Solved

IPsec VPN client not getting IP connectivity

Posted on 2010-09-21
Last Modified: 2012-05-10
Hi, I am terminating a VPN client onto a Cisco 887. The IPsec tunnel connects OK, but I'm unable to connect to anything. The show cry ipsec sa command shows that packets are being encrypted and decrypted, and ACLs are showing hits. To me it looks like a routing issue, but I'm not sure of the config that is needed to resolve this.
Please help.
Question by:tzero

43 Comments

Author Comment by:tzero
aaa new-model
aaa authentication login Remote_access1 local
aaa authorization exec default local
aaa authorization network Remote_access1 local
aaa session-id common

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp client configuration group Remote_access1
 key xxx
 pool vpnpool
 acl 102

crypto isakmp client configuration group Remote_acces1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-aes esp-sha-hmac
!
crypto dynamic-map Remote_access_vpn 1
 set transform-set vpn1
!
!
crypto map clientmap client authentication list Remote_access1
crypto map clientmap isakmp authorization list Remote_access1
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic Remote_access_vpn

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.15 log
ip local pool vpnpool 192.168.2.194 192.168.2.203

The crypto map is assigned to a dialer interface.

Author Comment by:tzero
I added the reverse-route under the client config and this did not make a difference.

Author Comment by:tzero
Can anyone help please?

Expert Comment by:Jan Springer (LVL 28)
Are you denying NAT between 192.168.1 and 192.168.2?

Author Comment by:tzero
I do not believe that I am, no. Even though I have stated an access-list for the encrypted networks, the sho cry ipsec sa shows the local IP range as 0.0.0.0 0.0.0.0 and the remote as 192.168.2.0.

Expert Comment by:Jan Springer (LVL 28)
If you could post your 'ip nat inside' statement, we need to modify it.

Once we do that, we'll debug the session:

    debug crypto ipsec
    debug crypto isakmp
    term mon

Comment out any sensitive information.

Author Comment by:tzero
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Expert Comment by:Jan Springer (LVL 28)
no access-list 101
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

You want to block NAT between the VPN IP and your internal IPs.
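The ordering point above, as an added example that is not part of the thread or of Cisco's code: a small Python model of first-match ACL evaluation with Cisco wildcard masks, applied to the list used by "ip nat inside source list 101" (a permit match means translate, a deny match or the implicit deny means leave the packet alone). It shows that the original list translates LAN-to-VPN-pool traffic, that the fixed list exempts it while still translating Internet-bound traffic, and that placing the deny after the permit has no effect. The "wrong order" list and the Internet address are constructed for the demonstration.

```python
# Added example, not from the thread: models Cisco IOS first-match ACL evaluation with
# wildcard masks, as used by "ip nat inside source list 101 ...". For a NAT source list,
# a permit match means "translate" and a deny match (or the implicit deny) means
# "leave the packet untouched", which is what traffic to the VPN pool needs.
import ipaddress


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 0 bit in the mask must match, a 1 bit is ignored."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


def parse_ace(line):
    """Parse 'permit|deny ip <src> <wc> (<dst> <wc>|any) [log]' into (action, src, dst)."""
    tok = line.split()
    if len(tok) < 5 or tok[0] not in ("permit", "deny") or tok[1] != "ip":
        raise ValueError("unsupported entry: " + line)
    src = (tok[2], tok[3])
    dst = ("0.0.0.0", "255.255.255.255") if tok[4] == "any" else (tok[4], tok[5])
    return tok[0], src, dst


def acl_action(acl, src, dst):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for line in acl:
        action, (sn, sw), (dn, dw) = parse_ace(line)
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"


def will_nat(acl, src, dst):
    """True if the NAT source list would translate a packet from src to dst."""
    return acl_action(acl, src, dst) == "permit"


# The two lists discussed in the thread, plus a constructed wrong ordering of the fix.
ORIGINAL_ACL = ["permit ip 192.168.1.0 0.0.0.255 any"]
FIXED_ACL = ["deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255",
             "permit ip 192.168.1.0 0.0.0.255 any"]
WRONG_ORDER = list(reversed(FIXED_ACL))

if __name__ == "__main__":
    lan_pc, vpn_client, internet = "192.168.1.2", "192.168.2.194", "81.149.1.184"
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL), ("wrong order", WRONG_ORDER)):
        print(f"{name:12} LAN->VPN natted: {will_nat(acl, lan_pc, vpn_client)!s:5} "
              f"LAN->Internet natted: {will_nat(acl, lan_pc, internet)}")
```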

Author Comment by:tzero
Hi, thank you, that must have been the easiest problem you have done. It's working; so close and yet so far. I'll remember that one.

Expert Comment by:Jan Springer (LVL 28)
Wonderful.  Thanks for the update!

Author Comment by:tzero
I have a different problem now: for some reason I'm not able to access the Internet via the site. I can see that the access-lists show some hits on the ACL for NAT, but then it stops incrementing and I'm unable to access the Internet. I can ping from the router to the Internet, but not from PCs on the LAN.

Author Comment by:tzero
The show ip nat translations is not showing anything either.

Author Comment by:tzero
I have rebooted the router and PCs, but no change.

Expert Comment by:Jan Springer (LVL 28)
Can you ping the inside IP address on the PIX?

Author Comment by:tzero
Yes, I can ping the inside IP address of the router.

Expert Comment by:Jan Springer (LVL 28)
sho access-list 101

Author Comment by:tzero
I have taken out the NAT statements on the interfaces, rebooted the router and then re-added them; no difference.

Author Comment by:tzero
10 permit ip 192.168.1.0 0.0.0.255 any log

Author Comment by:tzero
I can still VPN in and access LAN devices.

Expert Comment by:Jan Springer (LVL 28)
When you made your last configuration changes prior to reboot - did you save the running to the startup?

Author Comment by:tzero
Yes, I did a wr mem.

Expert Comment by:Jan Springer (LVL 28)
So, your nat access list only has the original permit, no deny and the vpn still works but the inside clients can't nat out?

Double check that the access list is applied to the global nat statement.

Author Comment by:tzero
No, I have re-added the deny statement to the NAT access-list.

Expert Comment by:Jan Springer (LVL 28)
The deny should be listed first.  That will allow the VPN to access the LAN.

But, if this blocks internet access then there is a problem with the access list.

To verify, your VPN is good but no internet access.  Could you post that access-list 101 as it is right now?

Author Comment by:tzero
This is from debug ip packet 101:

*Sep 22 20:14:56.603: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, TCP Adjust MSS(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: tableid=0, s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), routed via RIB
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, rcvd 3
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, stop process pak for forus packet
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2, len 104, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, sending
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, TCP Adjust MSS(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, sending full packet
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, TCP Adjust MSS(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: tableid=0, s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), routed via RIB
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 52, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 52, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
 --More--

Accepted Solution by:tzero (earned 0 total points)
acl 101: Extended IP access list 101
    10 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255 log (531 matches)
    20 permit ip 192.168.1.0 0.0.0.255 any log (54772 matches)

It's taken time, but it is now listing matches for 192.168.1.0 even though Internet access is still not working.

Expert Comment by:Jan Springer (LVL 28)
What does the log show for list 101?

From the PIX, can you ping outside?

Author Comment by:tzero
From the router I can ping to the outside, yes.

Expert Comment by:Jan Springer (LVL 28)
Clear your translations and your access-list 101 counters.

Get some activity going.

Show the NAT translations and the access-list 101 counters. Find out what is in the log relative to a specific action to see what the PIX says.

Author Comment by:tzero
*Sep 22 20:58:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 3170 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(37607) -> 81.149.1.184(4500), 2103 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 209.85.135.99 -> 81.149.1.184 (0/0), 9 packets
*Sep 22 21:01:01.039: %SEC-6-IPACCESSLOGP: list 100 denied tcp 205.214.192.101(43336) -> 81.149.1.184(22), 1 packet
*Sep 22 21:01:40.707: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(57756) -> 81.149.1.184(500), 1 packet
*Sep 22 21:01:55.403: %SEC-6-IPACCESSLOGNP: list 23 permitted 0 192.168.2.195 -> 0.0.0.0, 1 packet

Still no access to the Internet.

Author Comment by:tzero
sho ip nat translations global is not showing any translations at all.

Expert Comment by:Jan Springer (LVL 28)
sh log | i list 101

Verify that the NAT statement is still on the outside interface.

Author Comment by:tzero
I only see this at the moment:

Sep 22 21:07:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 110 packets
*Sep 22 21:08:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 8 packets
*Sep 22 21:12:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 47 packets

Expert Comment by:Jan Springer (LVL 28)
Yes, that's good.  Do you see any nat translations since you cleared them?
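Reading the list 101 log lines above, as an added example that is not part of the thread: a Python parser for the %SEC-6-IPACCESSLOG* syslog messages, which then checks that every deny on the NAT list (101) is destined for the VPN pool. A deny to anything else would mean the NAT list is also stopping Internet-bound traffic from being translated, which is the first thing to rule out when show ip nat translations stays empty. The sample lines are constructed from the excerpt posted earlier in the thread; the VPN pool is assumed to be 192.168.2.0/24, as in the deny entry.

```python
# Added example, not from the thread: parses Cisco IOS %SEC-6-IPACCESSLOG* syslog lines and
# classifies the denies on the NAT source list as expected (destination in the VPN pool)
# or unexpected (anything else, which would block translation of Internet-bound traffic).
import ipaddress
import re

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG\w+: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\S+) (?P<src>[\d.]+)(?:\(\d+\))? -> (?P<dst>[\d.]+)(?:\(\d+\))?"
    r"(?: \(\d+/\d+\))?, (?P<count>\d+) packets?"
)


def parse_acl_log(lines):
    """Return one dict per recognised ACL log line (P, DP and NP variants); others are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            entry = m.groupdict()
            entry["count"] = int(entry["count"])
            entries.append(entry)
    return entries


def classify_nat_denies(entries, nat_acl, vpn_pool):
    """Split the denies seen on the NAT list into expected (dst in VPN pool) and unexpected."""
    pool = ipaddress.ip_network(vpn_pool)
    expected, unexpected = [], []
    for e in entries:
        if e["acl"] != nat_acl or e["action"] != "denied":
            continue
        (expected if ipaddress.ip_address(e["dst"]) in pool else unexpected).append(e)
    return expected, unexpected


# Constructed sample, built from the log excerpt posted in the thread.
SAMPLE = """\
*Sep 22 20:58:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 3170 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 209.85.135.99 -> 81.149.1.184 (0/0), 9 packets
*Sep 22 21:01:01.039: %SEC-6-IPACCESSLOGP: list 100 denied tcp 205.214.192.101(43336) -> 81.149.1.184(22), 1 packet
*Sep 22 21:01:55.403: %SEC-6-IPACCESSLOGNP: list 23 permitted 0 192.168.2.195 -> 0.0.0.0, 1 packet
""".splitlines()

if __name__ == "__main__":
    parsed = parse_acl_log(SAMPLE)
    ok, bad = classify_nat_denies(parsed, "101", "192.168.2.0/24")
    print(f"{len(parsed)} entries parsed; {len(ok)} expected NAT exemptions; {len(bad)} unexpected denies")
```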

Author Comment by:tzero
No, none at all.

Expert Comment by:Jan Springer (LVL 28)
Would you post your NAT statements (all of them)?  You should XXX the first two octets of the external IPs.

Author Comment by:tzero
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

interface Vlan1
 description xx_xx
 ip address 192.x.x.x 255.x.x.x
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

interface Dialer0
 ip address negotiated
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
 no cdp enable
 crypto map clientmap
 hold-queue 224 in

Expert Comment by:Jan Springer (LVL 28)
I am seeing nothing wrong with this.

If you go back to the original NAT access list 101, does that restore access to the inside machines (even though it will break the vpn)?

Author Comment by:tzero
No, the Internet access doesn't work if I revert it back to what it was initially.

Expert Comment by:Jan Springer (LVL 28)
Then there's a new problem that has no relationship to the nat access list.  Can you tell if there were *any* hardware or configuration changes made today?

Expert Comment by:Jan Springer (LVL 28)
tzero, I'm not ignoring you, but I have to be out for a couple of hours.

Author Comment by:tzero
Jesper, hi. I have got the Internet working again. What a pain: I reset the router, I then reconfigured it and it still did not work. I then used the express tool (hate using GUI interfaces) to enable NAT. Even though I configured the interface NATs and ip source overload etc., the express tool did not show that NAT was enabled. This has got to be a bug! I have never had so much trouble configuring an 800 router before.

I am going to test the VPN and see if that is still working. I'll let you know; thanks for your time, much appreciated.

Expert Comment by:Jan Springer (LVL 28)
You are so welcome.  Odd problem but glad that you found the resolution.  Holler if you need any more assistance!