06-29-2013 01:01 AM
I configured my router running Advanced Security to allow VPN connections in, and that part seems to be working. The clients can access the internet fine while connected but cannot reach any of the local LAN. I have been trying all sorts of different things but nothing seems to work. I can ping in either direction: the VPN client can ping a local server and the local server can ping the client. The local server can also SSH to the client. The client cannot reach the web server on any of the servers or SSH to anything on the local LAN. Any ideas? I am thinking that the SSH is getting stuck in NAT, but why is the web server on port 80 not working? It should not be getting stuffed into the NAT rules coming in on the VPN IPs. Any of the other computers on the local network can access this same web server, so I know it is up and working. I am assuming since the server can SSH to the VPN client that the routers are working correctly. Just not sure why the client can't reach the services on the local networks.
Router#sh run
Building configuration...
%The cable modem firmware does not support RIP relay
Current configuration : 8871 bytes
!
! Last configuration change at 02:49:40 CDT Sat Jun 29 2013 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.151-4.M2.bin
boot-end-marker
!
!
no logging buffered
no logging console
no logging monitor
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa authorization network LOCAL_DB_GROUP local
!
!
!
!
!
aaa session-id common
!
clock timezone CST -6 0
clock summer-time CDT recurring
!
dot11 syslog
no ip source-route
!
!
ip cef
ip dhcp excluded-address 192.168.1.1 192.168.1.30
!
ip dhcp pool INTERNAL
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
domain-name home.local
lease 30
!
!
!
ip inspect log drop-pkt
ip inspect max-incomplete low 8000
ip inspect udp idle-time 360
ip inspect dns-timeout 10
ip inspect tcp idle-time 7200
ip inspect tcp block-non-session
ip inspect tcp max-incomplete host 250 block-time 1
ip inspect tcp reassembly queue length 1024
ip inspect tcp reassembly timeout 120
ip inspect name FW-OUT-IN http
ip inspect name FW-OUT-IN imaps
ip inspect name FW-OUT-IN ssh
ip inspect name FW-OUT-IN isakmp
ip inspect name FW-IN-OUT tcp
ip inspect name FW-IN-OUT ftp
ip inspect name FW-IN-OUT h323
ip inspect name FW-IN-OUT rcmd
ip inspect name FW-IN-OUT http
ip inspect name FW-IN-OUT netshow
ip inspect name FW-IN-OUT realaudio
ip inspect name FW-IN-OUT rtsp
ip inspect name FW-IN-OUT sqlnet
ip inspect name FW-IN-OUT streamworks
ip inspect name FW-IN-OUT tftp
ip inspect name FW-IN-OUT udp
ip inspect name FW-IN-OUT vdolive
ip inspect name FW-IN-OUT imaps
ip name-server xxx.xxx.xxx.xxx
ip name-server xxx.xxx.xxx.xxx
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
!
crypto pki token default removal timeout 0
!
!
!
!
license udi pid CISCO2821 sn XXXXXXXXXX
username XXXXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXX
username XXXXXXX password 7 XXXXXXXXXXXXXXXXXXXX
username XXXXXXX password 7 XXXXXXXXXXXXXXXXXXXX
username XXXXXXX password 7 XXXXXXXXXXXXXXXXXXXX
username XXXXXXX password 7 XXXXXXXXXXXXXXXXXXXX
!
redundancy
!
!
!
policy-map global_policy
class class-default
!
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 10
!
crypto isakmp client configuration group HOME
key XXXXXXXXXXXX
dns 8.8.8.8 8.8.4.4
domain XXXXXXXXXXX
pool VPN_POOL
acl 110
!
!
crypto ipsec transform-set VPN_SET esp-aes esp-sha-hmac
!
crypto dynamic-map CLIENT_MAP 1
set transform-set VPN_SET
reverse-route
!
!
crypto map VPN_VPN client authentication list LOCAL_DB
crypto map VPN_VPN isakmp authorization list LOCAL_DB_GROUP
crypto map VPN_VPN client configuration address respond
crypto map VPN_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
!
!
!
!
!
interface GigabitEthernet0/0
description Local-LAN
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
ip tcp adjust-mss 1452
ip policy route-map Cable_Lan
duplex full
speed auto
no cdp enable
!
interface GigabitEthernet0/1
description Local-LAN
ip address 192.168.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache cef
ip tcp adjust-mss 1452
duplex full
speed auto
no cdp enable
!
interface Cable-Modem0/0/0
ip dhcp client client-id ascii Router
ip dhcp client lease 5 0 0
ip address dhcp
ip access-group FIREWALL in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip inspect FW-OUT-IN in
ip inspect FW-IN-OUT out
ip nat outside
ip virtual-reassembly in
crypto map VPN_VPN
!
interface ATM0/1/0
no ip address
shutdown
no atm ilmi-keepalive
hold-queue 224 in
!
ip local pool VPN_POOL 192.168.4.20 192.168.4.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list INTERNAL interface Cable-Modem0/0/0 overload
ip nat inside source static tcp 192.168.1.3 143 interface Cable-Modem0/0/0 143
ip nat inside source static tcp 192.168.1.3 993 interface Cable-Modem0/0/0 993
ip nat inside source static tcp 192.168.1.3 25 interface Cable-Modem0/0/0 25
ip nat inside source static tcp 192.168.1.3 587 interface Cable-Modem0/0/0 587
ip nat inside source static tcp 192.168.1.3 22 interface Cable-Modem0/0/0 22
ip nat inside source list INTERNAL2 interface Cable-Modem0/0/0 overload
ip nat inside source static tcp 192.168.1.3 80 173.31.XXX.XXX 80 extendable
ip default-network 0.0.0.0
ip route 0.0.0.0 0.0.0.0 173.31.XXX.XXX 254
!
ip access-list extended FIREWALL
permit udp host 10.XXX.XXX.XXX eq bootps any eq bootpc
permit tcp any 173.31.0.0 0.0.255.255 eq www log
permit tcp any 173.31.0.0 0.0.255.255 eq 143 log
permit tcp any 173.31.0.0 0.0.255.255 eq pop3 log
permit tcp any 173.31.0.0 0.0.255.255 eq 993 log
permit tcp any 173.31.0.0 0.0.255.255 eq 587 log
permit tcp any 173.31.0.0 0.0.255.255 eq smtp log
permit tcp any 173.31.0.0 0.0.255.255 eq 22 log
permit udp any 173.31.0.0 0.0.255.255 eq 5000 log
permit udp any 173.31.0.0 0.0.255.255 eq isakmp log
permit gre any 173.31.0.0 0.0.255.255 log
permit esp any 173.31.0.0 0.0.255.255 log
permit udp any 173.31.0.0 0.0.255.255 eq non500-isakmp
permit icmp any 173.31.0.0 0.0.255.255 echo-reply
permit icmp any any <-- Temp rule for testing.......
permit tcp any 192.168.4.0 0.0.0.255 log
permit ip any 192.168.4.0 0.0.0.255 log
permit udp any 192.168.4.0 0.0.0.255 log
deny ip any any log
ip access-list extended INTERNAL
deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip any any
ip access-list extended INTERNAL2
deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip any any
!
logging trap debugging
logging 192.168.1.XXX
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
session-timeout 7
exec-timeout 5 0
password 7 XXXXXXXXXXXXXXXX
line aux 0
session-timeout 7
access-class 50 in
exec-timeout 5 0
password 7 XXXXXXXXXXXXXXXX
transport input all
line vty 0 4
session-timeout 7
access-class 50 in
password 7 XXXXXXXXXXXXXXXX
transport input all
!
scheduler allocate 20000 1000
end
06-30-2013 01:24 AM
I no longer need help with this. I configured everything differently to use route maps/ACLs to determine the static NAT translations and also determine the split tunnel. I also discarded INTERNAL2, as there was no need for it.
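Added example, not part of either post above: a small lint, written here to show why the follow-up's route-map fix works, run over a constructed excerpt of the posted running-config. On the inside-to-outside path IOS translates NAT before it consults the crypto map. The dynamic entry is gated by ACL INTERNAL, which denies LAN-to-pool traffic, but the static entries for 192.168.1.3 (ports 143, 993, 25, 587, 22 and 80) have no such gate, so a SYN-ACK from 192.168.1.3:80 or :22 back to a 192.168.4.x client is rewritten to the public address, no longer matches crypto ACL 110 and is never encrypted. Ping and server-initiated SSH use ports with no static entry, which matches the symptoms in the first post. The script flags every ungated static entry whose inside host sits in a network that ACL 110 sends through the tunnel, and prints replacement lines gated by a route-map. The route-map and ACL name NO_NAT_VPN, the placement of the route-map keyword after extendable, and the excerpt itself (with the XXX placeholders kept as posted) are this example's assumptions, not anything from the original config.

```python
"""Lint a Cisco IOS running-config for static NAT entries that rewrite
replies to IPsec VPN clients before the crypto map sees them.

On the inside-to-outside path IOS applies NAT before it checks the crypto map.
A dynamic entry is gated by its ACL (INTERNAL above denies LAN -> VPN pool),
but a static entry has no such gate unless a route-map is attached, so the
SYN-ACK from 192.168.1.3:80 or :22 to a 192.168.4.x client is translated to
the public address, no longer matches crypto ACL 110 and never gets encrypted.
"""
import ipaddress
import re

# Constructed excerpt of the posted running-config (values kept as posted).
CONFIG = """\
crypto isakmp client configuration group HOME
 pool VPN_POOL
 acl 110
ip nat inside source list INTERNAL interface Cable-Modem0/0/0 overload
ip nat inside source static tcp 192.168.1.3 143 interface Cable-Modem0/0/0 143
ip nat inside source static tcp 192.168.1.3 993 interface Cable-Modem0/0/0 993
ip nat inside source static tcp 192.168.1.3 25 interface Cable-Modem0/0/0 25
ip nat inside source static tcp 192.168.1.3 587 interface Cable-Modem0/0/0 587
ip nat inside source static tcp 192.168.1.3 22 interface Cable-Modem0/0/0 22
ip nat inside source static tcp 192.168.1.3 80 173.31.XXX.XXX 80 extendable
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 110 permit ip 192.168.3.0 0.0.0.255 192.168.4.0 0.0.0.255
"""

STATIC_RE = re.compile(
    r"^ip nat inside source static (tcp|udp) (\S+) (\d+) "
    r"(?:interface \S+|\S+) (\d+)(.*)$", re.MULTILINE)
ACL_RE = re.compile(r"^access-list (\d+) permit ip (\S+) (\S+) (\S+) (\S+)\s*$",
                    re.MULTILINE)
GROUP_ACL_RE = re.compile(r"^\s*acl (\d+)\s*$", re.MULTILINE)


def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard pair -> ip_network (contiguous wildcards only)."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def crypto_protected_pairs(cfg):
    """(src_net, dst_net) pairs from the ACL named by the client group's
    'acl' line, i.e. the traffic the client pushes through the tunnel."""
    acl_ids = set(GROUP_ACL_RE.findall(cfg))
    return [(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for num, s, sw, d, dw in ACL_RE.findall(cfg) if num in acl_ids]


def static_nats(cfg):
    """Static NAT lines, their inside host, and whether a route-map gates them."""
    return [{"line": m.group(0), "inside": ipaddress.ip_address(m.group(2)),
             "gated": "route-map" in m.group(5)}
            for m in STATIC_RE.finditer(cfg)]


def find_exposed(cfg):
    """Ungated static entries whose inside host lies in a crypto-protected
    source network; returns (config line, [tunnel destination networks])."""
    pairs = crypto_protected_pairs(cfg)
    exposed = []
    for nat in static_nats(cfg):
        if nat["gated"]:
            continue
        dsts = sorted({str(d) for s, d in pairs if nat["inside"] in s})
        if dsts:
            exposed.append((nat["line"], dsts))
    return exposed


def remediation(cfg, name="NO_NAT_VPN"):
    """Config lines that re-create each exposed static entry gated by a
    route-map whose ACL denies (= do not translate) traffic to the VPN pool.
    The name and the keyword placement after 'extendable' are assumptions."""
    exposed = find_exposed(cfg)
    lines = [f"ip access-list extended {name}"]
    for net in sorted({d for _, ds in exposed for d in ds}):
        n = ipaddress.ip_network(net)
        lines.append(f" deny ip any {n.network_address} {n.hostmask}")
    lines += [" permit ip any any", f"route-map {name} permit 10",
              f" match ip address {name}"]
    for line, _ in exposed:
        lines += [f"no {line}", f"{line} route-map {name}"]
    return lines


if __name__ == "__main__":
    for line, dsts in find_exposed(CONFIG):
        print(f"EXPOSED ({', '.join(dsts)}): {line}")
    print("\n".join(remediation(CONFIG)))
```

Run it as-is to see all six static entries flagged against 192.168.4.0/24, or point CONFIG at a real `show run` dump. The deny in the generated ACL is deliberate: for a static entry with a route-map, a deny means "do not translate", which is exactly what the tunnel-bound replies need so that they still match ACL 110 when the crypto map is checked.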