Cannot Access Remote Network Through VPN

android555
Visitor

Hi,

I am trying to set up a router to allow VPN access to my office network. The router is connected to the Internet via VDSL using PPPoE.
There is also a public-facing webserver in the office that needs to be accessible.

I can access the webserver from the Internet and the VPN connects successfully. I can also ping the local network gateway; however, I cannot access any of the local machines.

I'm quite stumped as to why it is not working. Could someone please help?

The router configuration and test results are shown below. Please let me know if you need any further information.

Thanks and regards,
Simon

1. Routing table on router
router#sh ip route
Gateway of last resort is ggg.hhh.125.34 to network 0.0.0.0
      xxx.yyy.zzz.0/29 is subnetted, 1 subnets
C       xxx.yyy.zzz.192 is directly connected, Vlan10
      ggg.hhh.125.0/32 is subnetted, 1 subnets
C       ggg.hhh.125.34 is directly connected, Dialer0
      172.16.0.0/32 is subnetted, 1 subnets
S       172.16.100.50 [1/0] via mmm.nnn.ppp.sss
S*     0.0.0.0/0 [1/0] via ggg.hhh.125.34

2. Pinging from remote PC (172.16.100.50) to local GW (172.16.100.1) successful
> ping 172.16.100.1
Pinging 172.16.100.1 with 32 bytes of data:
Reply from 172.16.100.1: bytes=32 time=24ms TTL=255
Reply from 172.16.100.1: bytes=32 time=10ms TTL=255
Reply from 172.16.100.1: bytes=32 time=10ms TTL=255
Reply from 172.16.100.1: bytes=32 time=11ms TTL=255

3. Pinging from remote PC (172.16.100.50) to local server (172.16.100.10) unsuccessful
> ping 172.16.100.10
Pinging 172.16.100.10 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

4. Ping from router to local server successful
router#ping 172.16.100.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.100.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

5. Show version
Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(15)T1, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 12.3(8r)YH6, RELEASE SOFTWARE (fc1)
router uptime is 1 hour, 9 minutes
System image file is "flash:c181x-advipservicesk9-mz.124-15.T1.bin"
Cisco 1812-J (MPC8500) processor (revision 0x300) with 118784K/12288K bytes of memory.
10 FastEthernet interfaces
1 ISDN Basic Rate interface
Configuration register is 0x2102

6. Router Config
aaa authentication login default local
aaa authentication login VPN local
aaa authorization exec default local
aaa authorization network VPN local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ASI_Group
key mykey
dns aaa.bbb.cccc.ddd
domain mydomain.com
pool VPN_Pool
acl VPN_ACL
!
!
crypto ipsec transform-set TS1 esp-3des esp-sha-hmac
!
crypto dynamic-map DYNMAP 10
set transform-set TS1
reverse-route
!
!
crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYNMAP
!
!
!
ip cef
!
!
!
multilink bundle-name authenticated
!
!
username admin privilege 15 password mypassword
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
description WAN
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet2
description Public_LAN_Interface
switchport access vlan 10
duplex full
speed 100
!
interface FastEthernet6
description Private_LAN_Interface
switchport access vlan 100
duplex full
speed 100
!
interface Vlan1
no ip address
!
interface Vlan10
description Public_LAN
ip address xxx.yyy.zzz.193 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Vlan100
ip address 172.16.100.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
no ip mroute-cache
!
interface Dialer0
ip unnumbered Vlan10
no ip unreachables
ip mtu 1452
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname myhostname
ppp chap password mychappassword
ppp ipcp dns request accept
ppp ipcp route default
ppp ipcp address accept
crypto map VPN
!
ip local pool VPN_Pool 172.16.100.50 172.16.100.60
!
!
no ip http server
no ip http secure-server
!
ip access-list extended VPN_ACL
permit ip 172.16.100.0 0.0.0.255 any
!
dialer-list 1 protocol ip permit
no cdp run
!
!


5 Replies

raga.fusionet
Level 10

Simon,

I don't see any NAT configuration on this router, so I would assume that this is not the default gateway of your network. Most likely you are having a routing problem; you might need to add a route on your default gateway to the VPN Pool via the inside interface of the VPN router. I also noticed that you defined a Pool that overlaps with your internal network; even though it looks like the way to do it, it is not ideal. Ideally you'd need to define your VPN Pool on a network that does not overlap with anything on your physical network. Another thing that I think is wrong is that the VPN ACL is allowing traffic from your internal network to any. Instead it should permit the traffic from your internal network to your VPN Pool.

To sum up, I would advise you to change your Pool to something else, let's say 192.168.100.0, go to your default gateway and add a route to 192.168.100.0 via 172.16.100.1, and finally change your VPN_ACL to reflect the new Pool; it should read something like permit ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255.

Let me know how it goes

Luis Raga
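The two points raised in this reply (a VPN pool that overlaps a connected LAN subnet, and an ACL that should cover the pool) can be checked mechanically against a config dump. This is an added example, not code from the thread; it works on a constructed config modelled on the one posted, with the documentation range 203.0.113.0/24 standing in for the ISP's /29, and it only understands the `network wildcard` and `any` ACL forms used in this thread.

```python
import ipaddress
import re

# Constructed sample modelled on the router config posted in the thread;
# the ISP's /29 is replaced by the documentation range 203.0.113.0/24.
CONFIG_BEFORE = """
interface Vlan10
 ip address 203.0.113.193 255.255.255.248
interface Vlan100
 ip address 172.16.100.1 255.255.255.0
ip local pool VPN_Pool 172.16.100.50 172.16.100.60
ip access-list extended VPN_ACL
 permit ip 172.16.100.0 0.0.0.255 any
"""
# The change suggested in the reply: pool moved off the LAN, ACL narrowed to it.
CONFIG_AFTER = CONFIG_BEFORE.replace(
    "172.16.100.50 172.16.100.60", "192.168.100.50 192.168.100.60").replace(
    "0.0.0.255 any", "0.0.0.255 192.168.100.0 0.0.0.255")
IFACE_RE = re.compile(r"^\s*ip address (\S+) (\S+)", re.M)
POOL_RE = re.compile(r"^\s*ip local pool (\S+) (\S+) (\S+)", re.M)
PERMIT_RE = re.compile(r"^\s*permit ip (\S+) (\S+) (\S+)(?: (\S+))?", re.M)

def interface_subnets(config):
    """Connected subnets from every 'ip address A M' line ('no ip address' is skipped)."""
    return [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in IFACE_RE.findall(config)]

def pool_ranges(config):
    """{pool_name: (first_ip, last_ip)} for each 'ip local pool' line."""
    return {n: (ipaddress.ip_address(lo), ipaddress.ip_address(hi))
            for n, lo, hi in POOL_RE.findall(config)}

def overlapping_pools(config):
    """(pool, subnet) for each pool inside a connected subnet: LAN hosts then treat
    VPN clients as on-link and ARP for them instead of replying via the gateway."""
    return [(n, str(net)) for n, (lo, hi) in pool_ranges(config).items()
            for net in interface_subnets(config) if lo in net or hi in net]

def _wild(addr, wildcard):
    """'any' or 'network wildcard' -> ip_network (wildcard bits are inverted to a netmask)."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    netmask = 0xFFFFFFFF ^ int(ipaddress.ip_address(wildcard))
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(netmask)}", strict=False)

def acl_covers_pool(config, pool):
    """True if some permit line's destination contains the whole pool, so the
    split-tunnel list pushed to the client includes LAN <-> pool traffic."""
    lo, hi = pool_ranges(config)[pool]
    return any(lo in _wild(dst, dwc) and hi in _wild(dst, dwc)
               for _s, _swc, dst, dwc in PERMIT_RE.findall(config))
```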

Hi Luis,

Thank you for your help; I've been struggling with this for a while. I would tend to agree with you that it is a routing problem, but I couldn't see where.

To clarify the network setup, I have a single router (1812) that is connected to my ISP using PPPoE (Dialer0 and Fa0). The ISP gives me a block of 8 IP addresses (219.xxx.yyy.192/29) and requires that I use ip unnumbered on the interface that connects to the ISP. I am using .193 as the gateway address for my network.
I have a webserver on the internal network (.194) and a private network 172.16.100.0/24 which I would like to connect to from a remote PC through VPN. The private network I put on VLAN 100.

Perhaps my understanding of how this all works is not quite right. I assumed I didn't need NAT since the webserver has a public address. I also assumed that the IP address my remote PC gets through the VPN client would be in the same subnet as the private network that I want to connect to, hence: ip local pool VPN_Pool 172.16.100.50 172.16.100.60. Could you confirm whether this is the case or not?

The problem with the changes you suggest is that I also need to add a route to 172.16.100.0 on my remote PC.


Thanks and regards,
Simon

Simon,

Basically, when you connect through a VPN Client your PC's routing table gets updated automatically once the connection gets established, so you don't need to manually add any routes. You can check this by doing a "route print" once you are connected.

Ideally you need to put your VPN Pool on a subnet that does not exist on your physical network; that way the router would be able to route the traffic between the IP pool and the internal subnet.

Now, you said that you have a web server with a Public IP that you need to access through the VPN. Does this host also have a private IP address on 172.16.100.0? If it does, then the ACL that I suggested should work. If it only has a public IP address, then your VPN ACL should have something like

permit ip 172.16.100.0 0.0.0.255 192.168.100.0 0.0.0.255

permit ip 219.xxx.yyy.192 0.0.0.7 192.168.100.0 0.0.0.255

That is telling the router and the client to encrypt any traffic between the subnets behind your router and your VPN pool.

I hope this helps.

Luis Raga

Hi Luis,

Sorry for the late reply, I was bogged down with another project.

I played around with this for a while and made changes as you suggested and it's working now :-))

I changed the VPN pool to ip local pool VPN_Pool 192.168.100.50 192.168.100.60

and used permit ip 172.16.100.0 0.0.0.255 any on the VPN pool. As you said, the route was added to the client and I could access the remote network.

Thank you very much for your help.

Best regards,

Simon

Hey Simon I'm glad to hear that it is working now. Good work

Have fun!

Please remember to mark this question as answered. Thanks!!!