Cisco EZ-VPN - can't access internal network
13 years 5 months ago #37084
by SunCCi
Cisco EZ-VPN - can't access internal network was created by SunCCi
Hi,
I set up an EZ-VPN, but once I am connected I cannot ping my internal LAN behind the router.
192.168.1.x -> VPN client IPs
192.168.0.0 -> internal LAN via the Vlan10 interface to the switch
Dialer -> internet connection
I can't ping 192.168.0.2, but I can ping 192.168.0.30. I found out that 192.168.0.2 does not send the packets back to the VPN client, I guess.
But I can ping 192.168.0.2 from the VPN router if I log into it.
Here is my config:
Current configuration : 7730 bytes
!
! Last configuration change at 16:24:55 UTC Tue Jun 14 2011 by suncci
! NVRAM config last updated at 20:21:30 UTC Fri Jun 10 2011 by suncci
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_VPN local
aaa authorization exec default local
aaa authorization network AUTHORIZE_VPN local
!
!
aaa session-id common
ip cef
!
!
!
!
ip name-server 208.67.222.222
ip name-server 205.188.146.145
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1861908046
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1861908046
revocation-check none
rsakeypair TP-self-signed-1861908046
!
!
crypto pki certificate chain TP-self-signed-1861908046
certificate self-signed 01
quit
!
!
username xxxxxx privilege 15 password 0 xxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 5
!
crypto isakmp client configuration group Sun-VPN-Group
key 12345
dns 208.67.222.222
pool VPN_Pool
acl VPN_Test
crypto isakmp profile ISAKMP_Profile_EZVPN
match identity group Sun-VPN-Group
client authentication list AUTH_VPN
isakmp authorization list AUTHORIZE_VPN
client configuration address respond
client configuration group Sun-VPN-Group
virtual-template 1
!
!
crypto ipsec transform-set Sun-VPN esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_Profile_EZVPN
set transform-set Sun-VPN
set isakmp-profile ISAKMP_Profile_EZVPN
!
!
!
!
!
!
!
!
class-map type inspect match-any Internal
match protocol tcp
match protocol udp
match protocol dns
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-any Internet
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any InterNet-IntraNet-Traffic
match protocol tcp
match protocol udp
match protocol icmp
match access-group name InterNet-to-IntraNet-ACL
class-map type inspect match-any IntraNet-InterNet-Traffic
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect InterNet-to-IntraNet-Policy
class type inspect InterNet-IntraNet-Traffic
inspect
class class-default
drop
policy-map type inspect IntraNet-to-InterNet-Policy
class type inspect IntraNet-InterNet-Traffic
inspect
class class-default
drop
policy-map type inspect sdm-policy-Internet
class type inspect Internet
inspect
class class-default
policy-map type inspect sdm-policy-Internal
class type inspect Internal
inspect
class class-default
drop
!
zone security Internet
zone security Internal
zone security IntraNet
description All Interfaces connected to the Intranet
zone security InterNet
description All Interfaces connected to the Internet
zone-pair security sdm-zp-Internal-self source Internal destination self
service-policy type inspect sdm-policy-Internet
zone-pair security IntraNet-InterNet source IntraNet destination InterNet
service-policy type inspect IntraNet-to-InterNet-Policy
zone-pair security InterNet-IntraNet source InterNet destination IntraNet
service-policy type inspect InterNet-to-IntraNet-Policy
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
description Outside PPPOE Interface$ETH-WAN$
no ip address
ip mask-reply
ip nat outside
ip virtual-reassembly
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
switchport access vlan 10
!
interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/4
switchport access vlan 10
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security IntraNet
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_Profile_EZVPN
!
interface Vlan10
description $FW_INSIDE$
ip address 192.168.0.3 255.255.255.0
ip mask-reply
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
zone-member security IntraNet
ip route-cache flow
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security InterNet
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname pty/69733
ppp chap password 0 DSLconnect
ppp pap sent-username pty/69733 password 0 DSLconnect
!
ip local pool VPN_Pool 192.168.1.30 192.168.1.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended InterNet-to-IntraNet-ACL
permit tcp any 192.168.0.0 0.0.0.255
permit udp any 192.168.0.0 0.0.0.255
permit icmp any 192.168.0.0 0.0.0.255
deny ip any any
ip access-list extended Internet
remark Internet
remark SDM_ACL Category=2
remark ALL
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended VPN_Test
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map NAT permit 10
match ip address NAT
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 12
privilege level 15
logging synchronous
transport input telnet ssh
!
ntp clock-period 17208070
ntp server 17.151.16.21
end
Any help would be appreciated.
Thanks a lot.
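A router-side sanity check for the three prerequisites that the config above has to satisfy before a VPN client can reach the LAN: LAN-to-pool traffic must be exempt from the PAT route-map, the split-tunnel ACL pushed to the client must cover the LAN, and Virtual-Template1 and Vlan10 must sit in the same zone so the zone-based firewall does not drop the traffic. This is an added example, not code from the post or from Cisco; the parser only understands the `any` and `address wildcard` ACL forms used in this config, and the excerpt it reads is constructed from the posted lines.

```python
import ipaddress
# Constructed excerpt of the EZ-VPN config posted above (only the lines the checks read).
CONFIG = """\
ip local pool VPN_Pool 192.168.1.30 192.168.1.40
ip access-list extended NAT
 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended VPN_Test
 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
interface Virtual-Template1 type tunnel
 zone-member security IntraNet
interface Vlan10
 zone-member security IntraNet
"""

def take(t, i):  # one ACL address spec, 'any' or 'ADDR WILDCARD' -> (network, next index)
    if t[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(t[i + 1])))
    return ipaddress.IPv4Network(f"{t[i]}/{mask}", strict=False), i + 2

def parse(config):  # -> pool (first, last), {acl: [(action, src, dst)]}, {interface: zone}
    pool, acls, zones, acl, iface = None, {}, {}, None, None
    for t in (line.split() for line in config.splitlines() if line.strip()):
        if t[:3] == ["ip", "local", "pool"]:
            pool = (ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5]))
        elif t[:3] == ["ip", "access-list", "extended"]:
            acl, iface, acls[t[3]] = t[3], None, []
        elif t[0] == "interface":
            iface, acl = t[1], None
        elif acl and t[0] in ("permit", "deny"):
            src, i = take(t, 2)                      # t[1] is the protocol keyword
            acls[acl].append((t[0], src, take(t, i)[0]))
        elif iface and t[:2] == ["zone-member", "security"]:
            zones[iface] = t[2]
    return pool, acls, zones

def first_match(entries, lan, pool):  # ACLs are first-match: action of the first covering entry
    for action, src, dst in entries:
        if lan.subnet_of(src) and pool[0] in dst and pool[1] in dst:
            return action
    return None

def check_vpn_plumbing(config, lan="192.168.0.0/24", nat_acl="NAT", split_acl="VPN_Test",
                       tun="Virtual-Template1", lan_if="Vlan10"):
    pool, acls, zones, lan = (*parse(config), ipaddress.IPv4Network(lan))
    nat = first_match(acls.get(nat_acl, []), lan, pool)       # must bypass PAT toward the pool
    split = first_match(acls.get(split_acl, []), lan, pool)   # pushed split-tunnel list must include the LAN
    return {"nat_exempt": nat == "deny", "split_tunnel_covers_lan": split == "permit",
            "same_zone": tun in zones and zones[tun] == zones.get(lan_if)}
```

All three checks pass for the posted config, which is consistent with 192.168.0.30 answering; they only cover the router, so a host that does not send its replies via 192.168.0.3 or filters non-local sources is outside their scope.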