12-30-2011 01:33 PM - edited 02-21-2020 05:48 PM
Hello to all,
Before I explain my problem I would like to show you my network:
VLAN 1-20
Mac web server (ip 192.168.1.2) -------------> core switch (VLAN 1 ip 192.168.1.1, VLAN 6 ip 172.16.0.2) ---------------> Cisco router (VLAN 6 ip 172.16.0.1 and WAN ip at the outside interface) -----------------------> ISP
My Cisco router (2600XM) is connected to the core switch via VLAN 6; behind the core switch there are many VLANs and a Mac web server (also DNS and DHCP). I am using remote-access VPN with split tunneling (I would like to keep it instead of a dynamic interface). I can connect to the VPN and ping the Cisco router, the core switch and the web server (by using telnet from the router to the switch and then to the Mac, but I can't access it directly from the VPN client), but from the web server I can't ping the VPN client.
I tried many things, such as adding 192.168.1.0 to the access list for the interesting traffic or allowing TCP port 8080, but I think my mistake is related to the routing and NAT and I can't figure it out.
I attached the config file too.
Thank you in advance
Andrew
12-31-2011 12:43 PM
Hi Andrew,
To access the 192.168.1.0 subnet it should be included in the split-tunnel ACL; looking at your config, it is:
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
This will be enough to send the traffic to this subnet through the tunnel. Now regarding the router part, checking your NAT config:
ip nat inside source list VPNNAT interface Ethernet1/0 overload // Ethernet1/0 is the exit interface where we receive the VPN request.
Your NAT config also seems to be correct:
ip access-list extended VPNNAT
deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
permit ip any any
Now connect via the VPN client and open the statistics window, issue a continuous ping from the web server and check if the encryption counters are increasing. See on the router, using an access list, if traffic is leaving on the interface connected to the switch:
access-list 102 permit icmp host vpnclient host webserver
access-list 102 permit ip any any
Apply it in the outbound direction of that interface and check if you see hits.
Finally, what about the routing in your inside network for the pool 172.16.1.0; where is it pointing?
HTH
Mohammad.
01-01-2012 04:13 AM
Happy New Year, mate.
With the VPN client there is no need for the gateway, as the packets are virtually routed through the VPN adapter. Did you check that those packets are reaching the switch? Did you try a traceroute to the server from the VPN client?
Please feel free to ask me anything.
HTH
Mohammad.
01-01-2012 06:30 AM
Hello Mohammad and happy new year,
I've checked the packets from the client to the web server and I can reach up to the core switch.
From the router I can't ping the VPN client, but from the core switch I can.
Cisco_Test_Router>
Cisco_Test_Router>en
Password:
Cisco_Test_Router#
Cisco_Test_Router#
Cisco_Test_Router#ping
Protocol [ip]:
Target IP address: 172.16.1.14
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.16.0.1
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.14, timeout is 2 seconds:
Packet sent with a source address of 172.16.0.1
.....
Success rate is 0 percent (0/5)
If I check the access lists, the match is on the extended one and not on list 100, which is the interesting traffic.
% Unknown command or computer name, or unable to find computer address
Cisco_Test_Router#show access-li
Cisco_Test_Router#show access-lists
Extended IP access list 100
10 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
20 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
30 permit icmp 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
40 permit icmp 172.16.1.0 0.0.0.255 192.168.1.0 0.0.0.255
Extended IP access list VPNNAT
10 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255 (7012 matches)
20 permit ip any any (18686 matches)
Cisco_Test_Router#
I have a default route S* 0.0.0.0/0 [1/0] via 83.244.220.225, which points to the ISP gateway, and also a static route
S 172.16.1.0/24 is directly connected, Ethernet1/0 for the VPN subnet. Do you think there is a conflict? I can't understand why the core switch can't reach the VPN client if there is a default route at the core switch pointing to the router and then the router has a static route pointing to Ethernet1/0.
Thanks
Andrew
01-01-2012 10:32 AM
If you are using a dynamic crypto map then RRI should be enabled so that it adds a static route to the VPN client. You can enable it under the dynamic crypto map.
Cheers.
01-03-2012 09:44 AM
Hello Mohammad,
Reverse route is enabled; shall I add the command match address?
From the routing table I can see the static routes which the router is creating.
Do you have a sample configuration for remote-access VPN with VLANs?
Thanks
Andrew
01-06-2012 05:43 AM
Hello Mohammad,
I applied the access list and the show command output is the following:
Extended IP access list 105
10 permit icmp host 172.16.1.6 host 10.0.0.2
20 permit ip any any (292 matches)
I applied it to the interface but couldn't ping the server. Also, when I try to ping the core switch the access list has matches only on the permit ip any any, but it should have them on the first one, right?
01-03-2012 01:33 PM
Hello,
I am attaching an image with the network diagram and the config:
Core Switch
----------------
!
ip route 0.0.0.0/0 172.16.0.1
ip route 172.16.1.0/24 172.16.0.1
!
Cisco router
------------------------
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Cisco_Test_Router
!
boot-start-marker
boot system flash:c2600-adventerprisek9-mz.124.2.T.bin
boot-end-marker
!
enable password
!
!
resource policy
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauth local
aaa authorization network groupauth local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip subnet-zero
!
!
no ip dhcp use vrf connected
!
!
ip cef
no ip domain lookup
no ip ips deny-action ips-interface
!
!
username password
username password
!
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
!
crypto isakmp client configuration group Squaregroup
key square123
dns 8.8.8.8
domain google.com
pool VPNCLIENTS
acl 100
netmask 255.255.255.0
!
!
crypto ipsec transform-set mytrans esp-3des esp-sha-hmac
!
crypto dynamic-map mymap 10
set transform-set mytrans
reverse-route
!
!
!
crypto map mymap client authentication list userauth
crypto map mymap isakmp authorization list groupauth
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic mymap
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface Serial0/1
no ip address
shutdown
!
interface Ethernet1/0
description Connection to the outside world
ip address 83.xxx.xxx.xxx xxx.xxx.xxx.xxx
ip nat outside
ip virtual-reassembly
full-duplex
crypto map mymap
!
interface Ethernet1/1
description Connection to the inside network
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
full-duplex
!
interface Ethernet1/2
no ip address
shutdown
half-duplex
!
interface Ethernet1/3
no ip address
shutdown
half-duplex
!
ip local pool VPNCLIENTS 172.16.1.3 172.16.1.20
ip classless
ip route profile
ip route 0.0.0.0 0.0.0.0 83.xxx.xxx.xxx
ip route 172.16.1.0 255.255.255.0 Ethernet1/0
ip route 192.168.1.0 255.255.255.0 172.16.0.2
ip route 192.168.2.0 255.255.255.0 172.16.0.2
ip route 192.168.3.0 255.255.255.0 172.16.0.2
ip route 192.168.4.0 255.255.255.0 172.16.0.2
ip route 192.168.5.0 255.255.255.0 172.16.0.2
ip route 192.168.6.0 255.255.255.0 172.16.0.2
ip route 192.168.7.0 255.255.255.0 172.16.0.2
ip route 192.168.8.0 255.255.255.0 172.16.0.2
ip route 192.168.9.0 255.255.255.0 172.16.0.2
ip route 192.168.10.0 255.255.255.0 172.16.0.2
ip route 192.168.11.0 255.255.255.0 172.16.0.2
ip route 192.168.12.0 255.255.255.0 172.16.0.2
ip route 192.168.13.0 255.255.255.0 172.16.0.2
ip route 192.168.14.0 255.255.255.0 172.16.0.2
ip route 192.168.15.0 255.255.255.0 172.16.0.2
ip route 192.168.16.0 255.255.255.0 172.16.0.2
ip route 192.168.17.0 255.255.255.0 172.16.0.2
ip route 192.168.18.0 255.255.255.0 172.16.0.2
ip route 192.168.19.0 255.255.255.0 172.16.0.2
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map NoNat interface Ethernet1/0 overload
!
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip any any
!
route-map NoNat permit 10
match ip address 110
!
!
!
control-plane
!
!
!
!
!
!
!
!
I can ping the router (both interfaces) and the core switch (VLAN 6) but I can't ping VLAN 1, and the Mac server can't ping my client. If I go hop by hop, for example if I telnet to the core switch then I can SSH to the Mac server, but I can't do it directly from the client.
Thanks in advance
Andrew
01-07-2012 02:17 PM
Hello,
Finally I managed to fix the issue with the VLAN at the core switch; the problem was with the NAT and the ACL. The config is the following:
ip nat inside source list 110 interface Ethernet1/0 overload
!
!
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 permit ip any any
Access list 100 is for the traffic which will pass through the VPN tunnel (if you have many VLANs then you need to add them all; otherwise, if you have a Mac server on VLAN 1, you can access all the clients through ARD).
Access list 110 denies NAT for the same networks; the result is that the VPN client will be able to connect to both networks.
Also, the config is working with IPsec over TCP and IPsec over UDP port 10000.
Regards,
Andy
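Added example, not part of the forum thread or of anyone's posted config: a small Python evaluator for Cisco-style numbered ACLs that checks, for one inside host and one VPN client address, the two conditions Mohammad's first reply and this final post are about: whether the flow is covered by the split-tunnel ACL (the "acl 100" referenced in the client group) and whether it is exempted from NAT by the list used in "ip nat inside source list ... overload". It runs both the ACL set from the original config (server VLAN 192.168.1.0/24) and the set from the final post (server network 10.0.0.0/27). The addresses 192.168.1.2, 10.0.0.2, 172.16.0.2 and 172.16.1.14 are taken from the thread; the evaluator models only the protocol keyword and the source/destination address fields (no port operators) and treats the end of each list as an implicit deny, as IOS does.

```python
# Added example, not part of the forum thread: evaluate Cisco-style numbered
# ACLs to check split-tunnel coverage and NAT exemption for one flow.
# Assumptions: only the 'ip'/'icmp'/'tcp'/'udp' keywords and the source and
# destination address fields are modelled (no port operators), and the end
# of each list is an implicit deny, as on IOS. ACL text and addresses below
# are copied from the thread.
import ipaddress

# ACLs from the original config posted in the thread (server VLAN 192.168.1.0/24).
ORIGINAL_ACLS = """
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 permit ip any any
"""

# ACLs from the final, working config (server network now 10.0.0.0/27).
FIXED_ACLS = """
access-list 100 permit ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 deny ip 172.16.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 110 deny ip 10.0.0.0 0.0.0.31 172.16.1.0 0.0.0.255
access-list 110 permit ip any any
"""


def _ip(s):
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tokens):
    """Consume one address spec ('any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W')
    and return ((address, wildcard), remaining_tokens)."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0), tokens[2:]
    return (_ip(tokens[0]), _ip(tokens[1])), tokens[2:]


def parse_acls(text):
    """Parse 'access-list N action proto src dst' lines.
    Returns {acl_id: [(action, proto, src_spec, dst_spec), ...]} in order."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        acl_id, action, proto = tok[1], tok[2], tok[3]
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(acl_id, []).append((action, proto, src, dst))
    return acls


def _addr_match(spec, ip):
    """Wildcard-mask compare: bits set to 1 in the wildcard are 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (_ip(ip) & care) == (addr & care)


def lookup(aces, proto, src, dst):
    """First-match-wins evaluation; returns 'permit' or 'deny'
    ('deny' also for the implicit deny at the end of the list)."""
    for action, ace_proto, s, d in aces:
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if _addr_match(s, src) and _addr_match(d, dst):
            return action
    return "deny"


def diagnose(acls, split_acl, nat_acl, inside_host, client):
    """Check an inside host -> VPN client flow.
    With 'ip nat inside source list <nat_acl> interface ... overload', a
    'permit' in the NAT ACL means the packet IS translated on the way out
    (NAT runs before encryption for inside-to-outside traffic), so it would
    not match the IPsec proxy identities negotiated for that client; a
    'deny' leaves it untouched. Both conditions must hold for the flow to work."""
    in_tunnel = lookup(acls[split_acl], "ip", inside_host, client) == "permit"
    natted = lookup(acls[nat_acl], "ip", inside_host, client) == "permit"
    return {"in_split_tunnel": in_tunnel,
            "nat_exempt": not natted,
            "ok": in_tunnel and not natted}


def check_original():
    """Mac web server (192.168.1.2) -> VPN client 172.16.1.14, original ACLs."""
    return diagnose(parse_acls(ORIGINAL_ACLS), "100", "110",
                    "192.168.1.2", "172.16.1.14")


def check_fixed():
    """Server 10.0.0.2 -> VPN client 172.16.1.14, ACLs from the final post."""
    return diagnose(parse_acls(FIXED_ACLS), "100", "110",
                    "10.0.0.2", "172.16.1.14")


if __name__ == "__main__":
    for name, result in (("original", check_original()), ("fixed", check_fixed())):
        print(name, result)
```

With the original ACLs the server-to-client flow is in the split tunnel but falls through to "permit ip any any" in the NAT list, while the core switch's VLAN 6 address (172.16.0.2) passes both checks, which is the same pattern the thread reports (VLAN 6 reachable, VLAN 1 not). With the final ACLs both checks pass.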
01-08-2012 09:39 AM
Hi mate,
Sorry for the late response; it is good to know that you have managed to solve this problem.
Enjoy the new year.