[Config] Need help getting VPN traffic to access LAN space

Author	All Replies
phantasm11b Premium join:2007-11-02 Winter Park, FL 1 edit	[Config] Need help getting VPN traffic to access LAN space Ok. The VPN works and I can connect but not one is able to access the IP 192.168.1.2. I think I need an IP route statement but am unsure how to route it since the LAN ports are in the BVI. Could someone give me a hand please? ! ! Last configuration change at 20:57:25 EDT Fri Jun 26 2009 by drek ! NVRAM config last updated at 20:01:25 EDT Fri Jun 26 2009 by drek ! version 12.4 no service pad service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname TheDarkSide ! boot-start-marker boot-end-marker ! logging buffered 4096 notifications ! aaa new-model ! ! aaa authentication login default local aaa authorization exec default local aaa authorization network groupauthor local ! ! aaa session-id common clock timezone EDT -5 clock summer-time EDT recurring ! crypto pki trustpoint TP-self-signed-117880434 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-117880434 revocation-check none rsakeypair TP-self-signed-117880434 ! ! crypto pki certificate chain TP-self-signed-117880434 certificate self-signed 01 xxxxxxxxxxxxxxxxxxxx quit ! dot11 ssid BenFranklin vlan 1 authentication open authentication key-management wpa guest-mode wpa-psk ascii 7 xxxxxxxxxxxxxxxxxxxxx ! ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 192.168.1.1 192.168.1.10 ! ip dhcp pool VLAN1 import all network 192.168.1.0 255.255.255.0 default-router 192.168.1.1 dns-server xxxxxxxxxxxxxxxxxx ! ! ip domain name TheDarkSide.net ip inspect name SDM_LOW cuseeme ip inspect name SDM_LOW ftp ip inspect name SDM_LOW h323 ip inspect name SDM_LOW icmp ip inspect name SDM_LOW netshow ip inspect name SDM_LOW rcmd ip inspect name SDM_LOW realaudio ip inspect name SDM_LOW rtsp ip inspect name SDM_LOW esmtp ip inspect name SDM_LOW sqlnet ip inspect name SDM_LOW streamworks ip inspect name SDM_LOW tftp ip inspect name SDM_LOW tcp ip inspect name SDM_LOW udp ip inspect name SDM_LOW vdolive ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ! multilink bundle-name authenticated ! ! username drek privilege 15 password 7 xxxxxxxxxxxxxxxxx ! ! crypto isakmp policy 3 encr aes 256 authentication pre-share group 2 ! crypto isakmp client configuration group vpnclient key xxxxxxxxxxxxxxxxxxxxx pool ippool ! ! crypto ipsec transform-set myset esp-aes esp-sha-hmac ! crypto dynamic-map dynmap 10 set transform-set myset reverse-route ! ! crypto map clientmap client authentication list userauthen crypto map clientmap isakmp authorization list groupauthor crypto map clientmap client configuration address respond crypto map clientmap 10 ipsec-isakmp dynamic dynmap ! crypto ctcp port 443 10000 archive log config hidekeys ! ! ! bridge irb ! ! interface FastEthernet0 load-interval 30 shutdown ! interface FastEthernet1 description Cisco Lab Interface load-interval 30 duplex full speed 10 ! interface FastEthernet2 description Blu Ray Player load-interval 30 ! interface FastEthernet3 description Linux Box load-interval 30 duplex full ! interface FastEthernet4 description WAN Interface ip address dhcp ip access-group inbound_wan in ip nat outside ip inspect SDM_LOW out ip virtual-reassembly load-interval 30 duplex auto speed auto no cdp enable crypto map clientmap ! interface Dot11Radio0 no ip address no dot11 extension aironet ! encryption vlan 1 mode ciphers tkip ! ssid xxxxxxxxxxxxxx ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no cdp enable ! interface Dot11Radio0.1 encapsulation dot1Q 1 native bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Vlan1 description Internal network no ip address ip nat inside ip virtual-reassembly bridge-group 1 bridge-group 1 spanning-disabled ! interface BVI1 description Layer-3 LAN interface to bridge FA1-3 ports$FW_INSIDE$ ip address 192.168.1.1 255.255.255.0 ip access-group cisco_lab out ip nat inside ip virtual-reassembly ! ip local pool ippool 