ammadeyy2020
asked on
catalyst 3750 issue
my clients are connected to catalyst 3750, they cannot connect to vpn
without the switch they can connect to vpn
how can i fix switch to pass vpn traffic
without the switch they can connect to vpn
how can i fix switch to pass vpn traffic
from_exp
please post config of a switch
ASKER
do u need the entire config?
Press RETURN to get started.
User Access Verification
Username:
Password:
EDGE_Switch#sh run
EDGE_Switch#sh running-config
Building configuration...
Current configuration : 11415 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname EDGE_Switch
!
!
no aaa new-model
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
archive
log config
logging enable
logging size 200
notify syslog
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 110 out
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group 101 out
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 101 out
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip access-group 102 in
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
!
interface Vlan60
ip address 192.168.60.1 255.255.255.0
ip access-group 102 in
!
interface Vlan70
ip address 192.168.70.1 255.255.255.0
!
interface Vlan80
ip address 192.168.80.1 255.255.255.0
!
interface Vlan90
ip address 192.168.90.1 255.255.255.0
ip access-group 102 in
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan101
ip address 192.168.101.1 255.255.255.0
ip access-group 102 in
!
router rip
network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
no ip http server
!
logging 192.168.30.65
access-list 23 deny any
access-list 98 permit 192.168.100.100
access-list 100 permit tcp host 192.168.100.100 host 192.168.100.1 eq telnet
access-list 101 permit ip host 192.168.100.100 any
--More--
Press RETURN to get started.
User Access Verification
Username:
Password:
EDGE_Switch#sh run
EDGE_Switch#sh running-config
Building configuration...
Current configuration : 11415 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname EDGE_Switch
!
!
no aaa new-model
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
archive
log config
logging enable
logging size 200
notify syslog
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 110 out
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group 101 out
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 101 out
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip access-group 102 in
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
!
interface Vlan60
ip address 192.168.60.1 255.255.255.0
ip access-group 102 in
!
interface Vlan70
ip address 192.168.70.1 255.255.255.0
!
interface Vlan80
ip address 192.168.80.1 255.255.255.0
!
interface Vlan90
ip address 192.168.90.1 255.255.255.0
ip access-group 102 in
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan101
ip address 192.168.101.1 255.255.255.0
ip access-group 102 in
!
router rip
network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
no ip http server
!
logging 192.168.30.65
access-list 23 deny any
access-list 98 permit 192.168.100.100
access-list 100 permit tcp host 192.168.100.100 host 192.168.100.1 eq telnet
access-list 101 permit ip host 192.168.100.100 any
--More--
ASKER
from the client pc's im able to ping to vpn server on remote office
ASKER
im using cisco vpn client 4.0.3 (D)
ASKER
EDGE_Switch#
EDGE_Switch#
EDGE_Switch#sh run
EDGE_Switch#sh running-config
Building configuration...
Current configuration : 11415 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname EDGE_Switch
!
!
no aaa new-model
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
archive
log config
logging enable
logging size 200
notify syslog
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
no ip address
shutdown
!
interface GigabitEthernet1/0/1
switchport access vlan 10
!
interface GigabitEthernet1/0/2
switchport access vlan 20
!
interface GigabitEthernet1/0/3
switchport access vlan 20
!
interface GigabitEthernet1/0/4
switchport access vlan 30
!
interface GigabitEthernet1/0/5
switchport access vlan 30
!
interface GigabitEthernet1/0/6
switchport access vlan 30
!
interface GigabitEthernet1/0/7
switchport access vlan 30
!
interface GigabitEthernet1/0/8
switchport access vlan 30
!
interface GigabitEthernet1/0/9
switchport access vlan 30
!
interface GigabitEthernet1/0/10
switchport access vlan 40
!
interface GigabitEthernet1/0/11
switchport access vlan 50
!
interface GigabitEthernet1/0/12
switchport access vlan 90
!
interface GigabitEthernet1/0/13
switchport access vlan 20
!
interface GigabitEthernet1/0/14
switchport access vlan 80
!
interface GigabitEthernet1/0/15
switchport access vlan 80
!
interface GigabitEthernet1/0/16
switchport access vlan 80
!
interface GigabitEthernet1/0/17
switchport access vlan 100
!
interface GigabitEthernet1/0/18
switchport access vlan 100
!
interface GigabitEthernet1/0/19
switchport access vlan 100
!
interface GigabitEthernet1/0/20
switchport access vlan 100
!
interface GigabitEthernet1/0/21
switchport access vlan 101
!
interface GigabitEthernet1/0/22
switchport access vlan 101
!
interface GigabitEthernet1/0/23
switchport access vlan 70
!
interface GigabitEthernet1/0/24
switchport access vlan 90
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip access-group 110 out
!
interface Vlan20
ip address 192.168.20.1 255.255.255.0
ip access-group 101 out
!
