VPN - Cisco IOS <-> VPN Client - problem

Discussion in 'Cisco' started by Jarosław Skórka, Feb 1, 2005.

  1. Hello everybody,
    I have tried to set up a VPN connection from Cisco VPN Client (4.6.00.0045
    on Win XP SP2) to Cisco Router 2621 (64MB RAM / 16MB Flash) - with enterprise
    IOS 12.2.
    When I map a crypto map to the interface ( crypto map CRYPTOMAP to serial
    0/0.1 ) - the nat stopped working and I haven't got a remote connection to
    my router and other services behind the router. When I got to the LAN I was
    able to connect to the router via ssh. Then I removed the crypto map on Serial 0/0.1
    and nat starts working but I haven't got a VPN connection :(

    I don't know what is wrong. I have studied Cisco materials and some other
    configs without any ideas.
    Would you be so kind and help me with this configuration?
    Thanks a lot.

    !
    ! Last configuration change at 08:16:20 CET Tue Feb 1 2005 by jskorka
    ! NVRAM config last updated at 22:57:51 CET Mon Jan 31 2005 by jskorka
    !
    version 12.2
    service tcp-keepalives-in
    service timestamps debug datetime localtime
    service timestamps log datetime localtime
    service password-encryption
    !
    hostname VIV_2621
    !
    logging buffered 16000 debugging
    logging monitor informational
    aaa new-model
    aaa authentication login default local
    enable secret 5 $XXXXXXXXXX
    !
    username jskorka password 7 1234567890
    clock timezone CET 1
    clock summer-time CET recurring last Sun Mar 2:00 last Sun Oct 2:00
    ip subnet-zero
    no ip source-route
    !
    !
    ip domain-name aaa.com.pl
    ip name-server 192.168.0.2
    !
    no ip bootp server
    ip cef
    ip audit notify log
    ip audit po max-events 100
    ip ssh authentication-retries 4
    !
    crypto isakmp policy 10
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration address-pool local local_vpn_pool
    !
    !
    crypto ipsec transform-set VPN_TRANSFORMS ah-sha-hmac esp-3des esp-sha-hmac
    !
    crypto dynamic-map VPN_USER_MAP 50
     description Cryptographic dynamic map to VPN users
     set transform-set VPN_TRANSFORMS
     match address 115
    !
    !
    crypto map CRYPTOMAP client configuration address initiate
    crypto map CRYPTOMAP client configuration address respond
    crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN_USER_MAP
    !
    call rsvp-sync
    !
    !
    !
    !
    !
    !
    !
    !
    interface FastEthernet0/0
     description connected to EthernetLAN
     ip address 192.168.0.254 255.255.255.0
     ip access-group msngg in
     ip nat inside
     duplex auto
     speed auto
    !
    interface Serial0/0
     no ip address
     encapsulation frame-relay IETF
     no fair-queue
     frame-relay lmi-type ansi
    !
    interface Serial0/0.1 point-to-point
     description connected to Internet
     ip address 80.50.189.114 255.255.255.252
     ip access-group ntp_serv out
     ip nat outside
     no cdp enable
     frame-relay interface-dlci 99 IETF
    !
    interface FastEthernet0/1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    ip local pool local_vpn_pool 192.168.5.1 192.168.5.254
    ip nat pool VIV_2621_natpool 80.51.xxx.yyy 80.51.xxx.yyy netmask 255.255.255.240
    ip nat inside source route-map nonat pool VIV_2621_natpool overload
    ip nat inside source static tcp 192.168.0.254 1805 80.51.xxx.yyy 1805 extendable
    ip nat inside source static tcp 192.168.0.254 5050 80.51.xxx.yyy 5050 extendable
    ip nat inside source static tcp 192.168.0.254 1863 80.51.xxx.yyy 1863 extendable
    ip nat inside source static tcp 192.168.0.254 1550 80.51.xxx.yyy 1550 extendable
    ip nat inside source static tcp 192.168.0.3 80 80.51.xxx.yyy 80 extendable
    ip nat inside source static tcp 192.168.0.230 8001 80.51.xxx.yyy 8001 extendable
    ip nat inside source static tcp 192.168.0.40 80 80.51.xxx.zzz 80 extendable
    ip nat inside source static tcp 192.168.0.10 20 80.51.xxx.zzz 20 extendable
    ip nat inside source static tcp 192.168.0.10 21 80.51.xxx.yyy 21 extendable
    ip nat inside source static tcp 192.168.0.230 5001 80.51.xxx.yyy 5001 extendable
    ip nat inside source static tcp 192.168.0.230 5002 80.51.xxx.yyy 5002 extendable
    ip nat inside source static tcp 192.168.0.230 5003 80.51.xxx.yyy 5003 extendable
    ip nat inside source static tcp 192.168.0.57 9001 80.51.xxx.ccc 9001 extendable
    ip nat inside source static udp 192.168.0.57 9001 80.51.xxx.ccc 9001 extendable
    ip nat inside source static udp 192.168.0.57 9002 80.51.xxx.ccc 9002 extendable
    ip nat inside source static tcp 192.168.0.57 9002 80.51.xxx.ccc 9002 extendable
    ip nat inside source static tcp 192.168.0.57 9999 80.51.xxx.ccc 9999 extendable
    ip nat inside source static udp 192.168.0.57 9999 80.51.xxx.ccc 9999 extendable
    ip nat inside source static tcp 192.168.0.231 8002 80.51.xxx.yyy 8002 extendable
    ip nat inside source static tcp 192.168.0.231 5011 80.51.xxx.yyy 5011 extendable
    ip nat inside source static tcp 192.168.0.231 5012 80.51.xxx.yyy 5012 extendable
    ip nat inside source static tcp 192.168.0.231 5013 80.51.xxx.yyy 5013 extendable
    ip classless
    ip route 0.0.0.0 0.0.0.0 Serial0/0.1
    no ip http server
    !
    !
    ip access-list extended msngg
     deny tcp any 217.17.41.80 0.0.0.15 eq 8074
     deny tcp any 217.17.41.80 0.0.0.15 eq 443
     deny tcp any 207.46.104.0 0.0.3.255 eq 1863
     deny tcp any 207.46.104.0 0.0.3.255 eq www
     permit ip any any
    ip access-list extended ntp_serv
     deny udp any eq ntp any eq ntp
     permit ip any any
    access-list 90 permit any log
    access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
    access-list 101 permit ip 192.168.0.0 0.0.0.255 any
    access-list 115 deny ip any 224.0.0.0 15.255.255.255
    access-list 115 deny ip any host 192.168.0.255
    access-list 115 permit ip any any
    route-map nonat permit 10
     description Policy routing for no natting VPN traffic
     match ip address 101
    !
    !
    dial-peer cor custom
    !
    !
    !
    !
    banner login 
    +---------------------------------------------------------------------------+
    | WARNING !
    |
    | This computer system including all related equipment, network devices
    |
    | (specifically including Internet access), are provided only for
    |
    | authorized use. All computer systems may be monitored for all lawful
    |
    | purposes, including to ensure that their use is authorized, for
    |
    | management of the system, to facilitate protection against unauthorized
    |
    | access, and to verify security procedures, survivability and
    |
    | operational security. Monitoring includes active attacks by authorized
    |
    | personnel and their entities to test or verify the security of the
    |
    | system. During monitoring, information may be examined, recorded,
    |
    | copied and used for authorized purposes. All information including
    |
    | personal information, placed on or sent over this system may be
    |
    | monitored. Uses of this system, authorized or unauthorized, constitutes
    |
    | consent to monitoring of this system. Unauthorized use may subject you
    |
    | to criminal prosecution. Evidence of any such unauthorized use
    |
    | collected during monitoring may be used for administrative, criminal or
    |
    | other adverse action. Use of this system constitutes consent to
    |
    | monitoring for these purposes.
    |
    +---------------------------------------------------------------------------+
    
    !
    line con 0
     exec-timeout 0 0
     password 7 XXXXXX12345678
    line aux 0
    line vty 0 4
     access-class 90 in
     exec-timeout 5 0
     password 7 XXXXXX12345678
     transport input ssh
    !
    ntp clock-period 17180455
    ntp server 217.153.69.35
    ntp server 195.187.244.4
    ntp server 193.110.120.9
    end
     
    Jarosław Skórka, Feb 1, 2005
    #1

  2. PES

    Guest

    Jarosław Skórka wrote:
    > Hello everybody,
    > I have tried to set up a VPN connection from Cisco VPN Client (4.6.00.0045
    > on Win XP SP2) to Cisco Router 2621 (64MB RAM / 16MB Flash) - with enterprise
    > IOS 12.2.
    > When I map a crypto map to the interface ( crypto map CRYPTOMAP to serial
    > 0/0.1 ) - the nat stopped working and I haven't got a remote connection to
    > my router and other services behind the router. When I got to the LAN I was
    > able to connect to the router via ssh. Then I removed the crypto map on Serial 0/0.1
    > and nat starts working but I haven't got a VPN connection :(
    >
    > I don't know what is wrong. I have studied Cisco materials and some other
    > configs without any ideas.
    > Would you be so kind and help me with this configuration?
    > Thanks a lot.


    It's not nat that is broken. Your acl 115 says to encrypt everything
    except "any <> 224.0.0.0 15.255.255.255", "any host 192.168.0.255".

    When applied to the map with the match address this is a crypto acl. You
    should never use the any keyword. Always specify the networks. Also,
    do you really want to do AH? It is incompatible with nat on the client
    side by design. Additionally, if you are using the client there are
    some very good examples and samples on cisco's web site. You will
    likely want to use the vpn group commands.

    I'm on my way out the door, but I also want to comment on your use of
    access lists on interfaces. It is better to use them inbound than
    outbound in your case. However this requires a re-write of the acl's.
    Additionally, since this is obviously a go-between between a trusted and
    untrusted network you should be utilizing cbac via ip inspect statements
    to create temporary openings in the acl's rather than static opens.
    This is accomplished if you have the FW feature set. There is also a
    nat bypass configuration via route map and loopback interface to
    overcome any nat issues with the vpn client to statically nat'd clients.
    Like I say, I wish I had more time for details this morning, but it has
    been discussed numerous times in this group.

    --
    -------------------------
    Paul Stewart
    Lexnet Inc.
    Email address is in ROT13
     
    PES, Feb 1, 2005
    #2
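    The points in the reply above, worked into one configuration. This is an
    added example, not the original poster's config and not something PES
    posted; it keeps the LAN (192.168.0.0/24), the client pool
    (local_vpn_pool / 192.168.5.0/24), the interface names and the public
    address from the posted config, and everything else is assumed: the group
    name VPN_USERS, the AAA list names VPN_XAUTH and VPN_GROUPS, the inspect
    rule LAN_OUT, the ACL FROM_INTERNET, ACL 120 and the placeholder key. It
    assumes a 12.2T/12.3-train image with the EzVPN server commands
    ("crypto isakmp client configuration group") and the IOS Firewall feature
    set for "ip inspect"; on a mainline 12.2 image the group commands are not
    available. Two behaviours the example is built around: outbound traffic
    that matches a dynamic crypto map's ACL while no SA exists is dropped
    rather than sent in the clear (the router cannot initiate to a peer it
    does not know), which is why "permit ip any any" in ACL 115 took every
    NAT'd service offline the moment the crypto map went on Serial0/0.1; and
    on IOS releases of this era the inbound interface ACL is evaluated a
    second time against the decrypted packet, so the VPN pool has to be
    permitted explicitly in the inbound filter.

```cisco
! Added example, not from the original post. Placeholders: VPN_USERS,
! VPN_XAUTH, VPN_GROUPS, LAN_OUT, FROM_INTERNET, ACL 120, the group key.
!
! AAA lists: xauth for the user login, network authorization for the group.
aaa new-model
aaa authentication login default local
aaa authentication login VPN_XAUTH local
aaa authorization network VPN_GROUPS local
!
! Phase 1 proposal (matches the VPN Client's default: 3DES/SHA/PSK/DH2).
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2
!
! The group the client's connection entry names; replaces
! "crypto isakmp client configuration address-pool local".
crypto isakmp client configuration group VPN_USERS
 key CHANGE_THIS_GROUP_KEY
 dns 192.168.0.2
 domain aaa.com.pl
 pool local_vpn_pool
 acl 120
!
! ESP only. AH authenticates the outer IP header, so it fails as soon as
! the client sits behind a NAT device; ESP with SHA still gives integrity.
crypto ipsec transform-set VPN_TRANSFORMS esp-3des esp-sha-hmac
!
! No "match address": the client proposes its proxy identities itself.
! reverse-route installs a host route for each connected client address.
crypto dynamic-map VPN_USER_MAP 50
 set transform-set VPN_TRANSFORMS
 reverse-route
!
crypto map CRYPTOMAP client authentication list VPN_XAUTH
crypto map CRYPTOMAP isakmp authorization list VPN_GROUPS
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN_USER_MAP
!
! Split tunnel: only LAN-bound traffic from the client goes through the tunnel.
access-list 120 permit ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
!
! NAT exemption for LAN -> client traffic (same idea as the posted ACL 101).
access-list 101 deny   ip 192.168.0.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 101
!
! CBAC: inspect what the LAN starts and open the return path in FROM_INTERNET.
ip inspect name LAN_OUT tcp
ip inspect name LAN_OUT udp
!
! Inbound filter on the Internet side. Static openings only for IKE, ESP,
! NAT-T (UDP 4500), SSH to the router, replies to the router's own NTP
! queries (CBAC does not track router-originated traffic on these releases;
! one line per configured ntp server), and the published static NAT ports
! (one line per "ip nat inside source static" entry; two shown).
ip access-list extended FROM_INTERNET
 permit udp any host 80.50.189.114 eq isakmp
 permit udp any host 80.50.189.114 eq 4500
 permit esp any host 80.50.189.114
 permit tcp any host 80.50.189.114 eq 22
 permit udp host 217.153.69.35 eq ntp host 80.50.189.114 eq ntp
 permit tcp any host 80.51.xxx.yyy eq www
 permit tcp any host 80.51.xxx.yyy eq ftp
 permit ip 192.168.5.0 0.0.0.255 192.168.0.0 0.0.0.255
 deny   ip any any log
!
interface FastEthernet0/0
 ip nat inside
 ip inspect LAN_OUT in
!
interface Serial0/0.1 point-to-point
 ip access-group FROM_INTERNET in
 ip nat outside
 crypto map CRYPTOMAP
!
! Checks after a client connects:
!   show crypto isakmp sa          (QM_IDLE = phase 1 up)
!   show crypto ipsec sa           (encaps/decaps counters moving)
!   show ip nat translations       (NAT still building entries)
!   show ip inspect sessions       (CBAC tracking LAN-initiated flows)
! If phase 1 never completes: debug crypto isakmp
```

    The line that permits 192.168.5.0/24 to the LAN inside FROM_INTERNET is
    the double-ACL-check caveat: without it the decrypted client packets are
    dropped by the same inbound list that let the ESP in. The NTP entries are
    needed because the router's own NTP queries are not opened by the inspect
    rule on FastEthernet0/0, which only sees LAN-originated traffic.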
