07-22-2013 09:27 AM
Hello,
I'm new to this site.
We've had a client VPN that was working until recently. We did make some changes, including upgrading the firmware on our 871. We do not know what broke the VPN, and our support has transferred colleges.
I have some IP knowledge and some minor VPN experience.
The VPN still connects. I can ping and access the router, but we can no longer access our inside equipment.
Looking for help and appreciate any assistance.
I've included our config.
The inside IPs we are trying to access through the VPN are in 192.168.2.0/24.
------------------- begin config ---------------------
Main#sh run
Building configuration...
Current configuration : 8724 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Main
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local none
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTH local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1790949024
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1790949024
revocation-check none
rsakeypair TP-self-signed-1790949024
!
!
crypto pki certificate chain TP-self-signed-1790949024
certificate self-signed 01
quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.240 192.168.2.249
ip dhcp excluded-address 192.168.2.212
ip dhcp excluded-address 192.168.2.200
!
ip dhcp pool dhcp-pool
import all
network 192.168.2.0 255.255.255.0
default-router 192.168.2.1
dns-server 8.8.8.8 8.8.4.4
lease 0 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name ourMFG
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW l2tp
!
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
! Default PPTP VPDN group
accept-dialin
protocol any
virtual-template 1
no l2tp tunnel authentication
!
!
!
username
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp policy 2
authentication pre-share
lifetime 84600
crypto isakmp key *********** address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group ourvpn
key ********
pool L2TPVPN
acl 150
max-users 9
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group ourvpn
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 2
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set testproposal esp-3des esp-md5-hmac
mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set security-association idle-time 3600
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map headofficeVPN_dynmap 1
set transform-set testproposal
qos pre-classify
!
!
crypto map headofficeVPN isakmp authorization list VPNAUTH
crypto map headofficeVPN client configuration address respond
crypto map headofficeVPN 65535 ipsec-isakmp dynamic headofficeVPN_dynmap
!
archive
log config
hidekeys
!
!
!
class-map match-any voice_traffic
match dscp ef
class-map match-any vpn_traffic
match access-group name IKE
!
!
policy-map traffic
class voice_traffic
priority percent 66
class vpn_traffic
bandwidth percent 5
class class-default
!
!
!
!
interface FastEthernet0
service-policy output traffic
!
interface FastEthernet1
service-policy output traffic
!
interface FastEthernet2
service-policy output traffic
!
interface FastEthernet3
service-policy output traffic
!
interface FastEthernet4
description WAN
ip address 208.104.168.71 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
speed 100
full-duplex
no cdp enable
crypto map headofficeVPN
service-policy output traffic
!
interface Virtual-Template1
ip unnumbered Vlan1
no ip redirects
no ip unreachables
no ip proxy-arp
peer default ip address pool L2TPVPN
ppp authentication ms-chap-v2 ms-chap
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet4
no ip redirects
no ip unreachables
no ip proxy-arp
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
ip address 192.168.2.1 255.255.255.0
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip local pool L2TPVPN 192.168.2.240 192.168.2.249
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.104.168.1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 175 interface FastEthernet4 overload
!
ip access-list extended IKE
permit udp any eq isakmp any eq isakmp
!
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 192.168.5.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp 208.104.244.44 0.0.0.1 eq domain any
access-list 102 permit udp 208.104.2.36 0.0.0.1 eq domain any
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
access-list 102 permit ahp any any
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit tcp any any eq telnet
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip any any log
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any log
access-list 175 deny ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
line con 0
exec-timeout 60 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
logging synchronous
transport input telnet ssh
!
scheduler max-task-time 5000
end
Main#exit
07-22-2013 11:00 AM
Hello,
You didn't explain which VPN your problem relates to, as you have both L2TP and IPsec VPNs.
So try adding 'ip proxy-arp' to some Virtual-Template interface.
07-23-2013 11:12 AM
IPsec, we're using the Cisco VPN client.
07-23-2013 02:11 PM
I'm not sure, but you can try:
crypto ipsec transform-set testproposal esp-3des esp-md5-hmac
mode tunnel
07-23-2013 05:48 AM
What's the subnet range of the "clients" connecting?
I don't see any routes.
07-23-2013 11:10 AM
When I connect I get a 192.168.2.x address, and the inside IPs are in the same range.
07-23-2013 08:05 PM
I believe this is your problem.
Your clients should be on a different subnet range. You will need to create ACLs which ensure you don't have any NAT happening between the subnets, and link those to a nat command.
e.g.
Client range 192.168.4.x
Inside range 192.168.2.x
access-list nonat extended permit ip 192.168.2.0 255.255.255.0 192.168.4.0 255.255.255.0
nat (inside) 0 access-list nonat
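The reply above writes the NAT exemption in ASA-style syntax (`nat (inside) 0 access-list`). The posted device is an 871 running IOS 12.4, where the same idea is expressed through the NAT source ACL that the config already uses (`ip nat inside source list 175 interface FastEthernet4 overload`). The fragment below is an added example, not part of the thread or of the original config; it assumes 192.168.4.0/24 as the new client range and keeps the existing pool and ACL names so it drops into the posted config. Because numbered ACL entries append in IOS, ACL 175 is rebuilt rather than having a `deny` added after the existing `permit`.

```text
! Added example (IOS 12.4 syntax, not from the thread). The client range
! 192.168.4.0/24 is an assumption; adjust to a subnet unused on the LAN.
!
! 1. Move VPN clients off the LAN subnet. The pool L2TPVPN is referenced
!    both by "crypto isakmp client configuration group ourvpn" and by
!    Virtual-Template1 (L2TP), so both client types move to the new range.
no ip local pool L2TPVPN 192.168.2.240 192.168.2.249
ip local pool L2TPVPN 192.168.4.1 192.168.4.20
!
! 2. Rebuild the NAT source list so LAN -> VPN-client traffic is not
!    translated. "deny" in a NAT source list means "do not translate";
!    the existing 192.168.5.0 exemption is preserved.
no access-list 175
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
!
! 3. The split-tunnel ACL 150 already lists the protected LAN
!    (192.168.2.0/24) as source, so it needs no change for the new pool.
!
! 4. Verify after a client reconnects: the client's pool address should
!    show as a host route via the Virtual-Access interface, the IPsec SA
!    should show encaps/decaps counters rising in both directions, and no
!    NAT translation should exist for LAN -> 192.168.4.x flows.
show ip route 192.168.4.1
show crypto session
show crypto ipsec sa
show ip nat translations | include 192.168.4.
```

Two caveats a practitioner would check before relying on this: the inside hosts must have a route back to 192.168.4.0/24, which they do here because their default gateway is the router (192.168.2.1) and the router holds the per-client host routes; and `access-list 23`, which gates both `ip http access-class 23` and the vty `access-class 23 in`, currently permits only 192.168.2.0/24 and 192.168.5.0/24, so management access from the new client range would need its own `permit` line if it is wanted at all.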