Cisco 881 VPN Help

sjsteve33171
Level 1

Hi All,

I'm not Cisco trained nor have I ever worked with Cisco; I'm a complete newbie when it comes to Cisco platforms. We are an IT Support MSP and we've recently taken on a customer who has an office abroad using a Cisco 881 device with a DrayTek router in the UK. Site-to-site connectivity is required. I've looked around and watched some YouTube videos on how to set up the VPN and believe I have this in place using the below config on the Cisco:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key ******** address *******
!
crypto ipsec transform-set sha3des esp-3des esp-sha-hmac
!
crypto map VPN 1 ipsec-isakmp
 set peer **********
 set transform-set sha3des
 set pfs group2
 match address UK
!
interface FastEthernet4
 ip address <WAN IP> <WAN SUBNET>
 ip access-group netbios in
 ip access-group netbios out
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
 crypto map VPN
!
interface Vlan1
 ip address <WAN IP 2> <WAN SUBNET> secondary
 ip address <LAN IP> 255.255.255.0
 ip access-group netbios in
 ip access-group netbios out
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
!

ip access-list extended UK
 permit ip <LOCAL LAN> 0.0.0.255 <REMOTE LAN> 0.0.0.255
 permit ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

The VPN shows as up and active but there is no traffic flow between the two and I have no idea why...

Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: <REMOTE WAN> port 500
  IKEv1 SA: local <LOCAL WAN>/500 remote <REMOTE WAN>/500 Active
  IPSEC FLOW: permit ip <REMOTE LAN>/255.255.255.0 <LOCAL LAN>/255.255.255.0
        Active SAs: 0, origin: crypto map
  IPSEC FLOW: permit ip <LOCAL LAN>/255.255.255.0 <REMOTE LAN>/255.255.255.0
        Active SAs: 2, origin: crypto map

So it all looks fine; however, if I try and ping the remote site's router over the remote LAN IP I get the following:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to <REMOTE IP>, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I also cannot ping from the remote site into the Cisco LAN.

I believe this is down to the Cisco end; the DrayTek is a basic router and no routing can be configured. It does it automatically. So the VPN is up, but no traffic flow..

Please can someone point me in the right direction?

Thank You

10 Replies

1) The following line in the ACL is not needed and can be removed:

 permit ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

You only need to specify the traffic that your router needs to protect.

2) Your test seems to be wrong. If you ping from your router, by default the source IP is the public interface's IP address. The traffic from that IP to the remote LAN is not part of the crypto definition. Test it from a LAN PC or specify the source interface when you ping from the router.

3) A possible problem is that you also have NAT configured, but you didn't exclude the VPN traffic from NAT. Make sure your NAT-ACL has a deny statement at the beginning for the local to remote subnet.

Hi Karsten,

Thanks for the pointer.

1) I have removed the permit as stated.

2) I wasn't aware of that, so thank you, makes perfect sense, I shall try and access a PC there.

3) Please could you look at the below and advise? By the looks of it I'm assuming it's not excluded:

!
ip nat pool PORTFWD <LAN MACHINE> <LAN MACHINE> netmask 255.255.255.0 type rotary
ip nat inside source list 102 interface FastEthernet4 overload
ip nat inside source static tcp <LAN MACHINE> 25 <WAN IP> 25 extendable
ip nat inside source static tcp <LAN MACHINE> 110 <WAN IP> 110 extendable
ip nat inside source static tcp <LAN MACHINE> 3000 <WAN IP> 3000 extendable
ip nat inside source static udp <LAN MACHINE> 30000 <WAN IP> 30000 extendable
ip nat inside source static udp <LAN MACHINE> 30030 <WAN IP> 30030 extendable
ip nat inside source static tcp <LAN MACHINE> 5003 <WAN IP> 5003 extendable
ip nat inside source static udp <LAN MACHINE> 5003 <WAN IP> 5003 extendable
ip nat inside source static tcp <LAN MACHINE> 5090 <WAN IP> 5090 extendable
ip nat inside source static udp <LAN MACHINE> 5090 <WAN IP> 5090 extendable
ip nat inside source static tcp <LAN MACHINE> 6001 <WAN IP> 6001 extendable
ip nat inside source static tcp <LAN MACHINE> 6100 <WAN IP> 6100 extendable
ip nat inside source static udp <LAN MACHINE> 6100 <WAN IP> 6100 extendable
ip nat inside destination list 100 pool PORTFWD
ip route 0.0.0.0 0.0.0.0 <GATEWAY IP >
ip route <REMOTE LAN> 255.255.255.0 <REMOTE WAN>
!

access-list 102 permit ip <LOCAL LAN> 0.0.0.255 any

I'm assuming I need to:

1) Remove ip route <REMOTE LAN> 255.255.255.0 <REMOTE WAN>

2) Adjust source-list 102 with a deny of some sort?

Thanks again

The extra ip route doesn't harm although it's not needed. I like these extra routes as they can serve as a kind of "inline documentation" when used with an additional "name" keyword at the end.

Your NAT-ACL doesn't exclude the traffic. Just add the following:

ip access-list ext 102
  1 deny ip <local LAN> 0.0.0.255 <remote LAN> 0.0.0.255

Hi Karsten,

You were exactly spot on! After adding that line into 102, I can now ping from UK to Abroad. Do I need to add another line for:

2 deny ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

To allow communication both ways, or is that enough to work now?

The list currently shows:

access-list 102 deny   ip <LOCAL LAN> 0.0.0.255 <REMOTE LAN> 0.0.0.255
access-list 102 permit ip <LOCAL LAN> 0.0.0.255 any

2 deny ip <REMOTE LAN> 0.0.0.255 <LOCAL LAN> 0.0.0.255

is not needed. When coming from "nat inside" to "nat outside" (as per interface config) your router will never see a source of REMOTE-LAN. And that is all that needs to be specified.
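To make the reasoning in this thread checkable without a router, here is an added example (not code from the thread or from Cisco) that models the three IOS behaviours the answers rely on: extended ACLs are first-match with an implicit deny at the end; on an inside-to-outside path the NAT source list is applied before the crypto map's `match address` ACL is consulted, so a `permit` in the NAT ACL rewrites the source to the WAN address and the packet then misses the crypto ACL; and inbound decrypted traffic is checked against the mirror of the crypto ACL, which is why the reversed ACE in `UK` and the reversed deny in `102` are redundant. All addresses are constructed sample values, and the function names are this example's own.

```python
"""Constructed simulation of IOS NAT-ACL / crypto-ACL ordering (added example,
not from the thread). Addresses are sample values from private and
documentation ranges, not the thread's real ones."""

from ipaddress import IPv4Network, ip_address, ip_network
from typing import NamedTuple


class Ace(NamedTuple):
    """One access-control entry: action plus source and destination networks."""
    action: str            # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


def acl_lookup(acl, src, dst):
    """First-match evaluation with IOS's implicit 'deny any any' at the end.
    Returns the action of the first ACE matching (src, dst), else 'deny'."""
    s, d = ip_address(src), ip_address(dst)
    for ace in acl:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def forward(nat_acl, crypto_acl, wan_ip, src, dst):
    """Inside-to-outside order of operations as modelled here:
    1. 'ip nat inside source list <acl> interface ... overload' translates the
       source to the WAN address when the NAT ACL *permits* the flow. A deny
       ACE means 'do not translate'; it does not drop the packet.
    2. The crypto map's 'match address' ACL is evaluated on the (possibly
       translated) packet; only a permit sends it into the IPsec tunnel.
    Returns (source address as seen on the wire, 'ipsec' or 'clear')."""
    if acl_lookup(nat_acl, src, dst) == "permit":
        src = wan_ip
    path = "ipsec" if acl_lookup(crypto_acl, src, dst) == "permit" else "clear"
    return src, path


def inbound_accepted(crypto_acl, src, dst):
    """Decrypted inbound traffic is matched against the crypto ACL with
    source and destination swapped (the mirrored ACL), so one ACE covers
    both directions and a reversed copy is redundant."""
    return acl_lookup(crypto_acl, dst, src) == "permit"


# Constructed sample topology (stand-ins for the thread's placeholders).
ANY = ip_network("0.0.0.0/0")
LOCAL_LAN = ip_network("192.168.10.0/24")     # <LOCAL LAN>
REMOTE_LAN = ip_network("192.168.20.0/24")    # <REMOTE LAN>
WAN_IP = "203.0.113.10"                        # <WAN IP> on FastEthernet4

# crypto map VPN ... match address UK
CRYPTO_ACL_UK = [Ace("permit", LOCAL_LAN, REMOTE_LAN)]

# access-list 102 as first posted, and after the accepted fix.
NAT_ACL_BEFORE = [Ace("permit", LOCAL_LAN, ANY)]
NAT_ACL_AFTER = [Ace("deny", LOCAL_LAN, REMOTE_LAN),
                 Ace("permit", LOCAL_LAN, ANY)]


def demo():
    """Run the four cases discussed in the thread and return their outcomes."""
    lan_host, remote_host = "192.168.10.25", "192.168.20.1"
    return {
        # Original config: NAT fires first, crypto ACL never matches.
        "before": forward(NAT_ACL_BEFORE, CRYPTO_ACL_UK, WAN_IP, lan_host, remote_host),
        # With the deny ACE at sequence 1: untranslated, enters the tunnel.
        "after": forward(NAT_ACL_AFTER, CRYPTO_ACL_UK, WAN_IP, lan_host, remote_host),
        # Router-sourced ping defaults to the egress (WAN) address: not interesting traffic.
        "router_ping_wan": forward(NAT_ACL_AFTER, CRYPTO_ACL_UK, WAN_IP, WAN_IP, remote_host),
        # Same ping with 'source Vlan1' (LAN address): interesting traffic.
        "router_ping_lan_src": forward(NAT_ACL_AFTER, CRYPTO_ACL_UK, WAN_IP, "192.168.10.1", remote_host),
    }


if __name__ == "__main__":
    for name, (wire_src, path) in demo().items():
        print(f"{name:>20}: source on wire {wire_src:<15} -> {path}")
```

The `before` case reproduces the symptom in the first post (IKE up, `Active SAs: 0` for the reverse flow, no pings): the packet leaves in the clear with the WAN address as its source. The `after` case is the accepted fix, and `inbound_accepted` shows why no second deny for REMOTE-LAN to LOCAL-LAN is needed in ACL 102.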

Ok, thank you Karsten, I've marked you as correct. If I could get you a few beers I would!

Thank You Again

Great that it works! And I'll come back to you for the beer eventually ... ;-)

Hi Karsten,

Sorry I have another issue!

Since fixed :)

I don't really understand what your setup is and what communication fails. A little diagram could help.

Couldn't telnet on TCP.

I altered

access-list 100 permit udp any any range 30000 30030

to

access-list 100 permit udp any any
access-list 100 permit tcp any any

It did the trick.
