Question about EasyVPN

DaeHeon Kang
Level 1

I have been testing EasyVPN combined with an IPSec VPN and there is an issue regarding communication on the VPN tunnels, which is summarized as follows (the configuration from the Office Router and the diagram are attached):

  • The communication through the IPSec tunnel is fine.
  • The EasyVPN connection can be established.
  • The EasyVPN client can't communicate with hosts within the internal network after the EasyVPN connection is established.
  • Only ping to the Office Router works from the EasyVPN client.
  • SSH or Telnet to the Office Router works from the EasyVPN client only if there is no NAT command under the interfaces of the Office Router.

(attachment: EasyVPN.jpg)

!
aaa new-model
!
aaa authentication login EZ-AAA local
aaa authorization network EZ-AAA local
!
username cisco privilege 15 password 0 cisco
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 5
crypto isakmp key NETWORK address 1.1.1.1
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZ-GROUP
 key cisco123
 pool EZ-POOL
 acl 199
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec transform-set ESP esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto dynamic-map DYNAMIC-MAP 1
 set transform-set 3DES-SHA
!
crypto map IPSEC 10 ipsec-isakmp
 set peer 1.1.1.1
 set security-association lifetime seconds 28800
 set transform-set ESP
 set pfs group2
 match address VPN-TRAFFIC
!
crypto map IPSEC client authentication list EZ-AAA
crypto map IPSEC isakmp authorization list EZ-AAA
crypto map IPSEC client configuration address respond
crypto map IPSEC 20 ipsec-isakmp dynamic DYNAMIC-MAP
!
interface FastEthernet0/0
 ip address 1.1.1.2 255.255.255.252
 duplex auto
 speed auto
 crypto map IPSEC
 ip nat outside
!
interface FastEthernet0/1
 ! the posted text reads 192.16.15.1 here; every ACL below references 192.168.15.0/24, so 192.168.15.1 is assumed
 ip address 192.168.15.1 255.255.255.0
 duplex auto
 speed auto
 ip nat inside
!
ip local pool EZ-POOL 172.16.1.2 172.16.1.254
ip route 0.0.0.0 0.0.0.0 1.1.1.1
!
ip http server
no ip http secure-server
!
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.15.0 0.0.0.255 10.1.1.0 0.0.0.255
 permit ip 192.168.15.0 0.0.0.255 10.2.2.0 0.0.0.255
!
ip access-list extended NAT
 deny ip 172.16.1.0 0.0.0.255 any
 permit ip 192.168.15.0 0.0.0.255 any
!
access-list 199 permit ip 192.168.15.0 0.0.0.255 any
!
ip nat inside source list NAT interface fa0/0 overload
!

1 Reply

Francesco Molino
VIP Alumni
Hi,

On your NAT ACL you should add a statement denying your internal network to your EasyVPN pool, like:

deny ip 192.168.15.0 0.0.0.255 172.16.1.0 0.0.0.255

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
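The following is an added worked example, not part of the thread and not code from either poster. It models how an IOS extended ACL referenced by `ip nat inside source list` is evaluated (first match wins, implicit deny at the end, a deny meaning "do not translate") and compares the NAT ACL as posted in the question with the same ACL after the deny line from the reply is inserted before the permit. The networks 192.168.15.0/24 and 172.16.1.0/24 are taken from the posted configuration; the sample flows and the 203.0.113.7 Internet address are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Each ACE is (action, source network, destination network); IOS wildcard
# masks are written here as CIDR prefixes and "any" is 0.0.0.0/0.
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("192.168.15.0/24")   # LAN behind Fa0/1 (from the post)
EZ_POOL = ip_network("172.16.1.0/24")      # EZ-POOL 172.16.1.2-254 (from the post)

# NAT ACL exactly as posted in the question.
NAT_ACL_POSTED = [
    ("deny",   EZ_POOL,  ANY),
    ("permit", INTERNAL, ANY),
]

# NAT ACL with the deny statement from the reply placed before the permit.
NAT_ACL_FIXED = [
    ("deny",   EZ_POOL,  ANY),
    ("deny",   INTERNAL, EZ_POOL),
    ("permit", INTERNAL, ANY),
]


def acl_matches(acl, src, dst):
    """Evaluate src->dst against the ACL the way IOS does: first matching
    entry decides, and a packet matching no entry is implicitly denied."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def will_be_translated(acl, src, dst):
    """For 'ip nat inside source list <acl> ...', an inside->outside packet is
    translated only when the ACL permits it; a deny exempts it from NAT
    (it does not drop the packet)."""
    return acl_matches(acl, src, dst)


def compare(acl_posted, acl_fixed, flows):
    """Return (description, translated under posted ACL, translated under
    fixed ACL) for every constructed flow."""
    return [
        (what, will_be_translated(acl_posted, src, dst),
         will_be_translated(acl_fixed, src, dst))
        for src, dst, what in flows
    ]


# Constructed sample flows on the inside->outside path of the Office Router.
SAMPLE_FLOWS = [
    ("192.168.15.10", "172.16.1.5",
     "internal host -> EasyVPN client (reply to the client's request)"),
    ("192.168.15.10", "203.0.113.7",
     "internal host -> Internet"),
]

if __name__ == "__main__":
    for what, posted, fixed in compare(NAT_ACL_POSTED, NAT_ACL_FIXED, SAMPLE_FLOWS):
        print(f"{what:64s} posted: {'NAT' if posted else 'no NAT':7s} "
              f"fixed: {'NAT' if fixed else 'no NAT'}")
```

Running it shows why the posted ACL does not help: its first line denies packets *sourced* from 172.16.1.0/24, but on the inside-to-outside path the source is always an internal 192.168.15.x host, so the reply toward an EasyVPN client falls through to the permit and is translated to the Fa0/0 address, while Internet-bound traffic is (correctly) translated under both versions. With the deny from the reply in place, only the internal-to-pool flow is exempted from translation and ordinary Internet traffic is still NATed.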