• Status: Solved
  • Priority: Medium
  • Security: Public

Outbound Cisco VPNClient Blocked by Cisco 837 when Site to Site VPN Active

I am using Cisco VPNClient to connect to a remote site through my Cisco 837 ADSL router. This works fine until I configure a Site to Site VPN tunnel which terminates on the router. As soon as I apply the crypto map to the Dialer interface the VPNClient stops working.

The router uses NAT and has a single, fixed IP address from the ISP.

Is it possible to run the two VPNs together?
Asked by inscribble82
1 Solution
 
neoponder commented:
If you only have one IP, I don't think so. You are telling the router to encrypt everything outbound and send it over the tunnel. When you bring up your VPN client software it tries to tunnel that as well (tunnel in a tunnel). You might be able to specify in your access list interesting traffic based only on the networks you wish to lan2lan; I'm not very familiar with the DSL router you are using.

 
jhilving commented:
You might be having a problem due to the VPN policies. I've done plenty of tunnels, and tunnels inside tunnels, etc. in the past, but it seems to me what you are going to do is make the VPN server think a VPN user is trying to VPN again.

So your router does a VPN tunnel, which gives you a “public” IP out of the VPN pool space…being a public Pool or NAT, heck or both. Then, you initiate another VPN session from the PC, but the source would be an IP out of the pool from which the VPN server will assign you. It sort of looks like a spoofed packet attempt from a firewall stance.

I am sure there are ways around this but I am not seeing the benefit.

-James
 
lrmoore commented:
What version IOS on the 837? You might need to upgrade to one that supports nat transparency..
 
inscribble82 (Author) commented:
The IOS is version 12.3(4)T7. I don't think it can be NAT transparency because the VPN Client works until you enable the Site to Site.

Would it help if I posted the config?
 
lrmoore commented:
I'll be happy to take a look at your config with site-site enabled, client not working...
 
inscribble82 (Author) commented:
My network address is 192.168.4.0. There is a vpn tunnel to 192.168.58.0.
With line:
    crypto map SDM_CMAP_1
present in the di0 interface the site to site tunnel works but a VPNClient on my network cannot connect to any site.
With the crypto map line out, the tunnel obviously doesn't work but the VPNClient does work.

I've tried removing the Inspect rule and the incoming access-list but that doesn't seem to help.

Config follows:

version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 0 <password>
!
username administrator privilege 15 secret 0 <password>
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name hotfix-ltd.co.uk
ip name-server 158.43.128.1
ip dhcp excluded-address 192.168.4.1 192.168.4.239
ip dhcp excluded-address 192.168.4.249 192.168.4.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.4.0 255.255.255.0
   dns-server 158.43.128.1
   default-router 192.168.4.254
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key shared.key address 80.71.217.49
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to80.71.217.49
 set peer 80.71.217.49
 set transform-set SDM_TRANSFORMSET_1
 match address 104
!
!
!
!
interface Tunnel0
 ip unnumbered Dialer0
 ip mtu 1420
 tunnel source Dialer0
 tunnel destination 80.71.217.49
 tunnel path-mtu-discovery
!
interface Loopback1
 ip address 10.0.4.1 255.255.255.255
!
interface Ethernet0
 description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
 ip address 192.168.4.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <adsl@username>
 ppp chap password <password>
 crypto map SDM_CMAP_1
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.58.0 255.255.255.0 Tunnel0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   gre host 80.29.36.23 host 80.71.217.49
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit gre host 192.168.4.254 host 192.168.58.254
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ahp host 80.71.217.49 host 80.29.36.23
access-list 103 permit esp host 80.71.217.49 host 80.29.36.23
access-list 103 permit udp host 80.71.217.49 host 80.29.36.23 eq isakmp
access-list 103 permit udp host 80.71.217.49 host 80.29.36.23 eq non500-isakmp
access-list 103 remark IPSec Rule
access-list 103 permit gre host 80.71.217.49 host 80.29.36.23
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 deny   ip 192.168.4.0 0.0.0.255 any
access-list 103 permit icmp any any
access-list 103 deny   ip any any log
access-list 104 remark SDM_ACL Category=4
access-list 104 permit gre host 80.29.36.23 host 80.71.217.49
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^
...
!
line con 0
...
line aux 0
...
line vty 0 4
...
!
scheduler max-task-time 5000
scheduler interval 500
!
end
 
lrmoore commented:
This VPN tunnel is not the way I would set it up, unless this office is a spoke office and there is a head-end that has connections to many spokes. Is this a simple point-to-point VPN with no other offices involved other than these two?

 
inscribble82 (Author) commented:
This is a spoke office. There are three spokes out from the hub. The hub also acts as a server for VPNClients (but this is the what my VPNClient is connecting to). I would be very pleased to hear any comments on the config. This is the first hub / spoke system I have set up and there are a number of issues with this too but that is not my immediate problem.

Have I done something silly?
 
lrmoore commented:
Reference:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080110ba1.html

This is the preferred method of creating dynamic VPN tunnels in a hub-and-spoke configuration.
Notice that you don't encrypt the GRE as you are doing - you encrypt the traffic within the GRE tunnel, applying the crypto map (via profile) to the tunnel interface.

>Have I done something silly?
Not at all! You've got all the right concepts, just need to tweak it a little bit...
Using the DMVPN, you can let all the sites talk to each other for much more efficient use of bandwidth and information sharing..
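The change lrmoore describes, and neoponder's earlier point that the crypto ACL should not be matching the whole GRE stream between the two public addresses, can be seen side by side in the following IOS fragment. It is an added example written for this thread, not the asker's posted config or the Cisco document's own text. The peer 80.71.217.49, the Tunnel0 interface, the transform set name and the 192.168.58.0/24 route are taken from the config above; the profile name SDM_PROFILE_1 is an assumed name. The crypto map SDM_CMAP_1 and its GRE-matching access-list 104 are what it replaces.

```cisco
! Added example, not the thread's posted config: encrypt the GRE tunnel with
! an IPsec profile on Tunnel0 instead of a crypto map on Dialer0.
! Assumed name: SDM_PROFILE_1. Peer, transform set and route come from the thread.
!
! 1. ISAKMP policy and pre-shared key are unchanged from the posted config.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key shared.key address 80.71.217.49
!
! 2. Same transform set, switched to transport mode: the GRE header already
!    carries the outer addresses, so IPsec only needs to protect the payload.
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
 mode transport
!
! 3. An IPsec profile replaces the crypto map. There is no "match address":
!    interesting traffic is whatever is routed into the tunnel, so the
!    GRE-matching access-list 104 is no longer needed.
crypto ipsec profile SDM_PROFILE_1
 set transform-set SDM_TRANSFORMSET_1
!
! 4. Protect the tunnel interface itself.
interface Tunnel0
 ip unnumbered Dialer0
 ip mtu 1420
 tunnel source Dialer0
 tunnel destination 80.71.217.49
 tunnel mode gre ip
 tunnel protection ipsec profile SDM_PROFILE_1
!
! 5. Nothing crypto-related stays on the physical outside interface, so the
!    VPN Client's IKE (UDP 500/4500) and ESP cross Dialer0 as ordinary NAT'd
!    traffic instead of being claimed by the router's own crypto map.
interface Dialer0
 no crypto map SDM_CMAP_1
!
! 6. Routing into the tunnel is what selects the traffic that gets encrypted.
ip route 192.168.58.0 255.255.255.0 Tunnel0
```

The hub end has to mirror this (a profile with tunnel protection and the same transport-mode transform set), because a hub still running a crypto map that matches GRE between the public addresses will not agree on the proposal. After the change, confirm the spoke is actually encrypting rather than sending GRE in the clear: `show crypto isakmp sa` should show an active SA with 80.71.217.49, and in `show crypto ipsec sa` the SA listed under interface Tunnel0 should show its encaps and decaps counters increasing while traffic to 192.168.58.0/24 flows. The inbound access-list 103 on Dialer0 already permits esp and udp isakmp/non500-isakmp from the peer, so it does not need to change for the tunnel; the GRE permit in it becomes unused once the GRE is carried inside ESP.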
 
inscribble82 (Author) commented:
I have now rebuilt the tunnels using this document from Cisco and it all looks good. Now that the crypto isn't on the physical interface the VPN Client works fine.

Thanks very much for your help
