[Config] Need help getting VPN traffic to access LAN space in Cisco

[Config] Need help getting VPN traffic to access LAN space in Cisco http://www.dslreports.com/forum/r22618246 en Sun, 29 Nov 2009 13:20:54 EDT Sun, 29 Nov 2009 13:20:54 EDT Re: [Config] Need help getting VPN traffic to access LAN space http://www.dslreports.com/forum/remark,22650563 phantasm11b : SSH is fixed.]]> http://www.dslreports.com/forum/remark,22650563 Fri, 03 Jul 2009 16:25:45 EDT Re: [Config] Need help getting VPN traffic to access LAN space http://www.dslreports.com/forum/remark,22649901 phantasm11b : I didn't notice your reply until now. Sorry for not responding. Here is where it is at:

Ok. Restarting this thread. I've been working with a member here on the configuration for my router, specifically the VPN. He's been very helpful but with this being a holiday weekend I would not expect him to be online much. As suggested by tubbynet I have not tried adding local-lan to the config. I will try this though.

Problems:
1. When users authenticateon my VPN I see these errors:

»pastebin.com/m657cf2d7

Jul  3 12:50:34.352 EDT: ISAKMP (0/2004): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C)1.Jul  3 12:50:34.352 EDT: ISAKMP (0/2004): Unknown Attr: MODECFG_HOSTNAME (0x700A)2.Jul  3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 3.    {esp-aes 256 esp-md5-hmac comp-lzs }4.Jul  3 12:50:34.496 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 2565.Jul  3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 6.    {esp-aes 256 esp-sha-hmac comp-lzs }7.Jul  3 12:50:34.496 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 2568.Jul  3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 9.    {esp-aes esp-md5-hmac comp-lzs }10.Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 25611.Jul  3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 12.    {esp-aes esp-sha-hmac comp-lzs }13.Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 25614.Jul  3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 15.    {esp-aes 256 esp-md5-hmac }16.Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 25617.Jul  3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 18.    {esp-aes 256 esp-sha-hmac }19.Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 25620.Jul  3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 21.    {esp-aes esp-md5-hmac }22.Jul  3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 25623.TheDarkSide#24.Jul  3 12:50:34.508 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP  .  Peer xxx.xxx.xxx.xxx       Id: xxxxx

2. Users cannot access LAN assets, particularly 192.168.1.2 (Cisco 2619 – lab router).

3. SSH does not work in either direction. I've disabled the inbound_wan ACL and ssh works. I re-enable it and it does not, however no entries are shown against the ACL when someone tries to connect. The large number of blocked networks have not been an issue until today. SSH worked yesterday, today it does not. What changed? A lot. Lol.

Here's the configuration as it stands.Everything works with the exception of what is mentioned above.

