03-16-2013 09:16 AM
I have set up VPN on a stick on my router and my VPN is established, but I can't get to the internet after the client gets the VPN connection; my NAT translations are not taking place when I check using the show NAT commands.
What I require is that users connect to the router through a VPN (on a Cisco router) and then the VPN traffic gets routed through the internet to a remote network so that I can control the internet activity of my clients.
Below is my configuration:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
username user password 0 cisco
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group vpnclient
key cisco123
pool ippool
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
interface gi0/1
ip address 216.x.x.x 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map clientmap
ip local pool ippool 192.168.1.1 192.168.1.2
ip route 0.0.0.0 0.0.0.0 216.x.x.y
ip nat inside source list 101 interface gi0/1 overload
access-list 101 permit ip any any
access-list 144 permit ip 192.168.1.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
03-18-2013 01:36 PM
Hello Portu,
I added the above configuration but it did not work. Here is the result of the show/debug commands:
Client statistics do show UDP port 4500 active.
1)show ip nat translations: no output.
2)yourname#show crypto session
Crypto session current status
Interface: GigabitEthernet0/1
Username: user
Group: vpnclient
Assigned address: 192.168.1.2
Session status: UP-ACTIVE
Peer: 71.17.105.24 port 1179
IKEv1 SA: local y.y.y.8/4500 remote 71.17.105.24/1179 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.1.2
Active SAs: 2, origin: dynamic crypto map
3)yourname#show access-list 144
Extended IP access list 144
10 permit ip 192.168.1.0 0.0.0.255 any (492 matches)
yourname#
4)yourname#show access-list 101
Extended IP access list 101
20 permit ip 192.168.1.0 0.0.0.255 any
yourname#
5)yourname#show ip cef exact-route 192.168.1.2 4.2.2.2
192.168.1.2 -> 4.2.2.2 => IP adj out of GigabitEthernet0/1, addr y.y.y.254
yourname#
yourname#
6)yourname#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: clientmap, local addr y.y.y.8
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
current_peer 71.17.105.24 port 1179
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: y.y.y.8, remote crypto endpt.: 71.17.105.24
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x23958620(597001760)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x879616B4(2274760372)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2011, flow_id: Onboard VPN:11, sibling_flags 80000040, crypto map: clientmap
sa timing: remaining key lifetime (k/sec): (4244275/3293)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x23958620(597001760)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2012, flow_id: Onboard VPN:12, sibling_flags 80000040, crypto map: clientmap
sa timing: remaining key lifetime (k/sec): (4244287/3293)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
outbound ah sas:
outbound pcp sas:
yourname#
7)yourname#show ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
GigabitEthernet0/1
Inside interfaces:
Loopback0
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 1] access-list 101 interface GigabitEthernet0/1 refcount 0
Total doors: 0
Appl doors: 0
Normal doors: 0
Queued Packets: 0
yourname#
8)yourname#show ip policy
Interface Route map
Gi0/1 VPN-Client
yourname#
9)debug ip policy: (when I ping the next hop)
*Mar 18 19:54:12.091: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, FIB policy match
*Mar 18 19:54:12.091: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, PBR Counted
*Mar 18 19:54:12.091: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, g=10.11.0.2, len 60, FIB policy routed
*Mar 18 19:54:17.187: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, FIB policy match
*Mar 18 19:54:17.187: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, PBR Counted
*Mar 18 19:54:17.187: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, g=10.11.0.2, len 60, FIB policy routed
*Mar 18 19:54:22.687: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, FIB policy match
*Mar 18 19:54:22.687: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, len 60, PBR Counted
*Mar 18 19:54:22.687: IP: s=192.168.1.2 (GigabitEthernet0/1), d=y.y.y.254, g=10.11.0.2, len 60, FIB policy ro
10)debug ip policy (when accessing http://173.194.44.84 from client)
*Mar 18 20:04:14.991: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, FIB policy match
*Mar 18 20:04:14.991: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, PBR Counted
*Mar 18 20:04:14.995: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, g=10.11.0.2, len 48, FIB policy routed
*Mar 18 20:04:15.399: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, FIB policy match
*Mar 18 20:04:15.399: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, PBR Counted
*Mar 18 20:04:15.399: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, g=10.11.0.2, len 48, FIB policy routed
*Mar 18 20:04:15.619: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, FIB policy match
*Mar 18 20:04:15.619: IP: s=192.168.1.2 (GigabitEthernet0/1), d=173.194.44.84, len 48, PBR Counted
debug ip policy (when pinging 4.2.2.2 from client)
*Mar 18 20:05:41.927: IP: s=192.168.1.2 (GigabitEthernet0/1), d=4.2.2.2, len 60, FIB policy match
*Mar 18 20:05:41.927: IP: s=192.168.1.2 (GigabitEthernet0/1), d=4.2.2.2, len 60, PBR Counted
*Mar 18 20:05:41.927: IP: s=192.168.1.2 (GigabitEthernet0/1), d=4.2.2.2, g=10.11.0.2, len 60, FIB policy routed
11)yourname#debug ip access-list data-plane
yourname#
*Mar 18 20:38:00.307: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 20:38:00.307: IPACL-DP: Pkt matched punt/drop it
*Mar 18 20:38:05.727: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 20:38:05.727: IPACL-DP: Pkt matched permit it
*Mar 18 20:38:10.811: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 20:38:10.811: IPACL-DP: Pkt matched punt/drop it
*Mar 18 20:38:21.315: IPACL-DP: Seems no matching ACE in the ACL: 101, Implicit Deny
*Mar 18 20:38:21.315: IPACL-DP: Pkt matched punt/drop it
*Mar 18 20:38:21.731: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 20:38:21.731: IPACL-DP: Pkt matched permit it
*Mar 18 20:38:22.047: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 20:38:22.047: IPACL-DP: Pkt matched permit it
*Mar 18 20:38:22.311: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 20:38:22.311: IPACL-DP: Pkt matched permit it
*Mar 18 20:38:25.071: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 20:38:25.071: IPACL-DP: Pkt matched permit it
*Mar 18 20:38:25.183: IPACL-DP: Pkt matched ACL: 144 seq: 10 Action: Permit
*Mar 18 20:38:25.183: IPACL-DP: Pkt matched permit it
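An added Python helper, not code from the thread, that parses output in the shape of the `show crypto ipsec sa` above and classifies each SA by its encaps/decaps counters. The sample text is a constructed copy of the counters in step 6: 68 packets decapsulated and none encapsulated, which says the tunnel itself is up and the problem is the return path (NAT/PBR) on the router.

```python
import re

# Constructed sample, modelled on the "show crypto ipsec sa" output posted in
# the thread: the SA decapsulates client packets but never encapsulates any.
SAMPLE_IPSEC_SA = """\
interface: GigabitEthernet0/1
    Crypto map tag: clientmap, local addr y.y.y.8
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.2/255.255.255.255/0/0)
   current_peer 71.17.105.24 port 1179
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 68, #pkts decrypt: 68, #pkts verify: 68
    #send errors 0, #recv errors 0
"""

COUNTERS = {
    "encaps": re.compile(r"#pkts encaps: (\d+)"),
    "decaps": re.compile(r"#pkts decaps: (\d+)"),
    "send_errors": re.compile(r"#send errors (\d+)"),
}

def parse_ipsec_sa(text):
    """Return one dict per SA: remote identity, peer and packet counters."""
    sas, cur = [], None
    for line in text.splitlines():
        m = re.search(r"remote ident \(addr/mask/prot/port\): \((\S+?)/", line)
        if m:                      # each "remote ident" line starts a new SA
            cur = {"remote_ident": m.group(1)}
            sas.append(cur)
        elif cur is not None:
            m = re.search(r"current_peer (\S+) port (\d+)", line)
            if m:
                cur["peer"], cur["port"] = m.group(1), int(m.group(2))
            for name, rx in COUNTERS.items():
                m = rx.search(line)
                if m:
                    cur[name] = int(m.group(1))
    return sas

def diagnose(sa):
    """Classify traffic direction. Decaps without encaps means the tunnel is
    up but the return path (routing/NAT) never hands replies back to it."""
    enc, dec = sa.get("encaps", 0), sa.get("decaps", 0)
    if dec and not enc:
        return "receive-only"
    if enc and not dec:
        return "send-only"
    return "bidirectional" if enc and dec else "idle"
```

A "receive-only" SA together with zero entries in `show ip nat translations` is the combination seen in this post: packets arrive from the client but no reply is ever translated and sent back into the tunnel.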
03-18-2013 01:42 PM
Great information!!
What is the IP address of the inside network?
Would you mind testing with the following command?
no ip cef
Thanks.
03-18-2013 01:53 PM
OMG!!!!!!!!!!!!!
Portu,
I don't know how to thank you!!!
it is working now.
Please can you explain to me a bit of what might be happening here!!!
Words are not enough to thank you.
03-18-2013 02:03 PM
I am happy to know that we finally got it working.
Before we open the Champagne, please provide the following output:
1- show ip arp
2- show ip cef
3- show version | inc 15.
Thanks
03-18-2013 02:05 PM
Hi Portu,
Here are the show commands:
yourname#show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.10.10.1 - e02f.6db0.5238 ARPA GigabitEthernet0/0
Internet 10.10.10.5 1 b8ac.6f52.27fc ARPA GigabitEthernet0/0
Internet 216.y.y.6 0 Incomplete ARPA
Internet 216.y.y.8 - e02f.6db0.5239 ARPA GigabitEthernet0/1
Internet 216.y.y.254 1 0012.017c.9b1a ARPA GigabitEthernet0/1
yourname#show ip cef
%IPv4 CEF not running
yourname#
yourname#show version | inc 15
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
ROM: System Bootstrap, Version 15.0(1r)M16, RELEASE SOFTWARE (fc1)
System image file is "flash0:c2900-universalk9-mz.SPA.152-4.M2.bin"
yourname#
Everything is working perfectly, but:
I need to use the VPN client connection to RDP into another computer (1.1.1.1 internet IP) over the internet through a second router that has my main LAN.
Secondly, I want only 1.1.1.0 to go through the tunnel; any other traffic should use the normal internet (i.e. split tunnelling).
I created this split tunnel and it is working (using tracert to check on the client), but my issue is I am not sure why I can't access RDP on 1.1.1.0.
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
acl 102
access-list 102 permit tcp 1.1.1.0 0.0.0.255 any
On the router having the 1.1.1.0 network I have IPS and IOS firewall, and the firewall is configured to allow RDP, https, http, etc. from the outside and is being continuously accessed from outside.
But I am not sure why I can't access it using the VPN client through the internet.
Would appreciate your input on this!
Once again hats off to you!!!!
03-18-2013 09:32 PM
Obaid,
It's my pleasure
What happens when you try to access the RDP server?
This is going to be a long shot, but let's try the following:
interface g0/1
ip tcp adjust-mss 1200
Let me know.
Portu.
03-18-2013 10:03 PM
Hi Portu,
Before I try this configuration I should tell you that I am able to RDP to another network (some random network on the internet), so I think it is not an issue with this router.
Is it possible some signature on R1, the second (remote) router, is seeing the traffic as an attack or something as it is being translated? (I will check the IPS log tomorrow.)
The firewall is set to allow traffic from any IP on RDP or http (for a website) from the outside; I am not sure if something else is needed?
Thirdly, the internet IP on the VPN router is actually a secondary IP on R1 (from a secondary ISP) which uses IP SLA to track so that the secondary ISP only takes over once the primary internet is down (which is the ISP I am using to test the VPN router).
So:
For testing purposes, since it is a backup internet, I used it to test the VPN (to provide the internet IP and next hop), and from my understanding R1 should not need it except when ISP 1 is down. Or is it possible that the firewall or the IPS sees this as an attack or something?
03-18-2013 10:16 PM
Dear Obaid,
Nice info.
Check the Router's logs and make sure IPS is not dropping any packets.
Portu.
03-28-2013 12:06 PM
Thanks guys got it working perfectly!!
03-28-2013 12:34 PM
Awesome!!
I am glad to hear that.
Great job Obaid!!! Keep it up!!!
Please rate any helpful posts and mark this as answered.
03-28-2013 12:46 PM
Hello Portu,
You are the best!! I couldn't have figured this out without your help.
I am not sure if you have the time, but I need your help to consider another option to achieve the same case, because there is a latency I want to avoid/reduce because of the VPN.
So once remote users over the internet RDP or http into 1.1.1.2, it gets NATted to 2.2.2.3, where regular NAT takes place to go to the LANs, say the 10.0.0.2 server.
i.e. here is the traffic flow:
Remote user----------------(InternetRDP/http)--------(1.1.1.1)R2------------------Internet-------------------(2.2.2.2)R1-------Lan(10.0.0.0)
for R1:
ip name-server 10.0.0.1
interface gi0/0
ip address 10.0.0.254 255.255.255.0
interface gi0/1
ip address 2.2.2.2 255.255.255.0 (internet interface)
ip route 0.0.0.0 0.0.0.0 2.2.2.253
ip nat inside source static 2.2.2.3 10.0.0.2
ip nat inside source static 2.2.2.4 10.0.0.3
R2: (R2 only has one interface which is connected to the internet)
interface gi0/1
ip address 1.1.1.1 255.255.255.0
ip nat outside
ip virtual-reassembly
ip policy route-map Nat-on-Stick
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
access-list 144 permit ip 1.1.1.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
ip nat inside source static 1.1.1.2 2.2.2.3
ip nat inside source static 1.1.1.3 2.2.2.4
Not sure, but this is what I came up with!
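An added consistency check, not code from the thread or from Cisco, that parses a flattened IOS fragment like the R2 one above and reports references that do not resolve: a route-map named under `ip policy route-map` that is never defined, a `match ip address` ACL that does not exist, or a `set ip next-hop` address that is on no connected interface subnet. The embedded config is a constructed copy of the R2 fragment; run against it, the check flags that gi0/1 applies `Nat-on-Stick` while the only route-map defined is `VPN-Client`.

```python
import ipaddress
import re
# Constructed copy of the R2 fragment from the last post, indentation flattened
# the way the forum rendered it (not the thread author's exact config).
R2_CONFIG = """\
interface gi0/1
ip address 1.1.1.1 255.255.255.0
ip policy route-map Nat-on-Stick
interface Loopback0
ip address 10.11.0.1 255.255.255.0
access-list 144 permit ip 1.1.1.0 0.0.0.255 any
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.11.0.2
"""

def parse_ios(text):
    """Minimal IOS parser: interface subnets, PBR references, route-map bodies."""
    cfg, section = {"interfaces": {}, "route_maps": {}, "acls": set()}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            section = cfg["interfaces"].setdefault(line.split()[1], {})
        elif line.startswith("route-map "):
            section = cfg["route_maps"].setdefault(line.split()[1], {})
        elif line.startswith("access-list "):
            cfg["acls"].add(line.split()[1])
        elif section is not None:
            if m := re.match(r"ip address (\S+) (\S+)", line):
                section["net"] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            elif line.startswith("ip policy route-map "):
                section["pbr"] = line.split()[-1]
            elif line.startswith("match ip address "):
                section["acl"] = line.split()[-1]
            elif line.startswith("set ip next-hop "):
                section["next_hop"] = ipaddress.ip_address(line.split()[-1])
    return cfg

def check_pbr(cfg):
    """Report dangling route-map/ACL references and a next hop on no subnet."""
    findings = []
    nets = [i["net"] for i in cfg["interfaces"].values() if "net" in i]
    for name, intf in cfg["interfaces"].items():
        if "pbr" in intf and intf["pbr"] not in cfg["route_maps"]:
            findings.append(f"{name}: route-map {intf['pbr']} is not defined")
    for name, rm in cfg["route_maps"].items():
        if "acl" in rm and rm["acl"] not in cfg["acls"]:
            findings.append(f"route-map {name}: access-list {rm['acl']} is not defined")
        if "next_hop" in rm and not any(rm["next_hop"] in n for n in nets):
            findings.append(f"route-map {name}: next hop {rm['next_hop']} is on no connected subnet")
    return findings
```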