VPN on a Stick not working

orahman99
Level 1

I have set up VPN on a stick on my router and my VPN is established, but I can't get to the internet after the client gets the VPN connection; my NAT translations are not taking place when I check using the show NAT commands.

What I require is that users connect to the router through a VPN (on a Cisco router) and then the VPN traffic gets routed through the internet to a remote network, so that I can control the internet activity of my clients.

Below is my configuration:

aaa new-model

aaa authentication login userauthen local

aaa authorization network groupauthor local

username user password 0 cisco

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group vpnclient

key cisco123

pool ippool

crypto ipsec transform-set myset esp-3des esp-md5-hmac

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

crypto map clientmap client authentication list userauthen

crypto map clientmap isakmp authorization list groupauthor

crypto map clientmap client configuration address respond

crypto map clientmap 10 ipsec-isakmp dynamic dynmap

interface Loopback0

ip address 10.11.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

interface gi0/1

ip address 216.x.x.x 255.255.255.0

ip nat outside

ip virtual-reassembly

ip policy route-map VPN-Client

duplex auto

speed auto

crypto map clientmap

ip local pool ippool 192.168.1.1 192.168.1.2

ip route 0.0.0.0 0.0.0.0 216.x.x.y

ip nat inside source list 101 interface gi0/1 overload

access-list 101 permit ip any any

access-list 144 permit ip 192.168.1.0 0.0.0.255 any

route-map VPN-Client permit 10

match ip address 144

set ip next-hop 10.11.0.2
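As an added example (not from the thread or from Cisco), a small Python model of the packet path the configuration above is meant to produce: IOS wildcard-mask ACL matching, the policy-route to 10.11.0.2 on Loopback0, and the NAT overload that should follow once the packet re-enters via an "ip nat inside" interface. The outside address 203.0.113.8 is a placeholder for the redacted 216.x.x.x, the sample packet is constructed, and the IOS order of operations is simplified to the steps the thread discusses.

```python
import ipaddress
from typing import Dict, List, Tuple

OUTSIDE_IP = "203.0.113.8"  # placeholder for the redacted 216.x.x.x address on gi0/1
PBR_NEXT_HOP = "10.11.0.2"  # 'set ip next-hop' in route-map VPN-Client (Loopback0 subnet)
Ace = Tuple[str, str]       # (address, wildcard) as written in an IOS access-list

def acl_permits(acl: List[Ace], src: str) -> bool:
    """IOS wildcard-mask test: a 1 bit in the wildcard means 'don't care'.
    Falling off the end of the list is the implicit deny."""
    s = int(ipaddress.IPv4Address(src))
    for addr, wild in acl:
        a = int(ipaddress.IPv4Address(addr))
        w = int(ipaddress.IPv4Address(wild))
        if (s | w) == (a | w):
            return True
    return False

def forward(pkt: dict, acl_144: List[Ace], acl_101: List[Ace],
            nat_table: Dict[tuple, tuple]) -> dict:
    """Walk one decrypted VPN-client packet through the hairpin and return a trace.
    pkt = {"src", "sport", "dst"}; nat_table is the PAT table and is updated in place."""
    trace = {"steps": [], "src": pkt["src"], "sport": pkt["sport"]}
    # 1. The packet appears on gi0/1 (ip nat outside), where 'ip policy route-map
    #    VPN-Client' is applied; ACL 144 decides whether PBR touches it.
    if not acl_permits(acl_144, pkt["src"]):
        trace["steps"].append("ACL 144 no match: default route out gi0/1, no NAT")
        return trace
    trace["steps"].append(f"ACL 144 permit: PBR to {PBR_NEXT_HOP} via Loopback0")
    # 2. Loopback0 is 'ip nat inside', so when the packet is routed back out gi0/1
    #    it is an inside->outside flow and 'ip nat inside source list 101 ... overload'
    #    is consulted. No ACL 101 match is the 'Implicit Deny' seen in the debug output.
    if not acl_permits(acl_101, pkt["src"]):
        trace["steps"].append("ACL 101 implicit deny: no translation created")
        return trace
    key = (pkt["src"], pkt["sport"])
    if key not in nat_table:                       # PAT: one outside port per inside flow
        nat_table[key] = (OUTSIDE_IP, 1024 + len(nat_table))
    trace["src"], trace["sport"] = nat_table[key]
    trace["steps"].append(f"NAT overload: {trace['src']}:{trace['sport']} -> {pkt['dst']} out gi0/1")
    return trace

if __name__ == "__main__":
    acl144 = [("192.168.1.0", "0.0.0.255")]          # access-list 144 from the post
    acl101 = [("0.0.0.0", "255.255.255.255")]        # access-list 101 permit ip any any
    table: Dict[tuple, tuple] = {}
    client = {"src": "192.168.1.2", "sport": 40000, "dst": "4.2.2.2"}  # constructed sample
    print("\n".join(forward(client, acl144, acl101, table)["steps"]))
```

Swapping acl_101 for a list that does not cover 192.168.1.0/24 reproduces the "no translation created" outcome, which is the symptom the show ip nat translations output (empty) and the IPACL-DP debug lines in the thread describe.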


25 Replies

Hello Portu,

I added the above configuration but it did not work. Here is the result of the show/debug commands:

Client statistics do show UDP port 4500 active.

1)show ip nat translations: no output.

2)yourname#show crypto session

Crypto session current status

Interface: GigabitEthernet0/1

Username: user

Group: vpnclient

Assigned address: 192.168.1.2

Session status: UP-ACTIVE

Peer: 71.17.105.24 port 1179

  IKEv1 SA: local y.y.y.8/4500 remote 71.17.105.24/1179 Active

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.1.2

        Active SAs: 2, origin: dynamic crypto map

3)yourname#show access-list 144

Extended IP access list 144

    10 permit ip 192.168.1.0 0.0.0.255 any (492 matches)

yourname#

4)yourname#show access-list 101

Extended IP access list 101

    20 permit ip 192.168.1.0 0.0.0.255 any

yourname#

5)yourname#show ip cef exact-route 192.168.1.2 4.2.2.2

192.168.1.2 -> 4.2.2.2 => IP adj out of GigabitEthernet0/1, addr y.y.y.254

yourname#

yourname#

6)yourname#show crypto ipsec sa

interface: GigabitEthernet0/1

    Crypto map tag: clientmap, local addr y.y.y.8

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)

   current_peer 71.17.105.24 port 1179

     PERMIT, flags={}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: y.y.y.8, remote crypto endpt.: 71.17.105.24

     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

     current outbound spi: 0x23958620(597001760)

     PFS (Y/N): N, DH group: none

     inbound esp sas:

      spi: 0x879616B4(2274760372)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2011, flow_id: Onboard VPN:11, sibling_flags 80000040, crypto map: clientmap

        sa timing: remaining key lifetime (k/sec): (4244275/3293)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:

      spi: 0x23958620(597001760)

        transform: esp-3des esp-md5-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 2012, flow_id: Onboard VPN:12, sibling_flags 80000040, crypto map: clientmap

        sa timing: remaining key lifetime (k/sec): (4244287/3293)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

yourname#

7)yourname#show ip nat statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended)

Peak translations: 0

Outside interfaces:

  GigabitEthernet0/1

Inside interfaces:

  Loopback0

Hits: 0  Misses: 0

CEF Translated packets: 0, CEF Punted packets: 0

Expired translations: 0

Dynamic mappings:

-- Inside Source

[Id: 1] access-list 101 interface GigabitEthernet0/1 refcount 0

Total doors: 0

Appl doors: 0

Normal doors: 0

Queued Packets: 0

yourname#

8)yourname#show ip policy

Interface      Route map

Gi0/1          VPN-Client

yourname#

9)debug ip policy: (when I ping the next hop)

*Mar 18 19:54:12.091: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, FIB policy match

*Mar 18 19:54:12.091: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, PBR Counted

*Mar 18 19:54:12.091: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, g=10.11.0.2, len 60, FIB policy routed

*Mar 18 19:54:17.187: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, FIB policy match

*Mar 18 19:54:17.187: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, PBR Counted

*Mar 18 19:54:17.187: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, g=10.11.0.2, len 60, FIB policy routed

*Mar 18 19:54:22.687: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, FIB policy match

*Mar 18 19:54:22.687: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, PBR Counted

*Mar 18 19:54:22.687: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, g=10.11.0.2, len 60, FIB policy ro

10)debug ip policy (when accessing http://173.194.44.84 from client)

*Mar 18 20:04:14.991: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, FIB policy match

*Mar 18 20:04:14.991: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, PBR Counted

*Mar 18 20:04:14.995: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, g=10.11.0.2, len 48, FIB policy routed

*Mar 18 20:04:15.399: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, FIB policy match

*Mar 18 20:04:15.399: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, PBR Counted

*Mar 18 20:04:15.399: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, g=10.11.0.2, len 48, FIB policy routed

*Mar 18 20:04:15.619: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, FIB policy match

*Mar 18 20:04:15.619: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, PBR Counted

debug ip policy (when pinging 4.2.2.2 from client)

*Mar 18 20:05:41.927: IP: s=192.168.1.2 (GigabitEthernet0/1), d=4.2.2.2, len 60, FIB policy match

*Mar 18 20:05:41.927: IP: s=192.168.1.2 (GigabitEthernet0/1), d=4.2.2.2, len 60, PBR Counted

*Mar 18 20:05:41.927: IP: s=192.168.1.2 (GigabitEthernet0/1), d=4.2.2.2, g=10.11.0.2, len 60, FIB policy routed

11)yourname#debug ip access-list data-plane

yourname#

*Mar 18 20:38:00.307: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny

*Mar 18 20:38:00.307: IPACL-DP: Pkt matched punt/drop it

*Mar 18 20:38:05.727: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 20:38:05.727: IPACL-DP: Pkt matched permit it

*Mar 18 20:38:10.811: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny

*Mar 18 20:38:10.811: IPACL-DP: Pkt matched punt/drop it

*Mar 18 20:38:21.315: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny

*Mar 18 20:38:21.315: IPACL-DP: Pkt matched punt/drop it

*Mar 18 20:38:21.731: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 20:38:21.731: IPACL-DP: Pkt matched permit it

*Mar 18 20:38:22.047: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 20:38:22.047: IPACL-DP: Pkt matched permit it

*Mar 18 20:38:22.311: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 20:38:22.311: IPACL-DP: Pkt matched permit it

*Mar 18 20:38:25.071: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 20:38:25.071: IPACL-DP: Pkt matched permit it

*Mar 18 20:38:25.183: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit

*Mar 18 20:38:25.183: IPACL-DP: Pkt matched permit it

Great information!!

What is the IP address of the inside network?

Would you mind testing with the following command?

     no ip cef

Thanks.

OMG!!!!!!!!!!!!!

Portu,

I don't know how to thank you!!!

It is working now.

Please can you explain to me a bit of what might be happening here!!!

Words are not enough to thank you.

I am happy to know that we finally got it working.

Before we open the Champagne, please provide the following output:

1- show ip arp

2- show ip cef

3- show version | inc 15.

Thanks

Hi Portu,

Here are the show commands:

yourname#show ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.10.10.1              -   e02f.6db0.5238  ARPA   GigabitEthernet0/0

Internet  10.10.10.5              1   b8ac.6f52.27fc  ARPA   GigabitEthernet0/0

Internet  216.y.y.6           0   Incomplete      ARPA

Internet  216.y.y.8           -   e02f.6db0.5239  ARPA   GigabitEthernet0/1

Internet  216.y.y.254         1   0012.017c.9b1a  ARPA   GigabitEthernet0/1


yourname#show ip cef

%IPv4 CEF not running

yourname#

yourname#show version | inc 15

Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)

System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M2.bin"

yourname#

Everything is working perfectly but,

I need to use the VPN client connection to RDP into another computer (1.1.1.1 internet ip) over the internet through  a second router that has my main Lan.

Secondly, I want only 1.1.1.0 to go through the tunnel; any other traffic should use the normal internet (i.e. split tunnelling).

I created this split tunnel and it is working (using tracert to check on the client), but my issue is I am not sure why I can't access RDP on 1.1.1.0.

crypto isakmp policy 3

encr 3des

authentication pre-share

group 2

acl 102

access-list 102 permit tcp 1.1.1.0 0.0.0.255 any

On the router having the 1.1.1.0 network I have IPS and IOS firewall, and the firewall is configured to allow RDP, https, http, etc. from the outside and is being continuously accessed from outside.

But I am not sure why I can't access it using the VPN client through the internet.

Would appreciate your input on this!

Once again hats off to you!!!!

Obaid,

It's my pleasure

What happens when you try to access the RDP server?

This is going to be a long shot, but let's try the following:

interface g0/1

     ip tcp adjust-mss 1200

Let me know.

Portu.

Hi Portu,

Before I try this configuration I should tell you that I am able to RDP to another network (some random network on the internet), so I think it is not an issue with this router.

Is it possible some signature on R1, the second (remote) router, is seeing the traffic as an attack or something as it is being translated? (I will check the IPS log tomorrow.)

The firewall is set to allow traffic from any IP on RDP or http (for a website) from the outside; I am not sure if something else is needed?

Thirdly, the internet IP on the VPN router is actually a secondary IP on R1 (from a secondary ISP), which uses IP SLA to track so that once the primary internet is down, the secondary ISP (which is the ISP I am using to test the VPN router) takes over; it only takes over when the primary ISP is down.

So:

For testing purposes, since it is a backup internet, I used it to test the VPN (to provide an internet IP and next hop), and from my understanding R1 should not need it except when ISP 1 is down. Or is it possible that the firewall or the IPS sees this as an attack or something?

Dear Obaid,

Nice info.

Check the Router's logs and make sure IPS is not dropping any packets.

Portu.

Thanks guys got it working perfectly!!

Awesome!!

I am glad to hear that

Great job Obaid!!! Keep it up!!!

Please rate any helpful posts and mark this as answered.

Hello Portu,

You are the best!! I couldn't have figured this out without your help.

I am not sure if you have the time, but I need your help to consider another option to achieve the same case, because there is latency I want to avoid/reduce because of the VPN.

So once remote users over the internet RDP or http into 1.1.1.2, it gets NATted to 2.2.2.3, where regular NAT takes place to go to the LAN, say the 10.0.0.2 server.

ie here is the traffic flow:

Remote user----------------(InternetRDP/http)--------(1.1.1.1)R2------------------Internet-------------------(2.2.2.2)R1-------Lan(10.0.0.0)

for R1:


ip name-server 10.0.0.1

interface gi0/0

ip address 10.0.0.254 255.255.255.0

interface gi0/1

ip address 2.2.2.2 255.255.255.0 (internet interface)

ip route 0.0.0.0 0.0.0.0  2.2.2.253

ip nat inside source static 10.0.0.2 2.2.2.3

ip nat inside source static 10.0.0.3 2.2.2.4

R2: (R2 only has one interface which is connected to the internet)


interface gi0/1

ip address 1.1.1.1 255.255.255.0

ip nat outside

ip virtual-reassembly

ip policy route-map Nat-on-Stick

interface Loopback0

ip address 10.11.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

access-list 144 permit ip 1.1.1.0 0.0.0.255 any


route-map Nat-on-Stick permit 10

match ip address 144

set ip next-hop 10.11.0.2

ip nat inside source static 2.2.2.3 1.1.1.2

ip nat inside source static 2.2.2.4 1.1.1.3

Not sure, but this is what I came up with!