interface Vlan30
ip address 192.168.30.1 255.255.255.0
ip access-group 101 out
!
interface Vlan40
ip address 192.168.40.1 255.255.255.0
ip access-group 102 in
!
interface Vlan50
ip address 192.168.50.1 255.255.255.0
!
interface Vlan60
ip address 192.168.60.1 255.255.255.0
ip access-group 102 in
!
interface Vlan70
ip address 192.168.70.1 255.255.255.0
!
interface Vlan80
ip address 192.168.80.1 255.255.255.0
!
interface Vlan90
ip address 192.168.90.1 255.255.255.0
ip access-group 102 in
!
interface Vlan100
ip address 192.168.100.1 255.255.255.0
!
interface Vlan101
ip address 192.168.101.1 255.255.255.0
ip access-group 102 in
!
router rip
network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
no ip http server
!
logging 192.168.30.65
access-list 23 deny any
access-list 98 permit 192.168.100.100
access-list 100 permit tcp host 192.168.100.100 host 192.168.100.1 eq telnet
access-list 101 permit ip host 192.168.100.100 any
access-list 101 permit ip any host 192.168.100.200
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq 389
access-list 101 permit tcp any any eq 445
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 1025
access-list 101 permit tcp any any eq 88
access-list 101 permit udp any any eq 88
access-list 101 permit tcp any any eq 135
access-list 101 permit udp any any eq 135
access-list 101 permit tcp any any eq 137
access-list 101 permit tcp any any eq 138
access-list 101 permit udp any any eq ntp
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-ss
access-list 101 permit tcp any any eq 13000
access-list 101 permit tcp any any eq 14000
access-list 101 permit tcp any any eq 3351
access-list 101 permit tcp any any eq 1583
access-list 101 permit udp any any eq syslog
access-list 101 permit ip 192.168.80.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip 192.168.70.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip host 192.168.60.207 host 192.168.10.10
access-list 101 permit ip 192.168.40.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip any host 192.168.60.40
access-list 101 permit ip host 192.168.10.10 host 192.168.20.20
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq pop3 any
access-list 101 permit tcp any any range 1024 65535
access-list 101 permit tcp any range 1024 65535 any
access-list 101 permit udp any any range 1024 65535
access-list 101 permit udp any range 1024 65535 any
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 389
access-list 102 permit ip any host 192.168.20.20
access-list 102 permit ip any host 192.168.20.55
access-list 102 permit ip any host 192.168.30.2
access-list 102 permit ip any host 192.168.30.4
access-list 102 permit ip any host 192.168.30.65
access-list 102 permit ip any host 192.168.90.40
access-list 102 permit ip any host 192.168.100.100
access-list 102 permit ip any host 192.168.100.200
access-list 102 permit ip host 192.168.60.40 any
access-list 102 permit ip any host 192.168.90.1
access-list 102 permit ip any host 192.168.90.2
access-list 102 permit ip host 192.168.90.40 any
access-list 102 permit ip host 192.168.60.207 host 192.168.10.10
access-list 102 permit ip host 192.168.90.2 any
access-list 102 permit ip host 192.168.40.202 host 192.168.10.10
access-list 102 permit ip host 192.168.40.203 host 192.168.10.10
access-list 102 permit ip host 192.168.40.204 host 192.168.10.10
access-list 102 permit ip host 192.168.40.205 host 192.168.10.10
access-list 102 permit ip host 192.168.90.207 host 192.168.10.10
access-list 102 permit ip any host 64.69.195.50
access-list 102 permit ip any host 64.27.240.50
access-list 102 permit ip any host 64.69.195.51
access-list 102 permit ip any host 64.27.240.51
access-list 105 permit ip 0.0.0.0 255.255.255.0 any
access-list 110 permit ip host 192.168.20.20 any
access-list 110 permit ip host 192.168.20.55 host 192.168.10.10
access-list 110 permit ip host 192.168.100.100 host 192.168.10.10
access-list 110 permit ip host 192.168.100.200 host 192.168.10.10
access-list 110 permit ip host 192.168.100.250 host 192.168.10.10
access-list 110 permit ip host 192.168.80.98 host 192.168.10.10
access-list 110 permit ip host 192.168.80.3 host 192.168.10.10
access-list 110 permit ip any host 195.27.162.31
access-list 110 permit ip any host 195.27.162.155
access-list 110 permit ip host 192.168.90.207 host 192.168.10.10
access-list 110 permit ip host 192.168.70.2 host 192.168.10.10
access-list 110 permit ip host 192.168.80.210 host 192.168.10.10
