VPN clients can't access internal resources

Antonio Macia
Level 3

Hi,

I am having problems with VPN clients accessing internal resources. They connect using Cisco VPN Client, they connect correctly, an IP of the correct range is given and I have ping to the internal server, but no other type of access, like terminal server. Ping to the internal server's IP is replied to by the public router IP interface instead of the internal server, and I'm not sure if it should be in this manner. There isn't any ACL applied.

Debugging crypto ipsec, I see this error when I try terminal server:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /public-ip, src_addr= 172.16.73.4, prot= 6

Here is the configuration related to vpn:

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN_Clients

key cisco

dns 4.2.2.2

pool vpn-clients

acl 101

netmask 255.255.255.0

!

!

crypto ipsec transform-set myset esp-aes esp-sha-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

!

!

crypto map mymap client authentication list userlist

crypto map mymap isakmp authorization list grouplist

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap 10 ipsec-isakmp dynamic dynmap

!

!

!Default gateway for internal resources

interface Vlan72

ip address 172.16.72.1 255.255.255.0

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

ip local pool vpn-clients 172.16.73.2 172.16.73.10

!

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname XXXXX

ppp chap password 7 XXXXXXXX

ppp ipcp dns accept

ppp ipcp address accept

no cdp enable

crypto map mymap

access-list 101 permit ip 172.16.72.0 0.0.0.255 any

!

Regards.

14 Replies

andamani
Cisco Employee

Hi,

Please share the output of sh run | in ip nat.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi Anisha,

Here it is:

sh run | i (ip nat|interface)

interface Tunnel1

interface FastEthernet0

interface FastEthernet1

interface FastEthernet2

interface FastEthernet3

interface FastEthernet4

interface FastEthernet5

interface FastEthernet6

interface FastEthernet7

interface FastEthernet8

ip nat outside

interface Virtual-Template2

interface GigabitEthernet0

ip nat outside

interface Vlan1

interface Vlan60

interface Vlan72

ip nat inside

interface Async1

interface Dialer1

ip nat outside

ip nat inside source route-map NAT_WAN1 interface Dialer1 overload

ip nat inside source route-map NAT_WAN2 interface FastEthernet8 overload

icmp-echo 80.58.0.33 source-interface Dialer1

icmp-echo 82.159.184.1 source-interface FastEthernet8

match interface Dialer1

match interface FastEthernet8

Regards.

Hi,

Please give the output of "sh route-map NAT_WAN1". Also please give the output of the access-list part of this route-map.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi,

route-map NAT_WAN1, permit, sequence 10

  Match clauses:

    ip address (access-lists): 1

    interface Dialer1

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

Standard IP access list 1

    10 permit 172.16.72.0, wildcard bits 0.0.0.255 (11 matches)

Regards,

Antonio.

Hi,

Can you try doing the following changes:

access-list 100 permit ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255

route-map NAT_WAN1 permit 10

     no match ip address 1

     match ip address 100

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hi Anisha,

I've applied these commands but nothing changes; only ping works, not terminal server, which gives the same error:

%CRYPTO-4-RECVD_PKT_NOT_IPSEC: Rec'd packet not an IPSEC packet. (ip) vrf/dest_addr= /public-ip, src_addr= 172.16.73.4, prot= 6

It's very strange since ping is working but anything else is not.

Regards.

Make sure the access-lists are properly configured for interesting traffic and the crypto map is applied to the interface. This error indicates that the packets that arrived are not encrypted. It means that either the access-list or the crypto map is not applied correctly.

hi,

Is the ping reply coming from the internal server itself?

Please paste the output of "sh run | sec crypto"

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

The reply comes from the public IP.

Here is the show run | sec crypto:

crypto pki trustpoint TP-self-signed-604859066

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-604859066

revocation-check none

rsakeypair TP-self-signed-604859066

crypto pki certificate chain TP-self-signed-604859066

certificate self-signed 01

  3082024A 308201B3 A0030201 02020101 300D0609 2A864886 F70D0101 04050030

  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 36303438 35393036 36301E17 0D313130 34323031 34353335

  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F

  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3630 34383539

  30363630 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100

  B82E5097 EAB6BAFC EB141614 44228B6D 6C5AA306 FA24E698 201B9861 70AA464F

  965B4C9E 50960910 0D9FE1F6 7879DAD1 8CBFF8CC 7D015C35 2C91D473 D1FCF62E

  62A08CD2 632256AF CD227E8C 82A9109B 57FAEF09 E0D1B3C1 ED9E77C5 AF620415

  108CF242 A6C94252 BD371CEB B937A966 D7BDBD9D 709BBB87 44E42CFB D447E747

  02030100 01A37430 72300F06 03551D13 0101FF04 05300301 01FF301F 0603551D

  11041830 16821468 6F6D656C 61622E63 6369656C 6162732E 6F726730 1F060355

  1D230418 30168014 901C6722 7CF5486C 0693955D 64E110C5 6600F519 301D0603

  551D0E04 16041490 1C67227C F5486C06 93955D64 E110C566 00F51930 0D06092A

  864886F7 0D010104 05000381 81008D61 88971005 4E74622C ADB499F9 2D9C69BB

  94AB400D 35854BB2 09DBEF63 55905388 26FCFC64 0C9B9ED5 9D6CC9DC 35AA1296

  DCD02902 A58F5813 D780B012 4F55E137 43AF22B7 66581B9A 3BF245C3 5A052438

  07195BEE 3EC71EDE DFB003A3 5F2F2D30 F5FB7A26 21BB2C0C 6638FCE2 60724732

  E556C860 998A3E45 B5012C53 2155

        quit

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

crypto isakmp client configuration group VPN_Clients

key cisco

dns 4.2.2.2

pool vpn-clients

acl 101

netmask 255.255.255.0

crypto ipsec transform-set myset esp-aes esp-sha-hmac

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

crypto map mymap client authentication list userlist

crypto map mymap isakmp authorization list grouplist

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap 10 ipsec-isakmp dynamic dynmap

crypto map mymap

crypto map mymap

Regards,

Hi Antonio,

Please remove the command "crypto map mymap client configuration address initiate". We generally use only respond for giving out IP addresses.

Can you send me a sanitized version of your configuration and also the exact IP address you are trying to access from the VPN client?

Regards,

Prapanch

Hi Prapanch,

Here is my running config. I've hidden some IPs and usernames for security reasons, but all the information related to VPN is present. The IP of the internal server is 172.16.72.2.

version 15.0

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname X

!

boot-start-marker

boot-end-marker

!

logging buffered 4096 informational

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login userlist local

aaa authentication ppp default local

aaa authorization network grouplist local

!

!

!

!

!

aaa session-id common

!

!

!

clock timezone SPAIN 2

!

crypto pki trustpoint TP-self-signed-604859066

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-604859066

revocation-check none

rsakeypair TP-self-signed-604859066

!

!

ip source-route

!

!

ip dhcp excluded-address 10.10.10.1

!

!

ip cef

no ip bootp server

ip name-server 80.58.0.33

!

no ipv6 cef

!

!

multilink bundle-name authenticated

vpdn enable

!

vpdn-group PPTP_GROUP

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 2

l2tp tunnel timeout no-session 15

!

!

!

!

!

track 1 ip sla 1 reachability

!

track 2 ip sla 2 reachability

!

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN_Clients

key cisco

dns 4.2.2.2

pool vpn-clients

acl 101

netmask 255.255.255.0

!

!

crypto ipsec transform-set myset esp-aes esp-sha-hmac

!

!

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

!

!

crypto map mymap client authentication list userlist

crypto map mymap isakmp authorization list grouplist

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

!

interface Tunnel1

ip address 10.14.14.1 255.255.255.252

keepalive 1 3

tunnel source FastEthernet8

tunnel destination X.X.X.X

!

!

interface FastEthernet0

switchport access vlan 60

!

!

interface FastEthernet1

switchport access vlan 60

spanning-tree portfast

!

!

interface FastEthernet2

switchport access vlan 60

spanning-tree portfast

!

!

interface FastEthernet3

switchport access vlan 72

spanning-tree portfast

!

!

interface FastEthernet4

!

!

interface FastEthernet5

!

!

interface FastEthernet6

!

!

interface FastEthernet7

!

!

interface FastEthernet8

description WAN2

ip address X

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

ip tcp adjust-mss 1412

duplex auto

speed auto

!

!

interface Virtual-Template2

ip address 172.16.73.1 255.255.255.0

peer default ip address pool PPTP_POOL

ppp encrypt mppe 128 required

ppp authentication ms-chap-v2

!

!

interface GigabitEthernet0

description WAN1

no ip address

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

pppoe enable group global

pppoe-client dial-pool-number 1

!

!

interface Vlan1

no ip address

!

!

interface Vlan60

ip address 192.168.60.107 255.255.255.0

ip tcp adjust-mss 1412

ipv6 enable

crypto map mymap

!

!

interface Vlan72

ip address 172.16.72.1 255.255.255.0

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip policy route-map PBR_WAN2

!

!

interface Async1

no ip address

encapsulation slip

!

!

interface Dialer1

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication chap callin

ppp chap hostname X

ppp chap password 7 X

ppp ipcp dns accept

ppp ipcp address accept

no cdp enable

crypto map mymap

!

!

ip local pool vpn-clients 172.16.73.2 172.16.73.10

ip local pool PPTP_POOL 172.16.73.20 172.16.73.25

ip forward-protocol nd

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip dns server

ip nat inside source route-map NAT_WAN1 interface Dialer1 overload

ip nat inside source route-map NAT_WAN2 interface FastEthernet8 overload

ip route 0.0.0.0 0.0.0.0 Dialer1 track 1

ip route 0.0.0.0 0.0.0.0 82.159.184.1 2

ip route 80.58.0.33 255.255.255.255 Dialer1

!

ip access-list extended ALLOWED_WAN1

permit gre host X host X

ip access-list extended PBR_WAN2

permit tcp 172.16.72.0 0.0.0.255 any eq 443

ip access-list extended SELF_TO_WAN2_GRE

permit gre any any

ip access-list extended WAN1_TO_LAN2

permit ip any any

ip access-list extended WAN1_TO_SELF

permit icmp any any

ip access-list extended WAN2_TO_SELF

permit icmp any any echo

ip access-list extended WAN2_TO_SELF_GRE

permit gre any any

!

ip sla 1

icmp-echo 80.58.0.33 source-interface Dialer1

timeout 3000

threshold 3000

frequency 5

ip sla schedule 1 life forever start-time now

ip sla 2

icmp-echo 82.159.184.1 source-interface FastEthernet8

timeout 3000

threshold 3000

frequency 5

ip sla schedule 2 life forever start-time now

logging origin-id hostname

logging 172.16.72.2

access-list 1 permit 172.16.72.0 0.0.0.255

access-list 101 permit ip 172.16.72.0 0.0.0.255 any

access-list 102 permit ip 172.16.73.0 0.0.0.255 any

access-list 103 permit icmp any any echo

access-list 103 deny   icmp any any

access-list 103 permit tcp any any eq 443

access-list 103 permit tcp any any eq 22

access-list 103 permit gre host 62.82.169.12 any

access-list 103 deny   ip any any

dialer-list 1 protocol ip permit

no cdp run

!

!

!

!

route-map NAT_WAN1 permit 10

match ip address 1

match interface Dialer1

!

route-map NAT_WAN2 permit 10

match ip address 1

match interface FastEthernet8

!

route-map PBR_WAN2 permit 10

match ip address PBR_WAN2

set ip next-hop verify-availability 82.159.184.1 1 track 2

set ip default next-hop 62.82.169.4

!

!

control-plane

!

!

!

line con 0

exec-timeout 0 0

logging synchronous

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

line vty 0 4

access-class 23 in

exec-timeout 0 0

privilege level 15

logging synchronous

transport input ssh

line vty 5 15

access-class 23 in

exec-timeout 0 0

privilege level 15

logging synchronous

transport input ssh

!

scheduler max-task-time 5000

end

Hi Antonio,

Problem seems to be with the NAT config on the router. The NAT config now is below:

access-list 1 permit 172.16.72.0 0.0.0.255

route-map NAT_WAN1 permit 10

match ip address 1

match interface Dialer1

ip nat inside source route-map NAT_WAN1 interface Dialer1 overload

We need to modify it to look something like this:

access-list 100 deny ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255

access-list 100 permit ip 172.16.72.0 0.0.0.255 any

route-map NAT_WAN1 permit 10

match ip address 100

ip nat inside source route-map NAT_WAN1 interface Dialer1 overload

This should ensure traffic going to the VPN clients pool goes un-NATed and hence you should be able to access the internal network using the private IP (172.16.72.2 for example).

Try this out and let me know if it fixes your problem.

Regards,

Prapanch

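Added example, not code from this thread or from Cisco: a small Python model of how the NAT route-map in the posted config decides whether a packet leaving Dialer1 gets its source translated. It walks the three ACL variants that appear above (the original access-list 1, the "permit ... 172.16.73.0" variant, and the accepted deny-then-permit variant) against the server's reply to a VPN client and to an Internet host. It assumes a placeholder 203.0.113.1 for the redacted Dialer1 public address and a constructed Internet destination 198.51.100.7; both replies are modelled as leaving via Dialer1, which is where reverse-route injects the route to the client pool.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed placeholder for the router's negotiated Dialer1 address,
# which the thread redacts as "public-ip".
PUBLIC_IP = "203.0.113.1"


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


@dataclass(frozen=True)
class Ace:
    """One access-list entry; dst is None for a standard (source-only) ACL."""
    action: str                      # "permit" or "deny"
    src: Tuple[str, str]             # (network, wildcard)
    dst: Optional[Tuple[str, str]] = None

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        if not wildcard_match(src_ip, *self.src):
            return False
        return self.dst is None or wildcard_match(dst_ip, *self.dst)


def acl_decision(acl: List[Ace], src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action
    return "deny"


def nat_source(acl: List[Ace], egress_if: str, src_ip: str, dst_ip: str) -> str:
    """Emulates 'ip nat inside source route-map NAT_WAN1 interface Dialer1 overload'
    with 'match ip address <acl>' and 'match interface Dialer1'.  A permit from
    the ACL selects the packet for translation; a deny (explicit or implicit)
    exempts it.  Both route-map clauses must match for translation to happen."""
    if egress_if == "Dialer1" and acl_decision(acl, src_ip, dst_ip) == "permit":
        return PUBLIC_IP
    return src_ip


ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("172.16.72.0", "0.0.0.255")       # Vlan72, the 'ip nat inside' network
VPN_POOL = ("172.16.73.0", "0.0.0.255")  # ip local pool vpn-clients

# access-list 1 permit 172.16.72.0 0.0.0.255          (original NAT ACL)
ACL_1 = [Ace("permit", LAN)]
# access-list 100 permit ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255
# (first suggestion: selects only VPN-bound traffic for translation)
ACL_VPN_ONLY = [Ace("permit", LAN, VPN_POOL)]
# access-list 100 deny   ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255
# access-list 100 permit ip 172.16.72.0 0.0.0.255 any  (accepted fix)
ACL_100 = [Ace("deny", LAN, VPN_POOL), Ace("permit", LAN, ANY)]

SERVER = "172.16.72.2"        # internal server from the thread
VPN_CLIENT = "172.16.73.4"    # client address from the %CRYPTO-4 message
INTERNET_HOST = "198.51.100.7"  # constructed Internet destination


def reply_sources(acl: List[Ace]) -> Tuple[str, str]:
    """Source address the VPN client and an Internet host each see on the
    server's replies.  Both replies leave via Dialer1 (reverse-route puts the
    pool route there), so 'match interface Dialer1' alone cannot tell the two
    flows apart; only the ACL can exempt the VPN-bound one."""
    return (nat_source(acl, "Dialer1", SERVER, VPN_CLIENT),
            nat_source(acl, "Dialer1", SERVER, INTERNET_HOST))


if __name__ == "__main__":
    for name, acl in (("acl 1", ACL_1), ("permit VPN only", ACL_VPN_ONLY), ("acl 100", ACL_100)):
        to_vpn, to_inet = reply_sources(acl)
        print(f"{name:16s} reply to VPN client from {to_vpn:14s} reply to Internet from {to_inet}")
```

With access-list 1 the server's reply to the VPN client is translated to the public address, which is exactly the symptom reported above (ping answered by the public IP, TCP sessions failing); the deny entry in front of the permit is what exempts pool-bound traffic while Internet-bound traffic stays translated. Unrelated to the NAT question but visible in the posted config: the group pre-shared key is `cisco`, which is the value every default example uses and should be replaced before this router stays exposed on Dialer1.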

It works! You were right, it was a NAT problem, not an IPsec one as I thought.

I have changed my configuration to this:

Extended IP access list 104

    10 deny ip 172.16.72.0 0.0.0.255 172.16.73.0 0.0.0.255 (657 matches)

    20 permit ip 172.16.72.0 0.0.0.255 any (1 match)

route-map NAT_WAN1, permit, sequence 10

  Match clauses:

    ip address (access-lists): 104

    interface Dialer1

  Set clauses:

  Policy routing matches: 0 packets, 0 bytes

Thanks.

Glad to know it worked, Antonio.

Regards,

Prapanch
