Re: VPN tunnel is up but can't accsss internal IPs in Easy cisco

aungsanmyint · ‎03-24-2012

Hi somebody,

i just configured cisco easy vpn configurion in cisco router. VPN tunnel is up but i can't ping & access internal IPs from outside.here is my configuration file & please help me check it.

My Internal IPs = 192.168.1.xx

My VPN pool IPs = 192.168.2.xx

(config)#do sh run

Building configuration...

Current configuration : 2326 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R5

!

boot-start-marker

boot-end-marker

!

aaa new-model

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

aaa session-id common

!

ip cef

no ip domain lookup

!

username asm privilege 15 secret 5 $1$C0.0$eBAs8Hym3xjiLHn1VZ84L.

username cisco123 privilege 15 secret 5 $1$xIOL$BRET.z2enHOzsrskiavw61

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp policy 2

authentication pre-share

group 2

!

crypto isakmp policy 10

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpn_clients

key pncsadmin

pool SDM_POOL_1

acl 101

include-local-lan

max-users 20

netmask 255.255.255.0

!

crypto ipsec transform-set VPN esp-des esp-md5-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set VPN

reverse-route

!

crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface FastEthernet0/0

ip address 200.200.200.200 255.255.255.0

ip nat outside

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 200.200.200.201

!

ip http server

ip http authentication local

no ip http secure-server

!

ip nat inside source route-map VPN interface FastEthernet0/0 overload

!

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

!

route-map VPN permit 1

match ip address 101

!

control-plane

!

gatekeeper

shutdown

!

line con 0

exec-timeout 0 0

logging synchronous

stopbits 1

line aux 0

stopbits 1

line vty 0 4

!

end

mkabbashi · ‎09-07-2013

helpppppp!

mkabbashi · ‎09-07-2013

same issue,

should I select different subnet?

which interface should I configure easyvpn on? inside or outside one?

what about NAT?

Mike Williams · ‎09-08-2013

Hi Aung,

I would start by creating a second ACL for split-tunnel traffic on the VPN client. I also prefer to use named access-lists for ease of management. Try this:

ip access-list extended vpn

permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

crypto isakmp client configuration group vpn_clients

no acl 101

acl vpn

Then remove the following lines from ACL 101:

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

And add the following line:

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

What's happening is that the ACL for split tunneling is matching the first line in ACL 101, telling it to split tunnel any traffic to the 192.168.1.0 network. This is great. But since you are using the same ACL for your NAT match, it matches the first line and never matches the second line to disable NAT to your VPN subnet.

The final ACL 101 should look like this:

access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Regards,

Mike

mkabbashi · ‎09-08-2013

I faced the problem of connection to local lan , here the config.

Building configuration...

Current configuration : 3054 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname X_R_Z

!

boot-start-marker

boot system flash:c1841-advipservicesk9-mz.124-12.bin

boot-end-marker

!

no logging buffered

enable secret 5 $1$MNXK$lahi6sf17juTZIYm877hT.

enable password cisco

!

aaa new-model

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authentication login sdm_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network sdm_vpn_group_ml_2 local

!

aaa session-id common

ip cef

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.87

ip dhcp excluded-address 192.168.1.1 192.168.1.66

ip dhcp excluded-address 192.168.1.106

!

ip dhcp pool Xyz

network 192.168.1.0 255.255.255.0

default-router 192.168.1.77

dns-server 196.29.180.39 196.29.164.49 192.168.1.82

domain-name wr

!

no ip domain lookup

!

username w1 privilege 15 password 0 ww2

username fi privilege 15 secret 5 $1$oIDZ$JHpf0Hft0qMAi4oabOfM..

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group testvpn

key 111111

pool SDM_POOL_1

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA1

reverse-route

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface FastEthernet0/0

description WAN_INTERFACE

no ip address

no ip proxy-arp

ip mtu 1400

speed 100

full-duplex

!

interface FastEthernet0/0.71

encapsulation dot1Q 71

ip dhcp relay information trusted

ip address 192.168.1.77 255.255.255.0

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/0.75

encapsulation dot1Q 75

ip address 197.251.333.147 255.255.255.252

no ip proxy-arp

ip nat outside

ip virtual-reassembly

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

ip address 10.8.0.1 255.255.255.0

duplex auto

speed auto

!

ip local pool SDM_POOL_1 192.168.50.1 192.168.50.5

ip route 0.0.0.0 0.0.0.0 197.251.333.146

!

ip http server

ip http authentication local

ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0.75 overload

!

ip access-list extended X-Yh

remark SDM_ACL Category=16

deny ip any host 192.168.50.1

deny ip any host 192.168.50.2

deny ip any host 192.168.50.3

deny ip any host 192.168.50.4

deny ip any host 192.168.50.5

permit ip 192.168.1.0 0.0.0.255 any

!

route-map SDM_RMAP_1 permit 1

match ip address X-Yh

!

control-plane

!

line con 0

line aux 0

line vty 0 4

privilege level 15

password Sr

!

scheduler allocate 20000 1000

end

any suggestions

VPN tunnel is up but can't accsss internal IPs in Easy cisco vpn Server