03-16-2013 09:16 AM
I have set up VPN on a stick on my router and my VPN is established but I can't get to the internet after the client gets the VPN connection; my NAT translations are not taking place when I check using the show NAT commands.
What I require is that users connect to the router through a VPN (on a Cisco router) and then the VPN traffic gets routed through the internet to a remote network so that I can control the internet activity of my clients.
Below is my configuration:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username user password 0 cisco
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpnclient
key cisco123
pool ippool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface gi0/1
ip address 216.x.x.x 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map clientmap
ip local pool ippool 192.168.1.1 192.168.1.2
ip route 0.0.0.0 0.0.0.0 216.x.x.y
ip nat inside source list 101 interface gi0/1 overload
access-list 101 permit ip any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
03-18-2013 01:42 PM
Great information!!
What is the IP address of the inside network?
Would you mind testing with the following command?
no ip cef
Thanks.
03-28-2013 12:34 PM
Awesome!!
I am glad to hear that
Great job Obaid!!! Keep it up!!!
Please rate any helpful posts and mark this as answered.
03-16-2013 11:29 AM
I see that packets coming from your vpn-clients go to 10.11.0.2. What's that? Another router? Does it know the route back to the client's pool?
03-16-2013 12:59 PM
10.11.0.2 is just an arbitrary next hop of the loopback interface to cause the NAT to take place, since there is a single interface and NAT needs both an inside and an outside interface.
03-16-2013 02:22 PM
Your configuration looks almost normal, except for:
access-list 101 permit ip any any
Do this instead:
ip access-list extended 101
10 permit ip 192.168.1.0 0.0.0.3 any
20 permit ip your_internal_network any
no permit ip any any
Then test again.
HTH.
Portu.
03-16-2013 10:29 PM
Thanks Portu for the guide. I will try it on Monday.
Please, what I am a little confused about is the:
20 permit ip your_internal_network any -- is this referring to my loopback network 10.11.0.0?
i.e. 20 permit ip 10.11.0.0 0.0.0.255 any
03-16-2013 10:36 PM
Hi Obaid,
Usually, you use the same ACL to allow Internet access to the LAN and VPN Clients; that's the reason why I mentioned it in there.
If the Router is not providing Internet access to the inside, then ignore the ACE no.20.
Thanks.
03-16-2013 11:39 PM
Thanks a lot Portu, you are a life saver.
I did all I could but couldn't get the clients to get to the internet.
Yes, in my case the router has no LAN and it only serves as an aggregate point for my clients to be able to access the internet.
So once the VPN is set up between the clients and the router they use that same connection to the internet.
I will test the ACL modification on Monday.
Thanks a lot once again.
03-17-2013 11:24 AM
Cool man
Keep me posted!
03-18-2013 10:50 AM
Hi Portu,
I changed the ACL and tested by trying to access some website, but it does not seem to work.
Here is the configuration I applied:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
resource policy
ip name-server 8.8.8.8
username user password 0 cisco
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpnclient
key cisco123
pool ippool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface gi0/1
ip address y.y.y.8 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map clientmap
ip local pool ippool 192.168.1.1 192.168.1.2
ip route 0.0.0.0 0.0.0.0 y.y.y.254
ip nat inside source list 101 interface gi0/1 overload
ip access-list extended 101
10 permit ip 192.168.1.0 0.0.0.3 any
no permit ip any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
Here are the debug results (debug ip nat doesn't bring up anything)
debug ip access-list data-plane
debug ip policy
yourname#debug ip access-list data-plane
yourname#
*Mar 18 17:16:22.687: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 17:16:22.687: IPACL-DP: Pkt matched punt/drop it
*Mar 18 17:16:30.075: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 17:16:30.075: IPACL-DP: Pkt matched permit it
*Mar 18 17:16:30.831: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 17:16:30.831: IPACL-DP: Pkt matched permit it
*Mar 18 17:16:31.575: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 17:16:31.575: IPACL-DP: Pkt matched permit it
*Mar 18 17:16:33.191: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 17:16:33.191: IPACL-DP: Pkt matched punt/drop it
*Mar 18 17:16:43.687: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 17:16:43.687: IPACL-DP: Pkt matched punt/drop it
*Mar 18 17:16:54.183: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 17:16:54.187: IPACL-DP: Pkt matched punt/drop it
*Mar 18 17:17:04.687: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 17:17:04.687: IPACL-DP: Pkt matched punt/drop it
yourname#debug ip policy
Policy routing debugging is on
yourname#
*Mar 18 17:18:32.279: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, FIB policy match
*Mar 18 17:18:32.279: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, PBR Counted
*Mar 18 17:18:32.279: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 78, FIB policy routed
*Mar 18 17:18:33.027: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, FIB policy match
*Mar 18 17:18:33.027: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, PBR Counted
*Mar 18 17:18:33.027: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 78, FIB policy routed
*Mar 18 17:18:33.775: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, FIB policy match
*Mar 18 17:18:33.775: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, PBR Counted
*Mar 18 17:18:33.775: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 78, FIB policy routed
*Mar 18 17:19:29.359: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 229, FIB policy match
*Mar 18 17:19:29.359: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 229, PBR Counted
*Mar 18 17:19:29.359: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 229, FIB policy routed
*Mar 18 17:19:32.155: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 235, FIB policy match
*Mar 18 17:19:32.155: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 235, PBR Counted
*Mar 18 17:19:32.155: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 235, FIB polic
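To make debug output like the above quicker to triage, here is an added Python parser (not code from the thread) that tallies the IPACL-DP and "FIB policy routed" lines per ACL and per flow; the embedded sample lines are constructed in the shape of the output posted above, and the ACL numbers 101 (NAT) and 144 (PBR) are taken from the configuration in this thread.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the "debug ip access-list data-plane" and
# "debug ip policy" lines posted above (not the poster's full output).
SAMPLE_DEBUG = """\
*Mar 18 17:16:22.687: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 17:16:22.687: IPACL-DP: Pkt matched punt/drop it
*Mar 18 17:16:30.075: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 17:16:30.075: IPACL-DP: Pkt matched permit it
*Mar 18 17:18:32.279: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, len 78, PBR Counted
*Mar 18 17:18:32.279: IP: s=192.168.1.1 (GigabitEthernet0/1), d=192.168.1.255, g=10.11.0.2, len 78, FIB policy routed
"""

ACL_HIT = re.compile(r"IPACL-DP: Pkt matched ACL: (\d+) seq: (\d+) Action: (\w+)")
ACL_DENY = re.compile(r"IPACL-DP: Seems no matching ACE in the ACL: (\d+), Implicit Deny")
PBR_ROUTED = re.compile(r"IP: s=([\d.]+) \(\S+\), d=([\d.]+), g=([\d.]+), len \d+, FIB policy routed")


def summarize(debug_text):
    """Tally ACE hits per ACL number and policy-routed flows per (src, dst, next-hop)."""
    acl = defaultdict(Counter)
    pbr = Counter()
    for line in debug_text.splitlines():
        if m := ACL_HIT.search(line):
            acl[m.group(1)][f"seq {m.group(2)} {m.group(3).lower()}"] += 1
        elif m := ACL_DENY.search(line):
            acl[m.group(1)]["implicit deny"] += 1
        elif m := PBR_ROUTED.search(line):
            pbr[m.groups()] += 1
    return {"acl": {k: dict(v) for k, v in acl.items()}, "pbr": dict(pbr)}


def findings(summary, nat_acl="101", pbr_acl="144"):
    """The checks a NAT-on-a-stick troubleshooter makes: did the NAT ACL ever permit,
    did the PBR ACL fire, and was the policy-routed traffic actually Internet-bound?"""
    notes = []
    nat_hits = summary["acl"].get(nat_acl, {})
    if nat_hits and set(nat_hits) == {"implicit deny"}:
        notes.append(f"ACL {nat_acl} (NAT) only hit the implicit deny: no translation is created")
    if not any(k.endswith("permit") for k in summary["acl"].get(pbr_acl, {})):
        notes.append(f"ACL {pbr_acl} (PBR) never permitted a packet: route-map not applied")
    for (src, dst, nh), n in summary["pbr"].items():
        if dst.endswith(".255"):  # local broadcast, not a flow that reaches the Internet
            notes.append(f"{n} packet(s) {src}->{dst} sent to {nh} are broadcast, not Internet-bound")
    return notes
```

Run `findings(summarize(open("debug.txt").read()))` on a saved terminal capture to get the same three checks on real output.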
03-18-2013 11:09 AM
Obaid,
Please do the following:
ip access-list extended 101
20 permit ip 192.168.1.0 0.0.0.255 any
no 10
Let me know if it makes any difference.
HTH.
03-18-2013 11:23 AM
Hi Portu
I just tried it but it doesn't seem like the ACL 101 is being hit!
03-18-2013 12:01 PM
Obaid,
This is interesting... It should be working.
How do you try to access the Internet?
By URL or IP?
Try the following, once connected to the VPN:
1- Open cmd, and try to ping 4.2.2.2.
2- Open the web browser and go to http://173.194.44.84
Let me know how it goes.
HTH.
03-18-2013 12:11 PM
Hi Portu,
I just tried both.
When I try to ping from the VPN client,
I pinged 4.2.2.2 or any other IP (other than the gi0/1 IP address x.x.x.8) and don't get a response.
I used the browser to access http://173.194.44.84 and nothing happens.
I can't ping the next hop x.x.x.254.
Thanks.
03-18-2013 12:21 PM
Thanks.
Please try this:
crypto dynamic-map dynmap 10
reverse-route remote-peer Router_Internet_next_hop
If it does not work, please share:
The current configuration of the Router, including "show crypto sessions", "show access-list 144", "show access-list 101", "show ip cef exact-route vpn_client_ip 4.2.2.2", "show crypto ipsec sa", and please confirm that the client has a VPN connection on port 4500 (open the client's statistics and verify that it says "IPsec over UDP port 4500").
And the log output provided two posts before.
Thanks in advance.
03-18-2013 12:30 PM
Hello Portu,
I will test this right away.
but here is the show run from the router itself in case there is something fishy. Interface gi0/0 is set up just to be able to use CCP.
yourname#show run
Building configuration...
Current configuration : 6374 bytes
!
! Last configuration change at 19:13:58 UTC Mon Mar 18 2013
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
ip cef
!
!
!
!
!
!
ip domain name yourdomain.com
ip name-server 8.8.8.8
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-3880283622
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3880283622
revocation-check none
rsakeypair TP-self-signed-3880283622
!
!
crypto pki certificate chain TP-self-signed-3880283622
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FGL165010CQ
!
!
username user password 0 cisco
!
redundancy
!
!
!
!
!
csdb tcp synwait-time 30
csdb tcp idle-time 3600
csdb tcp finwait-time 5
csdb tcp reassembly max-memory 1024
csdb tcp reassembly max-queue-length 16
csdb udp idle-time 30
csdb icmp idle-time 10
csdb session max-session 65535
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key cisco123
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.248
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address y.y.y.8 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map clientmap
!
interface GigabitEthernet0/2
no ip address
shutdown
duplex auto
speed auto
!
ip local pool ippool 192.168.1.1 192.168.1.2
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 y.y.y.254
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
!
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
!
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username
Replace
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username
no username cisco
Replace
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
yourname#