172.29.100.1 172.29.100.5 no ip forward-protocol nd ! ! no ip http server no ip http secure-server ip nat inside source route-map outbound_route_map interface FastEthernet4 overload ! ip access-list extended cisco_lab permit ip 172.29.100.0 0.0.0.255 host 192.168.1.2 permit ip any any ip access-list extended inbound_wan remark Inbound WAN ACL permit tcp any any eq 22 permit ahp any any permit esp any any permit udp any any eq isakmp permit udp any any eq non500-isakmp permit udp any eq bootps any eq bootpc permit icmp any any echo-reply permit icmp any any time-exceeded permit icmp any any unreachable deny ip 10.0.0.0 0.255.255.255 any deny ip 172.16.0.0 0.15.255.255 any deny ip 192.168.0.0 0.0.255.255 any deny ip 127.0.0.0 0.255.255.255 any deny ip host 255.255.255.255 any deny ip any any log ip access-list extended outbound_route_map deny ip 192.168.1.0 0.0.0.255 host 172.29.100.1 deny ip 192.168.1.0 0.0.0.255 host 172.29.100.2 deny ip 192.168.1.0 0.0.0.255 host 172.29.100.3 deny ip 192.168.1.0 0.0.0.255 host 172.29.100.4 deny ip 192.168.1.0 0.0.0.255 host 172.29.100.5 deny ip host 192.168.1.1 host 172.29.100.1 deny ip host 192.168.1.1 host 172.29.100.2 deny ip host 192.168.1.1 host 172.29.100.3 deny ip host 192.168.1.1 host 172.29.100.4 deny ip host 192.168.1.1 host 172.29.100.5 permit ip 192.168.1.0 0.0.0.255 any permit ip 172.29.100.0 0.0.0.255 any ! ! ! ! route-map outbound_route_map permit 1 match ip address outbound_route_map ! ! control-plane ! bridge 1 protocol ieee bridge 1 route ip ! line con 0 exec-timeout 5 0 logging synchronous no modem enable transport output all line aux 0 transport output all line vty 0 3 exec-timeout 5 0 logging synchronous transport input telnet transport output all line vty 4 exec-timeout 5 0 logging synchronous transport input ssh transport output all ! scheduler max-task-time 5000 ntp logging ntp clock-period 17175082 ntp server 71.40.128.157 prefer end -- "There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy
	to forum · permalink · · 2009-06-26 21:12:49 ·
phantasm11b Premium join:2007-11-02 Winter Park, FL	Perhaps the issue is with the route map? Maybe I should add a statement permitting the 172.29.100.x access to 192.168.1.2? Hm. I'll try that. -- "There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy
	to forum · permalink · · 2009-06-27 09:18:30 ·
phantasm11b Premium join:2007-11-02 Winter Park, FL	reply to phantasm11b So here's the current state of my outbound_route_map. With this the 192.168.1.1 is accessible but the .1.2 is not. Extended IP access list outbound_route_map 10 deny ip host 192.168.1.2 host 172.29.100.1 20 deny ip host 192.168.1.2 host 172.29.100.2 30 deny ip host 192.168.1.2 host 172.29.100.3 40 deny ip host 192.168.1.2 host 172.29.100.4 50 deny ip host 192.168.1.2 host 172.29.100.5 60 deny ip host 192.168.1.1 host 172.29.100.1 70 deny ip host 192.168.1.1 host 172.29.100.2 80 deny ip host 192.168.1.1 host 172.29.100.3 (7 matches) 90 deny ip host 192.168.1.1 host 172.29.100.4 100 deny ip host 192.168.1.1 host 172.29.100.5 110 permit ip 192.168.1.0 0.0.0.255 any (59 matches) 120 permit ip 172.29.100.0 0.0.0.255 any (33 matches) -- "There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy
	to forum · permalink · · 2009-06-28 13:56:58 ·
tubbynet reminds me of the danse russe Premium join:2008-01-16 Chandler, AZ ·Cox HSI ·Callcentric ·Sprint Mobile Broa.. ·FrontierNet Intern..	are you split-tunneling the vpn connection or are you tunneling everything? have you tried adding "include-local-lan" under your crypto group? if you are denying nat in the route-map by subnet, then you shouldn't need to deny each individual host... when trying to ping the 1.2 device, are you getting timeouts or replies from a public ip address? have you tried traceing the route to ensure that you are going out the vpn interface and not the public interwebz? q. -- "...if I in my north room dance naked, grotesquely before my mirror waving my shirt round my head and singing softly to myself..."
