cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
314
Views
0
Helpful
2
Replies

Cisco Easy VPN Server - Unable to communicate with inside network.

Luke Oxley
Level 1
Level 1
Hello,

I am currently working on my home router to enable me to VPN in remotely using Cisco VPN Client on my laptop when out and about. I am using a Cisco 857w router running IOS 12.3(8r)YI4. The issue I am having, is that with the current configuration I am able to connect to the VPN (an ISAKMP SA and IPsec SA are created) however I cannot pass any traffic from the VPN Client adapter on my laptop to my internal subnet of 10.10.0.0/24. Pings and various other services I've tried are all timing out. Debugging icmp yields no results either. 
I've attached my sanitised configuration below. I'd be really grateful if someone could take a look and point me in the right direction, as this has had me stumped for weeks now and it is something I'd finally like working.
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname <removed>
!
boot-start-marker
boot-end-marker
!
no logging console
no logging monitor
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login AUTHEN local
aaa authorization network AUTHOR local
!
!
aaa session-id common
!
dot11 syslog
!
dot11 ssid <removed>
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 <removed>
!
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.0.1 10.10.0.50
ip dhcp excluded-address 10.10.0.240 10.10.0.254
!
ip dhcp pool LAN_Pool
   network 10.10.0.0 255.255.255.0
   default-router 10.10.0.254
   domain-name <removed>
   dns-server 8.8.8.8
   lease 5
!
!
ip cef
ip inspect name FW_SI icmp
ip inspect name FW_SI http
ip inspect name FW_SI https
ip inspect name FW_SI tcp
ip inspect name FW_SI udp
ip domain name <removed>
ip name-server 8.8.8.8
!
!
!
!
spanning-tree vlan 1 priority 1
username <removed> privilege 15 password 7 <removed>
username <removed> password 7 <removed>
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local EZVPN_POOL
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group <removed>
 key <removed>
 dns 8.8.8.8
 domain <removed>
 pool EZVPN_POOL
 acl 150
!
!
crypto ipsec transform-set EZVPN_TSET1 esp-3des esp-sha-hmac
!
crypto dynamic-map EVPN_MAP1 1
 set transform-set EZVPN_TSET1
 reverse-route
!
!
crypto map EVPN_MAP1 client authentication list AUTHEN
crypto map EVPN_MAP1 isakmp authorization list AUTHOR
crypto map EVPN_MAP1 client configuration address respond
crypto map EVPN_MAP1 1 ipsec-isakmp dynamic EVPN_MAP1
!
archive
 log config
  hidekeys
!
!
ip ssh time-out 5
ip ssh logging events
ip ssh version 2
!
bridge irb
!
!
interface ATM0
 description ## Sky ADSL Interface ##
 no ip address
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 description ## Home LAN Port ##
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet1
 description ## Home LAN Port ##
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet2
 description ## Home LAN Port ##
 duplex full
 speed 100
 spanning-tree portfast
!
interface FastEthernet3
 description ## Downlink trunk to JETSTREAM_SW_01 ##
 shutdown
 duplex full
 speed 100
!
interface Dot11Radio0
 description ## WLAN Interface ##
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid <removed>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 description ## WLAN VLAN Interface ##
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description ## VLAN1 Interface ##
 no ip address
 bridge-group 1
!
interface Dialer0
 description ## Sky ADSL Dialer ##
 ip address negotiated
 ip access-group OUTSIDE_ACCESS_IN in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect FW_SI out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <removed>
 ppp chap password 7 <removed>
 crypto map EVPN_MAP1
!
interface BVI1
 description ## IP Bridge ##
 ip address 10.10.0.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool EZVPN_POOL 172.10.1.10 172.10.1.15
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer0 overload
!
ip access-list extended OUTSIDE_ACCESS_IN
 permit tcp any any eq 22
 permit udp any any eq isakmp
 permit esp any any
 permit udp any any eq non500-isakmp
 permit udp any any eq 10000
 permit tcp any any eq 10000
!
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 150 permit ip 172.10.1.0 0.0.0.255 any
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 0 0
 privilege level 15
 no modem enable
 length 25
 history size 15
 full-help
line aux 0
 exec-timeout 5 0
 privilege level 15
 length 25
 history size 15
 full-help
line vty 0 4
 exec-timeout 5 0
 login authentication AUTHEN
 length 25
 history size 15
 full-help
 transport preferred ssh
 transport input ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
sntp server 143.210.16.201
sntp broadcast client
end
Thanks in advance,
Luke


2 Replies 2

Luke Oxley
Level 1
Level 1
*** UPDATE ***

I have added a few lines of configuration and believe to be a step in the right direction, but still not working. I amended ACL 150 (the VPN ACL) as it was originally incorrect. Also, I have added in a deny to NONAT in ACL 100 for the VPN traffic, I'm still not sure this is needed for Easy VPN but I could be wrong. Lastly I have removed the OUTSIDE_ACCESS_IN ACL from the Dialer0 (outside interface) temporarily for testing purposes.
Interface Dialer0
no ip access-group OUTSIDE_ACCESS_IN in
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 100 deny ip 10.10.0.0 0.0.0.255 172.10.1.0 0.0.0.255
access-list 150 permit ip 10.10.0.0 0.0.0.255 172.10.1.0 0.0.0.255
Now with icmp debugging enabled, when I ping 10.10.0.254 (BVI1, inside interface) from my laptop over the VPN, I can see the router sending echos back to the VPN Client adapter - a good sign. However, the echos never seem to make it back to my laptop. Routing perhaps?
Thanks,
Luke


Luke Oxley
Level 1
Level 1
*** UPDATE ***

I have now resolved this issue. It looks like it is too late in the night for my brain to be ordering access control lists, correctly anyway. As per my last update, I reconfigured and corrected the interesting traffic access control list and added the all important NONAT function. What I failed to recognise is that the access control list for NAT (ACL 100) was ordered wrong. the permit for my internal subnet was above the deny, so this was catching the traffic destined for the tunnel and as such was being NAT'd. I've now amended to the following and the tunnel is up and passing traffic AOK.
no access-list 100
access-list 100 deny ip 10.10.0.0 0.0.0.255 172.10.1.0 0.0.0.255
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
Happy-Chappy. Thanks,
Luke


Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: