No access to VPN Resources, Cisco SR 520
I have a Cisco SR 520. Users can connect to the VPN with both IPSEC and SSL Clients. However, once connected, the users cannot access any resources. An IPSCAN only returns a ping from the Router itself and the IP assigned to the VPN client. I'm sure there is an ACL I am missing, but I'm just not seeing it.
Current configuration : 8457 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SR520
!
boot-start-marker
boot system flash sr520-advipservicesk9-mz.1
boot-end-marker
!
security authentication failure rate 5 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login tango_authen_login line local
aaa authentication login EZVPN_GROUP_1 local
aaa authorization exec default local
aaa authorization exec tango_author_exec if-authenticated
aaa authorization network Foxtrot_sdm_easyvpn_group_
aaa authorization network EZVPN_GROUP_1 local
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki trustpoint XXXX
enrollment selfsigned
subject-name cn=XXXX
revocation-check none
rsakeypair XXXX
!
!
crypto pki certificate chain XXXX
certificate self-signed 01
XXXX
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.100 192.168.1.255
!
ip dhcp pool inside
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 68.87.72.130 68.87.77.130
!
!
ip cef
no ip bootp server
ip name-server 68.87.72.130
ip name-server 68.87.77.130
ip ips config location flash:/ips/ retries 5 timeout 5
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username X privilege 15 secret 5 X
usernameY privilege 15 secret 5 Y
username Z secret 5 Z
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
XXXX
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
key X
dns 68.87.72.130 68.87.77.130
pool SDM_POOL_1
acl 100
max-users 10
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_
isakmp authorization list Foxtrot_sdm_easyvpn_group_
client configuration address respond
virtual-template 5
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
process-max-time 150
!
ip tcp synwait-time 10
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
ip address X.X.X.X 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
crypto map static-map
!
interface Virtual-Template5 type tunnel
ip unnumbered Vlan75
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan75
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule in
ip virtual-reassembly
!
ip local pool SDM_WEBVPN_POOL_1 192.168.1.210 192.168.1.219
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.209
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.151 22 interface FastEthernet4 22
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit WAN STATIC IP 0.0.0.3
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
password 7 X
logging synchronous
no modem enable
history size 256
transport output telnet
line aux 0
transport output telnet
line vty 0 2
password 7 X
authorization exec tango_author_exec
login authentication tango_authen_login
transport input telnet ssh
line vty 3
password 7 X
authorization exec tango_author_exec
login authentication tango_authen_login
transport input all
line vty 4
password 7 X
authorization exec tango_author_exec
logging synchronous
login authentication tango_authen_login
history size 256
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address X port 443
ssl trustpoint X
inservice
!
webvpn install svc flash:/webvpn/sslclient-wi
!
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group SDM_WEBVPN_POLICY_1
functions svc-enabled
svc address-pool "SDM_WEBVPN_POOL_1"
svc keep-client-installed
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 68.87.72.130
svc dns-server secondary 68.87.77.130
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
inservice
!
end
Current configuration : 8457 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SR520
!
boot-start-marker
boot system flash sr520-advipservicesk9-mz.1
boot-end-marker
!
security authentication failure rate 5 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login tango_authen_login line local
aaa authentication login EZVPN_GROUP_1 local
aaa authorization exec default local
aaa authorization exec tango_author_exec if-authenticated
aaa authorization network Foxtrot_sdm_easyvpn_group_
aaa authorization network EZVPN_GROUP_1 local
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki trustpoint XXXX
enrollment selfsigned
subject-name cn=XXXX
revocation-check none
rsakeypair XXXX
!
!
crypto pki certificate chain XXXX
certificate self-signed 01
XXXX
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.100 192.168.1.255
!
ip dhcp pool inside
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 68.87.72.130 68.87.77.130
!
!
ip cef
no ip bootp server
ip name-server 68.87.72.130
ip name-server 68.87.77.130
ip ips config location flash:/ips/ retries 5 timeout 5
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username X privilege 15 secret 5 X
usernameY privilege 15 secret 5 Y
username Z secret 5 Z
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
XXXX
quit
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
key X
dns 68.87.72.130 68.87.77.130
pool SDM_POOL_1
acl 100
max-users 10
crypto isakmp profile sdm-ike-profile-1
match identity group EZVPN_GROUP_1
client authentication list Foxtrot_sdm_easyvpn_xauth_
isakmp authorization list Foxtrot_sdm_easyvpn_group_
client configuration address respond
virtual-template 5
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map dynmap 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
process-max-time 150
!
ip tcp synwait-time 10
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
switchport access vlan 75
!
interface FastEthernet1
switchport access vlan 75
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface FastEthernet4
ip address X.X.X.X 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip ips sdm_ips_rule out
ip virtual-reassembly
duplex auto
speed auto
crypto map static-map
!
interface Virtual-Template5 type tunnel
ip unnumbered Vlan75
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface Vlan75
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip ips sdm_ips_rule in
ip virtual-reassembly
!
ip local pool SDM_WEBVPN_POOL_1 192.168.1.210 192.168.1.219
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.209
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.151 22 interface FastEthernet4 22
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit WAN STATIC IP 0.0.0.3
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
password 7 X
logging synchronous
no modem enable
history size 256
transport output telnet
line aux 0
transport output telnet
line vty 0 2
password 7 X
authorization exec tango_author_exec
login authentication tango_authen_login
transport input telnet ssh
line vty 3
password 7 X
authorization exec tango_author_exec
login authentication tango_authen_login
transport input all
line vty 4
password 7 X
authorization exec tango_author_exec
logging synchronous
login authentication tango_authen_login
history size 256
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway SDM_WEBVPN_GATEWAY_1
ip address X port 443
ssl trustpoint X
inservice
!
webvpn install svc flash:/webvpn/sslclient-wi
!
webvpn context SDM_WEBVPN_CONTEXT_1
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
!
policy group SDM_WEBVPN_POLICY_1
functions svc-enabled
svc address-pool "SDM_WEBVPN_POOL_1"
svc keep-client-installed
svc split include 192.168.1.0 255.255.255.0
svc dns-server primary 68.87.72.130
svc dns-server secondary 68.87.77.130
default-group-policy SDM_WEBVPN_POLICY_1
aaa authentication list sdm_vpn_xauth_ml_1
gateway SDM_WEBVPN_GATEWAY_1
inservice
!
end
ASKER
1) So the DHCP block for the VPN can't be from the same DHCP address block given out by the routers to the internal clients?
2) Not sure how to phrase that ACL statement. Can you give me an example please?
2) Not sure how to phrase that ACL statement. Can you give me an example please?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I just got off with TAC who said the exact same thing you did. Thanks a lot, I appreciate it!
1) The pool of IPs that you hand to VPN clients must not be from the same network as your internal netblock (i.e., use 192.168.255.0/24 or something else for VPN clients)
2) Your ACL 2 for nat must have a line before the permit statement excluding nat between the VPN pool and 192.168.1.0/24.