access-list 110 permit ip host 192.168.80.6 host 192.168.10.10
access-list 110 permit ip host 192.168.80.18 host 192.168.10.10
access-list 110 permit ip host 192.168.80.2 host 192.168.10.10
access-list 110 permit ip host 192.168.80.217 host 192.168.10.10
access-list 110 permit ip host 192.168.80.9 host 192.168.10.10
access-list 110 permit ip host 192.168.80.80 host 192.168.10.10
access-list 110 permit ip host 192.168.80.178 host 192.168.10.10
access-list 110 permit ip host 192.168.80.51 host 192.168.10.10
access-list 110 permit ip host 192.168.80.51 host 202.1.192.196
access-list 110 permit ip host 192.168.80.251 host 192.168.10.10
access-list 110 permit ip host 192.168.80.251 host 208.68.106.6
access-list 110 permit ip host 192.168.80.251 host 208.68.104.106
access-list 110 permit ip host 192.168.80.51 host 208.68.106.6
access-list 110 permit ip host 192.168.80.51 host 208.68.104.106
access-list 110 permit ip host 192.168.40.203 host 192.168.10.10
access-list 110 permit ip host 192.168.40.204 host 192.168.10.10
access-list 110 permit ip host 192.168.40.205 host 192.168.10.10
access-list 110 permit ip host 192.168.100.100 host 192.168.10.4
access-list 110 permit ip host 192.168.100.200 any
access-list 110 permit ip host 192.168.40.202 host 192.168.10.10
access-list 110 permit ip host 192.168.80.8 host 192.168.10.10
access-list 110 permit ip host 192.168.80.202 host 192.168.10.10
access-list 110 permit ip host 192.168.70.7 host 192.168.10.10
access-list 110 permit ip host 192.168.100.50 host 192.168.10.10
access-list 110 permit ip host 192.168.80.5 host 192.168.10.10
access-list 110 permit ip host 192.168.80.200 host 192.168.10.10
access-list 110 permit ip host 192.168.80.53 host 192.168.10.10
access-list 110 permit ip host 192.168.80.52 host 192.168.10.10
access-list 110 permit ip host 192.168.80.222 host 192.168.10.10
access-list 110 permit ip host 192.168.80.58 host 192.168.10.10
access-list 110 permit ip host 192.168.80.55 host 192.168.10.10
access-list 110 permit ip host 192.168.80.57 host 192.168.10.10
access-list 110 permit ip host 192.168.80.54 host 192.168.10.10
access-list 110 permit ip host 192.168.80.21 host 192.168.10.10
access-list 110 permit ip host 192.168.70.30 host 192.168.10.10
access-list 110 permit ip host 192.168.80.206 host 192.168.10.10
access-list 110 permit ip host 192.168.100.101 host 192.168.10.10
access-list 110 permit ip host 192.168.70.3 host 192.168.10.10
access-list 110 permit ip host 192.168.70.6 host 192.168.10.10
access-list 110 permit ip host 192.168.100.80 host 192.168.10.10
access-list 110 permit ip host 192.168.80.7 host 192.168.10.10
access-list 110 permit ip host 192.168.80.201 host 192.168.10.10
access-list 140 permit ip host 192.168.90.207 host 192.168.10.10
snmp-server community
snmp-server community READONLY RW 98
snmp-server enable traps license
!
control-plane
!
!
line con 0
password
logging synchronous
login local
line vty 0 4
access-class 23 in
privilege level 15
password
logging synchronous
login local
transport input none
line vty 5
access-class 23 in
privilege level 15
password
logging synchronous
login local
transport input none
line vty 6 15
access-class 23 in
login
transport input none
!
ntp server 192.168.20.20
end
EDGE_Switch#
EDGE_Switch#
EDGE_Switch#
ASKER
i have added the following 2 lines to access-list 102
permit gre any any
permit tcp any any eq 1723
permit gre any any
permit tcp any any eq 1723
What Vlans are you clients connected to that are unable to access VPN?
You access lists are probably denying the VPN traffic. For VPN you need to allow UDP 500 and PROTOCOL 50 or 51 depending on the type of encryption. A "permit ip x.x.x.x y.y.y.y" entry will allow protocol 50 and 51
Have a look at the following for an overview of VLAN ACL's:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html
You access lists are probably denying the VPN traffic. For VPN you need to allow UDP 500 and PROTOCOL 50 or 51 depending on the type of encryption. A "permit ip x.x.x.x y.y.y.y" entry will allow protocol 50 and 51
Have a look at the following for an overview of VLAN ACL's:
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html
ASKER
vlan 90 and 40
Another way to determine if your ACL is blocking the traffic is to add a "deny ip any any log" to the end of the ACL. The log command will cause any failed packet to generate a syslog entry which you can view to troubleshoot.
Is the VPN remote end an IP address listed in access list 102?
