cisco867vae-k9 Remote Access VPN issue / zone based firewall / VDSL

bluesteel
Level 1

Hi,

I have an issue with remote access vpn on

device:   cisco867vae-k9
IOS:       Cisco IOS Software, C860 Software (C860VAE-ADVSECURITYK9-M), Version 15.4(3)M5, RELEASE SOFTWARE (fc1)

internet provider plusnet

VDSL and ZBF appear to be working

1. client (an iphone) can connect across internet and pass phase1 and phase2.
2. client receives correct ip addressing 192.168.3.x
3. Isakmp and Ipsec SAs are built
4. route to client injected into routing table next hop via iphone public ip

5. a. ping from iphone to router interfaces 10.10.10.10 192.168.1.253 fail!
b. ping from iphone to router causes encaps and decaps to increment simultaneously but ping times out

6. a. ping from router to iphone fails only encaps increment
b. ping from 192.168.1.x device fails only encaps increment

7. had to put crypto map on dialer 1 and loopback0 to establish connection to loopback0

tried
1. routing 192.168.3.0/24 via loopback0 and dialer1 - fails
2. adding access-list permit ip any any to group ciscovpngrp - fails
3. allow traffic from self to INSIDE - locked myself out of the box lol
4. change VPN_PMAP to pass - fails

do I need to no nat the traffic between 192.168.1.0/24 and 192.168.3.0/24?
do I need ZBF rules between self and inside?
do I need to adjust the MTU? tried ping -l -f 1400 - fails (tried lower fails)

Anybody got any ideas as to why this is failing? many thanks in advance


cisco867vae-k9#sh run
Building configuration...

Current configuration : 6732 bytes
!
! Last configuration change at 05:01:31 GMT Tue Mar 7 2023 by ciscokid
! NVRAM config last updated at 05:13:02 GMT Tue Mar 7 2023 by ciscokid
!
version 15.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname cisco867vae-k9
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$sOEA$Xpi0Eb8z/D0jQkg46Xn2I1
enable password cisco
!
aaa new-model
!
!
aaa authentication login AAA_1 local
aaa authorization network AAA_2 local
!
!
!
!
!
aaa session-id common
wan mode dsl
clock timezone GMT 1 0
!
!
!
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool LOCAL_LAN
 network 192.168.1.0 255.255.255.0
 dns-server 212.159.6.9 212.159.6.10
 default-router 192.168.1.253
!
!
!
ip domain name cisco.local
ip cef
no ipv6 cef
!
!
!
!
!
!
!
!
!
!
!
!
!
username cisco2 privilege 15 password 0 cisco2
username cisco password 0 cisco
!
!
controller VDSL 0
!
!
class-map type inspect match-any VPN_CMAP
 match access-group 100
class-map type inspect match-any INTERNET_CMAP
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect INTERNET_PMAP
 class type inspect INTERNET_CMAP
  inspect
 class class-default
  drop
policy-map type inspect VPN_PMAP
 class type inspect VPN_CMAP
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect INTERNET_PMAP
zone-pair security OUT-TO-SELF source OUTSIDE destination self
 service-policy type inspect VPN_PMAP
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ciscovpngrp
 key cisco123
 dns 212.159.6.9 212.159.6.10
 pool VPN_POOL
!
!
!
crypto ipsec transform-set SET_1 esp-3des esp-md5-hmac
 mode tunnel
!
!
!
!
crypto dynamic-map VPN_MAP_1 10
 set transform-set SET_1
 reverse-route
!
!
crypto map VPN_MAP_1 local-address Loopback0
crypto map VPN_MAP_1 client authentication list AAA_1
crypto map VPN_MAP_1 isakmp authorization list AAA_2
crypto map VPN_MAP_1 client configuration address respond
crypto map VPN_MAP_1 10 ipsec-isakmp dynamic VPN_MAP_1
!
!
!
!
!
interface Loopback0
 ip address 10.10.10.10 255.255.255.255
 crypto map VPN_MAP_1
!
interface ATM0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
interface Ethernet0
 description VDSL-PHYINT
 no ip address
!
interface Ethernet0.101
 description VDSL-SUBINT-VLAN101
 encapsulation dot1Q 101
 pppoe-client dial-pool-number 1
!
interface FastEthernet0
 description WIFI-RTR-PHYINT
 switchport access vlan 2
 no ip address
!
interface FastEthernet1
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface GigabitEthernet0
 no ip address
!
interface GigabitEthernet1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Vlan1
 no ip address
!
interface Vlan2
 description lOCAL-LAN-SVI
 ip address 192.168.1.253 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
!
interface Dialer1
 description VDSL-INTERNET-DVI
 mtu 1492
 bandwidth 20000
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 ppp authentication pap chap ms-chap callin
 ppp chap hostname gilgamesh@plusdsl.net
 ppp chap password 0 gilgamesh
 ppp pap sent-username gilgamesh@plusdsl.net password 0 gilgamesh
 ppp ipcp address accept
 no cdp enable
 crypto map VPN_MAP_1
!
ip local pool VPN_POOL 192.168.3.1 192.168.3.62
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip tftp source-interface Loopback0
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static esp 10.10.10.10 interface Dialer1
ip nat inside source static udp 10.10.10.10 500 interface Dialer1 500
ip nat inside source static udp 10.10.10.10 4500 interface Dialer1 4500
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.3.0 255.255.255.0 Loopback0
ip ssh version 2
!
!
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit 192.168.1.0 0.0.0.255 log
access-list 100 permit udp any host 10.10.10.10 eq isakmp
access-list 100 permit udp any host 10.10.10.10 eq non500-isakmp
access-list 100 permit ahp any host 10.10.10.10
access-list 100 permit esp any host 10.10.10.10
access-list 110 permit ip any any
!
!
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 10 in
 privilege level 15
 password cisco
 transport preferred ssh
 transport input ssh
 transport output ssh
!
scheduler allocate 60000 1000
sntp logging
sntp server 51.89.151.183
sntp server 143.210.16.201
sntp source-interface Dialer1
!
end
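Added example (editor's addition, not part of the original post or a reply to it): one way to answer the two questions the post ends on, a NAT exemption for LAN-to-VPN-pool traffic and zone-pairs that let decrypted client traffic reach the router and the LAN. It reuses the names from the posted config (INSIDE, OUTSIDE, VPN_PMAP, Dialer1, the 192.168.3.1-62 pool) and assumes that, with the crypto map on Dialer1, decrypted client packets enter the firewall from zone OUTSIDE, so they need an OUTSIDE-to-INSIDE zone-pair and a matching class in the OUTSIDE-to-self policy. The names NAT_EXEMPT, NAT_MAP, VPN_CLIENT_TRAFFIC, VPN_CLIENT_CMAP, VPN_TO_LAN_PMAP and OUT-TO-IN are made up for the example. It does not touch the Loopback0/static-NAT arrangement in the post, and it is untested against this exact setup. Separately, anyone reusing the posted config should note that it carries 3DES/MD5 ISAKMP policies and plaintext PPP, login and enable credentials.

```cisco
! --- 1. NAT exemption: LAN -> VPN-pool traffic must not be PATed to the Dialer1 address
!        (replaces "ip nat inside source list 1 interface Dialer1 overload")
ip access-list extended NAT_EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.63
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map NAT_MAP permit 10
 match ip address NAT_EXEMPT
!
no ip nat inside source list 1 interface Dialer1 overload
ip nat inside source route-map NAT_MAP interface Dialer1 overload
!
! --- 2. Class for decrypted client traffic (pool 192.168.3.1-62 lies in 192.168.3.0/26)
ip access-list extended VPN_CLIENT_TRAFFIC
 permit ip 192.168.3.0 0.0.0.63 any
!
class-map type inspect match-any VPN_CLIENT_CMAP
 match access-group name VPN_CLIENT_TRAFFIC
!
! --- 3. OUTSIDE -> self: let client traffic reach router addresses (10.10.10.10, 192.168.1.253).
!        "pass" is one-directional; the reply (self -> OUTSIDE) is allowed because no
!        self-to-OUTSIDE zone-pair exists. The new class lands ahead of class-default.
policy-map type inspect VPN_PMAP
 class type inspect VPN_CLIENT_CMAP
  pass
!
! --- 4. OUTSIDE -> INSIDE: there is no such zone-pair in the post, so ZBF drops it by
!        default. Stateful inspect lets LAN replies back out without an INSIDE->OUTSIDE rule.
policy-map type inspect VPN_TO_LAN_PMAP
 class type inspect VPN_CLIENT_CMAP
  inspect
 class class-default
  drop
!
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect VPN_TO_LAN_PMAP
!
! --- Checks after applying (exec mode):
!   show zone-pair security
!   show policy-map type inspect zone-pair OUT-TO-IN sessions
!   show ip nat translations
!   show crypto ipsec sa | include pkts
```

A route-map "deny" entry in the ACL means "not matched by the route-map", so the LAN-to-pool flow is simply left untranslated rather than blocked; the ordinary internet traffic still hits the overload rule. If the pool range is ever widened beyond .62, the 0.0.0.63 wildcard in both ACLs has to follow it.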

 
