Remote access VPN issue with split tunneling

andre8525
Level 1

Hello to all,

Before I explain my problem I would like to show you my network:

vlan 1-20 

mac web server (ip 192.168.1.2)     ------------->     core switch (vlan 1 ip 192.168.1.1, vlan 6 ip 172.16.0.2)  ---------------> cisco router (vlan 6 ip 172.16.0.1 and wan ip at the outside interface)  -----------------------> ISP

My Cisco router (2600XM) is connected to the core switch via VLAN 6; behind the core switch there are many VLANs and a Mac web server (also DNS and DHCP). I am using remote access VPN with split tunneling (I would like to keep it instead of a dynamic interface). I can connect to the VPN and ping the Cisco router, the core switch and the web server (by using telnet from the router to the switch and then to the Mac, but I can't access it directly from the VPN client), but from the web server I can't ping the VPN client.

I tried many things, such as adding 192.168.1.0 to the access list for the interesting traffic or allowing TCP port 8080, but I think my mistake is related to the routing and NAT and I can't figure it out.

I attached the config file too.

Thank you in advance

Andrew

9 Replies

Mohammad Alhyari
Cisco Employee

Hi Andrew ,

To access the 192.168.1.0 subnet it should be included in the split tunnel ACL; looking at your config it is:

access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

This will be enough to send the traffic to this subnet through the tunnel. Now regarding the router part here, checking your NAT config:

ip nat inside source list VPNNAT interface Ethernet1/0 overload    // Ethernet1/0 is the exit interface where we receive the VPN request.

Your NAT config also seems to be correct:

ip access-list extended VPNNAT

deny   ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255

permit ip any any

Now connect via the VPN client and open the statistics window, issue a continuous ping from the web server and check if the encryption counters are increasing. See on the router, using an access-list, if traffic is leaving on the interface connected to the switch:

access-list 102 permit icmp host vpnclient host webserver

access-list 102 permit ip any any

Apply it in the outbound direction of that interface and check if you see hits.

Finally, what about the routing in your inside network for the pool 172.16.1.0? Where is it pointing?

HTH

Mohammad.

Happy New Year mate.

With the VPN client there is no need for the gateway, as the packets are virtually routed through the VPN adapter. Did you check that those packets are reaching the switch? Did you try to traceroute to the server from the VPN client?

Please feel free to ask me anything.

HTH

Mohammad.

Hello Mohammad and happy new year,

I've checked the packets from the client to the web server and I can reach up to the core switch.

From the router I can't ping the VPN client, but from the core switch I can.

Cisco_Test_Router>

Cisco_Test_Router>en

Password:

Cisco_Test_Router#

Cisco_Test_Router#

Cisco_Test_Router#ping

Protocol [ip]:

Target IP address: 172.16.1.14

Repeat count [5]:

Datagram size [100]:

Timeout in seconds [2]:

Extended commands [n]: y

Source address or interface: 172.16.0.1

Type of service [0]:

Set DF bit in IP header? [no]:

Validate reply data? [no]:

Data pattern [0xABCD]:

Loose, Strict, Record, Timestamp, Verbose[none]:

Sweep range of sizes [n]:

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.1.14, timeout is 2 seconds:

Packet sent with a source address of 172.16.0.1

.....

Success rate is 0 percent (0/5)

If I check the access lists, the match is on the extended list and not on list 100, which is the interesting traffic.

% Unknown command or computer name, or unable to find computer address

Cisco_Test_Router#show access-li

Cisco_Test_Router#show access-lists

Extended IP access list 100

    10 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255

    20 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

    30 permit icmp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

    40 permit icmp 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255

Extended IP access list VPNNAT

    10 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255 (7012 matches)

    20 permit ip any any (18686 matches)

Cisco_Test_Router#

I have a default route S*   0.0.0.0/0 [1/0] via 83.244.220.225 which points to the ISP gateway, and also a static route

S       172.16.1.0/24 is directly connected, Ethernet1/0 for the VPN subnet. Do you think there is a conflict? I can't understand why the core switch can't reach the VPN client if there is a default route at the core switch pointing to the router and then the router has a static route pointing to Ethernet1/0.

Thanks

Andrew

If you are using a dynamic crypto map then RRI should be enabled so that it adds a static route to the VPN client. You can enable it under the dynamic crypto map.

Cheers.

Hello Mohammad,

Reverse route is enabled; shall I add the command match address?

From the routing table I can see the static routes which the router is creating.

Do you have a sample configuration for remote access VPN with VLANs?

Thanks

Andrew

Hello Mohammad,

I applied the access list and the show command output is the following:

Extended IP access list 105

    10 permit icmp host 172.16.1.6 host 10.0.0.2

    20 permit ip any any (292 matches)

I applied it to the interface but couldn't ping the server. Also, when I try to ping the core switch the access list has matches only on the permit ip any any, but it should have them on the first one, right?

andre8525
Level 1

Hello,

I am attaching an image with the network diagram and the config :

Core Switch

----------------

!

ip route 0.0.0.0/0 172.16.0.1

ip route 172.16.1.0/24 172.16.0.1

!

Cisco router

------------------------

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname Cisco_Test_Router

!

boot-start-marker

boot system flash:c2600-adventerprisek9-mz.124.2.T.bin

boot-end-marker

!

enable password

!

!

resource policy

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login userauth local

aaa authorization network groupauth local

!

aaa session-id common

no network-clock-participate slot 1

no network-clock-participate wic 0

ip subnet-zero

!

!

no ip dhcp use vrf connected

!

!

ip cef

no ip domain lookup

no ip ips deny-action ips-interface

!

username password

username password

!

!

!

crypto isakmp policy 10

encr aes 256

authentication pre-share

group 2

!

crypto isakmp client configuration group Squaregroup

key square123

dns 8.8.8.8

domain google.com

pool VPNCLIENTS

acl 100

netmask 255.255.255.0

!

!

crypto ipsec transform-set mytrans esp-3des esp-sha-hmac

!

crypto dynamic-map mymap 10

set transform-set mytrans

reverse-route

!

!

!

crypto map mymap client authentication list userauth

crypto map mymap isakmp authorization list groupauth

crypto map mymap client configuration address respond

crypto map mymap 10 ipsec-isakmp dynamic mymap

!

!

!

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface Serial0/0

no ip address

shutdown

no fair-queue

!

interface Serial0/1

no ip address

shutdown

!

interface Ethernet1/0

description Connection to the outside world

ip address 83.xxx.xxx.xxx xxx.xxx.xxx.xxx

ip nat outside

ip virtual-reassembly

full-duplex

crypto map mymap

!

interface Ethernet1/1

description Connection to the inside network

ip address 172.16.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

full-duplex

!

interface Ethernet1/2

no ip address

shutdown

half-duplex

!

interface Ethernet1/3

no ip address

shutdown

half-duplex

!

ip local pool VPNCLIENTS 172.16.1.3 172.16.1.20

ip classless

ip route profile

ip route 0.0.0.0 0.0.0.0 83.xxx.xxx.xxx

ip route 172.16.1.0 255.255.255.0 Ethernet1/0

ip route 192.168.1.0 255.255.255.0 172.16.0.2

ip route 192.168.2.0 255.255.255.0 172.16.0.2

ip route 192.168.3.0 255.255.255.0 172.16.0.2

ip route 192.168.4.0 255.255.255.0 172.16.0.2

ip route 192.168.5.0 255.255.255.0 172.16.0.2

ip route 192.168.6.0 255.255.255.0 172.16.0.2

ip route 192.168.7.0 255.255.255.0 172.16.0.2

ip route 192.168.8.0 255.255.255.0 172.16.0.2

ip route 192.168.9.0 255.255.255.0 172.16.0.2

ip route 192.168.10.0 255.255.255.0 172.16.0.2

ip route 192.168.11.0 255.255.255.0 172.16.0.2

ip route 192.168.12.0 255.255.255.0 172.16.0.2

ip route 192.168.13.0 255.255.255.0 172.16.0.2

ip route 192.168.14.0 255.255.255.0 172.16.0.2

ip route 192.168.15.0 255.255.255.0 172.16.0.2

ip route 192.168.16.0 255.255.255.0 172.16.0.2

ip route 192.168.17.0 255.255.255.0 172.16.0.2

ip route 192.168.18.0 255.255.255.0 172.16.0.2

ip route 192.168.19.0 255.255.255.0 172.16.0.2

!

!

no ip http server

no ip http secure-server

ip nat inside source route-map NoNat interface Ethernet1/0 overload

!

access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 110 deny   ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 110 permit ip any any

!

route-map NoNat permit 10

match ip address 110

!

!

!

control-plane

!

I can ping the router (both interfaces) and the core switch (VLAN 6), but I can't ping VLAN 1 and the Mac server can't ping my client. If I go hop by hop, for example if I telnet to the core switch, then I can SSH to the Mac server, but I can't do it directly from the client.

Thanks in advance

Andrew

Hello,

Finally I managed to fix the issue with the VLAN at the core switch; the problem was with the NAT and the ACL. The config is the following:

ip nat inside source list 110 interface Ethernet1/0 overload

!

!

access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 100 permit ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255

access-list 110 deny   ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 110 deny   ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255

access-list 110 permit ip any any

Access list 100 is for the traffic which will pass through the VPN tunnel (if you have many VLANs then you need to add all of them; otherwise, if you have a Mac server on VLAN 1, then you can access all the clients through ARD).

Access list 110 denies the NAT to the same networks; the result is that the VPN client will be able to connect to both networks.

Also, the config is working with IPsec over TCP and IPsec over UDP port 10000.

Regards,

Andy
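The fix above boils down to one invariant: every inside subnet that the split-tunnel ACL sends into the tunnel must also be denied (exempted) in the NAT ACL, otherwise the inside host's replies to the VPN pool are translated to the WAN address and never make it back through the tunnel. The following checker is an added example written for this thread, not code from the original post or from Cisco; it parses the numbered ACLs shown here (constructed inline from the thread's "before" and "after" configs) and flags split-tunnel flows that the NAT ACL would still translate.

```python
import ipaddress

# Constructed sample from the thread: the original ACLs (NAT-exempt ACL 110 only
# denies 172.16.0.0/24 -> pool, so the web server's replies are NATed) and the fix.
BROKEN_CONFIG = """
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny   ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip any any
"""
FIXED_CONFIG = """
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 deny   ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny   ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 permit ip any any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec (any | ADDRESS WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # An IOS wildcard mask is the bitwise inverse of a subnet mask.
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for numbered 'ip' ACEs."""
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        src, rest = _parse_addr(parts[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(parts[1], []).append((parts[2], src, dst))
    return acls

def check_split_tunnel_nat(config, split_acl="100", nat_acl="110"):
    """List split-tunnel flows (inside subnet -> client pool) that the NAT ACL would still translate."""
    acls = parse_acls(config)
    problems = []
    for action, src, dst in acls.get(split_acl, []):
        if action != "permit":
            continue
        # First-match NAT lookup: 'permit' = translate, 'deny' = exempt, implicit deny at the end.
        verdict = next((a for a, s, d in acls.get(nat_acl, [])
                        if src.subnet_of(s) and dst.subnet_of(d)), "deny")
        if verdict == "permit":
            problems.append(f"{src} -> {dst} is tunneled but not NAT-exempt")
    return problems
```

Run against the thread's original ACLs it reports the 192.168.1.0/24 flow as tunneled but not NAT-exempt; against the final config it reports nothing.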

Hi Mate ,

Sorry for the late response; it is good to know that you have managed to solve this problem.

Enjoy the new year.
