Remote access vpn fails

michellp
Level 1

Hi,

I'm trying to figure out why remote access VPNs to our company office fail. The scenario: currently we have a working situation. The way it works is that users connect to the public IP of an ADSL router, which NATs the VPN traffic to an internal router. This router then forwards the traffic to the VPN server.

remote vpn client <=> {{internet}} <=> adsl cpe <=> router <=> vpn server

Now I'm implementing a second internet line with more or less the same setup, but instead of an ADSL CPE we use a Cisco router. When active, users should connect the same way, with the only difference being a different public IP address.

remote vpn client <=> {{internet}} <=> cisco router <=> router <=> vpn server

So the only change from the Cisco VPN client's perspective is the host. However, when testing, it did not work. The VPN client times out with something like 'the VPN peer did not respond'; I don't remember the exact error message by heart. Now logic tells me that, because it's now working, the part between the internal router and the VPN gateway is OK. My guess is that this is due to the Cisco's access list. I had my own access list, but for some reason I decided to use the SDM firewall config wizard and it generated this access list.

Extended IP access list 100
    10 permit tcp any host 90.90.150.82 eq 4500
    20 permit tcp any host 90.90.150.82 eq 500
    30 permit tcp any host 90.90.150.82 eq 51
    40 permit tcp any host 90.90.150.82 eq 50
    50 permit tcp any host 90.90.150.82 eq 3101
    60 permit tcp any host 90.90.150.82 eq 993
    70 permit tcp any host 90.90.150.82 eq 587
    80 permit tcp any host 90.90.150.82 eq smtp (722 matches)
    90 deny ip 192.168.0.8 0.0.0.7 any (20606 matches)
    100 permit icmp any host 90.90.150.82 echo-reply (113 matches)
    110 permit icmp any host 90.90.150.82 time-exceeded (54 matches)
    120 permit icmp any host 90.90.150.82 unreachable (1051 matches)
    130 deny ip 10.0.0.0 0.255.255.255 any (726 matches)
    140 deny ip 172.16.0.0 0.15.255.255 any
    150 deny ip 192.168.0.0 0.0.255.255 any
    160 deny ip 127.0.0.0 0.255.255.255 any
    170 deny ip host 255.255.255.255 any
    180 deny ip host 0.0.0.0 any
    190 deny ip any any log (5163 matches)

Since the NATting for the SMTP works, I believe the NATting is OK. I can ping the VPN server, so routing also seems to be OK. The VPN end users should receive a VPN IP address from the 192.168.x.x pool. Can it be that rule 150 is preventing them from connecting? I cannot test, since it's a live environment and I will have to schedule a window. I'm just trying to figure out what is wrong so I can fix it during a window. Anyone have any ideas?
   


4 Replies

Jennifer Halim
Cisco Employee

The first 4 lines of access-list 100 are incorrect; they should be:

    10 permit udp any host 90.90.150.82 eq 4500
    20 permit udp any host 90.90.150.82 eq 500
    30 permit ah any host 90.90.150.82
    40 permit esp any host 90.90.150.82

Ehm, yeah, that makes sense. I will try that. Thanks.

This probably means I have to change the NAT rules as well, no?

Current:

ip nat inside source static tcp 10.81.0.5 25 interface FastEthernet1 25
ip nat inside source static tcp 10.81.0.5 587 interface FastEthernet1 587
ip nat inside source static tcp 10.81.0.5 993 interface FastEthernet1 993
ip nat inside source static tcp 10.81.0.7 3101 interface FastEthernet1 3101
ip nat inside source static tcp 10.85.1.2 50 interface FastEthernet1 50
ip nat inside source static tcp 10.85.1.2 51 interface FastEthernet1 51
ip nat inside source static tcp 10.85.1.2 500 interface FastEthernet1 500
ip nat inside source static tcp 10.85.1.2 4500 interface FastEthernet1 4500

I've added these three now. There is no option to add AH, though? Any ideas on that, or is this enough?

ip nat inside source static esp 10.85.1.2 interface FastEthernet1
ip nat inside source static udp 10.85.1.2 500 interface FastEthernet1 500
ip nat inside source static udp 10.85.1.2 4500 interface FastEthernet1 4500

Please see my previous update. Can anyone please tell me if the last 3 NAT rules should also be there? What about AH?

No, you don't need AH if your VPN policy does not include AH.
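The ACL fix in Jennifer Halim's reply and the NAT fix the poster arrived at are the same mistake seen twice: IPsec pass-through needs IKE on UDP 500, NAT-T on UDP 4500 and the ESP protocol itself, while the SDM wizard and the original NAT list treated 50, 51, 500 and 4500 as TCP ports. The script below is an added example, not part of the thread and not Cisco tooling, that lints both the access list and the static NAT statements for that mistake and reports what is still missing. The sample configs are constructed from the pasted output (public IP 90.90.150.82, inside VPN server 10.85.1.2, interface FastEthernet1 are taken from the thread); the regexes and the port-name table are my own assumptions about how IOS prints these lines.

```python
"""Lint a Cisco IOS extended ACL and its static NAT entries for the IPsec
pass-through mistakes in this thread: ESP (IP protocol 50) and AH (51) written
as TCP ports, and IKE (500) / NAT-T (4500) carried as TCP instead of UDP.
Added example for this page, not Cisco code; the sample configs below are
constructed from what the poster pasted (same public IP and inside hosts)."""
import re

# What an IPsec peer behind the router must be reachable on: IKE and NAT-T are
# UDP, ESP is its own IP protocol. AH is absent on purpose: IOS has no static
# AH translation, and AH cannot cross a NAT anyway because its integrity check
# covers the outer source and destination addresses.
NEEDED = {("udp", "500"), ("udp", "4500"), ("esp", None)}
PROTO_NUMBERS = {"50": "esp", "51": "ah"}      # IP protocol numbers, not ports
IKE_PORTS = {"500", "4500"}                    # right port, but only over udp
PORT_NAMES = {"isakmp": "500", "non500-isakmp": "4500", "smtp": "25"}  # assumed IOS names

ACE_RE = re.compile(
    r"^\s*(?P<seq>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>\w+)\s+"
    r"(?P<src>any|host\s+\S+|\S+\s+\S+)\s+"
    r"(?P<dst>any|host\s+\S+|\S+\s+\S+)"
    r"(?:\s+eq\s+(?P<port>\S+))?")
NAT_RE = re.compile(
    r"^\s*ip nat inside source static\s+(?P<proto>tcp|udp|esp)\s+(?P<inside>\S+)"
    r"(?:\s+(?P<lport>\d+))?\s+interface\s+\S+(?:\s+(?P<gport>\d+))?")


def classify(label, proto, port, hint):
    """Return a finding for a wrong IPsec entry, or None when it is acceptable."""
    if proto in ("tcp", "udp") and port in PROTO_NUMBERS:
        return f"{label}: {port} is IP protocol {PROTO_NUMBERS[port]}, not a {proto} port; {hint}"
    if proto == "tcp" and port in IKE_PORTS:
        return f"{label}: IKE/NAT-T on port {port} is udp, not tcp"
    return None


def lint_acl(acl_text, vpn_public):
    """Check permit entries whose destination is the VPN server's public IP.
    Returns (problems, missing); missing lists the (proto, port) still absent."""
    problems, seen = [], set()
    for line in acl_text.splitlines():
        m = ACE_RE.match(line)
        if not m or m["action"] != "permit":
            continue
        if " ".join(m["dst"].split()) != f"host {vpn_public}":
            continue            # other hosts and the deny lines are irrelevant here
        port = PORT_NAMES.get(m["port"], m["port"])   # 'eq isakmp' -> '500'
        finding = classify(f"seq {m['seq']}", m["proto"], port,
                           f"match it by protocol name, e.g. 'permit esp any host {vpn_public}'")
        if finding:
            problems.append(finding)
        else:
            seen.add((m["proto"], port))
    return problems, sorted(NEEDED - seen, key=str)


def lint_nat(nat_text, vpn_inside):
    """Check static NAT entries that map the inside VPN server. Same return shape."""
    problems, seen = [], set()
    for line in nat_text.splitlines():
        m = NAT_RE.match(line)
        if not m or m["inside"] != vpn_inside:
            continue
        finding = classify(f"static {m['proto']} {m['lport']}", m["proto"], m["lport"],
                           f"use 'ip nat inside source static esp {vpn_inside} interface ...'")
        if finding:
            problems.append(finding)
        else:
            seen.add((m["proto"], m["lport"]))
    return problems, sorted(NEEDED - seen, key=str)


# Constructed from the thread: the SDM-generated entries as posted (non-IPsec
# entries trimmed) and the corrected forms from the replies.
BAD_ACL = """\
10 permit tcp any host 90.90.150.82 eq 4500
20 permit tcp any host 90.90.150.82 eq 500
30 permit tcp any host 90.90.150.82 eq 51
40 permit tcp any host 90.90.150.82 eq 50
80 permit tcp any host 90.90.150.82 eq smtp
150 deny ip 192.168.0.0 0.0.255.255 any
190 deny ip any any log
"""
GOOD_ACL = """\
10 permit udp any host 90.90.150.82 eq isakmp
20 permit udp any host 90.90.150.82 eq non500-isakmp
30 permit esp any host 90.90.150.82
190 deny ip any any log
"""
BAD_NAT = """\
ip nat inside source static tcp 10.81.0.5 25 interface FastEthernet1 25
ip nat inside source static tcp 10.85.1.2 50 interface FastEthernet1 50
ip nat inside source static tcp 10.85.1.2 51 interface FastEthernet1 51
ip nat inside source static tcp 10.85.1.2 500 interface FastEthernet1 500
ip nat inside source static tcp 10.85.1.2 4500 interface FastEthernet1 4500
"""
GOOD_NAT = """\
ip nat inside source static esp 10.85.1.2 interface FastEthernet1
ip nat inside source static udp 10.85.1.2 500 interface FastEthernet1 500
ip nat inside source static udp 10.85.1.2 4500 interface FastEthernet1 4500
"""

if __name__ == "__main__":
    for label, acl, nat in (("as posted", BAD_ACL, BAD_NAT), ("corrected", GOOD_ACL, GOOD_NAT)):
        print(label, lint_acl(acl, "90.90.150.82"), lint_nat(nat, "10.85.1.2"))
```

Feed it the output of `show ip access-lists` and `show running-config | include ip nat` from your own router. On the posted state it flags all four IPsec entries in both lists and reports udp 500, udp 4500 and esp as missing; on the poster's interim state (tcp leftovers kept, udp/esp entries added) it still flags the leftovers but reports nothing missing, which is why the last three NAT rules are the ones that matter. The deny for 192.168.0.0/16 is matched against the outer packet's source address, i.e. the remote client's public IP; the pool address a client is assigned only exists inside the encrypted tunnel, so that entry is not what stops the clients from connecting.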