phantasm11b
Premium
join:2007-11-02


[Config] Need help getting VPN traffic to access LAN space

Ok. The VPN works and I can connect, but no one is able to access the IP 192.168.1.2. I think I need an IP route statement but am unsure how to route it since the LAN ports are in the BVI. Could someone give me a hand please?

 
!
! Last configuration change at 20:57:25 EDT Fri Jun 26 2009 by drek
! NVRAM config last updated at 20:01:25 EDT Fri Jun 26 2009 by drek
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname TheDarkSide
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 notifications
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network groupauthor local 
!
!
aaa session-id common
clock timezone EDT -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-117880434
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-117880434
 revocation-check none
 rsakeypair TP-self-signed-117880434
!
!
crypto pki certificate chain TP-self-signed-117880434
 certificate self-signed 01
 xxxxxxxxxxxxxxxxxxxx
  quit
!
dot11 ssid BenFranklin
   vlan 1
   authentication open 
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool VLAN1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1 
   dns-server xxxxxxxxxxxxxxxxxx 
!
!
ip domain name TheDarkSide.net
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username drek privilege 15 password 7 xxxxxxxxxxxxxxxxx
! 
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key xxxxxxxxxxxxxxxxxxxxx
 pool ippool
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set myset 
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
crypto ctcp port 443 10000 
archive
 log config
  hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
 load-interval 30
 shutdown
!
interface FastEthernet1
 description Cisco Lab Interface
 load-interval 30
 duplex full
 speed 10
!
interface FastEthernet2
 description Blu Ray Player
 load-interval 30
!
interface FastEthernet3
 description Linux Box
 load-interval 30
 duplex full
!
interface FastEthernet4
 description WAN Interface
 ip address dhcp
 ip access-group inbound_wan in
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap
!
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 1 mode ciphers tkip 
 !
 ssid xxxxxxxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Layer-3 LAN interface to bridge FA1-3 ports$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group cisco_lab out
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 172.29.100.1 172.29.100.5
no ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map outbound_route_map interface FastEthernet4 overload
!
ip access-list extended cisco_lab
 permit ip 172.29.100.0 0.0.0.255 host 192.168.1.2
 permit ip any any
ip access-list extended inbound_wan
 remark Inbound WAN ACL
 permit tcp any any eq 22
 permit ahp any any
 permit esp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip host 255.255.255.255 any
 deny   ip any any log
ip access-list extended outbound_route_map
 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.1
 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.2
 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.3
 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.4
 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.5
 deny   ip host 192.168.1.1 host 172.29.100.1
 deny   ip host 192.168.1.1 host 172.29.100.2
 deny   ip host 192.168.1.1 host 172.29.100.3
 deny   ip host 192.168.1.1 host 172.29.100.4
 deny   ip host 192.168.1.1 host 172.29.100.5
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 172.29.100.0 0.0.0.255 any
!
!
!
!
route-map outbound_route_map permit 1
 match ip address outbound_route_map
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 5 0
 logging synchronous
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 3
 exec-timeout 5 0
 logging synchronous
 transport input telnet
 transport output all
line vty 4
 exec-timeout 5 0
 logging synchronous
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
ntp logging
ntp clock-period 17175082
ntp server 71.40.128.157 prefer
end
 

--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy


phantasm11b
Premium
join:2007-11-02

Perhaps the issue is with the route map? Maybe I should add a statement permitting the 172.29.100.x access to 192.168.1.2? Hm. I'll try that.
--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy



phantasm11b
Premium
join:2007-11-02

reply to phantasm11b
So here's the current state of my outbound_route_map. With this the 192.168.1.1 is accessible but the .1.2 is not.

Extended IP access list outbound_route_map
    10 deny ip host 192.168.1.2 host 172.29.100.1
    20 deny ip host 192.168.1.2 host 172.29.100.2
    30 deny ip host 192.168.1.2 host 172.29.100.3
    40 deny ip host 192.168.1.2 host 172.29.100.4
    50 deny ip host 192.168.1.2 host 172.29.100.5
    60 deny ip host 192.168.1.1 host 172.29.100.1
    70 deny ip host 192.168.1.1 host 172.29.100.2
    80 deny ip host 192.168.1.1 host 172.29.100.3 (7 matches)
    90 deny ip host 192.168.1.1 host 172.29.100.4
    100 deny ip host 192.168.1.1 host 172.29.100.5
    110 permit ip 192.168.1.0 0.0.0.255 any (59 matches)
    120 permit ip 172.29.100.0 0.0.0.255 any (33 matches)
 

--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy


tubbynet
reminds me of the danse russe
Premium,MVM
join:2008-01-16
Chandler, AZ

are you split-tunneling the vpn connection or are you tunneling everything?

have you tried adding "include-local-lan" under your crypto group?

if you are denying nat in the route-map by subnet, then you shouldn't need to deny each individual host...

when trying to ping the 1.2 device, are you getting timeouts or replies from a public ip address? have you tried tracing the route to ensure that you are going out the vpn interface and not the public interwebz?

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."



phantasm11b
Premium
join:2007-11-02

I didn't notice your reply until now. Sorry for not responding. Here is where it is at:

Ok. Restarting this thread. I've been working with a member here on the configuration for my router, specifically the VPN. He's been very helpful but with this being a holiday weekend I would not expect him to be online much. As suggested by tubbynet I have not tried adding local-lan to the config. I will try this though.

Problems:
1. When users authenticate on my VPN I see these errors:

pastebin.com/m657cf2d7

Jul  3 12:50:34.352 EDT: ISAKMP (0/2004): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)
Jul  3 12:50:34.352 EDT: ISAKMP (0/2004): Unknown Attr: MODECFG_HOSTNAME (0x700A)
Jul  3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 
    {esp-aes 256 esp-md5-hmac comp-lzs }
Jul  3 12:50:34.496 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256
Jul  3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 
    {esp-aes 256 esp-sha-hmac comp-lzs }
Jul  3 12:50:34.496 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256
Jul  3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 
    {esp-aes esp-md5-hmac comp-lzs }
Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256
Jul  3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 
    {esp-aes esp-sha-hmac comp-lzs }
Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256
Jul  3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 
    {esp-aes 256 esp-md5-hmac }
Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256
Jul  3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 
    {esp-aes 256 esp-sha-hmac }
Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256
Jul  3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 
    {esp-aes esp-md5-hmac }
Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256
TheDarkSide#
Jul  3 12:50:34.508 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer xxx.xxx.xxx.xxx       Id: xxxxx
 

2. Users cannot access LAN assets, particularly 192.168.1.2 (Cisco 2619 – lab router).

3. SSH does not work in either direction. I've disabled the inbound_wan ACL and ssh works. I re-enable it and it does not, however no entries are shown against the ACL when someone tries to connect. The large number of blocked networks have not been an issue until today. SSH worked yesterday, today it does not. What changed? A lot. Lol.

Here's the configuration as it stands. Everything works with the exception of what is mentioned above.

 
!
! Last configuration change at 12:34:26 EDT Fri Jul 3 2009 by xxxxxxxxxxxxx
! NVRAM config last updated at 12:57:13 EDT Fri Jul 3 2009 by xxxxxxxxxxxxx
!
version 12.4
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
!
hostname xxxxxxxxxxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 notifications
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local 
aaa authorization network groupauthor local 
!
!
aaa session-id common
clock timezone EDT -5
clock summer-time EDT recurring
!
crypto pki trustpoint TP-self-signed-117880434
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-117880434
 revocation-check none
 rsakeypair TP-self-signed-117880434
!
!
crypto pki certificate chain TP-self-signed-117880434
 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
!
dot11 ssid xxxxxxxxxxxxx
   vlan 1
   authentication open 
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 7 xxxxxxxxxxxxx
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool Home
   network 192.168.1.0 255.255.255.0
   dns-server 65.32.5.111 65.32.5.112 
   default-router 192.168.1.1 
!
!
ip domain name tds.net-freaks.com
ip inspect name MyFw cuseeme
ip inspect name MyFw ftp
ip inspect name MyFw h323
ip inspect name MyFw icmp
ip inspect name MyFw netshow
ip inspect name MyFw rcmd
ip inspect name MyFw realaudio
ip inspect name MyFw rtsp
ip inspect name MyFw esmtp
ip inspect name MyFw sqlnet
ip inspect name MyFw streamworks
ip inspect name MyFw tftp
ip inspect name MyFw tcp
ip inspect name MyFw udp
ip inspect name MyFw vdolive
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxx
username xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxx
! 
crypto logging session
!
crypto isakmp policy 3
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group HomeVPN
 key xxxxxxxxxxxxx
 dns xxxxxxxxxxxxx xxxxxxxxxxxxx
 pool VPN-Pool
 acl VPN-Traffic
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set myset 
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
archive
 log config
  hidekeys
!
!
ip ssh maxstartups 2
ip ssh time-out 15
ip ssh logging events
!
bridge irb
!
!
interface FastEthernet0
 load-interval 30
 shutdown
 spanning-tree portfast
!
interface FastEthernet1
 description Cisco Lab Interface
 load-interval 30
 duplex full
 speed 10
!
interface FastEthernet2
 description Blu Ray Player
 load-interval 30
!
interface FastEthernet3
 description Linux box
 load-interval 30
 duplex full
!
interface FastEthernet4
 description WAN Interface
 ip address dhcp
 ip access-group inbound_wan in
 ip nat outside
 ip inspect MyFw out
 ip virtual-reassembly
 load-interval 30
 duplex auto
 speed auto
 no cdp enable
 crypto map clientmap
!
interface Dot11Radio0
 no ip address
 no dot11 extension aironet
 !
 encryption vlan 1 mode ciphers tkip 
 !
 ssid xxxxxxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description Internal network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge for LAN interfaces
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool VPN-Pool 10.10.29.101 10.10.29.105
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4
!
!
no ip http server
no ip http secure-server
ip nat inside source route-map outbound_route_map interface FastEthernet4 overload
!
ip access-list extended VPN-Traffic
 permit tcp 10.10.29.0 0.0.0.255 eq telnet host 192.168.1.2 eq telnet
ip access-list extended inbound_wan
 remark Block RIPE NCC
 deny   ip 62.0.0.0 0.255.255.255 any
 deny   ip 77.0.0.0 0.255.255.255 any
 deny   ip 78.0.0.0 1.255.255.255 any
 deny   ip 80.0.0.0 7.255.255.255 any
 deny   ip 88.0.0.0 3.255.255.255 any
 deny   ip 92.0.0.0 1.255.255.255 any
 deny   ip 109.0.0.0 0.255.255.255 any
 deny   ip 141.0.0.0 0.255.255.255 any
 deny   ip 145.0.0.0 0.255.255.255 any
 deny   ip 151.0.0.0 0.255.255.255 any
 deny   ip 178.0.0.0 0.255.255.255 any
 deny   ip 188.0.0.0 0.255.255.255 any
 deny   ip 193.0.0.0 0.255.255.255 any
 deny   ip 194.0.0.0 1.255.255.255 any
 deny   ip 212.0.0.0 1.255.255.255 any
 remark Block APNIC
 deny   ip 43.0.0.0 0.255.255.255 any
 deny   ip 58.0.0.0 1.255.255.255 any
 deny   ip 60.0.0.0 1.255.255.255 any
 deny   ip 110.0.0.0 1.255.255.255 any
 deny   ip 112.0.0.0 7.255.255.255 any
 deny   ip 120.0.0.0 3.255.255.255 any
 deny   ip 124.0.0.0 1.255.255.255 any
 deny   ip 133.0.0.0 0.255.255.255 any
 deny   ip 153.0.0.0 0.255.255.255 any
 deny   ip 171.0.0.0 0.255.255.255 any
 deny   ip 180.0.0.0 0.255.255.255 any
 deny   ip 183.0.0.0 0.255.255.255 any
 deny   ip 202.0.0.0 1.255.255.255 any
 deny   ip 210.0.0.0 1.255.255.255 any
 deny   ip 218.0.0.0 1.255.255.255 any
 deny   ip 220.0.0.0 1.255.255.255 any
 remark Block LACNIC
 deny   ip 186.0.0.0 1.255.255.255 any
 deny   ip 189.0.0.0 0.255.255.255 any
 deny   ip 190.0.0.0 1.255.255.255 any
 deny   ip 200.0.0.0 1.255.255.255 any
 remark Block AfriNIC
 deny   ip 41.0.0.0 0.255.255.255 any
 deny   ip 154.0.0.0 0.255.255.255 any
 deny   ip 196.0.0.0 1.255.255.255 any
 remark Block unallocated
 deny   ip 240.0.0.0 7.255.255.255 any
 deny   ip 248.0.0.0 7.255.255.255 any
 remark Block RFC 1918 address space
 permit udp any eq bootps any eq bootpc
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip host 255.255.255.255 any
 permit tcp any eq 22 any eq 22
 permit udp any eq 22 any eq 22
 permit udp any eq ntp any eq ntp
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit udp any eq domain any
 deny   ip any any log
ip access-list extended outbound_route_map
 deny   ip 192.168.1.0 0.0.0.255 10.10.29.0 0.0.0.255
 deny   ip 10.10.29.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.10.29.0 0.0.0.255 any
!
!
!
!
route-map outbound_route_map permit 1
 match ip address outbound_route_map
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 exec-timeout 5 0
 logging synchronous
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 3
 exec-timeout 5 0
 logging synchronous
 transport input telnet
 transport output all
line vty 4
 exec-timeout 5 0
 logging synchronous
 transport input ssh
 transport output all
!
scheduler max-task-time 5000
ntp logging
ntp clock-period 17175054
ntp server xxxxxxxxxxxxx
ntp server xxxxxxxxxxxxx prefer
end
 

--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy
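An added example (mine, not code from any poster in this thread) that evaluates the two ACLs discussed above the way IOS does, first match wins: it checks whether the per-host outbound_route_map denies can be replaced by the single subnet deny tubbynet suggests, and what an SSH SYN arriving from a normal ephemeral source port hits in the inbound_wan list posted here. The client and router addresses used as test packets (203.0.113.10, 198.51.100.1) are constructed TEST-NET values, not from the posts.

```python
# Added example (not from the thread): a small Cisco IOS extended-ACL evaluator with
# first-match semantics and a wildcard-subsumption check, fed the ACL entries posted
# above. Test packets and the 198.51.100.1 / 203.0.113.10 addresses are constructed.
import ipaddress
from dataclasses import dataclass
def _i(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))
ANY = ("0.0.0.0", "255.255.255.255")        # IOS "any"
def host(a: str): return (a, "0.0.0.0")     # IOS "host A"

@dataclass(frozen=True)
class Ace:
    action: str                              # "permit" | "deny"
    proto: str                               # "ip" | "tcp" | "udp"
    src: tuple                               # (base, wildcard); wildcard 1-bits = don't care
    dst: tuple
    sport: "int | None" = None               # "eq <port>" on source; None = any port
    dport: "int | None" = None               # "eq <port>" on destination; None = any port

    def matches(self, proto, src, dst, sport=None, dport=None) -> bool:
        def wc(addr, sel):
            care = ~_i(sel[1]) & 0xFFFFFFFF
            return (_i(addr) & care) == (_i(sel[0]) & care)
        return (self.proto in ("ip", proto) and wc(src, self.src) and wc(dst, self.dst)
                and self.sport in (None, sport) and self.dport in (None, dport))

    def covers(self, o: "Ace") -> bool:
        """True if every packet matching ACE `o` also matches this ACE."""
        def sub(me, it):
            care = ~_i(me[1]) & 0xFFFFFFFF
            return (_i(it[1]) & care) == 0 and ((_i(it[0]) ^ _i(me[0])) & care) == 0
        return (self.proto in ("ip", o.proto) and sub(self.src, o.src) and sub(self.dst, o.dst)
                and self.sport in (None, o.sport) and self.dport in (None, o.dport))

def first_match(acl, proto, src, dst, sport=None, dport=None):
    """Index of the first ACE a packet hits; None is the implicit deny at the end."""
    return next((i for i, a in enumerate(acl) if a.matches(proto, src, dst, sport, dport)), None)

# outbound_route_map as in the "show access-list" output above (seq 10-120). The
# route-map drives NAT, so an ACL "deny" here means the flow is NOT translated.
POOL = [f"172.29.100.{n}" for n in range(1, 6)]
LAN = ("192.168.1.0", "0.0.0.255")
POSTED = ([Ace("deny", "ip", host("192.168.1.2"), host(p)) for p in POOL]
          + [Ace("deny", "ip", host("192.168.1.1"), host(p)) for p in POOL]
          + [Ace("permit", "ip", LAN, ANY), Ace("permit", "ip", ("172.29.100.0", "0.0.0.255"), ANY)])
BY_SUBNET = Ace("deny", "ip", LAN, ("172.29.100.0", "0.0.0.255"))  # tubbynet's one-line alternative

def nat_exempt(acl, src, dst) -> bool:
    i = first_match(acl, "ip", src, dst)
    return i is not None and acl[i].action == "deny"
def covered_by(acl, ace) -> list:   # entries with the same action that `ace` fully subsumes
    return [i for i, a in enumerate(acl) if a.action == ace.action and ace.covers(a)]

# inbound_wan, cut down to the two entries an Internet SSH client's SYN can reach:
# "permit tcp any eq 22 any eq 22" only matches when the SOURCE port is 22 as well.
INBOUND_WAN = [Ace("permit", "tcp", ANY, ANY, sport=22, dport=22),
               Ace("deny", "ip", ANY, ANY)]  # "deny ip any any log"

def ssh_syn_verdict(acl, client_ip, client_port, router_ip="198.51.100.1") -> str:
    i = first_match(acl, "tcp", client_ip, router_ip, sport=client_port, dport=22)
    return "implicit-deny" if i is None else f"{acl[i].action}@{i}"
```

With the posted list, 192.168.1.2 and 192.168.1.1 are exempt from translation but any other LAN host falls through to the `permit ip 192.168.1.0 0.0.0.255 any` entry and is NATed; the single subnet deny subsumes all ten host entries.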


phantasm11b
Premium
join:2007-11-02

SSH is fixed.


over 12.5 years online © 1999-2012 dslreports.com.