03-01-2014 09:50 PM
Hello,
I have set up EZVPN but I'm unable to get return traffic from the head end router.
When I debug ICMP on an internal switch and ping the device from the client, I can see reply going to the IP address of the vpn client but it doesn't make it back to the client.
This isn't my strongest topic but as far as I can see all looks ok. Note that I have a number of internal networks defined in the split tunnel ACL.
Any clues at what I'm doing wrong welcome.
Thanks
The config is as follows:
aaa new-model
!
!
aaa authentication login authen local
aaa authorization network author local
!
aaa session-id common
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
ip domain name yyyy.com
!
!
!
!
username xxxx password xxxx
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5
!
crypto isakmp client configuration group ezvpn-group
key xxxxx
dns 192.168.100.36
domain ppvh.com.au
pool ezvpn-pool
acl ezvpn-st-acl
pfs
max-logins 3
netmask 255.255.255.0
crypto isakmp profile ezvpn-isakmp-profile
self-identity address
match identity group ezvpn-group
client authentication list authen
isakmp authorization list author
client configuration address respond
keepalive 10 retry 3
!
!
crypto ipsec transform-set esp_aes256_sha esp-aes esp-sha-hmac
!
crypto dynamic-map ezvpn-map 10
set security-association lifetime seconds 28800
set transform-set esp_aes256_sha
set pfs group2
set isakmp-profile ezvpn-isakmp-profile
reverse-route
!
!
crypto map vpn-map 65000 ipsec-isakmp dynamic ezvpn-map
!
!
!
interface ATM0
no ip address
atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
ip address 192.168.100.1 255.255.255.240
ip nat inside
ip virtual-reassembly
speed auto
!
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
ip mtu 1486
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
no cdp enable
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxxxxxxxx password xxxxxxxxx
ppp ipcp dns request
ppp ipcp route default
crypto map vpn-map
!
ip local pool ezvpn-pool 172.16.100.32 172.16.100.63
ip forward-protocol nd
ip route 192.168.100.16 255.255.255.240 192.168.100.2
ip route 192.168.100.32 255.255.255.240 192.168.100.2
ip route 192.168.200.0 255.255.255.0 192.168.100.2
ip route 192.168.201.0 255.255.255.0 192.168.100.2
!
no ip http server
no ip http secure-server
no ip nat service sip udp port 5060
ip nat inside source list 1 interface Dialer0 overload
ip dns server
!
ip access-list extended ezvpn-st-acl
permit ip 192.168.100.0 0.0.0.15 any
permit ip 192.168.100.16 0.0.0.15 any
permit ip 192.168.100.32 0.0.0.15 any
permit ip 192.168.200.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
!
logging history informational
access-list 1 permit 192.168.100.0 0.0.0.15
access-list 1 permit 192.168.100.16 0.0.0.15
access-list 1 permit 192.168.100.32 0.0.0.15
access-list 1 permit 192.168.200.0 0.0.0.255
access-list 1 permit 192.168.201.0 0.0.0.255
dialer-list 1 protocol ip permit
!
03-02-2014 06:42 AM
Hi,
So you see the ICMP echo reply on the internal SW, but they are not seen on the EzVPN client, right?
Do you see them on the EzVPN server?
For instance:
SW ---> EzVPN server -----> Internet -----> EzVPN client
What type of device is the server, a Router or an ASA?
Please make sure to add the NAT exempt rule on the server, so that you exempt the return traffic from being processed by any NAT rule.
Also, does your SW point to the EzVPN server as the default-gateway? If not, please add a route for the remote network(s) pointing to such device.
HTH.
03-02-2014 02:51 PM
Hi Javier,
Yes I do see the ICMP on the internal switch. Also, if I ping the internal interface of the VPN router (Not ASA) from the client I also see the ICMP with a reply destined for the client.
So what I see is this:
Client >>> EZVPN Server (IOS rtr) >>> Internal Switch
Client xxx EZVPN Server (IOS rtr) <<< Internal Switch
Routing all looks OK.
I think the NAT exempt rule sounds plausible here, although I thought this was installed automatically? It seems to me that what is happening is that the return traffic isn't using the tunnel.
I'll need to refer to the doc to set up the nat exempt but I'll report back once I've tested it.
Thanks
Rhod
03-03-2014 08:03 AM
Rhod,
Just to clarify, do you have an ASA 5505 acting as the EzVPN client?
If so, then you are right, it will automatically add the NAT exempt rule.
Are you sourcing the traffic from the client or server side?
03-09-2014 11:14 PM
Hi there,
The client is a laptop running the vpn client, so you were spot on when you suggested NAT exempt.
Basically I got this working by changing the nat rule as follows:
removing:
ip nat inside source list 1 interface Dialer0 overload
and adding:
ip access-list extended nonat
deny ip 192.168.100.0 0.0.0.15 172.16.100.0 0.0.0.255
deny ip 192.168.100.16 0.0.0.15 172.16.100.0 0.0.0.255
deny ip 192.168.100.32 0.0.0.15 172.16.100.0 0.0.0.255
deny ip 192.168.200.0 0.0.0.255 172.16.100.0 0.0.0.255
deny ip 192.168.201.0 0.0.0.255 172.16.100.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.15 any
permit ip 192.168.100.16 0.0.0.15 any
permit ip 192.168.100.32 0.0.0.15 any
permit ip 192.168.200.0 0.0.0.255 any
permit ip 192.168.201.0 0.0.0.255 any
(where 172.16.100 is my vpn client pool)
ip nat inside source list nonat interface Dialer0 overload
Thanks for your help Javier
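An added example (not from the thread) that models why the change above works: IOS evaluates a NAT source list first-match with an implicit deny at the end, and translates a packet only when the list permits it. The script reproduces the thread's original standard ACL 1 and the replacement `nonat` ACL with the page's own prefixes and shows that a reply from the LAN to the VPN pool was translated under ACL 1 but is exempted under `nonat`; the wildcard-mask matching helper is a constructed re-implementation of IOS semantics, not Cisco code.

```python
import ipaddress

# IOS wildcard semantics: bits set in the wildcard are "don't care".
def wildcard_match(addr, net, wildcard):
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & mask) == (n & mask)

def acl_decision(acl, src, dst):
    """First-match evaluation; unmatched packets hit the implicit deny."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"

def is_translated(acl, src, dst):
    """'ip nat inside source list <acl> ... overload' translates only permitted packets."""
    return acl_decision(acl, src, dst) == "permit"

ANY = ("0.0.0.0", "255.255.255.255")
# Internal prefixes listed in the thread's split-tunnel ACL and NAT ACL.
INTERNAL = [("192.168.100.0", "0.0.0.15"), ("192.168.100.16", "0.0.0.15"),
            ("192.168.100.32", "0.0.0.15"), ("192.168.200.0", "0.0.0.255"),
            ("192.168.201.0", "0.0.0.255")]
# VPN client pool 172.16.100.32-63 lives inside this /24, as the nonat ACL uses.
POOL = ("172.16.100.0", "0.0.0.255")

# Original 'access-list 1': a standard ACL only checks the source, so dst is "any".
ACL1 = [("permit", s, w, *ANY) for s, w in INTERNAL]
# Replacement 'ip access-list extended nonat': deny LAN->pool first, then permit the rest.
NONAT = ([("deny", s, w, *POOL) for s, w in INTERNAL]
         + [("permit", s, w, *ANY) for s, w in INTERNAL])

if __name__ == "__main__":
    # Constructed reply from the DNS server on the LAN to a VPN client in the pool.
    reply = ("192.168.100.36", "172.16.100.40")
    print("ACL 1 translates reply:", is_translated(ACL1, *reply))     # True: breaks the tunnel
    print("nonat translates reply:", is_translated(NONAT, *reply))    # False: exempted
    print("nonat translates Internet-bound:", is_translated(NONAT, "192.168.100.36", "8.8.8.8"))
```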