Solved

VPN connects but unable to access network resources

Posted on 2014-10-01
Last Modified: 2015-04-27
Using the Cisco VPN Client dialer. Able to connect to the VPN but unable to access network resources. Suspect I do not have the necessary ACL. Any help is greatly appreciated!

Building configuration...
WLAN_AP_SM: Config command is not supported

Current configuration : 7822 bytes
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
security authentication failure rate 3 log
security passwords min-length 10
logging buffered 16384
logging console critical
enable secret 5 $1$fW7P$R7uRO0HR/qfTKfWLJRzuX/
enable password 7 0960472E31311953050B22677871
!
aaa new-model
!
!
aaa authentication login local_authen local-case
aaa authentication login rtr-remote local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization console
aaa authorization exec local_author local
aaa authorization network rtr-remote local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2189269114
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2189269114
 revocation-check none
 rsakeypair TP-self-signed-2189269114
!
!
crypto pki certificate chain TP-self-signed-2189269114
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313839 32363931 3134301E 170D3134 30393137 31353237
  33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31383932
  36393131 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B288 C7F43947 F348BEAC C77DC9EA C4E65AD0 7DBC3F44 66BC9A6B 244054CC
  4C5C59F3 253CE4DA 644B7C08 68B6D59A B3382174 D7861A76 7E416D12 8E778E54
  137CEEAD E213B888 E7F6DBA5 6F4344F1 535277B6 59002D04 566FE7F9 AFB70717
  B4F6CA45 06CB23A7 50EF4D5B 80384EE0 3DE44A1F 614C4380 151C8EC7 5CBD2FAE
  8D0D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 148CCBE1 B0D4D10C 40D1F60B 1FD097FF B5FDEBAE 60301D06
  03551D0E 04160414 8CCBE1B0 D4D10C40 D1F60B1F D097FFB5 FDEBAE60 300D0609
  2A864886 F70D0101 05050003 81810038 6767E94E E2F1C3A9 730ACD07 24F5CB36
  D6DE02B3 B0E27992 5970A7F2 AFC581ED 6716C21B 675EDF73 2FA25FE7 8EC70C66
  6FB1B85C 63727F86 1FFC3C33 A52B0DEE 55D5099B 62A7B70F 5AAF7A29 23A9EABB
  ED53CBD3 C0E11077 09308D4C 8D88CAC8 F5727A29 BCF73D31 A70CEDC7 4809D468
  D13A3563 FA74AD99 358C36D9 6736F8
        quit
no ip source-route

ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.150 192.168.0.254
!
ip dhcp pool Local_DHCP
 import all
 network 192.168.0.0 255.255.255.0
 domain-name ecsinternal.com
 dns-server 8.8.8.8 100.100.1.1
 default-router 192.168.0.30
 lease 7
!
!
!
no ip bootp server
ip domain name ecs.com
ip inspect WAAS flush-timeout 10
ip cef
login block-for 30 attempts 3 within 30
login delay 4
login quiet-mode access-class 2
login on-failure log every 3
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
!
license udi pid C819G-4G-V-K9 sn FTX183780X5
!
!
username wcperkins privilege 15 secret 5 $1$t.LO$Oud1W2yJqVPdUSlcz5gM/.
username ecsvpn password 7 050E350C75795E1D580812
username champnet privilege 15 secret 5 $1$tjeE$UZejKpoxmHaPtlL3XoEFM/
!
!
!
!
!
controller Cellular 0
!
ip tcp synwait-time 10
ip ssh maxstartups 4
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ecsvpn
 key XXXXX
 dns 100.100.1.1
 pool dynpool
 acl 102
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group ecsvpn
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set vpn1
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
!
!
!
!
!
interface Cellular0
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer idle-timeout 0
 dialer enable-timeout 6
 dialer string lte
 dialer string ltescript
 dialer watch-group 1
 async mode interactive
 crypto map static-map
!
interface FastEthernet0
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1
 ip unnumbered Cellular0
!
interface Virtual-Template2 type tunnel
 ip unnumbered Cellular0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 ip address 192.168.0.30 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 ip policy route-map clear-df
!
ip local pool dynpool 192.168.199.100 192.168.199.149
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http max-connections 10
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
ip nat inside source list 100 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
!
dialer watch-list 1 ip 1.2.3.4 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
route-map clear-df permit 10
 set ip df 0
!
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.199.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
 script dialer ltescript
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 access-class 1 in
 exec-timeout 5 30
 timeout login response 20
 logout-warning 30
 absolute-timeout 60
 authorization exec local_author
 login authentication local_authen
 transport input ssh
 transport output ssh
!
scheduler allocate 20000 1000
!
!
webvpn gateway gateway_1
 ip address X.X.X.X port 443
 ssl trustpoint TP-self-signed-2189269114
 inservice
 !
webvpn context ecsvpn
 secondary-color white
 title-color #669999
 text-color black
 virtual-template 1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1 domain ecsvpn
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "dynpool" netmask 255.255.255.255
   svc default-domain "XXXX"
   svc keep-client-installed
   svc dns-server primary 8.8.8.8
 default-group-policy policy_1
!
end
Question by: ShawnNT

Accepted Solution by: rauenpc
There is a good chance that you need what is essentially a NAT exemption. The following ACL is used for NAT in your config:

access-list 100 permit ip any any

This means that ALL traffic is NAT'd, including traffic to VPN users. The ACL should first deny traffic that shouldn't be NAT'd, then permit the rest to be NAT'd.

access-list 100 deny ip any 192.168.199.0 0.0.0.255
access-list 100 permit ip any any
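To make the first-match point concrete, here is an added Python model of how IOS evaluates the NAT ACL from this config (example code written for this page, not part of the thread and not Cisco's implementation). It assumes standard IOS ACL semantics (entries tried in order, first match wins, implicit deny at the end) and only handles the plain `ip SRC DST` form with `any`, `host` or address/wildcard that ACL 100 uses; the addresses are taken from the posted config.

```python
import ipaddress

def _parse_addr(tokens, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' at tokens[i] -> (addr, wildcard, next_i)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tokens[i])), int(ipaddress.IPv4Address(tokens[i + 1])), i + 2

def parse_acl(lines):
    """Turn 'access-list N permit|deny ip SRC DST' lines into ordered match entries (remarks skipped)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        src, src_wild, i = _parse_addr(t, 4)
        dst, dst_wild, _ = _parse_addr(t, i)
        entries.append((t[2], src, src_wild, dst, dst_wild))
    return entries

def _matches(addr, ref, wild):
    # Wildcard bit 1 means "don't care"; only bits where the wildcard is 0 must be equal.
    return (addr ^ ref) & (~wild & 0xFFFFFFFF) == 0

def acl_action(entries, src_ip, dst_ip):
    """First matching entry wins, as IOS evaluates an ACL; unmatched traffic hits the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, src, src_wild, dst, dst_wild in entries:
        if _matches(s, src, src_wild) and _matches(d, dst, dst_wild):
            return action
    return "deny"

def will_nat(acl_lines, src_ip, dst_ip):
    """Under 'ip nat inside source list 100 ...', a permit means the packet is translated."""
    return acl_action(parse_acl(acl_lines), src_ip, dst_ip) == "permit"

# Constructed from the thread: ACL 100 as posted, and as the accepted answer rewrites it.
ORIGINAL_ACL_100 = ["access-list 100 permit ip any any"]
FIXED_ACL_100 = [
    "access-list 100 deny ip any 192.168.199.0 0.0.0.255",  # to dynpool VPN clients: exempt
    "access-list 100 permit ip any any",                      # everything else: translate
]

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL_100), ("fixed", FIXED_ACL_100)):
        print(name, "LAN 192.168.0.10 -> VPN client 192.168.199.100 NATed:",
              will_nat(acl, "192.168.0.10", "192.168.199.100"))
```

Ordering is the usual mistake: with the `permit ip any any` line first, the `deny` for the VPN pool is never reached and the flow is still translated.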
