[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 519
  • Last Modified:

catalyst 3750 issue

my clients are connected to catalyst 3750, they cannot connect to vpn
without the switch they can connect to vpn
how can i fix switch to pass vpn traffic
0
ammadeyy2020
Asked:
ammadeyy2020
  • 13
  • 8
  • 4
  • +1
1 Solution
 
from_expCommented:
please post config of a switch
0
 
ammadeyy2020Author Commented:
do u need the entire config?




Press RETURN to get started.


User Access Verification

Username:
Password:
EDGE_Switch#sh run
EDGE_Switch#sh running-config
Building configuration...

Current configuration : 11415 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname EDGE_Switch
!
!

no aaa new-model
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
archive
 log config
  logging enable
  logging size 200
  notify syslog
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1


 
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 110 out
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan60
 ip address 192.168.60.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan80
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan90
 ip address 192.168.90.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip access-group 102 in
!
router rip
 network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
no ip http server
!
logging 192.168.30.65
access-list 23 deny   any
access-list 98 permit 192.168.100.100
access-list 100 permit tcp host 192.168.100.100 host 192.168.100.1 eq telnet
access-list 101 permit ip host 192.168.100.100 any
 --More--
0
 
ammadeyy2020Author Commented:
from the client pc's im able to ping to vpn server on remote office
0
Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
ammadeyy2020Author Commented:
im using cisco vpn client 4.0.3 (D)
0
 
ammadeyy2020Author Commented:

EDGE_Switch#
EDGE_Switch#
EDGE_Switch#sh run
EDGE_Switch#sh running-config
Building configuration...

Current configuration : 11415 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname EDGE_Switch
!
!

no aaa new-model
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
archive
 log config
  logging enable
  logging size 200
  notify syslog
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1

