02-01-2010 08:33 PM
I am trying to configure a Cisco 871W router to terminate connections from a Cisco VPN client.
I can successfully connect to the VPN Router using the Cisco VPN client version 4.8.02.10.
However... I can't access ANY resources on the network.
I tried ping, traceroute and remote desktop... nothing.
Have I messed up some ACL or is this a routing issue?
Is it a NAT issue?
Here is my config:
Thanks in advance....
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dr0ff
!
boot-start-marker
boot-end-marker
!
enable secret 5 *********
enable password 7 *********
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remoteusers local
aaa authorization exec default local
aaa authorization network remotegroup local
!
!
aaa session-id common
!
crypto pki trustpoint T*********
enrollment selfsigned
subject-name *********
revocation-check none
rsakeypair *********
!
!
crypto pki certificate chain *********
certificate self-signed *********
dot11 syslog
!
dot11 ssid office
vlan 1
authentication open
authentication key-management wpa
guest-mode mbssid guest-mode
wpa-psk ascii 7 *********
dot11 ssid office guest-mode
authentication open
wpa-psk ascii 7 *********
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.0.116 192.168.0.254
!
ip dhcp pool Internal-net
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 1.2.3.4
domain-name dr.off
lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name dr.off
ip name-server 1.2.3.4
!
!
!
!
username batman privilege 15 password 7 *********
username robin privilege 15 password 7 *********
username joker privilege 4 secret 5 *********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group remotegroup
key *********
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 45
!
!
ssid office
!
ssid office guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 deny tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any log
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 *********
no modem enable
line aux 0
line vty 0 4
password 7 *********
!
scheduler max-task-time 5000
end
02-02-2010 04:18 PM
Hi Tan,
Just replace the line
ip nat inside source list 1 interface FastEthernet4 overload
with
ip nat inside route-map nonat interface FastEthernet4 overload
02-02-2010 10:28 PM
I tried that command and received an error message
then I entered this command
ip nat inside source route-map nonat interface FastEthernet4 overload
There was no error, but I can't access any resources on the LAN.
I can't even ping my default gateway, 192.168.25.2.
Ethernet adapter Local Area Connection 8:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . xxxxxxxxxxx
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.25.1
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.25.2
I can however ping the Public Internet address that I receive by DHCP from my ISP.
Can it be an ACL blocking all the traffic?
02-05-2010 08:29 AM
Ok
Got this to work.
I am replying in the thread so hopefully it will help someone else in the future.
Thanks to everyone that contributed.
After pudawat replied to add the parameter
ip nat inside route-map nonat interface FastEthernet4 overload
I found that I needed to add "source"
ip nat inside source route-map nonat interface FastEthernet4 overload
Then I enabled the logging on the VPN client and found
"AddRoute failed to add a route. code 87"
I then found the following:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_24164731.html
I upgraded my VPN client to 5.0.06.0160
Connected immediately.
Thanks again to all....
Here is the final working config:
------------------------------------------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname dr0ff
!
boot-start-marker
boot-end-marker
!
enable secret 5 *********
enable password 7 *********
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remoteusers local
aaa authorization exec default local
aaa authorization network remotegroup local
!
!
aaa session-id common
!
crypto pki trustpoint T*********
enrollment selfsigned
subject-name *********
revocation-check none
rsakeypair *********
!
!
crypto pki certificate chain *********
certificate self-signed *********
dot11 syslog
!
dot11 ssid office
vlan 1
authentication open
authentication key-management wpa
guest-mode mbssid guest-mode
wpa-psk ascii 7 *********
dot11 ssid office guest-mode
authentication open
wpa-psk ascii 7 *********
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.100
ip dhcp excluded-address 192.168.0.116 192.168.0.254
!
ip dhcp pool Internal-net
import all
network 192.168.0.0 255.255.255.0
default-router 192.168.0.1
dns-server 1.2.3.4
domain-name dr.off
lease 4
!
!
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ip domain lookup
ip domain name dr.off
ip name-server 1.2.3.4
!
!
!
!
username batman privilege 15 password 7 *********
username robin privilege 15 password 7 *********
username joker privilege 4 secret 5 *********
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group remotegroup
key *********
pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set transform-1
reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
ip address dhcp
ip access-group 101 in
ip inspect MYFW out
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1460
duplex auto
speed auto
no cdp enable
crypto map dynmap
!
interface Dot11Radio0
no ip address
no dot11 extension aironet
!
encryption vlan 1 mode ciphers tkip
!
broadcast-key vlan 1 change 45
!
!
ssid office
!
ssid office guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2462
station-role root
no cdp enable
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description Internal Network
no ip address
ip nat inside
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
description Bridge to Internal Network
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool dynpool 192.168.25.1 192.168.25.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
!
ip http server
ip http secure-server
ip nat inside source route-map nonat interface FastEthernet4 overload
!
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 deny tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 deny tcp any any eq 139 log
access-list 101 deny udp any any eq netbios-ns log
access-list 101 deny udp any any eq netbios-dgm log
access-list 101 deny udp any any eq netbios-ss log
access-list 101 deny icmp any any fragments
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any log
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.0.255 any
!
!
route-map nonat permit 10
match ip address 110
!
!
control-plane
!
bridge 1 route ip
!
line con 0
password 7 *********
no modem enable
line aux 0
line vty 0 4
password 7 *********
!
scheduler max-task-time 5000
end
02-05-2010 09:46 AM
Hi Tan,
I missed the command to add "source" in it.
The essence is to NAT-EXEMPT the traffic from the LAN network to the VPN local pool.
Cheers!
Thanks,
Pradhuman
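The NAT-exemption point above, as an added example that is not part of the thread: a small Python simulation of the router's two NAT policies, using the ACL entries from the posted config (access-list 1, access-list 110 and route-map nonat). It shows that with `list 1` a LAN host's reply to a VPN client in 192.168.25.0/24 is translated (and so leaves via the ISP instead of the IPsec tunnel), while the route-map's deny entry exempts it; the ACL names and flow samples are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Addressing from the posted config: LAN 192.168.0.0/24, VPN pool 192.168.25.1-5.
LAN_NET = "192.168.0.0 0.0.0.255"    # network + wildcard, as in access-list 1 / 110
VPN_POOL = "192.168.25.0 0.0.0.255"  # destination wildcard from access-list 110


def wildcard_match(addr: str, spec: str) -> bool:
    """Cisco wildcard-mask match: bits set in the wildcard are 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


@dataclass
class Ace:
    action: str          # "permit" or "deny"
    src: str
    dst: str = "any"     # standard ACLs only look at the source


# access-list 1 permit 192.168.0.0 0.0.0.255
ACL_1 = [Ace("permit", LAN_NET)]
# access-list 110 deny ip 192.168.0.0 0.0.0.255 192.168.25.0 0.0.0.255
# access-list 110 permit ip 192.168.0.0 0.0.0.255 any
ACL_110 = [Ace("deny", LAN_NET, VPN_POOL), Ace("permit", LAN_NET)]


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for ace in acl:
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return ace.action == "permit"
    return False


def nat_translates(policy: str, src: str, dst: str) -> bool:
    """Would 'ip nat inside source <policy> interface FastEthernet4 overload'
    translate this inside-to-outside flow? A permitted packet is translated."""
    if policy == "list 1":
        return acl_permits(ACL_1, src, dst)
    if policy == "route-map nonat":   # route-map nonat permit 10 / match ip address 110
        return acl_permits(ACL_110, src, dst)
    raise ValueError(f"unknown NAT policy: {policy}")
```

Because IOS applies inside NAT before the crypto map on the outside interface, a translated reply no longer carries a private source address and is never sent back through the tunnel; the route-map keeps the LAN-to-pool flow untranslated while Internet-bound flows are still overloaded.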