  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 881
Cisco VPN Client to 837 ADSL Modem

Having lots of fun with VPNs at the moment, and this one is another that I 'thought' I'd gotten right but obviously not.

This is a remote VPN Client connection to an 837 with PLUS and Hardware Accelerator plus Static IP.  Cisco VPN client connects just fine.  Am able to connect to the VPN and ping internal hosts, but am unable to connect to internal services (RDP/PC Anywhere etc).  Would appreciate any help, have run completely out of ideas.

Ignore the static nats, they're just to cover while I get this VPN going.

version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname somehost
!
logging buffered 4096 debugging
enable secret 5 **********************
!
username somehost password 7 ******************
username someadmin password 7 ********************
clock timezone NZST 12
clock summer-time NZDT recurring 1 Sun Oct 2:00 3 Sun Mar 3:00
aaa new-model
!
!
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.0.1
!
ip inspect name Dialer_0 tcp
ip inspect name Dialer_0 udp
ip inspect name Dialer_0 cuseeme
ip inspect name Dialer_0 ftp
ip inspect name Dialer_0 h323
ip inspect name Dialer_0 rcmd
ip inspect name Dialer_0 realaudio
ip inspect name Dialer_0 streamworks
ip inspect name Dialer_0 vdolive
ip inspect name Dialer_0 sqlnet
ip inspect name Dialer_0 tftp
ip audit notify log
ip audit po max-events 100
ip ssh break-string
no ftp-server write-enable
!
!        
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group somehost
 key somekey
 dns 202.27.184.3 202.27.184.5
 domain somehost.co.nz
 pool somepool
 acl 120
!
!
crypto ipsec transform-set MySet esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set MySet
!
!
crypto map VPNmap client authentication list userlist
crypto map VPNmap isakmp authorization list grouplist
crypto map VPNmap client configuration address respond
crypto map VPNmap 20 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0 secondary
 ip address 192.168.0.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 dsl power-cutback 0
!        
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface Dialer0
 bandwidth 640
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 ip nat outside
 ip inspect Dialer_0 out
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username metal.auck.xadsl@xtra.co.nz password 7 010709005A125F56
 ppp ipcp dns request
 crypto map VPNmap
!
ip local pool somepool 192.168.10.1 192.168.10.254
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 5631 interface Dialer0 5631
ip nat inside source static tcp 192.168.0.3 5632 interface Dialer0 5632
ip nat inside source static tcp 192.168.0.150 8234 interface Dialer0 8234
ip nat inside source static tcp 192.168.0.150 8235 interface Dialer0 8235
ip nat inside source static tcp 192.168.0.150 8236 interface Dialer0 8236
ip nat inside source static tcp 192.168.0.150 8237 interface Dialer0 8237
ip nat inside source static tcp 192.168.0.150 8238 interface Dialer0 8238
ip nat inside source static tcp 192.168.0.150 8239 interface Dialer0 8239
ip nat inside source static tcp 192.168.0.4 5641 interface Dialer0 5641
ip nat inside source static tcp 192.168.0.4 5642 interface Dialer0 5642
ip nat inside source static tcp 192.168.0.3 3389 interface Dialer0 8839
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
no ip http secure-server
!
access-list 1 remark The Local Lan
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 2 permit 192.168.0.0 0.0.0.255
access-list 2 permit 192.168.10.0 0.0.0.255
access-list 3 remark Traffic not to check for intrusion detection.
access-list 3 deny   192.168.10.0 0.0.0.255
access-list 3 permit any
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip any host 255.255.255.255
access-list 101 permit icmp any any unreachable
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any traceroute
access-list 101 permit icmp any any administratively-prohibited
access-list 101 permit icmp any any echo
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any range 5631 5632
access-list 101 permit tcp any any range 5641 5642
access-list 101 permit tcp any any range 8234 8239
access-list 101 permit tcp any any eq 8839
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit tcp any any eq 22
access-list 101 deny   ip any any log
access-list 102 remark Traffic allowed to enter the router from the Ethernet
access-list 102 deny   udp any any eq tftp
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip any host 10.10.10.1
access-list 102 permit ip any host 192.168.0.1
access-list 102 permit ip any host 255.255.255.255
access-list 102 permit esp any any
access-list 102 permit ahp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 105 deny   ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 120 permit ip 192.168.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
 stopbits 1
line vty 0 4
 access-class 2 in
 exec-timeout 120 0
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end
0
3 Solutions
 
magicommincCommented:
I see you are giving IP 192.168.10.0/24 to remote access VPN users. What is the default GW of those servers? Do you have a route on those servers that remote users try to access to 192.168.10.0?
If the Cisco 837 is doing ARP proxy, you may have one-way communication. Can those servers at your internal LAN (10.10.10.0 and 192.168.0.0) ping any remote VPN PC?
0
 
DoogienzAuthor Commented:
AFAIK you don't set any gateway for the VPN clients.  That's covered by the default ip route command... here are the options for the isakmp-config-group:

ISAKMP group policy config commands:
  access-restrict    Restrict clients in this group to an interface
  acl                Specify split tunneling inclusion access-list number
  dns                Specify DNS Addresses
  domain             Set default domain name to send to client
  exit               Exit from ISAKMP client group policy configuration mode
  firewall           Enforce group firewall feature
  group-lock         Enforce group lock feature
  include-local-lan  Enable Local LAN Access with no split tunnel
  key                pre-shared key/IKE password
  no                 Negate a command or set its defaults
  pool               Set name of address pool
  save-password      Allows remote client to save XAUTH password
  wins               Specify WINS Addresses

So no gateway option within that.      I've been through the config with a fine-tooth comb, and my major failing is lack of debugging skills.. I'm pretty good with IPSEC debugging but nothing else :)
0
 
magicommincCommented:
I mean the default gateway for those internal servers? Do they know how to get to 192.168.10.0?
0
 
DoogienzAuthor Commented:
To answer your query.. all machines have 192.168.0.1 as their gateway (eth0 on the 837).   A user on the LAN is able to ping a user on the VPN from the machine the user is trying to connect to.  So they can ping each other, but the VPN user can't connect to RDP or PC Anywhere on any machine internally.

We've verified that there are no firewalls installed on the PCs and, as from the access-list and static map, we are able to connect to the machine via a port mapping to RDP etc.

0
 
lrmooreCommented:
Try this:

no ip nat inside source list 105 interface Dialer0 overload

access-list 103 deny ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 10.10.10.0 0.0.0.255 any
access-list 103 permit ip 192.168.0.0 0.0.0.255 any

route-map nonatvpn permit 10
 match ip address 103

ip nat inside source route-map nonatvpn interface Dialer0 overload
0
 
DoogienzAuthor Commented:
Okay tried that and same result.. can ping all hosts, but can't connect to any services on any of the boxes.  The VPN client is showing packets being encrypted and decrypted and Transparent Tunneling is happening over port 4500.

About this time I'm going to stand on my head to look at the solution :D
0
 
plemieux72Commented:
What VPN Client version are you using?  Try a different one if possible.

In access-list 101, remove the last line:
access-list 101 deny   ip any any log

At one point, I had one of these in 12.3(7)T-something and it was buggy and would not work unless I removed it.  Just see if taking it out makes a difference.  Your config looks good at first glance.
0
 
DoogienzAuthor Commented:
Thanks for the suggestion, no go unfortunately.  I always thought that the deny was implicit even if you didn't put it, it's just I'm logging the deny in this case.  My question is where should I be debugging on this now..
0
 
plemieux72Commented:
Right, it's implicit unless you are logging.  

Another bug I've heard of when using the VPN client is with SHA.  Try MD5 instead.  Again, not that your config is wrong... just for troubleshooting purposes.

0
 
lrmooreCommented:
For troubleshooting, start by removing the access-group from the LAN interface to rule it out
Next, start debug crypto ipsec
0
 
DoogienzAuthor Commented:
I've found the issue finally.  I'd like to thank everyone for the tips, it upgraded my knowledge something chronic.  

These lines:

ip nat inside source static tcp 192.168.0.3 5631 interface Dialer0 5631
ip nat inside source static tcp 192.168.0.3 5632 interface Dialer0 5632
ip nat inside source static tcp 192.168.0.4 5641 interface Dialer0 5641
ip nat inside source static tcp 192.168.0.4 5642 interface Dialer0 5642
ip nat inside source static tcp 192.168.0.3 3389 interface Dialer0 8839

were screwing it up. I can only surmise that because the local ports were the same as the ports being connected to via the VPN, it was screwing it up somehow.. for instance RDP on 3389 internally... so that port was probably being funneled out the static translation.

Again thank you all.  
0
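The behaviour worked out in the thread (ping fine, TCP services dead until the static PAT entries were removed, and lrmoore's route-map exemption alone not curing it) can be modelled in a few lines. This is an added toy model, not the poster's config or Cisco IOS code; it assumes the ordering the thread concludes (a static entry is matched first and keys only on the inside host and local port, ahead of the route-map exemption) and uses constructed values for the Dialer0 address (203.0.113.5), the client's pool address (192.168.10.7) and its source port.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

DIALER0_IP = "203.0.113.5"                # constructed stand-in for the negotiated WAN address
LAN = ip_network("192.168.0.0/24")        # interface Ethernet0, ip nat inside
VPN_POOL = ip_network("192.168.10.0/24")  # ip local pool somepool

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp" or "icmp"
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None

# (inside local address, local TCP port) -> port on Dialer0, taken from the posted config
STATIC_PAT: Dict[Tuple[str, int], int] = {
    ("192.168.0.3", 5631): 5631, ("192.168.0.3", 5632): 5632,
    ("192.168.0.3", 3389): 8839, ("192.168.0.4", 5641): 5641,
}

def nat_exempt(pkt: Packet) -> bool:
    """The deny line of access-list 105 / route-map nonatvpn: LAN -> VPN pool stays untranslated."""
    return ip_address(pkt.src) in LAN and ip_address(pkt.dst) in VPN_POOL

def inside_to_outside(pkt: Packet, static_pat: Dict[Tuple[str, int], int]) -> Packet:
    """Inside-source NAT as modelled here (assumption): a static entry is checked first and
    keys only on the inside host and local port, so it fires whatever the destination;
    the exemption is reached only by traffic that no static entry claims."""
    key = (pkt.src, pkt.sport)
    if pkt.proto == "tcp" and key in static_pat:
        return Packet("tcp", DIALER0_IP, pkt.dst, static_pat[key], pkt.dport)
    if nat_exempt(pkt):
        return pkt                                   # untouched, so it still matches the IPsec SA
    return Packet(pkt.proto, DIALER0_IP, pkt.dst, pkt.sport, pkt.dport)  # PAT overload

def reply_reaches_vpn_client(reply: Packet, static_pat: Dict[Tuple[str, int], int]) -> bool:
    """A client socket accepts a reply only from the address:port it sent to, and only an
    untranslated LAN source is carried back through the tunnel."""
    out = inside_to_outside(reply, static_pat)
    return out.src == reply.src and out.sport == reply.sport

# Constructed sample replies from 192.168.0.3 to a VPN client holding 192.168.10.7 from the pool
RDP_REPLY = Packet("tcp", "192.168.0.3", "192.168.10.7", 3389, 50123)
PING_REPLY = Packet("icmp", "192.168.0.3", "192.168.10.7")
```

Running the three checks in the test shows the split the poster saw: the ICMP reply is exempted and tunnelled, the RDP SYN-ACK is rewritten to 203.0.113.5:8839 by the static entry and never matches the client's session, and with the static entries gone the same reply passes untouched.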
 
lrmooreCommented:
Good work, Watson.
That was what the route-map and the access-list that denied traffic from local lan to vpn pool subnet was supposed to overcome.
0
