problem reaching net behind a fw router with vpn client

From: JP (jenseike@start.no)
Date: Mon Nov 14 2005 - 18:18:44 GMT-3

• Next message: Brian McGahan: "RE: IE Workbook"
• Previous message: Guyler, Rik: "6500 Conversion to Native IOS instructions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

I have set up my cbac router config so that I can log in with a vpn client
and access to servers behind the router.

My problem is that although the vpn client are loging in fine, I am not
able to reach the servers.. This is my config.

I have had to make a nat statement, and punsh a hole to my fw to reach them.
This is not what I want.

I want to have access trough the vln client, and close this holes..what am I
doing wrong

The servers have address 192.168.1.240 and 242, and are on the subnet of
vlan 1 and needs access via http and vnc trough
the vpn client.

I have shared out a pool in the 172.16.1.0 net to the vpn client. What is
strange is that when I am hooked up with
the vpn client and try to ping 192.168.1.240 or 242, it is the outside
interface that are sending the respons.. Is this suppose
to be like this..

I have tried to disable the fw also to see if this helps, but no it does
not. PLEASE HELP

Xx.xx.xx.xx.adsl.hesbynett.no#wr t

Building configuration...

Current configuration : 6929 bytes

!

version 12.3

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

no service password-encryption

service sequence-numbers

!

hostname xx.xx.xx.xx.adsl.hesbynett.no

!

boot-start-marker

boot-end-marker

!

logging buffered 4096 debugging

logging console critical

enable secret 5 $1$bJsO$6LiAvxf2n5XWZVXD5gxjq1

!

username admin privilege 15 secret 5 $1$NkZL$xPsN9BDhiGGzWs7vt0tPg1

username prediktor password 0 p8jdh

clock timezone PCTime 1

clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa session-id common

ip subnet-zero

no ip source-route

ip dhcp excluded-address 192.168.1.1 192.168.1.9

ip dhcp excluded-address 192.168.1.1 192.168.1.220

!

ip dhcp pool sdm-pool1

   import all

   network 192.168.1.0 255.255.255.0

   dns-server 81.29.32.130 81.29.32.135

   default-router 192.168.1.1

!

!

ip cef

ip inspect L2-transparent dhcp-passthrough

ip inspect name DEFAULT100 cuseeme

ip inspect name DEFAULT100 ftp

ip inspect name DEFAULT100 h323

ip inspect name DEFAULT100 icmp

ip inspect name DEFAULT100 rcmd

ip inspect name DEFAULT100 realaudio

ip inspect name DEFAULT100 rtsp

ip inspect name DEFAULT100 esmtp

ip inspect name DEFAULT100 sqlnet

ip inspect name DEFAULT100 streamworks

ip inspect name DEFAULT100 tftp

ip inspect name DEFAULT100 tcp

ip inspect name DEFAULT100 udp

ip inspect name DEFAULT100 vdolive

ip tcp synwait-time 10

no ip bootp server

ip domain name hesbynett.no

ip name-server xx.xx.xx.xx

ip name-server xx.xx.xx.xx

ip ssh time-out 60

ip ssh authentication-retries 2

vpdn enable

!

!

!

!

!

!

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

!

crypto isakmp policy 2

 encr aes

 authentication pre-share

 group 2

!

crypto isakmp policy 3

 encr 3des

 authentication pre-share

 group 5

!

crypto isakmp policy 4

 encr aes

 authentication pre-share

 group 5

crypto isakmp xauth timeout 15

!

crypto isakmp client configuration group vpngroup

 key ad45xt35mn

 pool espeland

 acl 102

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

 set transform-set ESP-3DES-SHA

 reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list default

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

interface FastEthernet0

 no ip address

 no cdp enable

!

interface FastEthernet1

 no ip address

 no cdp enable

!

interface FastEthernet2

 no ip address

 no cdp enable

!

interface FastEthernet3

 no ip address

 no cdp enable

!

interface FastEthernet4

 description $ES_WAN$$FW_OUTSIDE$

 ip address dhcp client-id FastEthernet4

 ip access-group 101 in

 no ip redirects

 no ip unreachables

 ip inspect DEFAULT100 out

 ip nat outside

 ip virtual-reassembly

 ip route-cache flow

 duplex auto

 speed auto

 no cdp enable

 crypto map SDM_CMAP_1

!

interface Virtual-Template1

 ip unnumbered FastEthernet4

 peer default ip address pool espeland

 no keepalive

 ppp encrypt mppe auto

 ppp authentication chap ms-chap ms-chap-v2

!

interface Vlan1

 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

 ip address 192.168.1.1 255.255.255.0

 ip access-group 100 in

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat inside

 ip virtual-reassembly

 ip route-cache flow

 ip tcp adjust-mss 1452

!

ip local pool espeland 172.16.1.1 172.16.1.255

ip classless

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat inside source static tcp 192.168.1.242 5900 interface FastEthernet4
5900

ip nat inside source static tcp 192.168.1.242 80 interface FastEthernet4 80

ip nat inside source static tcp 192.168.1.240 5900 interface FastEthernet4
5901

ip nat inside source static tcp 192.168.1.240 80 interface FastEthernet4 81

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload

!

logging trap debugging

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 deny ip host 255.255.255.255 any

access-list 100 deny ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 permit tcp any any eq 5900

access-list 101 permit tcp any any eq 3389

access-list 101 permit icmp 172.16.1.0 0.0.0.255 any

access-list 101 permit udp any any eq isakmp

access-list 101 permit udp any any eq non500-isakmp

access-list 101 permit esp any any

access-list 101 permit tcp any any eq telnet

access-list 101 permit gre any any

access-list 101 permit udp host xx.xx.xx.xx eq domain any

access-list 101 permit udp host xx.xx.xx.xx eq domain any

access-list 101 permit udp any eq bootps any eq bootpc

access-list 101 deny ip 192.168.1.0 0.0.0.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny ip 10.0.0.0 0.255.255.255 any

access-list 101 deny ip 172.16.0.0 0.15.255.255 any

access-list 101 deny ip 192.168.0.0 0.0.255.255 any

access-list 101 deny ip 127.0.0.0 0.255.255.255 any

access-list 101 deny ip host 255.255.255.255 any

access-list 101 deny ip any any

access-list 101 permit tcp any any eq 5901

access-list 101 permit tcp any any eq 81

access-list 102 permit ip 192.168.1.0 0.0.0.255 172.16.1.0 0.0.0.255

access-list 103 permit ip 192.168.1.0 0.0.0.255 any

access-list 150 permit tcp any any eq telnet

access-list 150 permit tcp any any eq 22

no cdp run

route-map SDM_RMAP_1 permit 1

 match ip address 103

!

!

control-plane

!

banner login ^CAuthorized access only!

 Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

 no modem enable

 transport preferred all

 transport output telnet

line aux 0

 transport preferred all

 transport output telnet

line vty 0 4

 access-class 150 in

 transport preferred all

 transport input telnet ssh

 transport output all

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Jens P

• Next message: Brian McGahan: "RE: IE Workbook"
• Previous message: Guyler, Rik: "6500 Conversion to Native IOS instructions"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:06 GMT-3