05-17-2012 01:10 PM
Hello all,
I'm in the process of setting up a working VPN/Firewall setup on an 881W ISR. I have the firewall, NAT, and VPN working, and I'm able to connect remotely to my router. The problem I am having is that none of my VPN clients can connect to the internet. I suspect that my firewall rules may have something to do with this. Let me break down what I have, and what I want to achieve:
1. My router is set up with VLAN1 (172.16.1.0/24) as the inside zone (in-zone), while my outside zone (out-zone) is FastEthernet4 (DHCP WAN Interface). I also have a guest zone (guest-zone) VLAN12 (192.168.12.0/24) used for my guest SSID wireless, which is NATed to the outside zone.
2. I have my EasyVPN set up using a Virtual Template Interface that terminates at the WAN interface FastEthernet4 (something tells me this should be changed). Should I terminate at VLAN1, or an interface or loopback on VLAN1?
3. I ultimately want the VPN users to be able to connect to the local resources on VLAN1 only, while being able to get out to the internet.
I thank you in advance for any insight you may be able to bring.
Here is my configuration attached below:
R1-881W#show run
Building configuration...
Current configuration : 11449 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1-881W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1234567890
!
!
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
CERTIFICATE
quit
no ip source-route
!
!
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
!
ip dhcp pool Private
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 172.16.1.1 255.255.255.0
!
ip dhcp pool Guest
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1 255.255.255.0
!
!
ip cef
no ip bootp server
ip domain name lab.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
!
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
!
!
username someuser privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group GROUPNAME
key somesharedkey
pool SDM_POOL_1
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group GROUPNAME
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
inspect
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security guest-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-self source out-zone destination self
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination guest-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn1 source guest-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security guest-zone
!
ip local pool SDM_POOL_1 172.168.1.100 172.168.1.120
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
!
ip access-list extended GUEST-TO-OUTSIDE_ACL
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CWarning! Authorized Access Only!^C
!
line con 0
password 7 xxxxxxxxxxxxxxx
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 xxxxxxxxxxxxxxx
transport input telnet ssh
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
05-17-2012 01:14 PM
I'm also finding that I can't reach certain SSL web-management pages on my VLAN1 (172.16.1.0/24) network. Not sure what is causing this.
EDIT: I figured out that for my SSL web-management pages I had the wrong default gateway set. Once I corrected this, they worked perfectly.
05-17-2012 01:56 PM
Add ip nat inside on the VTI interface. Be sure you have a valid ZPF policy between the VPN zone and the out-zone.
05-18-2012 06:08 AM
Thank you. As for my other question about where to terminate the VPN tunnel, here is my current config:
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
Is there any reason why I shouldn't terminate the VPN tunnel at interface FastEthernet4 (WAN interface)? If not, what would you recommend and why?
05-18-2012 01:12 PM
Hi Patrick,
Currently all of the IPsec SAs will belong to the VTI and not the physical interface, since you are using a DVTI implementation, so what do you mean by your question?
cheers.
Mohammad.
05-18-2012 02:44 PM
I guess I misunderstood the purpose of the "ip unnumbered FastEthernet4" statement under the VTI. I changed it to point to VLAN1 anyway...
I'm still having trouble where VPN clients cannot browse the internet. I gave the VTI a DNS server to give out. I'm working on understanding the firewall rules for the ezvpn zone. I got rid of all zone-pairs that connect the ezvpn zone to the guest zone as well. I'll post my latest config shortly.
05-18-2012 03:01 PM
R1-881W#show run
Building configuration...
Current configuration : 11297 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname R1-881W
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-1234567890
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1234567890
revocation-check none
rsakeypair TP-self-signed-1234567890
!
!
crypto pki certificate chain TP-self-signed-1234567890
certificate self-signed 01
CERTIFICATE
quit
no ip source-route
!
!
ip dhcp excluded-address 172.16.1.1 172.16.1.200
ip dhcp excluded-address 192.168.12.200 192.168.12.254
!
ip dhcp pool Private
import all
network 172.16.1.0 255.255.255.0
default-router 172.16.1.1
dns-server 172.16.1.1 255.255.255.0
!
ip dhcp pool Guest
network 192.168.12.0 255.255.255.0
default-router 192.168.12.1
dns-server 192.168.12.1 255.255.255.0
!
!
ip cef
no ip bootp server
ip domain name lab.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
ip name-server 8.8.8.8
login block-for 120 attempts 5 within 60
login delay 3
!
no ipv6 cef
!
multilink bundle-name authenticated
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]
!
!
username someuser privilege 15 secret 5 xxxxxxxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group GROUPNAME
key GROUPKEY
dns 68.94.157.1
pool SDM_POOL_1
max-users 5
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group GROUPNAME
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh version 2
!
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all GUEST-TO-OUTSIDE_CMAP
match access-group name GUEST-TO-OUTSIDE_ACL
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 101
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect GUEST-TO-OUTSIDE_PMAP
class type inspect GUEST-TO-OUTSIDE_CMAP
inspect
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
inspect
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security guest-zone
zone security ezvpn-zone
zone-pair security ccp-zp-out-self source out-zone destination self
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-self-out source self destination out-zone
zone-pair security ccp-zp-guest-out source guest-zone destination out-zone
service-policy type inspect GUEST-TO-OUTSIDE_PMAP
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-ezvpn2 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface Loopback0
no ip address
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description ISP Connection$FW_OUTSIDE$
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
no cdp enable
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface wlan-ap0
description Service module to manage the enbedded AP
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
interface Vlan11
description $FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
!
interface Vlan12
description Guest Vlan$FW_INSIDE$
ip address 192.168.12.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security guest-zone
!
ip local pool SDM_POOL_1 172.168.1.100 172.168.1.120
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
no ip http server
ip http authentication local
ip http secure-server
!
!
ip dns server
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
!
ip access-list extended GUEST-TO-OUTSIDE_ACL
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
no cdp run
!
!
!
!
!
control-plane
!
banner login ^CWarning! Authorized Access Only!^C
!
line con 0
password 7 xxxxxxxxxxxxxxx
logging synchronous
no modem enable
transport output telnet
line aux 0
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password 7 xxxxxxxxxxxxxxx
transport input telnet ssh
transport output telnet
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
05-18-2012 03:40 PM
Doing more digging it looks like the local crypto endpoint is the IP of my WAN DHCP interface (FastEthernet4) when I have ip unnumbered vlan1 specified under my VTI. Is this normal?
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
I changed the WAN IP to 12.34.56.78 for this example below:
R1-881W#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
12.34.56.78 192.168.1.102 QM_IDLE 2001 0 ACTIVE
IPv6 Crypto ISAKMP SA
R1-881W#show crypto ipsec sa
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 12.34.56.78
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.168.1.100/255.255.255.255/0/0)
current_peer 192.168.1.102 port 4108
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 151, #pkts decrypt: 151, #pkts verify: 151
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 6
local crypto endpt.: 12.34.56.78, remote crypto endpt.: 192.168.1.102
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x3E45F5DE(1044772318)
inbound esp sas:
spi: 0xE663CFEA(3865300970)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4502296/3407)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x3E45F5DE(1044772318)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4502318/3407)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
05-19-2012 12:45 AM
Hello Patrick,
Can you change the following:
interface Virtual-Template1 type tunnel
ip unnumbered fastethernet 4
ip nat inside
ip virtual-reassembly
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
I would like you to add the following command:
ip inspect log drop-pkt
This will show us all the logs regarding the firewall implementation. Based on this we will know if the issue is due to the ZBFW...
Just do a show logging and we will see the logs, but I do not think this is an issue with the ZBFW.
Regards,
Do rate all the helpful posts
Julio
05-19-2012 05:41 PM
Hello jcarvaja,
I made the changes, and here is some sample output below. I tried web browsing with a VPN client, and I could not get to any websites, and there was NO output to the log when I tried to browse the web.
<190>554579: 3725687: *May 20 01:24:53.257 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:25:01.218
<190>554580: 3725688: *May 20 01:25:23.421 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:25:31.375
<190>554581: 3725689: *May 20 01:25:53.489 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:26:01.437
<190>554582: 3725690: *May 20 01:26:32.409 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:26:40.359
<190>554583: 3725691: *May 20 01:27:25.461 UTC: %FW-6-DROP_PKT: Dropping tcp session 12.34.56.78:51736 72.163.5.80:443 due to RST inside current window with ip ident 0 172.16.1.1 19/05 19:27:33.421
<190>554584: 3725692: *May 20 01:28:00.189 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:28:08.140
<190>554585: 3725693: *May 20 01:28:30.389 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:28:38.343
<190>554586: 3725694: *May 20 01:29:02.501 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:29:10.453
<190>554587: 3725695: *May 20 01:30:04.809 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:30:12.765
<191>554588: 3725696: *May 20 01:30:53.065 UTC: ISAKMP:(0):Support for IKE Fragmentation not enabled 172.16.1.1 19/05 19:31:00.328
<190>554589: 3725697: *May 20 01:30:53.373 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0 172.16.1.1 19/05 19:31:01.328
<189>554590: 3725698: *May 20 01:31:10.533 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up 172.16.1.1 19/05 19:31:18.500
<188>554591: 3725699: *May 20 01:31:12.225 UTC: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=12.34.56.78, prot=50, spi=0x94040000(2483290112), srcaddr=192.168.1.109 172.16.1.1 19/05 19:31:20.187
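The drop messages above are easier to read once they are collapsed per flow and checked against the VPN pool, which is what the poster was really asking of the log: are any of the dropped sessions the clients' web traffic, or only NetBIOS broadcasts from the client's home LAN? This is an added example, not the poster's or Cisco's code; the sample lines are constructed in the shape of the messages posted, and the pool network is taken from the first config.

```python
"""Summarise IOS %FW-6-DROP_PKT messages and check whether any involve the VPN client pool.
Constructed example, not the poster's or Cisco's code."""
import ipaddress
import re
from collections import Counter

# Constructed sample in the shape of the drop messages posted in the thread.
SAMPLE_LOG = """
<190>554579: *May 20 01:24:53.257 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0
<190>554580: *May 20 01:25:23.421 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0
<190>554583: *May 20 01:27:25.461 UTC: %FW-6-DROP_PKT: Dropping tcp session 12.34.56.78:51736 72.163.5.80:443 due to RST inside current window with ip ident 0
<190>554584: *May 20 01:28:00.189 UTC: %FW-6-DROP_PKT: Dropping udp session 192.168.1.109:137 192.168.1.255:137 due to policy match failure with ip ident 0
<189>554590: *May 20 01:31:10.533 UTC: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
"""

# Five-tuple and reason, as IOS prints them: "Dropping <proto> session <src>:<port> <dst>:<port> due to <reason> with ip ident ..."
DROP_RE = re.compile(
    r"%FW-6-DROP_PKT: Dropping (?P<proto>\w+) session "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"due to (?P<reason>.+?) with ip ident"
)


def parse_drops(text):
    """Yield one dict per DROP_PKT line; other syslog lines (LINEPROTO, CRYPTO, ...) are ignored."""
    for line in text.splitlines():
        m = DROP_RE.search(line)
        if m:
            yield m.groupdict()


def summarize(text):
    """Count drops by (proto, src, dst, dport, reason) so repeated broadcast noise collapses to one row."""
    return Counter(
        (d["proto"], d["src"], d["dst"], d["dport"], d["reason"]) for d in parse_drops(text)
    )


def drops_touching(text, cidr):
    """Return drops whose source or destination lies in the given network, e.g. the VPN pool.
    An empty result for the pool means the ZBFW is not what is eating the clients' traffic."""
    net = ipaddress.ip_network(cidr)
    return [
        d for d in parse_drops(text)
        if ipaddress.ip_address(d["src"]) in net or ipaddress.ip_address(d["dst"]) in net
    ]


if __name__ == "__main__":
    for key, count in summarize(SAMPLE_LOG).most_common():
        print(count, *key)
    # Pool as configured in the first posted config (172.168.1.x).
    print("drops involving the pool:", len(drops_touching(SAMPLE_LOG, "172.168.1.0/24")))
```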
05-22-2012 02:51 AM
Did I mention that I always rate posts AFTER my problem is solved?
05-22-2012 09:42 AM
Hello Patrick,
Looks like the ZBFW is unable to build a session with the unencrypted traffic.
Your Easy VPN users can connect to the local LAN but they cannot go to the internet, so this looks like a routing issue.
What happens if you disable the ZBFW? Does it work?
Regards,
Julio
05-31-2012 12:44 PM
Patrick -
Try changing your default route to the ASA/PIX outside interface where the VPN terminates, i.e.,
you now have
ip route 0.0.0.0 0.0.0.0 dhcp
Try changing it to -
In this example 192.XXX.XXX.XXX is your public IP for the outside interface of your ASA -
ip route 0.0.0.0 0.0.0.0 192.XXX.XXX.XXX
ip route 192.XXX.XXX.XXX 255.255.255.255 dhcp
See if that works, once the tunnel is established, I do believe the ASA will route.
05-31-2012 02:00 PM
Hi Patrick,
Your "GROUPNAME" group is missing the ACL variable for split tunneling, so split the tunnel and your remote VPN users will have access to web browsing on their PCs.
crypto isakmp client configuration group GROUPNAME
key somesharedkey
pool SDM_POOL_1
max-users 5
netmask 255.255.255.0
acl 99
access-list 99 permit 192.168.20.0 0.0.0.255
Please let me know, if this helps.
thanks
Rizwan Rafeek
12-08-2012 08:03 PM
I took some time away from this to do other things, but now have had the time to actually get this working.
Looks like I have it working finally. I can reach the stuff on the inside and I can also NAT to the internet now.
Here is what I did:
I changed this:
ip local pool SDM_POOL_1 172.168.1.100 172.168.1.120
and
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
to this:
ip local pool SDM_POOL_1 172.16.2.100 172.16.2.120
and
ip access-list extended NAT_ALLOWED
permit ip 172.16.1.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip 172.16.2.0 0.0.0.255 any
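The fix the thread ended with is three small consistency conditions: the client pool must be a real private range (172.168.x was a typo for 172.16.x), the NAT inside-source ACL must match that pool, and the VTI needs ip nat inside plus a zone-pair towards the outside zone. The following added example (not the poster's or Cisco's code) audits a running-config for exactly those conditions; both config excerpts are constructed from what was posted, and it only understands the config forms used in this thread.

```python
"""Audit an IOS running-config for the VPN-client-to-internet path discussed in this thread.
Constructed example, not Cisco or forum code; it only understands the config forms used here."""
import ipaddress
import re

# Constructed excerpt mirroring the first posted config: pool typed as 172.168.x instead of
# 172.16.x, pool absent from NAT_ALLOWED, and no 'ip nat inside' on the VTI.
ORIGINAL = """
ip local pool SDM_POOL_1 172.168.1.100 172.168.1.120
ip nat inside source list NAT_ALLOWED interface FastEthernet4 overload
ip access-list extended NAT_ALLOWED
 permit ip 172.16.1.0 0.0.0.255 any
 permit ip 192.168.12.0 0.0.0.255 any
interface FastEthernet4
 ip nat outside
 zone-member security out-zone
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 zone-member security ezvpn-zone
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
"""
# The same excerpt with the three changes the thread ended with (constructed).
FIXED = (ORIGINAL.replace("172.168.1.100 172.168.1.120", "172.16.2.100 172.16.2.120")
         .replace(" permit ip 192.168.12.0 0.0.0.255 any\n",
                  " permit ip 192.168.12.0 0.0.0.255 any\n permit ip 172.16.2.0 0.0.0.255 any\n")
         .replace(" zone-member security ezvpn-zone\n", " ip nat inside\n zone-member security ezvpn-zone\n"))

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_blocks(text):
    """Split IOS config into (header, children) pairs; children are the indented lines."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def acl_networks(children):
    """Convert 'permit ip <net> <wildcard> any' entries to networks. A wildcard is an inverted
    mask, so the prefix length is 32 minus the number of one bits (0.0.0.255 -> /24)."""
    nets = []
    for line in children:
        if line == "permit ip any any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
        elif m := re.match(r"permit ip (\S+) (\S+) any$", line):
            prefix = 32 - bin(int(ipaddress.IPv4Address(m.group(2)))).count("1")
            nets.append(ipaddress.ip_network((m.group(1), prefix), strict=False))
    return nets


def audit(text):
    """Return human-readable findings; an empty list means the client path looks consistent."""
    pool = nat_acl = outside_if = None
    acls, ifaces, zone_pairs = {}, {}, set()
    for header, children in parse_blocks(text):
        if m := re.match(r"ip local pool \S+ (\S+) (\S+)$", header):
            pool = (ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2)))
        elif m := re.match(r"ip nat inside source list (\S+) interface (\S+)", header):
            nat_acl, outside_if = m.group(1), m.group(2)
        elif m := re.match(r"ip access-list extended (\S+)$", header):
            acls[m.group(1)] = acl_networks(children)
        elif m := re.match(r"interface (\S+)", header):
            ifaces[m.group(1)] = children
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", header):
            zone_pairs.add((m.group(1), m.group(2)))
    if pool is None:
        return ["no 'ip local pool' found; clients cannot be assigned addresses"]
    findings = []
    # Both ends of the pool must be private and must be matched by the NAT ACL.
    if not all(any(ip in n for n in PRIVATE) for ip in pool):
        findings.append(f"pool {pool[0]}-{pool[1]} is outside RFC 1918 space (typo?)")
    if not all(any(ip in n for n in acls.get(nat_acl, [])) for ip in pool):
        findings.append(f"pool {pool[0]}-{pool[1]} is not matched by NAT ACL {nat_acl}")
    vti_zone = out_zone = None
    for name, lines in ifaces.items():
        zone = next((c.split()[-1] for c in lines if c.startswith("zone-member security")), None)
        if name.startswith("Virtual-Template"):
            vti_zone = zone
            if "ip nat inside" not in lines:
                findings.append(f"{name} lacks 'ip nat inside'; client traffic is never translated")
        elif name == outside_if:
            out_zone = zone
    if vti_zone and out_zone and (vti_zone, out_zone) not in zone_pairs:
        findings.append(f"no zone-pair from {vti_zone} to {out_zone}; the ZBFW drops client traffic")
    return findings
```

Running audit(ORIGINAL) reports the pool, NAT ACL and VTI problems; audit(FIXED) returns an empty list.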