EZVPN Configuration Issue: Could not access remote LAN and also lost internet connectivity

    Hi,

    I am facing a problem while configuring a Cisco 877 router as an EZVPN server: the Cisco 1801 EZVPN client connects to the server but cannot access the EZVPN server's LAN, and it also loses internet connectivity on the EZVPN client side. I can ping only the local IP of the EZVPN server router and cannot ping the other local IPs. After going through different posts on the Cisco support community and some other web sites, I found that the EZVPN pool must be on a separate subnet from the EZVPN server LAN and must also have NAT exemption. But after adding this configuration I still have the same problem.

    Here is the EZVPN server Configuration:

    xxxx#sh run
    Building configuration...
    Current configuration : 7143 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec localtime
    service timestamps log datetime msec localtime
    service password-encryption
    !
    hostname xxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200
    enable secret yyyyyy
    !
    aaa new-model
    !
    !
    aaa authentication login USER_AAA local
    aaa authentication login USERLIST local
    aaa authorization network GROUP_AAA local
    !
    !
    aaa session-id common
    !
    !
    crypto isakmp policy 10
    encr 3des
    hash md5
    authentication pre-share
    group 2
    crypto isakmp keepalive 90 12
    !
    crypto isakmp client configuration group testEZVPN
    key xxxxx
    domain testEZVPN.com
    pool EZVPN-POOL
    acl SPLIT_T
    save-password
    !
    !
    crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
    !
    crypto dynamic-map INT_MAP 1
    set security-association lifetime kilobytes 530000000
    set security-association lifetime seconds 14400
    set transform-set TRANSFORM-1
    reverse-route
    !
    !
    crypto map INT_MAP client authentication list USER_AAA
    crypto map INT_MAP isakmp authorization list GROUP_AAA
    crypto map INT_MAP client configuration address respond
    crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
    !
    ip cef
    !
    !
    ip dhcp excluded-address 192.168.11.1 192.168.11.10
    !
    !
    ip domain name testEZVPN.com
    ip host BLROGERS.PBX11 192.168.11.66
    ip name-server xxxxxx
    ip name-server yyyyyy
    login block-for 30 attempts 3 within 30
    login on-failure log
    login on-success log
    !
    multilink bundle-name authenticated
    vpdn enable
    vpdn logging
    vpdn logging local
    vpdn logging user
    !
    vpdn-group 1
    ! Default PPTP VPDN group
    accept-dialin
    protocol pptp
    virtual-template 1
    ip mtu adjust
    !
    !
    !
    !
    spanning-tree vlan 1 priority 8192
    spanning-tree vlan 2 priority 8192
    spanning-tree vlan 3 priority 8192
    spanning-tree vlan 4 priority 8192
    spanning-tree vlan 5 priority 8192
    username xxxxx password yyyyyy
    username vpnuser password zzzzzz
    username ezvpn-wah password cccccccc
    archive
    log config
    hidekeys
    !
    !
    !
    track 1 interface ATM0 line-protocol
    !
    !
    !
    interface Loopback0
    ip address 192.168.10.1 255.255.255.0
    !
    interface ATM0
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    no ip mroute-cache
    no atm ilmi-keepalive
    dsl operating-mode auto
    !
    interface ATM0.1 point-to-point
    ip address xxxxxxx
    no ip unreachables
    ip nat outside
    ip virtual-reassembly
    no snmp trap link-status
    atm route-bridged ip
    pvc 0/101
    encapsulation aal5snap
    !
    !
    interface FastEthernet0
    switchport mode trunk
    !
    interface FastEthernet1
    switchport mode trunk
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Virtual-Template1
    ip unnumbered Vlan2
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1200
    peer default ip address pool PPTPCLIENT
    compress mppc
    ppp encrypt mppe auto
    ppp authentication ms-chap chap
    !
    interface Vlan1
    ip address xxxxxxx
    ip access-group 103 in
    ip nat outside
    ip virtual-reassembly
    crypto map INT_MAP
    !
    interface Vlan2
    description USER
    ip address 192.168.11.1 255.255.255.192
    ip helper-address 192.168.11.130
    ip nat inside
    ip virtual-reassembly
    !
    interface Vlan3
    description VOICE
    ip address 192.168.11.65 255.255.255.192
    ip helper-address 192.168.11.130
    ip nat inside
    ip virtual-reassembly
    !
    interface Vlan4
    description SERVER
    ip address 192.168.11.129 255.255.255.224
    ip helper-address 192.168.11.130
    ip nat inside
    ip virtual-reassembly
    !
    ip local pool PPTPCLIENT 192.168.11.6 192.168.11.7
    ip local pool EZVPN-POOL 192.168.10.10 192.168.10.100
    ip route 0.0.0.0 0.0.0.0 xxxxx 100 track 1
    ip route 0.0.0.0 0.0.0.0 yyyyyy
    ip route xxxxx 255.255.0.0 yyyyy
    ip route xxxx 255.255.255.0 zzzzz
    ip route xxxxx 255.255.0.0 yyyyy
    ip route xxxxx 255.255.255.255 yyyyyy
    !
    !
    no ip http server
    no ip http secure-server
    ip dns server
    ip nat inside source static tcp 192.168.11.66 443 interface Vlan1 443
    ip nat inside source static tcp 192.168.11.66 81 interface ATM0.1 81
    ip nat inside source route-map nonat interface Vlan1 overload
    ip nat inside source static udp 192.168.11.66 5060 146.255.3.45 48500 extendable
    !
    ip access-list extended SPLIT_T
    permit ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
    !
    access-list 103 remark VOIP-UNLIMITED
    access-list 104 remark Voice-Control
    access-list 104 permit udp host 192.168.11.66 any eq 5060
    access-list 104 permit udp any any eq 5060
    access-list 105 permit gre any any
    access-list 105 permit udp any any eq 10000
    access-list 105 permit udp any any eq non500-isakmp
    access-list 105 permit udp any any eq isakmp
    access-list 105 permit esp any any
    access-list 105 permit ahp any any
    access-list 106 deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255
    access-list 106 permit ip 192.168.11.0 0.0.0.255 any
    !
    !
    !
    route-map nonat permit 10
    match ip address 106
    !
    !
    control-plane
    !
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login authentication USERLIST
    escape-character 90
    !
    scheduler max-task-time 5000
    ntp clock-period 17175125
    ntp source ATM0.1
    ntp peer xxxxx
    ntp peer yyyyy
    !
    webvpn cef
    end
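The two rules the post quotes (the client pool must sit on a separate subnet from the server LAN, and LAN-to-pool traffic must be exempted from NAT) can be checked mechanically against the posted server config. This is an added example, not code from the original post or from Cisco: the VLAN subnets, the EZVPN-POOL range and the two lines of ACL 106 are copied from the config above; the function names, the wildcard-mask parsing (which assumes contiguous wildcard masks) and the second, overlapping pool used to show a failing case are mine.

```python
"""Audit two EZVPN server settings: pool/LAN overlap and NAT exemption.

Added example. Subnets, pool and ACL 106 are taken from the posted
'sh run'; helper names and the failing-case pool are assumptions.
"""
import ipaddress

# Server-side LANs from the posted config (interface Vlan2/3/4).
SERVER_LANS = {
    "Vlan2 USER": "192.168.11.0/26",
    "Vlan3 VOICE": "192.168.11.64/26",
    "Vlan4 SERVER": "192.168.11.128/27",
}

# ip local pool EZVPN-POOL 192.168.10.10 192.168.10.100
EZVPN_POOL = ("192.168.10.10", "192.168.10.100")

# Constructed failing case: a pool carved out of the USER VLAN (assumption).
OVERLAPPING_POOL = ("192.168.11.40", "192.168.11.50")

# access-list 106, matched by 'route-map nonat permit 10', as posted.
ACL_106 = [
    "deny ip 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255",
    "permit ip 192.168.11.0 0.0.0.255 any",
]


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard mask -> network. A wildcard bit of 1 means 'don't care',
    so the netmask is the bitwise complement (contiguous masks assumed)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _parse_addr(tokens: list[str], i: int):
    """Parse one ACE address field ('any', 'host X', or 'X wildcard')."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_ace(line: str):
    """'permit|deny ip SRC [WC] DST [WC]' -> (action, src_net, dst_net)."""
    t = line.split()
    action = t[0]
    src, i = _parse_addr(t, 2)
    dst, _ = _parse_addr(t, i)
    return action, src, dst


def nat_decision(src: str, dst: str, acl: list[str]) -> bool:
    """True if 'ip nat inside source route-map nonat ...' would translate
    the packet. The route-map matches the ACL: a 'permit' hit means NAT,
    a 'deny' hit (or the implicit deny at the end) means no translation,
    which is exactly how LAN-to-pool traffic is exempted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for line in acl:
        action, src_net, dst_net = parse_ace(line)
        if s in src_net and d in dst_net:
            return action == "permit"
    return False


def pool_overlaps_lan(pool: tuple[str, str], lans: dict[str, str]) -> list[str]:
    """Names of server LANs that the client pool collides with."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    pool_nets = list(ipaddress.summarize_address_range(first, last))
    return [
        name
        for name, cidr in lans.items()
        if any(p.overlaps(ipaddress.ip_network(cidr)) for p in pool_nets)
    ]


if __name__ == "__main__":
    print("pool overlaps:", pool_overlaps_lan(EZVPN_POOL, SERVER_LANS))
    print("bad pool overlaps:", pool_overlaps_lan(OVERLAPPING_POOL, SERVER_LANS))
    for dst in ("192.168.10.11", "8.8.8.8"):
        print(f"192.168.11.5 -> {dst}: NAT={nat_decision('192.168.11.5', dst, ACL_106)}")
```

Run as a script it shows that, with the posted values, the pool does not overlap any VLAN and LAN-to-pool packets are left untranslated while LAN-to-internet packets are PATed; swapping in the overlapping pool shows the failure the post warns about.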

  • #2
    Re: EZVPN Configuration Issue:Could not access remote lan and also lost internet conn

    What interface is your public internet-facing interface? What does the config look like on the EZVPN client? Also post the results of:


    show crypto ipsec sa

    on both devices

    If you are trying to ping Windows hosts, make sure there is an exception in the Windows firewall for ICMP traffic, or disable the Windows firewall.
    Last edited by auglan; 23rd October 2012, 15:54.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)

    • #3
      Re: EZVPN Configuration Issue:Could not access remote lan and also lost internet conn

      1) The interface facing the public internet on the EZVPN server is interface Vlan1.

      2) Here is Client Configuration:

      xxxxx#sh run
      Building configuration...
      Current configuration : 2822 bytes
      !
      version 12.4
      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      !
      hostname xxxxxx
      !
      boot-start-marker
      boot-end-marker
      !
      enable secret xxxx
      enable password yyy
      !
      no aaa new-model
      !
      !
      dot11 syslog
      !
      !
      ip cef
      no ip dhcp use vrf connected
      ip dhcp excluded-address 192.168.0.33 192.168.0.40
      ip dhcp excluded-address 192.168.0.65 192.168.0.70
      !
      ip dhcp pool Data
      network 192.168.0.32 255.255.255.224
      default-router 192.168.0.33
      dns-server 192.168.0.1
      domain-name yyyyyy
      lease 8
      !
      ip dhcp pool Voice
      network 192.168.0.64 255.255.255.224
      default-router 192.168.0.65
      dns-server 192.168.0.1
      lease 8
      !
      !
      ip domain name testEZVPN.com
      !
      multilink bundle-name authenticated
      !
      !
      username xxxx
      username yyyy
      !
      !
      !
      crypto ipsec client ezvpn testEZVPN
      connect manual
      group testEZVPN key test123
      mode client
      peer hhhhhh
      username test password testezvpn
      xauth userid mode local
      !
      archive
      log config
      hidekeys
      !
      interface ATM0
      no ip address
      no atm ilmi-keepalive
      pvc 0/103
      pppoe-client dial-pool-number 1
      !
      dsl operating-mode auto
      !
      interface BRI0
      no ip address
      encapsulation hdlc
      shutdown
      no cdp enable
      !
      interface FastEthernet0
      description Connected to 3560Switch
      ip address 192.168.0.1 255.255.255.252
      ip nat inside
      ip virtual-reassembly
      duplex auto
      speed auto
      no cdp enable
      crypto ipsec client ezvpn testEZVPN inside
      !
      interface FastEthernet1
      no cdp enable
      !
      interface FastEthernet2
      no cdp enable
      !
      interface FastEthernet3
      no cdp enable
      !
      interface FastEthernet4
      no cdp enable
      !
      interface FastEthernet5
      no cdp enable
      !
      interface FastEthernet6
      no cdp enable
      !
      interface FastEthernet7
      no cdp enable
      !
      interface FastEthernet8
      no cdp enable
      !
      interface Vlan1
      no ip address
      shutdown
      !
      interface Dialer0
      ip address negotiated
      ip mtu 1492
      ip nat outside
      ip virtual-reassembly
      encapsulation ppp
      ip tcp adjust-mss 1452
      dialer pool 1
      ppp chap hostname pppppp
      ppp chap password 7 051B120C2D
      ppp pap sent-username qqqqqq password yyyy
      ppp ipcp dns request accept
      crypto ipsec client ezvpn testEZVPN
      !
      ip forward-protocol nd
      ip route 0.0.0.0 0.0.0.0 Dialer0
      ip route 192.168.0.32 255.255.255.224 192.168.0.2
      ip route 192.168.0.64 255.255.255.224 192.168.0.2
      !
      !
      no ip http server
      no ip http secure-server
      ip dns server
      ip nat inside source list NAT interface Dialer0 overload
      !
      ip access-list standard NAT
      permit 192.168.0.0 0.0.0.255
      !
      !
      !
      !
      !
      !
      !
      control-plane
      !
      !
      line con 0
      exec-timeout 0 0
      password xxxx
      line aux 0
      line vty 0 4
      password yyyy
      login
      !
      no process cpu extended
      no process cpu autoprofile hog
      end

      3) The output of sh crypto ipsec sa on the EZVPN client is:


      EZVPNClient#sh crypto ipsec sa
      interface: Dialer0
      Crypto map tag: Dialer0-head-0, local addr yyyyyy
      protected vrf: (none)
      local ident (addr/mask/prot/port): (192.168.10.11/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer xxxxxx port 500
      PERMIT, flags={origin_is_acl,}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
      local crypto endpt.: yyyyy, remote crypto endpt.: xxxxx
      path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
      current outbound spi: 0x60D75B62(1624726370)
      inbound esp sas:
      spi: 0x727392FA(1920176890)
      transform: esp-3des esp-md5-hmac ,
      in use settings ={Tunnel, }
      conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Dialer0-head-0
      sa timing: remaining key lifetime (k/sec): (4602476/14234)
      IV size: 8 bytes
      replay detection support: Y
      Status: ACTIVE
      inbound ah sas:
      inbound pcp sas:
      outbound esp sas:
      spi: 0x60D75B62(1624726370)
      transform: esp-3des esp-md5-hmac ,
      in use settings ={Tunnel, }
      conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Dialer0-head-0
      sa timing: remaining key lifetime (k/sec): (4602476/14234)
      IV size: 8 bytes
      replay detection support: Y
      Status: ACTIVE
      outbound ah sas:
      outbound pcp sas:
      interface: Virtual-Access1
      Crypto map tag: Dialer0-head-0, local addr xxxxxx
      protected vrf: (none)
      local ident (addr/mask/prot/port): (192.168.10.11/255.255.255.255/0/0)
      remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      current_peer yyyyy port 500
      PERMIT, flags={origin_is_acl,}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
      local crypto endpt.: yyyyy, remote crypto endpt.: xxxxxx
      path mtu 1492, ip mtu 1492, ip mtu idb Dialer0
      current outbound spi: 0x60D75B62(1624726370)
      inbound esp sas:
      spi: 0x727392FA(1920176890)
      transform: esp-3des esp-md5-hmac ,
      in use settings ={Tunnel, }
      conn id: 1, flow_id: Motorola SEC 2.0:1, crypto map: Dialer0-head-0
      sa timing: remaining key lifetime (k/sec): (4602476/14234)
      IV size: 8 bytes
      replay detection support: Y
      Status: ACTIVE
      inbound ah sas:
      inbound pcp sas:
      outbound esp sas:
      spi: 0x60D75B62(1624726370)
      transform: esp-3des esp-md5-hmac ,
      in use settings ={Tunnel, }
      conn id: 2, flow_id: Motorola SEC 2.0:2, crypto map: Dialer0-head-0
      sa timing: remaining key lifetime (k/sec): (4602476/14234)
      IV size: 8 bytes
      replay detection support: Y
      Status: ACTIVE
      outbound ah sas:
      outbound pcp sas:

      • #4
        Re: EZVPN Configuration Issue:Could not access remote lan and also lost internet conn

        From what I remember about the EZVPN client, you don't need to manually configure NAT on the EZVPN client. The EZVPN client assumes you are running PAT: the router will overload on the outside interface for traffic not destined to the tunnel, and traffic to the tunnel will be PATed to the IP address assigned by the EZVPN server.


        Remove the ip nat inside and ip nat outside commands on the EZVPN client.
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)

        • #5
          Re: EZVPN Configuration Issue:Could not access remote lan and also lost internet conn

          When the tunnel is up you should see the interface Loopback10000 come up as well. This is used for the PAT for traffic going over the tunnel.
          CCNA, CCNA-Security, CCNP
          CCIE Security (In Progress)

          • #6
            Re: EZVPN Configuration Issue:Could not access remote lan and also lost internet conn

            Removing NAT inside and outside did not solve the problem. The problem remains, i.e. I cannot ping/access remote clients and also lose internet connectivity on connecting EZVPN.

            • #7
              Re: EZVPN Configuration Issue:Could not access remote lan and also lost internet conn

              As I previously stated, you need to remove all your NAT config: the inside, the outside, the PAT statement and anything related. Also, from looking at show crypto ipsec sa, it seems the client isn't getting the split tunnel ACL from the server.

              local ident (addr/mask/prot/port): (192.168.10.11/255.255.255.255/0/0)
              remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

              This is sending all traffic over the tunnel, which would explain why the internet doesn't work.

              You're also not encrypting or decrypting any traffic on the client.

              #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
              #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

              #pkts compressed: 0, #pkts decompressed: 0
              #pkts not compressed: 0, #pkts compr. failed: 0
              #pkts not decompressed: 0, #pkts decompress failed: 0
              #send errors 0, #recv errors 0



              Start running some debugs and double check the server and client configs.
              CCNA, CCNA-Security, CCNP
              CCIE Security (In Progress)
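The diagnosis in the reply above rests on reading two things out of show crypto ipsec sa: a remote ident of 0.0.0.0/0.0.0.0 (no split tunnel, so internet traffic is pulled into the tunnel) and zero encaps/decaps counters (nothing is being protected). The following is an added example, not code from the original post or from Cisco, that extracts those fields and flags both conditions. The first sample is trimmed from the client output posted above, with the peer addresses left masked as in the post; the second sample, a healthy split-tunnel SA with non-zero counters, is constructed. The regexes, finding codes and function names are mine.

```python
"""Flag full-tunnel and no-traffic SAs in 'show crypto ipsec sa' output.

Added example. POSTED_CLIENT_SA is trimmed from the thread (addresses masked
as posted); HEALTHY_SPLIT_SA is constructed; everything else is an assumption.
"""
import ipaddress
import re

POSTED_CLIENT_SA = """\
interface: Dialer0
    Crypto map tag: Dialer0-head-0, local addr yyyyyy
    protected vrf: (none)
    local ident (addr/mask/prot/port): (192.168.10.11/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    current_peer xxxxxx port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
interface: Virtual-Access1
    Crypto map tag: Dialer0-head-0, local addr xxxxxx
    local ident (addr/mask/prot/port): (192.168.10.11/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
"""

# Constructed: what a working split tunnel to the server's 192.168.11.0/24
# would look like (counters invented for illustration).
HEALTHY_SPLIT_SA = """\
interface: Dialer0
    local  ident (addr/mask/prot/port): (192.168.10.11/255.255.255.255/0/0)
    remote ident (addr/mask/prot/port): (192.168.11.0/255.255.255.0/0/0)
    #pkts encaps: 412, #pkts encrypt: 412, #pkts digest: 412
    #pkts decaps: 398, #pkts decrypt: 398, #pkts verify: 398
"""

IFACE_RE = re.compile(r"^\s*interface: (\S+)")
IDENT_RE = re.compile(
    r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([\d.]+)/([\d.]+)/(\d+)/(\d+)\)"
)
ENCAPS_RE = re.compile(r"#pkts encaps: (\d+)")
DECAPS_RE = re.compile(r"#pkts decaps: (\d+)")


def parse_ipsec_sa(text: str) -> list[dict]:
    """One record per 'local ident' block: interface, local/remote proxy
    identities as networks, and the encaps/decaps packet counters."""
    flows: list[dict] = []
    iface = None
    cur = None
    for line in text.splitlines():
        if m := IFACE_RE.match(line):
            iface = m.group(1)
        elif m := IDENT_RE.search(line):
            # IOS prints address/mask; ip_network accepts that tuple directly.
            net = ipaddress.ip_network((m.group(2), m.group(3)), strict=False)
            if m.group(1) == "local":
                cur = {"interface": iface, "local": net, "remote": None,
                       "encaps": 0, "decaps": 0}
                flows.append(cur)
            elif cur is not None:
                cur["remote"] = net
        elif (m := ENCAPS_RE.search(line)) and cur is not None:
            cur["encaps"] = int(m.group(1))
        elif (m := DECAPS_RE.search(line)) and cur is not None:
            cur["decaps"] = int(m.group(1))
    return flows


def diagnose(flow: dict) -> list[str]:
    """Finding codes for one SA.
    FULL_TUNNEL: remote ident 0.0.0.0/0, so no split-tunnel ACL was applied
                 and all traffic (internet included) is sent into the tunnel.
    NO_TRAFFIC:  both counters zero, nothing is being encrypted or decrypted.
    ONE_WAY:     traffic in only one direction, replies are not coming back."""
    findings = []
    if flow["remote"] is not None and flow["remote"].prefixlen == 0:
        findings.append("FULL_TUNNEL")
    if flow["encaps"] == 0 and flow["decaps"] == 0:
        findings.append("NO_TRAFFIC")
    elif flow["encaps"] == 0 or flow["decaps"] == 0:
        findings.append("ONE_WAY")
    return findings


def report(text: str) -> dict[str, list[str]]:
    """Interface name -> findings, for every SA in the output."""
    return {f["interface"]: diagnose(f) for f in parse_ipsec_sa(text)}


if __name__ == "__main__":
    print("posted client output:", report(POSTED_CLIENT_SA))
    print("constructed healthy output:", report(HEALTHY_SPLIT_SA))
```

Feed it the real output (show crypto ipsec sa | redirect, or a pasted capture) from both peers: on the posted client output it reports FULL_TUNNEL and NO_TRAFFIC for both Dialer0 and Virtual-Access1, while a split-tunnel SA that is actually carrying traffic comes back clean.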
