04-02-2013 08:19 AM
I have a 2811 Router (config below) with VPN configured. I can connect through the VPN and access devices on the native VLAN but I can't access the 10.77.5.0 (VLAN 5) network (I don't care to access the 10.77.10.0 - VLAN 10 network). This issue has been plaguing me for quite a while. I believe it's a NAT or ACL issue but if someone could help me out I would appreciate it. VPN client IP pool is 192.168.77.1 - 192.168.77.10. Thanks for looking!
Current configuration : 5490 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2811-Edge
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
!
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.77.5.1 10.77.5.49
ip dhcp excluded-address 10.77.10.1 10.77.10.49
!
ip dhcp pool Lab-Network
import all
network 10.77.5.0 255.255.255.0
default-router 10.77.5.1
!
ip dhcp pool Guest
import all
network 10.77.10.0 255.255.255.0
default-router 10.77.10.1
!
ip domain name HoogyNet.net
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW tftp
!
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
crypto logging session
!
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
lifetime 7200
!
crypto isakmp client configuration group HomeVPN
key XXXX
domain HoogyNet.net
pool VPN_Pool
acl vpn
save-password
max-users 2
max-logins 2
crypto isakmp profile HomeVPN
match identity group HomeVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
!
crypto ipsec transform-set vpn esp-aes 256 esp-sha-hmac
!
crypto dynamic-map vpnclient 10
set transform-set vpn
set isakmp-profile HomeVPN
reverse-route
!
crypto map vpn 65535 ipsec-isakmp dynamic vpnclient
!
username XXXX privilege 15 secret 5 XXXX
username XXXX privilege 15 secret 5 XXXX
archive
log config
hidekeys
!
ip ssh port XXXX rotary 1
!
interface Loopback0
ip address 172.17.1.10 255.255.255.248
!
interface FastEthernet0/0
ip address dhcp
ip access-group INBOUND in
ip nat outside
ip inspect FW out
no ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map vpn
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
no cdp enable
!
interface FastEthernet0/1.1
encapsulation dot1Q 1 native
ip address 10.77.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.5
encapsulation dot1Q 5
ip address 10.77.5.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.10
encapsulation dot1Q 10
ip address 10.77.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1/0
no ip address
shutdown
duplex auto
speed auto
!
router rip
version 2
network 10.0.0.0
network 172.17.0.0
network 192.168.77.0
no auto-summary
!
ip local pool VPN_Pool 192.168.77.1 192.168.77.10
no ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended INBOUND
permit tcp any any eq 2277 log
permit icmp any any echo-reply
permit icmp any any unreachable
permit icmp any any time-exceeded
permit tcp any any established
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit udp any eq domain any
permit udp any eq bootps any eq bootpc
ip access-list extended NAT
permit ip 10.77.5.0 0.0.0.255 any
permit ip 10.77.10.0 0.0.0.255 any
permit ip 192.168.77.0 0.0.0.255 any
ip access-list extended vpn
permit ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255
permit ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
!
access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp host 0.0.0.0 eq bootpc host 10.77.5.1 eq bootps
access-list 100 permit udp 10.77.10.0 0.0.0.255 eq bootpc host 10.77.5.1 eq bootps
access-list 100 deny tcp 10.77.10.0 0.0.0.255 any eq telnet
access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.5.0 0.0.0.255
access-list 100 deny ip 10.77.10.0 0.0.0.255 10.77.1.0 0.0.0.255
access-list 100 permit ip any any
!
control-plane
!
line con 0
session-timeout 30
password 7 XXXX
line aux 0
line vty 0 4
rotary 1
transport input telnet ssh
line vty 5 15
rotary 1
transport input telnet ssh
!
scheduler allocate 20000 1000
!
webvpn cef
!
end
04-02-2013 11:52 AM
You should change the NAT ACL so it exempts VPN traffic from being NATed. It should look something like this:
ip access-list extended NAT
deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
permit ip any any
Plus, rewrite your split tunnel acl to this:
ip access-list extended vpn
permit ip 10.77.1.0 0.0.0.255 any
permit ip 10.77.5.0 0.0.0.255 any
04-03-2013 05:12 AM
Andrew,
Thanks for your recommendations. I rewrote the extended vpn acl however when I rewrote the extended NAT acl as you have listed I lost all remote access (ssh and vpn) to my network. Once I got home I reset the extended NAT acl back to the previous config. I just tried the VPN again since making the extended vpn acl change and I still can't access the 10.77.5.0 network. Any other recommendations? Thanks!
04-03-2013 01:08 PM
If you mean that, after applying the NAT rules the way I proposed, you lost the connection to the native VLAN, then yes, it's because the native VLAN subnet wasn't included in that ACL with a deny statement. So that ACL should look like this:
ip access-list extended NAT
deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255 //this was missed
permit ip any any
Plus, if you want to access through the tunnel any other inside subnet not listed above, then you should include that subnet in the NAT exemption rule with a deny statement.
04-03-2013 05:42 PM
I entered that command and noticed that I still lost VPN and remote SSH access when I entered permit ip any any. So I tried the following combination of what you recommended and my previous config and everything is working correctly now. This is what I entered:
ip access-list extended NAT
deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255
permit ip 10.77.5.0 0.0.0.255 any
permit ip 10.77.10.0 0.0.0.255 any
Thanks for your help!
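As an added illustration (not code from the thread or from Cisco), the Python below models IOS first-match extended-ACL evaluation and runs the three NAT ACL versions discussed above against the flows that matter here. It shows why the native VLAN worked from the start (10.77.1.0 was never in the NAT list) while VLAN 5 replies to the VPN pool were being translated, and that the final ACL exempts both. It assumes only `permit`/`deny ip` entries with wildcard masks or `any` (no ports), and the flow addresses used in the checks are constructed.

```python
# Added example, not part of the original thread. Minimal model of Cisco IOS
# extended ACL matching as used by "ip nat inside source list NAT ...":
# entries are evaluated top-down, first match wins, implicit deny at the end.
import ipaddress

# The three NAT ACL bodies from the thread (header line omitted).
ORIGINAL = """
permit ip 10.77.5.0 0.0.0.255 any
permit ip 10.77.10.0 0.0.0.255 any
permit ip 192.168.77.0 0.0.0.255 any
"""
PROPOSED = """
deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255
permit ip any any
"""
FINAL = """
deny ip 10.77.5.0 0.0.0.255 192.168.77.0 0.0.0.255
deny ip 10.77.1.0 0.0.0.255 192.168.77.0 0.0.0.255
permit ip 10.77.5.0 0.0.0.255 any
permit ip 10.77.10.0 0.0.0.255 any
"""

def _matches(addr, spec):
    """spec is 'any', 'host A.B.C.D', or 'A.B.C.D W.X.Y.Z' (IOS wildcard mask)."""
    parts = spec.split()
    a = int(ipaddress.IPv4Address(addr))
    if parts == ["any"]:
        return True
    if parts[0] == "host":
        return a == int(ipaddress.IPv4Address(parts[1]))
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    return (a & ~wild) == (net & ~wild)  # wildcard bit set = don't care

def _take(tokens, i):
    """Consume one address spec starting at tokens[i]; return (spec, next index)."""
    if tokens[i] == "any":
        return "any", i + 1
    return " ".join(tokens[i:i + 2]), i + 2  # 'host X' or 'net wildcard'

def parse_acl(text):
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        src, i = _take(tok, 2)           # tok[0]=action, tok[1]=protocol
        dst, _ = _take(tok, i)
        entries.append((tok[0], src, dst))
    return entries

def will_translate(acl_text, src, dst):
    """True if an inside->outside flow src->dst would be NATed under this list."""
    for action, s, d in parse_acl(acl_text):
        if _matches(src, s) and _matches(dst, d):
            return action == "permit"
    return False                          # implicit deny: not translated
```

Run `will_translate(ORIGINAL, "10.77.5.20", "192.168.77.3")` to see the VLAN 5 reply being translated under the original list, and the same call with `FINAL` to see it exempted.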