IPsec VPN client not getting IP connectivity

Hi, I am terminating a VPN client onto a Cisco 887. The IPsec tunnel connects OK, but I'm unable to connect to anything. The show cry ipsec sa command shows that packets are being encrypted and decrypted, and ACLs are showing hits. To me it looks like a routing issue, but I'm not sure of the config that is needed to resolve this.
Please help
tzeroAsked:
tzeroAuthor Commented:
acl 101: Extended IP access list 101
    10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log (531 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any log (54772 matches)

It's taken time, but it is now listing matches for 192.168.1.0, even though internet access is still not working.
0
 
tzeroAuthor Commented:
aaa new-model
aaa authentication login Remote_access1 local
aaa authorization exec default local
aaa authorization network Remote_access1 local
aaa session-id common

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp client configuration group Remote_access1
 key xxx
 pool vpnpool
 acl 102

crypto isakmp client configuration group Remote_acces1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-aes esp-sha-hmac
!
crypto dynamic-map Remote_access_vpn 1
 set transform-set vpn1
!
!
crypto map clientmap client authentication list Remote_access1
crypto map clientmap isakmp authorization list Remote_access1
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic Remote_access_vpn

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.15 log
ip local pool vpnpool 192.168.2.194 192.168.2.203

The crypto map is assigned to a dialer interface.

0
 
tzeroAuthor Commented:
I added the reverse-route under the client config and this did not make a difference.
0
 
tzeroAuthor Commented:
Can anyone help, please?
0
 
Jan SpringerCommented:
Are you denying NAT between 192.168.1 and 192.168.2?
0
 
tzeroAuthor Commented:
I do not believe that I am, no. Even though I have stated an access-list for the encrypted networks, the sho cry ipsec sa shows the local IP range as 0.0.0.0 0.0.0.0 and the remote as 192.168.2.0.
0
 
Jan SpringerCommented:
If you could post your 'ip nat inside' statement, we need to modify it.

Once we do that, we'll debug the session:

    debug crypto ipsec
    debug crypto isakmp
    term mon

Comment out any sensitive information.
0
 
tzeroAuthor Commented:
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
0
 
Jan SpringerCommented:
no access-list 101
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

You want to block NAT between the VPN IP and your internal IPs.
0
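The ordering point above (the deny for the VPN pool must sit before the permit-any in the NAT source list), as an added example in Python that is not part of this thread: it models IOS first-match ACL evaluation with wildcard masks over constructed flows, so you can check which traffic the NAT list would translate. The host and Internet addresses in it are constructed.

```python
"""Added example (not from the thread): first-match evaluation of a Cisco IOS
extended ACL used as a NAT source list, with wildcard-mask semantics. With the
permit first, LAN-to-VPN-client packets would be PATed and the VPN would break."""
import ipaddress

ANY = ("0.0.0.0", "255.255.255.255")  # IOS 'any' == 0.0.0.0 255.255.255.255

# NAT list as corrected in the thread (deny first), and the broken order.
FIXED_ACL = [
    "access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
    "access-list 101 permit ip 192.168.1.0 0.0.0.255 any",
]
WRONG_ORDER_ACL = list(reversed(FIXED_ACL))

def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(tok, i):
    """Consume 'any' or '<network> <wildcard>' starting at tok[i]."""
    if tok[i] == "any":
        return ANY, i + 1
    return (tok[i], tok[i + 1]), i + 2

def parse_ace(line: str):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst> [log]'."""
    tok = line.split()
    action = tok[2]
    src, i = _take_addr(tok, 4)          # tok[3] is the protocol ('ip')
    dst, _ = _take_addr(tok, i)
    return action, src, dst

def will_nat(acl_lines, src: str, dst: str) -> bool:
    """True if the NAT list permits (i.e. translates) the flow src->dst.
    First matching entry wins; implicit deny at the end, as in IOS."""
    for line in acl_lines:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False

if __name__ == "__main__":
    lan_host, vpn_client, internet = "192.168.1.2", "192.168.2.194", "203.0.113.10"
    for name, acl in (("fixed", FIXED_ACL), ("wrong order", WRONG_ORDER_ACL)):
        print(name, "LAN->VPN translated:", will_nat(acl, lan_host, vpn_client),
              "LAN->Internet translated:", will_nat(acl, lan_host, internet))
```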
 
tzeroAuthor Commented:
Hi, thank you, that must have been the easiest problem you have done. It's working; so close and yet so far. I'll remember that one.
0
 
Jan SpringerCommented:
Wonderful.  Thanks for the update!
0
 
tzeroAuthor Commented:
I have a different problem now: for some reason I'm not able to access the Internet via the site. I can see that the access-lists show some hits on the ACL for NAT, but then it stops incrementing and I'm unable to access the internet. I can ping from the router to the internet, but not from PCs on the LAN.
0
 
tzeroAuthor Commented:
The show ip nat translations is not showing anything either.
0
 
tzeroAuthor Commented:
I have rebooted the router and PCs, but no change.
0
 
Jan SpringerCommented:
Can you ping the inside IP address on the PIX?
0
 
tzeroAuthor Commented:
I can, yes, ping the inside IP address of the router.
0
 
Jan SpringerCommented:
sho access-list 101
0
 
tzeroAuthor Commented:
I have taken out the NAT statements on the interfaces, rebooted the router and then re-added them; no difference.
0
 
tzeroAuthor Commented:
10 permit ip 192.168.1.0 0.0.0.255 any log    
0
 
tzeroAuthor Commented:
I can still VPN in and access LAN devices.
0
 
Jan SpringerCommented:
When you made your last configuration changes prior to reboot - did you save the running to the startup?
0
 
tzeroAuthor Commented:
Yes, I did a wr mem.
0
 
Jan SpringerCommented:
So, your NAT access list only has the original permit, no deny, and the VPN still works but the inside clients can't NAT out?

Double check that the access list is applied to the global nat statement.
0
 
tzeroAuthor Commented:
No, I have re-added the deny statement to the NAT access-list.
0
 
Jan SpringerCommented:
The deny should be listed first.  That will allow the VPN to access the LAN.

But, if this blocks internet access then there is a problem with the access list.

To verify, your VPN is good but no internet access.  Could you post that access-list 101 as it is right now?
0
 
tzeroAuthor Commented:
This is from debug ip packet 101:

*Sep 22 20:14:56.603: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, TCP Adjust MSS(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: tableid=0, s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), routed via RIB
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, rcvd 3
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, stop process pak for forus packet
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2, len 104, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, sending
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, TCP Adjust MSS(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, sending full packet
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, TCP Adjust MSS(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: tableid=0, s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), routed via RIB
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 52, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 52, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
0
 
Jan SpringerCommented:
what does the log show for list 101?

from the PIX, can you ping outside?
0
 
tzeroAuthor Commented:
From the router I can ping to the outside, yes.
0
 
Jan SpringerCommented:
clear your translations and your access-list 101 counters.

get some activity going.

show the nat translations and the access-list 101 counters.  find out what is in the log relative to a specific action to see what the pix says.
0
 
tzeroAuthor Commented:
*Sep 22 20:58:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 3170 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(37607) -> 81.149.1.184(4500), 2103 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 209.85.135.99 -> 81.149.1.184 (0/0), 9 packets
*Sep 22 21:01:01.039: %SEC-6-IPACCESSLOGP: list 100 denied tcp 205.214.192.101(43336) -> 81.149.1.184(22), 1 packet
*Sep 22 21:01:40.707: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(57756) -> 81.149.1.184(500), 1 packet
*Sep 22 21:01:55.403: %SEC-6-IPACCESSLOGNP: list 23 permitted 0 192.168.2.195 -> 0.0.0.0, 1 packet

Still no access to the internet.
0
 
tzeroAuthor Commented:
sho ip nat translations global is not showing any translations at all.
0
 
Jan SpringerCommented:
sh log | i list 101

verify that the nat statement is still on the outside interface.
0
 
tzeroAuthor Commented:
I only see this at the moment:

Sep 22 21:07:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 110 packets
*Sep 22 21:08:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 8 packets
*Sep 22 21:12:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 47 packets
0
 
Jan SpringerCommented:
Yes, that's good.  Do you see any nat translations since you cleared them?
0
 
tzeroAuthor Commented:
No, none at all.
0
 
Jan SpringerCommented:
Would you post your NAT statements (all of them)?  You should XXX the first two octets of the external IPs.
0
 
tzeroAuthor Commented:
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

interface Vlan1
 description xx_xx
 ip address 192.x.x.x 255.x.x.x
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

interface Dialer0
 ip address negotiated
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
 no cdp enable
 crypto map clientmap
 hold-queue 224 in
0
 
Jan SpringerCommented:
I am seeing nothing wrong with this.

If you go back to the original NAT access list 101, does that restore access to the inside machines (even though it will break the vpn)?
0
 
tzeroAuthor Commented:
No, the internet access doesn't work if I revert it back to what it was initially.
0
 
Jan SpringerCommented:
Then there's a new problem that has no relationship to the nat access list.  Can you tell if there were *any* hardware or configuration changes made today?
0
 
Jan SpringerCommented:
tzero.  I'm not ignoring you but I have to be out for a couple of hours.
0
 
tzeroAuthor Commented:
Jesper, hi. I have got the internet working again. What a pain: I reset the router, then reconfigured it, and it still did not work. I then used the express tool (hate using GUI interfaces) to enable NAT. Even though I configured the interface NATs and ip source overload etc., the express tool did not show that NAT was enabled. This has got to be a bug!!! I have never had so much trouble configuring an 800 router before.

I am going to test the VPN and see if that is still working. I'll let you know; thanks for your time, much appreciated.
0
 
Jan SpringerCommented:
You are so welcome.  Odd problem but glad that you found the resolution.  Holler if you need any more assistance!
0