Cisco Easy VPN Client connects but can't access internal resources

Discussion in 'Internet, Connectivity and Communications' started by NathanNeedsHelp, Aug 11, 2009.

  1. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    Morning.
    I'm wrestling with my 857 router again. Recently I got Easy VPN Server configured through SDM and was able to access my network from anywhere for a change, but at the same time I used the SDM security audit function, which stopped email working properly for the network. The problem was down to 'no ip unreachables' on the vlan1 interface. With that corrected after help from certforums I thought it'd be a cinch to get the VPN sorted again, but that's not been the case. I've been round and round with the config, but can't get it working. I can connect the Client, but there is no response when I try to open a data folder inside the LAN. I can, however, get at the router over the established VPN using telnet and https, so those particular ACLs involved with that bit seem right. My initial guess is routing, but perhaps there's more to it than that; maybe an ACL isn't right. If someone can proffer some ideas I'd be very grateful, as I'd love to get this working asap: I'm off for shoulder surgery next week and want this loose end tied off.
    Config follows; many thanks in advance. Nathan.

    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    service sequence-numbers
    no service dhcp
    !
    hostname WRS
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 10240 debugging
    logging console critical
    enable secret 5 $1$BFYi$AmW.97vm6u15Yba4izjoG.
    !
    aaa new-model
    !
    !
    aaa authentication login local_authen local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    aaa authorization network sdm_vpn_group_ml_3 local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone London 0
    no ip source-route
    !
    !
    ip cef
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip inspect name DEFAULT100 imap
    ip inspect name firewall pptp
    ip tcp synwait-time 10
    no ip bootp server
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    ip ssh time-out 60
    ip ssh authentication-retries 2
    !
    !
    crypto pki trustpoint TP-self-signed-63753999
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-63753999
    revocation-check none
    rsakeypair TP-self-signed-63753999
    !
    !
    crypto pki certificate chain TP-self-signed-63753999
    certificate self-signed 01
    quit
    username WRS privilege 15 secret
    username Nathan secret 5
    username Julian secret 5
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group 'xxxxxx'
    key 'xxxxxx'
    dns 192.168.200.2
    domain type-it.co.uk
    pool SDM_POOL_1
    acl 100
    max-users 5
    crypto isakmp profile sdm-ike-profile-1
    match identity group NEWVPN
    client authentication list sdm_vpn_xauth_ml_2
    isakmp authorization list sdm_vpn_group_ml_3
    client configuration address respond
    virtual-template 4
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
    set security-association idle-time 300
    set transform-set ESP-3DES-SHA1
    set isakmp-profile sdm-ike-profile-1
    !
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    description $ES_WAN$$FW_OUTSIDE$
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no snmp trap link-status
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template4 type tunnel
    ip unnumbered Dialer0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile SDM_Profile1
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.200.251 255.255.255.0
    ip access-group 102 in
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    interface Dialer0
    description $FW_OUTSIDE$
    ip address negotiated
    ip access-group 101 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1458
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    no ip route-cache
    no ip mroute-cache
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap callin
    ppp chap hostname xxxxx
    ppp chap password 7 xxxxx
    !
    ip local pool SDM_POOL_1 192.168.250.1 192.168.250.15
    ip route 0.0.0.0 0.0.0.0 Dialer0
    ip route 192.168.250.0 255.255.255.0 Vlan1
    !
    ip http server
    ip http access-class 3
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.200.0 0.0.0.255
    access-list 2 remark Where management can be done from
    access-list 2 remark SDM_ACL Category=17
    access-list 2 remark LAN, VPN, Nathan home, Ste home, Ste work
    access-list 2 permit 192.168.200.0 0.0.0.255
    access-list 2 permit 192.168.250.0 0.0.0.255
    access-list 2 permit 90.195.55.0 0.0.0.255
    access-list 2 permit 87.194.146.0 0.0.0.255
    access-list 2 permit 95.195.55.0 0.0.0.255
    access-list 2 permit 212.158.45.0 0.0.0.255
    access-list 3 remark HTTP Access-class list
    access-list 3 remark SDM_ACL Category=1
    access-list 3 permit 192.168.200.0 0.0.0.255
    access-list 3 permit 192.168.250.0 0.0.0.255
    access-list 3 deny any
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit ip 192.168.200.0 0.0.0.255 any
    access-list 101 remark Traffic allowed to enter router from Internet
    access-list 101 permit udp host 208.67.220.220 eq domain any
    access-list 101 permit udp host 208.67.222.222 eq domain any
    access-list 101 permit udp any any eq non500-isakmp
    access-list 101 permit udp any any eq isakmp
    access-list 101 permit esp any any
    access-list 101 permit ahp any any
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit gre any any
    access-list 101 permit tcp host 87.194.146.83 any
    access-list 101 permit tcp host 212.158.45.90 any
    access-list 101 permit tcp host 90.195.55.129 any
    access-list 101 permit tcp host 95.195.55.26 any
    access-list 101 deny ip 0.0.0.0 0.255.255.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip 169.254.0.0 0.0.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.0.2.0 0.0.0.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 198.18.0.0 0.1.255.255 any
    access-list 101 deny ip 224.0.0.0 0.15.255.255 any
    access-list 101 deny ip any host 255.255.255.255
    access-list 101 deny icmp any any echo
    access-list 101 deny ip any any log
    access-list 102 remark Traffic allowed to enter router from ethernet
    access-list 102 remark SDM_ACL Category=17
    access-list 102 permit ip 192.168.200.0 0.0.0.255 any
    access-list 102 permit ip 192.168.250.0 0.0.0.255 192.168.200.0 0.0.0.255
    access-list 102 permit ip any host 192.168.200.251
    access-list 102 permit ip any host 255.255.255.255
    access-list 102 deny ip any any log
    dialer-list 1 protocol ip permit
    no cdp run
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    login authentication local_authen
    no modem enable
    transport output telnet
    line aux 0
    login authentication local_authen
    transport output telnet
    line vty 0 4
    access-class 2 in
    login authentication local_authen
    transport input telnet ssh
    transport output none
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
     
    Certifications: Way old MCSE 2000
  2. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    Thought of some more info to add to the above post:
    When the Easy VPN Client connects and receives a VPN IP address from the router it's from the 192.168.250.0 network (as indicated by the config above). The VPN adapter has a gateway address which is the same as its IP address, and with the VPN connected the normal wireless adapter appears to lose its gateway. That struck me as odd, but I'm not convinced I actually know any better!
    With the VPN connected and with an adapter IP of 192.168.250.9, say, I can't ping internal resources on the 192.168.200.0 network and I can't 'net view' the shares on the 192.168.200.2 file server, but the split tunnel does at least allow me to browse Internet pages with the VPN connected.
    Not really sure what to do from here to troubleshoot it.
    I've removed the no ip unreachables from Dialer0, as a stab in the dark after my previous problem, but that didn't help.
    Are there maybe some other 'no' statements in the config that are causing the problem?
     
    Certifications: Way old MCSE 2000
  3. Spice_Weasel

    Spice_Weasel Kilobyte Poster

    First thing, I would suggest exempting traffic destined to the vpn clients from nat. To do this you will need to change your nat config a bit, e.g.:

    no ip nat inside source list 1 interface Dialer0 overload
    ! do not translate LAN -> VPN pool traffic; translate everything else leaving the LAN
    access-list 150 deny ip 192.168.200.0 0.0.0.255 192.168.250.0 0.0.0.255
    access-list 150 permit ip 192.168.200.0 0.0.0.255 any
    ip nat inside source list 150 interface Dialer0 overload

    Also, I would try removing the route to the vpn client pool:

    no ip route 192.168.250.0 255.255.255.0 Vlan1


    Spice_Weasel
     
    Certifications: CCNA, CCNP, CCIP, JNCIA-ER, JNCIS-ER,MCP
    WIP: CCIE
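To show why the NAT exemption matters, here is an added example (mine, not Spice_Weasel's or Cisco's code): a small Python checker that evaluates the `ip nat inside source list` ACL first-match style for a reply from the file server (assumed to be 192.168.200.2) to the first VPN pool address, before and after the exemption. The config excerpts are constructed from the posted config, and only `any` and address/wildcard entries are parsed.

```python
import ipaddress
import re
# Constructed excerpt of the NAT-related lines from the config posted above (not a live device):
# BEFORE is the original, AFTER is the same with Spice_Weasel's NAT exemption for the VPN client pool.
BEFORE = """ip local pool SDM_POOL_1 192.168.250.1 192.168.250.15
ip nat inside source list 1 interface Dialer0 overload
access-list 1 permit 192.168.200.0 0.0.0.255
"""
AFTER = """ip local pool SDM_POOL_1 192.168.250.1 192.168.250.15
ip nat inside source list 150 interface Dialer0 overload
access-list 150 deny ip 192.168.200.0 0.0.0.255 192.168.250.0 0.0.0.255
access-list 150 permit ip 192.168.200.0 0.0.0.255 any
"""
ANY = ipaddress.IPv4Network("0.0.0.0/0")

def parse_addr(tokens):
    """Consume one IOS address spec ('any' or 'ADDRESS WILDCARD'); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1]))          # wildcard bits are the inverted mask
    return ipaddress.IPv4Network(f"{tokens[0]}/{ipaddress.IPv4Address(mask)}", strict=False), tokens[2:]

def parse_acl(config, number):
    """Ordered (action, src, dst) entries of a numbered ACL; a standard ACL matches on source only."""
    entries = []
    for line in config.splitlines():
        t = line.split()
        if t[:2] != ["access-list", str(number)] or len(t) < 4 or t[2] not in ("permit", "deny"):
            continue
        if t[3] == "ip":                            # extended ACL: protocol, source, destination
            src, rest = parse_addr(t[4:])
            dst, _ = parse_addr(rest)
        else:                                       # standard ACL: source only, any destination
            src, dst = parse_addr(t[3:])[0], ANY
        entries.append((t[2], src, dst))
    return entries

def nat_translates(config, src_ip, dst_ip):
    """First-match evaluation of the 'ip nat inside source list' ACL; no match means no translation."""
    m = re.search(r"^ip nat inside source list (\d+)", config, re.M)
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, s, d in (parse_acl(config, m.group(1)) if m else []):
        if src in s and dst in d:
            return action == "permit"
    return False

def vpn_pool_exempt(config, lan_host="192.168.200.2"):
    """True when a reply from the file server (assumed 192.168.200.2) to the first pool address escapes NAT."""
    pool_start = re.search(r"^ip local pool \S+ (\S+)", config, re.M).group(1)
    return not nat_translates(config, lan_host, pool_start)
```

With the original list 1, server replies to a VPN client are translated to the Dialer0 address and never reach the client; with list 150 they are exempt while ordinary Internet traffic is still overloaded.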
  4. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    Thanks Spice Weasel, I tried the suggestions but they only served to stop internet traffic for the network.
    What I have since noticed, though, is that with the existing config, once the VPN is created, I can actually access my own machine (I hadn't tried this earlier because I was concerned only with getting to the server) and RDP to it, get to the shares; basically it works. I wish I'd tried my own machine earlier, but here's the rub: my PC is addressed by DHCP (very simple DHCP from the server I'm currently failing to access) but the server is static and I can't get to it.

    I tested this idea further and revealed that I can get to all the dhcp assigned computers, but not the static ones, yet both sorts use the same gateway (the cisco 857) and the same dns (a very simple dns on the server I'm trying to access.)

    I have since put the local domain into the NEWVPN crypto group, but that didn't help. I also removed a bunch of statements from the router that the SDM security audit threw at it, such as no ip proxy-arp on the di0 interface. But it still won't let me access the server.

    Does anyone know if there's something in Cisco setups that differentiates between static and dhcp addressing with respect to vpn access?
     
    Certifications: Way old MCSE 2000
  5. NathanNeedsHelp

    NathanNeedsHelp Bit Poster

    After all the trauma this has caused, trying every little change in the Cisco config, I happened to do a route print on the DNS server in the office and what I saw made me ***** an eyebrow. There was a persistent active route that was directing VPN traffic (192.168.250.0) to a gateway that didn't exist! I don't recall ever putting a persistent route on the DNS server, I've never needed to, so I've no idea what it was doing there or how it got there. Very weird. But sure enough, once it was deleted I could get traffic from the office LAN to anywhere. It wasn't even anything to do with 'allow-local-lan' in the router config, or 'Allow Local LAN access' in the Transport tab of Easy VPN Client. Nothing to do with WINS, nothing to do with DHCP server,
    I hope that helps someone else look at this thread, see a VPN config that works, and then check that they don't have a persistent route throwing a spanner in the works.
     
    Certifications: Way old MCSE 2000
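As an added example (not from the thread), here is a Python check for the condition Nathan found: it parses Windows `route print` output and flags persistent routes that cover the VPN pool but send it anywhere other than the default gateway (the router terminating the VPN). The route table is constructed to mirror the symptom; the bogus next hop 192.168.200.250 is an assumed value.

```python
import ipaddress
# Constructed 'route print' excerpt modelled on the symptom described above (not output from the poster's
# server): the VPN pool is pinned by a persistent route to an assumed, nonexistent next hop 192.168.200.250.
ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0  192.168.200.251  192.168.200.2     10
    192.168.200.0    255.255.255.0          On-link  192.168.200.2    266
    192.168.250.0    255.255.255.0  192.168.200.250  192.168.200.2     11
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
    192.168.250.0    255.255.255.0  192.168.200.250       1
===========================================================================
"""
# The same table after the persistent route has been deleted on the server.
ROUTE_PRINT_AFTER = ROUTE_PRINT.split("Persistent Routes:")[0] + "Persistent Routes:\n  None\n"

def _ip(s):
    try:
        return ipaddress.IPv4Address(s)
    except ValueError:
        return None

def parse_routes(text, section):
    """(network, next hop) pairs from one section ('Active Routes:' or 'Persistent Routes:')."""
    routes, inside = [], False
    for line in text.splitlines():
        if line.strip() == section:
            inside = True
            continue
        if inside and line.startswith("====="):
            break
        t = line.split()
        if inside and len(t) >= 3 and None not in (_ip(t[0]), _ip(t[1])):
            routes.append((ipaddress.IPv4Network(f"{t[0]}/{t[1]}", strict=False), t[2]))
    return routes

def default_gateway(text):
    """Next hop of the 0.0.0.0/0 route, i.e. the router that terminates the VPN."""
    return next((hop for net, hop in parse_routes(text, "Active Routes:") if net.prefixlen == 0), None)

def stray_persistent_routes(text, vpn_pool="192.168.250.0/24"):
    """Persistent routes that cover the VPN pool but send it anywhere other than the default gateway."""
    pool, gw = ipaddress.IPv4Network(vpn_pool), default_gateway(text)
    return [(str(net), hop) for net, hop in parse_routes(text, "Persistent Routes:")
            if net.overlaps(pool) and hop != gw]
```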
