Solved

No access to VPN Resources, Cisco SR 520

Posted on 2009-07-06
Last Modified: 2012-06-27
I have a Cisco SR 520.  Users can connect to the VPN with both IPSEC and SSL Clients.  However, once connected, the users cannot access any resources.  An IPSCAN only returns a ping from the Router itself and the IP assigned to the VPN client.  I'm sure there is an ACL I am missing, but I'm just not seeing it.

Current configuration : 8457 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SR520
!
boot-start-marker
boot system flash sr520-advipservicesk9-mz.124-24.T1.bin
boot-end-marker
!
security authentication failure rate 5 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login tango_authen_login line local
aaa authentication login EZVPN_GROUP_1 local
aaa authorization exec default local
aaa authorization exec tango_author_exec if-authenticated
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
aaa authorization network EZVPN_GROUP_1 local
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki trustpoint XXXX
 enrollment selfsigned
 subject-name cn=XXXX
 revocation-check none
 rsakeypair XXXX
!
!
crypto pki certificate chain XXXX
 certificate self-signed 01
  XXXX
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.100 192.168.1.255
!
ip dhcp pool inside
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 68.87.72.130 68.87.77.130
!
!
ip cef
no ip bootp server
ip name-server 68.87.72.130
ip name-server 68.87.77.130
ip ips config location flash:/ips/ retries 5 timeout 5
ip ips notify SDEE
ip ips name sdm_ips_rule
!        
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username X privilege 15 secret 5 X
username Y privilege 15 secret 5 Y
username Z secret 5 Z
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub
  key-string
   XXXX
  quit
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key X
 dns 68.87.72.130 68.87.77.130
 pool SDM_POOL_1
 acl 100
 max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address respond
   virtual-template 5
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!        
process-max-time 150
!
ip tcp synwait-time 10
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 switchport access vlan 75
!
interface FastEthernet1
 switchport access vlan 75
!
interface FastEthernet2
 switchport access vlan 75
!
interface FastEthernet3
 switchport access vlan 75
!
interface FastEthernet4
 ip address X.X.X.X 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
!
interface Virtual-Template5 type tunnel
 ip unnumbered Vlan75
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan75
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
!
ip local pool SDM_WEBVPN_POOL_1 192.168.1.210 192.168.1.219
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.209
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.151 22 interface FastEthernet4 22
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit WAN STATIC IP 0.0.0.3
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
 password 7 X
 logging synchronous
 no modem enable
 history size 256
 transport output telnet
line aux 0
 transport output telnet
line vty 0 2
 password 7 X
 authorization exec tango_author_exec
 login authentication tango_authen_login
 transport input telnet ssh
line vty 3
 password 7 X
 authorization exec tango_author_exec
 login authentication tango_authen_login
 transport input all
line vty 4
 password 7 X
 authorization exec tango_author_exec
 logging synchronous
 login authentication tango_authen_login
 history size 256
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway SDM_WEBVPN_GATEWAY_1
 ip address X port 443  
 ssl trustpoint X
 inservice
 !
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
 !
webvpn context SDM_WEBVPN_CONTEXT_1
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1"
   svc keep-client-installed
   svc split include 192.168.1.0 255.255.255.0
   svc dns-server primary 68.87.72.130
   svc dns-server secondary 68.87.77.130
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 inservice
!        
end
Question by:Blackline
4 Comments

Expert Comment

by:Jan Springer
ID: 24786373
Two comments come to mind immediately:

1) The pool of IPs that you hand to VPN clients must not be from the same network as your internal netblock (i.e., use 192.168.255.0/24 or something else for VPN clients).

2) Your ACL 2 for NAT must have a line before the permit statement excluding NAT between the VPN pool and 192.168.1.0/24.

Author Comment

by:Blackline
ID: 24786851
1)  So the DHCP block for the VPN can't be from the same DHCP address block given out by the routers to the internal clients?  
2)  Not sure how to phrase that ACL statement.  Can you give me an example please?
 

Accepted Solution

by:Jan Springer (earned 500 total points)
ID: 24786993
1) That's correct.

2) ACL, presuming the VPN pool is 192.168.255.0/24:

    no access-list 2
    access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.255.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any

    no ip nat inside source list 2 interface FastEthernet4 overload
    ip nat inside source list 102 interface FastEthernet4 overload
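As an added illustration (not part of the thread, and not Cisco's code), a small Python model of the two points in the accepted answer: whether the router's "ip local pool" ranges fall inside the 192.168.1.0/24 LAN, and how IOS wildcard-mask, first-match ACL evaluation makes the original ACL 2 translate LAN-to-VPN-pool traffic while the proposed ACL 102 exempts it. The parser handles the numbered standard and extended "access-list" forms that appear on this page plus the "any" and "host" keywords; it is a constructed model, not an IOS parser.

```python
import ipaddress

# Constructed model of Cisco IOS numbered ACL matching: the first matching entry
# wins; wildcard 1-bits are "don't care", 0-bits must match; unmatched = implicit deny.

def wildcard_match(addr, base, wildcard):
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr_spec(t, i):
    """Consume one address spec at t[i]: 'any', 'host A', 'A WILDCARD' or bare 'A'."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 >= len(t):                       # standard ACL: bare address means host
        return (t[i], "0.0.0.0"), i + 1
    return (t[i], t[i + 1]), i + 2

def parse_acl(lines):
    """Parse 'access-list N action ...' lines into (action, (src, wc), (dst, wc))."""
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        if t[3] == "ip":                      # extended ACL: source then destination
            src, i = _addr_spec(t, 4)
            dst, _ = _addr_spec(t, i)
        else:                                 # standard ACL: source only
            src, _ = _addr_spec(t, 3)
            dst = ("0.0.0.0", "255.255.255.255")
        aces.append((t[2], src, dst))
    return aces

def nat_applies(acl, src, dst):
    """True if 'ip nat inside source list <acl>' would translate a src->dst packet."""
    for action, (sb, sw), (db, dw) in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action == "permit"
    return False

def pool_inside_lan(lan_cidr, first, last):
    """True if an 'ip local pool first last' range starts or ends inside the LAN subnet."""
    lan = ipaddress.ip_network(lan_cidr)
    return ipaddress.IPv4Address(first) in lan or ipaddress.IPv4Address(last) in lan

# The thread's original NAT list (ACL 2) and the accepted answer's replacement (ACL 102).
ACL_2 = parse_acl(["access-list 2 permit 192.168.1.0 0.0.0.255"])
ACL_102 = parse_acl(["access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.255.0 0.0.0.255",
                     "access-list 102 permit ip 192.168.1.0 0.0.0.255 any"])
```

With the page's pools, pool_inside_lan("192.168.1.0/24", "192.168.1.200", "192.168.1.209") returns True, and nat_applies(ACL_2, "192.168.1.50", "192.168.255.10") returns True while the same call against ACL_102 returns False.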

Author Closing Comment

by:Blackline
ID: 31600180
I just got off with TAC who said the exact same thing you did.   Thanks a lot, I appreciate it!