We help IT Professionals succeed at work.

We've partnered with Certified Experts, Carl Webster and Richard Faulkner, to bring you two Citrix podcasts. Learn about 2020 trends and get answers to your biggest Citrix questions!Listen Now

x

catalyst 3750 issue

ammadeyy2020
ammadeyy2020 asked
on
Medium Priority
543 Views
Last Modified: 2012-08-13
my clients are connected to catalyst 3750, they cannot connect to vpn
without the switch they can connect to vpn
how can i fix switch to pass vpn traffic
Comment
Watch Question

Commented:
please post config of a switch

Author

Commented:
do u need the entire config?




Press RETURN to get started.


User Access Verification

Username:
Password:
EDGE_Switch#sh run
EDGE_Switch#sh running-config
Building configuration...

Current configuration : 11415 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname EDGE_Switch
!
!

no aaa new-model
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
archive
 log config
  logging enable
  logging size 200
  notify syslog
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1


 
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 110 out
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan60
 ip address 192.168.60.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan80
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan90
 ip address 192.168.90.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip access-group 102 in
!
router rip
 network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
no ip http server
!
logging 192.168.30.65
access-list 23 deny   any
access-list 98 permit 192.168.100.100
access-list 100 permit tcp host 192.168.100.100 host 192.168.100.1 eq telnet
access-list 101 permit ip host 192.168.100.100 any
 --More--

Author

Commented:
from the client pc's im able to ping to vpn server on remote office

Author

Commented:
im using cisco vpn client 4.0.3 (D)

Author

Commented:

EDGE_Switch#
EDGE_Switch#
EDGE_Switch#sh run
EDGE_Switch#sh running-config
Building configuration...

Current configuration : 11415 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname EDGE_Switch
!
!

no aaa new-model
switch 1 provision ws-c3750e-24td
system mtu routing 1500
ip subnet-zero
ip routing
no ip domain-lookup
!
!
!
!
archive
 log config
  logging enable
  logging size 200
  notify syslog
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0
 no ip address
 shutdown
!
interface GigabitEthernet1/0/1

