1841 remote access vpn not working right. (nat/split tunnel issue maybe?!?)

isupport4u
Level 1

Hello there,

This is very strange. I have set up remote access on our 1841 device, with split tunnel.

Now I am able to connect via the VPN tunnel, and even ping and telnet into the Cisco device, but when I try to ping any device past the 1841, the ping fails and no traffic is even being encrypted to go over the VPN (looking at the VPN client statistics).

From the Cisco's side, pings to the VPN client are failing, yet I see the VPN client in the routing table.

Any ideas as to what I may be missing would be greatly appreciated.

Thanks,

J.

Here is my config:


cisco1841#sh run
Building configuration...

Current configuration : 7682 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname cisco1841
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $*********************
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!        
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip cef
!
!
!
!...
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip ips notify SDEE
!
!
crypto pki trustpoint TP-self-signed-2667044945
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2667044945
revocation-check none
rsakeypair TP-self-signed-2667044945
!
!
crypto pki certificate chain TP-self-signed-2667044945
certificate self-signed 01
xxxxxxxx
x
x
x
x
  quit
username       xxxxxxx
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
!
crypto isakmp client configuration group XXXXXXX
key **************
dns 192.168.1.9 4.2.2.2
domain ***********
pool SDM_POOL_1
acl 150
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$INTF-INFO-FE 0$$FW_INSIDE$LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1
description $ETH-WAN$$FW_OUTSIDE$WAN
ip address 69..x.x. 255.255.255.192
ip access-group 102 in
ip verify unicast reverse-path
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!        
interface FastEthernet0/0/0
shutdown
!        
interface FastEthernet0/0/1
shutdown
!
interface FastEthernet0/0/2
shutdown
!
interface FastEthernet0/0/3
shutdown
!
interface Vlan1
no ip address
!
ip local pool SDM_POOL_1 192.168.2.2 192.168.2.12
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 69.x.x.x
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip any any
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
!
control-plane
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end

cisco1841#
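As an added check (not from the thread or from Cisco), the script below parses the parts of the posted configuration that a split-tunnel remote-access setup depends on and verifies that the address pool, the NAT-exemption ACL behind the route-map and the split-tunnel ACL agree for every pool address. It assumes the constructed excerpt embedded below and a LAN host at 192.168.1.9 (the DNS server from the config); the function names are the example's own.

```python
import ipaddress, re
# Constructed excerpt of the config in the post: the lines tying split-tunnel ACL, pool and NAT together.
CONFIG = """\
crypto isakmp client configuration group XXXXXXX
 acl 150
ip local pool SDM_POOL_1 192.168.2.2 192.168.2.12
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 150 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

def endpoint(tokens):
    """Parse one ACL endpoint ('any' or 'ADDR WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))
    return ipaddress.IPv4Network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def acl_entries(config, number):
    """Return [(action, src_net, dst_net)] for the 'ip' entries of an extended ACL."""
    out = []
    for action, rest in re.findall(rf"^access-list {number}\s+(permit|deny)\s+ip\s+(.+)$", config, re.M):
        src, rest = endpoint(rest.split())
        out.append((action, src, endpoint(rest)[0]))
    return out

def first_match(entries, src_ip, dst_ip):
    for action, src, dst in entries:  # IOS ACLs are evaluated first-match
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"  # implicit deny at the end of every IOS ACL

def check_split_tunnel(config, lan_host):
    """List pool addresses the NAT ACL would still translate or the split-tunnel ACL omits."""
    lo, hi = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M).groups()
    split = acl_entries(config, re.search(r"^\s*acl (\d+)", config, re.M).group(1))
    rmap = re.search(r"^ip nat inside source route-map (\S+)", config, re.M).group(1)
    nat = acl_entries(config, re.search(rf"^route-map {rmap} permit \d+\n\s*match ip address (\d+)", config, re.M).group(1))
    host, findings = ipaddress.IPv4Address(lan_host), []
    for n in range(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)) + 1):
        client = ipaddress.IPv4Address(n)
        if first_match(nat, host, client) != "deny":
            findings.append(f"{host} -> {client}: no NAT exemption, LAN replies would be translated")
        if first_match(split, host, client) != "permit":
            findings.append(f"{host} -> {client}: not in split-tunnel ACL, client will not protect it")
    return findings
```

An empty result means the three pieces agree for every pool address, which is the case for the posted config; removing the `deny` line from ACL 100 makes the check report every pool address as NATted.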

4 Replies

andamani
Cisco Employee

Hi,

The configuration is fine.

Can you please check that the internal network behind the router knows the route to get to the client, i.e. a route on the L3 device, if any, for the VPN client pointing to the router.

Also, you mentioned that the traffic is not passing through the VPN client when you try to ping. What do you see there? No increase in the packets encrypted counter in the statistics of the VPN client?

Do you see the network 192.168.1.0 in the secured routes of the route details of VPN client?

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Hello Anisha,

Thanks for the reply, to answer your questions:

Can you please check that the internal network behind the router knows the route to get to the client, i.e. a route on the L3 device, if any, for the VPN client pointing to the router.

     - Yes, the router is able to ping all internal resources with no problem; all clients are pointing to the router as their gateway.

Also, you mentioned that the traffic is not passing through the VPN client when you try to ping. What do you see there? No increase in the packets encrypted counter in the statistics of the VPN client?

     - When I try to ping over the VPN tunnel, there are no packets being encrypted. It looks like the packets are going to the internet instead.

     The only device I am able to ping and get packet increments from is the router's IP address; for any other device I try to ping, no packets are being encrypted (I see "no route to host" on my device), yet in the routing table I am able to see the VPN clients' IP addresses, but cannot ping them.

Do you see the network 192.168.1.0 in the secured routes of the route details of the VPN client?

     - Yes I do, which is why this is strange for me.

Thanks in advance, and let me know if you have any other ideas.

Regards,

Jonathan

Hi,

Can you please attach a screenshot of the route print from the client?

Ping the internal host and check if the following counter is increasing:

VPN Client > Status > Statistics > Tunnel Details > Packets > Encrypted, Decrypted and Bypassed.

Also check if the firewall on the client is dropping the packets. Try turning it off.

Hope this helps.

Regards,

Anisha

P.S.: please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Hey there,

There is only a count in Bypassed when trying to ping internal resources, except when pinging the router; only then do I see packets being encrypted and decrypted.

There is no firewall on the client's side.

J.