Routing issue after establish VPN

reza.rafatifard
Level 1

Hi,

I configured VPDN on a Cisco router fine; I can dial the VPN from the Windows VPN client externally fine, but I cannot access any servers behind my router. I can ping the router's internal IP address (10.2.1.1) only.

I have two subnets, 10.1.1.0 and 10.2.1.0, which I need to access via VPN.


Current configuration : 6253 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname wrmelgw
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 ********
!
no aaa new-model
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-860329787
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-860329787
revocation-check none
rsakeypair TP-self-signed-860329787
!
!
crypto pki certificate chain TP-self-signed-860329787
certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 38363033 32393738 37301E17 0D313031 31313130 32313934
  345A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3836 30333239
  37383730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B48727D9 C6678610 CF7A69F6 BFFE48F2 63EE0A8D BFD7B83A 50659F84 FF358CA5
  5AD0ED97 B7D8212F E99AB991 36D0B172 538D1639 D68B8746 51650BAC 17256811
  80AB4344 B40FCDD1 B64B7011 49F90515 E2AD7346 4B1F1E5D 20F7D5F5 6B0AC5A8
  255FC444 1C29392E 634F9611 CF5761ED B873C63F 95B04B0D 38760A1B F6A5667B
  02030100 01A37630 74300F06 03551D13 0101FF04 05300301 01FF3021 0603551D
  11041A30 18821677 726D656C 67772E79 6F757264 6F6D6169 6E2E636F 6D301F06
  03551D23 04183016 80145FE0 D5554371 95D2A995 956BBCB2 0686C313 A06B301D
  0603551D 0E041604 145FE0D5 55437195 D2A99595 6BBCB206 86C313A0 6B300D06
  092A8648 86F70D01 01040500 03818100 245311C1 A9BBA0F4 66D3A9BA 6D8AF2FD
  B5513CDE 45785D42 3496AF0B 3B3CBFB3 D258E2F9 E9B071E5 3D581442 A73E063F
  21E5CF80 FA0D717F 8A6F5202 BB88C26C A6D3A559 BA520562 9CA08447 0DB28B33
  5BBDC1D4 86EA654F 3AFEA64D 8BA13738 14952C7A 0FB76D7A 2B47883A 27DCB43B
  7DA80B53 8D98010E 451A2949 CBCE63A7
        quit
dot11 syslog
no ip source-route
ip cef
ip dhcp excluded-address 10.2.1.1 10.2.1.99
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 139.130.4.4
ip name-server 203.50.2.71
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
username ***** privilege 15 secret ******
username vpn password *******
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key QnrpzdFI address *******
crypto isakmp keepalive 30 5
!
!
crypto ipsec transform-set vpn-ts esp-3des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer ********
set transform-set vpn-ts
match address sydLAN
!
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $FW_OUTSIDE$$ES_WAN$
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
description Inside
switchport access vlan 100
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool vpn
no keepalive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
description Data VLAN
ip address 10.2.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan100
description Voice VLAN
no ip address
!
interface Dialer0
ip address 203.*.*.* 255.255.255.0
ip access-group extIN in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname *******
ppp chap password 7 ********
crypto map rtp
!
ip local pool vpn 10.2.1.70 10.2.1.85
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 203.45.89.1
ip route 10.1.0.0 255.255.0.0 10.2.1.254
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.2.2.201 80 interface Dialer0 8001
ip nat inside source static tcp 10.2.2.200 80 interface Dialer0 8008
ip nat inside source route-map VPN-nonat interface Dialer0 overload
ip nat inside source static tcp 10.2.2.200 8000 203.45.89.182 8000 extendable
!
ip access-list extended NONAT
deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.2.1.0 0.0.0.255 any
permit ip 10.2.2.0 0.0.0.255 any
ip access-list extended extIN
permit tcp any any eq 1723
permit icmp any any
permit tcp any any established
permit icmp any any echo-reply
permit icmp any any echo
permit icmp any any time-exceeded
permit icmp any any ttl-exceeded
permit icmp any any unreachable
permit tcp any any eq 22
permit esp any any
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit gre any any
permit ahp any any
permit tcp any host 203.45.89.182 eq 8000
permit tcp any host 203.45.89.182 eq 8001
permit tcp any host 203.45.89.182 eq 8008
deny   ip any any log
ip access-list extended sydLAN
permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
logging trap debugging
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map VPN-nonat permit 1
match ip address NONAT
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

3 Replies

Hi,

Let's see.
The VPN pool is: 10.2.1.70 through 10.2.1.85

The internal LANs to access are: 10.1.1.0 and 10.2.1.0

The VPN traffic is defined as:
ip access-list extended sydLAN
permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255

The NAT config:
ip access-list extended NONAT
deny   ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
permit ip 10.2.1.0 0.0.0.255 any
permit ip 10.2.2.0 0.0.0.255 any

I would change the VPN traffic to be:
ip access-list extended sydLAN
permit ip 10.1.1.0 0.0.255.255 10.2.1.0 0.255.255.255
permit ip 10.2.1.0 0.0.255.255 10.2.1.0 0.255.255.255

Even better, I would change the VPN pool to a range not used internally (for example 10.115.0.0/24).

Hope it helps.

Federico.

Hi,

Thanks for your reply.

I changed the pool and the sydLAN access list per your recommendation; now I can ping any server on the 10.2.1.0 subnet, but not on 10.1.1.0.

Just to let you know, 10.2.1.0 is a directly connected network and there is an IPsec tunnel between 10.2.1.0 and 10.1.1.0 (maybe that helps).

Regards,

Reza

You want to reach 10.1.1.0 and 10.2.1.0.

The router has this route:
ip route 10.1.0.0 255.255.0.0 10.2.1.254
and this interface:
interface Vlan1
ip address 10.2.1.1 255.255.255.0

This means that in order for the VPN client to reach 10.1.0.0/24, you need a route back to the VPN pool on the device 10.2.1.254 (assume other router).

Also please make sure you made the changes to the ACLs in my first post.

I'm not sure I understand this: "just let you know that 10.2.1.0 is direct network and there is ipsec tunnel between 10.2.1.0 and 10.1.1.0 (maybe help)"

As far as I see 10.1.1.0 is reachable through 10.2.1.254, so you need a route back to the router to reach the VPN pool.

Example of the route on 10.2.1.254:

ip route 10.2.1.x MASK 10.2.1.1   --> route to reach the VPN pool back to the inside IP of the router

Federico.
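Federico's two replies come down to two mechanical checks: does each ACL match pool-to-LAN traffic (Cisco wildcard-mask arithmetic, first reply), and does 10.2.1.254 hold a route for the pool that points at 10.2.1.1 (accepted answer). The script below is an added example written for this thread, not code from the posters or from Cisco; it implements both checks so the effect of relocating the pool to 10.115.0.0/24 can be worked through offline. The sydLAN and NONAT entries are transcribed from the posted config; the routing table of 10.2.1.254, the "Tunnel0" label and the pool boundaries are constructed assumptions, since the thread shows no config for that device.

```python
"""Added example for this thread (not the posters' or Cisco's code): model
Cisco wildcard-mask ACL matching and the return route on the next-hop
router 10.2.1.254, so the effect of moving the VPN pool can be checked.
ACLs are copied from the posted config; 10.2.1.254's table is assumed."""
import ipaddress


def _ip(s):
    """Dotted-quad string -> 32-bit integer."""
    return int(ipaddress.IPv4Address(s))


def wildcard_match(addr, base, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care',
    so only the bits where the wildcard is 0 must agree with the base."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def acl_action(acl, src, dst):
    """First-match evaluation of an extended IP ACL with the implicit deny.
    Entries are (action, src_base, src_wildcard, dst_base, dst_wildcard)."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# Crypto ACL sydLAN exactly as it appears in the posted config.
SYDLAN_ORIGINAL = [("permit", "10.2.0.0", "0.0.255.255", "10.1.0.0", "0.0.255.255")]

# NONAT as posted; 'any' is written as 0.0.0.0 255.255.255.255.
NONAT = [
    ("deny", "10.0.0.0", "0.255.255.255", "10.0.0.0", "0.255.255.255"),
    ("permit", "10.2.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
    ("permit", "10.2.2.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]


def natted(src, dst):
    """route-map VPN-nonat permit 1 / match ip address NONAT: a packet is
    translated only when NONAT permits it; a deny line exempts it from NAT."""
    return acl_action(NONAT, src, dst) == "permit"


def next_hop(routes, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    best = None
    for prefix, nh in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None


def has_return_route(routes, pool_first, pool_last, vpn_router_inside):
    """True when every pool address routes back via the VPN router's inside
    IP (10.2.1.1 in the thread). A 'connected' answer means the router would
    ARP for the client on the LAN instead of forwarding to 10.2.1.1."""
    return all(
        next_hop(routes, str(ipaddress.IPv4Address(i))) == vpn_router_inside
        for i in range(_ip(pool_first), _ip(pool_last) + 1)
    )


# Constructed table for 10.2.1.254 (assumption): its own LAN and the
# IPsec-reached 10.1.1.0, nothing for the VPN pool.
R254_BEFORE = [("10.2.1.0/24", "connected"), ("10.1.1.0/24", "Tunnel0")]
# Same table plus the route Federico asks for ('ip route 10.2.1.x MASK 10.2.1.1'),
# written here for the relocated 10.115.0.0/24 pool.
R254_AFTER = R254_BEFORE + [("10.115.0.0/24", "10.2.1.1")]


if __name__ == "__main__":
    print("original pool -> 10.1.1.x in sydLAN:", acl_action(SYDLAN_ORIGINAL, "10.2.1.70", "10.1.1.10"))
    print("new pool -> 10.1.1.x in sydLAN:     ", acl_action(SYDLAN_ORIGINAL, "10.115.0.5", "10.1.1.10"))
    print("new pool -> 10.1.1.x NATed:         ", natted("10.115.0.5", "10.1.1.10"))
    print("return route before:", has_return_route(R254_BEFORE, "10.115.0.1", "10.115.0.254", "10.2.1.1"))
    print("return route after: ", has_return_route(R254_AFTER, "10.115.0.1", "10.115.0.254", "10.2.1.1"))
```

Two things fall out of running it. First, a 10.2.1.70 source matches the posted sydLAN (it sits inside 10.2.0.0/16) while a 10.115.0.5 source does not, so if an IPsec SA on either router is what carries traffic towards 10.1.1.0, relocating the pool means adding the new pool range to the crypto ACL on both peers as well; the NONAT deny for 10/8 to 10/8 still exempts the new pool from NAT without any change. Second, with the assumed table, the new pool has no route at all on 10.2.1.254 until the static route is added, and the original 10.2.1.70 to 10.2.1.85 pool resolves to "connected" rather than to 10.2.1.1, which is the situation Federico's "route back to the VPN pool" advice addresses.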