 switchport access vlan 10
!
interface GigabitEthernet1/0/2

 switchport access vlan 20
!
interface GigabitEthernet1/0/3

 switchport access vlan 20
!
interface GigabitEthernet1/0/4

 switchport access vlan 30
!
interface GigabitEthernet1/0/5

 switchport access vlan 30
!
interface GigabitEthernet1/0/6

 switchport access vlan 30
!
interface GigabitEthernet1/0/7

 switchport access vlan 30
!
interface GigabitEthernet1/0/8

 switchport access vlan 30
!
interface GigabitEthernet1/0/9

 switchport access vlan 30
!
interface GigabitEthernet1/0/10

 switchport access vlan 40
!
interface GigabitEthernet1/0/11

 switchport access vlan 50
!
interface GigabitEthernet1/0/12

 switchport access vlan 90
!
interface GigabitEthernet1/0/13

 switchport access vlan 20
!
interface GigabitEthernet1/0/14

 switchport access vlan 80
!
interface GigabitEthernet1/0/15

 switchport access vlan 80
!
interface GigabitEthernet1/0/16

 switchport access vlan 80
!
interface GigabitEthernet1/0/17

 switchport access vlan 100
!
interface GigabitEthernet1/0/18

 switchport access vlan 100
!
interface GigabitEthernet1/0/19

 switchport access vlan 100
!
interface GigabitEthernet1/0/20

 switchport access vlan 100
!
interface GigabitEthernet1/0/21
 switchport access vlan 101
!
interface GigabitEthernet1/0/22
 switchport access vlan 101
!
interface GigabitEthernet1/0/23
 switchport access vlan 70
!
interface GigabitEthernet1/0/24
 switchport access vlan 90
!
interface GigabitEthernet1/0/25
!
interface GigabitEthernet1/0/26
!
interface GigabitEthernet1/0/27
!
interface GigabitEthernet1/0/28
!
interface TenGigabitEthernet1/0/1
!
interface TenGigabitEthernet1/0/2
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip access-group 110 out
!
interface Vlan20
 ip address 192.168.20.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan30
 ip address 192.168.30.1 255.255.255.0
 ip access-group 101 out
!
interface Vlan40
 ip address 192.168.40.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan50
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan60
 ip address 192.168.60.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan70
 ip address 192.168.70.1 255.255.255.0
!
interface Vlan80
 ip address 192.168.80.1 255.255.255.0
!
interface Vlan90
 ip address 192.168.90.1 255.255.255.0
 ip access-group 102 in
!
interface Vlan100
 ip address 192.168.100.1 255.255.255.0
!
interface Vlan101
 ip address 192.168.101.1 255.255.255.0
 ip access-group 102 in
!
router rip
 network 192.168.0.0
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.10.10
no ip http server
!
logging 192.168.30.65
access-list 23 deny   any
access-list 98 permit 192.168.100.100
access-list 100 permit tcp host 192.168.100.100 host 192.168.100.1 eq telnet
access-list 101 permit ip host 192.168.100.100 any
access-list 101 permit ip any host 192.168.100.200
access-list 101 permit udp any any eq domain
access-list 101 permit tcp any any eq 389
access-list 101 permit tcp any any eq 445
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq pop3
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq 1433
access-list 101 permit tcp any any eq 1025
access-list 101 permit tcp any any eq 88
access-list 101 permit udp any any eq 88
access-list 101 permit tcp any any eq 135
access-list 101 permit udp any any eq 135
access-list 101 permit tcp any any eq 137
access-list 101 permit tcp any any eq 138
access-list 101 permit udp any any eq ntp
access-list 101 permit udp any any eq netbios-dgm
access-list 101 permit udp any any eq netbios-ns
access-list 101 permit udp any any eq netbios-ss
access-list 101 permit tcp any any eq 13000
access-list 101 permit tcp any any eq 14000
access-list 101 permit tcp any any eq 3351
access-list 101 permit tcp any any eq 1583
access-list 101 permit udp any any eq syslog
access-list 101 permit ip 192.168.80.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip 192.168.70.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip host 192.168.60.207 host 192.168.10.10
access-list 101 permit ip 192.168.40.0 0.0.0.255 host 192.168.10.10
access-list 101 permit ip any host 192.168.60.40
access-list 101 permit ip host 192.168.10.10 host 192.168.20.20
access-list 101 permit udp any eq domain any
access-list 101 permit tcp any eq pop3 any
access-list 101 permit tcp any any range 1024 65535
access-list 101 permit tcp any range 1024 65535 any
access-list 101 permit udp any any range 1024 65535
access-list 101 permit udp any range 1024 65535 any
access-list 101 permit tcp any any established
access-list 101 permit udp any any eq 389
access-list 102 permit ip any host 192.168.20.20