!! Last configuration change at 12:34:26 EDT Fri Jul 3 2009 by xxxxxxxxxxxxx! NVRAM config last updated at 12:57:13 EDT Fri Jul 3 2009 by xxxxxxxxxxxxx!version 12.4no service padservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryption!hostname xxxxxxxxxxxxx!boot-start-markerboot-end-marker!logging buffered 4096 notifications!aaa new-model!!aaa authentication login default localaaa authorization exec default local aaa authorization network groupauthor local !!aaa session-id commonclock timezone EDT -5clock summer-time EDT recurring!crypto pki trustpoint TP-self-signed-117880434 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-117880434 revocation-check none rsakeypair TP-self-signed-117880434!!crypto pki certificate chain TP-self-signed-117880434 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer!dot11 ssid xxxxxxxxxxxxx   vlan 1   authentication open    authentication key-management wpa   guest-mode   wpa-psk ascii 7 xxxxxxxxxxxxx!ip cef!!no ip dhcp use vrf connectedip dhcp excluded-address 192.168.1.1 192.168.1.10!ip dhcp pool Home   network 192.168.1.0 255.255.255.0   dns-server 65.32.5.111 65.32.5.112    default-router 192.168.1.1 !!ip domain name tds.net-freaks.comip inspect name MyFw cuseemeip inspect name MyFw ftpip inspect name MyFw h323ip inspect name MyFw icmpip inspect name MyFw netshowip inspect name MyFw rcmdip inspect name MyFw realaudioip inspect name MyFw rtspip inspect name MyFw esmtpip inspect name MyFw sqlnetip inspect name MyFw streamworksip inspect name MyFw tftpip inspect name MyFw tcpip inspect name MyFw udpip inspect name MyFw vdoliveip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticated!!username xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxxusername xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxx! crypto logging session!crypto isakmp policy 3 encr aes 256 authentication pre-share group 2!crypto isakmp client configuration group HomeVPN key xxxxxxxxxxxxx dns xxxxxxxxxxxxx xxxxxxxxxxxxx pool VPN-Pool acl VPN-Traffic netmask 255.255.255.0!!crypto ipsec transform-set myset esp-aes esp-sha-hmac !crypto dynamic-map dynmap 10 set transform-set myset  reverse-route!!crypto map clientmap client authentication list userauthencrypto map clientmap isakmp authorization list groupauthorcrypto map clientmap client configuration address respondcrypto map clientmap 10 ipsec-isakmp dynamic dynmap !archive log config  hidekeys!!ip ssh maxstartups 2ip ssh time-out 15ip ssh logging events!bridge irb!!interface FastEthernet0 load-interval 30 shutdown spanning-tree portfast!interface FastEthernet1 description Cisco Lab Interface load-interval 30 duplex full speed 10!interface FastEthernet2 description Blu Ray Player load-interval 30!interface FastEthernet3 description Linux box load-interval 30 duplex full!interface FastEthernet4 description WAN Interface ip address dhcp ip access-group inbound_wan in ip nat outside ip inspect MyFw out ip virtual-reassembly load-interval 30 duplex auto speed auto no cdp enable crypto map clientmap!interface Dot11Radio0 no ip address no dot11 extension aironet ! encryption vlan 1 mode ciphers tkip  ! ssid xxxxxxxxxxxxx ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no cdp enable!interface Dot11Radio0.1 encapsulation dot1Q 1 native bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface Vlan1 description Internal network no ip address ip nat inside ip virtual-reassembly bridge-group 1 bridge-group 1 spanning-disabled!interface BVI1 description Bridge for LAN interfaces ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly!ip local pool VPN-Pool 10.10.29.101 10.10.29.105ip forward-protocol ndip route 0.0.0.0 0.0.0.0 FastEthernet4!!no ip http serverno ip http secure-serverip nat inside source route-map outbound_route_map interface FastEthernet4 overload!ip access-list extended VPN-Traffic permit tcp 10.10.29.0 0.0.0.255 eq telnet host 192.168.1.2 eq telnetip access-list extended inbound_wan remark Block RIPE NCC deny   ip 62.0.0.0 0.255.255.255 any deny   ip 77.0.0.0 0.255.255.255 any deny   ip 78.0.0.0 1.255.255.255 any deny   ip 80.0.0.0 7.255.255.255 any deny   ip 88.0.0.0 3.255.255.255 any deny   ip 92.0.0.0 1.255.255.255 any deny   ip 109.0.0.0 0.255.255.255 any deny   ip 141.0.0.0 0.255.255.255 any deny   ip 145.0.0.0 0.255.255.255 any deny   ip 151.0.0.0 0.255.255.255 any deny   ip 178.0.0.0 0.255.255.255 any deny   ip 188.0.0.0 0.255.255.255 any deny   ip 193.0.0.0 0.255.255.255 any deny   ip 194.0.0.0 1.255.255.255 any deny   ip 212.0.0.0 1.255.255.255 any remark Block APNIC deny   ip 43.0.0.0 0.255.255.255 any deny   ip 58.0.0.0 1.255.255.255 any deny   ip 60.0.0.0 1.255.255.255 any deny   ip 110.0.0.0 1.255.255.255 any deny   ip 112.0.0.0 7.255.255.255 any deny   ip 120.0.0.0 3.255.255.255 any deny   ip 124.0.0.0 1.255.255.255 any deny   ip 133.0.0.0 0.255.255.255 any deny   ip 153.0.0.0 0.255.255.255 any deny   ip 171.0.0.0 0.255.255.255 any deny   ip 180.0.0.0 0.255.255.255 any deny   ip 183.0.0.0 0.255.255.255 any deny   ip 202.0.0.0 1.255.255.255 any deny   ip 210.0.0.0 1.255.255.255 any deny   ip 218.0.0.0 1.255.255.255 any deny   ip 220.0.0.0 1.255.255.255 any remark Block LACNIC deny   ip 186.0.0.0 1.255.255.255 any deny   ip 189.0.0.0 0.255.255.255 any deny   ip 190.0.0.0 1.255.255.255 any deny   ip 200.0.0.0 1.255.255.255 any remark Block AfriNIC deny   ip 41.0.0.0 0.255.255.255 any deny   ip 154.0.0.0 0.255.255.255 any deny   ip 196.0.0.0 1.255.255.255 any remark Block unallocated deny   ip 240.0.0.0 7.255.255.255 any deny   ip 248.0.0.0 7.255.255.255 any remark Block RFC 1918 address space permit udp any eq bootps any eq bootpc deny   ip 10.0.0.0 0.255.255.255 any deny   ip 127.0.0.0 0.255.255.255 any deny   ip 172.16.0.0 0.15.255.255 any deny   ip 192.168.0.0 0.0.255.255 any deny   ip host 255.255.255.255 any permit tcp any eq 22 any eq 22 permit udp any eq 22 any eq 22 permit udp any eq ntp any eq ntp permit udp any any eq isakmp permit udp any any eq non500-isakmp permit icmp any any echo permit icmp any any echo-reply permit icmp any any time-exceeded permit icmp any any unreachable permit udp any eq domain any deny   ip any any logip access-list extended outbound_route_map deny   ip 192.168.1.0 0.0.0.255 10.10.29.0 0.0.0.255 deny   ip 10.10.29.0 0.0.0.255 192.168.1.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 any permit ip 10.10.29.0 0.0.0.255 any!!!!route-map outbound_route_map permit 1 match ip address outbound_route_map!!control-plane!bridge 1 protocol ieeebridge 1 route ip!line con 0 exec-timeout 5 0 logging synchronous no modem enable transport output allline aux 0 transport output allline vty 0 3 exec-timeout 5 0 logging synchronous transport input telnet transport output allline vty 4 exec-timeout 5 0 logging synchronous transport input ssh transport output all!scheduler max-task-time 5000ntp loggingntp clock-period 17175054ntp server xxxxxxxxxxxxxntp server xxxxxxxxxxxxx preferend

