
06-07-2010 08:55 PM
I'm attempting to follow http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008073b06b.shtml in order to allow VPN clients to receive their internet through the connection instead of split-tunneling. Internal resources are available, but the internet does not work when a client is connected. It appears the VPN clients are not being translated.
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
authentication pre-share
crypto isakmp key keystring address x.x.x.x no-xauth
!
crypto isakmp client configuration group VPN-Users
key keystring
dns 208.67.222.222 208.67.220.220
domain domain.com
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
match identity group VPN-Users
client authentication list default
isakmp authorization list default
client configuration address initiate
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac
!
crypto ipsec profile IPSEC_PROFILE1
set transform-set ESP-3DES-SHA
set isakmp-profile IKE-PROFILE
!
!
crypto dynamic-map DYNMAP 10
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map CLIENTMAP client authentication list default
crypto map CLIENTMAP isakmp authorization list default
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-3DES-SHA
set pfs group1
match address 100
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
archive
log config
hidekeys
!
!
controller T1 2/0
framing sf
linecode ami
!
ip ssh authentication-retries 2
!
!
!
!
interface Loopback0
ip address 192.168.100.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0/0
description $ETH-WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0/0 hostname 3725router
ip access-group 104 in
no ip unreachables
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
ip policy route-map SDM_RMAP_1
duplex auto
speed auto
crypto map CLIENTMAP
!
interface Serial0/0
description $FW_OUTSIDE$
ip address 10.0.0.1 255.255.240.0
ip access-group 105 in
ip verify unicast reverse-path
no ip unreachables
ip inspect SDM_LOW out
ip virtual-reassembly
shutdown
clock rate 2000000
crypto map CLIENTMAP
!
interface FastEthernet0/1
no ip address
no ip unreachables
ip virtual-reassembly
speed auto
full-duplex
!
interface FastEthernet0/1.2
description $FW_INSIDE$
encapsulation dot1Q 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
no ip unreachables
ip nat inside
ip virtual-reassembly
ipv6 enable
!
interface FastEthernet0/1.3
description $FW_INSIDE$
encapsulation dot1Q 3
ip address 172.16.3.1 255.255.255.0
ip access-group 102 in
no ip unreachables
ip nat inside
ip virtual-reassembly
ipv6 enable
!
interface FastEthernet0/1.10
description Guest Wireless Vlan
encapsulation dot1Q 100
ip address 172.16.100.1 255.255.255.0
ip access-group 110 out
no ip unreachables
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.50
description $Phones$
encapsulation dot1Q 50
ip address 172.16.50.1 255.255.255.0
ip virtual-reassembly
!
interface Serial0/1
no ip address
no ip unreachables
shutdown
clock rate 2000000
!
interface Serial0/2
no ip address
shutdown
!
interface Serial0/3
no ip address
shutdown
!
interface Serial1/0
no ip address
shutdown
!
interface BRI2/0
no ip address
ip virtual-reassembly
encapsulation hdlc
shutdown
!
interface Virtual-Template1 type tunnel
description $FW_INSIDE$
ip unnumbered Loopback0
ip access-group 103 in
no ip unreachables
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE1
!
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip forward-protocol nd
ip route 172.16.200.0 255.255.255.252 172.16.2.3
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat translation udp-timeout 900
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
logging origin-id hostname
logging 172.16.3.3
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 101 remark SDM_ACL Category=17
access-list 101 permit ahp any host 172.16.2.1
access-list 101 permit esp any host 172.16.2.1
access-list 101 permit udp any host 172.16.2.1 eq isakmp
access-list 101 permit udp any host 172.16.2.1 eq non500-isakmp
access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny tcp any any range 1 chargen log
access-list 101 deny tcp any any eq whois log
access-list 101 deny tcp any any eq 93 log
access-list 101 deny tcp any any range 135 139 log
access-list 101 deny tcp any any eq 445 log
access-list 101 deny tcp any any range exec 518 log
access-list 101 deny tcp any any eq uucp log
access-list 101 permit ip any any
access-list 101 deny ip 172.16.100.0 0.0.0.255 any log
access-list 102 deny ip 172.16.2.0 0.0.0.255 any log
access-list 102 deny ip 10.0.0.0 0.0.15.255 any log
access-list 102 deny ip 192.168.0.0 0.0.0.255 any log
access-list 102 deny ip host 255.255.255.255 any log
access-list 102 deny ip 127.0.0.0 0.255.255.255 any log
access-list 102 permit ip any any
access-list 103 deny ip 172.16.2.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.0.15.255 any
access-list 103 deny ip 172.16.3.0 0.0.0.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 permit ip any any
access-list 104 remark SDM_ACL Category=17
access-list 104 permit ip host 192.168.0.100 any
access-list 104 permit ip host 192.168.0.101 any
access-list 104 permit ip host 192.168.0.102 any
access-list 104 permit ip host 192.168.0.103 any
access-list 104 permit ip host 192.168.0.104 any
access-list 104 permit ip host 192.168.0.105 any
access-list 104 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 permit ip host 192.168.0.100 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.101 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.102 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.103 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.104 172.16.0.0 0.0.255.255
access-list 104 permit ip host 192.168.0.105 172.16.0.0 0.0.255.255
access-list 104 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 104 permit udp host 205.152.132.23 eq domain any
access-list 104 permit udp host 205.152.144.23 eq domain any
access-list 104 remark Auto generated by SDM for NTP (123) 129.6.15.29
access-list 104 permit udp host 129.6.15.29 eq ntp any eq ntp
access-list 104 permit ahp any any
access-list 104 permit esp any any
access-list 104 permit 41 any any
access-list 104 permit udp any any eq isakmp
access-list 104 permit udp any any eq non500-isakmp
access-list 104 deny ip 10.0.0.0 0.0.15.255 any log
access-list 104 deny ip 172.16.2.0 0.0.0.255 any log
access-list 104 deny ip 192.168.0.0 0.0.0.255 any log
access-list 104 deny ip 172.16.3.0 0.0.0.255 any log
access-list 104 permit udp any eq bootps any eq bootpc
access-list 104 permit icmp any any echo-reply
access-list 104 permit icmp any any time-exceeded
access-list 104 permit icmp any any unreachable
access-list 104 permit icmp any any echo
access-list 104 deny icmp any any mask-request log
access-list 104 deny icmp any any redirect log
access-list 104 deny ip 10.0.0.0 0.255.255.255 any log
access-list 104 deny ip 172.16.0.0 0.15.255.255 any log
access-list 104 deny ip 192.168.0.0 0.0.255.255 any log
access-list 104 deny ip 127.0.0.0 0.255.255.255 any log
access-list 104 deny ip 224.0.0.0 15.255.255.255 any log
access-list 104 deny ip host 255.255.255.255 any log
access-list 104 deny tcp any any range 6000 6063 log
access-list 104 deny tcp any any eq 6667 log
access-list 104 deny tcp any any range 12345 12346 log
access-list 104 deny tcp any any eq 31337 log
access-list 104 deny udp any any eq 2049 log
access-list 104 deny udp any any eq 31337 log
access-list 104 deny udp any any range 33400 34400 log
access-list 104 deny ip any any log
access-list 105 remark SDM_ACL Category=17
access-list 105 permit ip host 192.168.0.100 any
access-list 105 permit ip host 192.168.0.101 any
access-list 105 permit ip host 192.168.0.102 any
access-list 105 permit ip host 192.168.0.103 any
access-list 105 permit ip host 192.168.0.104 any
access-list 105 permit ip host 192.168.0.105 any
access-list 105 permit ip host 192.168.0.100 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.101 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.102 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.103 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.104 172.16.0.0 0.0.255.255
access-list 105 permit ip host 192.168.0.105 172.16.0.0 0.0.255.255
access-list 105 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp any host 10.0.0.1 eq non500-isakmp
access-list 105 permit udp any host 10.0.0.1 eq isakmp
access-list 105 permit esp any host 10.0.0.1
access-list 105 permit ahp any host 10.0.0.1
access-list 105 permit udp host 129.6.15.29 eq ntp host 10.0.0.1 eq ntp
access-list 105 permit ahp host 10.0.0.2 host 10.0.0.1
access-list 105 permit esp host 10.0.0.2 host 10.0.0.1
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq isakmp
access-list 105 permit udp host 10.0.0.2 host 10.0.0.1 eq non500-isakmp
access-list 105 permit ip 172.16.10.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 105 permit udp host 10.0.0.2 host 172.16.2.10 eq tftp
access-list 105 permit udp host 10.0.0.2 host 172.16.2.5 eq syslog
access-list 105 deny ip 172.16.2.0 0.0.0.255 any
access-list 105 deny ip 192.168.0.0 0.0.0.255 any
access-list 105 deny ip 172.16.3.0 0.0.0.255 any
access-list 105 permit icmp any host 10.0.0.1 echo-reply
access-list 105 permit icmp any host 10.0.0.1 time-exceeded
access-list 105 permit icmp any host 10.0.0.1 unreachable
access-list 105 deny ip 10.0.0.0 0.255.255.255 any
access-list 105 deny ip 172.16.0.0 0.15.255.255 any
access-list 105 deny ip 192.168.0.0 0.0.255.255 any
access-list 105 deny ip 127.0.0.0 0.255.255.255 any
access-list 105 deny ip host 255.255.255.255 any
access-list 105 deny ip host 0.0.0.0 any
access-list 105 deny ip any any log
access-list 110 deny ip 172.16.2.0 0.0.0.255 any
access-list 110 deny ip 172.16.3.0 0.0.0.255 any
access-list 110 permit ip any any
access-list 115 permit ip 172.16.0.0 0.0.255.255 any
access-list 115 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.0.255
access-list 120 permit ip 172.16.0.0 0.0.255.255 any
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.101
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.102
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.103
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.104
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.105
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
snmp-server community public RO
ipv6 route ::/0 Tunnel0
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 150
set ip next-hop 192.168.100.2
!
route-map SDM_RMAP_1 permit 10
match ip address 150
set ip next-hop 192.168.100.2
Labels: VPN
Accepted Solutions
06-08-2010 01:17 PM
Based on my own lab testing, you can achieve this with and without policy routing. You can either configure the policy route on the virtual template interface and direct the traffic towards the loopback where ip nat inside is enabled, or you can just configure ip nat inside on the virtual template interface and remove the policy routing.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
crypto isakmp client configuration group VPN-Users
key cisco123
dns 208.67.222.222 208.67.220.220
domain domain.com
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
crypto isakmp profile IKE-PROFILE
match identity group VPN-Users
client authentication list default
isakmp authorization list default
client configuration address initiate
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 esp-sha-hmac
crypto ipsec profile IPSEC_PROFILE1
set transform-set ESP-3DES-SHA
set isakmp-profile IKE-PROFILE
crypto dynamic-map DYNMAP 10
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
interface GigabitEthernet0/0
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
media-type rj45
crypto map CLIENTMAP
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
ip nat inside
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE1
ip local pool VPN_POOL 192.168.0.100 192.168.0.105
ip nat inside source list 150 interface GigabitEthernet0/0 overload
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.101
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.102
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.103
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.104
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.105
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
***************************************************************************************
Pro   Inside global    Inside local       Outside local   Outside global
icmp  1.1.1.1:1        192.168.0.102:1    4.2.2.2:1       4.2.2.2:1
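Two things in this thread lend themselves to a small model: why the client traffic was not translated (it entered the router on Virtual-Template1, which carries no `ip nat inside`, so the `ip nat inside source` rule never applied; that is what the accepted solution changes), and the first-match evaluation of the access lists involved. The block below is an added example, not code from the thread, the poster or Cisco. It assumes contiguous wildcard masks, parses only `permit|deny ip` entries (the tcp/udp/ahp/esp entries of ACL 101 in the question are left out), and encodes NAT as one rule (ingress marked inside, egress marked outside, NAT ACL permits); IOS order of operations and the policy-route-to-loopback variant are not modelled. It also runs the `ip` entries of ACL 101 from the question through a shadowing check, where the `deny ip 172.16.100.0 0.0.0.255 any log` entry sits after `permit ip any any` and can never match.

```python
"""Model of two IOS behaviours this thread turns on: first-match ACL
evaluation and the inside/outside condition for `ip nat inside source`.
Added example, not code from the thread, the poster or Cisco."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Ace:
    action: str         # "permit" or "deny"
    src: IPv4Network
    dst: IPv4Network


@dataclass(frozen=True)
class Iface:
    name: str
    nat: Optional[str]  # "inside", "outside" or None (no ip nat statement)


def _addr(tok: List[str], i: int) -> Tuple[IPv4Network, int]:
    """Read one IOS address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    wildcard = int(IPv4Address(tok[i + 1]))
    prefix = 32 - wildcard.bit_length()   # assumption: contiguous wildcard mask
    return IPv4Network(f"{tok[i]}/{prefix}", strict=False), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Parse 'access-list N permit|deny ip SRC DST [log]' lines, in order.
    Remarks and non-'ip' (tcp/udp/ahp/esp) entries are skipped."""
    acl = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[2] in ("permit", "deny") and tok[3] == "ip":
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            acl.append(Ace(tok[2], src, dst))
    return acl


def first_match(acl: List[Ace], src: str, dst: str) -> Optional[Tuple[int, str]]:
    """IOS stops at the first matching entry; None is the implicit deny."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for i, e in enumerate(acl):
        if s in e.src and d in e.dst:
            return i, e.action
    return None


def shadowed(acl: List[Ace]) -> List[int]:
    """Indices of entries that can never match because an earlier entry
    already covers their whole source and destination."""
    return [j for j, later in enumerate(acl)
            if any(later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst)
                   for e in acl[:j])]


def translated(ingress: Iface, egress: Iface, nat_acl: List[Ace],
               src: str, dst: str) -> bool:
    """Inside-source NAT fires only for inside->outside packets the ACL permits
    (the only rule this model encodes; IOS order of operations is not modelled)."""
    if ingress.nat != "inside" or egress.nat != "outside":
        return False
    m = first_match(nat_acl, src, dst)
    return m is not None and m[1] == "permit"


# NAT access list 150 as it appears in the accepted solution.
ACL150 = parse_acl("""
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.101
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.102
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.103
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.104
access-list 150 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.105
access-list 150 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255
access-list 150 permit ip 172.16.2.0 0.0.0.255 any
access-list 150 permit ip 172.16.3.0 0.0.0.255 any
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
""")

# The 'ip' entries of ACL 101 (inbound on FastEthernet0/1.2) from the question.
ACL101_IP = parse_acl("""
access-list 101 permit ip 172.31.12.0 0.0.0.255 172.16.2.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.15.255 any log
access-list 101 deny ip 192.168.0.0 0.0.0.255 any log
access-list 101 deny ip 172.16.3.0 0.0.0.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 permit ip any any
access-list 101 deny ip 172.16.100.0 0.0.0.255 any log
""")

FA0_0 = Iface("FastEthernet0/0", "outside")
FA0_1_2 = Iface("FastEthernet0/1.2", "inside")
VT1_ORIG = Iface("Virtual-Template1", None)       # as posted in the question
VT1_FIXED = Iface("Virtual-Template1", "inside")  # per the accepted solution

if __name__ == "__main__":
    client, inet = "192.168.0.101", "4.2.2.2"
    print("client -> internet, original:", translated(VT1_ORIG, FA0_0, ACL150, client, inet))
    print("client -> internet, fixed   :", translated(VT1_FIXED, FA0_0, ACL150, client, inet))
    print("LAN -> client, fixed        :", translated(FA0_1_2, VT1_FIXED, ACL150, "172.16.2.10", client))
    print("dead entries, ACL 150       :", shadowed(ACL150))
    print("dead entries, ACL 101 (ip)  :", shadowed(ACL101_IP))
```

The `shadowed` check is deliberately conservative (it only flags an entry whose source and destination are both fully covered by an earlier entry), so an empty result does not prove an ACL is clean, but a non-empty one is always a dead entry worth fixing before it is mistaken for an enforced control.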

06-08-2010 04:09 AM
You do not have a route-map to set the next hop ip address to the loopback interface for the VPN IP pool.
HTH>
06-08-2010 04:34 AM
Andrew,
How do you mean, I have the following:
"ip policy route-map SDM_RMAP_1" under f0/0
route-map SDM_RMAP_1 permit 10
match ip address 150
set ip next-hop 192.168.100.2
interface Loopback0
ip address 192.168.100.1 255.255.255.0
no ip unreachables
ip nat inside
ip virtual-reassembly
Per the Cisco example, they did not use the same network as the VPN_POOL clients. The example uses 192.186.1.0 for the clients and 10.11.0.x for the reverse-map stuff. My understanding is the next-hop address doesn't actually exist but instead is a method to force the use of the loopback?
Please correct me where I'm wrong...

06-08-2010 04:43 AM
Change the route map to use the exact IP address of the loopback and test.
HTH>

06-08-2010 05:09 AM
#set ip next-hop 192.168.100.1
% Warning: Next hop address is our address
I changed the route-map to look like the following, but translations are not occurring and there is no internet for the VPN clients:
!
route-map SDM_RMAP_1 permit 10
match ip address 150
set ip next-hop 192.168.100.1
!

06-08-2010 05:15 AM
Very interesting - change it back to what it was previously
Then see if the ACL in the route map is actually being hit
06-08-2010 05:24 AM
#sh ip access-lists 150
Extended IP access list 150
10 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.100 (44 matches)
20 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.101
30 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.102
40 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.103 (37 matches)
50 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.104
60 deny ip 172.16.0.0 0.0.255.255 host 192.168.0.105
70 permit ip 172.16.2.0 0.0.0.255 any (17723 matches)
80 permit ip 172.16.3.0 0.0.0.255 any
90 permit ip 192.168.0.0 0.0.0.255 any (608 matches)
100 deny ip 172.16.2.0 0.0.0.255 172.31.12.0 0.0.0.255

06-08-2010 05:57 AM
post the output of "debug ip policy"
06-08-2010 07:40 AM
Turned on terminal monitor and then debugging for access-list 150, but didn't see anything, which I find strange because the access-list shows hits.
#debug ip policy 150
Policy routing debugging is on for access list 150

06-08-2010 07:42 AM
Your policy is not named 150 - that is your acl.
Just type "debug ip policy"
06-08-2010 07:55 AM
I get a bunch of these but they're probably another issue.
Jun 8 14:49:12.792: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 366, policy rejected -- normal forwarding
Jun 8 14:49:16.788: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 366, policy rejected -- normal forwarding
Jun 8 14:49:18.312: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 328, policy rejected -- normal forwarding
When I try hitting the internet from a VPN client I get these; my client is .101. The source IPs are probably so volatile since it's a Wi-Fi card.
Jun 8 14:49:46.217: IP: s=74.125.157.18 (FastEthernet0/0), d=192.168.0.101 (Virtual-Access2), len 40, policy rejected -- normal forwarding
Jun 8 14:49:51.850: IP: s=74.125.157.99 (FastEthernet0/0), d=192.168.0.101 (Virtual-Access2), len 40, policy rejected -- normal forwarding
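The quoted debug lines carry more information than they first appear to, so here, as an added example that is not part of the thread, is a small parser over them. Every evaluated packet entered on FastEthernet0/0, the interface carrying `ip policy route-map SDM_RMAP_1` in the question's config, and Virtual-Access2 shows up only as the egress of return traffic. Policy routing examines packets received on the interface where `ip policy` is applied, so the client's own outbound packets, which arrive decrypted on Virtual-Access2, never reach the route-map; that is the gap the accepted solution closes by moving the policy (or `ip nat inside`) onto the virtual template. The sample lines are the ones quoted above, embedded as constructed input, and the pool range comes from the question's `ip local pool` line.

```python
"""Tally which ingress interface's packets a `debug ip policy` run evaluated.
Added example, not from the thread; the sample lines below are the ones the
post quotes, embedded as constructed input."""
import re
from collections import Counter
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional

# Assumed line shape, taken from the quoted output:
#   IP: s=SRC (INGRESS), d=DST [(EGRESS)], len N, policy VERDICT
LINE = re.compile(
    r"IP: s=(?P<src>[\d.]+) \((?P<ingress>[^)]+)\), "
    r"d=(?P<dst>[\d.]+)(?: \((?P<egress>[^)]+)\))?, "
    r"len (?P<length>\d+), policy (?P<verdict>.+)$"
)


@dataclass(frozen=True)
class PolicyEvent:
    src: str
    ingress: str
    dst: str
    egress: Optional[str]   # absent for the 255.255.255.255 broadcasts
    length: int
    verdict: str


def parse_policy_debug(text: str) -> List[PolicyEvent]:
    """One PolicyEvent per matching line; other console output is ignored."""
    events = []
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            events.append(PolicyEvent(m["src"], m["ingress"], m["dst"], m["egress"],
                                      int(m["length"]), m["verdict"].strip()))
    return events


def ingress_counts(events: List[PolicyEvent]) -> Dict[str, int]:
    """PBR only sees packets received on the interface carrying `ip policy`,
    so this is the set of interfaces whose traffic the route-map examined."""
    return dict(Counter(e.ingress for e in events))


def egress_counts(events: List[PolicyEvent]) -> Dict[str, int]:
    return dict(Counter(e.egress for e in events if e.egress))


# ip local pool VPN_POOL 192.168.0.100 192.168.0.105, from the question.
POOL = (IPv4Address("192.168.0.100"), IPv4Address("192.168.0.105"))


def pool_sourced(events: List[PolicyEvent], pool=POOL) -> List[PolicyEvent]:
    """Events sourced by a VPN client, i.e. the outbound traffic the poster
    wanted policy-routed. Empty for the sample: none of it reached the policy."""
    lo, hi = pool
    return [e for e in events if lo <= IPv4Address(e.src) <= hi]


SAMPLE = """
Jun 8 14:49:12.792: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 366, policy rejected -- normal forwarding
Jun 8 14:49:16.788: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 366, policy rejected -- normal forwarding
Jun 8 14:49:18.312: IP: s=73.30.171.1 (FastEthernet0/0), d=255.255.255.255, len 328, policy rejected -- normal forwarding
Jun 8 14:49:46.217: IP: s=74.125.157.18 (FastEthernet0/0), d=192.168.0.101 (Virtual-Access2), len 40, policy rejected -- normal forwarding
Jun 8 14:49:51.850: IP: s=74.125.157.99 (FastEthernet0/0), d=192.168.0.101 (Virtual-Access2), len 40, policy rejected -- normal forwarding
"""

if __name__ == "__main__":
    ev = parse_policy_debug(SAMPLE)
    print("evaluated by ingress:", ingress_counts(ev))
    print("egress interfaces   :", egress_counts(ev))
    print("VPN-client sourced  :", len(pool_sourced(ev)))
```

Run against a longer capture, an empty `pool_sourced` result with a non-empty `ingress_counts` is the quick way to tell "the policy is on the wrong interface" apart from "the policy is on the right interface but the ACL does not match".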

06-08-2010 08:05 AM
what about the traffic that originates from the VPN client - what is the output for that traffic in the debug?
06-08-2010 08:38 AM
Those were the only two items that were showing up... Should I do something to try to elicit more messages?

06-08-2010 08:40 AM
Yes - generate some traffic, ping some websites try and browse etc.
06-08-2010 08:48 AM
I had tried browsing before, but I also tried pinging external hosts such as Google and a few external DNS servers, and I still only received the two messages above...
