
Easy VPN Server? Hmmm.. Not so Easy...

Rob Cluett
Level 1

I used the Cisco Configuration Professional to add an Easy VPN Server to my 3825. I'm able to connect when remote, but I can't ping the default gateway of 192.168.1.1, which is in the same network as the VPN DHCP pool. I can access every single other device on the VLAN segments but not the default gateway, which means when I connect I can't look at my router. And there's more: I cannot ping anything off-net (i.e. 75.75.75.75). Below is my config. Attached are some images which show some details from the client during the VPN connect and a few from the router (I had to use the LAN switch as a jump host). If you can figure this out before I go back to the coffee shop to test this tomorrow I will send you a cake.

One thing I just thought of: does the Virtual-Template1 interface have to have "ip nat inside" applied?

Current configuration : 12356 bytes
!
! Last configuration change at 17:21:16 EDT Sat Nov 24 2012 by cluettr
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router-wan
!
boot-start-marker
boot system flash:c3825-advipservicesk9-mz.151-4.M5.bin
boot-end-marker
!
!
logging buffered 100000000
enable password xxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone EDT -4 0
!
dot11 syslog
no ip source-route
ip dhcp excluded-address 192.168.1.1 192.168.1.199
ip dhcp excluded-address 172.16.2.1 172.16.2.199
ip dhcp excluded-address 172.16.3.1 172.16.3.199
ip dhcp excluded-address 172.16.4.1 172.16.4.199
!
ip dhcp pool 192.168.1.0
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.1.1
 default-router 192.168.1.1
 lease infinite
!
ip dhcp pool 172.16.2.0
 network 172.16.2.0 255.255.255.0
 dns-server 172.168.2.1
 default-router 172.168.2.1
 lease 0 4
!
ip dhcp pool 172.16.3.0
 network 172.16.3.0 255.255.255.0
 dns-server 172.16.3.1
 default-router 172.16.3.1
 lease infinite
!
ip dhcp pool 172.16.4.0
 network 172.16.4.0 255.255.255.0
 dns-server 172.16.4.1
 default-router 172.16.4.1
 lease 0 4
!
ip dhcp pool 172.16.5.0
 network 172.16.5.0 255.255.255.0
 dns-server 172.16.5.1
 default-router 172.16.5.1
 lease infinite
!
!
!
ip cef
!
!
ip domain name robcluett.net
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
!
voice-card 0
!
!
!
voice service voip
 allow-connections sip to sip
 sip
  registrar server expires max 600 min 60
!
!
!
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-423317436
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-423317436
 revocation-check none
 rsakeypair TP-self-signed-423317436
!
!
!
!
archive
 log config
  hidekeys
vtp domain robcluett.net
vtp mode transparent
vtp version 2
username xxxxxxx privilege 15 secret 5 $1$q8RN$N/gL80J2Rj9qOILvzXPgS.
!
redundancy
!
!
vlan 3-5
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group cisco
 key xxxxxxxxxxxxxxxxxxxx
 dns 75.75.75.75
 domain robcluett.net
 pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
   description "VPN Default Profile for Group Cisco"
   match identity group cisco
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   client configuration group cisco
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
 description "Circuitless IP Address / Router Source IP"
 ip address 172.16.1.1 255.255.255.254
!
interface GigabitEthernet0/0
 description "WAN :: COMCAST via DHCP"
 ip address dhcp client-id GigabitEthernet0/0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 duplex full
 speed 100
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface GigabitEthernet1/0
 description "Uplink to switch-core-lan (Catalyst 2948G-GE-TX)"
 switchport mode trunk
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description "LAN :: VLAN 1 :: PRIVATE 192.168.1.0"
 ip address 192.168.1.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan2
 description "LAN :: VLAN 2 :: PUBLIC 172.16.2.0"
 ip address 172.16.2.1 255.255.255.0
 ip access-group 102 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 description "WLAN :: VLAN 3 :: PRIVATE SSID=wlan-ap-private (not broadcast)"
 ip address 172.16.3.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 description "WLAN :: VLAN 4 :: PUBLIC SSID=wlan-ap-public"
 ip address 172.16.4.1 255.255.255.0
 ip access-group 104 in
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
 rate-limit input 1024000 192000 384000 conform-action transmit exceed-action drop
 rate-limit output 5120000 960000 1920000 conform-action transmit exceed-action drop
!
interface Vlan5
 description "EDMZ :: VLAN 5 :: 10.10.10.0"
 ip address 10.10.10.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan6
 description "IDMZ :: VLAN 6 :: 10.19.19.0"
 ip address 10.19.19.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan7
 description "LAN :: VLAN 7 :: Voice 172.16.5.0
 ip address 172.16.5.1 255.255.255.0
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly in
!
ip local pool SDM_POOL_2 192.168.1.200 192.168.1.254
ip forward-protocol nd
!
ip flow-export source Loopback0
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip dns server
ip nat inside source list 2 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 10.10.10.10 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 10.10.10.51 443 interface GigabitEthernet0/0 443
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp 2
!
logging trap debugging
logging source-interface Loopback0
access-list 2 remark NAT
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 172.16.2.0 0.0.0.255
access-list 2 permit 172.16.3.0 0.0.0.255
access-list 2 permit 172.16.4.0 0.0.0.255
access-list 2 permit 172.16.5.0 0.0.0.255
access-list 2 permit 10.10.10.0 0.0.0.255
access-list 2 permit 10.19.19.0 0.0.0.255
access-list 100 remark WAN Firewall Access List
access-list 100 permit udp any eq bootps any eq bootpc
access-list 100 permit tcp any any eq www
access-list 100 permit udp any eq domain any
access-list 100 permit tcp any any established
access-list 100 deny   ip any any log-input
access-list 102 remark VLAN 2 Prevent Public LAN Access to Other Networks
access-list 102 deny   ip 172.16.2.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 102 deny   ip 172.16.2.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 102 permit ip any any
access-list 104 remark VLAN 4 Prevent Public Wifi Access to Other Networks
access-list 104 deny   ip 172.16.4.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.1.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 104 deny   ip 172.16.4.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 104 permit ip any any
access-list 105 remark VLAN 5 Prevent EDMZ Access to Other Networks
access-list 105 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.2.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.3.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.4.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 172.16.5.0 0.0.0.255 log
access-list 105 deny   ip 10.10.10.0 0.0.0.255 10.19.19.0 0.0.0.255 log
access-list 105 permit ip any any
!
!
!
!
snmp-server trap-source Loopback0
snmp-server location xxxxxxxxxxxxxxxxxxxxx
snmp-server contact xxxxxxxxxxxxxxxxxxxxxxx
!
!
!
!
control-plane
!
!
!
!
mgcp profile default
!
!
!
!
!
telephony-service
 max-conferences 12 gain -6
 web admin system name cluettr password 11363894
 dn-webedit
 transfer-system full-consult
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input telnet ssh
 transport output all
line vty 5 15
 transport input telnet ssh
 transport output all
!
scheduler allocate 20000 1000
ntp logging
ntp source Loopback0
end

router-wan#

Accepted Solution

olpeleri
Cisco Employee

Hello,

Under the virtual-template you should have ip nat inside, and you should make sure the VPN subnet is included in access-list 2.

Cheers,

Olivier


6 Replies


Yes that was it. If I had just gone with my original thought. Thanks so much for the help.

Question though, why can I not get to 192.168.1.1? I can't ping, telnet or SSH to it, and only when connected over the VPN. Is this expected behavior? I am able to get to it, but only if I use the LAN switch or another device as a jump host.

One setting is perfectible:

instead of ip unnumbered Gig0/0

you should use Vlan1 [or any inside VLAN] to avoid any ambiguity [both networks are NAT inside].

Don't forget to mark the question as answered :-)

I was under the impression that using the virtual template and ip unnumbered allows the interface to respond to the DHCP IP provided to Gi0/0 by my ISP. If I were to make, say, VLAN 1 the VPN interface, how would I then access it from the WAN given that it has a NAT'd LAN IP? I guess port forwarding would work, if that would have to be in addition to using a VLAN?

Here's a follow-up question which you or someone might be able to answer for me. Sorry for dumping the added question on you. My ultimate goal is to have a WAN-accessible VPN and a VPN residing on the local LAN. The reason is so I can secure with encryption any wifi clients I have on the LAN (preventing man-in-the-middle attacks) and be secured at, for example, a coffee shop. I'm not sure if there's a means to have the same configured VPN work when attached locally or remotely? And if roaming in regards to a VPN is something that can be achieved...

As an aside, my reasons for going to these lengths for security are valid. I've recently encountered a situation where I was hacked (this is my home network) using a MITM and what I assume to be SSLstrip or some derivative to obtain my email address and password. Wasn't fun, wasn't pretty.

No, what you're referring to is the command

IP unnumbered is just there to build the right CEF adjacency. Having a local LAN address as ip unnumbered fixes a lot of things [it's even mandatory if you're using IKEv2 FlexVPN].

If you don't trust your LAN [wifi], it makes sense to have a VPN in your network segment. Looking at your config, since you don't define a local-address nor a tunnel source, you can connect to any IP address owned by the router.

Cheers,
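The two changes Olivier recommends in this thread, written out against Rob's posted config as an added example (this is not text from the original thread, nor Cisco documentation): the accepted answer's `ip nat inside` on the virtual-template, and the later suggestion to borrow an inside VLAN address with `ip unnumbered` instead of the NAT-outside WAN interface. Interface, ACL, pool and profile names are the ones in the posted config; the `192.168.200.0/24` pool and ACL line are hypothetical, included only to show what would be needed if the pool did not already sit inside a network that access-list 2 permits.

```ios
! Added example, not from the original post: Easy VPN server fix for router-wan
!
! 1. Accepted answer: make the virtual-template a NAT inside interface so
!    traffic from VPN clients towards the Internet is translated out
!    GigabitEthernet0/0 (ip nat outside). Without it, 75.75.75.75 is unreachable
!    from the client while LAN hosts (same NAT domain, no translation) still work.
!    Olivier's follow-up: take the unnumbered address from an inside VLAN rather
!    than the NAT-outside WAN interface, so the tunnel interface is unambiguously
!    "inside". This does not change where IKE/IPsec terminates: with no
!    local-address or tunnel source configured the router still accepts client
!    connections on any of its own addresses, including the DHCP address on Gi0/0.
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
! 2. The NAT ACL must match the addresses handed to VPN clients. In the posted
!    config the pool (192.168.1.200-192.168.1.254) already falls inside
!    "access-list 2 permit 192.168.1.0 0.0.0.255", so nothing needs adding.
!    Had the pool been on its own subnet, e.g. a hypothetical
!    "ip local pool SDM_POOL_2 192.168.200.1 192.168.200.254", the NAT ACL
!    would also need:
access-list 2 permit 192.168.200.0 0.0.0.255
!
! Verification once a client is connected (192.168.1.201 is a constructed
! example client address from the pool):
!   show ip interface Virtual-Access1
!     - NAT should show as enabled with the interface in the inside domain
!   show ip nat translations | include 192.168.1.201
!     - a translation to the Gi0/0 address should appear once the client
!       sends traffic to 75.75.75.75
```

Note that the second change does nothing for the original symptom of not reaching 192.168.1.1 itself from a client; that part of the thread is left unanswered on the page, and the check above only confirms the NAT path for off-net traffic.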

So you can ping other hosts in the 192.168.1.0 network from the VPN client? Compare the routing table and ARP table of such a host with that of the 192.168.1.1 router.

You may need to change the NAT config to include a route-map which excludes the following traffic from NAT:

src 192.168.1.0/24  dst 192.168.1.0/24  (from LAN to VPN client)