Cisco Easy VPN 877-M cannot access NAT network

Asked by rweatherley in IPSec Security Protocol, Virtual Private Networking (VPN), Network Routers

Tags: Cisco, Router, 877-M, Easy VPN IOS IPSec NAT

I have a Cisco 877-M with IOS 12.4(11)XJ3, Advanced IP Services and 28MB flash. I have set up the router as an Easy VPN Server. The client is Cisco VPN Client 4.9.0.1 (0030). The router has a static IP facing the Internet and a PAT subnet. Cisco VPN client can connect from the Internet but cannot ping or access any services in the PAT network (10.1.1.0/24). I have read dozens of examples from Cisco, this site and many other places. I have tried "old style" crypto maps and newer VTI/Loopback configurations. The VPN client shows a secured route to 10.1.1.0. Packets to 10.1.1.0 are clearly going through the tunnel but are not returning. The VPN client indicates that transparent tunneling is inactive.

I use the same VPN client to access other external VPNs with no problem. I have tried a different VPN client with the same results.

The obfuscated config is attached. Any help gratefully received.

Thanks
Richard
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router-0-1-1-10
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 65535
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
!
aaa session-id common
clock timezone Sydney 10
clock summer-time Sydney date Mar 30 2003 3:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.32
!
ip dhcp pool vlan5
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1 
   dns-server 1.2.3.4 2.3.4.5
   domain-name xxx
   lease 30
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name galexia.com
ip name-server 1.2.3.4
ip name-server 2.3.4.5
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect tcp finwait-time 10
ip inspect tcp synwait-time 60
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp router-traffic
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-518333447
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-518333447
 revocation-check none
 rsakeypair TP-self-signed-518333447
!
!
crypto pki certificate chain TP-self-signed-518333447
 certificate self-signed 01
...
  quit
!
!
username admin privilege 15 view SDM_Administrator password 7 xxx
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp keepalive 60 10
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group staff
 key 6 xxx
 pool SDM_POOL_1
 acl 100
crypto isakmp profile sdm-ike-profile-1
   match identity group staff
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 86400
 set transform-set ESP-AES256-SHA 
 set isakmp-profile sdm-ike-profile-1
!
interface Loopback0
 description Loop0 to provide unnumbered addressing to VPN$FW_INSIDE$  
 ip address 10.1.2.1 255.255.255.0
 ip access-group 115 in
!
interface Null0
 no ip unreachables
!
interface ATM0
 description --- ADSL ---
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 8/35 
  tx-ring-limit 3
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto 
!
interface FastEthernet0
 switchport access vlan 5
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 ip access-group 115 in
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
! NAT network
interface Vlan5
 description Internal NAT LAN$FW_INSIDE$
 ip address 10.1.1.1 255.255.255.0
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
! Obfuscated static Internet address 3.4.5.6
interface Dialer0
 description --- ADSL ---$FW_OUTSIDE$
 ip address negotiated
 ip access-group 115 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp chap hostname xxx
 ppp chap password 7 xxx
!
ip local pool SDM_POOL_1 10.1.3.1 10.1.3.254
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip flow-top-talkers
 top 25
 sort-by bytes
!
no ip http server
ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
!
logging 10.1.1.4
access-list 20 permit 10.1.1.0 0.0.0.255
access-list 20 deny   any log
! Set VPN route to 10.1.1.0 (crypto isakmp client configuration group staff)
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
! Block VPN traffic from being NATted
access-list 102 deny   ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
! For testing purposes let everything through
access-list 115 permit ip any any
no cdp run
!
route-map nonat permit 10
 match ip address 102
!
control-plane
!
line con 0
 no modem enable
 terminal-type vt100
 length 25
 stopbits 1
line aux 0
line vty 0 4
 access-class 20 in
 transport input ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
sntp server 1.2.3.4
end
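As an added example (not part of the question or the accepted solution), this Python checker models the first-match, wildcard-mask semantics of the posted ACLs and the `ip nat inside source route-map nonat` decision, to confirm that return traffic from 10.1.1.0/24 to the SDM_POOL_1 addresses is exempt from PAT on Dialer0; the Internet destination 203.0.113.9 and the deliberately broken variant used in testing are constructed.

```python
# Added example, not from the question or the accepted solution: model the posted
# ACLs and the route-map NAT decision for Easy VPN return traffic to SDM_POOL_1.
import ipaddress

# ACL lines copied from the posted config: 100 is the split-tunnel list, 102 feeds route-map nonat.
CONFIG = """
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 deny   ip 10.1.1.0 0.0.0.255 10.1.3.0 0.0.0.255
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
"""

def _parse_addr(tokens):
    """Consume 'any' or 'A.B.C.D WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    # IOS wildcard: set bits are "don't care"; invert to a netmask (contiguous only).
    netmask = ipaddress.IPv4Address(~int(ipaddress.IPv4Address(tokens[1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    for line in config.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only extended 'permit|deny ip SRC DST' entries are modelled
        src, rest = _parse_addr(tok[4:])
        dst, _ = _parse_addr(rest)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def acl_permits(entries, src, dst):
    """First matching entry decides; IOS ends every ACL with an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def pool_leaks(acls, split_acl="100", nat_acl="102", pool=("10.1.3.1", "10.1.3.254")):
    """(protected_net, pool_ip) pairs whose return traffic would be PATted.
    Route-map NAT translates only the flows the matched ACL permits."""
    leaks = []
    for action, protected, _ in acls[split_acl]:  # split-tunnel source networks
        host = str(protected.network_address + 1)  # first usable LAN host
        for client in pool:  # both ends of the VPN address pool
            if action == "permit" and acl_permits(acls[nat_acl], host, client):
                leaks.append((str(protected), client))
    return leaks
```

An empty result from `pool_leaks` means the NAT exemption covers every network the split-tunnel ACL pushes to clients, so a missing return path has to be looked for elsewhere (routing to the pool, CBAC inspection on Dialer0) rather than in the route-map.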
Accepted Solution (05/01/08 01:21 AM, ID: 21477096)

Solution Provided By: markgrinceri
Participating Experts: 1
Solution Grade: A