VPN IPSec Help

fotismark
Level 2

Hello

I need some help from the best of the best in this topic.

I have a Cisco 881 at my house, configured with Dialer0 and with a web server connected to it. I configured the web server with a static IP, and also some static NATs. I have also set up an IPsec site-to-site with the company and also a VPN client.

I have set it up in a way where I can get to the server from within the same network as www.server.com and not by its private IP.

The issue I am experiencing is that I can't ping the remote network.

My IP subnet is 10.79.55.0 and the remote is 192.168.100.0.

I can ping the remote with source IP 10.79.55.1 (Vlan1), but it won't ping or reach from any other computer.

Also, I can reach 192.168.100.0 if I connect with the VPN client remotely. It matches the traffic to ACL 100, but from within my own network it won't match it there; it matches the PBR ACL instead (the PBR route map is the configuration to reach the server from within my network).

What am I doing wrong? Here is the config:

Building configuration...

Current configuration : 7779 bytes
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
!
boot-start-marker
boot-end-marker
!
!
logging buffered 64000
enable password
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
!
memory-size iomem 10
service-module wlan-ap 0 bootimage autonomous
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-3702956536
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3702956536
 revocation-check none
 rsakeypair TP-self-signed-3702956536
!
!
crypto pki certificate chain TP-self-signed-3702956536
 certificate self-signed 01

        quit
no ip source-route
!
!
!
ip dhcp excluded-address 10.79.55.1 10.79.55.9
ip dhcp excluded-address 10.79.55.101 10.79.55.254
ip dhcp excluded-address 10.79.55.15 10.79.55.20
!
ip dhcp pool ccp-pool1
 network 10.79.55.0 255.255.255.0
 dns-server ********* 8.8.8.8
 default-router 10.79.55.1
!
!
ip cef
ip domain name ultima.gr
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881GW-GN-A-K9 sn FTX161880ZN
license boot module c880-data level advipservices
!
!
username ********* privilege 15 password 0 *********
username ********* privilege 15 password 0 *********
!
!
!
!
controller Cellular 0
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key toimoi address *********
!
crypto isakmp client configuration group *********
 key *********
 dns 8.8.8.8
 pool SDM_POOL_1
 save-password
crypto isakmp profile ciscocp-ike-profile-1
   match identity group EXTERNALS
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to*********
 set peer *********
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
!
!
interface Loopback0
 ip address 1.1.1.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
!
interface FastEthernet0
 switchport mode trunk
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description $ETH-WAN$
 no ip address
 duplex auto
 speed auto
 pppoe-client dial-pool-number 1
!
interface Virtual-Template1 type tunnel
 ip unnumbered Dialer0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 switchport mode trunk
 no ip address
!
interface Cellular0
 no ip address
 encapsulation ppp
!
interface Vlan1
 ip address 10.79.55.1 255.255.255.0
 no ip redirects
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 ip tcp adjust-mss 1412
 ip policy route-map PBRNAT
!
interface Dialer0
 ip address negotiated
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip nat enable
 ip virtual-reassembly in
 encapsulation ppp
 ip policy route-map PBRNAT
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname *********
 ppp chap password 0 *********
 ppp pap sent-username ********* password 0 ********* 
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.79.55.15 10.79.55.20
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
!
ip nat pool NAT-POOL 10.79.55.0 10.79.55.254 netmask 255.255.255.0
ip nat source list 1 interface Dialer0 overload
ip nat source static tcp 10.79.55.100 25 interface Dialer0 25
ip nat source static tcp 10.79.55.100 110 interface Dialer0 110
ip nat source static tcp 10.79.55.100 443 interface Dialer0 443
ip nat source static tcp 10.79.55.100 80 interface Dialer0 80
ip nat source static tcp 10.79.55.100 53 interface Dialer0 53
ip nat source static tcp 10.79.55.100 389 interface Dialer0 389
ip nat source static tcp 10.79.55.100 26 interface Dialer0 26
ip nat source static tcp 10.79.55.100 44 interface Dialer0 44
ip nat source static tcp 10.79.55.100 143 interface Dialer0 143
ip nat source static tcp 10.79.55.100 995 interface Dialer0 995
ip nat source static tcp 10.79.55.100 993 interface Dialer0 993
ip nat source static tcp 10.79.55.100 8100 interface Dialer0 8100
ip nat source static tcp 10.79.55.100 3000 interface Dialer0 3000
ip nat source static tcp 10.79.55.100 1300 interface Dialer0 1300
ip nat source static tcp 10.79.55.100 21 interface Dialer0 21
ip nat source static tcp 10.79.55.100 5938 interface Dialer0 5938
ip nat source static udp 10.79.55.17 11155 interface Dialer0 11155
ip nat inside source static tcp 10.79.55.100 1000 interface Dialer0 1000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended PBR
 permit ip 10.79.55.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 10.79.55.0 0.0.0.255 any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.79.55.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.79.55.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 10.79.55.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 10.79.55.0 0.0.0.255 any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
!
!
!
route-map PBRNAT permit 10
 match ip address PBR
 set interface Loopback0
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
line 3
 no exec
line vty 0 4
 password mnemonic
 transport input all
!
end

5 Replies

Francesco Molino
VIP Alumni
Hi

Why are you using PBR to reach the remote subnets?
Without PBR and with your NAT exception it should work.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
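Francesco's point about PBR, as an added example that is not part of the thread: a small Python model of the first-match ACL evaluation in the posted config, showing why a LAN host's packet to 192.168.100.0/24 is policy-routed to Loopback0 before the crypto map on Dialer0 ever sees it, while a ping the router sources from Vlan1 skips interface PBR and matches ACL 100. The PBR_ACL_EXEMPT entry and the 203.0.113.10 test address are constructed; the exempt entry is one hypothetical alternative to removing PBR altogether, not something the thread configures.

```python
import ipaddress

# Constructed from the thread's config: IOS ACL entries as
# (action, "net wildcard" for source, "net wildcard" for destination).
PBR_ACL = [  # ip access-list extended PBR
    ("permit", "10.79.55.0 0.0.0.255", "192.168.100.0 0.0.0.255"),
    ("permit", "10.79.55.0 0.0.0.255", "0.0.0.0 255.255.255.255"),  # any
]
CRYPTO_ACL_100 = [("permit", "10.79.55.0 0.0.0.255", "192.168.100.0 0.0.0.255")]
# Hypothetical alternative to removing PBR: exempt the site-to-site subnet
# from the route map, as ACL 101 already exempts it from NAT.
PBR_ACL_EXEMPT = [("deny", "10.79.55.0 0.0.0.255", "192.168.100.0 0.0.0.255")] + PBR_ACL

def wildcard_match(addr: str, spec: str) -> bool:
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    net, wild = spec.split()
    n, w, a = (int(ipaddress.IPv4Address(x)) for x in (net, wild, addr))
    return (a & ~w) == (n & ~w)

def acl_action(acl, src: str, dst: str) -> str:
    # First matching entry wins; every IOS ACL ends with an implicit deny.
    for action, s, d in acl:
        if wildcard_match(src, s) and wildcard_match(dst, d):
            return action
    return "deny"

def forwarding_path(src: str, dst: str, pbr_acl, locally_generated=False) -> str:
    # "ip policy route-map" on Vlan1 only evaluates transit packets received
    # there; packets the router itself sources (a ping from Vlan1's address)
    # skip it unless "ip local policy route-map" is configured. A deny in the
    # route map's ACL means "no match", so the packet falls through to routing.
    if not locally_generated and acl_action(pbr_acl, src, dst) == "permit":
        return "Loopback0 (route-map PBRNAT: set interface Loopback0)"
    # Normal routing: 0.0.0.0/0 -> Dialer0, where crypto map SDM_CMAP_1 applies.
    if acl_action(CRYPTO_ACL_100, src, dst) == "permit":
        return "Dialer0, encrypted (matched crypto ACL 100)"
    return "Dialer0, cleartext with NAT overload"

if __name__ == "__main__":
    # LAN host to the remote site: policy-routed away before the crypto map sees it.
    print(forwarding_path("10.79.55.50", "192.168.100.53", PBR_ACL))
    # Same flow sourced by the router itself: no interface PBR, crypto ACL matches.
    print(forwarding_path("10.79.55.1", "192.168.100.53", PBR_ACL, True))
    # With the exempt entry, LAN hosts reach the tunnel; internet still hairpins.
    print(forwarding_path("10.79.55.50", "192.168.100.53", PBR_ACL_EXEMPT))
    print(forwarding_path("10.79.55.50", "203.0.113.10", PBR_ACL_EXEMPT))
```

The model stops at the first forwarding decision; it does not follow the packet after it is handed to Loopback0 for the NAT hairpin.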

Yes, I know... the only reason I'm using the PBR ACL is to redirect traffic to the inside network so I can reach my server. It works, but I can't reach the 192 net as it hits the PBR ACL, but when I ping the 192 net from 10.79.55.1 (Vlan1) the ping passes and ACL 100 works. So how does that happen?

If you create a loopback with a new subnet, let's say 10.252.0.254/24, and then you have an IP pool within that subnet, it will work without any PBR. This is the goal of EzVPN: to allow remote access without having any PBR in place.
When you say you don't have access internally, it should be an issue with your NAT, I guess.
Without PBR, are you able to ping your internal private IP on the router? Can you remove PBR, try pinging from your remote VPN device and activate debug ip icmp on the router?

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

First of all, thank you for the time and reply. So as you can see in the image, it is a simple design. It can ping 192.168.100.53 with source 10.75.59.1 (Vlan1), and also when I am connecting through the VPN client I can see all of 192.168.100. What I am trying to do: 1: to see my web email server from my local network (it uses NAT port forwarding / the same public IP); 2: to see 192.168.100 from my local network since the IPsec tunnel is set up. I will disable the PBR ACL and route maps from Dialer0 and Vlan1, but I will leave the loopback and try to see if I can see 192.168.100 and my web email server locally. Thanks again, I will let you know as soon as possible.

You want to access your web email server from inside using its public address?
Ok, let me know when you have disabled your PBR and what errors you get.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question