From: Tony Schaffran (groupstudy@cconlinelabs.com)
Date: Mon Apr 18 2005 - 00:24:49 GMT-3
The secret is the route map.
Tony Schaffran
Network Analyst
CCIE #11071
CCNP, CCNA, CCDA,
NNCDS, NNCSS, CNE, MCSE
www.cconlinelabs.com
Your #1 choice for online Cisco rack rentals.
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of john matijevic
Sent: Sunday, April 17, 2005 4:55 PM
To: Tony Schaffran
Cc: ccie; ccielab@groupstudy.com
Subject: Re: VPN problems
Mark,
Just out of curiosity, what config addition/modification did you make in
order for this to work? Could you post the working config?
Sincerely,
John
On 4/17/05, Tony Schaffran <groupstudy@cconlinelabs.com> wrote:
>
> Glad to help.
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie
> Sent: Sunday, April 17, 2005 9:52 AM
> To: groupstudy@cconlinelabs.com; ccielab@groupstudy.com
> Subject: RE: VPN problems
>
> Hi Tony
>
> Thanks for that, that is exactly the problem.
>
> Cheers
> Mark
>
> -----Original Message-----
> From: Tony Schaffran [mailto:groupstudy@cconlinelabs.com]
> Sent: 17 April 2005 17:16
> To: ccie; 'Christopher M. Heffner'; ccielab@groupstudy.com
> Subject: RE: VPN problems
>
> I believe the problem you are facing has to do with the fact that NAT
> takes place before the crypto.
>
> Here is a document that I have found to correct this problem.
>
> Take a look and see if it will help your situation.
>
> http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
>
> Tony Schaffran
> Network Analyst
> CCIE #11071
> CCNP, CCNA, CCDA,
> NNCDS, NNCSS, CNE, MCSE
>
> www.cconlinelabs.com
> Your #1 choice for online Cisco rack rentals.
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie
> Sent: Sunday, April 17, 2005 9:01 AM
> To: Christopher M. Heffner; ccielab@groupstudy.com
> Subject: RE: VPN problems
>
> Hi Chris
>
> Yep, I have checked the client and it is using NAT-T.
>
> I have been investigating the problem further and found that it is only
> the server I cannot get to. Yet when I remove the static NAT for the
> server 192.168.0.3, full duplex traffic is OK.
>
> So it would seem I have a problem with NAT...
>
> Not sure how to resolve this, as I need the static NAT for smtp and
> https to the server.
>
> Any ideas would be appreciated
>
> Mark
>
> -----Original Message-----
> From: Christopher M. Heffner [mailto:cheffner@certified-labs.com]
> Sent: 16 April 2005 00:53
> To: ccie
> Subject: RE: VPN problems
>
> Check the status of the VPN client once you are connected to the 837
> router to see if NAT-T is properly being negotiated between the VPN
> client and the 837 router. Since you are using NAT with the overload
> option (PAT) you will need NAT-T with UDP port 4500 for the extended
> translations to be properly set up for the traffic to properly traverse
> the router.
>
> HTH.
>
> Christopher M. Heffner, CCIE 8211, CCSI 98760
> Strategic Network Solutions, Inc.
> VP of Internetworking Technologies
>
> www.certified-labs.com
>
> "Complete CCIE R&S and Security Online Rack Rentals"
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of ccie
> Sent: Friday, April 15, 2005 5:08 AM
> To: ccielab@groupstudy.com
> Subject: OT: VPN problems
>
> Hi Group
>
> Sorry for the off-topic....
>
> I have an 837 running Easy VPN server and I'm using the Cisco VPN client to
> connect. The tunnel comes up with no problems. But I cannot get to the
> internal address range except for the internal interface of the router.
> Any ideas/help would be appreciated. Below is the config...
>
> version 12.3
> no service pad
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname Router
> !
> no logging buffered
> !
> username ###### privilege 15 secret 5 #########
> !
> aaa new-model
> !
> aaa authentication login default local
> aaa authentication login sdm_vpn_xauth_ml_1 local
> aaa authorization exec default local
> aaa authorization network sdm_vpn_group_ml_1 local
> aaa session-id common
> ip subnet-zero
> !
> ip inspect name DEFAULT100 cuseeme
> ip inspect name DEFAULT100 ftp
> ip inspect name DEFAULT100 h323
> ip inspect name DEFAULT100 netshow
> ip inspect name DEFAULT100 rcmd
> ip inspect name DEFAULT100 realaudio
> ip inspect name DEFAULT100 rtsp
> ip inspect name DEFAULT100 smtp
> ip inspect name DEFAULT100 sqlnet
> ip inspect name DEFAULT100 streamworks
> ip inspect name DEFAULT100 tftp
> ip inspect name DEFAULT100 tcp
> ip inspect name DEFAULT100 udp
> ip inspect name DEFAULT100 vdolive
> ip inspect name DEFAULT100 icmp
> ip audit notify log
> ip audit po max-events 100
> no ftp-server write-enable
> !
> crypto isakmp policy 1
>  encr 3des
>  authentication pre-share
>  group 2
> !
> crypto isakmp policy 3
>  encr 3des
>  group 2
> !
> crypto isakmp client configuration group ###########
>  key 0 ###########
>  dns 192.168.0.3
>  domain unicorn.local
>  pool SDM_POOL_1
>  acl 102
> !
> crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
> !
> crypto dynamic-map SDM_DYNMAP_1 1
>  set transform-set ESP-3DES-SHA
>  reverse-route
> !
> crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
> crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
> crypto map SDM_CMAP_1 client configuration address respond
> crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
> !
> interface Ethernet0
>  description $FW_INSIDE$
>  ip address 192.168.0.1 255.255.255.0
>  ip access-group 100 in
>  ip nat inside
>  ip tcp adjust-mss 1452
>  hold-queue 100 out
> !
> interface ATM0
>  no ip address
>  no atm ilmi-keepalive
>  dsl operating-mode auto
> !
> interface ATM0.1 point-to-point
>  pvc 0/38
>   pppoe-client dial-pool-number 1
> !
> interface Dialer0
>  description $FW_OUTSIDE$
>  ip address ##############
>  ip access-group 101 in
>  ip mtu 1452
>  ip nat outside
>  ip inspect DEFAULT100 out
>  encapsulation ppp
>  dialer pool 1
>  dialer-group 1
>  ppp authentication chap callin
>  ppp chap hostname ########
>  ppp chap password 0 ##########
>  crypto map SDM_CMAP_1
> !
> ip local pool SDM_POOL_1 192.168.0.200 192.168.0.210
> ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
> ip nat inside source static network 192.168.0.3 217.37.73.133 /32
> ip classless
> ip route 0.0.0.0 0.0.0.0 Dialer0
> ip http server
> ip http secure-server
> !
> ip access-list extended Internal_LAN
>  remark SDM_ACL Category=2
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.200
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.201
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.202
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.203
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.204
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.205
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.206
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.207
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.208
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.209
>  deny ip 192.168.0.0 0.0.0.255 host 192.168.0.210
>  permit ip 192.168.0.0 0.0.0.255 any
> !
> access-list 100 remark auto generated by SDM firewall configuration
> access-list 100 remark SDM_ACL Category=1
> access-list 100 deny ip 217.37.73.128 0.0.0.7 any
> access-list 100 deny ip host 255.255.255.255 any
> access-list 100 deny ip 127.0.0.0 0.255.255.255 any
> access-list 100 permit ip any any
> !
> access-list 101 remark auto generated by SDM firewall configuration
> access-list 101 remark SDM_ACL Category=1
> access-list 101 permit ahp any host 213.121.187.65
> access-list 101 permit esp any host 213.121.187.65
> access-list 101 permit udp any host 213.121.187.65 eq isakmp
> access-list 101 permit udp any host 213.121.187.65 eq non500-isakmp
> access-list 101 permit ip host 192.168.0.200 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.201 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.202 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.203 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.204 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.205 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.206 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.207 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.208 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.209 192.168.0.0 0.0.0.255
> access-list 101 permit ip host 192.168.0.210 192.168.0.0 0.0.0.255
> access-list 101 permit udp any host 217.37.73.134 eq non500-isakmp
> access-list 101 permit udp any host 217.37.73.134 eq isakmp
> access-list 101 permit esp any host 217.37.73.134
> access-list 101 permit ahp any host 217.37.73.134
> access-list 101 permit tcp any host 217.37.73.133 eq smtp
> access-list 101 permit tcp any host 217.37.73.133 eq 443
> access-list 101 deny ip 192.168.0.0 0.0.0.255 any
> access-list 101 permit icmp any host 217.37.73.134 echo-reply
> access-list 101 permit icmp any host 217.37.73.134 time-exceeded
> access-list 101 permit icmp any host 217.37.73.134 unreachable
> access-list 101 deny ip 10.0.0.0 0.255.255.255 any
> access-list 101 deny ip 172.16.0.0 0.15.255.255 any
> access-list 101 deny ip 192.168.0.0 0.0.255.255 any
> access-list 101 deny ip 127.0.0.0 0.255.255.255 any
> access-list 101 deny ip host 255.255.255.255 any
> access-list 101 deny ip host 0.0.0.0 any
> access-list 101 deny ip any any
> !
> access-list 102 remark SDM_ACL Category=4
> access-list 102 permit ip 192.168.0.0 0.0.0.255 any
> dialer-list 1 protocol ip permit
> route-map SDM_RMAP_1 permit 1
>  match ip address Internal_LAN
> !
> line con 0
>  exec-timeout 0 0
>  no modem enable
> line aux 0
> line vty 0 4
>  exec-timeout 120 0
>  length 0
> !
> scheduler max-task-time 5000
> !
> end
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
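As an added illustration that is not part of the thread: a small Python model of the order of operations Tony describes, NAT before crypto on the inside-to-outside path, built from the addresses in Mark's config. The route-map-gated static entry (with_route_map=True) and the placeholder Dialer0 address are assumptions of the model; it is not IOS and only shows why the server alone is unreachable.

```python
import ipaddress

# Addresses and ranges are the ones in Mark's posted config (constructed model).
LAN = ipaddress.ip_network("192.168.0.0/24")
VPN_POOL = {ipaddress.ip_address(f"192.168.0.{i}") for i in range(200, 211)}
SERVER = ipaddress.ip_address("192.168.0.3")
SERVER_PUBLIC = ipaddress.ip_address("217.37.73.133")
DIALER0_PLACEHOLDER = ipaddress.ip_address("203.0.113.1")  # masked in the post


def internal_lan_permits(src, dst):
    """Mirror of the Internal_LAN ACL: deny LAN -> VPN-pool packets, permit
    the rest. SDM_RMAP_1 matches it, so PAT is skipped for client-bound traffic."""
    return not (src in LAN and dst in VPN_POOL)


def nat(src, dst, with_route_map):
    """Inside-to-outside NAT as in the config. The static entry for the server
    is unconditional as posted; with_route_map=True is the assumed fix, gating
    it with the same ACL that already gates the PAT entry."""
    if src == SERVER:
        if not with_route_map or internal_lan_permits(src, dst):
            return SERVER_PUBLIC
        return src
    if src in LAN and internal_lan_permits(src, dst):
        return DIALER0_PLACEHOLDER  # PAT via SDM_RMAP_1 / interface Dialer0
    return src


def crypto_selects(src, dst):
    """Per-client IPsec SA installed by the dynamic map: local 192.168.0.0/24
    (split-tunnel acl 102) to the client's /32 from SDM_POOL_1."""
    return src in LAN and dst in VPN_POOL


def outbound(src, dst, with_route_map=False):
    """IOS inside-to-outside order of operations: NAT runs before the crypto
    map on Dialer0. Returns (source as seen by crypto, 'encrypted'|'cleartext')."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    seen_by_crypto = nat(src, dst, with_route_map)
    state = "encrypted" if crypto_selects(seen_by_crypto, dst) else "cleartext"
    return str(seen_by_crypto), state


if __name__ == "__main__":
    # Server replying to a connected VPN client, as posted and with the route map.
    print(outbound("192.168.0.3", "192.168.0.200"))        # ('217.37.73.133', 'cleartext')
    print(outbound("192.168.0.3", "192.168.0.200", True))  # ('192.168.0.3', 'encrypted')
    # Any other LAN host already reaches the client because PAT is gated.
    print(outbound("192.168.0.10", "192.168.0.200"))       # ('192.168.0.10', 'encrypted')
```

The first call reproduces Mark's symptom: the static translation rewrites the server's source before the crypto map looks at the packet, so the SA for the client no longer selects it and it leaves Dialer0 in the clear.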
This archive was generated by hypermail 2.1.4 : Tue May 03 2005 - 07:54:59 GMT-3