inscribble82
Outbound Cisco VPNClient Blocked by Cisco 837 when Site to Site VPN Active
I am using Cisco VPNClient to connect to a remote site through my Cisco 837 ADSL router. This works fine until I configure a Site to Site VPN tunnel which terminates on the router. As soon as I apply the crypto map to the Dialer interface the VPNClient stops working.
The router uses NAT and has a single, fixed IP address from the ISP.
Is it possible to run the two VPNs together?
If you only have one IP, I don't think so. You are telling the router to encrypt everything outbound and send it over the tunnel. When you bring up your VPN client software it tries to tunnel that as well (a tunnel in a tunnel). You might be able to specify the interesting traffic in your access list based only on the networks you wish to LAN-to-LAN. I'm not very familiar with the DSL router you are using.
You might be having a problem due to the VPN policies. I've done plenty of tunnels, tunnels inside tunnels, etc. in the past, but it seems to me that what you are going to do is make the VPN server think a VPN user is trying to VPN again.
So your router does a VPN tunnel, which gives you a "public" IP out of the VPN pool space, whether a public pool or NAT, heck, or both. Then you initiate another VPN session from the PC, but the source would be an IP out of the pool from which the VPN server will assign you. It sort of looks like a spoofed packet attempt from a firewall stance.
I am sure there are ways around this but I am not seeing the benefit.
-James
What version of IOS is on the 837? You might need to upgrade to one that supports NAT transparency.
ASKER
The IOS is version 12.3(4)T7. I don't think it can be NAT transparency, because the VPN Client works until you enable the site-to-site.
Would it help if I posted the config?
I'll be happy to take a look at your config with site-site enabled, client not working...
ASKER
My network address is 192.168.4.0. There is a VPN tunnel to 192.168.58.0.
With line:
crypto map SDM_CMAP_1
present on the di0 interface, the site-to-site tunnel works but a VPNClient on my network cannot connect to any site.
With the crypto map line out, the tunnel obviously doesn't work but the VPNClient does work.
I've tried removing the inspect rule and the incoming access-list but that doesn't seem to help.
Config follows:
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 0 <password>
!
username administrator privilege 15 secret 0 <password>
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no aaa new-model
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name hotfix-ltd.co.uk
ip name-server 158.43.128.1
ip dhcp excluded-address 192.168.4.1 192.168.4.239
ip dhcp excluded-address 192.168.4.249 192.168.4.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.4.0 255.255.255.0
dns-server 158.43.128.1
default-router 192.168.4.254
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip inspect name DEFAULT100 icmp
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh break-string
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp key shared.key address 80.71.217.49
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to80.71.217.49
set peer 80.71.217.49
set transform-set SDM_TRANSFORMSET_1
match address 104
!
!
!
!
interface Tunnel0
ip unnumbered Dialer0
ip mtu 1420
tunnel source Dialer0
tunnel destination 80.71.217.49
tunnel path-mtu-discovery
!
interface Loopback1
ip address 10.0.4.1 255.255.255.255
!
interface Ethernet0
description $FW_INSIDE$$ETH-LAN$$INTF-INFO-Ethernet 10/100$
ip address 192.168.4.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname <adsl@username>
ppp chap password <password>
crypto map SDM_CMAP_1
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.58.0 255.255.255.0 Tunnel0
ip http server
ip http authentication local
ip http secure-server
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.4.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.58.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny gre host 80.29.36.23 host 80.71.217.49
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 permit gre host 192.168.4.254 host 192.168.58.254
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ahp host 80.71.217.49 host 80.29.36.23
access-list 103 permit esp host 80.71.217.49 host 80.29.36.23
access-list 103 permit udp host 80.71.217.49 host 80.29.36.23 eq isakmp
access-list 103 permit udp host 80.71.217.49 host 80.29.36.23 eq non500-isakmp
access-list 103 remark IPSec Rule
access-list 103 permit gre host 80.71.217.49 host 80.29.36.23
access-list 103 permit ip 10.0.0.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 103 deny ip 192.168.4.0 0.0.0.255 any
access-list 103 permit icmp any any
access-list 103 deny ip any any log
access-list 104 remark SDM_ACL Category=4
access-list 104 permit gre host 80.29.36.23 host 80.71.217.49
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner login ^
...
!
line con 0
...
line aux 0
...
line vty 0 4
...
!
scheduler max-task-time 5000
scheduler interval 500
!
end
This VPN tunnel is not the way I would set it up, unless this office is a spoke office and there is a head-end that has connections to many spokes. Is this a simple point-to-point VPN with no other offices involved other than these two?
ASKER
This is a spoke office. There are three spokes out from the hub. The hub also acts as a server for VPNClients (but this is the what my VPNClient is connecting to). I would be very pleased to hear any comments on the config. This is the first hub / spoke system I have set up and there are a number of issues with this too but that is not my immediate problem.
Have I done something silly?
ASKER CERTIFIED SOLUTION
ASKER
I have now rebuilt the tunnels using this document from Cisco and it all looks good. Now that the crypto isn't on the physical interface the VPN Client works fine.
Thanks very much for your help
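The closing message says the tunnels were rebuilt so that the crypto no longer sits on the physical interface, but neither the rebuilt configuration nor the Cisco document is on the page. What follows is an added example, not the asker's final config and not the text of that document, of the usual IOS 12.3T way to take a crypto map off Dialer0 for a GRE tunnel: an IPsec profile applied to the tunnel interface with `tunnel protection`. It reuses the peer address, transform set, interface names and static route from the posted config; the profile name SDM_PROFILE_1 is an assumed name chosen for the example.

```cisco
! Added example: GRE over IPsec using tunnel protection instead of a crypto map
! on the physical (Dialer0) interface. Addresses, set names and interface names
! are taken from the posted config; SDM_PROFILE_1 is an assumed name.
!
! ISAKMP policy, pre-shared key and transform set are unchanged from the post.
! 3DES/MD5 is kept only so the example matches the posted config, not as a
! recommendation.
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key shared.key address 80.71.217.49
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
!
! The IPsec profile only selects the transform set. The protected traffic is
! implied by the tunnel itself (GRE between tunnel source and destination), so
! no crypto ACL such as access-list 104 and no "set peer" are needed.
crypto ipsec profile SDM_PROFILE_1
 set transform-set SDM_TRANSFORMSET_1
!
interface Tunnel0
 ip unnumbered Dialer0
 ip mtu 1420
 tunnel source Dialer0
 tunnel destination 80.71.217.49
 tunnel path-mtu-discovery
 tunnel protection ipsec profile SDM_PROFILE_1
!
! The crypto map comes off the physical interface.
interface Dialer0
 no crypto map SDM_CMAP_1
!
! Unchanged from the post: the remote LAN is routed into the tunnel, and the
! GRE packets between the two public addresses stay out of NAT via the
! "deny gre" entry in access-list 101 used by route-map SDM_RMAP_1.
ip route 192.168.58.0 255.255.255.0 Tunnel0
```

Checks after applying this: `show crypto ipsec sa` should list peer 80.71.217.49 with an SA bound to Tunnel0 rather than to Dialer0, and `show ip nat translations` should show the VPN Client's UDP 500/4500 (or Cisco IPsec-over-UDP) flows being translated out of Dialer0. One caveat the thread's single-address situation still imposes: the site-to-site IKE and ESP continue to terminate on the Dialer0 address, so the router and any client behind it share one public IP for IPsec; the inbound access-list 103 must still admit ESP and ISAKMP from 80.71.217.49 for the router's own tunnel, and a client that negotiates raw ESP through PAT rather than a UDP encapsulation is the case most likely to conflict with that. Verify which transport the client negotiates before assuming the tunnel change alone is what fixed it.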