VPN Local lan access

Guest

VPN Local lan access

Post by Guest » Sat Jul 24, 2010 4:43 pm

I have configured a Cisco 861 as a VPN server. I could use some help if someone can tell me what's wrong. Clients can connect, but cannot access local LAN resources on subnet 10.0.10.0.

Building configuration...

Current configuration : 9770 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RT861W
!
boot-start-marker
boot system flash c860-universalk9-mz.124-24.T3.bin
boot-end-marker
!
logging message-counter syslog
logging buffered 4096 warnings
logging console critical
enable secret 5 xxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
memory-size iomem 10
clock timezone EST -4
clock save interval 24
!
crypto pki trustpoint TP-self-signed-3796206546
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3796206546
 revocation-check none
 rsakeypair TP-self-signed-3796206546
!
!
crypto pki certificate chain TP-self-signed-3796206546
 certificate self-signed 01
  30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33373936 32303635 3436301E 170D3130 30363130 32323534
  33395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37393632
  30363534 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009C68 0509FEBA BA0D4251 52AA3F1C DBB7CACB 138D0D3D 8017AB75 04AABD97
  16DE7A44 31B18A6C 5DE8F289 CF5D71EA AF9BA2F6 EB32858B 4385DE6C 3ED11616
  2B997D14 C6C86431 9A956161 2D0581F4 767D60E1 82FF426A 911D503E 8995A69B
  6F7A4D9A 9AEA14DE 8A62570E C9C3A913 25E5E464 E6DA7E06 44F94B16 3EA57809
  5B710203 010001A3 8180307E 300F0603 551D1301 01FF0405 30030101 FF302B06
  03551D11 04243022 82205254 38363157 2E636F6C 6C696E73 2E316661 6D696C79
  756E6974 65642E63 6F6D301F 0603551D 23041830 1680142C 21E7314B D28AFE1A
  26115A1B F53AFB03 0ED1A830 1D060355 1D0E0416 04142C21 E7314BD2 8AFE1A26
  115A1BF5 3AFB030E D1A8300D 06092A86 4886F70D 01010405 00038181 008CC48F
  6A1BFB52 0F268B05 B977AE8E CA450936 8272D889 B46DE9FB 5680782C 59DA2354
  04CE6AD2 F280FB20 32B3897B CF0919F9 C0719F22 C7BED922 73C35C32 54696F37
  89E424C2 561FFF54 99573AC6 713E58D8 E3B67064 295D4331 845FCDEC F6CD8017
  58006C58 F94A8771 78217788 FE63AA11 0E5DF6B1 1A8D0111 CDD87A1D CC
  quit
no ip source-route
no ip gratuitous-arps
ip dhcp smart-relay
ip dhcp bootp ignore
ip dhcp excluded-address 10.0.1.1 10.0.1.10
ip dhcp excluded-address 10.0.10.1 10.0.10.10
!
ip dhcp pool VLAN_10
   network 10.0.10.0 255.255.255.224
   default-router 10.0.10.1
   domain-name xxxxxx
   dns-server 10.0.10.1
!
ip dhcp pool VLAN_1
   network 10.0.1.0 255.255.255.224
   default-router 10.0.1.1
   domain-name xxxxxx
   dns-server 10.0.1.1
!
!
ip cef
ip inspect log drop-pkt
ip inspect max-incomplete high 1100
ip inspect max-incomplete low 1100
ip inspect one-minute high 1100
ip inspect one-minute low 1100
ip inspect udp idle-time 60
ip inspect dns-timeout 10
ip inspect name FIREWALL tcp timeout 3600
ip inspect name FIREWALL udp timeout 15
ip inspect name FIREWALL ftp timeout 3600
ip inspect name FIREWALL rcmd timeout 3600
ip inspect name FIREWALL smtp alert on timeout 3600
ip inspect name FIREWALL sqlnet timeout 3600
ip inspect name FIREWALL tftp timeout 30
ip inspect name FIREWALL icmp timeout 15
ip inspect name FIREWALL ssh timeout 15
ip inspect name FIREWALL login audit-trail on
ip inspect name FIREWALL webster
ip inspect name FIREWALL skinny
ip inspect name FIREWALL router
ip inspect name FIREWALL cifs
ip inspect name FIREWALL cuseeme
ip inspect name FIREWALL dns
ip inspect name FIREWALL realaudio
ip inspect name FIREWALL rtsp
ip inspect name FIREWALL streamworks
ip inspect name FIREWALL vdolive
ip inspect name FIREWALL sip
ip inspect name FIREWALL pop3 alert on reset
ip inspect name FIREWALL ftps
ip inspect name FIREWALL isakmp
ip inspect name FIREWALL ipsec-msft
ip inspect name FIREWALL ntp
ip inspect name FIREWALL imap
ip inspect name FIREWALL imaps
ip inspect name FIREWALL imap3
ip inspect name FIREWALL pop3s
no ip bootp server
ip domain name xxxxxxxxx
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip name-server 74.128.19.102
ip name-server 74.128.17.114
!
!
license agent notify http://10.0.10.11:9710/clm/servlet/HttpListenServlet dummy dummy 2.0
!
!
username xxxx privilege 15 secret 5 xxxxxx
username xxxxx secret 5 xxxxx
!
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp nat keepalive 3600
!
crypto isakmp client configuration group xxxxx
 key xxxxxx
 dns 10.0.10.5
 domain xxxxxxxx
 pool vpnpool
 include-local-lan
 netmask 255.255.255.224
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac comp-lzs
!
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
crypto ctcp port 6000
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
bridge irb
!
!
!
interface Loopback0
 ip address 10.100.100.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 switchport access vlan 10
!
interface FastEthernet1
 switchport access vlan 10
!
interface FastEthernet2
 switchport access vlan 10
!
interface FastEthernet3
 switchport access vlan 10
 switchport mode trunk
!
interface FastEthernet4
 description WAN$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip inspect FIREWALL out
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip virtual-reassembly
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Service module interface to manage the embedded AP
 switchport mode trunk
!
interface Vlan1
 description VLAN_1$FW_INSIDE$
 ip address 10.0.1.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan10
 description VLAN_10$FW_INSIDE$
 ip address 10.0.10.1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface BVI1
 description $FW_INSIDE$
 ip address dhcp hostname WAPB
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no ip route-cache cef
 no ip route-cache
!
router rip
 version 1
 network 10.0.0.0
!
ip local pool vpnpool 197.0.0.1 197.0.0.5
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp
ip route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source list 2 interface FastEthernet4 overload
ip nat inside source static tcp 10.0.10.3 3389 interface FastEthernet4 3389
ip nat inside source static tcp 10.0.10.3 1723 interface FastEthernet4 1723
ip nat inside source static tcp 10.0.10.3 80 interface FastEthernet4 80
!
logging 10.0.10.1
access-list 1 permit 10.0.1.0 0.0.0.31
access-list 2 permit 10.0.10.0 0.0.0.31
access-list 199 permit gre any any
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp any any established
access-list 199 permit udp any any eq 3389
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 deny   tcp any any
access-list 199 deny   tcp 10.0.0.0 0.255.255.255 any
access-list 199 deny   tcp 172.16.0.0 0.15.255.255 any
access-list 199 deny   tcp 192.168.0.0 0.0.0.255 any
access-list 199 deny   udp 10.0.0.0 0.255.255.255 any
access-list 199 deny   udp 172.16.0.0 0.15.255.255 any
access-list 199 deny   udp 192.168.0.0 0.0.0.255 any
access-list 199 deny   icmp any any echo
access-list 199 deny   udp any any eq 135
access-list 199 deny   udp any any eq netbios-ns
access-list 199 deny   udp any any eq netbios-ss
access-list 199 deny   udp any any eq isakmp
access-list 199 deny   tcp any any eq telnet
access-list 199 deny   tcp any any eq smtp
access-list 199 deny   tcp any any eq nntp
access-list 199 deny   tcp any any eq 135
access-list 199 deny   tcp any any eq 137
access-list 199 deny   tcp any any eq 139
access-list 199 deny   tcp any any eq www
access-list 199 deny   tcp any any eq 443
access-list 199 deny   tcp any any eq 445
access-list 199 deny   ip any any
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 10 protocol ieee
bridge 10 route ip
banner login ^C
Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output all
line vty 0 4
 access-class 104 in
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp server 192.43.244.18
end

Guest

Re: VPN Local lan access

Post by Guest » Sat Jul 24, 2010 5:54 pm

Hello,

The issue is due to the NAT configuration. Please try the following:

no ip nat inside source list 1 interface FastEthernet4 overload
no ip nat inside source list 2 interface FastEthernet4 overload

access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7
access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.255.31 any

route-map Internet
 match ip address 101
exit

ip nat inside source route-map Internet interface FastEthernet4 overload

This will ensure that the VPN clients can access all of the internal resources. However, they will not be able to access the 10.0.10.3 server using its private IP, as you cannot use the route-map when you are using the "interface" keyword. If you have a static IP assigned to your FastEthernet4 interface by the ISP, then you can use the configuration below:

access-list 102 deny ip host 10.0.10.3 197.0.0.0 0.0.0.7
access-list 102 deny ip host 10.0.10.3 10.0.0.0 0.0.255.255
access-list 102 permit ip host 10.0.10.3 any

route-map Server
 match ip address 102
exit

no ip nat inside source static tcp 10.0.10.3 3389 interface FastEthernet4 3389
no ip nat inside source static tcp 10.0.10.3 1723 interface FastEthernet4 1723
no ip nat inside source static tcp 10.0.10.3 80 interface FastEthernet4 80

ip nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389 route-map Server
ip nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 IP" 1723 route-map Server
ip nat inside source static tcp 10.0.10.3 80 "FastEthernet4 IP" 80 route-map Server

Hope this helps.

Regards,
NT
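The reply above works because on IOS, traffic leaving an "ip nat inside" interface towards the "ip nat outside" interface is NATed before the crypto map encrypts it, so replies from the LAN to a VPN client were being rewritten to the WAN address by the original "list 1"/"list 2" overload statements. A NAT ACL's "deny" means "do not translate", which is what the 101 entries for the 197.0.0.0/29 pool and 10.0.0.0/16 provide. The following is an added worked example (not code from the thread or from Cisco) that evaluates the thread's actual ACLs with IOS wildcard-mask semantics, including the non-contiguous 0.0.255.31 wildcard used in ACL 101, and shows the before/after translation decision for the packets involved. The packets are constructed test inputs; the ACL entries are copied from the two posts.

```python
"""IOS wildcard-mask ACL evaluator for NAT 'inside source' decisions.

Added example for this thread; not from the original post or from Cisco.
ACL entries are taken from the thread's configs, packets are constructed.
"""
import ipaddress


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'.
    Non-contiguous wildcards such as 0.0.255.31 are legal and are evaluated
    bitwise, exactly like a contiguous one."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (b & care)


# An ACL is an ordered list of (action, src, src_wc, dst, dst_wc).
# Standard ACLs test only the source, so their dst is "any".
ANY = ("0.0.0.0", "255.255.255.255")


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation with the implicit deny at the end, as on IOS."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


def nat_translates(acl, src: str, dst: str) -> bool:
    """For 'ip nat inside source list|route-map ...', 'permit' means the
    packet is translated; 'deny' (or no match) leaves it untouched."""
    return acl_action(acl, src, dst) == "permit"


# Original poster's standard ACLs behind 'ip nat inside source list 1/2'.
ACL_1 = [("permit", "10.0.1.0", "0.0.0.31", *ANY)]
ACL_2 = [("permit", "10.0.10.0", "0.0.0.31", *ANY)]

# NT's replacement ACL 101, referenced by route-map Internet.
# 10.0.0.0 0.0.255.31 covers 10.0.x.0-31, i.e. both /27 LAN subnets.
ACL_101 = [
    ("deny",   "10.0.0.0", "0.0.255.31", "197.0.0.0", "0.0.0.7"),     # VPN pool
    ("deny",   "10.0.0.0", "0.0.255.31", "10.0.0.0",  "0.0.255.255"), # inter-VLAN
    ("permit", "10.0.0.0", "0.0.255.31", *ANY),                       # Internet
]


def before_fix(src: str, dst: str) -> bool:
    """Original config: list 1 and list 2 both overloaded onto Fa4."""
    return nat_translates(ACL_1, src, dst) or nat_translates(ACL_2, src, dst)


def after_fix(src: str, dst: str) -> bool:
    """Replacement config: route-map Internet -> ACL 101."""
    return nat_translates(ACL_101, src, dst)


def decisions() -> dict:
    """Translation decision for the flows that matter in this thread.
    Keys are (src, dst); values are (before, after)."""
    flows = [
        ("10.0.10.3", "197.0.0.1"),   # LAN server replying to a VPN client
        ("10.0.1.5",  "197.0.0.5"),   # VLAN 1 host replying to a VPN client
        ("10.0.1.5",  "10.0.10.3"),   # inter-VLAN traffic
        ("10.0.10.3", "8.8.8.8"),     # ordinary Internet traffic
    ]
    return {f: (before_fix(*f), after_fix(*f)) for f in flows}


if __name__ == "__main__":
    for (src, dst), (before, after) in decisions().items():
        print(f"{src:>10} -> {dst:<10} translated before={before!s:5} after={after}")
```

Two things worth noticing when running it: the LAN-to-VPN-client flows are translated under the original config and left alone under ACL 101, while Internet-bound traffic is still translated, which is the whole fix. Separately, 197.0.0.0/29 is not RFC 1918 space (197.0.0.0/8 is publicly routable, AfriNIC-allocated); the example uses it only because the thread does, and a pool drawn from 10/8, 172.16/12 or 192.168/16 would avoid shadowing real Internet hosts for connected clients.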

Guest

Re: VPN Local lan access

Post by Guest » Sat Jul 24, 2010 6:11 pm

Thanks for your assistance, it worked like a charm.

Guest

Re: VPN Local lan access

Post by Guest » Sat Jul 24, 2010 7:01 pm

Hello,

Glad that the issue is fixed. Thanks for the rating.

Regards,
NT
