VPN tunnel

GBonset05 (Level 1)

Hello all,

Of course I have a question, otherwise I would not be here ;)

When I have the VPN tunnel up, I can't see the office network (192.168.1.0). I only get the IP address from the VPN pool.

Below is part of the config I used (or should I post the entire config?):



aaa authentication login userauthen local
aaa authorization network groupauthor local

username admin privilege 15 secret xxx
username klaas password xxx
username george password xxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key xxx address 0.0.0.0
!
crypto isakmp client configuration group vpnclient
key xxx
dns 8.8.8.8
domain test.local
pool ipvpnpool
acl 105
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map dynmap 10
set transform-set MySet
reverse-route
!
!
crypto map MyMap client authentication list userauthen
crypto map MyMap isakmp authorization list groupauthor
crypto map MyMap client configuration address respond
crypto map MyMap 1 ipsec-isakmp
set peer 1.1.1.1
set security-association lifetime seconds 86400
set transform-set MySet
match address 101
crypto map MyMap 20 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
no ip address
ip virtual-reassembly in
load-interval 30
duplex full
speed 100
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface Vlan1
ip address 192.168.1.248 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip verify unicast reverse-path
ip tcp adjust-mss 1452
load-interval 30
no autostate
!
interface Dialer1
mtu 1492
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip verify unicast reverse-path
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxx password xxx
crypto map MyMap
!
ip local pool ipvpnpool 192.168.253.10 192.168.253.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
match ip address 103
!
access-list 23 remark Remote_Management
access-list 23 permit 192.168.1.0 0.0.0.255        (local network)
access-list 101 remark Cryptomap-IPSEC-VPN-BM
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark nat rules
access-list 103 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255

Accepted Solution

Rahul Govindan (VIP Alumni)

You are using the same ACL 101 for both crypto map and nat exemption - which is wrong.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Create a new ACL for nat exemption ( say 102) and have traffic between internal and vpn pool denied and everything else from internal allowed:

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any

Then apply it to your NAT overload statement:

no ip nat inside source list 101 interface Dialer1 overload
ip nat inside source list 102 interface Dialer1 overload

PLEASE NOTE: you will lose internet access when making this change, so do it in a downtime and with access to the router internally.


5 Replies

Thanks for your answer, seems logical to me. Don't know why I overlooked that.

Will try it next week when I'm at the customer location.

Hello Rahul,

These adjustments didn't work, I still cannot ping the internal network through the VPN tunnel.

This is the config after adding the 102 access-list:

Current configuration : 4220 bytes
!
! Last configuration change at 10:04:09 gmt Mon Feb 13 2017
version 15.3
no service pad
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname GRDATA
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200
logging console critical
enable secret 5 $1$tOFw$lUhRf7A/Wob9gpfTITQ2k0
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone gmt 1 0
clock summer-time GMT recurring last Sun Mar 2:00 last Sun Oct 3:00
!
!
no ip domain lookup
ip domain name grdata.local
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
license udi pid C881-K9 sn FCZ2005C160
!
!
username admin privilege 15 secret 5 $1$mUyc$Tj9BqoPz4b6b9fjBk0rnU0
username klaas password 7 052C140A385A7E07415556
username george password 7 080F4D58080B1718425F58
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key xxx address 178.85.x.x
!
crypto isakmp client configuration group vpnclient
 key xxx
 dns 194.151.228.34
 domain grdata.local
 pool ipvpnpool
 acl 105
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
 mode tunnel
!
!
!
crypto dynamic-map dynmap 10
 set transform-set MySet
 reverse-route
!
!
crypto map MyMap client authentication list userauthen
crypto map MyMap isakmp authorization list groupauthor
crypto map MyMap client configuration address respond
crypto map MyMap 1 ipsec-isakmp
 set peer 178.85.x.x
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address 101
crypto map MyMap 20 ipsec-isakmp dynamic dynmap
!
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 no ip address
 ip virtual-reassembly in
 load-interval 30
 duplex full
 speed 100
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Vlan1
 ip address 192.168.1.248 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 ip tcp adjust-mss 1452
 load-interval 30
 no autostate
!
interface Dialer1
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly in
 ip verify unicast reverse-path
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username PPP password 7 05203621
 crypto map MyMap
!
ip local pool ipvpnpool 192.168.253.10 192.168.253.30
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 102 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address 103
!
access-list 23 remark Remote_Management
access-list 23 permit 10.11.7.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 46.144.180.1 0.0.0.248
access-list 101 remark Cryptomap-IPSEC-VPN-BM
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 remark nat rules
access-list 103 deny   ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
 logging synchronous
 no modem enable
 escape-character 3
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 logging synchronous
 transport input ssh
 escape-character 3
!
scheduler allocate 20000 1000
!
end

What is the following crypto map used for?

crypto map MyMap 1 ipsec-isakmp
 set peer 178.85.x.x
 set security-association lifetime seconds 86400
 set transform-set MySet
 match address 101

The reason I am asking this is because it seems to have the matching ACL for the VPN pool network.

access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.253.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Ideally, the VPN falls under the dynamic map and gets established. But this crypto map might be matching your return traffic and causing it to fail. Can you remove the static crypto map if it is not being used?
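To make both points in this thread concrete (the accepted answer's NAT-exemption fix and the later question about the static crypto map sequence 1 that also matches address 101), here is an added Python model of how the router classifies a LAN host's reply to a VPN client. It is not Cisco code and not from the thread; the ACL contents are copied from the configs above, the packet addresses and the simplified rule "a dynamic map entry matches traffic destined to the VPN pool" are constructed assumptions for illustration.

```python
import ipaddress

# Constructed model (added example, not router code): first the NAT decision
# made by "ip nat inside source list <acl> interface Dialer1 overload", then
# the crypto map lookup, where sequence numbers are tried in ascending order
# and the first entry whose crypto ACL permits the flow wins.

def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard mask: bits set in the wildcard are 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w) == (b & ~w)

def acl_lookup(acl, src, dst):
    """Return 'permit', 'deny' or None (implicit deny) for the first matching ACE."""
    for action, s_base, s_wc, d_base, d_wc in acl:
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return action
    return None

ANY = ("0.0.0.0", "255.255.255.255")
LAN = ("192.168.1.0", "0.0.0.255")          # office network from the thread
POOL = ("192.168.253.0", "0.0.0.255")       # ip local pool ipvpnpool

# access-list 101 as posted (crypto ACL, and NAT list in the first config)
ACL_101 = [
    ("permit", *LAN, *POOL),
    ("permit", *LAN, *ANY),
]
# access-list 102 as proposed in the accepted answer (NAT exemption)
ACL_102 = [
    ("deny", *LAN, *POOL),
    ("permit", *LAN, *ANY),
]

def nat_translates(nat_acl, src, dst):
    """Overload NAT rewrites the source only when the NAT ACL permits the flow."""
    return acl_lookup(nat_acl, src, dst) == "permit"

def crypto_map_select(entries, src, dst):
    """Return the sequence number of the first crypto map entry that claims the flow.

    entries: list of (seq, kind, acl). A static entry matches when its ACL
    permits the flow; a dynamic entry is modelled (assumption) as matching
    traffic destined to the VPN pool, i.e. a client with a negotiated SA.
    """
    for seq, kind, acl in sorted(entries, key=lambda e: e[0]):
        if kind == "static" and acl_lookup(acl, src, dst) == "permit":
            return seq
        if kind == "dynamic" and wildcard_match(dst, *POOL):
            return seq
    return None   # no entry matched: traffic leaves Dialer1 in clear text

# crypto map MyMap as posted: seq 1 static (match address 101), seq 20 dynamic
MYMAP_AS_POSTED = [(1, "static", ACL_101), (20, "dynamic", None)]
# the same map with the unused static entry removed, as the last reply suggests
MYMAP_WITHOUT_STATIC = [(20, "dynamic", None)]

def classify(nat_acl, crypto_map, src, dst):
    """Summarise what happens to one packet on its way out of Dialer1."""
    return {
        "nat": nat_translates(nat_acl, src, dst),
        "crypto_seq": crypto_map_select(crypto_map, src, dst),
    }

if __name__ == "__main__":
    lan_host, vpn_client = "192.168.1.10", "192.168.253.10"   # constructed addresses
    print("ACL 101 as NAT list, map as posted:",
          classify(ACL_101, MYMAP_AS_POSTED, lan_host, vpn_client))
    print("ACL 102 as NAT list, map as posted:",
          classify(ACL_102, MYMAP_AS_POSTED, lan_host, vpn_client))
    print("ACL 102 as NAT list, static entry removed:",
          classify(ACL_102, MYMAP_WITHOUT_STATIC, lan_host, vpn_client))
```

Run as a script, the three lines show the progression of the thread: with ACL 101 as the NAT list the reply to the VPN client is translated before encryption, so the client never sees a response from 192.168.1.x; with ACL 102 the translation stops, but the reply is still claimed by static sequence 1 because the second line of ACL 101 permits anything from the LAN; only once the static entry is gone does the flow reach the dynamic entry at sequence 20. A quick on-box check of the same thing is `show crypto ipsec sa`, where the counters of the SA that actually carries the client's traffic should increase when the LAN host replies.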

MANI .P (Level 1)

Can you brief your query?