--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy]]> http://www.dslreports.com/forum/remark,22649901 Fri, 03 Jul 2009 13:45:23 EDT Re: [Config] Need help getting VPN traffic to access LAN space http://www.dslreports.com/forum/remark,22649873 tubbynet : are you split-tunneling the vpn connection or are you tunneling everything?

have you tried adding "include-local-lan" under your crypto group?

if you are denying nat in the route-map by subnet, then you shouldn't need to deny each individual host...

when trying to ping the 1.2 device, are you getting timeouts or replies from a public ip address? have you tried traceing the route to ensure that you are going out the vpn interface and not the public interwebz?

q.
--
"...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."]]> http://www.dslreports.com/forum/remark,22649873 Fri, 03 Jul 2009 13:38:33 EDT Re: [Config] Need help getting VPN traffic to access LAN space http://www.dslreports.com/forum/remark,22624019 phantasm11b : So here's the current state of my outbound_route_map. With this the 192.168.1.1 is accessible but the .1.2 is not.

--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy]]> http://www.dslreports.com/forum/remark,22624019 Sun, 28 Jun 2009 13:56:58 EDT Re: [Config] Need help getting VPN traffic to access LAN space http://www.dslreports.com/forum/remark,22619743 phantasm11b : Perhaps the issue is with the route map? Maybe I should add a statement permitting the 172.29.100.x access to 192.168.1.2? Hm. I'll try that.
--
"There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy]]> http://www.dslreports.com/forum/remark,22619743 Sat, 27 Jun 2009 09:18:30 EDT [Config] Need help getting VPN traffic to access LAN space http://www.dslreports.com/forum/remark,22618246 phantasm11b : Ok. The VPN works and I can connect but not one is able to access the IP 192.168.1.2. I think I need an IP route statement but am unsure how to route it since the LAN ports are in the BVI. Could someone give me a hand please?

