Cisco 1812 EZVPN config and VPN connect problem

  • Cisco 1812 EZVPN config and VPN connect problem

    Hi guys, I am new here.

    I have a Cisco 1812 router and I configured EZVPN remote access.
    The problem is this: the VPN client (Cisco VPN Client 5.0.7) connects to the remote network but cannot reach the remote network. I cannot ping the VPN client's IP address from the router.
    Transparent tunneling is on but remains inactive when I connect to the VPN.
    Why?

    1812 Router config:

    sh run
    Building configuration...

    Current configuration : 3717 bytes
    !
    version 12.3
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service sequence-numbers
    !
    hostname Iriszoffice
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 xxx
    !
    username admin privilege 15 secret 5 xxx
    username vpnuser secret 5 xxx
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    aaa new-model
    !
    !
    aaa authentication login AUTHEN local
    aaa authorization network AUTHOR local
    aaa session-id common
    ip subnet-zero
    !
    !
    ip cef
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 192.168.1.1
    ip dhcp excluded-address 192.168.1.100
    !
    ip dhcp pool ccp-pool
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    dns-server 8.8.8.8
    lease 0 2
    !
    !
    ip domain name yourdomain.com
    ip name-server 8.8.8.8
    ip ips po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    !
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp keepalive 10 3
    !
    crypto isakmp client configuration group EZVPN_GROUP
    key xxx
    dns 8.8.8.8
    domain Iriszoffice.hu
    pool EZVPN_POOL
    acl EZVPN_ST_ACL
    pfs
    backup-gateway 192.168.1.1
    max-logins 10
    netmask 255.255.255.0
    crypto isakmp profile EZVPN_ISAKMP_PROFILE
    self-identity address
    match identity group EZVPN_GROUP
    client authentication list AUTHEN
    isakmp authorization list AUTHOR
    client configuration address respond
    keepalive 10 retry 3
    !
    !
    crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
    !
    crypto dynamic-map EZVPN_MAP 10
    set security-association lifetime kilobytes 10240000
    set security-association lifetime seconds 36000
    set transform-set ESP_AES256_SHA
    set pfs group2
    set isakmp-profile EZVPN_ISAKMP_PROFILE
    reverse-route
    !
    !
    crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP
    !
    !
    !
    interface Loopback0
    ip address 192.168.200.1 255.255.255.0
    !
    interface BRI0
    no ip address
    shutdown
    no cdp enable
    !
    interface FastEthernet0
    description $ES_WAN$
    ip address x.x.x.x y.y.y.y.y
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    no cdp enable
    crypto map VPN_MAP
    !
    interface FastEthernet1
    no ip address
    duplex auto
    speed auto
    no cdp enable
    !
    interface FastEthernet2
    no ip address
    no cdp enable
    !
    interface FastEthernet3
    no ip address
    no cdp enable
    !
    interface FastEthernet4
    no ip address
    no cdp enable
    !
    interface FastEthernet5
    no ip address
    no cdp enable
    !
    interface FastEthernet6
    no ip address
    no cdp enable
    !
    interface FastEthernet7
    no ip address
    no cdp enable
    !
    interface FastEthernet8
    no ip address
    no cdp enable
    !
    interface FastEthernet9
    no ip address
    no cdp enable
    !
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
    ip address 192.168.1.1 255.255.255.0
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    ip local pool EZVPN_POOL 192.168.200.32 192.168.200.99
    ip classless
    ip route 0.0.0.0 0.0.0.0 y.y.y.y
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface FastEthernet0 overload
    ip nat inside source list EZVPN_ST_ACL interface FastEthernet0 overload
    !
    ip access-list extended EZVPN_ST_ACL
    permit ip 192.168.1.0 0.0.0.255 any
    !
    access-list 1 permit any
    no cdp run
    !
    !
    !
    !
    control-plane
    !
    banner motd ^C
    banner ^C

    Do you have any idea what is wrong?
    Thanks a lot for any answers.

  • #2
    Re: Cisco 1812 EZVPN config and VPN connect problem

    So the VPN does connect but you can't reach the remote networks? It looks like your NAT statement is causing your VPN traffic to be NATted.


    ip nat inside source list 1 interface FastEthernet0 overload - Your VPN traffic is matching this NAT statement. ACL 1 permits anything to be NATted, including your VPN traffic. Also, you don't need the NAT statement below, but you do need to add a deny statement so traffic between the VPN networks does not get NATted.

    ip nat inside source list EZVPN_ST_ACL interface FastEthernet0 overload - Remove this.

    access-list 1 permit any - Remove this.

    Add this:

    access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255 (or whatever your VPN networks are)
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any (or whatever traffic you need PAT'ed)

    Change your NAT statement:

    ip nat inside source list 1 interface FastEthernet0 overload - Remove this.

    Change to:

    ip nat inside source list 100 interface FastEthernet0 overload
    Last edited by auglan; 28th December 2012, 20:15.
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: Cisco 1812 EZVPN config and VPN connect problem

      Hi auglan,

      Very big thanks for the help, the situation is better, because when the VPN client is connected the router is reachable (I can ping 192.168.1.1).
      But the remote network is still unavailable and the transparent tunnel is still inactive.
      And I cannot ping the VPN client's address from the router.

      Thank you again for the help.

      Modified config:

      sh run
      Building configuration...

      Current configuration : 3841 bytes
      !
      version 12.3
      service timestamps debug datetime msec
      service timestamps log datetime msec
      service password-encryption
      service sequence-numbers
      !
      hostname Iriszoffice
      !
      boot-start-marker
      boot-end-marker
      !
      logging buffered 51200 warnings
      enable secret 5 xxx
      username admin privilege 15 secret 5 xxxx
      username vpnuser secret 5 xxx
      mmi polling-interval 60
      no mmi auto-configure
      no mmi pvc
      mmi snmp-timeout 180
      aaa new-model
      !
      !
      aaa authentication login AUTHEN local
      aaa authorization network AUTHOR local
      aaa session-id common
      ip subnet-zero
      !
      !
      ip cef
      ip dhcp excluded-address 10.10.10.1
      ip dhcp excluded-address 192.168.1.1
      ip dhcp excluded-address 192.168.1.100
      !
      ip dhcp pool ccp-pool
      import all
      network 192.168.1.0 255.255.255.0
      default-router 192.168.1.1
      dns-server 8.8.8.8
      lease 0 2
      !
      !
      ip domain name yourdomain.com
      ip name-server 8.8.8.8
      ip ssh time-out 60
      ip ssh authentication-retries 2
      ip ips po max-events 100
      no ftp-server write-enable
      !
      !
      !
      !
      !
      crypto isakmp policy 10
      encr aes 256
      authentication pre-share
      group 2
      crypto isakmp keepalive 10 3
      !
      crypto isakmp client configuration group EZVPN_GROUP
      key cisco
      dns 8.8.8.8
      domain Iriszoffice.hu
      pool EZVPN_POOL
      acl EZVPN_ST_ACL
      pfs
      backup-gateway 192.168.1.1
      max-logins 10
      netmask 255.255.255.0
      crypto isakmp profile EZVPN_ISAKMP_PROFILE
      self-identity address
      match identity group EZVPN_GROUP
      client authentication list AUTHEN
      isakmp authorization list AUTHOR
      client configuration address respond
      keepalive 10 retry 3
      !
      !
      crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
      !
      crypto dynamic-map EZVPN_MAP 10
      set security-association lifetime kilobytes 10240000
      set security-association lifetime seconds 36000
      set transform-set ESP_AES256_SHA
      set pfs group2
      set isakmp-profile EZVPN_ISAKMP_PROFILE
      reverse-route
      !
      !
      crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP
      !
      !
      !
      interface Loopback0
      ip address 192.168.200.1 255.255.255.0
      !
      interface BRI0
      no ip address
      shutdown
      no cdp enable
      !
      interface FastEthernet0
      description $ES_WAN$
      ip address x.x.x.x y.y.y.y
      ip nat outside
      ip virtual-reassembly
      duplex auto
      speed auto
      no cdp enable
      crypto map VPN_MAP
      !
      interface FastEthernet1
      no ip address
      duplex auto
      speed auto
      no cdp enable
      !
      interface FastEthernet2
      no ip address
      no cdp enable
      !
      interface FastEthernet3
      no ip address
      no cdp enable
      !
      interface FastEthernet4
      no ip address
      no cdp enable
      !
      interface FastEthernet5
      no ip address
      no cdp enable
      !
      interface FastEthernet6
      no ip address
      no cdp enable
      !
      interface FastEthernet7
      no ip address
      no cdp enable
      !
      interface FastEthernet8
      no ip address
      no cdp enable
      !
      interface FastEthernet9
      no ip address
      no cdp enable
      !
      interface Vlan1
      description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$
      ip address 192.168.1.1 255.255.255.0
      ip nat inside
      ip virtual-reassembly
      ip tcp adjust-mss 1452
      !
      ip local pool EZVPN_POOL 192.168.200.32 192.168.200.99
      ip classless
      ip route 0.0.0.0 0.0.0.0 x.x.x.x
      !
      !
      ip http server
      ip http authentication local
      ip http secure-server
      ip http timeout-policy idle 60 life 86400 requests 10000
      ip nat inside source list 100 interface FastEthernet0 overload
      !
      ip access-list extended EZVPN_ST_ACL
      permit ip 192.168.1.0 0.0.0.255 any
      !
      access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
      access-list 100 permit ip 192.168.1.0 0.0.0.255 any
      no cdp run
      !
      !
      !
      !
      control-plane
      !
      banner motd ^C
      banner ^C



      • #4
        Re: Cisco 1812 EZVPN config and VPN connect problem

        Post the results of:


        show crypto isakmp sa

        show crypto ipsec sa

        show crypto ipsec client ezvpn



        • #5
          Re: Cisco 1812 EZVPN config and VPN connect problem

          Here you are:

          Iriszoffice#show crypto isakmp sa
          dst src state conn-id slot status
          178.48.15.229 79.122.87.69 QM_IDLE 103 0 ACTIVE

          Iriszoffice#show crypto ipsec sa

          interface: FastEthernet0
          Crypto map tag: VPN_MAP, local addr 178.48.15.229

          protected vrf: (none)
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.200.46/255.255.255.255/0/0)
          current_peer 79.122.87.69 port 52631
          PERMIT, flags={}
          #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
          #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 0, #recv errors 0

          local crypto endpt.: 178.48.15.229, remote crypto endpt.: 79.122.87.69
          path mtu 1500, ip mtu 1500
          current outbound spi: 0x502FA2A2(1345299106)

          inbound esp sas:
          spi: 0x9AE1C962(2598488418)
          transform: esp-256-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2001, flow_id: C18XX_MBRD:1, crypto map: VPN_MAP
          sa timing: remaining key lifetime (k/sec): (9984729/35919)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE

          inbound ah sas:

          inbound pcp sas:

          outbound esp sas:
          spi: 0x502FA2A2(1345299106)
          transform: esp-256-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2002, flow_id: C18XX_MBRD:2, crypto map: VPN_MAP
          sa timing: remaining key lifetime (k/sec): (9984729/35899)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE

          outbound ah sas:

          outbound pcp sas:
          Iriszoffice#show crypto ipsec client ezvpn
          Easy VPN Remote Phase: 4
          Iriszoffice#show crypto ipsec sa

          interface: FastEthernet0
          Crypto map tag: VPN_MAP, local addr 178.48.15.229

          protected vrf: (none)
          local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
          remote ident (addr/mask/prot/port): (192.168.200.46/255.255.255.255/0/0)
          current_peer 79.122.87.69 port 52631
          PERMIT, flags={}
          #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8
          #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11
          #pkts compressed: 0, #pkts decompressed: 0
          #pkts not compressed: 0, #pkts compr. failed: 0
          #pkts not decompressed: 0, #pkts decompress failed: 0
          #send errors 0, #recv errors 0

          local crypto endpt.: 178.48.15.229, remote crypto endpt.: 79.122.87.69
          path mtu 1500, ip mtu 1500
          current outbound spi: 0x502FA2A2(1345299106)

          inbound esp sas:
          spi: 0x9AE1C962(2598488418)
          transform: esp-256-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2001, flow_id: C18XX_MBRD:1, crypto map: VPN_MAP
          sa timing: remaining key lifetime (k/sec): (9984727/35483)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE

          inbound ah sas:

          inbound pcp sas:

          outbound esp sas:
          spi: 0x502FA2A2(1345299106)
          transform: esp-256-aes esp-sha-hmac ,
          in use settings ={Tunnel, }
          conn id: 2002, flow_id: C18XX_MBRD:2, crypto map: VPN_MAP
          sa timing: remaining key lifetime (k/sec): (9984728/35410)
          IV size: 16 bytes
          replay detection support: Y
          Status: ACTIVE

          outbound ah sas:

          outbound pcp sas:
          Last edited by kissd; 28th December 2012, 23:08. Reason: update



          • #6
            Re: Cisco 1812 EZVPN config and VPN connect problem

            For one thing I would disable any "additional" features that are not needed right now. PFS can sometimes produce issues. I would disable that first.

            Do you see a route for the remote client on the router when the vpn connects?


            show ip route


            Post screenshots of the logs from the Cisco VPN Client and also screenshots of the "Tunnel Details" and "Route Details" tabs when it is connected.

            Also, how are you testing connectivity from the remote client? Just pings? If so, disable or add exceptions for ICMP on any firewall on the clients you are trying to reach.


            From these results you are receiving and sending via the tunnel:


            #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8 (This is traffic from the router)
            #pkts decaps: 11, #pkts decrypt: 11, #pkts verify: 11 (This is traffic from the remote client to the router)
            Last edited by auglan; 29th December 2012, 00:11.



            • #7
              Re: Cisco 1812 EZVPN config and VPN connect problem

              Hm. Interesting.
              When the VPN client is connected I cannot ping it from the router or any remote PCs.
              But I can map the VPN client's network drive from all remote PCs and cannot map a remote PC's network drive from the VPN client.

              sh ip route
              Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
              D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
              N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
              E1 - OSPF external type 1, E2 - OSPF external type 2
              i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
              ia - IS-IS inter area, * - candidate default, U - per-user static route
              o - ODR, P - periodic downloaded static route

              Gateway of last resort is 178.48.15.230 to network 0.0.0.0

              192.168.200.0/24 is variably subnetted, 2 subnets, 2 masks
              S 192.168.200.47/32 [1/0] via 79.122.87.69
              C 192.168.200.0/24 is directly connected, Loopback0
              178.48.0.0/30 is subnetted, 1 subnets
              C 178.48.15.228 is directly connected, FastEthernet0
              C 192.168.1.0/24 is directly connected, Vlan1
              S* 0.0.0.0/0 [1/0] via 178.48.15.230



              • #8
                Re: Cisco 1812 EZVPN config and VPN connect problem

                Looks like your Loopback0 interface is on the same subnet as the one given to your remote VPN clients? Your router may be trying to route it locally instead of sending it over the tunnel. I would re-address it or remove it.


                interface Loopback0
                ip address 192.168.200.1 255.255.255.0


                ip local pool EZVPN_POOL 192.168.200.32 192.168.200.99



                • #9
                  Re: Cisco 1812 EZVPN config and VPN connect problem

                  I removed the loopback interface.
                  I think we are very close, because I can manage the remote router when I connect to the VPN.
                  But if I can reach the remote router, why can't I reach the network?



                  • #10
                    Re: Cisco 1812 EZVPN config and VPN connect problem

                    How are you testing reachability to the remote networks? Your crypto ACL says, from the client's perspective, send anything going to 192.168.1.0/24 over the tunnel. Are you trying to reach a host on that 192.168.1.0 network? If the hosts are on a different network you need to specify that in the crypto ACL as well.

                    ip access-list extended EZVPN_ST_ACL
                    permit ip 192.168.1.0 0.0.0.255 any

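The three things this thread ends up checking by hand (whether the NAT ACL from post #2 exempts LAN-to-pool traffic, whether the client pool from post #8 overlaps a connected subnet, and whether the split-tunnel ACL from post #10 covers the hosts being tested) can be checked mechanically against a saved "show run". The Python below is an added example, not code from the thread or from Cisco. It evaluates IOS ACLs with first-match semantics and the implicit trailing deny, and it runs against constructed excerpts of the two configs posted above (only the relevant lines, with the redacted WAN address left out). The excerpts, the function names and the sample host addresses are constructed for the example, not taken from the router.

```python
# Added example, not from the thread or from Cisco: static checks for an IOS Easy VPN
# server config. Assumes IPv4, one NAT statement and ACL entries using IOS wildcard
# masks. Both config excerpts are constructed from the thread (relevant lines only).
import ipaddress
import re

ORIGINAL_CFG = """\
interface Loopback0
 ip address 192.168.200.1 255.255.255.0
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip local pool EZVPN_POOL 192.168.200.32 192.168.200.99
ip nat inside source list 1 interface FastEthernet0 overload
ip access-list extended EZVPN_ST_ACL
 permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit any
"""
FIXED_CFG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip local pool EZVPN_POOL 192.168.200.32 192.168.200.99
ip nat inside source list 100 interface FastEthernet0 overload
ip access-list extended EZVPN_ST_ACL
 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")

def _net(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD) -> (network, rest).
    ipaddress accepts a hostmask, which is what an IOS wildcard is, as the mask."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wild = tokens[:2]
    if wild == "0.0.0.0":  # IOS wildcard 0.0.0.0 means one host; ipaddress would read it as /0
        wild = "32"
    return ipaddress.ip_network(f"{addr}/{wild}", strict=False), tokens[2:]

def parse_acls(cfg):
    """{acl_name: [(action, src_net, dst_net), ...]} in order; standard ACLs get dst = any."""
    acls, current = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):  # a top-level line ends any named-ACL block
            current = None
        m = re.match(r"ip access-list (?:extended|standard) (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"access-list (\d+) (permit|deny) (.+)$", line)
        if m:
            name, action, toks = m.group(1), m.group(2), m.group(3).split()
        elif current and line.startswith(("permit ", "deny ")):
            name, action, toks = current, line.split()[0], line.split()[1:]
        else:
            continue
        if toks[0] == "ip":  # extended entry: permit ip SRC DST
            src, rest = _net(toks[1:])
            dst = _net(rest)[0]
        else:  # standard entry: permit SRC (matches on source only)
            src, dst = _net(toks)[0], ANY
        acls.setdefault(name, []).append((action, src, dst))
    return acls

def lan_to_vpn_is_natted(cfg, lan_host, vpn_client):
    """True when the NAT ACL's first match permits (translates) LAN -> VPN-client traffic."""
    m = re.search(r"ip nat inside source list (\S+) interface", cfg)
    src, dst = ipaddress.ip_address(lan_host), ipaddress.ip_address(vpn_client)
    for action, s, d in (parse_acls(cfg).get(m.group(1), []) if m else []):
        if src in s and dst in d:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL: traffic is not translated

def pool_overlaps_interface(cfg):
    """Interfaces whose connected subnet contains an address from the client pool."""
    lo, hi = map(ipaddress.ip_address, re.search(r"ip local pool \S+ (\S+) (\S+)", cfg).groups())
    hits, iface = [], None
    for raw in cfg.splitlines():
        parts = raw.split()
        if raw.startswith("interface "):
            iface = parts[1]
        elif iface and raw.startswith(" ") and parts[:2] == ["ip", "address"] and len(parts) == 4:
            net = ipaddress.ip_network(f"{parts[2]}/{parts[3]}", strict=False)
            if lo in net or hi in net:
                hits.append(iface)
    return hits

def split_tunnel_covers(cfg, acl_name, target_host):
    """Server-side split-tunnel ACL: its *source* networks are what the client tunnels."""
    target = ipaddress.ip_address(target_host)
    return any(a == "permit" and target in s for a, s, _ in parse_acls(cfg).get(acl_name, []))

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_CFG), ("fixed", FIXED_CFG)):
        print(label, lan_to_vpn_is_natted(cfg, "192.168.1.102", "192.168.200.46"),
              pool_overlaps_interface(cfg), split_tunnel_covers(cfg, "EZVPN_ST_ACL", "192.168.1.102"))
```

On the original excerpt the NAT check reports True (ACL 1 translates the LAN host's reply to the client, so it leaves with the WAN address and never matches the client's /32 SA) and the overlap check returns Loopback0; on the fixed excerpt both come back clean, while the split-tunnel check passes for 192.168.1.102 in both, which is consistent with the thread: the remaining blocker in post #13 was the host firewall on the LAN PC, not the tunnel policy. When adapting this, note that ipaddress reads an IOS wildcard as a hostmask but would treat the wildcard 0.0.0.0 (a single host) as a /0, which is why that case is special-cased.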


                    • #11
                      Re: Cisco 1812 EZVPN config and VPN connect problem

                      I am trying to ping 192.168.1.102 and 192.168.1.5, and trying to map network drives. For example \\192.168.1.102\kozos, \\192.168.1.102\c, \\192.168.1.5\c. These shares are working in the remote network.
                      This is the most important thing. I configured EZVPN for this. But the VPN client just keeps thinking and there is no answer.
                      Or does something need to be set up in Windows?

                      But maybe I am very much an idiot, and sorry for it.
                      Last edited by kissd; 29th December 2012, 16:45.



                      • #12
                        Re: Cisco 1812 EZVPN config and VPN connect problem

                        Check the VPN client logs and also look at the tabs for Tunnel Details and Route Details. Do you see the traffic from the VPN client being encapsulated and sent over the tunnel? If there are any firewalls on those hosts, either disable them or create exceptions.



                        • #13
                          Re: Cisco 1812 EZVPN config and VPN connect problem

                          Congratulations... I win the biggest idiot in the world award.
                          Of course everything is working. The Windows firewall caused the fault. I thought I had turned it off but no....
                          I turned it off again and YOU MADE a miracle. I added an exception to the firewall and it is working.

                          I am very very happy and thanks a million. If you come to Hungary in the near future I will buy a lot of beer for you.



                          • #14
                            Re: Cisco 1812 EZVPN config and VPN connect problem

                            Glad you got it sorted out. Windows firewall still gets me sometimes as well.



                            • #15
                              Re: Cisco 1812 EZVPN config and VPN connect problem

                              Hi again.

                              New problem. I know you are happy.
                              So I configured NetBIOS on the router.
                              But I cannot map a Windows network drive by hostname (\\hostname\share), only by IP address. But if I type "ping -a <ip address>" on the command line, the VPN client finds the hostname and I can map the network drive by hostname.
                              Why do I have to ping with the -a parameter? Does any solution exist?
                              Is it a Cisco issue or a Windows issue?
                              Because I am not sure about anything...

                              Thanks for the help.