	to forum · permalink · · 2009-07-03 13:38:33 ·
phantasm11b Premium join:2007-11-02 Winter Park, FL	I didn't notice your reply until now. Sorry for not responding. Here is where it is at: Ok. Restarting this thread. I've been working with a member here on the configuration for my router, specifically the VPN. He's been very helpful but with this being a holiday weekend I would not expect him to be online much. As suggested by tubbynet I have not tried adding local-lan to the config. I will try this though. Problems: 1. When users authenticateon my VPN I see these errors: »pastebin.com/m657cf2d7 Jul 3 12:50:34.352 EDT: ISAKMP (0/2004): Unknown Attr: CONFIG_MODE_UNKNOWN (0x700C) 1.Jul 3 12:50:34.352 EDT: ISAKMP (0/2004): Unknown Attr: MODECFG_HOSTNAME (0x700A) 2.Jul 3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 3. {esp-aes 256 esp-md5-hmac comp-lzs } 4.Jul 3 12:50:34.496 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 5.Jul 3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 6. {esp-aes 256 esp-sha-hmac comp-lzs } 7.Jul 3 12:50:34.496 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 8.Jul 3 12:50:34.496 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 9. {esp-aes esp-md5-hmac comp-lzs } 10.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 11.Jul 3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 12. {esp-aes esp-sha-hmac comp-lzs } 13.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 14.Jul 3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 15. {esp-aes 256 esp-md5-hmac } 16.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 17.Jul 3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 18. {esp-aes 256 esp-sha-hmac } 19.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 20.Jul 3 12:50:34.500 EDT: IPSEC(ipsec_process_proposal): transform proposal not supported for identity: 21. {esp-aes esp-md5-hmac } 22.Jul 3 12:50:34.500 EDT: ISAKMP:(2004): IPSec policy invalidated proposal with error 256 23.TheDarkSide# 24.Jul 3 12:50:34.508 EDT: %CRYPTO-5-SESSION_STATUS: Crypto tunnel is UP . Peer xxx.xxx.xxx.xxx Id: xxxxx 2. Users cannot access LAN assets, particularly 192.168.1.2 (Cisco 2619 – lab router). 3. SSH does not work in either direction. I've disabled the inbound_wan ACL and ssh works. I re-enable it and it does not, however no entries are shown against the ACL when someone tries to connect. The large number of blocked networks have not been an issue until today. SSH worked yesterday, today it does not. What changed? A lot. Lol. Here's the configuration as it stands.Everything works with the exception of what is mentioned above. ! ! Last configuration change at 12:34:26 EDT Fri Jul 3 2009 by xxxxxxxxxxxxx ! NVRAM config last updated at 12:57:13 EDT Fri Jul 3 2009 by xxxxxxxxxxxxx ! version 12.4 no service pad service timestamps debug datetime msec localtime show-timezone service timestamps log datetime msec localtime show-timezone service password-encryption ! hostname xxxxxxxxxxxxx ! boot-start-marker boot-end-marker ! logging buffered 4096 notifications ! aaa new-model ! ! aaa authentication login default local aaa authorization exec default local aaa authorization network groupauthor local ! ! aaa session-id common clock timezone EDT -5 clock summer-time EDT recurring ! crypto pki trustpoint TP-self-signed-117880434 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-117880434 revocation-check none rsakeypair TP-self-signed-117880434 ! ! crypto