877W VPN client up, but no traffic

Nick Sinyakov
Level 1

Hi cisco guru,

Help me please to solve a VPN client traffic problem. I'm able to connect to the Cisco, but can't get network access, except to the router.

Also I'd like to block all P2P traffic except 1 IP 192.168.10.7.

Thanks

Here is the output of #show cry ipsec sa

interface: Virtual-Access4
    Crypto map tag: Virtual-Access4-head-0, local addr a.a.a.a

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.10.251/255.255.255.255/0/0)
   current_peer b.b.b.b port 56604
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 26, #pkts decrypt: 26, #pkts verify: 26
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: a.a.a.a, remote crypto endpt.: b.b.b.b
     path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access4
     current outbound spi: 0x66870874(1720125556)

     inbound esp sas:
      spi: 0xBDA0E6DE(3181438686)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 369, flow_id: Motorola SEC 1.0:369, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4543855/3494)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x66870874(1720125556)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 370, flow_id: Motorola SEC 1.0:370, crypto map: Virtual-Access4-head-0
        sa timing: remaining key lifetime (k/sec): (4543859/3494)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

And router's config:

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
no service dhcp
!
hostname router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 52000
logging console critical
enable secret 5 secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network local_auth if-authenticated
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1933852417
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1933852417
revocation-check none
rsakeypair TP-self-signed-1933852417
!
!
crypto pki certificate chain TP-self-signed-1933852417
certificate self-signed 01
      quit
dot11 syslog
!
dot11 ssid WIFI
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 secret
!
no ip source-route
ip cef
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name domain
ip dhcp-server 192.168.10.10
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default L2TP VPDN group
accept-dialin
  protocol l2tp
  virtual-template 1
l2tp tunnel receive-window 256
!
password encryption aes
!
!
username admin privilege 15 secret 5 secret
username n1ck privilege 15 password 7 password
!
!
crypto isakmp policy 1
authentication pre-share
!
crypto isakmp policy 2
authentication pre-share
!
crypto isakmp policy 3
authentication pre-share
!
crypto isakmp policy 4
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
crypto isakmp key 6 key address c.c.c.c
crypto isakmp invalid-spi-recovery
crypto isakmp nat keepalive 10
!
crypto isakmp client configuration group EasyVPN
key 6 key
dns 192.168.10.10
domain domain
pool SDM_POOL_1
acl 100
save-password
include-local-lan
max-users 2
netmask 255.255.255.0
!
crypto isakmp client configuration group ASA
key 6 key
pool SDM_POOL_1
firewall are-u-there
include-local-lan
pfs
max-users 2
max-logins 1
netmask 255.255.255.0
!
crypto isakmp client configuration group VPN
key 6 key
pool DIAL-IN
acl 103
include-local-lan
max-users 2
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group EasyVPN
   match identity group ASA
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile CiscoCP_Profile2-ike-profile-1
   match identity group VPN
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 5
!
!
crypto ipsec transform-set ASA-IPSEC esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 900
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set security-association idle-time 1200
set transform-set ESP-3DES-SHA1
set isakmp-profile CiscoCP_Profile2-ike-profile-1
!
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
set peer c.c.c.c
set transform-set ASA-IPSEC
match address 160
!
crypto ctcp
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map match-any P2P
description Limit P2P speed
match protocol edonkey
match protocol bittorrent
match protocol fasttrack
match protocol gnutella
match protocol kazaa2
class-map match-any BLOCK
match protocol kazaa2
match protocol bittorrent
match protocol edonkey
match protocol gnutella
match protocol fasttrack
!
!
policy-map BLOCK_INTERNET
class BLOCK
  bandwidth 8
!
!
bridge irb
!
!
interface Loopback0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
no ip redirects
no ip unreachables
no ip proxy-arp
pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
switchport mode trunk
!
interface FastEthernet3
!
interface Virtual-Template1
description $FW_INSIDE$
ip unnumbered BVI1
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
peer default ip address dhcp
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2 pap
!
interface Virtual-Template2
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface Virtual-Template3 type tunnel
description $FW_INSIDE$
ip unnumbered Dialer0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template5 type tunnel
description $FW_INSIDE$
ip unnumbered BVI1
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Dot11Radio0
no ip address
ip flow ingress
ip route-cache flow
!
encryption mode ciphers tkip
!
ssid WIFI
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan2
description $FW_INSIDE$
ip address 192.168.11.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface Dialer0
description $OUTSIDE$$FW_OUTSIDE$
ip address negotiated
ip access-group sdm_dialer0_in in
ip access-group 101 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp pap sent-username username password 7 password
ppp ipcp dns request
ppp ipcp route default
crypto map SDM_CMAP_1
service-policy output BLOCK_INTERNET
!
interface Dialer1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
interface BVI1
description $FW_INSIDE$
ip address 192.168.10.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip local pool DIAL-IN 192.168.10.251 192.168.10.253
ip local pool SDM_POOL_1 192.168.10.50 192.168.10.51
no ip classless
ip forward-protocol nd
!
ip flow-cache timeout active 1
ip flow-export source Dot11Radio0
ip flow-export version 9
ip flow-export destination 192.168.10.200 9996
!
ip http server
ip http authentication local
ip http secure-server
ip dns server
ip nat inside source static tcp 192.168.10.19 443 interface Dialer0 443
ip nat inside source static tcp 192.168.10.8 5900 interface Dialer0 5900
ip nat inside source static udp a.a.a.a 500 interface Dialer0 500
ip nat inside source static tcp 192.168.10.130 9090 interface Dialer0 9090
ip nat inside source list NAT_INTERNET interface Dialer0 overload
ip nat inside source static udp a.a.a.a 4500 interface Dialer0 4500
ip nat inside source static tcp 192.168.10.9 1723 interface Dialer0 1723
ip nat inside source static udp 192.168.10.150 514 interface Dialer0 514
ip nat inside source static tcp 192.168.10.150 1468 interface Dialer0 1468
!
ip access-list extended NAT_INTERNET
deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended NAT_INTERNET_1
deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended sdm_dialer0_in
remark CCP_ACL Category=1
permit ahp host c.c.c.c any
remark Allow all
permit ip any any
permit esp host c.c.c.c any
permit udp host c.c.c.c any eq isakmp
permit udp host c.c.c.c any eq non500-isakmp
permit ahp host c.c.c.c any
permit esp host c.c.c.c any
permit ip 192.168.17.0 0.0.0.255 192.168.10.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
deny   ip host 209.239.31.195 any log
deny   ip host 98.108.59.171 any log
!
logging trap debugging
logging 192.168.10.150
access-list 1 remark #NAT INTERNET USERS#
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip host 192.168.10.0 any
access-list 101 remark RULES FOR FW TO INTERNET
access-list 101 deny   ip any host 121.22.6.121 log
access-list 101 deny   ip any host 74.120.10.51 log
access-list 101 deny   ip any host 112.230.192.99 log
access-list 101 deny   ip any host 61.55.167.19 log
access-list 101 permit ip any any
access-list 101 deny   ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.17.0 0.0.0.255 any
access-list 101 remark Cisco_VPN_10000
access-list 101 permit tcp 119.224.0.0 0.0.255.255 any eq 10000 log
access-list 101 remark Cisco_VPN_500
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 remark Cisco_VPN_4500
access-list 101 permit udp any any eq isakmp log
access-list 101 permit tcp any host a.a.a.a eq 81
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip 169.254.0.0 0.0.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.0.2.0 0.0.0.255 any
access-list 101 deny   ip 198.18.0.0 0.1.255.255 any
access-list 101 deny   ip 224.0.0.0 0.15.255.255 any
access-list 101 remark OWA
access-list 101 permit tcp any any eq 443 log
access-list 101 remark VNC port
access-list 101 permit tcp 119.224.0.0 0.0.255.255 any eq 5900 log
access-list 101 remark CRM service 8081
access-list 101 permit tcp any any eq 8081 log
access-list 101 remark Syslog for ASA1
access-list 101 permit udp host c.c.c.c eq syslog any eq syslog
access-list 101 remark Syslog for ASA2
access-list 101 permit udp any any eq syslog
access-list 102 deny   tcp any any eq 445 log
access-list 103 remark CCP_ACL Category=4
access-list 103 permit ip 192.168.10.0 0.0.0.255 any
access-list 115 remark CCP_ACL Category=16
access-list 115 permit ip 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 120 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 130 permit ip 129.168.10.0 0.0.0.255 any
access-list 130 permit ip 192.168.10.0 0.0.0.255 any
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server ifindex persist
no cdp run
!
!
!
route-map nonat permit 10
match ip address 150
!
!
control-plane
!

!

line con 0
no modem enable
line aux 0
line vty 0 4
password 7 password
login authentication local
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

10 Replies

Yudong Wu
Level 7

1. Use an "ip pool" for the VPN client in a subnet which does not overlap with any of your internal networks.

Currently both IP pools overlap with the subnet of interface BVI1.

2. Make sure VPN traffic is bypassed by NAT.

Hi Yudong,

Thanks for the reply. How can I ensure that VPN traffic is bypassing NAT?

Below is your NAT configuration

ip nat inside source list NAT_INTERNET interface Dialer0 overload

ip access-list extended NAT_INTERNET
deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any

So, if you are using an IP pool other than "192.168.10.x", you don't need to do anything. VPN traffic won't be NAT-ed based on your current configuration.

By the way, for blocking P2P, you can do a search on Cisco.com for "block p2p"; you should find some examples there.

Cool. It's working. I've created the pool 192.168.17.50-51 and now I have access to network 192.168.10.0, but I thought that if the new pool was from the remote site-to-site network I would have access to both 192.168.10.0 and 192.168.17.0. My mistake - just to 192.168.10.0.

Can I get access to both networks?

Thanks

Ok. You have to use a subnet which is not used anywhere in your network as the IP pool for the VPN client, say 192.168.200.x. Then, if you would like the VPN client to access both 192.168.10.x (internal network) and 192.168.17.x (remote lan-2-lan VPN site), you need to make the following changes.

1. change your ip pool to 192.168.200.x

2. change your NAT configuration as follows

ip nat inside source list NAT_INTERNET interface Dialer0 overload

ip access-list extended NAT_INTERNET

deny   ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255  <<<< add this

deny   ip 192.168.200.0 0.0.0.255 192.168.17.0 0.0.0.255  <<<< add this
deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any

3. change ACL 160 as follows

access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 160 permit ip 192.168.200.0 0.0.0.255 192.168.17.0 0.0.0.255  <<<< add this

4. You need to change the remote lan-2-lan VPN site ACL as well to add the following

permit ip 192.168.17.0 0.0.0.255 192.168.200.0 0.0.0.255

After the above changes, clear your lan-2-lan VPN tunnel to let it rebuild.

Hi Yudong,

I've added it to both configs, but a ping to 192.168.17.138 replies with

PING: transmit failed. General failure.

On the Secured Networks tab in the Cisco client I have just 192.168.10.0. Is it correct?

Sorry, my bad

You are using split tunnel. You need to add the 192.168.17.x network to ACL 100

access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip host 192.168.10.0 any

access-list 100 permit ip 192.168.17.0 0.0.0.255 any
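As an added illustration of the two replies above (the NAT-exemption change to NAT_INTERNET and the split-tunnel ACL change), and not code from this thread or from Cisco, here is a small Python model of IOS extended ACL evaluation (wildcard masks, first match, implicit deny) run against the amended NAT_INTERNET list and ACL 100. The client pool 192.168.200.x is the reply's suggestion, the sample flows are constructed, and only plain "ip" entries are modelled.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', so compare only the 0 bits."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

def parse_ace(line):
    """Parse 'permit|deny ip <src> <dst>'; each side is 'any', 'host A.B.C.D'
    or 'A.B.C.D WILDCARD'. Protocol/port ACEs are deliberately not modelled."""
    tok = line.split()
    action, proto, rest = tok[0], tok[1], tok[2:]
    if proto != "ip":
        raise ValueError("only 'ip' ACEs are modelled: " + line)
    def take(r):
        if r[0] == "any":
            return ("0.0.0.0", "255.255.255.255"), r[1:]
        if r[0] == "host":
            return (r[1], "0.0.0.0"), r[2:]
        return (r[0], r[1]), r[2:]
    src, rest = take(rest)
    dst, rest = take(rest)
    return action, src, dst

def acl_lookup(acl, src, dst):
    """First matching ACE wins; no match is the implicit deny at the end of every IOS ACL."""
    for line in acl:
        action, (sb, sw), (db, dw) = parse_ace(line)
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

# NAT_INTERNET as amended in the reply (the two new deny lines come first).
NAT_INTERNET = [
    "deny   ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255",
    "deny   ip 192.168.200.0 0.0.0.255 192.168.17.0 0.0.0.255",
    "deny   ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255",
    "deny   ip 192.168.10.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 192.168.10.0 0.0.0.255 any",
]

def is_natted(src, dst):
    """For 'ip nat inside source list': permit means translate; deny or no match means leave alone."""
    return acl_lookup(NAT_INTERNET, src, dst) == "permit"

# Split-tunnel ACL 100 as amended. Note that 'host 192.168.10.0' is a single address (/32).
SPLIT_TUNNEL_100 = [
    "permit ip host 192.168.10.0 any",
    "permit ip 192.168.17.0 0.0.0.255 any",
]

def secured_networks(acl):
    """Source of each permit ACE, as CIDR: what the client lists under Secured Networks.
    Assumes contiguous wildcard masks."""
    nets = []
    for line in acl:
        action, (sb, sw), _ = parse_ace(line)
        if action == "permit":
            prefixlen = 32 - bin(_ip(sw)).count("1")
            nets.append(str(ipaddress.ip_network(f"{sb}/{prefixlen}", strict=False)))
    return nets

if __name__ == "__main__":  # constructed sample flows
    print("client -> L2L site NATted?", is_natted("192.168.200.5", "192.168.17.138"))
    print("LAN -> Internet NATted?", is_natted("192.168.10.20", "203.0.113.5"))
    print("secured networks:", secured_networks(SPLIT_TUNNEL_100))
```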

It's the correct solution:

#show access-lists 103
Extended IP access list 103
    10 permit ip 192.168.10.0 0.0.0.255 any
    20 permit ip 192.168.17.0 0.0.0.255 any

And I changed the firewall for 192.168.9.0

Thanks a lot!

Can you provide the following info?

1. current configuration

2. connect the VPN client to this router and issue several pings to 192.168.17.x, then capture

   show crypto ipsec sa

Sorry for misreading, it looks like the issue has been resolved.

Please ignore my last post.