 switchport access vlan 10
!
interface GigabitEthernet1/0/2

 switchport access vlan 20
!
interface GigabitEthernet1/0/3

 switchport access vlan 20
!
interface GigabitEthernet1/0/4

 switchport access vlan 30
!
interface GigabitEthernet1/0/5

 switchport access vlan 30
!
interface GigabitEthernet1/0/6

 switchport access vlan 30
!
interface GigabitEthernet1/0/7

 switchport access vlan 30
!
interface GigabitEthernet1/0/8

 switchport access vlan 30
!
interface GigabitEthernet1/0/9

 switchport access vlan 30
!
interface GigabitEthernet1/0/10

 switchport access vlan 40
!
interface GigabitEthernet1/0/11

 switchport access vlan 50
!
interface GigabitEthernet1/0/12

 switchport access vlan 90
!
interface GigabitEthernet1/0/13

 switchport access vlan 20
!
interface GigabitEthernet1/0/14

 switchport access vlan 80
!
interface GigabitEthernet1/0/15

 switchport access vlan 80
!
interface GigabitEthernet1/0/16

 switchport access vlan 80
!
interface GigabitEthernet1/0/17

 switchport access vlan 100
!
interface GigabitEthernet1/0/18

 switchport access vlan 100
!
interface GigabitEthernet1/0/19

 switchport access vlan 100
!
interface GigabitEthernet1/0/20

 switchport access vlan 100
!
interface GigabitEthernet1/0/21
 switchport access vlan 101
!
interface GigabitEthernet1/0/22
 switchport access vlan 101
!
interface GigabitEthernet1/0/23
 switchport access vlan 70
!
interface GigabitEthernet1/0/24
 switchport access vlan 90
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 110 out
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan60
 ip address 192.168.60.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan80
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan90
 ip address 192.168.90.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip access-group 102 in
!
router rip
 network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
no ip http server
!
logging 192.168.30.65
access-list 23 deny   any
access-list 98 permit 192.168.100.100
access-list 100 permit tcp host 192.168.100.100 host 192.168.100.1 eq telnet
access-list 101 permit ip host 192.168.100.100 any
access-list 101 permit ip any host 192.168.100.200
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq 389
access-list 101 permit tcp any any eq 445
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 1025
access-list 101 permit tcp any any eq 88
access-list 101 permit udp any any eq 88
access-list 101 permit tcp any any eq 135
access-list 101 permit udp any any eq 135
access-list 101 permit tcp any any eq 137
access-list 101 permit tcp any any eq 138
access-list 101 permit udp any any eq ntp
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-ss
access-list 101 permit tcp any any eq 13000
access-list 101 permit tcp any any eq 14000
access-list 101 permit tcp any any eq 3351
access-list 101 permit tcp any any eq 1583
access-list 101 permit udp any any eq syslog
access-list 101 permit ip 192.168.80.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip 192.168.70.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip host 192.168.60.207 host 192.168.10.10
access-list 101 permit ip 192.168.40.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip any host 192.168.60.40
access-list 101 permit ip host 192.168.10.10 host 192.168.20.20
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq pop3 any
access-list 101 permit tcp any any range 1024 65535
access-list 101 permit tcp any range 1024 65535 any
access-list 101 permit udp any any range 1024 65535
access-list 101 permit udp any range 1024 65535 any
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 389
access-list 102 permit ip any host 192.168.20.20
access-list 102 permit ip any host 192.168.20.55
access-list 102 permit ip any host 192.168.30.2
access-list 102 permit ip any host 192.168.30.4
access-list 102 permit ip any host 192.168.30.65
access-list 102 permit ip any host 192.168.90.40
access-list 102 permit ip any host 192.168.100.100
access-list 102 permit ip any host 192.168.100.200
access-list 102 permit ip host 192.168.60.40 any
access-list 102 permit ip any host 192.168.90.1
access-list 102 permit ip any host 192.168.90.2
