Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1893
Views
0
Helpful
3
Replies

Cisco VPN Client unable to gain access to VPN network resources.

lostrouter
Level 1
Level 1

‎06-19-2012 04:57 AM

I have a Cisco 881 setup with the following VPN config.

crypto isakmp policy 12

encr 3des

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group MyVPN

key myKEY

dns 192.168.1.2

pool vpnuser

acl 101

!

!

crypto ipsec transform-set authenc3 esp-3des esp-md5-hmac

!

crypto dynamic-map dynamo 10

set transform-set authenc3

!

!

crypto map primary client authentication list userauth

crypto map primary isakmp authorization list groupauth

crypto map primary client configuration address respond

crypto map primary 500 ipsec-isakmp dynamic dynamo

!

interface FastEthernet4

crypto map primary

!

ip local pool vpnuser 192.168.1.3

!

ip nat inside source route-map nonat interface FastEthernet4 overload

!

access-list 100 deny   ip 192.168.1.0 0.0.0.31 host 192.168.1.3

access-list 100 deny   ip 192.168.1.32 0.0.0.15 host 192.168.1.3

access-list 100 deny   ip 192.168.1.48 0.0.0.7 host 192.168.1.3

access-list 100 permit ip 192.168.1.0 0.0.0.31 any

access-list 100 permit ip 192.168.1.32 0.0.0.15 any

access-list 100 permit ip 192.168.1.48 0.0.0.7 any

access-list 101 permit ip 192.168.1.0 0.0.0.31 host 192.168.1.3

access-list 101 permit ip 192.168.1.32 0.0.0.15 host 192.168.1.3

access-list 101 permit ip 192.168.1.48 0.0.0.7 host 192.168.1.3

!

!

!

!

route-map nonat permit 10

match ip address 100

!

The client is able to connect just fine to the network via VPN,  but I am unable to gain access to any of the local resources.  I know 192.168.1.1 has SSH running and 192.168.1.50 has telnet running but if I try to connect to either using the correct program they just timeout.   I am not sure what else I can provide,  if you need something please let me know.  I am really at a loss on why the vpn connection connects but I can not gain access to any of the resources on the VPN network.

Labels:
0 Helpful
3 Replies 3

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-19-2012 05:19 AM

Your VPN Client pool should be in a totally different subnet than the internal network. It needs to be a unique subnet, otherwise the internal host is just trying to ARP for it, and it will fail.

0 Helpful

lostrouter
Level 1
Level 1
In response to Jennifer Halim

‎06-19-2012 05:37 AM

Ok I tried the following changes. 

I removed the ACL from my crypto isakmp client config.

I added a new VLAN network 172.16.1.0 /29,  I gave the vpnuser pool 172.16.1.2 - 172.16.1.6.  I also changed my route map acl to the following.

access-list 100 permit ip 192.168.1.0 0.0.0.31 any

access-list 100 permit ip 192.168.1.32 0.0.0.15 any

access-list 100 permit ip 192.168.1.48 0.0.0.7 any

access-list 100 permit ip 172.16.1.0 0.0.0.7 any

Also on an odd note I noticed this in my sh crypto ipsec sa.

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 109, #pkts decrypt: 109, #pkts verify: 109

I assume that means the traffic is being decrypted but not encrypted back to the vpn client?

0 Helpful

Jennifer Halim
Cisco Employee
Cisco Employee
In response to lostrouter

‎06-19-2012 05:45 AM

Yes, that is correct. Looks like the VPN is now up.

You would need to configure NAT exemption on access-list 100:

access-list 100 deny ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.7

Make sure it's above all the permit statements.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents