cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1129
Views
0
Helpful
3
Replies

Configuring Remote Access VPN

tomocisco
Level 1
Level 1

Dear all,

I need help with configuring remote access vpn. I want some remote users that have internet access on their systems to connect to and access an application server in my corporate head office user cisco vpn client. I am using Cisco 881. I am unable to use SDM to do the configuration because it appears SDM is not supported by the router so I am using command line. I will appreciate any help I can get. Thank you.

Below is the configuration I have:

VPNROUT#sho run
Building configuration...

Current configuration : 6832 bytes
!
! Last configuration change at 10:50:45 UTC Sat May 30 2015 by thomas
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPNROUT
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen1 local
aaa authorization network groupauthor1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1632305899
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1632305899
 revocation-check none
 rsakeypair TP-self-signed-1632305899
!
!
crypto pki certificate chain TP-self-signed-1632305899
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363332 33303538 3939301E 170D3134 30313233 31323132
  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36333233
  30353839 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100BC0C 341CD79B A38572CE 1F0F9A91 F96B133C A889B564 E8352034 1CF5EE4B
  B505616B 6014041B EC498C0A F6C5CD2B F5BF62DA BD6E1C44 0C7B9089 1FD0C6E5
  299CEB40 28CD3F3B ADE3468A B07AAA9F AC42F0A7 4087172A 33C4013D 9A50884D
  5778727E 53A4940E 6E622460 560C5252 F597DD53 3B261584 E45E8776 A848B73D
  92D50203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E85AD0 DEF133D8 E09516FD 0AA5FDAD E10EAB1A FA301D06
  03551D0E 04160414 E85AD0DE F133D8E0 9516FD0A A5FDADE1 0EAB1AFA 300D0609
  2A864886 F70D0101 05050003 818100A5 5B23ED5B 9A380E1F 467ABB03 BAB1070B
  3F1C55AE 71509E8F 7A218377 73089DC1 D32DA585 C5FD7ECE 0D000F96 7F3AB6CC
  E37536A3 1008FBF9 A29329D5 6F76DDC0 AA1C70AE 958AAE5D 32388BE4 2C1C6839
  0369D533 027B612C 8D199C35 C008FE00 F7E1DF62 9C73E603 85C3240A 63611D93
  854A61E2 794F8EF5 DA535DCC B209DA
        quit
!
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.20.0.1 172.20.0.50
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip dhcp pool 1
 network 172.20.0.0 255.255.240.0
 domain-name meogl.net
 default-router 172.20.0.1
 dns-server 172.20.0.4 41.79.4.11 4.2.2.2 8.8.8.8
 lease 8
!
!
!
no ip domain lookup
ip domain name meogl.net
ip name-server 172.20.0.4
ip name-server 41.79.4.11
ip name-server 4.2.2.2
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ1804C3SL
!
!
username thomas privilege 15 secret 4 JXSizd1r/hMqPpGz94vKBb5somtpZLy03k50rJvHO6c
username mowe privilege 15 secret 4 hlfv/rdDRCAeTUzRXbOIfdaKhJCl1onoGdaQeaQsAnw
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group moweclients
 key xxxxxxx
 dns 172.20.0.4
 domain meogl.net
 pool mowepool
!
!
crypto ipsec transform-set moweset esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 1
 set transform-set moweset
 reverse-route
!
!
crypto map mowemap client authentication list userauthen1
crypto map mowemap isakmp authorization list groupauthor1
crypto map mowemap client configuration address respond
crypto map mowemap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 172.30.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 100
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 41.7.8.13 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 ip policy route-map VPN-CLIENT
 shutdown
 duplex auto
 speed auto
 crypto map mowemap
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Vlan100
 ip address 172.20.0.1 255.255.240.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool mowepool 192.168.1.1 192.168.1.100
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map LAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 41.7.8.12
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.20.0.0 0.0.15.255
access-list 100 permit ip 172.20.0.0 0.0.15.255 any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
route-map LAT permit 1
 match ip address 100
 set ip next-hop 41.7.8.12
!
route-map VPN-CLIENT permit 1
 match ip address 144
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
!
end

 

Please will the above config, give me the desired result.

Thanks.

 

1 Accepted Solution

Accepted Solutions

Hello Thomas,

 

I'm glad to hear that you found the configuration example helpful.

I checked your configuration and everything looks ok with it, specially the nat statements.

ip local pool mowepool 192.168.1.1 192.168.1.100

access-list 100 deny   ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.20.0.0 0.0.15.255 any

route-map LAT permit 1
 match ip address 100
 
 ip nat inside source route-map LAT interface FastEthernet4 overload
 
interface Vlan100
 ip address 172.20.0.1 255.255.240.0
 ip nat inside
 ip virtual-reassembly in

 

Try generating ICMP traffic behind your VLAN 100 to the VPN client in order to answer the following questions:

 

- Is the router receiving this traffic from the VLAN100 device?

- Is the router encrypting this traffic after it receives the ICMP packet?

             Router#show crypto ipsec sa can help you with this last question. Look for the encaps/decaps counters. 

- Try the same but the opposite way (from VPN client to device behind VLAN100) to isolate the issue.

