06-09-2011 07:43 AM
Hi,
I am having problems with VPN clients accessing internal resources. They connect using the Cisco VPN Client; they connect correctly, an IP from the correct range is assigned and I can ping the internal server, but no other type of access, like Terminal Server, works. Ping to the internal server's IP is replied to by the public router IP interface instead of the internal server, and I'm not sure whether it should be this way. There isn't any ACL applied.
Debugging crypto ipsec, I see this error when I try Terminal Server:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /public-ip, src_addr= 172.16.73.4, prot= 6
Here is the configuration related to vpn:
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Clients
key cisco
dns 4.2.2.2
pool vpn-clients
acl 101
netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!Default gateway for internal resources
interface Vlan72
ip address 172.16.72.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
ip local pool vpn-clients 172.16.73.2 172.16.73.10
!
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname XXXXX
ppp chap password 7 XXXXXXXX
ppp ipcp dns accept
ppp ipcp address accept
no cdp enable
crypto map mymap
access-list 101 permit ip 172.16.72.0 0.0.0.255 any
!
Regards.
06-12-2011 12:39 AM
Hi,
Please share the output of sh run | in ip nat.
Regards,
Anisha
P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.
06-12-2011 12:54 AM
Hi Anisha,
Here it is:
sh run | i (ip nat|interface)
interface Tunnel1
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
ip nat outside
interface Virtual-Template2
interface GigabitEthernet0
ip nat outside
interface Vlan1
interface Vlan60
interface Vlan72
ip nat inside
interface Async1
interface Dialer1
ip nat outside
ip nat inside source route-map NAT_WAN1 interface Dialer1 overload
ip nat inside source route-map NAT_WAN2 interface FastEthernet8 overload
icmp-echo 80.58.0.33 source-interface Dialer1
icmp-echo 82.159.184.1 source-interface FastEthernet8
match interface Dialer1
match interface FastEthernet8
Regards.
06-12-2011 06:03 PM
Hi,
Please give the output of "sh route-map NAT_WAN1". Also please give the output of the access-list part of this route-map.
Regards,
Anisha
06-13-2011 04:21 AM
Hi,
route-map NAT_WAN1, permit, sequence 10
Match clauses:
ip address (access-lists): 1
interface Dialer1
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Standard IP access list 1
10 permit 172.16.72.0, wildcard bits 0.0.0.255 (11 matches)
Regards,
Antonio.
06-13-2011 11:22 PM
Hi,
Can you try doing the following changes:
access-list 100 permit ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255
route-map NAT_WAN1 permit 10
no match ip address 1
match ip address 100
Regards,
Anisha
06-14-2011 12:30 AM
Hi Anisha,
I've applied these commands but nothing changes; only ping works, not Terminal Server, which gives the same error:
%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /public-ip, src_addr= 172.16.73.4, prot= 6
It's very strange since ping is working but anything else is not.
Regards.
06-14-2011 02:25 AM
Make sure the access-lists are properly configured for interesting traffic and the crypto map is applied to the interface. This error indicates that the packets that arrived are not encrypted. It means that either the access-list or the crypto map is not applied correctly.
06-14-2011 03:20 AM
Hi,
Is the ping reply coming from the internal server itself?
Please paste the output of "sh run | sec crypto"
Regards,
Anisha
06-15-2011 04:35 AM
The reply comes from the public IP.
Here is the output of show run | sec crypto:
crypto pki trustpoint TP-self-signed-604859066
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-604859066
revocation-check none
rsakeypair TP-self-signed-604859066
crypto pki certificate chain TP-self-signed-604859066
certificate self-signed 01
3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 36303438 35393036 36301E17 0D313130 34323031 34353335
345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3630 34383539
30363630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B82E5097 EAB6BAFC EB141614 44228B6D 6C5AA306 FA24E698 201B9861 70AA464F
965B4C9E 50960910 0D9FE1F6 7879DAD1 8CBFF8CC 7D015C35 2C91D473 D1FCF62E
62A08CD2 632256AF CD227E8C 82A9109B 57FAEF09 E0D1B3C1 ED9E77C5 AF620415
108CF242 A6C94252 BD371CEB B937A966 D7BDBD9D 709BBB87 44E42CFB D447E747
02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D
11041830 16821468 6F6D656C 61622E63 6369656C 6162732E 6F726730 1F060355
1D230418 30168014 901C6722 7CF5486C 0693955D 64E110C5 6600F519 301D0603
551D0E04 16041490 1C67227C F5486C06 93955D64 E110C566 00F51930 0D06092A
864886F7 0D010104 05000381 81008D61 88971005 4E74622C ADB499F9 2D9C69BB
94AB400D 35854BB2 09DBEF63 55905388 26FCFC64 0C9B9ED5 9D6CC9DC 35AA1296
DCD02902 A58F5813 D780B012 4F55E137 43AF22B7 66581B9A 3BF245C3 5A052438
07195BEE 3EC71EDE DFB003A3 5F2F2D30 F5FB7A26 21BB2C0C 6638FCE2 60724732
E556C860 998A3E45 B5012C53 2155
quit
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration group VPN_Clients
key cisco
dns 4.2.2.2
pool vpn-clients
acl 101
netmask 255.255.255.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap
crypto map mymap
Regards,
06-30-2011 02:38 PM
Hi Antonio,
Please remove the command "crypto map mymap client configuration address initiate". We generally use only respond for giving out IP addresses.
Can you send me a sanitized version of your configuration and also the exact IP address you are trying to access from the VPN client?
Regards,
Prapanch
07-01-2011 08:48 AM
Hi Prapanch,
Here is my running config. I've hidden some IPs and usernames for security reasons, but all the information related to the VPN is present. The IP of the internal server is 172.16.72.2.
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname X
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 informational
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization network grouplist local
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone SPAIN 2
!
crypto pki trustpoint TP-self-signed-604859066
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-604859066
revocation-check none
rsakeypair TP-self-signed-604859066
!
!
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1
!
!
ip cef
no ip bootp server
ip name-server 80.58.0.33
!
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group PPTP_GROUP
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 2
l2tp tunnel timeout no-session 15
!
!
!
!
!
track 1 ip sla 1 reachability
!
track 2 ip sla 2 reachability
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Clients
key cisco
dns 4.2.2.2
pool vpn-clients
acl 101
netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Tunnel1
ip address 10.14.14.1 255.255.255.252
keepalive 1 3
tunnel source FastEthernet8
tunnel destination X.X.X.X
!
!
interface FastEthernet0
switchport access vlan 60
!
!
interface FastEthernet1
switchport access vlan 60
spanning-tree portfast
!
!
interface FastEthernet2
switchport access vlan 60
spanning-tree portfast
!
!
interface FastEthernet3
switchport access vlan 72
spanning-tree portfast
!
!
interface FastEthernet4
!
!
interface FastEthernet5
!
!
interface FastEthernet6
!
!
interface FastEthernet7
!
!
interface FastEthernet8
description WAN2
ip address X
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
!
!
interface Virtual-Template2
ip address 172.16.73.1 255.255.255.0
peer default ip address pool PPTP_POOL
ppp encrypt mppe 128 required
ppp authentication ms-chap-v2
!
!
interface GigabitEthernet0
description WAN1
no ip address
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
!
interface Vlan1
no ip address
!
!
interface Vlan60
ip address 192.168.60.107 255.255.255.0
ip tcp adjust-mss 1412
ipv6 enable
crypto map mymap
!
!
interface Vlan72
ip address 172.16.72.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip policy route-map PBR_WAN2
!
!
interface Async1
no ip address
encapsulation slip
!
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname X
ppp chap password 7 X
ppp ipcp dns accept
ppp ipcp address accept
no cdp enable
crypto map mymap
!
!
ip local pool vpn-clients 172.16.73.2 172.16.73.10
ip local pool PPTP_POOL 172.16.73.20 172.16.73.25
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source route-map NAT_WAN1 interface Dialer1 overload
ip nat inside source route-map NAT_WAN2 interface FastEthernet8 overload
ip route 0.0.0.0 0.0.0.0 Dialer1 track 1
ip route 0.0.0.0 0.0.0.0 82.159.184.1 2
ip route 80.58.0.33 255.255.255.255 Dialer1
!
ip access-list extended ALLOWED_WAN1
permit gre host X host X
ip access-list extended PBR_WAN2
permit tcp 172.16.72.0 0.0.0.255 any eq 443
ip access-list extended SELF_TO_WAN2_GRE
permit gre any any
ip access-list extended WAN1_TO_LAN2
permit ip any any
ip access-list extended WAN1_TO_SELF
permit icmp any any
ip access-list extended WAN2_TO_SELF
permit icmp any any echo
ip access-list extended WAN2_TO_SELF_GRE
permit gre any any
!
ip sla 1
icmp-echo 80.58.0.33 source-interface Dialer1
timeout 3000
threshold 3000
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 82.159.184.1 source-interface FastEthernet8
timeout 3000
threshold 3000
frequency 5
ip sla schedule 2 life forever start-time now
logging origin-id hostname
logging 172.16.72.2
access-list 1 permit 172.16.72.0 0.0.0.255
access-list 101 permit ip 172.16.72.0 0.0.0.255 any
access-list 102 permit ip 172.16.73.0 0.0.0.255 any
access-list 103 permit icmp any any echo
access-list 103 deny icmp any any
access-list 103 permit tcp any any eq 443
access-list 103 permit tcp any any eq 22
access-list 103 permit gre host 62.82.169.12 any
access-list 103 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map NAT_WAN1 permit 10
match ip address 1
match interface Dialer1
!
route-map NAT_WAN2 permit 10
match ip address 1
match interface FastEthernet8
!
route-map PBR_WAN2 permit 10
match ip address PBR_WAN2
set ip next-hop verify-availability 82.159.184.1 1 track 2
set ip default next-hop 62.82.169.4
!
!
control-plane
!
!
!
line con 0
exec-timeout 0 0
logging synchronous
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
access-class 23 in
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
access-class 23 in
exec-timeout 0 0
privilege level 15
logging synchronous
transport input ssh
!
scheduler max-task-time 5000
end
07-01-2011 09:00 AM
Hi Antonio,
Problem seems to be with the NAT config on the router. The NAT config now is below:
access-list 1 permit 172.16.72.0 0.0.0.255
route-map NAT_WAN1 permit 10
match ip address 1
match interface Dialer1
ip nat inside source route-map NAT_WAN1 interface Dialer1 overload
We need to modify it to look something like this:
access-list 100 deny ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255
access-list 100 permit ip 172.16.72.0 0.0.0.255 any
route-map NAT_WAN1 permit 10
match ip address 100
ip nat inside source route-map NAT_WAN1 interface Dialer1 overload
This should ensure traffic going to the VPN clients pool goes un-NATed and hence you should be able to access the internal network using the private IP (172.16.72.2 for example).
Try this out and let me know if it fixes your problem.
Regards,
Prapanch
Message was edited by: Prapanch Ramamoorthy Small correction in the post!!
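The NAT decision Prapanch describes, replayed as an added example that is not part of the thread: a small Python model of IOS first-match ACL evaluation and route-map NAT, run over the thread's own `access-list 1`, Anisha's interim `access-list 100`, and the corrected `access-list 104`, for a reply from the internal server 172.16.72.2 to the VPN client 172.16.73.4. The Dialer1 public address (hidden in the thread) and the Internet host are constructed placeholders, and it is an assumption that the reply to the client leaves through Dialer1 (where reverse-route injection places the client's host route), so that `match interface Dialer1` is satisfied and only the ACL decides.

```python
"""Replay the IOS NAT decision from the thread (added example, not from the thread).

A reply from the internal server on Vlan72 ("ip nat inside") to a VPN client
leaves via Dialer1 ("ip nat outside"), so `ip nat inside source route-map
NAT_WAN1 interface Dialer1 overload` consults the route-map's ACL:
  permit          -> source translated to the Dialer1 address
  deny / no match -> packet forwarded untranslated
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed placeholders: the thread hides the negotiated Dialer1 address and
# names no Internet host. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
DIALER1_PUBLIC_IP = "203.0.113.10"
INTERNET_HOST = "198.51.100.7"

SERVER = "172.16.72.2"   # internal server named in the thread
CLIENT = "172.16.73.4"   # VPN client address from the CRYPTO-4 log line


@dataclass(frozen=True)
class Ace:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if i + 1 >= len(tokens):       # bare address in a standard ACL means a host
        return ipaddress.ip_network(tokens[i] + "/32"), i + 1
    # "network wildcard": ipaddress accepts a dotted hostmask after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_acl(config_lines, number):
    """Collect the entries of `access-list <number>` in configuration order."""
    aces = []
    standard = number <= 99 or 1300 <= number <= 1999
    for line in config_lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[1] != str(number):
            continue
        if standard:                           # action source [wildcard]
            src, _ = _parse_addr(t, 3)
            dst = ANY
        else:                                  # action protocol source dest
            src, i = _parse_addr(t, 4)
            dst, _ = _parse_addr(t, i)
        aces.append(Ace(t[2], src, dst))
    return aces


def first_match(aces, src, dst):
    """IOS semantics: the first matching entry wins; no match is an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in aces:
        if s in ace.src and d in ace.dst:
            return ace.action
    return "deny"


def source_after_nat(config_lines, acl_number, src, dst, outside_ip=DIALER1_PUBLIC_IP):
    """Source address the receiver sees after the route-map NAT has run.

    Assumption: the egress interface is Dialer1 (reverse-route injection puts the
    client's host route there), so `match interface Dialer1` holds and the ACL decides.
    """
    verdict = first_match(parse_acl(config_lines, acl_number), src, dst)
    return outside_ip if verdict == "permit" else src


# The three ACLs that appear in the thread, copied from the posts.
ORIGINAL = ["access-list 1 permit 172.16.72.0 0.0.0.255"]
INTERIM = ["access-list 100 permit ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255"]
FIXED = [
    "access-list 104 deny ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255",
    "access-list 104 permit ip 172.16.72.0 0.0.0.255 any",
]


def compare():
    """Source address seen by the VPN client and by an Internet host under each ACL."""
    return {
        "original_to_vpn": source_after_nat(ORIGINAL, 1, SERVER, CLIENT),
        "original_to_internet": source_after_nat(ORIGINAL, 1, SERVER, INTERNET_HOST),
        "interim_to_vpn": source_after_nat(INTERIM, 100, SERVER, CLIENT),
        "interim_to_internet": source_after_nat(INTERIM, 100, SERVER, INTERNET_HOST),
        "fixed_to_vpn": source_after_nat(FIXED, 104, SERVER, CLIENT),
        "fixed_to_internet": source_after_nat(FIXED, 104, SERVER, INTERNET_HOST),
    }


if __name__ == "__main__":
    for case, seen_source in compare().items():
        print(f"{case:22s} receiver sees reply from {seen_source}")
```

Both the original ACL 1 and the interim ACL 100 return a permit for server-to-pool traffic, so the reply is translated to the Dialer1 address and the client sees its TCP reply come back from the public IP, which is why the interim change made no visible difference. Only ACL 104 exempts the pool, and the order matters: the deny must precede the permit, because a `permit ... any` on line 10 would shadow it.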
07-01-2011 09:32 AM
It works! You were right, it was a NAT problem, not an IPsec one as I thought.
I have changed my configuration to this:
Extended IP access list 104
10 deny ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255 (657 matches)
20 permit ip 172.16.72.0 0.0.0.255 any (1 match)
route-map NAT_WAN1, permit, sequence 10
Match clauses:
ip address (access-lists): 104
interface Dialer1
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Thanks.
07-01-2011 11:23 AM
Glad to know it worked Antonio.
Regards,
Prapanch