Remote Access VPN to IOS Router

steve.slater
Level 1

Hi All,

I am trying to set up remote access with split tunneling to a Cisco 2801. I can connect to the VPN profile and get to the internet; however, I am unable to ping/reach any of the inside devices (10.10.10.X). The VPN users are getting the correct address assignments in the 172.15.10.X range. I can see that my remote PC is sending packets to the devices but not receiving anything back. Here is what my config looks like... any thoughts on things to look at would be great!

Thanks

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address x.x.x.x
crypto isakmp key cisco123 address x.x.x.x
!
crypto isakmp client configuration group VPN_Client
 key ******
 dns 64.89.70.2 64.89.74.2
 pool SDM_POOL_1
 acl 120
 max-users 25
 netmask 255.255.255.0
!
crypto isakmp profile sdm-ike-profile-1
   match identity group VPN_Client
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile SiteA
   keyring myring
   match identity address 1.1.1.1 255.255.255.255
   local-address FastEthernet0/0
crypto isakmp profile Site2
   keyring Atlanta
   match identity address 2.2.2.2 255.255.255.255
   local-address FastEthernet0/0
!
crypto ipsec transform-set AES192 esp-aes 192 esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile sdm-ike-profile-1
!
crypto dynamic-map RA-Map 10
 set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
 reverse-route
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 3.3.3.3
 set peer 3.3.3.3
 set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
 set pfs group2
 set isakmp-profile SiteA
 match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 4.4.4.4
 set peer 4.4.4.4
 set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
 set pfs group2
 set isakmp-profile SiteB
 match address 106
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic RA-Map
!
interface FastEthernet0/0
 description *** Outside ETH-LAN ***
 ip address 174.1.1.2 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description *** Inside ETH-LAN ***
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 172.15.10.1 172.15.10.50
ip forward-protocol nd
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http secure-server
ip nat source list 110 interface FastEthernet0/0 overload
ip nat inside source list 110 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 174.1.1.1
!
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 105 permit ip 172.15.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 106 permit ip 10.10.10.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 110 deny   ip 10.10.10.0 0.0.0.255 172.15.10.0 0.0.0.255
access-list 110 deny   ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 172.15.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 172.15.10.0 0.0.0.255
access-list 120 permit ip 172.20.0.0 0.0.255.255 172.15.10.0 0.0.0.255
access-list 130 remark SDM_ACL Category=17
access-list 130 permit udp host 4.2.2.2 eq domain any
access-list 130 permit esp host 65.79.168.6 host 174.141.59.195
access-list 130 permit ip host 65.79.168.6 host 174.141.59.195
access-list 130 permit ip any any

7 Replies

Hi,

Can you PING 10.10.10.254 which is the inside IP of the router?

If you can, but cannot PING the internal network, make sure the internal network has a default route pointing to 10.10.10.254 or at least there's a route to the VPN pool.

Federico.

Hi Federico,

I can not ping the inside router interface or the internal network.

You mention that the VPN client shows packets encrypted but not decrypted (received)?

This means the router should show packets decrypted. Check the output of "sh cry ips sa".

Check if the router also shows packets encrypted to see if the router is sending the data back to the VPN client.

Federico.

The router is only showing Pkts decaps and not Pkts encaps, as shown below.

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
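
The counter reading Federico describes (decaps without encaps means the router decrypts the client's packets but never sends anything back) can be turned into a small triage script. This is an added example, not code from the thread; the one-way sample below is constructed from the counter lines pasted above, the "healthy" sample uses assumed numbers for comparison, and the state names and advice strings are this example's own:

```python
"""Triage of `show crypto ipsec sa` counters, following the reasoning in the
replies.  Added example, not from the thread.  SAMPLE_ONE_WAY is constructed
from the pasted counters; SAMPLE_HEALTHY uses assumed numbers."""
import re

# Constructed sample: the counter lines pasted in the thread (encaps 0, decaps 6).
SAMPLE_ONE_WAY = """\
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

# Constructed sample of a working SA (assumed numbers): traffic in both directions.
SAMPLE_HEALTHY = """\
    #pkts encaps: 42, #pkts encrypt: 42, #pkts digest: 42
    #pkts decaps: 40, #pkts decrypt: 40, #pkts verify: 40
    #send errors 0, #recv errors 0
"""

# Fields IOS prints; 'send errors'/'recv errors' carry no colon, hence ':?'.
_COUNTER = re.compile(
    r"#(pkts (?:en|de)caps|pkts (?:en|de)crypt|pkts digest|pkts verify"
    r"|send errors|recv errors):? (\d+)"
)


def parse_counters(text):
    """Map counter names to integers, e.g. {'pkts decaps': 6, ...}."""
    return {name: int(value) for name, value in _COUNTER.findall(text)}


def triage(counters):
    """Classify one SA from its counters.

    encaps = packets the router encrypted towards the peer (the return traffic);
    decaps = packets received from the peer and decrypted by the router."""
    enc = counters.get("pkts encaps", 0)
    dec = counters.get("pkts decaps", 0)
    if counters.get("send errors", 0) or counters.get("recv errors", 0):
        return "errors"
    if enc == 0 and dec == 0:
        return "no-traffic"
    if enc == 0 and dec > 0:
        return "one-way-inbound"
    if enc > 0 and dec == 0:
        return "one-way-outbound"
    return "bidirectional"


# Next step per state, in the thread's terms (wording is this example's own).
ADVICE = {
    "errors": "send/recv errors are non-zero: investigate those before reading the counters",
    "no-traffic": "nothing reaches this SA: check the client's split-tunnel ACL and what the crypto ACL selects",
    "one-way-inbound": ("the router decrypts the client's packets but never encrypts a reply: "
                        "the return path is broken (route back to the pool, NAT exemption, "
                        "or, as in this thread, which interface terminates the session)"),
    "one-way-outbound": "the router encrypts but receives nothing: look at the peer side and the path towards it",
    "bidirectional": "traffic flows both ways; the IPsec SA is not the problem",
}


def describe(text):
    """Full triage of one pasted counter block: (state, advice)."""
    state = triage(parse_counters(text))
    return state, ADVICE[state]


if __name__ == "__main__":
    for name, sample in (("thread sample", SAMPLE_ONE_WAY), ("healthy sample", SAMPLE_HEALTHY)):
        state, advice = describe(sample)
        print(f"{name}: {state}: {advice}")
```

Paste the `#pkts` block of each SA from `show crypto ipsec sa` into `describe()`; on a router with several peers, run it per SA so a working site-to-site tunnel does not mask a broken remote-access one.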

Accepted solution:

Are the VPN clients connecting to the F0/0 interface (where the crypto map is applied) or to the virtual-template interface?

What if you do this:

crypto isakmp profile sdm-ike-profile-1
 no virtual-template 1

Disconnect/reconnect.

Federico.
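
The condition behind this fix is visible in the posted configuration: the remote-access clients arrive on FastEthernet0/0, where crypto map SDM_CMAP_1 terminates them through its dynamic entry, while the ISAKMP profile that matches them (sdm-ike-profile-1) also hands the session to Virtual-Template1, so two termination methods compete. The script below is an added example, not code from the thread, that checks an IOS configuration for exactly that combination, plus a dangling `set isakmp-profile` reference (the posted config defines `Site2` but references `SiteB`). SAMPLE_CONFIG is a condensed, constructed copy of the posted configuration; the check names and messages are this example's own:

```python
"""Static checks for an IOS IPsec configuration, modelled on the fix above.
Added example, not from the thread.  SAMPLE_CONFIG is a condensed, constructed
copy of the posted config; check names and messages are this example's own."""
import re

SAMPLE_CONFIG = """\
crypto isakmp profile sdm-ike-profile-1
   match identity group VPN_Client
   client configuration address respond
   virtual-template 1
crypto isakmp profile SiteA
   keyring myring
   match identity address 1.1.1.1 255.255.255.255
crypto isakmp profile Site2
   keyring Atlanta
   match identity address 2.2.2.2 255.255.255.255
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile sdm-ike-profile-1
crypto dynamic-map RA-Map 10
 set transform-set AES192 ESP-3DES-SHA1
 reverse-route
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 3.3.3.3
 set isakmp-profile SiteA
 match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 4.4.4.4
 set isakmp-profile SiteB
 match address 106
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic RA-Map
interface FastEthernet0/0
 ip address 174.1.1.2 255.255.255.224
 crypto map SDM_CMAP_1
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel protection ipsec profile SDM_Profile1
"""


def parse_blocks(text):
    """Split an IOS config into (header, [sub-lines]): an unindented line opens
    a block, indented lines belong to it; blank and '!' lines are skipped."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0].isspace():
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def ra_dvti_profiles(blocks):
    """ISAKMP profiles that match remote-access clients by group AND hand the
    session to a virtual-template (DVTI termination).  {profile: template}"""
    out = {}
    for header, body in blocks:
        m = re.match(r"crypto isakmp profile (\S+)$", header)
        if not m or not any(l.startswith("match identity group ") for l in body):
            continue
        for line in body:
            vt = re.match(r"virtual-template (\d+)$", line)
            if vt:
                out[m.group(1)] = vt.group(1)
    return out


def dynamic_crypto_maps(blocks):
    """Names of crypto maps that carry a dynamic entry (crypto-map termination)."""
    pat = re.compile(r"crypto map (\S+) \d+ ipsec-isakmp dynamic \S+$")
    return {pat.match(h).group(1) for h, _ in blocks if pat.match(h)}


def crypto_map_interfaces(blocks):
    """{interface: crypto map} for interfaces other than virtual-templates."""
    out = {}
    for header, body in blocks:
        m = re.match(r"interface (?!Virtual-Template)(\S+)", header)
        if m:
            for line in body:
                cm = re.match(r"crypto map (\S+)$", line)
                if cm:
                    out[m.group(1)] = cm.group(1)
    return out


def check_mixed_termination(blocks):
    """Clients land on an interface whose crypto map has a dynamic entry while
    the ISAKMP profile matching them also names a virtual-template."""
    findings = []
    dyn = dynamic_crypto_maps(blocks)
    for intf, cmap in crypto_map_interfaces(blocks).items():
        if cmap not in dyn:
            continue
        for prof, vt in ra_dvti_profiles(blocks).items():
            findings.append(
                f"{intf}: crypto map {cmap} terminates clients via its dynamic entry, but "
                f"isakmp profile {prof} also points them at Virtual-Template{vt}; remove "
                f"'virtual-template {vt}' from the profile (the thread's fix) or drop the "
                f"dynamic crypto map entry and terminate on the DVTI only")
    return findings


def check_dangling_isakmp_profiles(blocks):
    """'set isakmp-profile X' with no matching 'crypto isakmp profile X'."""
    defined = {h.split()[-1] for h, _ in blocks if re.match(r"crypto isakmp profile \S+$", h)}
    findings = []
    for header, body in blocks:
        if header.startswith(("crypto map ", "crypto dynamic-map ", "crypto ipsec profile ")):
            for line in body:
                m = re.match(r"set isakmp-profile (\S+)$", line)
                if m and m.group(1) not in defined:
                    findings.append(f"{header}: references undefined isakmp profile {m.group(1)}")
    return findings


def lint(text):
    """All findings for one configuration text."""
    blocks = parse_blocks(text)
    return check_mixed_termination(blocks) + check_dangling_isakmp_profiles(blocks)


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

Feed it `show running-config` output; the parser relies on IOS's own indentation of sub-commands, so a config pasted with the indentation stripped (as the one above was) must be re-indented first. Removing `virtual-template 1` from the profile, exactly as the accepted reply suggests, clears the first finding.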

Hi Federico,

That did the trick... thanks for the extra set of eyes!

Glad I could help :-)

Thank you Steve.

Federico.