Cisco Router VPN Connects but Unable to Access Internal Servers and resources

I have a Cisco 1811 router and configured it as a VPN server.  I am using the Cisco VPN client version 5.0.01.0530.  I am able to successfully connect to the server using local authentication on the router; however, I am not able to ping any internal servers once connected.  I get an IP address from the VPN IP pool, but I can only ping the outside interface of the router 192.168.1.2 and the translated address 192.168.1.3.  Below is my config, please help.


Current configuration : 10625 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ironbridge
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!

ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.10
ip dhcp excluded-address 10.10.10.11
ip dhcp excluded-address 10.10.10.12
ip dhcp excluded-address 10.10.10.13
ip dhcp excluded-address 10.10.10.14
ip dhcp excluded-address 10.10.10.15
ip dhcp excluded-address 10.10.10.16
ip dhcp excluded-address 10.10.10.17
ip dhcp excluded-address 10.10.10.18
ip dhcp excluded-address 10.10.10.19
ip dhcp excluded-address 10.10.10.20
ip dhcp excluded-address 10.10.10.129
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
ip dhcp pool 1800-ISR
   import all
   network 10.10.10.128 255.255.255.128
   default-router 10.10.10.1
   dns-server 68.87.71.226
!
!
ip domain name nextblueprint.com
ip name-server 68.87.71.226
ip name-server 68.87.73.242
!

username ironbridge privilege 15 secret 5 $1$ff9D$Lo.vVL88uLrbgz3k8Be6m.
username xxxxxxxx password 0 xxxxxxx
!

crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxxx
 key xxxxxxx
 dns 10.10.10.10 68.87.73.242
 wins 10.10.10.10
 domain nextblueprint.com
 pool ippool
!
!
crypto ipsec transform-set ironbridgeset esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ironbridgeset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!

interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 key 1 size 40bit 0 XXXXXX transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid XXXXX
    vlan 1
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption vlan 1 key 1 size 40bit 0 DFA2D05063 transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid ironbridge
    vlan 1
    authentication open
    guest-mode
 !
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
interface BVI1
 ip address 10.10.10.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 10.0.0.1 10.0.0.10
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool1 192.168.1.3 192.168.1.100 netmask 255.255.255.0
ip nat pool pool2 192.168.1.101 192.168.1.200 netmask 255.255.255.0
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
!
logging trap warnings
logging 10.10.10.10
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.128 0.0.0.127
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip

line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh

!
end
Asked by lewylupo
1 Solution
dpk_wal commented:
Can you check to make sure that the IP subnet from where you have established the VPN tunnel and the subnet behind the router are different; if you have the same subnet 192.168.1.0 at both ends, then you would be connected but would not be able to access anything.
lewylupo (Author) commented:
I changed the router config to reflect a not so typical subnet; instead of the 192.168.1.0 subnet, I changed it to the 10.1.1.0 subnet.  And yes, the end I was connecting from was using the same subnet 192.168.1.0, so both ends were the same.  However, after the change I can still connect through VPN, but am still unable to remote desktop to the internal servers, access resources, or ping the servers.  Any more suggestions?  It's weird because when I ping the current FE interface of the router, I get a reply and am able to use SDM to connect to the router.  I just cannot get to the servers.  I did just notice that when I ping only one of the servers, I get a reply, but not from the actual server IP address; it comes from the NAT/PAT translated address.
dpk_wal commented:
I am not sure the way you have configured the VPN would work.

It looks like FE is the outbound interface, and Vlan1 and BVI1 are in the same subnet. The local pool defined for remote users is 10.0.0.1; there is no NAT, so how the packets leave the client machine for the 192.168.1.x subnet from the VPN adapter is unknown.

Can you draw the network diagram as to where the client is seated, with some details about the router and interfaces, which can help figure out what is happening?
lewylupo (Author) commented:
Cisco Client on 192.168.1.1 Subnet on Remote LAN => Internet => Business Gateway Cable Modem => Cisco Router => Inside LAN

outside interface of business gateway cable modem is public IP 74.95.83.214
inside interface of BG cable modem is 192.168.200.1
static route on cable modem 74.95.83.214 to 192.168.200.2
DHCP is enabled on BG cable modem range 192.168.200.3 - 192.168.200.200

Router outside interface (Fast Ethernet) is 192.168.200.2
Inside VLAN1 10.10.10.1 /24
Inside BVI1 10.10.10.129 /24
VPN Client Pool 10.0.0.1 - 10.0.0.10


Hope this helps.
dpk_wal commented:
Do you have one-to-one NAT configured for your servers, or is all your traffic NAT'ed to the 192.168.200.2 IP?

Further, is there any specific reason why you have specified 10.0.0.1-10 IPs for the remote client pool? Can you give IPs for remote clients in the same range as your internal network, 10.10.10.x, and check if you can then reach the internal machines?

Thank you.
lewylupo (Author) commented:
All internal server traffic is NAT'ed to the 192.168.200.2 address (many to one).

And regarding the VPN pool, I thought they had to be a unique range (not the same as the internal network).

I will try a new pool though just to see if it works...
lewylupo (Author) commented:
I'm not really sure why, but now I'm able to get my VPN to work fine even though I am using a different ippool than my internal LAN.  Not sure exactly why it's working now.  Thanks for the help.
dpk_wal commented:
Good to know that the problem is resolved! :)
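The two diagnoses in this thread, a client LAN that collides with the router's subnet and server replies that arrive from the NAT/PAT translated address, can be checked mechanically against the config. The following is an added Python example, not code from the thread or from Cisco: it parses a constructed excerpt of the posted config (the interface names, pool and access-list 1 are the thread's; the function names are my own) and reports whether a reply from an inside server to a VPN pool address would pass through the standard NAT ACL and be translated before the crypto map encrypts it.

```python
import ipaddress
import re

# Constructed excerpt of the addressing posted in the thread, not the live config.
CONFIG = """\
interface FastEthernet0
 ip address 192.168.1.2 255.255.255.128
 ip nat outside
interface Vlan1
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
ip local pool ippool 10.0.0.1 10.0.0.10
ip nat inside source list 1 pool pool1 overload
access-list 1 permit 10.10.10.0 0.0.0.255
"""

def parse(config):
    """Collect interface networks and NAT roles, the VPN pool, NAT ACL numbers and ACL entries."""
    ifaces, acls, nat_lists, pool, cur = {}, {}, [], [], None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces.setdefault(m[1], {})
        elif m := re.match(r" ip address (\S+) (\S+)", line):
            cur["net"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}").network
        elif m := re.match(r" ip nat (inside|outside)", line):
            cur["nat"] = m[1]
        elif m := re.match(r"ip local pool \S+ (\S+) (\S+)", line):
            first, last = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
            pool = [first + i for i in range(int(last) - int(first) + 1)]
        elif m := re.match(r"ip nat inside source list (\d+)", line):
            nat_lists.append(m[1])
        elif m := re.match(r"access-list (\d+) permit (\S+) (\S+)", line):
            acls.setdefault(m[1], []).append((m[2], m[3]))
    return ifaces, acls, nat_lists, pool

def acl_permits(entries, addr):
    """Standard ACL match: a wildcard bit of 1 means 'don't care'; only the packet's source is tested."""
    a = int(ipaddress.ip_address(addr))
    return any((a ^ int(ipaddress.ip_address(b))) & ~int(ipaddress.ip_address(w)) == 0 for b, w in entries)

def client_lan_overlaps_outside(ifaces, client_lan):
    """First diagnosis in the thread: the client's own LAN must not be the router's outside subnet."""
    lan = ipaddress.ip_network(client_lan)
    return any(lan.overlaps(i["net"]) for i in ifaces.values() if i.get("nat") == "outside")

def reply_to_client_is_translated(ifaces, acls, nat_lists, server, client):
    """A reply to a pool address on no inside subnet follows the default route out the nat-outside
    interface; a standard NAT ACL cannot exempt by destination, so a permitted source is translated."""
    on_lan = any(ipaddress.ip_address(client) in i["net"] for i in ifaces.values() if i.get("nat") == "inside")
    return not on_lan and any(acl_permits(acls.get(n, []), server) for n in nat_lists)
```

Because a standard ACL tests only the source address, the usual IOS remedy is to drive the `ip nat inside source` statement from a route-map whose extended ACL denies inside-to-pool traffic before permitting the rest; no such exemption exists in the posted config.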