pki certificate chain TP-self-signed-117880434 certificate self-signed 01 nvram:IOS-Self-Sig#1.cer ! dot11 ssid xxxxxxxxxxxxx vlan 1 authentication open authentication key-management wpa guest-mode wpa-psk ascii 7 xxxxxxxxxxxxx ! ip cef ! ! no ip dhcp use vrf connected ip dhcp excluded-address 192.168.1.1 192.168.1.10 ! ip dhcp pool Home network 192.168.1.0 255.255.255.0 dns-server 65.32.5.111 65.32.5.112 default-router 192.168.1.1 ! ! ip domain name tds.net-freaks.com ip inspect name MyFw cuseeme ip inspect name MyFw ftp ip inspect name MyFw h323 ip inspect name MyFw icmp ip inspect name MyFw netshow ip inspect name MyFw rcmd ip inspect name MyFw realaudio ip inspect name MyFw rtsp ip inspect name MyFw esmtp ip inspect name MyFw sqlnet ip inspect name MyFw streamworks ip inspect name MyFw tftp ip inspect name MyFw tcp ip inspect name MyFw udp ip inspect name MyFw vdolive ip auth-proxy max-nodata-conns 3 ip admission max-nodata-conns 3 ! multilink bundle-name authenticated ! ! username xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxx username xxxxxxxxxxxxx privilege 15 password 7 xxxxxxxxxxxxx ! crypto logging session ! crypto isakmp policy 3 encr aes 256 authentication pre-share group 2 ! crypto isakmp client configuration group HomeVPN key xxxxxxxxxxxxx dns xxxxxxxxxxxxx xxxxxxxxxxxxx pool VPN-Pool acl VPN-Traffic netmask 255.255.255.0 ! ! crypto ipsec transform-set myset esp-aes esp-sha-hmac ! crypto dynamic-map dynmap 10 set transform-set myset reverse-route ! ! crypto map clientmap client authentication list userauthen crypto map clientmap isakmp authorization list groupauthor crypto map clientmap client configuration address respond crypto map clientmap 10 ipsec-isakmp dynamic dynmap ! archive log config hidekeys ! ! ip ssh maxstartups 2 ip ssh time-out 15 ip ssh logging events ! bridge irb ! ! interface FastEthernet0 load-interval 30 shutdown spanning-tree portfast ! interface FastEthernet1 description Cisco Lab Interface load-interval 30 duplex full speed 10 ! interface FastEthernet2 description Blu Ray Player load-interval 30 ! interface FastEthernet3 description Linux box load-interval 30 duplex full ! interface FastEthernet4 description WAN Interface ip address dhcp ip access-group inbound_wan in ip nat outside ip inspect MyFw out ip virtual-reassembly load-interval 30 duplex auto speed auto no cdp enable crypto map clientmap ! interface Dot11Radio0 no ip address no dot11 extension aironet ! encryption vlan 1 mode ciphers tkip ! ssid xxxxxxxxxxxxx ! speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 station-role root no cdp enable ! interface Dot11Radio0.1 encapsulation dot1Q 1 native bridge-group 1 bridge-group 1 subscriber-loop-control bridge-group 1 spanning-disabled bridge-group 1 block-unknown-source no bridge-group 1 source-learning no bridge-group 1 unicast-flooding ! interface Vlan1 description Internal network no ip address ip nat inside ip virtual-reassembly bridge-group 1 bridge-group 1 spanning-disabled ! interface BVI1 description Bridge for LAN interfaces ip address 192.168.1.1 255.255.255.0 ip nat inside ip virtual-reassembly ! ip local pool VPN-Pool 10.10.29.101 10.10.29.105 ip forward-protocol nd ip route 0.0.0.0 0.0.0.0 FastEthernet4 ! ! no ip http server no ip http secure-server ip nat inside source route-map outbound_route_map interface FastEthernet4 overload ! ip access-list extended VPN-Traffic permit tcp 10.10.29.0 0.0.0.255 eq telnet host 192.168.1.2 