07-02-2011 07:05 PM
Hi Guys,
I have configured a Cisco 881 with a remote access IPsec VPN. The VPN authentication works fine, and it connects fine. Once connected I can see the route is available, split tunneling is working and I can ping the VLAN interface on the router; however, I can't ping past that. I've been looking over all the obvious things like NAT rules and return routes, and everything looks fine. There is also a site-to-site VPN configured that is working fine. Any ideas?
Router#show run
Building configuration...
Current configuration : 4156 bytes
!
! Last configuration change at 11:46:09 AEST Sun Jul 3 2011 by matt
!
version 15.0
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging count
logging buffered 16384
enable secret 5 <SNIP>
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authentication login LOCAL local
aaa authorization network rtr-remote local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone AEST 10
!
!
ip source-route
!
!
!
!
ip cef
no ip bootp server
no ip domain lookup
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL150821W4
!
!
username <SNIP> password 7 <SNIP>
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key <SNIP> address <SNIP>
crypto isakmp client configuration address-pool local VPN_POOL
!
crypto isakmp client configuration group VPN_GROUP
key <SNIP>
dns 192.168.1.21 4.2.2.2
domain <SNIP>
pool VPN_POOL
acl 140
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set 3des-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-SHA-HMAC esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto dynamic-map VPN_MAP 1
set transform-set vpn1
reverse-route
!
!
crypto map VPN_MAP client authentication list LOCAL
crypto map VPN_MAP isakmp authorization list rtr-remote
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 1 ipsec-isakmp dynamic VPN_MAP
crypto map VPN_MAP 2 ipsec-isakmp
set peer <SNIP>
set transform-set 3des-sha-hmac
set pfs group2
match address 101
!
crypto map static-map 1 ipsec-isakmp dynamic VPN_MAP
!
bridge irb
!
!
!
!
interface FastEthernet0
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 10
spanning-tree portfast
!
interface FastEthernet4
ip address <SNIP> 255.255.255.240
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN_MAP
!
interface Virtual-Template2 type tunnel
ip unnumbered BVI10
tunnel mode ipsec ipv4
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
bridge-group 10
bridge-group 10 spanning-disabled
!
interface BVI10
no ip address
ip nat inside
ip virtual-reassembly
shutdown
!
ip local pool VPN_POOL 192.168.211.1 192.168.211.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.21 25 <SNIP> 25 extendable
ip route 0.0.0.0 0.0.0.0 <SNIP>
ip route 192.168.2.0 255.255.255.0 <SNIP>
!
logging trap warnings
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny ip 192.168.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 any
access-list 199 permit ip 192.168.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 30 0
logging synchronous
login authentication LOCAL
no modem enable
line aux 0
line vty 0 4
exec-timeout 30 0
logging synchronous
login authentication LOCAL
!
scheduler max-task-time 5000
end
Router#
07-03-2011 12:09 AM
Sorted... I got onto the Cisco TAC and the configuration was fine. There is an issue with CEF with IPsec VPNs on some IOS. CEF was disabled and it came good straight away.
07-04-2011 05:22 AM
Indeed your config looks fine except for a small remark:
The ACL 110 (NAT exemption) is longer than necessary:
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny ip 192.168.211.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 deny ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
This would also suffice:
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny ip 192.168.2.0 0.0.0.255 192.168.211.0 0.0.0.255
access-list 110 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Explanation: NAT exemption only needs to be performed for inside address ranges.
Or even shorter:
access-list 110 deny ip 192.168.0.0 0.0.3.255 192.168.0.0 0.0.255.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
Private IPs are not routed on the Internet so you are not taking risks.
IPsec and NAT are both performed before routing as you can see here:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080133ddd.shtml
This is why the static route for 192.168.2.0 can also be omitted. This traffic is matched by acl 110 and 101.
regards,
Leo
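To see how the three versions of ACL 110 from the reply above behave as a NAT source list, here is an added Python example (not from the thread or from Cisco) that evaluates them with IOS first-match and wildcard-mask semantics. The sample flows, the 203.0.113.10 Internet host and the 192.168.100.0/24 destination are constructed for illustration; the last one shows the one case where the two-line version decides differently from the posted ACL.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """IOS wildcard-mask test: a 0 bit in the wildcard means the bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF
    return (a & keep) == (n & keep)

def acl_action(acl, src, dst):
    """First-match evaluation with the implicit deny IOS appends to every ACL."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"

def nat_decision(acl, src, dst):
    # For a NAT source list, permit means translate and deny means exempt
    return "translate" if acl_action(acl, src, dst) == "permit" else "exempt"

# ACL 110 exactly as posted: (action, src, src-wildcard, dst, dst-wildcard)
ACL_ORIGINAL = [
    ("deny",   "192.168.1.0",   "0.0.0.255", "192.168.211.0", "0.0.0.255"),
    ("deny",   "192.168.2.0",   "0.0.0.255", "192.168.211.0", "0.0.0.255"),
    ("deny",   "192.168.211.0", "0.0.0.255", "192.168.1.0",   "0.0.0.255"),
    ("deny",   "192.168.211.0", "0.0.0.255", "192.168.2.0",   "0.0.0.255"),
    ("deny",   "192.168.1.0",   "0.0.0.255", "192.168.2.0",   "0.0.0.255"),
    ("permit", "192.168.1.0",   "0.0.0.255", "0.0.0.0",       "255.255.255.255"),
]
# The three-deny version suggested in the reply (inside ranges only)
ACL_SHORT = [ACL_ORIGINAL[0], ACL_ORIGINAL[1], ACL_ORIGINAL[4], ACL_ORIGINAL[5]]
# The two-line version: wildcard 0.0.3.255 covers 192.168.0.0-192.168.3.255 as source
ACL_SHORTEST = [
    ("deny", "192.168.0.0", "0.0.3.255", "192.168.0.0", "0.0.255.255"),
    ACL_ORIGINAL[5],
]
# Constructed sample flows (src, dst): LAN->VPN client, LAN->remote site,
# VPN client->LAN, LAN->Internet host, LAN->a private net absent from the config
FLOWS = [
    ("192.168.1.21", "192.168.211.5"),
    ("192.168.1.50", "192.168.2.10"),
    ("192.168.211.5", "192.168.1.21"),
    ("192.168.1.50", "203.0.113.10"),
    ("192.168.1.50", "192.168.100.7"),
]

def compare(flows=FLOWS):
    """Map each flow to its (original, short, shortest) NAT decisions."""
    acls = (ACL_ORIGINAL, ACL_SHORT, ACL_SHORTEST)
    return {(s, d): tuple(nat_decision(a, s, d) for a in acls) for s, d in flows}
```

Run `compare()` to list the decisions; only the 192.168.100.7 flow is exempted by the two-line ACL but translated by the other two.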
07-04-2011 03:44 PM
Leo,
Thanks for your response! I will be configuring the VPN to have access to the site at the other end of the site-to-site VPN, so this entry will have to remain:
access-list 110 deny ip 192.168.211.0 0.0.0.255 192.168.2.0 0.0.0.255
I will go through and make the changes you have suggested, thanks for taking the time to read through!
Matt