IPSEC VPN connected, but can't access network

EvorioSupport1
Level 1

Hi,

As the title suggests, we are having trouble with our VPN used by our end users. The VPN authenticates and connects fine and you are issued an IP address; however, you can't connect to anything on the internal network.

Can anyone advise on the config below as to what might be causing the issue?


!
boot-start-marker
boot-end-marker
!
!
logging buffered 50000
enable secret 5 $1$lxcl$EylsZD.ZJg1XRXCI7sqQf/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login console line enable
aaa authentication login vpnclient group radius local
aaa authorization network default local
aaa authorization network vpnclient group radius local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
clock timezone GMT 0 0
clock summer-time BST recurring
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
no ip dhcp conflict logging
ip dhcp excluded-address 10.0.2.1 10.0.2.10
!
ip dhcp pool InternalDHCP
network 10.0.2.0 255.255.255.0
domain-name opi.local
dns-server 192.168.55.2 10.0.2.1
default-router 10.0.2.1
netbios-name-server 10.0.2.1
!
!
ip cef
ip domain name opi.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip inspect tcp reassembly queue length 500
ip inspect name firewall tcp router-traffic
ip inspect name firewall icmp router-traffic
ip inspect name firewall udp router-traffic
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn FCZ1515C0H4
!
!
username ****** secret 5 $1$Mn2U$67pX/EnjEYDEh3DHdlSrt.
!
!
!
!
!
!
crypto isakmp policy 5
encr aes 256
authentication pre-share
group 5
!
crypto isakmp policy 6
encr aes
authentication pre-share
group 2
crypto isakmp key ***** address ***** no-xauth
crypto isakmp key ***** address ***** no-xauth
crypto isakmp key ***** address ***** no-xauth
!
crypto isakmp client configuration group *****vpn
key *****
dns 192.168.55.2
domain *****
pool vpnclientpool
acl 199
!
!
crypto ipsec transform-set aes-vpn esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set aes-vpn
!
!
crypto map vpn client authentication list vpnclient
crypto map vpn isakmp authorization list default
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp
set peer *****
set transform-set aes-vpn
match address Crypto-list
crypto map vpn 65535 ipsec-isakmp dynamic dynmap
!
crypto map vpn2 client authentication list vpnclient
crypto map vpn2 isakmp authorization list default
crypto map vpn2 client configuration address respond
crypto map vpn2 65535 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 99
spanning-tree portfast
!
interface FastEthernet4
description WAN interface
ip address ***** 255.255.255.252
ip access-group firewall1 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
duplex auto
speed auto
crypto map vpn
!
interface Vlan1
description LAN interface
ip address 10.0.2.1 255.255.255.0
ip mtu 1458
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1418
!
interface Vlan99
description -- Virgin Internet --
ip address 192.168.0.2 255.255.255.0
ip access-group firewall1 in
ip nat outside
ip inspect firewall out
ip virtual-reassembly in
crypto map vpn2
!
ip local pool vpnclientpool 10.254.254.1 10.254.254.6
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source route-map nonat interface Vlan99 overload
ip nat inside source static tcp 10.0.2.3 3389 ***** 3389 route-map nonat extendable
ip route 0.0.0.0 0.0.0.0 192.168.0.1
ip route ***** 255.255.255.255 *****
ip route 192.168.55.0 255.255.255.0 *****
!
ip access-list extended Crypto-list
permit ip 10.0.2.0 0.0.0.255 192.168.55.0 0.0.0.255
ip access-list extended firewall
ip access-list extended firewall1
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit tcp host ***** any eq 22
permit tcp host ***** any eq 22
permit tcp ***** 0.0.0.63 any eq 22
permit tcp ***** 0.0.0.7 any eq 22
permit tcp ***** 0.0.0.7 any eq 22
permit tcp host ***** any eq 22
permit tcp any host ***** eq 3389
permit icmp any any
permit tcp host ***** any eq 22
deny ip any any log
ip access-list extended nonat
deny ip 10.0.2.0 0.0.0.255 192.168.55.0 0.0.0.255
deny ip 10.0.2.0 0.0.0.255 10.254.254.0 0.0.0.255
deny ip 10.0.2.0 0.0.0.255 host 172.18.0.100
permit ip 10.0.2.0 0.0.0.255 any
!
ip radius source-interface Vlan1
logging esm config

access-list 199 permit ip 10.254.254.0 0.0.0.255 any
access-list 199 permit ip 10.0.2.0 0.0.0.255 any
access-list 199 permit ip 192.168.55.0 0.0.0.255 any
!
!
!
!
route-map nonat permit 10
match ip address nonat
!
radius-server host 192.168.55.2 auth-port 1645 acct-port 1646 key *****
!
!
control-plane
!
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
end

1 Reply

Hello,

Try adding the 'reverse-route' command as indicated below:

crypto isakmp client configuration group *****vpn
key *****
dns 192.168.55.2
domain *****
pool vpnclientpool
acl 199
!
!
crypto ipsec transform-set aes-vpn esp-aes 256 esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set aes-vpn
reverse-route
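Reverse-route injection is the first thing to check when a client gets an address but nothing on the LAN answers: without it the router has no route back to the assigned client address, so LAN replies follow the default route instead of the tunnel. The usual second cause is NAT exemption: if the deny for the client pool were missing from the nonat ACL, LAN replies would be translated out of Vlan99 rather than encrypted. The Python below is an added example, not part of either post and not a Cisco tool; it parses a trimmed copy of the posted configuration (constructed here, re-indented the way IOS prints it, masked values kept) and flags either condition. Assumptions: the LAN is the interface carrying `ip nat inside`, the NAT-exemption ACL is the one named by the route-map that `ip nat inside source` references, the first usable LAN address stands in for any LAN host, and the ACE parser understands only `permit|deny ip` entries, which is all these checks need.

```python
"""Check an IOS remote-access IPsec config for the two settings that most often leave an
authenticated client unable to reach the LAN: reverse-route and NAT exemption (text only)."""
import ipaddress
import re

# Constructed sample: VPN-relevant lines of the posted config, re-indented as IOS prints them.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group *****vpn
 pool vpnclientpool
crypto dynamic-map dynmap 10
 set transform-set aes-vpn
interface Vlan1
 ip address 10.0.2.1 255.255.255.0
 ip nat inside
ip local pool vpnclientpool 10.254.254.1 10.254.254.6
ip nat inside source route-map nonat interface Vlan99 overload
ip access-list extended nonat
 deny ip 10.0.2.0 0.0.0.255 10.254.254.0 0.0.0.255
 permit ip 10.0.2.0 0.0.0.255 any
route-map nonat permit 10
 match ip address nonat
"""
FIXED_CONFIG = SAMPLE_CONFIG.replace(  # the reply's fix applied to the sample
    " set transform-set aes-vpn\n", " set transform-set aes-vpn\n reverse-route\n")


def parse_blocks(config):
    """Split into (header, [subcommands]); IOS indents subcommands by one space."""
    blocks = []
    for raw in config.splitlines():
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            blocks.append((raw.strip(), []))
    return blocks


def headers(blocks, pattern):
    """(regex match, subcommands) for every block whose header matches `pattern`."""
    return [(m, subs) for h, subs in blocks for m in [re.match(pattern, h)] if m]


def addr_spec(t):
    """Consume one ACE address (any | host A | A WILDCARD) -> (addr, wildcard, rest)."""
    if t[0] == "any":
        return 0, 0xFFFFFFFF, t[1:]
    if t[0] == "host":
        return int(ipaddress.IPv4Address(t[1])), 0, t[2:]
    return int(ipaddress.IPv4Address(t[0])), int(ipaddress.IPv4Address(t[1])), t[2:]


def parse_ace(line):
    """(action, (src, wild), (dst, wild)) for a `permit|deny ip` entry, else None."""
    t = line.split()
    if len(t) < 4 or t[0] not in ("permit", "deny") or t[1] != "ip":
        return None
    src, sw, rest = addr_spec(t[2:])
    dst, dw, _ = addr_spec(rest)
    return t[0], (src, sw), (dst, dw)


def first_match(aces, src, dst):
    """Action of the first ACE matching src -> dst (wildcard bit 1 = don't care), or None."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for action, (sa, sw), (da, dw) in aces:
        if (s & ~sw) == (sa & ~sw) and (d & ~dw) == (da & ~dw):
            return action
    return None


def audit(config):
    """Findings for both checks; an empty list means a client should reach the LAN."""
    blocks, acls, findings = parse_blocks(config), {}, []
    for header, subs in blocks:                        # named extended ACLs, in configured order
        if header.startswith("ip access-list "):
            acls[header.split()[-1]] = [a for a in map(parse_ace, subs) if a]
    # 1. without reverse-route the router has no route back to the address it assigned
    findings += [f"dynamic-map {m.group(1)}: missing reverse-route" for m, subs in
                 headers(blocks, r"crypto dynamic-map (\S+) \d+") if "reverse-route" not in subs]
    # 2. LAN prefix (from the `ip nat inside` interface), pools, NAT-exemption ACL via the route-map
    lan = next((ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
                for h, subs in blocks if h.startswith("interface ") and "ip nat inside" in subs
                for m in map(re.compile(r"ip address (\S+) (\S+)$").match, subs) if m), None)
    pools = {m.group(1): (m.group(2), m.group(3))
             for m, _ in headers(blocks, r"ip local pool (\S+) (\S+) (\S+)")}
    nat_acl = None
    for m, _ in headers(blocks, r"ip nat inside source route-map (\S+)"):
        for _, rm in headers(blocks, rf"route-map {re.escape(m.group(1))} permit"):
            nat_acl = next((s.split()[-1] for s in rm if s.startswith("match ip address")), nat_acl)
    # LAN -> pool must hit a deny in that ACL, or replies are NATed instead of encrypted
    for m, subs in headers(blocks, r"crypto isakmp client configuration group (\S+)"):
        group = m.group(1)
        pool = next((s.split()[1] for s in subs if s.startswith("pool ")), None)
        if lan is None or pool not in pools:
            findings.append(f"group {group}: LAN interface or pool {pool!r} not found")
            continue
        lan_host = str(lan.network_address + 1)        # first usable LAN address as a stand-in
        for client in pools[pool]:                     # first and last pool address
            if first_match(acls.get(nat_acl, []), lan_host, client) != "deny":
                findings.append(f"group {group}: {lan_host} -> {client} is not exempt from NAT")
    return findings


if __name__ == "__main__":
    print("as posted:", audit(SAMPLE_CONFIG) or "OK")
    print("with reverse-route:", audit(FIXED_CONFIG) or "OK")
```

Run as-is it reports the missing reverse-route for the posted config and nothing once the reply's line is added; to check a real device, pass the text of a `show running-config` capture to `audit()`. The first-match ACL evaluation matters: an earlier permit that happens to cover the pool would hide a later deny exactly as IOS would.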