access-list 102 permit ip any host 192.168.20.55
access-list 102 permit ip any host 192.168.30.2
access-list 102 permit ip any host 192.168.30.4
access-list 102 permit ip any host 192.168.30.65
access-list 102 permit ip any host 192.168.90.40
access-list 102 permit ip any host 192.168.100.100
access-list 102 permit ip any host 192.168.100.200
access-list 102 permit ip host 192.168.60.40 any
access-list 102 permit ip any host 192.168.90.1
access-list 102 permit ip any host 192.168.90.2
access-list 102 permit ip host 192.168.90.40 any
access-list 102 permit ip host 192.168.60.207 host 192.168.10.10
access-list 102 permit ip host 192.168.90.2 any
access-list 102 permit ip host 192.168.40.202 host 192.168.10.10
access-list 102 permit ip host 192.168.40.203 host 192.168.10.10
access-list 102 permit ip host 192.168.40.204 host 192.168.10.10
access-list 102 permit ip host 192.168.40.205 host 192.168.10.10
access-list 102 permit ip host 192.168.90.207 host 192.168.10.10
access-list 102 permit ip any host 64.69.195.50
access-list 102 permit ip any host 64.27.240.50
access-list 102 permit ip any host 64.69.195.51
access-list 102 permit ip any host 64.27.240.51
access-list 105 permit ip 0.0.0.0 255.255.255.0 any
access-list 110 permit ip host 192.168.20.20 any
access-list 110 permit ip host 192.168.20.55 host 192.168.10.10
access-list 110 permit ip host 192.168.100.100 host 192.168.10.10
access-list 110 permit ip host 192.168.100.200 host 192.168.10.10
access-list 110 permit ip host 192.168.100.250 host 192.168.10.10
access-list 110 permit ip host 192.168.80.98 host 192.168.10.10
access-list 110 permit ip host 192.168.80.3 host 192.168.10.10
access-list 110 permit ip any host 195.27.162.31
access-list 110 permit ip any host 195.27.162.155
access-list 110 permit ip host 192.168.90.207 host 192.168.10.10
access-list 110 permit ip host 192.168.70.2 host 192.168.10.10
access-list 110 permit ip host 192.168.80.210 host 192.168.10.10
access-list 110 permit ip host 192.168.80.6 host 192.168.10.10
access-list 110 permit ip host 192.168.80.18 host 192.168.10.10
access-list 110 permit ip host 192.168.80.2 host 192.168.10.10
access-list 110 permit ip host 192.168.80.217 host 192.168.10.10
access-list 110 permit ip host 192.168.80.9 host 192.168.10.10
access-list 110 permit ip host 192.168.80.80 host 192.168.10.10
access-list 110 permit ip host 192.168.80.178 host 192.168.10.10
access-list 110 permit ip host 192.168.80.51 host 192.168.10.10
access-list 110 permit ip host 192.168.80.51 host 202.1.192.196
access-list 110 permit ip host 192.168.80.251 host 192.168.10.10
access-list 110 permit ip host 192.168.80.251 host 208.68.106.6
access-list 110 permit ip host 192.168.80.251 host 208.68.104.106
access-list 110 permit ip host 192.168.80.51 host 208.68.106.6
access-list 110 permit ip host 192.168.80.51 host 208.68.104.106
access-list 110 permit ip host 192.168.40.203 host 192.168.10.10
access-list 110 permit ip host 192.168.40.204 host 192.168.10.10
access-list 110 permit ip host 192.168.40.205 host 192.168.10.10
access-list 110 permit ip host 192.168.100.100 host 192.168.10.4
access-list 110 permit ip host 192.168.100.200 any
access-list 110 permit ip host 192.168.40.202 host 192.168.10.10
access-list 110 permit ip host 192.168.80.8 host 192.168.10.10
access-list 110 permit ip host 192.168.80.202 host 192.168.10.10
access-list 110 permit ip host 192.168.70.7 host 192.168.10.10
access-list 110 permit ip host 192.168.100.50 host 192.168.10.10
access-list 110 permit ip host 192.168.80.5 host 192.168.10.10
access-list 110 permit ip host 192.168.80.200 host 192.168.10.10
access-list 110 permit ip host 192.168.80.53 host 192.168.10.10
access-list 110 permit ip host 192.168.80.52 host 192.168.10.10
access-list 110 permit ip host 192.168.80.222 host 192.168.10.10
access-list 110 permit ip host 192.168.80.58 host 192.168.10.10
access-list 110 permit ip host 192.168.80.55 host 192.168.10.10
access-list 110 permit ip host 192.168.80.57 host 192.168.10.10
access-list 110 permit ip host 192.168.80.54 host 192.168.10.10
access-list 110 permit ip host 192.168.80.21 host 192.168.10.10
access-list 110 permit ip host 192.168.70.30 host 192.168.10.10
access-list 110 permit ip host 192.168.80.206 host 192.168.10.10
access-list 110 permit ip host 192.168.100.101 host 192.168.10.10
access-list 110 permit ip host 192.168.70.3 host 192.168.10.10
access-list 110 permit ip host 192.168.70.6 host 192.168.10.10
access-list 110 permit ip host 192.168.100.80 host 192.168.10.10
access-list 110 permit ip host 192.168.80.7 host 192.168.10.10
access-list 110 permit ip host 192.168.80.201 host 192.168.10.10