 

The following document explains further this crypto commands and debugs if necessary.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#iosdbgs

 

View solution in original post

3 Replies 3

Hello Tomocisco, 

 

You may find the following configuration guide helpful for this. 

 

http://www.cisco.com/c/en/us/support/docs/routers/3600-series-multiservice-platforms/91193-rtr-ipsec-internet-connect.html

Hello Andres,

Thanks for your reply to my discussion. Your input was quite helpful.

I was able to set up the vpn and it shows that it is up. But I cannot ping the internal systems/servers from the remote network over the vpn. Below is my running configuration as well as show crypto isakmp session, show crypto isakmp sa,  please what could be blocking the access.

 

VPNROUT#sho run
Building configuration...

Current configuration : 6814 bytes
!
! Last configuration change at 07:12:13 UTC Mon Jun 1 2015 by thomas
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname VPNROUT
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen1 local
aaa authorization network groupauthor1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-1632305899
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1632305899
 revocation-check none
 rsakeypair TP-self-signed-1632305899
!
!
crypto pki certificate chain TP-self-signed-1632305899
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363332 33303538 3939301E 170D3134 30313233 31323132
  33325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36333233
 --More--


no ip dhcp conflict logging
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 172.20.0.1 172.20.0.50
!
ip dhcp pool ccp-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
ip dhcp pool 1
 import all
 network 172.20.0.0 255.255.240.0
 domain-name meogl.net
 default-router 172.20.0.1
 dns-server 172.20.0.4 41.79.4.11 4.2.2.2 8.8.8.8
 lease 8
!
!
!
no ip domain lookup
ip domain name meogl.net
ip name-server 172.20.0.4
ip name-server 41.79.4.11
ip name-server 4.2.2.2
ip name-server 8.8.8.8
ip cef
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FCZ1804C3SL
!
!
username thomas privilege 15 secret 4 JXSizd1r/hMqPpGz94vKBb5somtpZLy03k50rJvHO6c
username mowe privilege 15 secret 4 hlfv/rdDRCAeTUzRXbOIfdaKhJCl1onoGdaQeaQsAnw
!
!
!
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group moweclients
 key xxxxxxx
 dns 172.20.0.4
 domain meogl.net
 pool mowepool
 acl 101
!
!
crypto ipsec transform-set moweset esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 1
 set transform-set moweset
 reverse-route
!
!
crypto map mowemap client authentication list userauthen1
crypto map mowemap isakmp authorization list groupauthor1
crypto map mowemap client configuration address respond
crypto map mowemap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
 ip address 172.30.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 switchport access vlan 100
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 ip address 41.7.8.13 255.255.255.252
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map mowemap
!
interface Vlan1
 description $ETH_LAN$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
interface Vlan100
 ip address 172.20.0.1 255.255.240.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool mowepool 192.168.1.1 192.168.1.100
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map LAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 41.7.8.12
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 172.20.0.0 0.0.15.255
access-list 100 deny   ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.20.0.0 0.0.15.255 any
access-list 101 permit ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255
no cdp run
!
route-map LAT permit 1
 match ip address 100
!
!
!

!
line con 0
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
!
end

 


VPNROUT#sho crypto session
Crypto session current status

Interface: FastEthernet4
Username: thomas
Group: moweclients
Assigned address: 192.168.1.1
Session status: UP-ACTIVE
Peer: 41.138.178.39 port 59813
  IKEv1 SA: local 41.7.8.13/500 remote 41.138.178.39/59813 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.1.1
        Active SAs: 2, origin: dynamic crypto map

Interface: FastEthernet4
Session status: DOWN-NEGOTIATING
Peer: 41.76.85.74 port 500
  IKEv1 SA: local 41.7.8.13/500 remote 41.76.85.74/500 Inactive


VPNROUT#sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
41.7.8.13    41.138.178.39   QM_IDLE           2001 ACTIVE
41.7.8.13    41.76.85.74     MM_NO_STATE          0 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA

I appreciate your inputs and help to resolve this.

Thanks

Thomas

 

 

Hello Thomas,

 

I'm glad to hear that you found the configuration example helpful.

I checked your configuration and everything looks ok with it, specially the nat statements.

ip local pool mowepool 192.168.1.1 192.168.1.100

access-list 100 deny   ip 172.20.0.0 0.0.15.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 172.20.0.0 0.0.15.255 any

route-map LAT permit 1
 match ip address 100
 
 ip nat inside source route-map LAT interface FastEthernet4 overload
 
interface Vlan100
 ip address 172.20.0.1 255.255.240.0
 ip nat inside
 ip virtual-reassembly in

 

Try generating ICMP traffic behind your VLAN 100 to the VPN client in order to answer the following questions:

 

- Is the router receiving this traffic from the VLAN100 device?

- Is the router encrypting this traffic after it receives the ICMP packet?

             Router#show crypto ipsec sa can help you with this last question. Look for the encaps/decaps counters. 

- Try the same but the opposite way (from VPN client to device behind VLAN100) to isolate the issue.

 

The following document explains further this crypto commands and debugs if necessary.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/5409-ipsec-debug-00.html#iosdbgs