access-list 102 permit ip host 192.168.90.40 any
access-list 102 permit ip host 192.168.60.207 host 192.168.10.10
access-list 102 permit ip host 192.168.90.2 any
access-list 102 permit ip host 192.168.40.202 host 192.168.10.10
access-list 102 permit ip host 192.168.40.203 host 192.168.10.10
access-list 102 permit ip host 192.168.40.204 host 192.168.10.10
access-list 102 permit ip host 192.168.40.205 host 192.168.10.10
access-list 102 permit ip host 192.168.90.207 host 192.168.10.10
access-list 102 permit ip any host 64.69.195.50
access-list 102 permit ip any host 64.27.240.50
access-list 102 permit ip any host 64.69.195.51
access-list 102 permit ip any host 64.27.240.51
access-list 105 permit ip 0.0.0.0 255.255.255.0 any
access-list 110 permit ip host 192.168.20.20 any
access-list 110 permit ip host 192.168.20.55 host 192.168.10.10
access-list 110 permit ip host 192.168.100.100 host 192.168.10.10
access-list 110 permit ip host 192.168.100.200 host 192.168.10.10
access-list 110 permit ip host 192.168.100.250 host 192.168.10.10
access-list 110 permit ip host 192.168.80.98 host 192.168.10.10
access-list 110 permit ip host 192.168.80.3 host 192.168.10.10
access-list 110 permit ip any host 195.27.162.31
access-list 110 permit ip any host 195.27.162.155
access-list 110 permit ip host 192.168.90.207 host 192.168.10.10
access-list 110 permit ip host 192.168.70.2 host 192.168.10.10
access-list 110 permit ip host 192.168.80.210 host 192.168.10.10
access-list 110 permit ip host 192.168.80.6 host 192.168.10.10
access-list 110 permit ip host 192.168.80.18 host 192.168.10.10
access-list 110 permit ip host 192.168.80.2 host 192.168.10.10
access-list 110 permit ip host 192.168.80.217 host 192.168.10.10
access-list 110 permit ip host 192.168.80.9 host 192.168.10.10
access-list 110 permit ip host 192.168.80.80 host 192.168.10.10
access-list 110 permit ip host 192.168.80.178 host 192.168.10.10
access-list 110 permit ip host 192.168.80.51 host 192.168.10.10
access-list 110 permit ip host 192.168.80.51 host 202.1.192.196
access-list 110 permit ip host 192.168.80.251 host 192.168.10.10
access-list 110 permit ip host 192.168.80.251 host 208.68.106.6
access-list 110 permit ip host 192.168.80.251 host 208.68.104.106
access-list 110 permit ip host 192.168.80.51 host 208.68.106.6
access-list 110 permit ip host 192.168.80.51 host 208.68.104.106
access-list 110 permit ip host 192.168.40.203 host 192.168.10.10
access-list 110 permit ip host 192.168.40.204 host 192.168.10.10
access-list 110 permit ip host 192.168.40.205 host 192.168.10.10
access-list 110 permit ip host 192.168.100.100 host 192.168.10.4
access-list 110 permit ip host 192.168.100.200 any
access-list 110 permit ip host 192.168.40.202 host 192.168.10.10
access-list 110 permit ip host 192.168.80.8 host 192.168.10.10
access-list 110 permit ip host 192.168.80.202 host 192.168.10.10
access-list 110 permit ip host 192.168.70.7 host 192.168.10.10
access-list 110 permit ip host 192.168.100.50 host 192.168.10.10
access-list 110 permit ip host 192.168.80.5 host 192.168.10.10
access-list 110 permit ip host 192.168.80.200 host 192.168.10.10
access-list 110 permit ip host 192.168.80.53 host 192.168.10.10
access-list 110 permit ip host 192.168.80.52 host 192.168.10.10
access-list 110 permit ip host 192.168.80.222 host 192.168.10.10
access-list 110 permit ip host 192.168.80.58 host 192.168.10.10
access-list 110 permit ip host 192.168.80.55 host 192.168.10.10
access-list 110 permit ip host 192.168.80.57 host 192.168.10.10
access-list 110 permit ip host 192.168.80.54 host 192.168.10.10
access-list 110 permit ip host 192.168.80.21 host 192.168.10.10
access-list 110 permit ip host 192.168.70.30 host 192.168.10.10
access-list 110 permit ip host 192.168.80.206 host 192.168.10.10
access-list 110 permit ip host 192.168.100.101 host 192.168.10.10
access-list 110 permit ip host 192.168.70.3 host 192.168.10.10
access-list 110 permit ip host 192.168.70.6 host 192.168.10.10
access-list 110 permit ip host 192.168.100.80 host 192.168.10.10
access-list 110 permit ip host 192.168.80.7 host 192.168.10.10
access-list 110 permit ip host 192.168.80.201 host 192.168.10.10

