2767 Views, 0 Helpful, 9 Replies

IP pool for VPN clients?

Zouyu
Level 1

Hi all

Is it possible to assign an IP address from within the LAN to a remote VPN client?

With the example in this exact scenario:

http://www.cisco.com/warp/public/707/25a.gif

can I set an IP local pool in the router as 10.2.2.10 - 10.2.2.20?

The problem is that any remote client can establish a VPN connection with the assigned IP (such as 10.2.2.10/32), but it cannot access any resources in the LAN.

Thanks for your help.

9 Replies

spremkumar
Level 9

Hi

In your setup over here, which device acts as the VPN termination point? Is it a PIX or a router?

If possible, can you post the relevant config here?

regds

We've set up a Cisco 3640 as the VPN gateway for remote users.

config is here:

r3640-VPN>en

Password:

r3640-VPN#show run

Building configuration...

Current configuration : 5146 bytes

!

! Last configuration change at 17:25:33 GMT Tue Feb 14 2006

! NVRAM config last updated at 17:25:34 GMT Tue Feb 14 2006

!

version 12.4

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

no service password-encryption

service udp-small-servers

service tcp-small-servers

!

hostname r3640-VPN

!

boot-start-marker

boot-end-marker

!

logging buffered 409600 debugging

enable secret 5 $1$yVaS$iEAlCgSYVALCBlFE7OyzB0

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authentication ppp default local

aaa authorization network groupauthor local

!

aaa session-id common

!

resource policy

!

clock timezone GMT 8

!

!

ip cef

ip name-server 10.71.0.61

!

!

ip ssh rsa keypair-name ssh-key

ip ssh version 2

!

!

!

!

username cisco password 0 cisco

!

!

crypto isakmp policy 3

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnuser

key shlear

dns 10.71.0.61

wins 10.67.0.61

domain vpn.foo.org

pool ippool

include-local-lan

netmask 255.255.255.255

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

!

!

crypto map mymap client authentication list userauthen

crypto map mymap isakmp authorization list groupauthor

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap 10 ipsec-isakmp dynamic dynmap

!

!

!

!

interface FastEthernet0/0

description " Inside Interface "

ip address 10.71.0.99 255.255.254.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description " Wan Interface "

no ip address

no ip proxy-arp

ip virtual-reassembly

duplex auto

speed auto

pppoe enable

pppoe-client dial-pool-number 1

no cdp enable

!

interface Dialer1

description " PPP-Dialup "

bandwidth 512

ip address negotiated

no ip redirects

ip local-proxy-arp

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer redial interval 5 attempts 0 re-enable 5

dialer-group 1

no cdp enable

ppp authentication pap chap callin

ppp chap hostname name

ppp chap password pass

ppp pap sent-username name password pass

ppp ipcp dns request

crypto map mymap

!

ip local pool ippool 10.71.0.241 10.71.0.254

ip http server

ip http secure-server

!

ip route 0.0.0.0 0.0.0.0 Dialer1

!

ip nat inside source route-map no-nat interface Dialer1 overload

!

access-list 1 permit 10.71.0.0 0.0.1.255 log

access-list 101 deny ip 10.71.0.0 0.0.1.255 10.71.0.240 0.0.0.15

access-list 101 permit ip 10.71.0.0 0.0.1.255 any

dialer-list 1 protocol ip permit

snmp-server community Private RW

!

route-map no-nat permit 10

match ip address 101

!

!

control-plane

!

!

!

!

!

!

!

dial-peer cor custom

!

!

!

!

!

line con 0

line aux 0

line vty 0 4

password cisco

transport input telnet ssh

!

ntp clock-period 17180020

ntp server 130.149.17.21

!

end

r3640-VPN#

Hi

Can you remove include-local-lan from your isakmp config and check for access?

Is there any specific reason behind using it in your config here?

regds

Hi,

It did not work after I removed the "include-local-lan" and "netmask 255.255.255.255" commands.

I've been asked to follow restrictive instructions to configure the IP pool for VPN clients with the same addressing scheme as the LAN's, even though it worked when I tried to set an IP subnet for VPN clients other than the LAN's.

Thanks for your help.

I have a similar setup and have one public IP... same problem here... the VPN client can get the IP address (I have tried the same and a different IP range from the LAN) from the VPN pool but can't access any resources in the LAN.

My router is a Cisco 1841 with an ADSL connection and the latest VPN client 4.800.xxx.

I had a similar setup (with a router, but with a Check Point firewall behind the router) last time, but it worked because I was using a public IP range for my VPN pool...

Can anyone help??? Thanks in advance...

I think we may have found out where the problem was.

It was all about NAT; all we needed to do was set different ACLs to make sure VPN flows could bypass NAT.

Below is our running-config:

version 12.4

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime localtime show-timezone

service timestamps log datetime localtime show-timezone

service password-encryption

!

logging buffered 409600 debugging

enable secret

!

aaa new-model

!

!

aaa authentication login userauthen local

aaa authentication ppp default local

aaa authorization network groupauthor local

!

aaa session-id common

!

resource policy

!

clock timezone GMT 8

!

!

ip cef

!

!

ip ssh rsa keypair-name ssh-key

ip ssh version 2

!

!

!

!

!

!

!

!

username cisco password

!

crypto isakmp policy 3

hash md5

authentication pre-share

group 2

!

crypto isakmp client configuration group vpnuser

key

dns 1.1.0.61

wins 1.7.0.61

domain foo.org

pool ippool

acl 190

include-local-lan

!

!

crypto ipsec transform-set myset esp-des esp-md5-hmac

!

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

!

!

crypto map mymap client authentication list userauthen

crypto map mymap isakmp authorization list groupauthor

crypto map mymap client configuration address initiate

crypto map mymap client configuration address respond

crypto map mymap 10 ipsec-isakmp dynamic dynmap

!

interface FastEthernet0/0

description " Inside Interface "

ip address 192.168.0.127 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

interface FastEthernet0/1

description " Wan Interface "

no ip address

no ip proxy-arp

ip virtual-reassembly

duplex auto

speed auto

pppoe enable

pppoe-client dial-pool-number 1

no cdp enable

!

interface Dialer1

description " PPP-Dialup "

bandwidth 512

ip address negotiated

no ip redirects

ip local-proxy-arp

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer idle-timeout 0

dialer redial interval 5 attempts 0 re-enable 5

dialer-group 1

no cdp enable

ppp authentication pap chap callin

ppp chap hostname name

ppp chap password

ppp pap sent-username name password

ppp ipcp dns request

crypto map mymap

!

ip local pool ippool 192.168.0.249 192.168.0.254

!

ip route 0.0.0.0 0.0.0.0 Dialer1

ip route 192.168.0.0 255.255.0.0 192.168.0.1

ip route 192.168.1.101 255.255.255.255 192.168.0.1

ip route 192.168.2.37 255.255.255.255 192.168.0.1

!

ip nat inside source route-map no-nat interface Dialer1 overload

!

access-list 1 permit 192.168.0.0 0.0.0.255 log

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.0.248 0.0.0.7

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 180 permit ip 192.168.0.0 0.0.0.255 192.168.0.248 0.0.0.7

access-list 190 permit ip 192.168.0.0 0.0.255.255 192.168.0.248 0.0.0.7

dialer-list 1 protocol ip permit

!

route-map no-nat permit 10

match ip address 101

!

!

!

line con 0

line aux 0

line vty 0 4

password cisco

transport input telnet ssh

!

ntp clock-period 17180011

ntp server 130.149.17.21

ntp server 202.112.0.38

!

end

crypto dynamic-map dynmap 10

set transform-set myset

reverse-route

What is reverse-route for? I haven't tried it yet... but I was using a different IP range and denied the NAT (same as the above example)... still having the same problem... i.e. the pool is 192.168.81.1-254 and the LAN is 192.168.82.0... what is the routing like, since the pool and the LAN are in different subnets?

According to the Cisco IPSec config manual, Reverse Route Injection is the ability for static routes to be automatically inserted into the routing process for those networks and hosts protected by a remote tunnel endpoint. These protected hosts and networks are known as remote proxy identities.

http://www.cisco.com/en/US/partner/products/ps6350/products_configuration_guide_chapter09186a0080455af1.html

Would you please post your network diagram and config?

Thanks for your reply... I have gone through the RRI documentation...

My config is similar to yours... so the necessities for the VPN client to work are:

1. Must do 'nonat' for pool addresses

2. Must do RRI (either using the same IP address range as the LAN or a different IP range)

My other problem is the VPN client... I actually had Huawei's VPN client and the Cisco VPN client installed on the same PC... the Cisco VPN client could grab the IP from the pool but couldn't access the LAN resources... after removing Huawei's VPN client, everything is OK...
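The two fixes the thread converges on, the NAT exemption in access-list 101 (the "nonat" step) and reverse-route on the dynamic map (the RRI step), can be checked by modelling the router's forwarding decision for a reply packet. The Python below is an added example written for this page; it is not code from the thread or from Cisco. It implements IOS wildcard-mask ACL matching, longest-prefix route lookup and the route-map NAT test, then replays a LAN-host-to-client reply through the first posted config (pool 10.71.0.241-254 inside the 10.71.0.0/23 LAN, no reverse-route) and through the same config with the /32 that RRI injects. The addresses and access-list 101 are copied from that config; the inside host 10.71.0.10, the function names and the three outcome labels are the example's own assumptions. What it shows: with the pool inside the LAN subnet, the connected /23 wins the lookup for 10.71.0.241, so the reply is sent out FastEthernet0/0 in the clear and never reaches the crypto map on Dialer1; the RRI /32 is what steers it to Dialer1; and without the deny entry the reply is translated before encryption and no longer matches the IPsec proxy identities. For a pool outside the LAN, the default route already sends replies to Dialer1, which is why that variant worked for the original poster without RRI.

```python
"""Added example (not code from the thread or from Cisco): a small model of
the IOS forwarding steps that decide whether a LAN host's reply reaches the
VPN client, replayed against the first posted config.  Addresses and
access-list 101 are copied from that config; everything else is constructed.
"""
import ipaddress
from typing import List, Optional, Tuple

IPv4 = ipaddress.IPv4Address
IPv4Net = ipaddress.IPv4Network


def wildcard_match(addr: str, ace_addr: str, wildcard: str) -> bool:
    """IOS wildcard-mask semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(IPv4(wildcard))
    return (int(IPv4(addr)) & care) == (int(IPv4(ace_addr)) & care)


# One access-list entry: (action, src, src_wildcard, dst, dst_wildcard).
ACE = Tuple[str, str, str, str, str]


def acl_action(acl: List[ACE], src: str, dst: str) -> str:
    """First matching entry wins; every IOS ACL ends in an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


def nat_applies(no_nat_acl: List[ACE], src: str, dst: str) -> bool:
    """'ip nat inside source route-map no-nat ...' with 'match ip address 101':
    the route-map matches only on a permit, so a deny entry exempts the flow."""
    return acl_action(no_nat_acl, src, dst) == "permit"


# One routing-table entry: (prefix, egress interface, origin).
Route = Tuple[IPv4Net, str, str]


def route_lookup(rib: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as the RIB/FIB does."""
    addr = IPv4(dst)
    candidates = [r for r in rib if addr in r[0]]
    return max(candidates, key=lambda r: r[0].prefixlen, default=None)


def return_path(rib: List[Route], no_nat_acl: List[ACE],
                lan_host: str, client_ip: str) -> str:
    """Fate of a reply from a LAN host to the VPN client's pool address.
    The crypto map sits on Dialer1, and inside->outside NAT runs before
    encryption, so both the route and the NAT exemption must be right."""
    route = route_lookup(rib, client_ip)
    if route is None or route[1] != "Dialer1":
        return "cleartext-on-lan"        # routed out Fa0/0, never encrypted
    if nat_applies(no_nat_acl, lan_host, client_ip):
        return "natted-not-encrypted"    # source rewritten, no IPsec SA matches
    return "encrypted"


# --- Scenario from the first posted config (constructed test data) ---------
LAN = IPv4Net("10.71.0.0/23")              # FastEthernet0/0, mask 255.255.254.0
CLIENT = "10.71.0.241"                     # first address of 'ip local pool ippool'
LAN_HOST = "10.71.0.10"                    # an arbitrary inside host (assumed)
BASE_RIB: List[Route] = [
    (LAN, "FastEthernet0/0", "connected"),
    (IPv4Net("0.0.0.0/0"), "Dialer1", "static"),   # ip route 0.0.0.0 0.0.0.0 Dialer1
]
ACL_101: List[ACE] = [  # access-list 101 exactly as posted
    ("deny",   "10.71.0.0", "0.0.1.255", "10.71.0.240", "0.0.0.15"),
    ("permit", "10.71.0.0", "0.0.1.255", "0.0.0.0", "255.255.255.255"),
]
# The /32 that 'reverse-route' installs for the connected client's proxy identity.
RRI_ROUTE: Route = (IPv4Net(CLIENT + "/32"), "Dialer1", "rri")


def without_rri() -> str:
    """First config: pool inside the LAN /23, no reverse-route."""
    return return_path(BASE_RIB, ACL_101, LAN_HOST, CLIENT)


def with_rri() -> str:
    """Same config plus the RRI /32."""
    return return_path(BASE_RIB + [RRI_ROUTE], ACL_101, LAN_HOST, CLIENT)


def with_rri_no_nat_exemption() -> str:
    """RRI present but the deny entry dropped from access-list 101."""
    return return_path(BASE_RIB + [RRI_ROUTE], ACL_101[1:], LAN_HOST, CLIENT)


if __name__ == "__main__":
    for name, fn in (("no RRI", without_rri), ("RRI", with_rri),
                     ("RRI, no NAT exemption", with_rri_no_nat_exemption)):
        print(f"{name:24s} -> {fn()}")
```

The model leaves out ARP: inside hosts on the same subnet ARP for 10.71.0.241 directly, and the router answers on FastEthernet0/0 (with ip proxy-arp at its default there) only when its route for that address points out another interface, which is the second reason the RRI /32 matters for a pool that overlaps the LAN. Separately, the posted configs carry settings a practitioner would not keep in production and that the thread does not discuss: esp-des with md5 in the transform set and ISAKMP policy, telnet allowed on the vty lines, a read-write SNMP community, the tcp/udp small-servers, and no service password-encryption in the first config.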