access-list 140 permit ip host 192.168.90.207 host 192.168.10.10
snmp-server community
snmp-server community READONLY RW 98
snmp-server enable traps license
!
control-plane
!
!
line con 0
 password
 logging synchronous
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 password
 logging synchronous
 login local
 transport input none
line vty 5
 access-class 23 in
 privilege level 15
 password
 logging synchronous
 login local
 transport input none
line vty 6 15
 access-class 23 in
 login
 transport input none
!
ntp server 192.168.20.20
end

EDGE_Switch#
EDGE_Switch#
EDGE_Switch#

Author

Commented:
i have added the following 2 lines to access-list 102
permit gre any any
permit tcp any any eq 1723

Commented:
What Vlans are you clients connected to that are unable to access VPN?

You access lists are probably denying the VPN traffic.  For VPN you need to allow UDP 500 and PROTOCOL 50 or 51 depending on the type of encryption.  A "permit ip x.x.x.x y.y.y.y" entry will allow protocol 50 and 51

Have a look at the following for an overview of VLAN ACL's:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html

Author

Commented:
vlan 90 and 40

Commented:
Another way to determine if your ACL is blocking the traffic is to add a "deny ip any any log" to the end of the ACL.  The log command will cause any failed packet to generate a syslog entry which you can view to troubleshoot.

Commented:
Is the VPN remote end an IP address listed in access list 102?

Author

Commented:
yes it is there
from client pc's i can ping to vpn remote end

Commented:
A quick and dirty way to identify if it is an access list issue is to remove the access list and see if a client is able to connect. e.g.

int vlan 40
 no ip access-group 102 in

int vlan 90
 no ip access-group 102 in

If the client is able to connect than it is an access-list problem.  If you can't provide further information try the "deny ip any any log" at the and of access list 102 to identify where the traffic is being blocked.

If you can provide more details about the problem, source, destination etc I can offer more advice.

Author

Commented:
i have added deny ip any any log to the end of acl 102

and i try to vpn connection it shows only udp 137 denied

Author

Commented:
i have removed accesslist from vlan 90, still same issue "failed to get tcp connection" reason 414

Commented:
Are the settings on the VPN client and the VPN gateway the same?

Is one configured for NAT-T and the other is not?  This could explain the problem you are seeing

Author

Commented:
my firewall have 3 interface
1- external
2- local (connected to catalyst  3750)
2-loca (connected to unmanage switch)

clients connected to unmanage swith is able to connect to vpn gateway
clients on 3750 switch cannot, so its a issue in the switch

Commented:
Possibly an issue with the switch yes.  Although with you having removed the ACL on VLAN 90 I would start looking elsewhere.

Can you move the client who is connected to the switch and failing VPN connectivity to the unmanaged switch and try again?  If the client still fails then it definitely points to the switch.

The other problem may be you're NAT'ing the VLAN 90 IP addresses on the firewall but not NAT'ing the unmanaged switch IP addresses.

Author

Commented:
i moved the client to unmanage switch, vpn is working
and again i moved to cisco switch, vpn doesnt connect

Commented:
Ok that indicates to me that the client is configured correctly.

You previously removed the access list so that should have passed all traffic.

That indicates that there is some configuration differences on your firewall between the two interfaces, the one that connects to the unmanaged switch and the one that connects to the cisco switch.  Are VLAN 90 clients being NAT'd on the firewall?
Top Expert 2009

Commented:
The Firewall is 192.168.10.10, right?

You also have access-list 110 outbound on the VLAN10 interface where you need to permit the VPN traffic in addition to access-list 102.

ip access-list ext 110
permit gre any any
permit tcp any any eq 1723
...
Top Expert 2009
Commented:
Also, access-list 102:

ip access-list ext 102
permit tcp any eq 1723 any

Not the solution you were looking for? Getting a personalized solution is easy.

Ask the Experts

Author

Commented:
192.168.10.10 is firewall

ip access-list ext 110
permit gre any any
permit tcp any any eq 1723
permit ip any host x.x.x.x

x.x.x.x is vpn gateway

yes NAT is on firewall
Top Expert 2009

Commented:
Still not working with the access-list 110 addition?

Add this to access-list 102 also:

ip access-list ext 102
permit ip any host x.x.x.x

x.x.x.x is vpn gateway
Top Expert 2009

Commented:
The Firewall has routes back to these VLAN subnets via 192.168.10.1, right?  Does regular internet access work from VLAN90, VLAN40, etc...?

Author

Commented:
JFrederick29 is the MAN

Commented:
permitting tcp port 1723 and GRE is for when you are using PPTP, not for IKE and IPSEC (which I'm guessing you're using as you have the Cisco VPN client installed).

Although the, following statement would be required:

ip access-list ext 110
 permit ip any host x.x.x.x

Is the outbound NAT'ing on the firewall the same for both your internal interfaces?

Access more of Experts Exchange with a free account
Thanks for using Experts Exchange.

Create a free account to continue.

Limited access with a free account allows you to:

  • View three pieces of content (articles, solutions, posts, and videos)
  • Ask the experts questions (counted toward content limit)
  • Customize your dashboard and profile

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.