  #1 Member (joined Dec 2012, 41 posts)

    Can't access LAN behind Easy VPN server

    I set up an Easy VPN server on my Cisco router and am able to connect the VPN client to the Cisco router using the 1.1.1.1 IP address, but I can't access the LAN behind the server (Gi0/0).
    My interface facing the internet is Gi0/1, with an arbitrary IP of 1.1.1.1.
    Not sure what I am doing wrong; would appreciate any help.

    aaa new-model
    aaa authentication login default local
    aaa authentication login VPN-USER-AUTHENTICATION local
    aaa authorization exec default local
    aaa authorization network ML-GROUP local

    username aaaa privilege 15 password 0 cisco

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group mlgroup
    key 6 aaCisco
    pool ML-POOL
    max-users 20

    crypto isakmp profile AAAA-PROFILE
    match identity group mlgroup
    client authentication list VPN-USER-AUTHENTICATION
    isakmp authorization list AAAA-GROUP
    client configuration address respond
    virtual-template 2

    crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
    mode tunnel
    !
    crypto ipsec profile AAAA-PROFILE-2
    set transform-set AAAA-TRANSFORM-SET
    set isakmp-profile AAAA-PROFILE
    !

    interface GigabitEthernet0/0
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
    ip address 10.10.10.1 255.255.255.248
    duplex auto
    speed auto
    !
    interface GigabitEthernet0/1
    ip address 1.1.1.1 255.255.255.0
    duplex auto
    speed auto
    !
    interface Virtual-Template2 type tunnel
    ip unnumbered GigabitEthernet0/0
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile AAAA-PROFILE-2
    !
    ip local pool AAAA-POOL 192.168.1.1 192.168.1.20

    ip route 0.0.0.0 0.0.0.0 1.1.1.254
    Last edited by ahmedahmed; 03-01-2013 at 08:58 PM.

  #2 Senior Member, San Antonio, TX (joined Apr 2011, 1,727 posts)
    I don't see an ACL defining the protected subnets, do you?

    Read this example:

    Easy VPN Server [Networking Software (IOS & NX-OS)] - Cisco Systems

    They used an ACL to annotate the protected subnets.

    Use this video; it will help you remember to do this, and it might give you an idea of how to do the same for your own configs.


    Step 1, the ACL, defines the traffic that passes; if not, oh well (where is it?).

    Listen to this video:
    CISCO VPN CONFIG RAP - YouTube
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)

  #3 Bundiman, Senior Member (joined Jan 2013, 198 posts; certifications: CCNP-Security, CISSP)
    The outside interface is not part of the interesting traffic. So unless you are trying to admin it from outside the tunnel, you should try to connect on the inside interface or by the IP that the server assigns the EZVPN client.

  #4 Senior Member, San Antonio, TX (joined Apr 2011, 1,727 posts)
    No response from the original poster yet.

    It would appear that it's missing the ACL that allows the access, per my original post above.

    From what I can tell, this is the hub router getting configured, and it needs an ACL to permit the traffic.

    Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI) - Cisco Systems

    Here is a video presentation, that also configures an ACL.

    LabMinutes# SEC0020 - Cisco Router Easy VPN (EZVPN) with Dynamic Virtual Tunnel Interface (DVTI) - YouTube

  #5 Member (joined Dec 2012, 41 posts)
    Hi Instant000,
    I am not sure, but in most of the configurations I saw, the ACL was for tunneling. Do you mean an ACL for traffic from the VPN pool addresses to the internal network?

    Bundiman,
    How can I access the internal interface without using the external interface from the internet?
    Last edited by ahmedahmed; 03-02-2013 at 03:25 AM.

  #6 Senior Member, San Antonio, TX (joined Apr 2011, 1,727 posts)
    ahmedahmed:

    You're right. I'm totally off.

    Further research reveals that for EZVPN, the ACL should only be required for enabling split-tunneling. The access should be handled by routing, configuration of a virtual-template interface and the ipsec profile.

    I'm going to lab this up and see if I can resolve the issue. (which will probably be tomorrow, as it is late in the night, my time zone).

    At the least, I already know more about DVTI now than I did before, so it's been worth it, already.

  #7 Senior Member, San Antonio, TX (joined Apr 2011, 1,727 posts)
    ahmedahmed:

    Good morning.

    Why is the tunnel source not the internet interface? I was thinking that it would be the internet interface, which appears to be on the 1.1.1.0/24 network.

    Please confirm whether Gi0/1 or Gi0/0 faces the internet in this example. This is one thing that is throwing me off a bit right now: your default route points to 1.1.1.254, which would be reachable via Gi0/1; however, you're putting your ip unnumbered interface as the Gi0/0 interface.

  #8 Senior Member, San Antonio, TX (joined Apr 2011, 1,727 posts)
    Figured it out; four changes were required (at least in my example). Will post pertinent configs shortly.

    Corrections:
    1 - pool: changed the name to AAAA-POOL from ML-POOL (since there was no prior reference to that)
    2 - modified the interface unnumbered to the WAN interface (since I didn't see any examples for this otherwise for the server router, this could be unnecessary, but as it's working now, it's kind of hard to say "go change this" at this point)
    3 - changed isakmp authorization list AAAA-GROUP to ML-GROUP (as ML-GROUP is the name of the group that was configured)
    4 - added save-password to the mlgroup (I got an error on my client, as I had the username and password in the client configuration; it asked that I add this to the server side, according to my error message)

    I can't say that this is the best or "perfect" way to do this, but it does get a "client mode" configuration of DVTI working, where the client gets access to the corporate network. To prove it worked, I can see that the client gets an UPDATED default gateway, and also I can ping the 10.10.10.0/24 network across the tunnel.

    Look:

    Code:
    EASYVPN_Client#crypto ipsec client ezvpn connect
    EASYVPN_Client#
    *Mar  1 00:07:11.091: %CRYPTO-6-EZVPN_CONNECTION_UP: (Client)  User=aaaa  Group=mlgroup  Server_public_addr=1.1.1.1  Assigned_client_addr=192.168.1.2
    *Mar  1 00:07:11.095: %LINK-3-UPDOWN: Interface Virtual-Access2, changed state to up
    EASYVPN_Client#
    *Mar  1 00:07:11.591: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback10000, changed state to up
    *Mar  1 00:07:11.795: %LINEPROTO-5-UPDOWN: Line protocol on Interface NVI0, changed state to up
    *Mar  1 00:07:12.095: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
    EASYVPN_Client#sho ip route
    Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
           D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
           N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
           E1 - OSPF external type 1, E2 - OSPF external type 2
           i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
           ia - IS-IS inter area, * - candidate default, U - per-user static route
           o - ODR, P - periodic downloaded static route
    
    Gateway of last resort is 0.0.0.0 to network 0.0.0.0
    
         1.0.0.0/32 is subnetted, 1 subnets
    S       1.1.1.1 [1/0] via 2.2.2.254
         2.0.0.0/24 is subnetted, 1 subnets
    C       2.2.2.0 is directly connected, FastEthernet0/0
         20.0.0.0/24 is subnetted, 1 subnets
    C       20.20.20.0 is directly connected, FastEthernet0/1
         22.0.0.0/32 is subnetted, 1 subnets
    C       22.22.22.2 is directly connected, Loopback0
         192.168.1.0/32 is subnetted, 1 subnets
    C       192.168.1.2 is directly connected, Loopback10000
    S*   0.0.0.0/0 [1/0] via 0.0.0.0, Virtual-Access2
    EASYVPN_Client#ping 10.10.10.1
    
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.10.10.1, timeout is 2 seconds:
    !!!!!
    Success rate is 100 percent (5/5), round-trip min/avg/max = 88/99/116 ms
    EASYVPN_Client#
    Last edited by instant000; 03-03-2013 at 08:04 PM.
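One way to catch corrections 1 and 3 above mechanically, as an added example that is not from the thread: a small Python checker that collects every name the posted server config defines and references, and reports references with no matching definition. The sample is a trimmed, constructed copy of the first post's config; comparing names exactly as typed is an assumption.

```python
import re

# Added example, not from the thread: report names that an IOS Easy VPN server
# config references but never defines (the pool and AAA list fixed in post #8
# were exactly this). Assumption: names are compared exactly as typed.
# (label, regex defining a name, regex referencing it), matched at line start
CHECKS = [
    ("address pool", r"ip local pool (\S+)", r"pool (\S+)$"),
    ("aaa network list", r"aaa authorization network (\S+)", r"isakmp authorization list (\S+)"),
    ("client group", r"crypto isakmp client configuration group (\S+)",
     r"match identity group (\S+)"),
    ("isakmp profile", r"crypto isakmp profile (\S+)", r"set isakmp-profile (\S+)"),
    ("transform set", r"crypto ipsec transform-set (\S+)", r"set transform-set (\S+)"),
    ("ipsec profile", r"crypto ipsec profile (\S+)", r"tunnel protection ipsec profile (\S+)"),
    ("virtual template", r"interface virtual-template(\d+)", r"virtual-template (\d+)"),
]

def _names(lines, pattern):
    # every name captured by pattern at the start of a stripped config line
    rx = re.compile(pattern, re.IGNORECASE)
    return {m.group(1) for m in map(rx.match, lines) if m}

def find_dangling(config):
    # [(label, name)] for each reference that has no matching definition
    lines = [line.strip() for line in config.splitlines()]
    findings = []
    for label, define, reference in CHECKS:
        missing = _names(lines, reference) - _names(lines, define)
        findings.extend((label, name) for name in sorted(missing))
    return findings

# constructed sample: the relevant lines of the first post's server config
OP_CONFIG = """\
aaa authorization network ML-GROUP local
crypto isakmp client configuration group mlgroup
pool ML-POOL
crypto isakmp profile AAAA-PROFILE
match identity group mlgroup
isakmp authorization list AAAA-GROUP
virtual-template 2
crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
crypto ipsec profile AAAA-PROFILE-2
set transform-set AAAA-TRANSFORM-SET
set isakmp-profile AAAA-PROFILE
interface Virtual-Template2 type tunnel
tunnel protection ipsec profile AAAA-PROFILE-2
ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
"""
```

Running find_dangling(OP_CONFIG) returns the two mismatches (ML-POOL and AAAA-GROUP) and nothing else; on the corrected config from the next post it returns an empty list.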

  #9 Senior Member, San Antonio, TX (joined Apr 2011, 1,727 posts)
    Pertinent configurations are attached here:

    Lab Topology:
    Code:
    EasyVPNServer[F0/1] ----- [F0/1][ISP_Router][F0/0] ----- [F0/0][EasyVPNClient]
    Server
    Code:
    configure terminal
    !
    aaa new-model
    aaa authentication login default local
    aaa authentication login VPN-USER-AUTHENTICATION local
    aaa authorization exec default local
    aaa authorization network ML-GROUP local

    username aaaa privilege 15 password 0 cisco

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp client configuration group mlgroup
    key 6 aaCisco
    pool AAAA-POOL
    max-users 20
    save-password

    crypto isakmp profile AAAA-PROFILE
    match identity group mlgroup
    client authentication list VPN-USER-AUTHENTICATION
    isakmp authorization list ML-GROUP
    client configuration address respond
    virtual-template 2

    crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
    mode tunnel
    !
    crypto ipsec profile AAAA-PROFILE-2
    set transform-set AAAA-TRANSFORM-SET
    set isakmp-profile AAAA-PROFILE
    !

    interface FastEthernet0/0
    no shutdown
    description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
    ip address 10.10.10.1 255.255.255.248
    !
    interface FastEthernet0/1
    no shutdown
    ip address 1.1.1.1 255.255.255.0
    !
    interface Virtual-Template2 type tunnel
    ip unnumbered FastEthernet0/1
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile AAAA-PROFILE-2
    !
    ip local pool AAAA-POOL 192.168.1.1 192.168.1.20

    ip route 0.0.0.0 0.0.0.0 1.1.1.254
    Client
    Code:
    configure terminal
    !
    ! BASIC CONFIGURATION OF ROUTER
    !
    hostname EASYVPN_Client
    !
    interface fastEthernet 0/0
    no shutdown
    description WAN connection to ISP
    ip address dhcp
    !
    interface fastEthernet 0/1
    no shutdown
    description internal LAN connection
    ip address 20.20.20.1 255.255.255.0
    !
    ! DVTI CONFIGURATION OF ROUTER
    
    interface loopback 0
    ip address 22.22.22.2 255.255.255.255
    !
    interface virtual-template1 type tunnel
    ip unnumbered loopback0
    !
    ip route 0.0.0.0 0.0.0.0 2.2.2.254 200
    !
    !
    crypto ipsec client ezvpn CLIENT
    connect manual
    group mlgroup key 6 aaCisco
    mode client
    peer 1.1.1.1
    virtual-interface 1
    username aaaa password cisco
    xauth userid mode local
    !
    interface fastEthernet0/0
    crypto ipsec client ezvpn CLIENT
    !
    interface fastEthernet0/1
    crypto ipsec client ezvpn CLIENT inside
    !
    end
    ISP
    Code:
    configure terminal
    !
    hostname ISP_Router
    !
    interface FastEthernet 0/1
    no shutdown
    description ISP connection to EasyVPNServer
    ip address 1.1.1.254 255.255.255.0
    !
    interface FastEthernet 0/0
    no shutdown
    description ISP connection to EasyVPNClient
    ip address 2.2.2.254 255.255.255.0
    !
    ip dhcp excluded-address 2.2.2.254 2.2.2.254
    ip dhcp pool DHCPCLIENT
    network 2.2.2.0 255.255.255.0
    lease 7
    !
    end
    Last edited by instant000; 03-03-2013 at 08:05 PM.


  #11 Member (joined Dec 2012, 41 posts)
    Hi instant000,

    Thanks for the configuration, but were you able to access the LAN behind the router? Because in my case I would get the VPN connection when I used a VPN client, and it would get the VPN IP from the pool (192.168.1.2----), and I can ping the internet interface (Gi0/1) but can't get the LAN behind Gi0/0, i.e. it is a server, so I should be able to RDP etc.
    Last edited by ahmedahmed; 03-13-2013 at 01:42 AM.

  #12 Senior Member, San Antonio, TX (joined Apr 2011, 1,727 posts)
    Quote Originally Posted by ahmedahmed:
        Hi instant000,

        Thanks for the configuration, but were you able to access the LAN behind the router? Because in my case I would get the VPN connection when I used a VPN client, and it would get the VPN IP from the pool (192.168.1.2----), and I can ping the internet interface (Gi0/1) but can't get the LAN behind Gi0/0, i.e. it is a server, so I should be able to RDP etc.
    Sorry I didn't get back to this thread sooner; I had not been checking this sub-forum.

    I showed in my post above that I could ping the internal router interface: 10.10.10.1, which would be considered the "LAN behind the router".

    Since I could reach the final network gateway, if I couldn't reach a host attached there, I would confirm connectivity between that host and its default gateway.

    If there aren't any access-lists blocking the traffic, then you could investigate the host for local firewalls, confirming that the RDP service is running, etc.

    If you can tell me what the IP address of the host is, I can provide a host configuration, and add it to the set above, and prove connectivity to it.

    I hope this helps.