!! Last configuration change at 20:57:25 EDT Fri Jun 26 2009 by drek! NVRAM config last updated at 20:01:25 EDT Fri Jun 26 2009 by drek!version 12.4no service padservice timestamps debug datetime msec localtime show-timezoneservice timestamps log datetime msec localtime show-timezoneservice password-encryption!hostname TheDarkSide!boot-start-markerboot-end-marker!logging buffered 4096 notifications!aaa new-model!!aaa authentication login default localaaa authorization exec default local aaa authorization network groupauthor local !!aaa session-id commonclock timezone EDT -5clock summer-time EDT recurring!crypto pki trustpoint TP-self-signed-117880434 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-117880434 revocation-check none rsakeypair TP-self-signed-117880434!!crypto pki certificate chain TP-self-signed-117880434 certificate self-signed 01 xxxxxxxxxxxxxxxxxxxx  quit!dot11 ssid BenFranklin   vlan 1   authentication open    authentication key-management wpa   guest-mode   wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx!ip cef!!no ip dhcp use vrf connectedip dhcp excluded-address 192.168.1.1 192.168.1.10!ip dhcp pool VLAN1   import all   network 192.168.1.0 255.255.255.0   default-router 192.168.1.1    dns-server xxxxxxxxxxxxxxxxxx !!ip domain name TheDarkSide.netip inspect name SDM_LOW cuseemeip inspect name SDM_LOW ftpip inspect name SDM_LOW h323ip inspect name SDM_LOW icmpip inspect name SDM_LOW netshowip inspect name SDM_LOW rcmdip inspect name SDM_LOW realaudioip inspect name SDM_LOW rtspip inspect name SDM_LOW esmtpip inspect name SDM_LOW sqlnetip inspect name SDM_LOW streamworksip inspect name SDM_LOW tftpip inspect name SDM_LOW tcpip inspect name SDM_LOW udpip inspect name SDM_LOW vdoliveip auth-proxy max-nodata-conns 3ip admission max-nodata-conns 3!multilink bundle-name authenticated!!username drek privilege 15 password 7 xxxxxxxxxxxxxxxxx! !crypto isakmp policy 3 encr aes 256 authentication pre-share group 2!crypto isakmp client configuration group vpnclient key xxxxxxxxxxxxxxxxxxxxx pool ippool!!crypto ipsec transform-set myset esp-aes esp-sha-hmac !crypto dynamic-map dynmap 10 set transform-set myset  reverse-route!!crypto map clientmap client authentication list userauthencrypto map clientmap isakmp authorization list groupauthorcrypto map clientmap client configuration address respondcrypto map clientmap 10 ipsec-isakmp dynamic dynmap !crypto ctcp port 443 10000 archive log config  hidekeys!!!bridge irb!!interface FastEthernet0 load-interval 30 shutdown!interface FastEthernet1 description Cisco Lab Interface load-interval 30 duplex full speed 10!interface FastEthernet2 description Blu Ray Player load-interval 30!interface FastEthernet3 description Linux Box load-interval 30 duplex full!interface FastEthernet4 description WAN Interface ip address dhcp ip access-group inbound_wan in ip nat outside ip inspect SDM_LOW out ip virtual-reassembly load-interval 30 duplex auto speed auto no cdp enable crypto map clientmap!interface Dot11Radio0 no ip address no dot11 extension aironet ! encryption vlan 1 mode ciphers tkip  ! ssid xxxxxxxxxxxxxx ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no cdp enable!interface Dot11Radio0.1 encapsulation dot1Q 1 native bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding!interface Vlan1 description Internal network no ip address ip nat inside ip virtual-reassembly bridge-group 1 bridge-group 1 spanning-disabled!interface BVI1 description Layer-3 LAN interface to bridge FA1-3 ports$FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 ip access-group cisco_lab out ip nat inside ip virtual-reassembly!ip local pool ippool 172.29.100.1 172.29.100.5no ip forward-protocol nd!!no ip http serverno ip http secure-serverip nat inside source route-map outbound_route_map interface FastEthernet4 overload!ip access-list extended cisco_lab permit ip 172.29.100.0 0.0.0.255 host 192.168.1.2 permit ip any anyip access-list extended inbound_wan remark Inbound WAN ACL permit tcp any any eq 22 permit ahp any any permit esp any any permit udp any any eq isakmp permit udp any any eq non500-isakmp permit udp any eq bootps any eq bootpc permit icmp any any echo-reply permit icmp any any time-exceeded permit icmp any any unreachable deny   ip 10.0.0.0 0.255.255.255 any deny   ip 172.16.0.0 0.15.255.255 any deny   ip 192.168.0.0 0.0.255.255 any deny   ip 127.0.0.0 0.255.255.255 any deny   ip host 255.255.255.255 any deny   ip any any logip access-list extended outbound_route_map deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.1 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.2 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.3 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.4 deny   ip 192.168.1.0 0.0.0.255 host 172.29.100.5 deny   ip host 192.168.1.1 host 172.29.100.1 deny   ip host 192.168.1.1 host 172.29.100.2 deny   ip host 192.168.1.1 host 172.29.100.3 deny   ip host 192.168.1.1 host 172.29.100.4 deny   ip host 192.168.1.1 host 172.29.100.5 permit ip 192.168.1.0 0.0.0.255 any permit ip 172.29.100.0 0.0.0.255 any!!!!route-map outbound_route_map permit 1 match ip address outbound_route_map!!control-plane!bridge 1 protocol ieeebridge 1 route ip!line con 0 exec-timeout 5 0 logging synchronous no modem enable transport output allline aux 0 transport output allline vty 0 3 exec-timeout 5 0 logging synchronous transport input telnet transport output allline vty 4 exec-timeout 5 0 logging synchronous transport input ssh transport output all!scheduler max-task-time 5000ntp loggingntp clock-period 17175082ntp server 71.40.128.157 preferend