Solved

No access to VPN Resources, Cisco SR 520

Posted on 2009-07-06
4
1,113 Views
Last Modified: 2012-06-27
I have a Cisco SR 520.  Users can connect to the VPN with both IPSEC and SSL Clients.  However, once connected, the users cannot access any resources.  An IPSCAN only returns a ping from the Router itself and the IP assigned to the VPN client.  I'm sure there is an ACL I am missing, but I'm just not seeing it.

Current configuration : 8457 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname SR520
!
boot-start-marker
boot system flash sr520-advipservicesk9-mz.124-24.T1.bin
boot-end-marker
!
security authentication failure rate 5 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login tango_authen_login line local
aaa authentication login EZVPN_GROUP_1 local
aaa authorization exec default local
aaa authorization exec tango_author_exec if-authenticated
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
aaa authorization network EZVPN_GROUP_1 local
!
!
aaa session-id common
clock timezone CST -6
clock summer-time CDT recurring
!
crypto pki trustpoint XXXX
 enrollment selfsigned
 subject-name cn=XXXX
 revocation-check none
 rsakeypair XXXX
!
!
crypto pki certificate chain XXXX
 certificate self-signed 01
  XXXX
dot11 syslog
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.100 192.168.1.255
!
ip dhcp pool inside
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 68.87.72.130 68.87.77.130
!
!
ip cef
no ip bootp server
ip name-server 68.87.72.130
ip name-server 68.87.77.130
ip ips config location flash:/ips/ retries 5 timeout 5
ip ips notify SDEE
ip ips name sdm_ips_rule
!        
ip ips signature-category
  category all
   retired true
  category ios_ips basic
   retired false
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username X privilege 15 secret 5 X
usernameY privilege 15 secret 5 Y
username Z secret 5 Z
!
crypto key pubkey-chain rsa
 named-key realm-cisco.pub
  key-string
   XXXX
  quit
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key X
 dns 68.87.72.130 68.87.77.130
 pool SDM_POOL_1
 acl 100
 max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address respond
   virtual-template 5
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
archive
 log config
  hidekeys
!        
process-max-time 150
!
ip tcp synwait-time 10
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 switchport access vlan 75
!
interface FastEthernet1
 switchport access vlan 75
!
interface FastEthernet2
 switchport access vlan 75
!
interface FastEthernet3
 switchport access vlan 75
!
interface FastEthernet4
 ip address X.X.X.X 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip ips sdm_ips_rule out
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map static-map
!
interface Virtual-Template5 type tunnel
 ip unnumbered Vlan75
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface Vlan75
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
!
ip local pool SDM_WEBVPN_POOL_1 192.168.1.210 192.168.1.219
ip local pool SDM_POOL_1 192.168.1.200 192.168.1.209
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 X.X.X.X
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.1.151 22 interface FastEthernet4 22
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit WAN STATIC IP 0.0.0.3
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
 password 7 X
 logging synchronous
 no modem enable
 history size 256
 transport output telnet
line aux 0
 transport output telnet
line vty 0 2
 password 7 X
 authorization exec tango_author_exec
 login authentication tango_authen_login
 transport input telnet ssh
line vty 3
 password 7 X
 authorization exec tango_author_exec
 login authentication tango_authen_login
 transport input all
line vty 4
 password 7 X
 authorization exec tango_author_exec
 logging synchronous
 login authentication tango_authen_login
 history size 256
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn gateway SDM_WEBVPN_GATEWAY_1
 ip address X port 443  
 ssl trustpoint X
 inservice
 !
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
 !
webvpn context SDM_WEBVPN_CONTEXT_1
 secondary-color white
 title-color #CCCC66
 text-color black
 ssl authenticate verify all
 !
 !
 policy group SDM_WEBVPN_POLICY_1
   functions svc-enabled
   svc address-pool "SDM_WEBVPN_POOL_1"
   svc keep-client-installed
   svc split include 192.168.1.0 255.255.255.0
   svc dns-server primary 68.87.72.130
   svc dns-server secondary 68.87.77.130
 default-group-policy SDM_WEBVPN_POLICY_1
 aaa authentication list sdm_vpn_xauth_ml_1
 gateway SDM_WEBVPN_GATEWAY_1
 inservice
!        
end
0
Comment
Question by:Blackline
  • 2
  • 2
4 Comments
 
LVL 28

Expert Comment

by:Jan Springer
ID: 24786373
Two comments come to mind immediately:

1) The pool of IPs that you hand to VPN clients must not be from the same network as your internal netblock (i.e., use 192.168.255.0/24 or something else for VPN clients)

2) Your ACL 2 for nat must have a line before the permit statement excluding nat between the VPN pool and 192.168.1.0/24.
0
 

Author Comment

by:Blackline
ID: 24786851
1)  So the DHCP block for the VPN can't be from the same DHCP address block given out by the routers to the internal clients?  
2)  Not sure how to phrase that ACL statement.  Can you give me an example please?
 
0
 
LVL 28

Accepted Solution

by:
Jan Springer earned 500 total points
ID: 24786993
1) that's correct

2) acl presuming vpn pool is 192.168.255.0/24
   
    no access-list 2
    access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.255.0 0.0.0.255
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any

    no ip nat inside source list 2 interface FastEthernet4 overload
    ip nat inside source list 102 interface FastEthernet4 overload
0
 

Author Closing Comment

by:Blackline
ID: 31600180
I just got off with TAC who said the exact same thing you did.   Thanks a lot, I appreciate it!
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

Hello , This is a short article on how would you go about enabling traceoptions on a Juniper router . Traceoptions are similar to Cisco debug commands but these traceoptions are implemented in Juniper networks router . The following demonstr…
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now