lewylupo asked:
Cisco Router VPN Connects but Unable to Access Internal Servers and Resources
I have a Cisco 1811 router and have configured it as a VPN server. I am using the Cisco VPN Client version 5.0.01.0530. I am able to successfully connect to the server using local authentication on the router; however, I am not able to ping any internal servers once connected. I get an IP address from the VPN IP pool, but I can only ping the outside interface of the router, 192.168.1.2, and the translated address, 192.168.1.3. Below is my config; please help.
Current configuration : 10625 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ironbridge
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.10
ip dhcp excluded-address 10.10.10.11
ip dhcp excluded-address 10.10.10.12
ip dhcp excluded-address 10.10.10.13
ip dhcp excluded-address 10.10.10.14
ip dhcp excluded-address 10.10.10.15
ip dhcp excluded-address 10.10.10.16
ip dhcp excluded-address 10.10.10.17
ip dhcp excluded-address 10.10.10.18
ip dhcp excluded-address 10.10.10.19
ip dhcp excluded-address 10.10.10.20
ip dhcp excluded-address 10.10.10.129
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
ip dhcp pool 1800-ISR
import all
network 10.10.10.128 255.255.255.128
default-router 10.10.10.1
dns-server 68.87.71.226
!
!
ip domain name nextblueprint.com
ip name-server 68.87.71.226
ip name-server 68.87.73.242
!
username ironbridge privilege 15 secret 5 $1$ff9D$Lo.vVL88uLrbgz3k8Be6m.
username xxxxxxxx password 0 xxxxxxx
!
crypto isakmp policy 3
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxx
key xxxxxxx
dns 10.10.10.10 68.87.73.242
wins 10.10.10.10
domain nextblueprint.com
pool ippool
!
!
crypto ipsec transform-set ironbridgeset esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set ironbridgeset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface FastEthernet0
description $FW_INSIDE$$ETH-LAN$
ip address 192.168.1.2 255.255.255.128
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 key 1 size 40bit 0 XXXXXX transmit-key
encryption vlan 1 mode wep mandatory
!
ssid XXXXX
vlan 1
authentication open
guest-mode
!
speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no dot11 extension aironet
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
!
encryption vlan 1 key 1 size 40bit 0 DFA2D05063 transmit-key
encryption vlan 1 mode wep mandatory
!
ssid ironbridge
vlan 1
authentication open
guest-mode
!
speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
station-role root
no dot11 extension aironet
!
interface Dot11Radio1.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO- FE 2$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.128
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Async1
no ip address
encapsulation slip
!
interface BVI1
ip address 10.10.10.129 255.255.255.128
ip nat inside
ip virtual-reassembly
!
ip local pool ippool 10.0.0.1 10.0.0.10
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool1 192.168.1.3 192.168.1.100 netmask 255.255.255.0
ip nat pool pool2 192.168.1.101 192.168.1.200 netmask 255.255.255.0
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
!
logging trap warnings
logging 10.10.10.10
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.128 0.0.0.127
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
end
Can you check to make sure that the IP subnet from which you have established the VPN tunnel and the subnet behind the router are different; if you have the same subnet 192.168.1.0 at both ends, then you would be connected but would not be able to access anything.
ASKER
I changed the router config to reflect a not-so-typical subnet: instead of the 192.168.1.0 subnet, I changed it to the 10.1.1.0 subnet. And yes, the end I was connecting from was using the same subnet, 192.168.1.0, so both ends were the same. However, after the change I can still connect through VPN, but I am still unable to remote desktop to the internal servers, access resources, or ping the servers. Any more suggestions? It's weird, because when I ping the current FE interface of the router, I get a reply and am able to use SDM to connect to the router. I just cannot get to the servers. I did just notice that when I ping only one of the servers, I get a reply, but not from the actual server IP address; it comes from the NAT/PAT translated address.
I am not sure the way you have configured the VPN would work.
It looks like FE is the outbound interface, and Vlan1 and BVI1 are in the same subnet. The local pool defined for remote users is 10.0.0.1; there is no NAT, so how the packets leave the client machine for the 192.168.1.x subnet from the VPN adapter is unknown.
Can you draw a network diagram showing where the client is located, with some details about the router and interfaces, which can help figure out what is happening.
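The symptom reported above (ping replies arriving from the NAT/PAT address instead of the server) is what you see when a server's reply to a VPN client is translated by the inside NAT rule before the crypto map on FastEthernet0 encrypts it. The following IOS fragment is an added example, not part of the thread or of the hidden accepted solution: it shows the posted NAT rule beside a version that exempts server-to-VPN-pool traffic, and the show commands used to confirm the change. The ACL name NAT_INSIDE is assumed.

```cisco
! --- As posted: every packet sourced from 10.10.10.0/24 that exits
! --- FastEthernet0 is translated, including replies destined for the
! --- VPN pool 10.0.0.1-10.0.0.10, so the client sees 192.168.1.3.
access-list 1 permit 10.10.10.0 0.0.0.255
ip nat inside source list 1 pool pool1 overload
!
! --- Corrected (added example; NAT_INSIDE is an assumed name):
! --- deny server-to-VPN-pool traffic from NAT so it reaches the
! --- crypto map untranslated; keep translating everything else.
ip access-list extended NAT_INSIDE
 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.15
 permit ip 10.10.10.0 0.0.0.255 any
!
no ip nat inside source list 1 pool pool1 overload
ip nat inside source list NAT_INSIDE pool pool1 overload
!
! --- access-list 2 / pool2 (BVI1 hosts) needs the same deny entry if it is
! --- kept; otherwise replies from 10.10.10.128/25 are still translated.
!
! --- Verification while a client pings an internal server:
! show ip nat translations    <- no entry should map a 10.10.10.x host to a 10.0.0.x client
! show crypto ipsec sa        <- #pkts encaps and #pkts decaps both increase for the client SA
! show crypto session         <- client session listed as UP-ACTIVE
```

The pool and internal subnet must also not overlap with the remote client's own LAN, which is the separate point raised earlier in the thread.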
ASKER
Cisco Client on 192.168.1.1 Subnet on Remote LAN => Internet => Business Gateway Cable Modem=>Cisco Router=>Inside LAN
outside interface of business gateway cable modem is public IP 74.95.83.214
inside interface of BG cable modem is 192.168.200.1
static route on cable modem 74.95.83.214 to 192.168.200.2
DHCP is enabled on BG cable modem range 192.168.200.3 - 192.168.200.200
Router outside interface (Fast Ethernet) is 192.168.200.2
Inside VLAN1 10.10.10.1 /24
Inside BVI1 10.10.10.129 /24
VPN Client Pool 10.0.0.1 - 10.0.0.10
Hope this helps.
ASKER CERTIFIED SOLUTION
ASKER
All internal server traffic is NAT'ed to the 192.168.200.2 address (many to one).
And regarding the VPN pool, I thought it had to be a unique range (not the same as the internal network).
I will try a new pool, though, just to see if it works...
ASKER
I'm not really sure why, but now I'm able to get my VPN to work fine even though I am using a different ippool than my internal LAN. Not sure exactly why it's working now. Thanks for the help.
Good to know that the problem is resolved! :)