Remote Access VPN - Only access to some remote hosts

mikkel003
Level 1

Hi Guys

Really hope you can help me out here, I am kind of stuck.

I have a Remote Access VPN to a router that seems to be working. The problem is that I only have access to some hosts at the remote end.

The hosts I really need to access are the following:

 

Server - 192.168.18.240

Switch - 192.168.18.251

Switch - 192.168.18.252

But I can't reach them, only all the other hosts on the network. Their default gateway is 192.168.18.1 (the router).

 

What might be the problem?

-------------------------------------------------

Hosts on the network:

 

PUFESTI-R#sh arp | e Inc
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.18.1            -   442b.0346.244e  ARPA   Vlan1
Internet  192.168.18.20          58   f0f7.5557.c468  ARPA   Vlan1
Internet  192.168.18.21           0   f0f7.5557.c472  ARPA   Vlan1
Internet  192.168.18.100         29   0090.c2e3.6234  ARPA   Vlan1
Internet  192.168.18.101          0   0040.48b2.534e  ARPA   Vlan1
Internet  192.168.18.171         62   0050.c2e4.00d7  ARPA   Vlan1
Internet  192.168.18.172         57   0050.c2e4.00cf  ARPA   Vlan1
Internet  192.168.18.181          0   0090.e82c.482a  ARPA   Vlan1
Internet  192.168.18.182          0   0090.e82c.4594  ARPA   Vlan1
Internet  192.168.18.240          0   0001.0516.e473  ARPA   Vlan1
Internet  192.168.18.251          0   08d0.9f6c.61dd  ARPA   Vlan1
Internet  192.168.18.252          0   08d0.9f6c.61c7  ARPA   Vlan1
Internet  217.156.34.161          0   0017.95e0.7bca  ARPA   FastEthernet4
Internet  217.156.34.167          -   442b.0346.2452  ARPA   FastEthernet4
Internet  217.156.34.168          -   442b.0346.2452  ARPA   FastEthernet4
Internet  217.156.34.169          -   442b.0346.2452  ARPA   FastEthernet4

 

--------------------------------------------

Hosts I can reach on the network:

 

IP              Ping            Hostname                Ports           
192.168.18.1    66 ms           [n/a]                   [n/s]           
192.168.18.20   66 ms           [n/a]                   [n/s]           
192.168.18.100  68 ms           [n/a]                   [n/s]           
192.168.18.21   69 ms           [n/a]                   [n/s]           
192.168.18.101  69 ms           [n/a]                   [n/s]           
192.168.18.171  71 ms           [n/a]                   [n/s]           
192.168.18.172  71 ms           [n/a]                   [n/s]           
192.168.18.181  76 ms           [n/a]                   [n/s]           
192.168.18.182  78 ms           [n/a]                   [n/s]           

 

--------------------------------------------------

VPN info:

 

PUFESTI-R#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.156.34.167  87.104.81.49    QM_IDLE           2006 ACTIVE
217.156.34.167  89.249.1.238    QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

PUFESTI-R#

 


PUFESTI-R#sh crypto ips sa

interface: FastEthernet4
    Crypto map tag: outside_map, local addr 217.156.34.167

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.18.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
   current_peer 89.249.1.238 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2320, #pkts encrypt: 2320, #pkts digest: 2320
    #pkts decaps: 2352, #pkts decrypt: 2352, #pkts verify: 2352
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.156.34.167, remote crypto endpt.: 89.249.1.238
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x952A4954(2502576468)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x7EC90F3A(2127105850)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000046, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4491363/2676)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x952A4954(2502576468)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000046, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4491346/2676)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 217.156.34.167

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.253.5/255.255.255.255/0/0)
   current_peer 87.104.81.49 port 40425
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1088, #pkts encrypt: 1088, #pkts digest: 1088
    #pkts decaps: 4087, #pkts decrypt: 4087, #pkts verify: 4087
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.156.34.167, remote crypto endpt.: 87.104.81.49
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xE7B9F329(3887723305)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1D30192F(489691439)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4437881/2919)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE7B9F329(3887723305)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4438107/2919)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
PUFESTI-R#

---------------------------

 

Attached is running-config of the router.

 

Thanks in advance

Regards

Mikkel

6 Replies

Marvin Rhoads
Hall of Fame

The switches you cannot reach (192.168.18.240/251/252) are addressed from a range in your VPN DHCP pool (=192.168.18.200-254 once you take into account your exclusions):

ip dhcp excluded-address 192.168.17.1 192.168.17.199
ip dhcp excluded-address 192.168.18.1 192.168.18.199
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.18.0 255.255.255.0
   dns-server 8.8.8.8 208.67.222.222
   default-router 192.168.18.1

Try excluding those specific /32s as well:
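To check the overlap described in this reply, here is an added Python example (not code from this thread, from Marvin, or from Cisco). It parses the quoted DHCP pool lines, works out which addresses the pool can actually hand out (IOS never assigns the network or broadcast address, and skips excluded ranges), and cross-checks that range against the OP's `sh arp` table and reachability scan. The config and ARP text are copied from this thread; the `REACHED` list is the OP's scan result.

```python
import ipaddress
import re

# Excerpt of the router's running-config as quoted in the reply above.
DHCP_CONFIG = """\
ip dhcp excluded-address 192.168.17.1 192.168.17.199
ip dhcp excluded-address 192.168.18.1 192.168.18.199
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.18.0 255.255.255.0
   dns-server 8.8.8.8 208.67.222.222
   default-router 192.168.18.1
"""

# The OP's "sh arp" output (Vlan1 entries plus one WAN entry to show the filter).
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.18.1            -   442b.0346.244e  ARPA   Vlan1
Internet  192.168.18.20          58   f0f7.5557.c468  ARPA   Vlan1
Internet  192.168.18.21           0   f0f7.5557.c472  ARPA   Vlan1
Internet  192.168.18.100         29   0090.c2e3.6234  ARPA   Vlan1
Internet  192.168.18.101          0   0040.48b2.534e  ARPA   Vlan1
Internet  192.168.18.171         62   0050.c2e4.00d7  ARPA   Vlan1
Internet  192.168.18.172         57   0050.c2e4.00cf  ARPA   Vlan1
Internet  192.168.18.181          0   0090.e82c.482a  ARPA   Vlan1
Internet  192.168.18.182          0   0090.e82c.4594  ARPA   Vlan1
Internet  192.168.18.240          0   0001.0516.e473  ARPA   Vlan1
Internet  192.168.18.251          0   08d0.9f6c.61dd  ARPA   Vlan1
Internet  192.168.18.252          0   08d0.9f6c.61c7  ARPA   Vlan1
Internet  217.156.34.161          0   0017.95e0.7bca  ARPA   FastEthernet4
"""

# Addresses the OP's scan reached over the remote-access VPN.
REACHED = ["192.168.18.1", "192.168.18.20", "192.168.18.100", "192.168.18.21",
           "192.168.18.101", "192.168.18.171", "192.168.18.172",
           "192.168.18.181", "192.168.18.182"]


def parse_excluded(config):
    """Collect (low, high) ranges from 'ip dhcp excluded-address' lines."""
    ranges = []
    for m in re.finditer(r"^ip dhcp excluded-address (\S+)(?: (\S+))?", config, re.M):
        low = ipaddress.ip_address(m.group(1))
        high = ipaddress.ip_address(m.group(2)) if m.group(2) else low
        ranges.append((low, high))
    return ranges


def parse_pool_network(config):
    """Read the 'network A.B.C.D MASK' line of the DHCP pool."""
    m = re.search(r"^\s+network (\S+) (\S+)", config, re.M)
    return ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}")


def assignable_addresses(config):
    """Addresses the pool can hand out: usable hosts minus excluded ranges."""
    net = parse_pool_network(config)
    # Exclusions are global on IOS; only the ones inside this pool's network matter.
    excluded = [(lo, hi) for lo, hi in parse_excluded(config) if lo in net]
    # .hosts() already leaves out the network and broadcast addresses.
    return [h for h in net.hosts()
            if not any(lo <= h <= hi for lo, hi in excluded)]


def parse_arp_hosts(arp_output, interface="Vlan1"):
    """Addresses the router holds an ARP entry for on the given interface."""
    hosts = set()
    for line in arp_output.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[0] == "Internet" and parts[5] == interface:
            hosts.add(ipaddress.ip_address(parts[1]))
    return hosts


def unreached_in_pool(config, arp_output, reached):
    """Return (LAN hosts not reached over the VPN, the subset of those inside the pool)."""
    pool = set(assignable_addresses(config))
    unreached = parse_arp_hosts(arp_output) - {ipaddress.ip_address(a) for a in reached}
    return sorted(unreached), sorted(a for a in unreached if a in pool)


if __name__ == "__main__":
    pool = assignable_addresses(DHCP_CONFIG)
    print(f"pool hands out {pool[0]} - {pool[-1]} ({len(pool)} addresses)")
    unreached, overlap = unreached_in_pool(DHCP_CONFIG, ARP_OUTPUT, REACHED)
    print("on LAN but not reached:", ", ".join(map(str, unreached)))
    for a in overlap:
        print(f"  {a} sits inside the pool -> ip dhcp excluded-address {a}")
```

Run as-is it reports the pool as 192.168.18.200 to .254 and flags exactly .240, .251 and .252 as the hosts that are present in the ARP table but not reached, all three inside the assignable range. Statically addressed devices inside a pool's assignable range are an address-conflict risk whatever the VPN symptom turns out to be; whether that overlap is the cause of this particular problem is a separate question, which the rest of the thread takes up.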

 

Hi Marvin

Thanks for the reply. Just got back from Easter holiday.

The suggestion did not help.

Any other ideas? Maybe some debug commands to use.

 

Regards

Mikkel

I agree with you Marvin, this is the problem and something may be wrong in consideration because the VPN is good to go.

your VPN is based on this ACL:

ip access-list extended customer
 permit ip 192.168.18.0 0.0.0.255 10.2.0.0 0.0.0.255

it should be on other end:

ip access-list extended customer
 permit ip  10.2.0.0 0.0.0.255 192.168.18.0 0.0.0.255

Another thing to keep in mind: the switches will be accessible only from hosts in this subnet: 10.2.0.0 0.0.0.255

HTH
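The mirroring requirement for crypto ACLs mentioned in this reply is easy to check mechanically. The following is an added Python example (not code from this thread, from syed, or from Cisco): it converts each `permit ip` entry's address/wildcard pairs into prefixes and verifies that every (source, destination) on one side appears as (destination, source) on the other. The two ACL snippets are the ones quoted in the reply; support for `any` and `host` forms is an addition for completeness.

```python
import ipaddress

# Crypto ACL on the router, as quoted in the reply above.
LOCAL_ACL = """\
ip access-list extended customer
 permit ip 192.168.18.0 0.0.0.255 10.2.0.0 0.0.0.255
"""

# The mirrored ACL the reply says the far end should carry.
REMOTE_ACL = """\
ip access-list extended customer
 permit ip  10.2.0.0 0.0.0.255 192.168.18.0 0.0.0.255
"""


def wildcard_to_network(addr, wildcard):
    """Convert IOS 'address wildcard' into a prefix; wildcard bits set to 1 are don't-care."""
    wc = int(ipaddress.ip_address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard} cannot be a single prefix")
    prefixlen = 32 - wc.bit_length()
    base = int(ipaddress.ip_address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.ip_network(f"{ipaddress.ip_address(base)}/{prefixlen}")


def parse_target(tokens):
    """Consume one source/destination spec: 'any', 'host A', or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_aces(acl_text):
    """Return the (source, destination) prefix pairs of the 'permit ip' entries."""
    pairs = []
    for line in acl_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["permit", "ip"]:
            continue
        rest = tokens[2:]
        src = parse_target(rest)
        dst = parse_target(rest)
        pairs.append((src, dst))
    return pairs


def mismatches(local_text, remote_text):
    """Entries on either side that have no mirror image on the other side."""
    local = set(parse_aces(local_text))
    remote_flipped = {(dst, src) for src, dst in parse_aces(remote_text)}
    return sorted(local ^ remote_flipped, key=str)


def is_mirror(local_text, remote_text):
    """True when the two crypto ACLs are exact mirror images of each other."""
    return not mismatches(local_text, remote_text)


if __name__ == "__main__":
    print("mirrored:", is_mirror(LOCAL_ACL, REMOTE_ACL))
    for src, dst in mismatches(LOCAL_ACL, LOCAL_ACL):
        print(f"  no mirror for {src} -> {dst}")
```

Comparing the two quoted ACLs reports them as mirrored; comparing the router's ACL against an unmodified copy of itself shows the kind of mismatch that leaves a LAN-to-LAN tunnel negotiating a proxy identity the far end will not accept.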

 

 

Hi

 

Thanks for the reply. I think that some things here are mixed up. The

ip access-list extended customer
 permit ip 192.168.18.0 0.0.0.255 10.2.0.0 0.0.0.255

is used for the LAN-to-LAN VPN connection, and this is working just fine.

The problem is in the Remote Access VPN.

Can you tell me why DHCP exclusions could solve the problem? It makes no sense in my world.

 

Regards

 

Mikkel

Hi Mikkel,

I do not think a DHCP misconfiguration causes the issue. The remote EzVPN client (192.168.253.5) has set up the IPsec session without any issue. I think it is a routing issue. Did you forget to configure a default gateway or default route on those 3 devices?

Regards,

David
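The distinction behind this reply is that a router ARP entry only proves a host answers on-link; replying to the VPN client at 192.168.253.5 additionally requires the host to have a usable route off its own subnet. The following is an added Python example (not code from this thread, from David, or from Cisco) that models that host-side forwarding decision. The client address and LAN mask come from the OP's `sh crypto ipsec sa`; the `INVENTORY` gateway settings are constructed assumptions, since the thread does not show what is configured on .240, .251 and .252.

```python
import ipaddress

# From the OP's "sh crypto ipsec sa": the remote-access client's address.
VPN_CLIENT = "192.168.253.5"
# Mask of the 192.168.18.0/24 LAN behind the router.
LAN_MASK = "255.255.255.0"

# Constructed inventory for the demo; the gateway values are assumptions,
# not what the OP's devices are actually configured with.
INVENTORY = {
    "192.168.18.20":  "192.168.18.1",  # reachable in the OP's scan
    "192.168.18.240": None,            # assumed: no default gateway set
    "192.168.18.251": "192.168.18.1",  # assumed: correct gateway
    "192.168.18.252": "192.168.19.1",  # assumed: gateway typo, off-subnet
}


def reply_path(host_ip, netmask, gateway, destination):
    """Emulate a host's forwarding decision for a reply to `destination`.

    The host can answer an ICMP echo only if it can route the reply back;
    a fresh ARP entry on the router shows only that the host is up on-link.
    """
    iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
    dst = ipaddress.ip_address(str(destination))
    if dst in iface.network:
        return "on-link"
    if gateway is None:
        return "unreachable: no default gateway configured"
    gw = ipaddress.ip_address(gateway)
    if gw not in iface.network:
        return f"unreachable: gateway {gw} is not on the host's subnet"
    return f"via gateway {gw}"


def diagnose(inventory, netmask=LAN_MASK, destination=VPN_CLIENT):
    """Map each host to the path its reply toward the VPN client would take."""
    return {host: reply_path(host, netmask, gw, destination)
            for host, gw in inventory.items()}


if __name__ == "__main__":
    for host, verdict in diagnose(INVENTORY).items():
        print(f"{host:16} -> {verdict}")
```

With the constructed inventory, .20 and .251 reply via 192.168.18.1 while .240 and .252 cannot return traffic at all, which is the symptom pattern the OP describes: the router's ARP table lists all three problem hosts with age 0 (it resolved them while forwarding the VPN client's pings), yet the replies never arrive. Checking the gateway setting on each of the three devices, as David suggests, is the direct way to confirm or rule this out.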

Hi mikkel003,

welcome

Sorry, you do not need to exclude, I did not look carefully before.

regards,

syed

 

"plz don't forget to rate for helpful post"