02-21-2003 01:06 PM - edited 02-21-2020 12:22 PM
What am I overlooking? I have tried other posts, investigated known bugs with 12.2(13)T1, etc. to apply workarounds, but maybe my other configuration choices are interfering with my VPN setup.
I can establish a connection, authenticate locally, just fine. Cisco VPN client 3.6.3 stats show that I am encrypting traffic on the protected networks, but I can't get any traffic through to internal hosts once I've connected.
I've removed the security tags and replaced all public IP addresses with bogus ones in hopes that someone can point me to the obvious!
Thanks much.
----------
Current configuration : 5508 bytes
!
! Last configuration change at 22:24:38 PST Thu Feb 20 2003 by kevin
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip domain name mydomain.com
ip name-server 199.13.28.12
ip name-server 199.13.29.12
!
ip inspect audit-trail
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0_1 tcp
ip inspect name Ethernet_0_1 udp
ip inspect name Ethernet_0_1 cuseeme
ip inspect name Ethernet_0_1 ftp
ip inspect name Ethernet_0_1 h323
ip inspect name Ethernet_0_1 rcmd
ip inspect name Ethernet_0_1 realaudio
ip inspect name Ethernet_0_1 smtp
ip inspect name Ethernet_0_1 streamworks
ip inspect name Ethernet_0_1 vdolive
ip inspect name Ethernet_0_1 sqlnet
ip inspect name Ethernet_0_1 tftp
ip inspect name Ethernet_0_1 http java-list 99
ip inspect name Ethernet_0_1 rtsp
ip inspect name Ethernet_0_1 netshow
ip inspect name Ethernet_0_0 tcp
ip inspect name Ethernet_0_0 ftp
ip inspect name Ethernet_0_0 udp
ip audit notify log
ip audit po max-events 100
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group vpngroup
key xxxxxxxxx
dns 199.13.28.12 199.13.29.12
domain mydomain.com
pool vpnpool
acl 110
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
mta receive maximum-recipients 0
!
!
interface Ethernet0/0
description connected to Internet
ip address 199.201.44.198 255.255.255.248
ip access-group 101 in
ip nat outside
ip inspect Ethernet_0_0 in
no ip route-cache
no ip mroute-cache
half-duplex
crypto map clientmap
!
interface Serial0/0
no ip address
shutdown
!
interface Ethernet0/1
description connected to Private
ip address 192.168.1.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip inspect Ethernet_0_1 in
half-duplex
!
ip local pool vpnpool 192.168.2.201 192.168.2.210
ip nat translation timeout 119
!!
!!--removed next line for VPN configuration
!!ip nat inside source list 1 interface Ethernet0/0 overload
!!--replaced with the following line...
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip nat inside source static 192.168.1.1 199.201.44.197
ip classless
ip route 0.0.0.0 0.0.0.0 199.201.44.193 permanent
ip http server
ip http access-class 7
ip http authentication local
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 5 permit 192.5.41.40
access-list 5 permit 192.5.41.41
access-list 5 deny any
access-list 7 permit 192.168.1.0 0.0.0.255
access-list 7 deny any
access-list 99 deny any
access-list 100 permit udp any eq rip any eq rip
access-list 100 permit tcp host 192.168.1.1 any eq www
access-list 100 permit ip host 192.168.1.1 any
access-list 100 permit tcp host 192.168.1.2 any eq www
access-list 100 permit ip host 192.168.1.2 any
access-list 100 deny ip host 192.168.1.253 any
access-list 100 permit ip any any
access-list 101 deny ip host 199.201.44.197 any
access-list 101 permit tcp any host 199.201.44.197 eq 22
access-list 101 permit tcp any host 199.201.44.197 eq www
access-list 101 permit tcp any host 199.201.44.197 eq 115
access-list 101 permit icmp any host 199.201.44.197
access-list 101 permit ip any host 199.201.44.198
access-list 101 permit tcp any host 199.201.44.197 eq 8000
access-list 101 permit tcp any host 199.201.44.197 eq 8080
access-list 101 permit tcp any host 199.201.44.197 eq 9090
access-list 101 permit udp any host 199.201.44.197 eq 7070
access-list 101 permit udp any host 199.201.44.197 eq 554
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
match ip address 115
!
line con 0
exec-timeout 0 0
password 7 XXXXXXXXXXXXXXX
line aux 0
line vty 0 4
password 7 XXXXXXXXXXXXXXXX
!
ntp clock-period 17208655
ntp source Ethernet0/0
ntp access-group peer 5
ntp access-group serve-only 7
ntp master 3
ntp server 192.5.41.41
ntp server 192.5.41.40
!
end
----------
02-23-2003 05:17 PM
Config looks OK, you should be able to get to every internal host EXCEPT 192.168.1.1 with this setup. If you do a "sho cry ipsec sa", do you see Pkts Decaps incrementing, indicating you're seeing the traffic from the remote client? Do you see Pkts Encaps incrementing, indicating you're sending a reply back out to the client from the internal host?
As for 192.168.1.1, because you have this:
> ip nat inside source static 192.168.1.1 199.201.44.197
it overrides this:
> ip nat inside source route-map nonat interface Ethernet0/0 overload
for this host only, and so return traffic for just this host is still NAT'd even though you don't want it to be. To get around it you have to send traffic from this host through a loopback interface with no NAT enabled on it; this stops it being NAT'd and allows you to connect to it over the VPN. You can see http://www.cisco.com/warp/public/707/static.html for a detailed explanation, but basically you need to add this:
! Loopback with no "ip nat inside": traffic policy-routed through it
! is re-routed out Ethernet0/0 without hitting the static translation.
interface loopback 0
 ip address 1.1.1.1 255.255.255.0
!
interface ethernet0/1
 ip policy route-map static
!
route-map static permit 10
 match ip address 120
 set ip next-hop 1.1.1.2
!
! Only the static-NAT host's traffic towards the VPN pool is policy-routed.
access-list 120 permit ip host 192.168.1.1 192.168.2.0 0.0.0.255
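As an added illustration (not part of the original thread and not Cisco tooling), the following Python script parses the NAT-relevant lines of the posted config and reports the two conditions the reply above describes: a route-map ACL that fails to exempt inside-to-VPN-pool traffic from overload NAT, and a static translation, which IOS applies ahead of the route-map rule and which therefore still translates that host's replies to VPN clients. The sample input is a constructed excerpt of the config above using the poster's bogus addresses; the function names and finding codes are my own.

```python
"""Lint an IOS config for the NAT-vs-VPN-client problem discussed in this thread.

Two checks on the 'ip nat inside source route-map nonat ... overload' pattern:
  1. the route-map's ACL must deny inside-net -> VPN-pool traffic, so replies
     to VPN clients are not PAT'd out the outside interface, and
  2. no host in the inside net may have 'ip nat inside source static', because
     IOS applies that translation regardless of the route-map rule.
"""
import ipaddress

# Constructed sample: the NAT-relevant lines from the posted config (same
# bogus public addresses the poster used). This is test input, not a device.
SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.2.201 192.168.2.210
ip nat inside source route-map nonat interface Ethernet0/0 overload
ip nat inside source static 192.168.1.1 199.201.44.197
access-list 115 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 115 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 115
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_addr(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) from tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.IPv4Network(tokens.pop(0) + "/32")
    return wildcard_to_network(tok, tokens.pop(0))


def parse_config(text):
    """Extract pools, extended-ACL 'ip' entries, route-maps and NAT rules."""
    cfg = {"pools": {}, "acls": {}, "route_maps": {}, "dynamic_nat": [], "static_nat": {}}
    route_map = None
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if line.startswith(" "):  # sub-command of the current route-map
            if route_map and t[:3] == ["match", "ip", "address"]:
                cfg["route_maps"][route_map].extend(t[3:])
            continue
        route_map = None
        if t[:3] == ["ip", "local", "pool"]:
            cfg["pools"][t[3]] = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
        elif t[:4] == ["ip", "nat", "inside", "source"] and t[4] == "static":
            cfg["static_nat"][t[5]] = t[6]
        elif t[:4] == ["ip", "nat", "inside", "source"] and t[4] == "route-map":
            cfg["dynamic_nat"].append(t[5])
        elif t[0] == "access-list" and t[3] == "ip":
            rest = t[4:]  # evaluated left to right: source spec, then destination spec
            cfg["acls"].setdefault(t[1], []).append((t[2], parse_addr(rest), parse_addr(rest)))
        elif t[0] == "route-map":
            route_map = t[1]
            cfg["route_maps"].setdefault(route_map, [])
    return cfg


def acl_permits(entries, src_ip, dst_ip):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action == "permit"
    return False


def check_vpn_nat(cfg, inside_net, pool_name):
    """Return (code, subject) findings for traffic from inside_net to VPN clients."""
    inside_net = ipaddress.IPv4Network(inside_net)
    client = cfg["pools"][pool_name][0]        # any pool address will do
    probe = inside_net.network_address + 10    # an ordinary inside host
    findings = []
    for rm in cfg["dynamic_nat"]:
        for acl in cfg["route_maps"].get(rm, []):
            # If the route-map ACL permits inside->pool, the overload rule PATs it.
            if acl_permits(cfg["acls"].get(acl, []), probe, client):
                findings.append(("nonat-acl-permits-pool", acl))
    for inside_host in cfg["static_nat"]:
        # A static translation wins over the route-map rule for that host.
        if ipaddress.IPv4Address(inside_host) in inside_net:
            findings.append(("static-nat-overrides-nonat", inside_host))
    return findings


if __name__ == "__main__":
    for code, subject in check_vpn_nat(parse_config(SAMPLE_CONFIG), "192.168.1.0/24", "vpnpool"):
        print(f"{code}: {subject}")
```

Run against the sample, it reports only the static-NAT override for 192.168.1.1, which matches the reply's diagnosis; remove the deny line from access-list 115 and it additionally flags the route-map ACL, which is the more common way this setup breaks for every inside host.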
02-26-2003 01:49 PM
Thank you!!
I think part of my problem was two-fold. One, I would ping and it would take a couple of packets before the ARP would kick in, and I assumed after the first couple of pings that I still didn't have it set up correctly.
Another issue is that the IP INSPECT statements on my public and private interfaces are interfering with the VPN somehow.
As you've stated, the configuration was okay for other hosts other than my static NAT'd host... but when I was testing, I wouldn't just test it by pinging other hosts, but by connecting through ftp, telnet, http, or ssh... (on other internal hosts that aren't statically NAT'd)... as soon as I attempted to do this, my encrypted tunnel would cease to function.
The VPN would stay connected, and from the client, data was being passed to the protected networks... just nothing would pass through to internal hosts, so I thought my VPN config was at fault... and after that, I never tested beyond the first host (static NAT)...
I now see that if I remove the IDS "inspect" statements from my public and private interfaces, I will maintain a connection.
I could be overloading things with the IOS I am testing, or there could be a conflict with VPN tunnels or an ACL exception needed for this??
VPN and NAT are most important for me, so I'm willing to sacrifice this if not supported in combination.
02-27-2003 09:41 AM
I noticed you use a lot of ip inspect statements in your router config here. I have a handful of Cisco 17xx routers with the FW/IPSec/IDS IOS on them, but I have not turned on any of this functionality yet as I am not sure how it is used. Can you suggest any reading for this or explain briefly what the 'ip inspect' statements on the interfaces and in the body of the config are doing? Also, what kind of performance hit does the router and traffic flow encounter with this turned on?
Thank you,
Justin Loucks