access-list 140 permit ip host 192.168.90.207 host 192.168.10.10
snmp-server community
snmp-server community READONLY RW 98
snmp-server enable traps license
!
control-plane
!
!
line con 0
 password
 logging synchronous
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password
 logging synchronous
 login local
 transport input none
line vty 5
 access-class 23 in
 privilege level 15
 password
 logging synchronous
 login local
 transport input none
line vty 6 15
 access-class 23 in
 login
 transport input none
!
ntp server 192.168.20.20
end

EDGE_Switch#
EDGE_Switch#
EDGE_Switch#
0
 
ammadeyy2020Author Commented:
i have added the following 2 lines to access-list 102
permit gre any any
permit tcp any any eq 1723
0
 
rexxusCommented:
What Vlans are you clients connected to that are unable to access VPN?

You access lists are probably denying the VPN traffic.  For VPN you need to allow UDP 500 and PROTOCOL 50 or 51 depending on the type of encryption.  A "permit ip x.x.x.x y.y.y.y" entry will allow protocol 50 and 51

Have a look at the following for an overview of VLAN ACL's:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html
0
 
ammadeyy2020Author Commented:
vlan 90 and 40
0
 
rexxusCommented:
Another way to determine if your ACL is blocking the traffic is to add a "deny ip any any log" to the end of the ACL.  The log command will cause any failed packet to generate a syslog entry which you can view to troubleshoot.
0
 
rexxusCommented:
Is the VPN remote end an IP address listed in access list 102?
0
 
ammadeyy2020Author Commented:
yes it is there
from client pc's i can ping to vpn remote end
0
 
rexxusCommented:
A quick and dirty way to identify if it is an access list issue is to remove the access list and see if a client is able to connect. e.g.

int vlan 40
 no ip access-group 102 in

int vlan 90
 no ip access-group 102 in

If the client is able to connect than it is an access-list problem.  If you can't provide further information try the "deny ip any any log" at the and of access list 102 to identify where the traffic is being blocked.

If you can provide more details about the problem, source, destination etc I can offer more advice.
0
 
ammadeyy2020Author Commented:
i have added deny ip any any log to the end of acl 102

and i try to vpn connection it shows only udp 137 denied
0
 
ammadeyy2020Author Commented:
i have removed accesslist from vlan 90, still same issue "failed to get tcp connection" reason 414
0
 
rexxusCommented:
Are the settings on the VPN client and the VPN gateway the same?

Is one configured for NAT-T and the other is not?  This could explain the problem you are seeing
0
 
ammadeyy2020Author Commented:
my firewall have 3 interface
1- external
2- local (connected to catalyst  3750)
2-loca (connected to unmanage switch)

clients connected to unmanage swith is able to connect to vpn gateway
clients on 3750 switch cannot, so its a issue in the switch
0
 
rexxusCommented:
Possibly an issue with the switch yes.  Although with you having removed the ACL on VLAN 90 I would start looking elsewhere.

Can you move the client who is connected to the switch and failing VPN connectivity to the unmanaged switch and try again?  If the client still fails then it definitely points to the switch.

The other problem may be you're NAT'ing the VLAN 90 IP addresses on the firewall but not NAT'ing the unmanaged switch IP addresses.
0
 
ammadeyy2020Author Commented:
i moved the client to unmanage switch, vpn is working
and again i moved to cisco switch, vpn doesnt connect

0
 
rexxusCommented:
Ok that indicates to me that the client is configured correctly.

You previously removed the access list so that should have passed all traffic.

That indicates that there is some configuration differences on your firewall between the two interfaces, the one that connects to the unmanaged switch and the one that connects to the cisco switch.  Are VLAN 90 clients being NAT'd on the firewall?
0
 
JFrederick29Commented:
The Firewall is 192.168.10.10, right?

You also have access-list 110 outbound on the VLAN10 interface where you need to permit the VPN traffic in addition to access-list 102.

ip access-list ext 110
permit gre any any
permit tcp any any eq 1723
...
0
 
JFrederick29Commented:
Also, access-list 102:

ip access-list ext 102
permit tcp any eq 1723 any
0
 
ammadeyy2020Author Commented:
192.168.10.10 is firewall

ip access-list ext 110
permit gre any any
permit tcp any any eq 1723
permit ip any host x.x.x.x

x.x.x.x is vpn gateway

yes NAT is on firewall
0
 
JFrederick29Commented:
Still not working with the access-list 110 addition?

Add this to access-list 102 also:

ip access-list ext 102
permit ip any host x.x.x.x

x.x.x.x is vpn gateway
0
 
JFrederick29Commented:
The Firewall has routes back to these VLAN subnets via 192.168.10.1, right?  Does regular internet access work from VLAN90, VLAN40, etc...?
0
 
ammadeyy2020Author Commented:
JFrederick29 is the MAN
0
 
rexxusCommented:
permitting tcp port 1723 and GRE is for when you are using PPTP, not for IKE and IPSEC (which I'm guessing you're using as you have the Cisco VPN client installed).

Although the, following statement would be required:

ip access-list ext 110
 permit ip any host x.x.x.x

Is the outbound NAT'ing on the firewall the same for both your internal interfaces?

0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 13
  • 8
  • 4
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now