EZVPN Server - clients connect but cannot pass traffic

Discussion in 'Cisco' started by steran@dotalot.com, Sep 1, 2005.

  1. Guest

    Hi,

    I've stared at this for too long and need a fresh set of eyes to
    hopefully point me in the right direction. This router is performing
    PAT for internet access and I'm trying to enable it as an EZVPN server.
    Using the VPN client, I'm able to connect and bring up the tunnel.
    However, once I'm in, I cannot pass traffic nor ping the router LAN
    interface (on same subnet). Any thoughts?

    Thanks for your help,
    Spencer Teran


    version 12.3
    no parser cache
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname igw
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 4096 debugging
    enable secret xxx
    !
    username xxx password xxx
    username zzz password zzz
    aaa new-model
    !
    !
    aaa authorization network biotxvpn local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    no ip domain lookup
    ip domain name blah.blah
    ip name-server public.ip
    !
    ip audit po max-events 100
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local dynpool
    !
    crypto isakmp client configuration group biotxvpn
    key password
    dns 192.168.0.11
    wins 192.168.0.11
    domain same.as.internal.hosts
    pool dynpool
    !
    !
    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
    !
    !
    crypto dynamic-map dynmap 1
    set transform-set transform-1
    reverse-route
    !
    !
    !
    crypto map dynmap isakmp authorization list biotxvpn
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    !
    !
    !
    interface Loopback0
    ip address 209.x.x.x 255.255.255.255
    ip nat outside
    crypto map dynmap
    !
    interface FastEthernet0/0
    description Ethernet LAN
    ip address 192.168.0.1 255.255.255.0
    ip nat inside
    duplex auto
    speed auto
    crypto map dynmap
    !
    interface Serial0/0
    description Internet WAN
    ip address 10.0.36.170 255.255.255.252
    ip nat outside
    encapsulation ppp
    no fair-queue
    service-module t1 timeslots 1-24
    crypto map dynmap
    !
    ip local pool dynpool 192.168.0.100 192.168.0.120
    ip nat inside source list 1 interface Loopback0 overload
    ip nat inside source static tcp 192.168.0.68 80 209.z.z.z 80 extendable
    no ip http server
    no ip http secure-server
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0
    !
    !
    access-list 1 permit 192.168.0.0 0.0.0.255
    no cdp run
    !
    !
    !
    dial-peer cor custom
    !
    !
    !
    !
    !
    line con 0
    line aux 0
    line vty 0 4
    exec-timeout 0 0
    password xxx
    !
    !
    !
    end
     
    , Sep 1, 2005
    #1

  2. Guest

    I think you have to add the command "acl" under the definition of
    "crypto isakmp client configuration group biotxvpn".

    Smth like:

    crypto isakmp client configuration group biotxvpn
    key password
    dns 192.168.0.11
    wins 192.168.0.11
    domain same.as.internal.hosts
    pool dynpool
    acl vpn_routes

    ip access-list extended vpn_routes
    permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255

    You may have to adjust vpn_routes so that it is appropriate for your
    VPN permission.

    DT
     
    , Sep 1, 2005
    #2

  3. Hi DT,

    Thanks for your reply. Adding the ACL command under the isakmp client
    config allows you to specify networks to encrypt (for split tunnel).
    Without that ACL, all traffic gets passed through the tunnel. The
    problem ended up being that the NAT was translating the VPN traffic as
    well. I ended up modifying the NAT ACL to deny traffic from the VPN
    chunk from getting translated.

    Thanks,
    Spencer Teran

     
    Spencer Teran, Sep 2, 2005
    #3
  4. andu

    I think your nat list is not enough. You should switch to an extended one and set denys from your inside network to the remote networks and a final permit.
     
    andu, Dec 5, 2008
    #4
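The NAT exemption Spencer describes in post #3 and andu sketches in post #4, written out against the configuration in the first post. This is an added example, not configuration from the thread: the ACL name NAT_INSIDE is my own, and the split-tunnel lines simply reuse DT's vpn_routes name with the LAN's real /24 mask; the pool range, Loopback0, the group name and the 209.z.z.z static mapping come from the posted config. The route-map remark on the static entry describes a later IOS option and should be checked against the command reference for the running version.

```cisco
! --- Exempt the EZVPN client pool from PAT (the fix in post #3) ---
! access-list 1 is a standard ACL and can only match on source, so it
! cannot express "LAN to VPN clients: do not translate". Use an extended
! ACL with deny entries for the pool and a final permit (post #4).
!
! The pool 192.168.0.100-120 is not one CIDR block, so it takes four
! entries: 100-103, 104-111, 112-119 and 120.
ip access-list extended NAT_INSIDE
 remark Do not translate LAN traffic destined for the EZVPN client pool
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.100 0.0.0.3
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.104 0.0.0.7
 deny   ip 192.168.0.0 0.0.0.255 192.168.0.112 0.0.0.7
 deny   ip 192.168.0.0 0.0.0.255 host 192.168.0.120
 remark Everything else from the LAN is PAT'd to Loopback0 as before
 permit ip 192.168.0.0 0.0.0.255 any
!
! Move the dynamic NAT rule over to the new ACL. Clear the translation
! table first so entries built under the old rule do not linger.
clear ip nat translation *
no ip nat inside source list 1 interface Loopback0 overload
ip nat inside source list NAT_INSIDE interface Loopback0 overload
!
! Caveat: the static port mapping for 192.168.0.68:80 is evaluated before
! the dynamic rule and is not governed by NAT_INSIDE, so replies from that
! host to a VPN client can still be rewritten to 209.z.z.z. Newer IOS lets
! a static entry be conditioned with "route-map" on the
! "ip nat inside source static" line; verify that keyword on this version.
!
! --- Optional split tunnel (DT's post, corrected to the LAN /24) ---
! Only traffic to 192.168.0.0/24 goes through the tunnel; everything else
! leaves the client unencrypted via its own Internet connection. Leaving
! "acl" out keeps the full-tunnel default, the safer choice for clients on
! untrusted networks.
ip access-list extended vpn_routes
 permit ip 192.168.0.0 0.0.0.255 any
crypto isakmp client configuration group biotxvpn
 acl vpn_routes
!
! Checks once a client is connected:
!   show ip nat translations      -> no entry whose inside address is a pool address
!   show crypto ipsec sa          -> #pkts encaps and #pkts decaps both increase on a ping
!   show ip route                 -> a static /32 per connected client (reverse-route injection)
!   show access-lists NAT_INSIDE  -> hit counts on the deny lines once LAN hosts answer
```

If the pool is ever moved to a subnet of its own (say a spare /24 rather than a slice of the LAN), the four deny entries collapse to one and VPN addresses become distinguishable from LAN hosts in routes, ACLs and logs; that is a design choice, not something the thread did.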