ASKER
yes it is there
from client pc's i can ping to vpn remote end
from client pc's i can ping to vpn remote end
A quick and dirty way to identify if it is an access list issue is to remove the access list and see if a client is able to connect. e.g.
int vlan 40
no ip access-group 102 in
int vlan 90
no ip access-group 102 in
If the client is able to connect than it is an access-list problem. If you can't provide further information try the "deny ip any any log" at the and of access list 102 to identify where the traffic is being blocked.
If you can provide more details about the problem, source, destination etc I can offer more advice.
int vlan 40
no ip access-group 102 in
int vlan 90
no ip access-group 102 in
If the client is able to connect than it is an access-list problem. If you can't provide further information try the "deny ip any any log" at the and of access list 102 to identify where the traffic is being blocked.
If you can provide more details about the problem, source, destination etc I can offer more advice.
ASKER
i have added deny ip any any log to the end of acl 102
and i try to vpn connection it shows only udp 137 denied
and i try to vpn connection it shows only udp 137 denied
ASKER
i have removed accesslist from vlan 90, still same issue "failed to get tcp connection" reason 414
Are the settings on the VPN client and the VPN gateway the same?
Is one configured for NAT-T and the other is not? This could explain the problem you are seeing
Is one configured for NAT-T and the other is not? This could explain the problem you are seeing
ASKER
my firewall have 3 interface
1- external
2- local (connected to catalyst 3750)
2-loca (connected to unmanage switch)
clients connected to unmanage swith is able to connect to vpn gateway
clients on 3750 switch cannot, so its a issue in the switch
1- external
2- local (connected to catalyst 3750)
2-loca (connected to unmanage switch)
clients connected to unmanage swith is able to connect to vpn gateway
clients on 3750 switch cannot, so its a issue in the switch
Possibly an issue with the switch yes. Although with you having removed the ACL on VLAN 90 I would start looking elsewhere.
Can you move the client who is connected to the switch and failing VPN connectivity to the unmanaged switch and try again? If the client still fails then it definitely points to the switch.
The other problem may be you're NAT'ing the VLAN 90 IP addresses on the firewall but not NAT'ing the unmanaged switch IP addresses.
Can you move the client who is connected to the switch and failing VPN connectivity to the unmanaged switch and try again? If the client still fails then it definitely points to the switch.
The other problem may be you're NAT'ing the VLAN 90 IP addresses on the firewall but not NAT'ing the unmanaged switch IP addresses.
ASKER
i moved the client to unmanage switch, vpn is working
and again i moved to cisco switch, vpn doesnt connect
and again i moved to cisco switch, vpn doesnt connect
Ok that indicates to me that the client is configured correctly.
You previously removed the access list so that should have passed all traffic.
That indicates that there is some configuration differences on your firewall between the two interfaces, the one that connects to the unmanaged switch and the one that connects to the cisco switch. Are VLAN 90 clients being NAT'd on the firewall?
You previously removed the access list so that should have passed all traffic.
That indicates that there is some configuration differences on your firewall between the two interfaces, the one that connects to the unmanaged switch and the one that connects to the cisco switch. Are VLAN 90 clients being NAT'd on the firewall?
The Firewall is 192.168.10.10, right?
You also have access-list 110 outbound on the VLAN10 interface where you need to permit the VPN traffic in addition to access-list 102.
ip access-list ext 110
permit gre any any
permit tcp any any eq 1723
...
You also have access-list 110 outbound on the VLAN10 interface where you need to permit the VPN traffic in addition to access-list 102.
ip access-list ext 110
permit gre any any
permit tcp any any eq 1723
...
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
192.168.10.10 is firewall
ip access-list ext 110
permit gre any any
permit tcp any any eq 1723
permit ip any host x.x.x.x
x.x.x.x is vpn gateway
yes NAT is on firewall
ip access-list ext 110
permit gre any any
permit tcp any any eq 1723
permit ip any host x.x.x.x
x.x.x.x is vpn gateway
yes NAT is on firewall
Still not working with the access-list 110 addition?
Add this to access-list 102 also:
ip access-list ext 102
permit ip any host x.x.x.x
x.x.x.x is vpn gateway
Add this to access-list 102 also:
ip access-list ext 102
permit ip any host x.x.x.x
x.x.x.x is vpn gateway
The Firewall has routes back to these VLAN subnets via 192.168.10.1, right? Does regular internet access work from VLAN90, VLAN40, etc...?
ASKER
JFrederick29 is the MAN
permitting tcp port 1723 and GRE is for when you are using PPTP, not for IKE and IPSEC (which I'm guessing you're using as you have the Cisco VPN client installed).
Although the, following statement would be required:
ip access-list ext 110
permit ip any host x.x.x.x
Is the outbound NAT'ing on the firewall the same for both your internal interfaces?
Although the, following statement would be required:
ip access-list ext 110
permit ip any host x.x.x.x
Is the outbound NAT'ing on the firewall the same for both your internal interfaces?