eq telnet ip access-list extended inbound_wan remark Block RIPE NCC deny ip 62.0.0.0 0.255.255.255 any deny ip 77.0.0.0 0.255.255.255 any deny ip 78.0.0.0 1.255.255.255 any deny ip 80.0.0.0 7.255.255.255 any deny ip 88.0.0.0 3.255.255.255 any deny ip 92.0.0.0 1.255.255.255 any deny ip 109.0.0.0 0.255.255.255 any deny ip 141.0.0.0 0.255.255.255 any deny ip 145.0.0.0 0.255.255.255 any deny ip 151.0.0.0 0.255.255.255 any deny ip 178.0.0.0 0.255.255.255 any deny ip 188.0.0.0 0.255.255.255 any deny ip 193.0.0.0 0.255.255.255 any deny ip 194.0.0.0 1.255.255.255 any deny ip 212.0.0.0 1.255.255.255 any remark Block APNIC deny ip 43.0.0.0 0.255.255.255 any deny ip 58.0.0.0 1.255.255.255 any deny ip 60.0.0.0 1.255.255.255 any deny ip 110.0.0.0 1.255.255.255 any deny ip 112.0.0.0 7.255.255.255 any deny ip 120.0.0.0 3.255.255.255 any deny ip 124.0.0.0 1.255.255.255 any deny ip 133.0.0.0 0.255.255.255 any deny ip 153.0.0.0 0.255.255.255 any deny ip 171.0.0.0 0.255.255.255 any deny ip 180.0.0.0 0.255.255.255 any deny ip 183.0.0.0 0.255.255.255 any deny ip 202.0.0.0 1.255.255.255 any deny ip 210.0.0.0 1.255.255.255 any deny ip 218.0.0.0 1.255.255.255 any deny ip 220.0.0.0 1.255.255.255 any remark Block LACNIC deny ip 186.0.0.0 1.255.255.255 any deny ip 189.0.0.0 0.255.255.255 any deny ip 190.0.0.0 1.255.255.255 any deny ip 200.0.0.0 1.255.255.255 any remark Block AfriNIC deny ip 41.0.0.0 0.255.255.255 any deny ip 154.0.0.0 0.255.255.255 any deny ip 196.0.0.0 1.255.255.255 any remark Block unallocated deny ip 240.0.0.0 7.255.255.255 any deny ip 248.0.0.0 7.255.255.255 any remark Block RFC 1918 address space permit udp any eq bootps any eq bootpc deny ip 10.0.0.0 0.255.255.255 any deny ip 127.0.0.0 0.255.255.255 any deny ip 172.16.0.0 0.15.255.255 any deny ip 192.168.0.0 0.0.255.255 any deny ip host 255.255.255.255 any permit tcp any eq 22 any eq 22 permit udp any eq 22 any eq 22 permit udp any eq ntp any eq ntp permit udp any any eq isakmp permit udp any any eq non500-isakmp permit icmp any any echo permit icmp any any echo-reply permit icmp any any time-exceeded permit icmp any any unreachable permit udp any eq domain any deny ip any any log ip access-list extended outbound_route_map deny ip 192.168.1.0 0.0.0.255 10.10.29.0 0.0.0.255 deny ip 10.10.29.0 0.0.0.255 192.168.1.0 0.0.0.255 permit ip 192.168.1.0 0.0.0.255 any permit ip 10.10.29.0 0.0.0.255 any ! ! ! ! route-map outbound_route_map permit 1 match ip address outbound_route_map ! ! control-plane ! bridge 1 protocol ieee bridge 1 route ip ! line con 0 exec-timeout 5 0 logging synchronous no modem enable transport output all line aux 0 transport output all line vty 0 3 exec-timeout 5 0 logging synchronous transport input telnet transport output all line vty 4 exec-timeout 5 0 logging synchronous transport input ssh transport output all ! scheduler max-task-time 5000 ntp logging ntp clock-period 17175054 ntp server xxxxxxxxxxxxx ntp server xxxxxxxxxxxxx prefer end -- "There are two American flags flying on the property I reside on. Anyone who tries to take them down will be rendered inoperative." -Lindy
	to forum · permalink · · 2009-07-03 13:45:23 ·
phantasm11b Premium join:2007-11-02 Winter Park, FL	SSH is fixed.
	to forum · permalink · · 2009-07-03 16:25:45 ·


Friday, 27-Nov 21:59:45	Terms of Use \| Privacy Policy \| Hosting by www.nac.net - DSL,Hosting & Co-lo \| feedback \| contact over 10 years online! © 1999-2009 dslreports.com. page compression OFF