
Official Lammle User Forum


Thread: Small VPN issue

  1. #1
    Join Date
    Jul 2008
    Posts
    211

    Default Small VPN issue

    I have two offices connected by site-to-site IPSec VPN. The main office also permits remote access VPN connection. Everything works fine except for one thing. I want my remote access users to be able to access hosts in the branch office through their link to the main office. Any thoughts on what I need to change to make this work?

    Setting "debug ip packet 2400" and having access-list 2400 capture all source and destination packets from the VPN address pool, I see packets from a remote access VPN host when that host tries to connect to the router directly, but see nothing when the VPN host attempts to connect to a host in the other office.

  2. #2
    Join Date
    Mar 2008
    Posts
    2,888

    Default

    So let me get this right first.

    Users from home go to site A; when in site A, you wish them to go to site B via the VPN from site A to site B?

    Depends on the way this is set up, mate. How do the users at home get into the LAN, and what kind of VPN?
    The way I am seeing this now is:
    Say a user at home comes in and gets a LAN IP of 10.1.1.1 from the pool on the VPN for home users. Your site-to-site VPN is using 192.168.1.0/24 at site A and 192.168.2.0/24; the home user would not be allowed across the VPN from site A to B, as the "interesting range" does not include the 10.x.x.x range, and will get dropped.

    Pop some more info up mate if you can.
    Maddox Thomas-Clark 14/10/2008
    Bean Thomas-Clark 18/09/2007
    Big Evils Cisco World
    Linkedin

  3. #3
    Join Date
    Jul 2008
    Posts
    211

    Default

    Sorry for the delayed response. Exactly right, BE. Remote clients connect fine to site A, but can't communicate with hosts at site B through the site-to-site. The site-to-site itself works fine. I just can't get the packets to turn around and go back through the other tunnel.

    Here's a partial config:

    Code:
    crypto isakmp policy 100
     encr aes
     authentication pre-share
     group 2
    !
    crypto isakmp policy 200
     encr 3des
     hash md5
     authentication pre-share
     group 2
    crypto isakmp key AINTMYKEY address 70.26.12.22 no-xauth
    crypto isakmp keepalive 30 5
    !
    crypto isakmp client configuration group RAVPN
     key Thisisntmyk3y
     dns 192.168.1.5 192.168.1.11
     wins 192.168.1.11
     domain corp.destineerstudios.com
     pool vpnpool
     acl SPLIT_TUNNEL2
     max-users 15
     max-logins 2
     netmask 255.255.252.0
    !
    !
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac 
    crypto ipsec transform-set S2S-Set esp-aes 256 esp-sha-hmac 
    !
    crypto dynamic-map MYDYNMAP 1
     set transform-set ESP-3DES-MD5 
     reverse-route
    !
    !
    crypto map STAT_CMAP client authentication list local_authen
    crypto map STAT_CMAP isakmp authorization list group_author
    crypto map STAT_CMAP client configuration address respond
    crypto map STAT_CMAP 50 ipsec-isakmp 
     set peer 70.26.12.22
     set security-association lifetime seconds 86400
     set transform-set S2S-Set 
     match address S2S_ACL
    crypto map STAT_CMAP 100 ipsec-isakmp dynamic MYDYNMAP 
    !
    interface Loopback0
     ip address 1.1.1.1 255.255.255.252
    !
    interface Null0
     no ip unreachables
    !
    interface FastEthernet0/0
     no ip address
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     load-interval 30
     duplex auto
     speed auto
     no mop enabled
    !
    interface FastEthernet0/0.1
     encapsulation dot1Q 1 native
     ip address 192.168.1.1 255.255.252.0
     ip access-group 101 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
     no cdp enable
     service-policy input MYPOLICEPOLICY
    !
    interface FastEthernet0/0.2
     encapsulation dot1Q 2
     ip address 10.0.0.1 255.255.255.0
     ip access-group 100 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat inside
     ip virtual-reassembly
     no cdp enable
    !
    interface FastEthernet0/1
     description $OutsideInterfaceFastEthernet0/1$$ETH-WAN$
     ip address 7.25.17.237 255.255.255.240
     ip access-group 103 in
     ip verify unicast reverse-path
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip flow ingress
     ip nat outside
     ip inspect SDM_LOW out
     ip virtual-reassembly
     ip tcp adjust-mss 1272
     load-interval 30
     duplex auto
     speed auto
     fair-queue
     no mop enabled
     crypto map STAT_CMAP
    !
    ip local pool vpnpool 192.168.12.1 192.168.12.15
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 7.25.17.238
    !
    ip nat inside source route-map ptmnat interface FastEthernet0/1 overload
    ip nat inside source static tcp 192.168.0.7 2112 7.25.17.232 2112 route-map ptmnat extendable
    !
    !
    ip inspect name SDM_LOW dns
    ip inspect name SDM_LOW h323
    ip inspect name SDM_LOW https
    ip inspect name SDM_LOW icmp
    ip inspect name SDM_LOW imap
    ip inspect name SDM_LOW pop3
    ip inspect name SDM_LOW rcmd
    ip inspect name SDM_LOW realaudio
    ip inspect name SDM_LOW rtsp
    ip inspect name SDM_LOW esmtp
    ip inspect name SDM_LOW tcp 
    ip inspect name SDM_LOW udp
    ip inspect name SDM_LOW ssh
    ip inspect name SDM_LOW ntp
    ip inspect name SDM_LOW ftps
    !
    !
    ip access-list extended S2S_ACL
     permit ip any 192.168.8.0 0.0.0.255
     permit ip any 10.1.1.0 0.0.0.255
    ip access-list extended SPLIT_TUNNEL2
     permit ip 192.168.0.0 0.0.3.255 any
     permit ip 10.0.0.0 0.0.0.255 any
     permit ip 192.168.8.0 0.0.0.255 any
     permit ip 10.1.1.0 0.0.0.255 any
    
    access-list 101 permit tcp 192.168.0.0 0.0.3.255 host 7.25.17.238 eq 7800
    access-list 101 permit ip any 192.168.8.0 0.0.0.255
    access-list 101 permit ip any 192.168.12.0 0.0.0.255
    access-list 101 permit tcp any host 1.2.3.4 range ftp-data pop3
    access-list 101 permit tcp 192.168.0.0 0.0.3.255 host 208.70.134.11
    access-list 101 permit tcp any host 28.7.131.61 eq smtp
    access-list 101 permit tcp any host 28.7.131.61 eq 2500
    access-list 101 permit tcp 192.168.0.0 0.0.3.255 host 208.70.134.10
    access-list 101 permit tcp any host 208.70.128.213 eq smtp
    access-list 101 permit ip 192.168.0.0 0.0.3.255 10.0.0.0 0.0.0.255
    access-list 101 permit tcp any host 66.33.209.154 eq 6781
    access-list 101 permit tcp host 192.168.1.165 any
    access-list 101 permit tcp any host 15.17.235 eq smtp
    access-list 101 permit tcp any host 15.17.173.235 eq pop3
    access-list 101 deny   ip any any
    access-list 101 permit tcp any host 131.131.131.50 eq smtp
    access-list 103 permit udp host 7.25.17.238 eq ntp host 7.25.17.237 eq ntp
    access-list 103 permit udp any host 7.25.17.237 eq non500-isakmp
    access-list 103 permit udp any host 7.25.17.237 eq isakmp
    access-list 103 permit ip 192.168.12.0 0.0.0.15 any
    access-list 103 permit esp any host 7.25.17.237
    access-list 103 permit ahp any host 7.25.17.237
    access-list 103 deny   ip 192.168.4.0 0.0.0.255 any
    access-list 103 deny   ip 192.168.0.0 0.0.3.255 any
    access-list 103 deny   ip 10.0.0.0 0.0.0.255 any
    access-list 103 permit udp host 128.101.101.101 eq ntp host 7.25.17.237 eq ntp
    access-list 103 permit icmp any host 7.25.17.237 echo-reply
    access-list 103 permit icmp any host 7.25.17.237 time-exceeded
    access-list 103 permit icmp any host 7.25.17.237 unreachable
    access-list 103 permit tcp any host 7.25.17.232 eq 2112
    access-list 103 deny   ip any any log
    access-list 199 deny   ip 192.168.0.0 0.0.3.255 192.168.8.0 0.0.0.255
    access-list 199 deny   ip 192.168.0.0 0.0.3.255 10.1.1.0 0.0.0.255
    access-list 199 deny   ip 192.168.12.0 0.0.0.255 192.168.8.0 0.0.0.255
    access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
    access-list 199 deny   ip 10.0.0.0 0.0.0.255 192.168.8.0 0.0.0.255
    access-list 199 deny   ip 192.168.0.0 0.0.255.255 192.168.12.0 0.0.0.255
    access-list 199 deny   ip 10.0.0.0 0.0.0.255 192.168.12.0 0.0.0.255
    access-list 199 permit ip 192.168.0.0 0.0.3.255 any
    access-list 199 permit ip 192.168.12.0 0.0.0.255 any
    access-list 199 permit ip 10.0.0.0 0.0.0.255 any
    
    route-map ptmnat permit 10
     match ip address 199
    !
    !
    !
    end

  4. #4
    Join Date
    Mar 2008
    Posts
    2,888

    Default

    I think you will have to add the IP pool you have given the remote users (192.168.12.1 - 15) to the statement below.

    Code:
    ip access-list extended S2S_ACL
     permit ip any 192.168.8.0 0.0.0.255
     permit ip any 10.1.1.0 0.0.0.255
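    An added example, not code from the thread or from either poster: a small Python evaluator that applies IOS first-match, wildcard-mask semantics to the `permit`/`deny ip` entries posted in #3, so you can see which line a flow from the remote-access pool hits in the crypto ACL S2S_ACL, the split-tunnel ACL SPLIT_TUNNEL2, and ACL 199 behind the NAT route-map. The three ACLs are copied from the config above; the client address 192.168.12.5 and the two site B hosts are constructed. The assumption that an IOS EzVPN split-tunnel ACL names the protected networks as the source is marked in a comment. What the checker reports is worth noting alongside the crypto-ACL suggestion: the pool going to 192.168.8.0/24 is exempted from NAT by the third `deny` in ACL 199, but the same pool going to 10.1.1.0/24 falls through to `permit ip 192.168.12.0 0.0.0.255 any` and would be translated.

```python
"""Evaluate IOS-style 'ip' ACL entries with first-match, wildcard-mask semantics.

Added example for the thread; it models only 'permit|deny ip <src> <dst>' entries
(any / host A / A wildcard). TCP/UDP entries with ports are skipped.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

Spec = Tuple[int, int]  # (network as int, wildcard as int; 1 bits = don't care)


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: Spec
    dst: Spec
    text: str    # normalised original line, reported back on a match


def _parse_spec(tokens: List[str], i: int) -> Tuple[Spec, int]:
    """Consume one address spec at tokens[i]; return the spec and the next index."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2


def parse_acl(text: str) -> List[Ace]:
    """Accept named-ACL lines ('permit ip ...') and numbered ones ('access-list N permit ip ...')."""
    aces: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens and tokens[0] == "access-list":
            tokens = tokens[2:]
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # header, blank line, or a tcp/udp entry we do not model
        src, i = _parse_spec(tokens, 2)
        dst, _ = _parse_spec(tokens, i)
        aces.append(Ace(tokens[0], src, dst, " ".join(tokens)))
    return aces


def _hit(addr: int, spec: Spec) -> bool:
    net, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF  # the wildcard's 0 bits are the ones that must match
    return (addr & care) == (net & care)


def evaluate(aces: List[Ace], src: str, dst: str) -> Tuple[str, Optional[str]]:
    """Return (action, matched line); ("deny", None) is the implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if _hit(s, ace.src) and _hit(d, ace.dst):
            return ace.action, ace.text
    return "deny", None


# ACLs copied from the configuration posted in #3.
S2S_ACL = """
ip access-list extended S2S_ACL
 permit ip any 192.168.8.0 0.0.0.255
 permit ip any 10.1.1.0 0.0.0.255
"""
SPLIT_TUNNEL2 = """
 permit ip 192.168.0.0 0.0.3.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 192.168.8.0 0.0.0.255 any
 permit ip 10.1.1.0 0.0.0.255 any
"""
NAT_ACL_199 = """
access-list 199 deny   ip 192.168.0.0 0.0.3.255 192.168.8.0 0.0.0.255
access-list 199 deny   ip 192.168.0.0 0.0.3.255 10.1.1.0 0.0.0.255
access-list 199 deny   ip 192.168.12.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 199 deny   ip 192.168.0.0 0.0.255.255 192.168.12.0 0.0.0.255
access-list 199 deny   ip 10.0.0.0 0.0.0.255 192.168.12.0 0.0.0.255
access-list 199 permit ip 192.168.0.0 0.0.3.255 any
access-list 199 permit ip 192.168.12.0 0.0.0.255 any
access-list 199 permit ip 10.0.0.0 0.0.0.255 any
"""


def vpn_client_path(client_ip: str, target_ip: str) -> dict:
    """Report which entry a flow from a remote-access client to a site B host hits in each ACL."""
    crypto = evaluate(parse_acl(S2S_ACL), client_ip, target_ip)
    # Assumption: an IOS EzVPN split-tunnel ACL lists the protected networks as the
    # *source*, so the target network is matched against the source field.
    split = evaluate(parse_acl(SPLIT_TUNNEL2), target_ip, client_ip)
    nat = evaluate(parse_acl(NAT_ACL_199), client_ip, target_ip)
    return {
        "crypto_match": crypto[0] == "permit",  # would be encrypted into the site-to-site tunnel
        "crypto_line": crypto[1],
        "split_tunnel": split[0] == "permit",   # client sends this destination through the tunnel
        "split_line": split[1],
        "nat_exempt": nat[0] == "deny",         # deny in ACL 199 => route-map misses => no NAT
        "nat_line": nat[1],
    }


if __name__ == "__main__":
    for target in ("192.168.8.10", "10.1.1.10"):  # constructed site B hosts
        for key, value in vpn_client_path("192.168.12.5", target).items():
            print(f"192.168.12.5 -> {target}: {key} = {value}")
```

    Run it as-is to print the three verdicts for each target; to check another flow, call `vpn_client_path()` with the source and destination you are debugging. Only `ip` entries are modelled, so the port-specific lines in ACLs 101 and 103 are deliberately ignored.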

  5. #5
    Join Date
    Jul 2008
    Posts
    211

    Default

    Thanks BE. Already tried that. No dice.

  6. #6
    Join Date
    Mar 2008
    Posts
    2,888

    Default

    Odd. What does a debug show you? Where are the packets being dropped?

  7. #7
    Join Date
    Jul 2008
    Posts
    211

    Default

    The NAT deny ACL increments with each packet sent.

    debug ip routing <acl> shows packets sent from remote VPN client "routed via RIB"

    debug ip packet <acl> shows nothing. There should be a "sent" message.

    I think this has to do with something like the "same-security-traffic permit intra-interface" command that you have to include on an ASA to allow the traffic to hairpin back into the interface that it just came out of. Found an interesting article for IOS on getting this to work. I'll try it and post findings.

    Here's the article if anyone's interested:

    http://www.cisco.com/en/US/customer/...d803645b5.html

  8. #8
    Join Date
    Mar 2008
    Posts
    2,888

    Default

    Sounds like something I did a while back..

    http://bigevilsciscoworld.wordpress....-state-bypass/

  9. #9
    Join Date
    Jul 2008
    Posts
    211

    Default

    OK. It was probably an ACL that I cleaned up a few days ago. I got rid of some unnecessary static routes that I had put in after I got frustrated, and everything works. Basically, on router A, I had:

    ip route <site B address> 255.255.255.0 fa 0/1

    And on site B's router, I had:

    ip route <VPN addr pool> 255.255.255.0 fa 0/1

    The minute these were gone, everything worked. Pass the CR, please!

    Thanks for your help, Evil. The TCP state bypass article was interesting anyway!

  10. #10
    Join Date
    Mar 2008
    Posts
    2,888

    Default

    Well done GH.
