
VPN Remote Access with dynamic routing (OSPF)

chike2much
Level 1

Hi Guys,

I'm having a problem with OSPF dynamic routing. I set up 3 routers to simulate HQ --- ISP ---- Branch routers respectively, and I have OSPF dynamic routing configured between them for site-to-site VPN tunneling, which works fine. I have configured Remote Access VPN on the HQ router for remote users to connect into the LAN environment to access internal resources. Now my question is: even without connecting the VPN it can still access my internal network, and I want to kill this route because I don't want remote users to have direct access to internal resources, but only after they connect using remote VPN.

==HQ router== #sh ip route

10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
O 10.10.1.0/24 [110/129] via 85.85.86.2, 01:23:55, Serial0/0/1
C 10.10.10.0/24 is directly connected, GigabitEthernet0/1
L 10.10.10.3/32 is directly connected, GigabitEthernet0/1
S 10.10.20.0/24 [1/0] via 10.10.10.1
S 10.10.30.0/24 [1/0] via 10.10.10.1
S 10.10.40.0/24 [1/0] via 10.10.10.1
85.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C 85.85.86.0/30 is directly connected, Serial0/0/1
L 85.85.86.1/32 is directly connected, Serial0/0/1
O 85.85.86.4/30 [110/128] via 85.85.86.2, 01:24:30, Serial0/0/1
O 85.85.86.8/30 [110/128] via 85.85.86.2, 01:24:30, Serial0/0/1
S* 0.0.0.0/0 is directly connected, Serial0/0/1

Any ideas will be appreciated. Many thanks

~Chike


14 Replies

balaji.bandi
Hall of Fame

"Now my question is even without connecting the VPN it can still access my internal network" - is this the question? It depends on what resource you are looking to access. From a security point of view you do not have visibility if you open internal resources for public access, so I suggest having a secure connection.

"and i want to kill this route because i don't want remote users to have direct access to internal resources but only after they connect using remote VPN." - sure, this is the best way to connect: set up a VPN profile for remote users to connect to the LAN.

Not sure about the show ip route you provided? Are you looking for any guidance on this show ip route output?

BB


The show ip route is for the HQ router. I already set up both the VPN profiles (crypto maps for RA and S2S) and it works fine .... but after I disconnect the RA-VPN, the Remote Access nodes (Boss & IT Guy) from the coffee shop can still access the HQ internal resources through the internet router directly..... I'm assuming because my L3 SWT and router have dynamic routing (OSPF) set up between them and down through the INTERNET to the BRANCH LAN L3 SWT.. I don't know what to think.. That is the route I want to kill, so that when I connect the RA-VPN from the coffee shop it can access both the HQ and branch LAN through the INTERNET router simultaneously. I attached the Pkt file ... to clarify my question...

I await your response

~Chike

A secured connection is why I'm trying to make sure only the RA coming through the internet can reach both my internal resources on the HQ and Branch networks.

Check reverse route injection; this will add the route to the remote router only for the time the VPN is UP and then remove it when the VPN is down.

Yes, the remote VPN does add and remove its static routes automatically, as it should. But the downside is the VPN clients from the coffee shop router can still access the HQ LAN even without a VPN connection ... I don't like that. (Maybe the reason might be because I'm running dynamic routing via L2 and L3 routers.) My intention is that you can only access internal resources after authentication, or do you suggest AAA? I have been trying to crack this; moving fwd, let me know your ideas ...

~Chike 

Hi @MHM Cisco World,

Did you get to look into this issue for me? What do you think I can do?

 

Yes friend, I labbed it and found the answer:
config the reverse-route injection without the keyword static.

The keyword static makes the route always appear in the hub router, but without it the static route is added/removed when the tunnel goes up/down.

I just checked the configs. For the reverse injection under the crypto dynamic map sequence there was NO keyword "static" configured:

#>reverse route
#>set transform-set <>

Can you paste configs to help me understand better, my friend? Thanks.

== CONFIGS ===

crypto dynamic-map dynamicVPN 15
set transform-set projectVPN
reverse-route

I did not use any static keyword. Can you please tell me what you think? Thanks.

One thing is in my mind:
using keepalive for ISAKMP to detect that the tunnel is down and to automatically remove the reverse route injection.
Can you add keepalive and see the result?

I don't have those keepalive keywords on Cisco PT, maybe on main gear. But this problem only arises because I'm running a dynamic protocol from my Internet router to my Core Switch in my LAN setup.

Sorry, I cannot open the PKT file. Can you share the remote access router config and hub as text?

I fixed the issue. My wildcard mask for my ACL-NAT was not matching the destination network.... Sometimes these little things can be a pain. .. Now I'm scaling the network to wireless and VoIP, segmenting with VLANs... Then run all traffic through site-to-site VPN tunneling, and Remote Access users authenticate through the internet using AAA authentication credentials. At least at the CCNA level ..... Thanks my friend for everything.

~Chike
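The root cause above was an ACL wildcard mask that did not line up with the destination network. The following added checker (not from the thread or from Cisco) converts each IOS "address wildcard" pair into the prefix it really matches and reports whether it is exact, too broad, too narrow or unrelated to the intended destination; the destination networks are taken from the HQ routing table posted above, the ACL entries are hypothetical.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF

def is_contiguous_wildcard(wildcard: str) -> bool:
    """True if the wildcard's one-bits form a single run from the right, i.e. it describes one prefix."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES
    return (mask | (mask - 1)) & ALL_ONES == ALL_ONES

def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Convert an IOS ACL 'address wildcard' pair into the prefix it matches (1 bits = don't care)."""
    if not is_contiguous_wildcard(wildcard):
        raise ValueError(f"non-contiguous wildcard {wildcard}: not a single prefix, almost always a typo")
    mask = ~int(ipaddress.IPv4Address(wildcard)) & ALL_ONES
    network = int(ipaddress.IPv4Address(addr)) & mask   # IOS ignores host bits under the wildcard
    return ipaddress.IPv4Network((network, bin(mask).count("1")))

def compare_entry(addr: str, wildcard: str, dest_cidr: str) -> str:
    """Classify how an ACL entry relates to the destination network it was meant to match."""
    matched = wildcard_to_network(addr, wildcard)
    dest = ipaddress.IPv4Network(dest_cidr)
    if matched == dest:
        return "exact"
    if dest.subnet_of(matched):
        return "too broad"   # the entry also catches traffic for other networks
    if matched.subnet_of(dest):
        return "too narrow"  # part of the destination escapes the entry
    return "no overlap"

def audit(entries, destinations):
    """For each destination, the best verdict any entry achieves; only 'exact' needs no fix."""
    rank = {"exact": 0, "too broad": 1, "too narrow": 2, "no overlap": 3}
    return {d: min((compare_entry(a, w, d) for a, w in entries), key=rank.get)
            for d in destinations}

# Constructed sample: destinations are the internal networks from the HQ routing table
# posted in the thread; the ACL entries are hypothetical and deliberately include two bad masks.
SAMPLE_DESTINATIONS = ["10.10.20.0/24", "10.10.30.0/24", "10.10.40.0/24", "10.10.1.0/24"]
SAMPLE_ENTRIES = [
    ("10.10.20.0", "0.0.0.255"),  # correct /24 wildcard
    ("10.10.30.0", "0.0.1.255"),  # /23: also matches the neighbouring 10.10.31.0/24
    ("10.10.40.0", "0.0.0.127"),  # /25: upper half of 10.10.40.0/24 is not matched
]

if __name__ == "__main__":
    for dest, verdict in audit(SAMPLE_ENTRIES, SAMPLE_DESTINATIONS).items():
        print(f"{dest:16} {verdict}")
```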

You are so, so welcome,
I am so happy your issue is solved.
Good luck friend.