ipsec vpn client not getting ip connectivity

Hi, I am terminating a VPN client on a Cisco 887. The IPsec tunnel connects OK, but I'm unable to connect to anything. The show crypto ipsec sa command shows that packets are being encrypted and decrypted, and the ACLs are showing hits. To me it looks like a routing issue, but I'm not sure of the config that is needed to resolve this.
Please help.
tzero (asker):
aaa new-model
aaa authentication login Remote_access1 local
aaa authorization exec default local
aaa authorization network Remote_access1 local
aaa session-id common

crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600

crypto isakmp client configuration group Remote_access1
 key xxx
 pool vpnpool
 acl 102

crypto isakmp client configuration group Remote_acces1
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-aes esp-sha-hmac
!
crypto dynamic-map Remote_access_vpn 1
 set transform-set vpn1
!
!
crypto map clientmap client authentication list Remote_access1
crypto map clientmap isakmp authorization list Remote_access1
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic Remote_access_vpn

access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.15 log
ip local pool vpnpool 192.168.2.194 192.168.2.203

The crypto map is assigned to a dialer interface.
tzero (asker):
I added the reverse-route under the client config and this did not make a difference.
tzero (asker):

Can anyone help, please?
Jan Bacher:
Are you denying NAT between 192.168.1 and 192.168.2?
tzero (asker):

I do not believe that I am, no. Even though I have stated an access-list for the encrypted networks, the show crypto ipsec sa shows the local IP range as 0.0.0.0 0.0.0.0 and the remote as 192.168.2.0.
If you could post your 'ip nat inside' statement, we need to modify it.

Once we do that, we'll debug the session:

    debug crypto ipsec
    debug crypto isakmp
    term mon

Comment out any sensitive information.
tzero (asker):
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no access-list 101
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

You want to block NAT between the VPN IP and your internal IPs.
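The fix in the reply above hinges on the order in which IOS handles a packet leaving the inside interface: the NAT inside-source ACL is consulted first, and only then does the crypto map's match ACL decide whether the packet is encrypted. The block below is an added example, not code from the thread or from Cisco; it simulates that first-match ACL evaluation in Python with the addresses posted here (the Dialer0 address 81.149.1.184 is taken from the ACL 100 log lines later in the thread) and also shows why the deny has to sit above the permit.

```python
"""Added example (not from the thread): first-match ACL evaluation as IOS applies
it to `ip nat inside source list` and to a crypto map's match ACL, using the
thread's addresses. OUTSIDE_IP is the Dialer0 address seen in the thread's
ACL 100 log lines; everything else is from the posted configuration."""
import ipaddress
from dataclasses import dataclass

OUTSIDE_IP = "81.149.1.184"   # Dialer0 address (from the thread's ACL 100 log lines)


@dataclass(frozen=True)
class Ace:
    action: str   # "permit" | "deny"
    src: str      # "any" | "host A.B.C.D" | "A.B.C.D W.W.W.W" (IOS wildcard form)
    dst: str


def _matches(addr: str, spec: str) -> bool:
    """IOS wildcard-mask match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    parts = spec.split()
    if parts[0] == "host":
        return addr == parts[1]
    net, wild = (int(ipaddress.IPv4Address(p)) for p in parts)
    mask = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & mask) == (net & mask)


def acl_action(acl, src: str, dst: str) -> str:
    """First matching ACE wins; every ACL ends in an implicit deny."""
    for ace in acl:
        if _matches(src, ace.src) and _matches(dst, ace.dst):
            return ace.action
    return "deny"


# crypto ACL 102 from the question (the log keyword does not affect matching)
CRYPTO_ACL_102 = [Ace("permit", "192.168.1.0 0.0.0.255", "192.168.2.192 0.0.0.15")]
# NAT ACL 101 as originally posted, and as corrected in the thread
NAT_ACL_ORIGINAL = [Ace("permit", "192.168.1.0 0.0.0.255", "any")]
NAT_ACL_FIXED = [Ace("deny", "192.168.1.0 0.0.0.255", "192.168.2.0 0.0.0.255"),
                 Ace("permit", "192.168.1.0 0.0.0.255", "any")]
# the same two lines in the wrong order: the permit shadows the deny
NAT_ACL_WRONG_ORDER = list(reversed(NAT_ACL_FIXED))


def forward_inside_to_outside(nat_acl, crypto_acl, src: str, dst: str):
    """Inside->outside order of operations that matters here: NAT (inside source)
    runs before the crypto map looks at the packet. Returns the source address as
    it leaves Dialer0 and whether it left inside the IPsec tunnel."""
    if acl_action(nat_acl, src, dst) == "permit":
        src = OUTSIDE_IP   # PAT (overload) to the Dialer0 address
    encrypted = acl_action(crypto_acl, src, dst) == "permit"
    return src, encrypted


if __name__ == "__main__":
    lan_host, vpn_client, web = "192.168.1.2", "192.168.2.194", "209.85.135.99"
    for name, acl in [("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED),
                      ("wrong order", NAT_ACL_WRONG_ORDER)]:
        to_vpn = forward_inside_to_outside(acl, CRYPTO_ACL_102, lan_host, vpn_client)
        to_web = forward_inside_to_outside(acl, CRYPTO_ACL_102, lan_host, web)
        print(f"{name:12} LAN->VPN client: src {to_vpn[0]}, encrypted={to_vpn[1]}; "
              f"LAN->Internet: src {to_web[0]}, encrypted={to_web[1]}")
```

With the original ACL (or the two lines in the wrong order) a reply from the LAN to a VPN client is translated to the Dialer0 address, no longer matches ACL 102, and is sent to the Internet in the clear instead of back down the tunnel, which is exactly the "tunnel is up, counters increment, nothing works" symptom in the question. Only the deny-first list leaves the LAN source intact so the crypto map picks the packet up.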
tzero (asker):

Hi, thank you, that must have been the easiest problem you have done. It's working; so close and yet so far. I'll remember that one.
Wonderful.  Thanks for the update!
tzero (asker):

I have a different problem now: for some reason I'm not able to access the Internet via the site. I can see that the access-lists show some hits on the ACL for NAT, but then it stops incrementing and I'm unable to access the Internet. I can ping from the router to the Internet, but not from the PCs on the LAN.
tzero (asker):

The show ip nat translations is not showing anything either.
tzero (asker):

I have rebooted the router and the PCs, but no change.
Can you ping the inside IP address on the PIX?
tzero (asker):

I can, yes, ping the inside IP address of the router.
sho access-list 101
tzero (asker):

I have taken out the NAT statements on the interfaces, rebooted the router and then re-added them; no difference.
tzero (asker):

10 permit ip 192.168.1.0 0.0.0.255 any log
tzero (asker):

I can still VPN in and access LAN devices.
When you made your last configuration changes prior to reboot - did you save the running to the startup?
tzero (asker):

Yes, I did a wr mem.
So, your nat access list only has the original permit, no deny and the vpn still works but the inside clients can't nat out?

Double check that the access list is applied to the global nat statement.
tzero (asker):

No, I have re-added the deny statement to the NAT access-list.
The deny should be listed first.  That will allow the VPN to access the LAN.

But, if this blocks internet access then there is a problem with the access list.

To verify, your VPN is good but no internet access.  Could you post that access-list 101 as it is right now?
tzero (asker):

This is from debug ip packet 101:

*Sep 22 20:14:56.603: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, input feature, TCP Adjust MSS(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: tableid=0, s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), routed via RIB
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 140, rcvd 3
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, stop process pak for forus packet
*Sep 22 20:14:56.607: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 140, enqueue feature, TCP Adjust MSS(5), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2, len 104, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, sending
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, output feature, TCP Adjust MSS(43), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.607: IP: s=192.168.1.254 (local), d=192.168.1.2 (Vlan1), len 104, sending full packet
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Stateful Inspection(4), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Virtual Fragment Reassembly(22), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, Virtual Fragment Reassembly After IPSec Decryption(34), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, MCI Check(66), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254, len 52, input feature, TCP Adjust MSS(68), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: tableid=0, s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), routed via RIB
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 52, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Sep 22 20:14:56.719: IP: s=192.168.1.2 (Vlan1), d=192.168.1.254 (Vlan1), len 52, output feature, Stateful Inspection(22), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
what does the log show for list 101?

from the PIX, can you ping outside?
tzero (asker):

From the router I can ping to the outside, yes.
clear your translations and your access-list 101 counters.

get some activity going.

show the nat translations and the access-list 101 counters.  find out what is in the log relative to a specific action to see what the pix says.
tzero (asker):
*Sep 22 20:58:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 3170 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(37607) -> 81.149.1.184(4500), 2103 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 209.85.135.99 -> 81.149.1.184 (0/0), 9 packets
*Sep 22 21:01:01.039: %SEC-6-IPACCESSLOGP: list 100 denied tcp 205.214.192.101(43336) -> 81.149.1.184(22), 1 packet
*Sep 22 21:01:40.707: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(57756) -> 81.149.1.184(500), 1 packet
*Sep 22 21:01:55.403: %SEC-6-IPACCESSLOGNP: list 23 permitted 0 192.168.2.195 -> 0.0.0.0, 1 packet

Still no access to the Internet.
tzero (asker):

sho ip nat translations global is not showing any translations at all.
sh log | i list 101

verify that the nat statement is still on the outside interface.
tzero (asker):

I only see this at the moment:

Sep 22 21:07:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 110 packets
*Sep 22 21:08:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 8 packets
*Sep 22 21:12:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 47 packets
Yes, that's good.  Do you see any nat translations since you cleared them?
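The log lines above are worth reading carefully, because two different ACLs are logging and only one of them is about the problem at hand. As an added example, not from the thread, here is a small parser for the %SEC-6-IPACCESSLOG* messages that log ACEs emit, run over the lines posted earlier. It separates the list 101 denies, which are the NAT-exemption ACE matching LAN-to-pool traffic and are the expected result the reply above refers to, from the list 100 hits on Dialer0, where a deny is unsolicited inbound traffic (the port 22 probe) and permitted UDP 500/4500 is the VPN client's IKE and NAT-T. The list numbers and the pool 192.168.2.192/28 are taken from the posted configuration; the sample lines are copied from the thread.

```python
"""Added example (not from the thread): parse %SEC-6-IPACCESSLOG* lines and sort
them into NAT exemption hits, Internet NAT hits, and inbound traffic on the
outside interface. List numbers and address ranges come from the posted config."""
import ipaddress
import re
from collections import Counter

# Formats seen in the thread:
#   IPACCESSLOGP : tcp/udp  "src(sport) -> dst(dport)"
#   IPACCESSLOGDP: icmp     "src -> dst (type/code)"
#   IPACCESSLOGNP: other    "src -> dst"
LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>P|DP|NP): list (?P<list>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\S+) "
    r"(?P<src>[\d.]+)(?:\((?P<sport>\d+)\))? -> (?P<dst>[\d.]+)"
    r"(?:\((?P<dport>\d+)\)| \((?P<icmp>\d+/\d+)\))?, (?P<count>\d+) packets?"
)

LAN = ipaddress.ip_network("192.168.1.0/24")          # Vlan1 side
VPN_POOL = ipaddress.ip_network("192.168.2.192/28")   # matches ACL 102 / ip local pool
NAT_LIST, OUTSIDE_LIST = "101", "100"                 # NAT ACL, Dialer0 inbound ACL

# Sample lines copied from the thread (timestamps included, as the router prints them)
SAMPLE_LOG = """\
*Sep 22 20:58:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.194(0), 3170 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(37607) -> 81.149.1.184(4500), 2103 packets
*Sep 22 20:59:49.891: %SEC-6-IPACCESSLOGDP: list 100 permitted icmp 209.85.135.99 -> 81.149.1.184 (0/0), 9 packets
*Sep 22 21:01:01.039: %SEC-6-IPACCESSLOGP: list 100 denied tcp 205.214.192.101(43336) -> 81.149.1.184(22), 1 packet
*Sep 22 21:01:40.707: %SEC-6-IPACCESSLOGP: list 100 permitted udp 212.183.140.0(57756) -> 81.149.1.184(500), 1 packet
*Sep 22 21:01:55.403: %SEC-6-IPACCESSLOGNP: list 23 permitted 0 192.168.2.195 -> 0.0.0.0, 1 packet
*Sep 22 21:07:49.891: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.1.254(0) -> 192.168.2.195(0), 110 packets
"""


def parse(text: str):
    """Return one dict per recognised log line; unrelated lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            rec = m.groupdict()
            rec["count"] = int(rec["count"])
            records.append(rec)
    return records


def classify(rec) -> str:
    src, dst = ipaddress.ip_address(rec["src"]), ipaddress.ip_address(rec["dst"])
    denied = rec["action"] == "denied"
    if rec["list"] == NAT_LIST:
        if denied and src in LAN and dst in VPN_POOL:
            return "nat-exempt-to-vpn"        # the deny ACE doing its job: left untranslated
        if not denied:
            return "nat-to-internet"          # a permit hit: a translation should appear
        return "nat-acl-unexpected-deny"      # a deny on anything else needs a look
    if rec["list"] == OUTSIDE_LIST:
        if denied:
            return "outside-inbound-dropped"  # unsolicited traffic at Dialer0 (e.g. the port 22 probe)
        if rec["proto"] == "udp" and rec["dport"] in ("500", "4500"):
            return "outside-isakmp-or-nat-t"  # the VPN client's IKE / NAT-T
        return "outside-inbound-permitted"
    return "other-acl"


def summarize(text: str) -> dict:
    """Packet totals per category, so the NAT-ACL activity is visible at a glance."""
    totals = Counter()
    for rec in parse(text):
        totals[classify(rec)] += rec["count"]
    return dict(totals)


if __name__ == "__main__":
    for category, packets in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:28} {packets:6d} packets")
```

Run against the posted lines, the summary shows thousands of packets in nat-exempt-to-vpn and none in nat-to-internet, which is the same thing the empty show ip nat translations was saying: the NAT ACL is being consulted, but no LAN-to-Internet packet is ever being permitted by it.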
tzero (asker):

No, none at all.
Would you post your NAT statements (all of them)?  You should XXX the first two octets of the external IPs.
tzero (asker):
ip nat inside source list 101 interface Dialer0 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

interface Vlan1
 description xx_xx
 ip address 192.x.x.x 255.x.x.x
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452

interface Dialer0
 ip address negotiated
 ip access-group 100 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip route-cache cef
 no ip route-cache
 dialer pool 1
 ppp authentication chap callin
 ppp chap hostname
 ppp chap password
 no cdp enable
 crypto map clientmap
 hold-queue 224 in


I am seeing nothing wrong with this.

If you go back to the original NAT access list 101, does that restore access to the inside machines (even though it will break the vpn)?
tzero (asker):

No, the Internet access doesn't work if I revert it back to what it was initially.
Then there's a new problem that has no relationship to the nat access list.  Can you tell if there were *any* hardware or configuration changes made today?
tzero.  I'm not ignoring you but I have to be out for a couple of hours.
tzero (asker):

Jesper, hi. I have got the Internet working again. What a pain: I reset the router, then reconfigured it, and it still did not work. I then used the express tool (I hate using GUI interfaces) to enable NAT. Even though I had configured the interface NATs and the ip nat inside source overload etc., the express tool did not show that NAT was enabled. This has got to be a bug!!! I have never had so much trouble configuring an 800 router before.

I am going to test the VPN and see if that is still working. I'll let you know. Thanks for your time, much appreciated.
You are so welcome.  Odd problem but glad that you found the resolution.  Holler if you need any more assistance!