cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
163
Views
0
Helpful
5
Replies
Beginner

VPN tunnel

Hello all,

Of course a have a question, otherwise i would not be here ;)

When i have the vpn tunnel up, i can't see the office network (192.168.1.0). I only get the ip address from the vpnpool.

Below part of the config i used (or should i post the entire config?);



aaa authentication login userauthen local
aaa authorization network groupauthor local

username admin privilege 15 secret xxx
username klaas password xxx
username george password xxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key xxx address 0.0.0.0
!
crypto isakmp client configuration group vpnclient
key xxx
dns 8.8.8.8
domain test.local
pool ipvpnpool
acl 105
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set MySet
reverse-route
!
!
crypto map MyMap client authentication list userauthen
crypto map MyMap isakmp authorization list groupauthor
crypto map MyMap client configuration address respond
crypto map MyMap 1 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 86400
set transform-set MySet
match address 101
crypto map MyMap 20 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 192.168.1.248 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
ip tcp adjust-mss 1452
load-interval 30
no autostate
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxx password xxx
crypto map MyMap
!
ip local pool ipvpnpool 192.168.253.10 192.168.253.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
match ip address 103
!
access-list 23 remark Remote_Management
access-list 23 permit 192.168.1.0 0.0.0.255        (local network)
access-list 101 remark Cryptomap-IPSEC-VPN-BM
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark nat rules
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255

1 ACCEPTED SOLUTION

Accepted Solutions
VIP Advocate

You are using the same ACL

You are using the same ACL 101 for both crypto map and nat exemption - which is wrong.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Create a new ACL for nat exemption ( say 102) and have traffic between internal and vpn pool denied and everything else from internal allowed:

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

Then apply it to your NAT overload statement:

no ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer1 overload

PLEASE NOTE: you will lose internet access when making this change, so do it in a downtime and with access to the router internally.

5 REPLIES 5
VIP Advocate

You are using the same ACL

You are using the same ACL 101 for both crypto map and nat exemption - which is wrong.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Create a new ACL for nat exemption ( say 102) and have traffic between internal and vpn pool denied and everything else from internal allowed:

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

Then apply it to your NAT overload statement:

no ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer1 overload

PLEASE NOTE: you will lose internet access when making this change, so do it in a downtime and with access to the router internally.

Beginner

Thanks for your answer, seems

Thanks for your answer, seems logic to me. Don't know why i overlooked that.

Will try it next week when i'm on customer location.

Beginner

Hello Rahul,

Hello Rahul,

These ajustments didn't work, i still can not ping the internal network through the vpn tunnel.

This is the config after adding the 102 access-list;

Current configuration : 4220 bytes
!
! Last configuration change at 10:04:09 gmt Mon Feb 13 2017
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname GRDATA
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200
logging console critical
enable secret 5 $1$tOFw$lUhRf7A/Wob9gpfTITQ2k0
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 1 0
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
no ip domain lookup
ip domain name grdata.local
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license udi pid C881-K9 sn FCZ2005C160
!
!
username admin privilege 15 secret 5 $1$mUyc$Tj9BqoPz4b6b9fjBk0rnU0
username klaas password 7 052C140A385A7E07415556
username george password 7 080F4D58080B1718425F58
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxx address 178.85.x.x
!
crypto isakmp client configuration group vpnclient
 key xxx
 dns 194.151.228.34
 domain grdata.local
 pool ipvpnpool
 acl 105
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set MySet
 reverse-route
!
!
crypto map MyMap client authentication list userauthen
crypto map MyMap isakmp authorization list groupauthor
crypto map MyMap client configuration address respond
crypto map MyMap 1 ipsec-isakmp
 set peer 178.85.x.x
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address 101
crypto map MyMap 20 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.1.248 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip tcp adjust-mss 1452
 load-interval 30
 no autostate
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username PPP password 7 05203621
 crypto map MyMap
!
ip local pool ipvpnpool 192.168.253.10 192.168.253.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 102 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address 103
!
access-list 23 remark Remote_Management
access-list 23 permit 10.11.7.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 46.144.180.1 0.0.0.248
access-list 101 remark Cryptomap-IPSEC-VPN-BM
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark nat rules
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
 logging synchronous
 no modem enable
 escape-character 3
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 logging synchronous
 transport input ssh
 escape-character 3
!
scheduler allocate 20000 1000
!
end
VIP Advocate

What is the following crypto

What is the following crypto map used for?

crypto map MyMap 1 ipsec-isakmp
 set peer 178.85.x.x
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address 101

The reason I am asking this is because it seems to have the matching ACL for the VPN pool network.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Ideally, the VPN falls under the dynamic map and gets established. But this crypto map might be matching your return traffic and causing it to fail. Can you remove the static crypto map if it not being used?

Highlighted
Beginner

can you brief your query?

can you brief your query?