Beginner

Remote access VPN on IOS

Hello Brothers.

I've configured a remote access VPN on IOS but I can't get access to my servers on RDP port 3389.

I'm able to ping my servers!!!

Configuration from the router:

crypto isakmp policy 10000
 encr aes
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN_USERS_GROUP
 key 6 ##########
 dns 192.168.0.16
 wins 192.168.0.16
 domain mix.local
 pool VPN_ADDRESS
 acl VPN
 max-logins 1
 banner ^C*** ATTENTION ***
         ACCESS RESTRICTED TO AUTHORIZED PERSONS^C
crypto ipsec transform-set REMOTE_ACCESS_SET esp-aes esp-sha-hmac
 mode tunnel
crypto dynamic-map REMOTE_ACCESS_DYNMAP 65535
 set transform-set REMOTE_ACCESS_SET
 reverse-route
crypto map REMOTE_ACCESS_MAP client authentication list LOCAL_USERS
crypto map REMOTE_ACCESS_MAP isakmp authorization list VPN_USERS
crypto map REMOTE_ACCESS_MAP client configuration address respond
crypto map REMOTE_ACCESS_MAP 65535 ipsec-isakmp dynamic REMOTE_ACCESS_DYNMAP
 crypto map REMOTE_ACCESS_MAP

VIP Advisor

Hi

Could you paste your nat and ACL you have on your router?

Have you run a debug ip packet to see if your traffic is forwarded to your server when trying to rdp?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Hi Francesco.

Here is my NAT and ACL configuration:

ip nat inside source list PAT interface Dialer0 overload
!
ip access-list extended PAT
 deny   ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255
 permit ip any any
ip access-list extended VPN
 permit ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255

I didn't run any debug ip packet.

VIP Advisor

Could you confirm which subnet is your lan and which one vpn?


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Lan - 192.168.0.0/24

VPN - 192.168.255.0/24

VIP Advisor

Ok thanks.

Your config seems ok. Did you run Wireshark on your server to see if traffic is coming in on the RDP port?

Is there a firewall set on that machine?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
VIP Advisor

Hi

First of all, regarding your NAT statements: all of them are configured using the command ip nat source without any specification of direction, inside or outside.

There are 2 of them using ip nat inside source. I would recommend always using the same form, for example ip nat inside source.

Now, when you're connected, if you access your public IP on Dialer0 from the internet using RDP, the traffic should be redirected to your internal server: 192.168.0.10.

From your server, are you able to ping your vpn client? If you do a traceroute what's the path used?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Hi.

Yes, I am.

ping 192.168.255.251 -n 20

Pinging 192.168.255.251 with 32 bytes of data:
Reply from 192.168.255.251: bytes=32 time=62ms TTL=127
Reply from 192.168.255.251: bytes=32 time=140ms TTL=127
Reply from 192.168.255.251: bytes=32 time=253ms TTL=127
Reply from 192.168.255.251: bytes=32 time=60ms TTL=127
Reply from 192.168.255.251: bytes=32 time=205ms TTL=127
Request timed out.
Reply from 192.168.255.251: bytes=32 time=67ms TTL=127
Reply from 192.168.255.251: bytes=32 time=94ms TTL=127
Reply from 192.168.255.251: bytes=32 time=112ms TTL=127
Reply from 192.168.255.251: bytes=32 time=54ms TTL=127
Reply from 192.168.255.251: bytes=32 time=161ms TTL=127
Reply from 192.168.255.251: bytes=32 time=69ms TTL=127
Reply from 192.168.255.251: bytes=32 time=54ms TTL=127
Reply from 192.168.255.251: bytes=32 time=121ms TTL=127
Reply from 192.168.255.251: bytes=32 time=56ms TTL=127
Reply from 192.168.255.251: bytes=32 time=69ms TTL=127
Reply from 192.168.255.251: bytes=32 time=95ms TTL=127
Reply from 192.168.255.251: bytes=32 time=113ms TTL=127
Reply from 192.168.255.251: bytes=32 time=142ms TTL=127
Reply from 192.168.255.251: bytes=32 time=266ms TTL=127

Ping statistics for 192.168.255.251:
    Packets: Sent = 20, Received = 19, Lost = 1 (5% loss),
Approximate round trip times in milli-seconds:
    Minimum = 54ms, Maximum = 266ms, Average = 115ms
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

tracert 192.168.255.251

Tracing route to 192.168.255.251 over a maximum of 30 hops

1     1 ms    <1 ms    <1 ms  192.168.0.1
2   308 ms    58 ms    56 ms  192.168.255.251

Trace complete.

tracert 192.168.255.251

Tracing route to 192.168.255.251 over a maximum of 30 hops
1     1 ms    <1 ms    <1 ms  192.168.0.1        
2    59 ms    58 ms    53 ms  192.168.255.251               

Trace complete.

=====================================================================================

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

ping 192.168.0.10 -n 20

Pinging 192.168.0.10 with 32 bytes of data:
Reply from 192.168.0.10: bytes=32 time=61ms TTL=127
Reply from 192.168.0.10: bytes=32 time=57ms TTL=127
Reply from 192.168.0.10: bytes=32 time=57ms TTL=127
Reply from 192.168.0.10: bytes=32 time=189ms TTL=127
Reply from 192.168.0.10: bytes=32 time=57ms TTL=127
Reply from 192.168.0.10: bytes=32 time=52ms TTL=127
Reply from 192.168.0.10: bytes=32 time=52ms TTL=127
Reply from 192.168.0.10: bytes=32 time=54ms TTL=127
Reply from 192.168.0.10: bytes=32 time=57ms TTL=127
Reply from 192.168.0.10: bytes=32 time=56ms TTL=127
Reply from 192.168.0.10: bytes=32 time=55ms TTL=127
Reply from 192.168.0.10: bytes=32 time=59ms TTL=127
Reply from 192.168.0.10: bytes=32 time=186ms TTL=127
Request timed out.
Reply from 192.168.0.10: bytes=32 time=57ms TTL=127
Reply from 192.168.0.10: bytes=32 time=57ms TTL=127
Reply from 192.168.0.10: bytes=32 time=57ms TTL=127
Reply from 192.168.0.10: bytes=32 time=319ms TTL=127
Reply from 192.168.0.10: bytes=32 time=634ms TTL=127
Reply from 192.168.0.10: bytes=32 time=146ms TTL=127

Ping statistics for 192.168.0.10:
    Packets: Sent = 20, Received = 19, Lost = 1 (5% loss),
Approximate round trip times in milli-seconds:
    Minimum = 52ms, Maximum = 634ms, Average = 119ms

tracert 192.168.0.10

Tracing route to 192.168.0.10 over a maximum of 30 hops

  1    51 ms    64 ms    53 ms  179.182.174.169
  2    52 ms    51 ms    52 ms  192.168.0.10

Trace complete.

VIP Advisor

OK, connectivity between the AnyConnect client and the server is fine.

Let's check if the router is forwarding RDP traffic to the server. I assume your AnyConnect client has IP 192.168.255.251.

access-list 100 permit ip host 192.168.0.10 host 192.168.255.251
access-list 100 permit ip host 192.168.255.251 host 192.168.0.10

debug ip packet 100 detail

Put the output in a text file and attach it to this post.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
Beginner

Hello.

Nothing appears in debug ip packet.

Look at the outputs from Wireshark.

Look for the IP addresses 192.168.255.252 and 192.168.0.90; those were the servers that I tested.

VIP Advisor

On your 2nd capture from 192.168.255.252 to 192.168.0.90, I see that your client sent a SYN but never received a SYN,ACK from your server. Something is blocking on your server side.

On the 1st capture, I don't understand why we see a public IP 189.6.24.207 accessing your server. If there is a NAT, we should see this traffic as well but we don't. 

Could you explain more about how you took the traces?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
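The reading of the capture above (a SYN that never gets a SYN/ACK back) can be automated over a packet summary. The following is an added example, not code from the thread or from Cisco; it works on constructed one-line packet summaries in a tshark-like layout (time, source, source port, destination, destination port, TCP flags), with the VPN client 192.168.255.252 probing 192.168.0.90:3389 as in the thread's second trace. A second, completed handshake to 192.168.0.16:445 is included so the two cases can be told apart; that host and port are illustrative.

```python
"""Find TCP connection attempts that never completed the three-way handshake.

Added example (not from the original thread).  It walks packet summaries in a
tshark-like one-line layout and reports client->server flows for which a SYN
was seen but no matching SYN/ACK ever came back.  The capture below is
constructed: the RDP probes mirror the thread's second trace, the 445 flow is
an illustrative completed handshake for contrast.
"""

# Constructed sample: "time src sport dst dport flags"  (S = SYN, SA = SYN/ACK, A = ACK)
SAMPLE_CAPTURE = """\
0.000 192.168.255.252 49512 192.168.0.90 3389 S
3.001 192.168.255.252 49512 192.168.0.90 3389 S
9.012 192.168.255.252 49512 192.168.0.90 3389 S
0.500 192.168.255.252 49520 192.168.0.16 445 S
0.560 192.168.0.16 445 192.168.255.252 49520 SA
0.561 192.168.255.252 49520 192.168.0.16 445 A
"""


def parse_line(line):
    """Split one summary line into its fields."""
    ts, src, sport, dst, dport, flags = line.split()
    return {
        "ts": float(ts), "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport), "flags": flags,
    }


def half_open_connections(capture_text):
    """Return a sorted list of ((client, cport, server, sport), syn_count)
    for flows where a SYN was seen but no SYN/ACK was ever returned.

    Retransmitted SYNs (same 4-tuple) are counted, which is itself a hint
    that the client is retrying into silence."""
    syn_seen = {}       # client->server 4-tuple -> number of SYNs
    synack_seen = set() # same orientation, filled from server->client SYN/ACKs
    for raw in capture_text.splitlines():
        if not raw.strip():
            continue
        p = parse_line(raw)
        if p["flags"] == "S":
            key = (p["src"], p["sport"], p["dst"], p["dport"])
            syn_seen[key] = syn_seen.get(key, 0) + 1
        elif p["flags"] == "SA":
            # A SYN/ACK travels server->client; flip it to the client->server key.
            key = (p["dst"], p["dport"], p["src"], p["sport"])
            synack_seen.add(key)
    return sorted((k, n) for k, n in syn_seen.items() if k not in synack_seen)


if __name__ == "__main__":
    for (client, cport, server, sport), n in half_open_connections(SAMPLE_CAPTURE):
        print(f"{client}:{cport} -> {server}:{sport}: {n} SYN(s), no SYN/ACK")
```

If the server-side capture shows the same SYNs arriving but the SYN/ACK leaving towards some other address (or not leaving at all), the block is on the server or on the return path rather than on the way in; that distinction is what the next question in the thread is about.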
Beginner

What is the ACL you configured for crypto?

Beginner

 acl VPN

ip access-list extended VPN
 permit ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255

Beginner

Hello Brothers,

I found out why I couldn't get access. There was a PAT for the server's IP address.

ip nat source static tcp 192.168.0.11 22 interface dialer 0 22

This server is available for public access.

Now, how do I get access through the VPN without losing public access (without removing the PAT)?

Maybe the PAT below would work?

ip nat source static esp 192.168.0.11 interface dialer 0

Regards.
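The reason a static entry can break VPN access even though the PAT access-list denies LAN-to-VPN traffic is the order in which IOS looks up translations: static NAT entries are consulted before the dynamic `ip nat inside source list ...` rule, and they do not consult that access-list at all. The following is an added example, not code from the thread or from Cisco, that models this lookup order in Python with the thread's addresses. The public address 203.0.113.10 is a placeholder for Dialer0, and the `route_map_deny_dst` field is our stand-in for a route-map attached to the static entry, which is the IOS mechanism for making a static translation conditional (the exact keyword set accepted on your release's static PAT form is something to confirm in the command reference).

```python
"""Model of how Cisco IOS chooses a translation for an inside->outside packet.

Added example, not code from the thread.  IOS checks static NAT entries
first; only packets that match no static entry reach the dynamic rule,
whose access-list is what carries the 'deny LAN -> VPN pool' exemption.
Everything below is constructed from the addresses in the thread.
"""
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")
VPN_POOL = ipaddress.ip_network("192.168.255.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
DIALER_IP = "203.0.113.10"   # placeholder for the Dialer0 public address

# ip access-list extended PAT, wildcard masks written as prefixes:
#   deny   ip 192.168.0.0 0.0.0.255 192.168.255.0 0.0.0.255
#   permit ip any any
PAT_ACL = [
    ("deny", LAN, VPN_POOL),
    ("permit", ANY, ANY),
]


def acl_permits(acl, src, dst):
    """First-match evaluation with the implicit deny at the end."""
    for action, s_net, d_net in acl:
        if src in s_net and dst in d_net:
            return action == "permit"
    return False


def nat_decision(flow, static_entries, acl):
    """Return (mechanism, source address the peer will see) for one
    inside->outside flow.

    flow: dict with src, sport, dst, proto.
    static_entries: dicts with local_ip, optional proto, optional local_port,
      and optional route_map_deny_dst (our model of a route-map that keeps
      the static entry from applying to that destination network).
    """
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    # 1. Static entries win and never look at the dynamic rule's ACL.
    for e in static_entries:
        if e["local_ip"] != flow["src"]:
            continue
        if e.get("proto") not in (None, flow["proto"]):
            continue
        if e.get("local_port") not in (None, flow["sport"]):
            continue
        deny = e.get("route_map_deny_dst")
        if deny is not None and dst in deny:
            continue          # route-map carved this destination out
        return ("static", DIALER_IP)
    # 2. Dynamic PAT applies only to traffic the ACL permits.
    if acl_permits(acl, src, dst):
        return ("dynamic", DIALER_IP)
    # 3. Otherwise the packet leaves untranslated (the NAT exemption).
    return ("none", flow["src"])


def rdp_reply_from_server(static_entries):
    """The server's SYN/ACK back to the VPN client: 192.168.0.11:3389 -> 192.168.255.251."""
    flow = {"src": "192.168.0.11", "sport": 3389,
            "dst": "192.168.255.251", "proto": "tcp"}
    return nat_decision(flow, static_entries, PAT_ACL)


# The thread's entry: only tcp/22 of the server is mapped to Dialer0.
SSH_ONLY = [{"proto": "tcp", "local_ip": "192.168.0.11", "local_port": 22}]
# An address-wide static entry: every port of the server is mapped.
WHOLE_HOST = [{"local_ip": "192.168.0.11"}]
# The same, with the VPN pool excluded via the route-map stand-in.
WHOLE_HOST_FIXED = [{"local_ip": "192.168.0.11", "route_map_deny_dst": VPN_POOL}]

if __name__ == "__main__":
    for name, entries in (("ssh-only", SSH_ONLY), ("whole-host", WHOLE_HOST),
                          ("whole-host+route-map", WHOLE_HOST_FIXED)):
        print(name, rdp_reply_from_server(entries))
```

The model shows the distinction a practitioner wants when reading this thread: a port-specific static PAT only hijacks that one port, while an address-wide static entry captures every reply the server sends, including the SYN/ACK destined for the VPN pool, which is then rewritten to the Dialer0 address and never reaches the client. Excluding the VPN pool from the static entry restores the exemption without removing the public mapping.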