01-31-2014 08:42 AM
I have just configured an 1841 router to connect to our central office as a hardware client in client mode. Normal internal traffic works fine, but when I try to access the subnet in the central office I get the following in the debug output.
The strange thing is that these named access-lists seem to be dynamically generated, as I can view them but not edit them.
*Jan 31 16:00:06.067: IPACL-DP: Pkt matched ACL: CC-VPN_internet-list seq: 10 Action: Deny
*Jan 31 16:00:06.067: IPACL-DP: Pkt matched punt/drop it
*Jan 31 16:00:06.067: IPACL-DP: Pkt matched ACL: CC-VPN_enterprise-list seq: 10 Action: Permit
*Jan 31 16:00:06.067: IPACL-DP: Pkt matched permit it
*Jan 31 16:00:06.067: IPACL-DP: Implicit deny all invoked
Here's the VPN part of the config
crypto ipsec client ezvpn CC-VPN
 connect auto
 group xxxx key xxxx
 mode client
 peer x.x.x.x
 virtual-interface 1
 username xxxx password xxxx
 xauth userid mode local
!
interface FastEthernet0/0
 ip address 10.255.255.248 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 speed auto
 full-duplex
 crypto ipsec client ezvpn CC-VPN inside
!
interface FastEthernet0/1
 ip address x.x.x.x 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn CC-VPN
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
01-31-2014 09:58 AM
Hi,
Ezvpn clients download ACLs from the headend (server) router/ASA. You need to configure 'No NAT' (NAT 0) on the headend router/ASA from the internal networks to the Ezvpn subnets.
hth
MS
01-31-2014 10:46 AM
Hi there,
Thanks for the advice. Software clients work fine, but I guess they already get an IP address from the ASA VPN pool scope, which is in the 192.168.255.0/255.255.255.0 range and is already configured on the ASA as nat0. The router is also getting an IP from this range, but the LAN side is 10.255.255.240/255.255.255.240, so I added this to the same NAT exempt rule; this hasn't resolved it. I would assume this shouldn't matter, as the router is running in client mode, so it should NAT all traffic from the LAN to the 192.168.255.x address which the ASA assigned it? Maybe I need a NAT rule to NAT the VPN interface to the LAN address?
Thanks
Sent from Cisco Technical Support iPad App
01-31-2014 02:42 PM
Hi,
Please post the configs so that forum members can help you with the issue.
Thx
MS
02-01-2014 04:51 AM
Hi There,
Here is the config
!
! Last configuration change at 11:44:32 UTC Sat Feb 1 2014 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip domain name xxxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1253001002
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1253001002
revocation-check none
rsakeypair TP-self-signed-1253001002
!
!
crypto pki certificate chain TP-self-signed-1253001002
certificate self-signed 01
quit
!
!
license udi pid CISCO1841 sn FCZ1103206S
username xxxx privilege 15 secret 5 xxxx
!
redundancy
!
!
controller E1 0/0/0
!
ip ssh version 2
!
!
!
!
!
!
crypto ipsec client ezvpn xxxx-CC
 connect auto
 group xxxx-Prod key xxxx
 mode client
 peer xxx.xxx.xxx.xxx
 username xxxx password xxxx
 xauth userid mode local
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.255.255.248 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 speed auto
 full-duplex
 no mop enabled
 crypto ipsec client ezvpn xxxx-CC inside
!
interface FastEthernet0/1
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn xxxx-CC
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 145.255.244.209 2
ip route 172.16.32.0 255.255.254.0 10.255.255.250
!
logging esm config
access-list 1 permit 172.16.32.0 0.0.1.255
access-list 1 permit 10.255.255.240 0.0.0.15
disable-eadi
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 40 0
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end
02-01-2014 08:14 AM
For some reason the above config has just started working!
I just have one problem left: it seems to generate an access-list on the router, shown below.
Extended IP access list xxxx-CC_enterprise-list
10 permit ip 10.255.255.240 0.0.0.15 any (12 matches)
But I have another subnet coming from a layer 3 switch, which is 172.16.32.0 0.0.1.255, and this cannot access the tunnel until I manually edit the above access-list; but if the tunnel drops, this is cleared.
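As an added illustration (not code from the thread or from Cisco), a small evaluator of IOS wildcard-mask ACL entries that reproduces what the debug output and the generated enterprise-list show: the auto-generated entry only covers the directly connected /28 behind FastEthernet0/0, so traffic sourced from the 172.16.32.0/23 subnet behind the layer 3 switch falls through to the implicit deny until an entry for it exists. The ACL text is constructed from the lines quoted above; the edited variant is an assumption about what the manual edit adds.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples: the auto-generated enterprise-list quoted in the thread
# (as "show ip access-list" prints it) and an assumed version after the manual
# edit that adds the subnet behind the layer 3 switch.
ENTERPRISE_LIST = "10 permit ip 10.255.255.240 0.0.0.15 any (12 matches)"
ENTERPRISE_LIST_EDITED = ENTERPRISE_LIST + "\n20 permit ip 172.16.32.0 0.0.1.255 any"

@dataclass
class Ace:
    seq: int
    action: str               # "permit" or "deny"
    src: Tuple[int, int]      # (address, wildcard) as 32-bit integers
    dst: Tuple[int, int]

def _parse_spec(tokens: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr, wild = ipaddress.IPv4Address(tokens[i]), ipaddress.IPv4Address(tokens[i + 1])
    return (int(addr), int(wild)), i + 2

def parse_acl(text: str) -> List[Ace]:
    """Parse 'SEQ permit|deny ip SRC DST [(N matches)]' lines into ACEs."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split("(")[0].split()  # drop the "(N matches)" counter
        seq, action, proto = int(tokens[0]), tokens[1], tokens[2]
        if proto != "ip" or action not in ("permit", "deny"):
            raise ValueError(f"unsupported entry: {line}")
        src, i = _parse_spec(tokens, 3)
        dst, _ = _parse_spec(tokens, i)
        aces.append(Ace(seq, action, src, dst))
    return aces

def _matches(spec: Tuple[int, int], ip: str) -> bool:
    addr, wild = spec
    mask = wild ^ 0xFFFFFFFF  # wildcard 0 bits must match, 1 bits are don't-care
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """First-match evaluation; ("deny", None) is the implicit deny all."""
    for ace in aces:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action, ace.seq
    return "deny", None
```

Running `evaluate` with a 10.255.255.x source returns the permit at sequence 10, while a 172.16.32.x source against the unedited list returns the implicit deny, which is the "Implicit deny all invoked" line in the debug output.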