11-17-2010 07:08 PM
Hello,
I have just changed my flat LAN to a multi-VLAN environment, but I now need assistance to get my VPN working again, as the VPN user can't access servers that are not on the 'gateway' VLAN. I have read enough to know that it's most likely NAT related, but am unsure as to where to put that information.
Does it go in the NAT related to the E0 (gateway outbound to internet) interface, to the vlan10 (the vlan the router actually resides on) or do I create another one and apply it to the crypto ipsec and isakmp side of things that VPN users use?
My network is set up as such...
VPN Client - Router1811 - split trunk - C3550-12G - trunked - multiple C3550s - Servers/Wstns
The Router is on subnet 192.168.10.0 as are all the switches, vlans are set up through vtp on the 12G with all other switches being 'vtp clients' including the router. The user can get to the 10 subnet and any server on it, but not to the 'server farm' on subnet 192.168.11.0.
I did notice Federico was working on something very similar to this... but help from anyone would be appreciated.
Thanks, Don
11-17-2010 07:14 PM
If you have split tunnel configured, you would need to add 192.168.11.0/24 into the access-list, and you would also need to create a NAT exemption for the 192.168.11.0/24 subnet. I assume from your explanation that the 192.168.11.0/24 is routed via 192.168.10.x, right?
11-17-2010 07:33 PM
Yes, you are correct, the other VLANs (11.0 etc.) are being routed by the 12G L3 switch and not the 1811 router.
I am not using split tunnelling on this router (it is set up on the site-to-site router that I have working)
so to update my network info I have:
Pix506 - vpn s2s tunnel - Router1811 ...
as well. This works fine and it works with the vlans.
My issue is mobile users!
Thank you for your input, I will check it against my config.
Don.
11-17-2010 07:58 PM
Don,
Could you provide us a sanitized copy of the configuration?
Cheers,
Nash.
11-17-2010 08:40 PM
It's 514 lines trimmed... What parts would you like?
-Don
11-17-2010 09:19 PM
The VPN part and the nat part of the configuration.
Nash.
11-17-2010 09:53 PM
Well, here goes nothin'! Hopin' it ain't worth nothin' though...
Thanks!
!This is a very heavily trimmed running config of the router: 192.168.10.253
!----------------------------------------------------------------------------
!version 12.4
!
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-
revocation-check none
rsakeypair TP-self-signed-
!
crypto pki certificate chain TP-self-signed-
certificate self-signed 01
quit
dot11 syslog
no ip source-route
!
appfw policy-name SDM_LOW
application http
port-misuse p2p action reset alarm
!
crypto isakmp policy 20
encr aes 256
authentication pre-share
group 5
lifetime 7200
!
crypto isakmp policy 40
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group divisional
key
dns 192.168.10.241
wins 192.168.10.241
domain ourdomain.local
pool SDM_POOL_1
acl 106
pfs
!
crypto isakmp client configuration group executive
key
dns 192.168.10.241
wins 192.168.10.241
domain ourdomain.local
pool SDM_POOL_1
acl 106
pfs
!
crypto isakmp profile sdm-ike-profile-1
match identity group divisional
match identity group executive
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set CLIENT_VPN esp-aes 256 esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 1200
set transform-set CLIENT_VPN
set isakmp-profile sdm-ike-profile-1
!
interface FastEthernet0
description $ETH-WAN$$FW_OUTSIDE$
ip address 999.999.999.999 255.255.255.0
ip access-group 116 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
!
interface FastEthernet1
description $ETH-WAN$$FW_OUTSIDE$
ip address 555.555.555.555 255.255.255.0
ip access-group 117 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
service-policy input sdmappfwp2p_SDM_LOW
service-policy output sdmappfwp2p_SDM_LOW
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$$ES_LAN$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan10
ip address 192.168.10.253 255.255.255.0
ip access-group 111 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.19.2 192.168.19.21
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 991.991.991.991
ip route 10.0.0.0 255.0.0.0 551.551.551.551
ip route 444.444.444.0 255.255.255.248 551.551.551.551
ip route 444.444.444.8 255.255.255.248 551.551.551.551
ip route 333.333.333.0 255.255.255.224 551.551.551.551
ip route 333.333.333.32 255.255.255.224 551.551.551.551
ip route 192.168.11.0 255.255.255.0 192.168.10.10
ip route 192.168.12.0 255.255.255.0 192.168.10.10
ip route 192.168.17.0 255.255.255.0 192.168.10.10
!
ip nat inside source static tcp 192.168.10.250
ip nat inside source static tcp 192.168.10.250
ip nat inside source static tcp 192.168.10.250
ip nat inside source static tcp 192.168.10.4
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.10.243
!
logging trap debugging
access-list 102 remark SDM_ACL Category=2
access-list 102 permit ip 192.168.10.0 0.0.0.255 any
access-list 102 permit ip 192.168.11.0 0.0.0.255 any
access-list 102 permit ip 192.168.12.0 0.0.0.255 any
access-list 102 permit ip 192.168.17.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=4
access-list 106 permit ip 192.168.10.0 0.0.0.255 any
access-list 106 permit ip 192.168.12.0 0.0.0.255 any
access-list 110 remark VTY Access-class list
access-list 110 remark SDM_ACL Category=1
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 deny ip any any
access-list 111 remark auto generated by SDM firewall configuration
access-list 111 remark SDM_ACL Category=1
access-list 111 remark Auto generated by SDM for NTP (123) 712.712.712.712
access-list 111 permit udp host 712.712.712.712 eq ntp host 192.168.10.253 eq ntp
access-list 111 remark Auto generated by SDM for NTP (123) 192.168.10.241
access-list 111 permit udp host 192.168.10.241 eq ntp host 192.168.10.253 eq ntp
access-list 111 deny ip 991.991.991.0 0.0.0.255 any
access-list 111 deny ip 555.555.555.0 0.0.0.255 any
access-list 111 remark No broadcasting
access-list 111 deny ip host 255.255.255.255 any
access-list 111 deny ip 127.0.0.0 0.255.255.255 any
access-list 111 permit ip any any
access-list 112 remark auto generated by SDM firewall configuration
access-list 112 remark SDM_ACL Category=1
access-list 112 deny ip 991.991.991.0 0.0.0.255 any
access-list 112 deny ip 192.168.10.0 0.0.0.255 any
access-list 112 deny ip 555.555.555.0 0.0.0.255 any
access-list 112 deny ip host 255.255.255.255 any
access-list 112 deny ip 127.0.0.0 0.255.255.255 any
access-list 112 permit ip any any
access-list 113 remark auto generated by SDM firewall configuration
access-list 113 remark SDM_ACL Category=1
access-list 113 deny ip 991.991.991.0 0.0.0.255 any
access-list 113 deny ip 192.168.10.0 0.0.0.255 any
access-list 113 deny ip 555.555.555.0 0.0.0.255 any
access-list 113 deny ip host 255.255.255.255 any
access-list 113 deny ip 127.0.0.0 0.255.255.255 any
access-list 113 permit ip any any
access-list 114 remark auto generated by SDM firewall configuration
access-list 114 remark SDM_ACL Category=1
access-list 114 deny ip 991.991.991.0 0.0.0.255 any
access-list 114 deny ip 192.168.10.0 0.0.0.255 any
access-list 114 deny ip 555.555.555.0 0.0.0.255 any
access-list 114 deny ip host 255.255.255.255 any
access-list 114 deny ip 127.0.0.0 0.255.255.255 any
access-list 114 permit ip any any
access-list 116 remark auto generated by SDM firewall configuration
access-list 116 remark SDM_ACL Category=1
access-list 116 remark Auto generated by SDM for NTP (123) 712.712.712.712
access-list 116 permit udp host 712.712.712.712 eq ntp host 999.999.999.999 eq ntp
access-list 116 remark Auto generated by SDM for NTP (123) 712.712.712.712
access-list 116 permit udp host 741.741.741.741 eq ntp host 999.999.999.999 eq ntp
access-list 116 remark IPSec Rule
access-list 116 deny ip 192.168.10.0 0.0.0.255 any
access-list 116 permit tcp any host 992.992.992.992 eq www
access-list 116 permit tcp any host 999.999.999.999 eq smtp
access-list 116 permit tcp any host 999.999.999.999 eq 23800
access-list 116 permit tcp any host 999.999.999.999 eq 3101
access-list 116 permit tcp any host 999.999.999.999 eq www
access-list 116 permit tcp any host 999.999.999.999 eq 1888
access-list 116 permit tcp any host 999.999.999.999 eq 2040
access-list 116 permit udp host 888.888.888.888 eq domain host 999.999.999.999
access-list 116 permit udp host 777.777.777.777 eq domain host 999.999.999.999
access-list 116 permit udp any host 999.999.999.999 eq non500-isakmp
access-list 116 permit udp any host 999.999.999.999 eq isakmp
access-list 116 permit esp any host 999.999.999.999
access-list 116 permit ahp any host 999.999.999.999
access-list 116 permit udp any eq bootps any eq bootps
access-list 116 permit icmp any host 999.999.999.999 echo-reply
access-list 116 permit icmp any host 999.999.999.999 time-exceeded
access-list 116 permit icmp any host 999.999.999.999 unreachable
access-list 116 deny ip 555.555.555.0 0.0.0.255 any
access-list 116 deny ip 10.0.0.0 0.255.255.255 any
access-list 116 deny ip 192.168.0.0 0.0.255.255 any
access-list 116 deny ip 127.0.0.0 0.255.255.255 any
access-list 116 deny ip host 255.255.255.255 any
access-list 116 deny ip host 0.0.0.0 any
access-list 116 deny ip any any log
access-list 117 remark auto generated by SDM firewall configuration
access-list 117 remark SDM_ACL Category=1
access-list 117 remark Auto generated by SDM for NTP (123) 712.712.712.712
access-list 117 permit udp host 712.712.712.712 eq ntp host 555.555.555.555 eq ntp
access-list 117 remark Auto generated by SDM for NTP (123) 712.712.712.712
access-list 117 permit udp host 741.741.741.741 eq ntp host 555.555.555.555 eq ntp
access-list 117 permit udp any eq bootps any eq bootps
access-list 117 permit icmp any host 555.555.555.555 echo-reply
access-list 117 permit icmp any host 555.555.555.555 time-exceeded
access-list 117 permit icmp any host 555.555.555.555 unreachable
access-list 117 deny ip 991.991.991.0 0.0.0.255 any
access-list 117 deny ip 10.0.0.0 0.255.255.255 any
access-list 117 deny ip 192.168.0.0 0.0.255.255 any
access-list 117 deny ip 127.0.0.0 0.255.255.255 any
access-list 117 deny ip host 255.255.255.255 any
access-list 117 deny ip host 0.0.0.0 any
access-list 117 deny ip any any log
route-map SDM_RMAP_1 permit 1
match ip address 102
11-17-2010 10:00 PM
Could you provide us the output of show route-map?
Also, the access lists used in the route map.
If the access-list used in the route map is 145,
show access-lists 145
Cheers,
Nash.
11-17-2010 10:06 PM
Add the following configuration to the Router,
ip access-list extended 102
1 deny ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
2 deny ip 192.168.12.0 0.0.0.255 192.168.19.0 0.0.0.255
Let me know if that helps.
Cheers,
Nash.
11-17-2010 10:40 PM
First one is the one in question, the second one is used for our site to site
route-map SDM_RMAP_1, permit, sequence 1
Match clauses:
ip address (access-lists): 102
Set clauses:
Policy routing matches: 0 packets, 0 bytes
route-map SDM_RMAP_2, permit, sequence 1
Match clauses:
ip address (access-lists): 100
Set clauses:
Policy routing matches: 0 packets, 0 bytes
Extended IP access list 102
10 deny ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
20 deny ip 192.168.11.0 0.0.0.255 192.168.19.0 0.0.0.255
30 permit ip 192.168.10.0 0.0.0.255 any (68 matches)
40 permit ip 192.168.11.0 0.0.0.255 any
50 permit ip 192.168.12.0 0.0.0.255 any
60 permit ip 192.168.17.0 0.0.0.255 any
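The NAT route-map ACL is evaluated first-match, and in that ACL a permit means "translate" while a deny means "leave untranslated" (the NAT exemption). The following is an added example, not part of this thread or of Cisco's software, that evaluates the ACL 102 lines posted above the way IOS would, so you can check that server-to-VPN-pool traffic from VLAN 11 is exempted after the deny entries were added and was being NATed before. The ACL text is copied from the thread; the test addresses are constructed.

```python
import ipaddress

# ACL 102 as it appeared in the originally posted running config (no exemptions).
ORIGINAL_ACL_102 = """
permit ip 192.168.10.0 0.0.0.255 any
permit ip 192.168.11.0 0.0.0.255 any
permit ip 192.168.12.0 0.0.0.255 any
permit ip 192.168.17.0 0.0.0.255 any
"""

# ACL 102 as shown by 'show access-lists 102' after the deny entries were added.
FIXED_ACL_102 = """
10 deny ip 192.168.10.0 0.0.0.255 192.168.19.0 0.0.0.255
20 deny ip 192.168.11.0 0.0.0.255 192.168.19.0 0.0.0.255
30 permit ip 192.168.10.0 0.0.0.255 any (68 matches)
40 permit ip 192.168.11.0 0.0.0.255 any
50 permit ip 192.168.12.0 0.0.0.255 any
60 permit ip 192.168.17.0 0.0.0.255 any
"""

def _parse_addr(tokens, i):
    """Parse one IOS address spec at tokens[i]: 'any', 'host A.B.C.D', or
    'A.B.C.D WILDCARD'. Returns (matcher, index of the next token)."""
    if tokens[i] == "any":
        return (lambda ip: True), i + 1
    if tokens[i] == "host":
        target = int(ipaddress.IPv4Address(tokens[i + 1]))
        return (lambda ip: ip == target), i + 2
    base = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    mask = 0xFFFFFFFF ^ wildcard          # wildcard bit 1 = don't care
    return (lambda ip: ip & mask == base & mask), i + 2

def parse_acl(text):
    """Turn numbered/extended ACL lines (with or without sequence numbers and
    trailing match counters) into a list of (action, src_matcher, dst_matcher)."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():    # sequence number from 'show access-lists'
            tokens = tokens[1:]
        if len(tokens) < 4 or tokens[1] != "ip":   # skip remarks and non-IP entries
            continue
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        rules.append((tokens[0], src, dst))
    return rules

def nat_decision(rules, src_ip, dst_ip):
    """First match wins; no match falls through to the implicit deny (= not translated)."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, src, dst in rules:
        if src(s) and dst(d):
            return "translate" if action == "permit" else "exempt"
    return "exempt"
```

Note that the posted ACL exempts VLAN 10 and 11 only, so replies from VLAN 12 to the pool would still be translated by this ACL.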
11-17-2010 10:46 PM
Still the same issue... I can VPN connect and I can ping the server on 10 but not the one on 11.
Are you ready for the twist, or should I leave it until the VPN works!!?!
Well, here it is if you're curious... If the server has the default gateway set to 10.253 (this router) I can ping; if it has the default gateway set as 10.10 (the L3 12G routing switch) like it should, I cannot ping.
Thanks! Appreciate the help.
-Don
11-17-2010 11:05 PM
Don,
In that case, add a route on the L3 12G switch pointing traffic to the VPN pool (192.168.19.0/24) network to the VPN router.
Change the default gateway back to 10.10 and try pinging.
Let me know how it goes.
Cheers,
Nash.
11-17-2010 11:15 PM
Should I be adding a VLAN 19 or not? I have one in there and I have the route already.
(I am pretty sure the VLAN 19 was added before when I was thinking about putting a VLAN on 19 and forgot about VPN, yeah that was it...)
I assume I should probably remove it, as when I looked on my old router that I have, there is no VLAN for the VPN subnet...
-Don
11-17-2010 11:25 PM
Whoo hoo! I removed the VLAN from the 12G and voila! I can ping into 11 from a VPN client.
(and the route auto-disappeared)
Thanks for the help... now let's see if some of my other issues went away. And to test the gateway numbers...
-Don
Thanks for the help... I've been staring at this code for weeks...
Now to clean up some 'testing' code and see what's really needed!
Thanks again.
I may be back sooner than later!
Appreciate the feedback / brainstorming etc.
11-18-2010 12:06 AM
Hi Don,
Please mark this discussion as resolved if there are no other issues with this VPN.
Cheers,
Nash.