Cisco VPN Client unable to gain access to VPN network resources.

lostrouter
Level 1

I have a Cisco 881 setup with the following VPN config.

crypto isakmp policy 12
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group MyVPN
 key myKEY
 dns 192.168.1.2
 pool vpnuser
 acl 101
!
!
crypto ipsec transform-set authenc3 esp-3des esp-md5-hmac
!
crypto dynamic-map dynamo 10
 set transform-set authenc3
!
!
crypto map primary client authentication list userauth
crypto map primary isakmp authorization list groupauth
crypto map primary client configuration address respond
crypto map primary 500 ipsec-isakmp dynamic dynamo
!
interface FastEthernet4
 crypto map primary
!
ip local pool vpnuser 192.168.1.3
!
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 100 deny   ip 192.168.1.0 0.0.0.31 host 192.168.1.3
access-list 100 deny   ip 192.168.1.32 0.0.0.15 host 192.168.1.3
access-list 100 deny   ip 192.168.1.48 0.0.0.7 host 192.168.1.3
access-list 100 permit ip 192.168.1.0 0.0.0.31 any
access-list 100 permit ip 192.168.1.32 0.0.0.15 any
access-list 100 permit ip 192.168.1.48 0.0.0.7 any
access-list 101 permit ip 192.168.1.0 0.0.0.31 host 192.168.1.3
access-list 101 permit ip 192.168.1.32 0.0.0.15 host 192.168.1.3
access-list 101 permit ip 192.168.1.48 0.0.0.7 host 192.168.1.3
!
!
!
!
route-map nonat permit 10
 match ip address 100
!

The client is able to connect just fine to the network via VPN, but I am unable to gain access to any of the local resources. I know 192.168.1.1 has SSH running and 192.168.1.50 has telnet running, but if I try to connect to either using the correct program they just time out. I am not sure what else I can provide; if you need something, please let me know. I am really at a loss on why the VPN connection connects but I cannot gain access to any of the resources on the VPN network.

3 Replies

Jennifer Halim
Cisco Employee

Your VPN Client pool should be in a totally different subnet than the internal network. It needs to be a unique subnet, otherwise the internal host is just trying to ARP for it, and it will fail.

OK, I tried the following changes.

I removed the ACL from my crypto isakmp client config.

I added a new VLAN network 172.16.1.0/29 and gave the vpnuser pool 172.16.1.2 - 172.16.1.6. I also changed my route-map ACL to the following.

access-list 100 permit ip 192.168.1.0 0.0.0.31 any
access-list 100 permit ip 192.168.1.32 0.0.0.15 any
access-list 100 permit ip 192.168.1.48 0.0.0.7 any
access-list 100 permit ip 172.16.1.0 0.0.0.7 any

Also, on an odd note, I noticed this in my sh crypto ipsec sa output.

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 109, #pkts decrypt: 109, #pkts verify: 109

I assume that means the traffic is being decrypted but not encrypted back to the VPN client?

Yes, that is correct. Looks like the VPN is now up.

You would need to configure NAT exemption on access-list 100:

access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.7

Make sure it's above all the permit statements.
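The two points made in the replies (the client pool must not overlap the LAN, and the NAT-exemption deny must sit above the permits because an IOS ACL is evaluated top-down with first match winning) can be checked offline before touching the router. The script below is an added example, not code from the thread or from Cisco. It parses extended `access-list` lines in Cisco wildcard-mask syntax with Python's standard `ipaddress` module and evaluates them the way a `route-map`-driven `ip nat inside source` does: a permit means the flow is translated, a deny (explicit or the implicit one at the end) means it is not. The ACL text, the internal subnet list and the sample addresses are constructed copies of values quoted in the thread; 203.0.113.10 is a documentation address standing in for an internet host.

```python
"""Check NAT-exemption ACL ordering and VPN pool overlap for an IOS-style config.

Constructed example: models the two points raised in the replies using the
stdlib ipaddress module and Cisco wildcard-mask ACL syntax.
"""
import ipaddress

# ACL 100 as posted after the pool was moved to 172.16.1.0/29 (constructed copy).
ACL_BEFORE_FIX = """
access-list 100 permit ip 192.168.1.0 0.0.0.31 any
access-list 100 permit ip 192.168.1.32 0.0.0.15 any
access-list 100 permit ip 192.168.1.48 0.0.0.7 any
access-list 100 permit ip 172.16.1.0 0.0.0.7 any
"""

# The same ACL with the suggested NAT-exemption deny placed above every permit.
ACL_AFTER_FIX = (
    "access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.7\n" + ACL_BEFORE_FIX
)

# Internal LAN subnets implied by the wildcard masks in the original config.
INTERNAL_SUBNETS = ["192.168.1.0/27", "192.168.1.32/28", "192.168.1.48/29"]


def wildcard_to_network(addr, wildcard):
    """Translate a Cisco address/wildcard pair into an ip_network.

    ipaddress accepts hostmask (wildcard) notation directly, but it treats an
    all-zero mask as a /0 netmask, so the Cisco meaning (exact host) must be
    special-cased. Non-contiguous wildcards such as 0.0.255.0 are not a single
    network and make ip_network raise ValueError, which is left to propagate.
    """
    if wildcard == "0.0.0.0":
        return ipaddress.ip_network(f"{addr}/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)


def _parse_addr(tokens, i):
    """Consume one address specifier (any | host X | addr wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue  # only extended IP entries are modelled here
        action = tokens[2]
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst))
    return entries


def first_match(entries, src_ip, dst_ip):
    """ACL entries are evaluated top-down and the first match wins; an unmatched
    packet hits the implicit deny at the end of the list."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"


def would_be_natted(entries, src_ip, dst_ip):
    """route-map nonat matches ACL 100: permit means the flow is translated,
    deny (explicit or implicit) means it leaves the router untranslated."""
    return first_match(entries, src_ip, dst_ip) == "permit"


def exemption_before_permits(entries, pool_cidr):
    """Because first match wins, the deny that exempts LAN-to-pool traffic only
    works if no earlier entry can match traffic destined to the pool."""
    pool = ipaddress.ip_network(pool_cidr)
    for action, _src, dst in entries:
        if dst.overlaps(pool):
            return action == "deny"
    return True  # nothing matches pool traffic: implicit deny, so no translation


def pool_overlaps(pool_cidr, internal_cidrs):
    """Return the internal subnets a VPN pool collides with; a non-empty result
    is the situation where LAN hosts ARP for the client address and never get
    an answer, because the address is reached through the tunnel, not the LAN."""
    pool = ipaddress.ip_network(pool_cidr)
    return [c for c in internal_cidrs if pool.overlaps(ipaddress.ip_network(c))]


if __name__ == "__main__":
    before, after = parse_acl(ACL_BEFORE_FIX), parse_acl(ACL_AFTER_FIX)
    # The original single-address pool 192.168.1.3 sits inside 192.168.1.0/27.
    print("pool overlap (old pool):", pool_overlaps("192.168.1.3/32", INTERNAL_SUBNETS))
    print("pool overlap (new pool):", pool_overlaps("172.16.1.0/29", INTERNAL_SUBNETS))
    # The telnet host 192.168.1.50 replying to a VPN client: translated before
    # the fix (so the reply never reaches the client), exempt after it.
    print("LAN->client NATed before fix:", would_be_natted(before, "192.168.1.50", "172.16.1.3"))
    print("LAN->client NATed after fix: ", would_be_natted(after, "192.168.1.50", "172.16.1.3"))
    # Internet-bound LAN traffic is still translated after the fix.
    print("LAN->internet NATed after fix:", would_be_natted(after, "192.168.1.50", "203.0.113.10"))
    print("exemption ordered correctly:", exemption_before_permits(after, "172.16.1.0/29"))
```

The `#pkts decaps: 109 / #pkts encaps: 0` counters quoted earlier are exactly what this model predicts for the unfixed ACL: client packets arrive and are decrypted, but the LAN replies match a `permit` in ACL 100, get translated to the FastEthernet4 address and never re-enter the tunnel. Running the script against your own ACL text (paste it into `ACL_BEFORE_FIX`) shows whether the deny is in the right place before you apply it.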