway to be accessible from VPN.... ( for another thread )

- JsD

Timothy Quinn · ‎12-06-2010

I am back tracking on my post. I am still having issues. It seems the first time I connect to VPN after configuring, it works fine. If i disconnect and re-connect, I get the issue again and it does not clear until I restart the router

Definitely sounds like a routing issue...

I will try to resolve this on a newer ticket.

Timothy Quinn · ‎12-07-2010

Update for those reading this thread. My issue is resolved here under discussion 3243266.

Looking at the configuration above, it is quite possible that this users configuration had the same issue as mine: Remove virtual tempate configuration from IPSec VPN.

- Tim