Question : Home VPN users connecting to a Cisco 1811 router cannot access workplace network resources
I'm not a Cisco tech by a long shot (liberal arts major). After researching Cisco's site and Expert's Exchange for the last month or so, I've reached the limit on what I'm able to get working on this router. So far I've got load balancing, fail over, port forwarding, firewalls, and access lists working but I can't get this VPN to function correctly.
Users can connect successfully to the VPN server being hosted on the Cisco router, but are not able to access network shares (Windows XP network, no domain as of yet, attempting via \\IP address\folder) or the workplace LAN ftp server (attempting to connect to 192.168.1.99 once logged in to VPN). They also can't browse the internet when connected to the VPN (not even able to ping 4.2.2.1).
VPN users are at the very least able to ping workplace computers and vice versa, so there is at least some communication. Below is my Cisco config.
Thanks in advance.
Building configuration...
Current configuration : 11294 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxx
!
aaa new-model
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa group server radius rad_mac1
 server 192.168.1.1 auth-port 1812 acct-port 1813
!
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods1 group rad_mac1
aaa authentication login userauthen local
aaa authorization ipmobile default group rad_pmip
aaa authorization network groupauthor local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.126 192.168.1.254
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.1.0 255.255.255.0
 dns-server 192.168.1.99
 default-router 192.168.1.1
!
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 192.168.1.99
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
ip inspect max-incomplete low 100
ip inspect max-incomplete high 200
ip inspect one-minute low 100
ip inspect one-minute high 200
ip inspect udp idle-time 15
ip inspect dns-timeout 2
ip inspect tcp idle-time 600
ip inspect tcp synwait-time 10
ip inspect name CBAC cuseeme
ip inspect name CBAC dns
ip inspect name CBAC h323
ip inspect name CBAC https
ip inspect name CBAC icmp
ip inspect name CBAC imap reset
ip inspect name CBAC pop3 reset
ip inspect name CBAC netshow
ip inspect name CBAC rcmd
ip inspect name CBAC realaudio
ip inspect name CBAC rtsp
ip inspect name CBAC esmtp
ip inspect name CBAC sqlnet
ip inspect name CBAC streamworks
ip inspect name CBAC tftp
ip inspect name CBAC vdolive
ip inspect name CBAC tcp
ip inspect name CBAC udp
ip inspect name CBAC ftp
ip inspect name CBAC sip
ip inspect name CBAC appleqtc
!
crypto pki trustpoint TP-self-signed-3729953927
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3729953927
 revocation-check none
 rsakeypair TP-self-signed-3729953927
!
crypto pki certificate chain TP-self-signed-3729953927
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 33373239 39353339 3237301E 170D3036 30383234 32303131 34305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 37323939 35333932 3730819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 8100BE2D D55C684A 6D041CD0 59E1EBA6 C29A21C3 A885838C 43D99AC5 983F778B 2A0982FA 02E75FBC B69E49F1 54245B97 749D0DA0 73F7C21F CCE68A0A D8ECAF11 81C6C187 33CD1462 7BE57DC6 8C0FF668 A19237C0 5016BEFB FE27536B DB48F683 269EB1A8 33DA5E7A 810F6B51 1FC421FB 2CA0CA9E D3994CE9 6D0428B8 021BE899 65250203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 301F0603 551D2304 18301680 144E2CFF 95E6A397 3D62F8DB 1F2E873E 261AB33E CC301D06 03551D0E 04160414 4E2CFF95 E6A3973D 62F8DB1F 2E873E26 1AB33ECC 300D0609 2A864886 F70D0101 04050003 818100B1 B60F6400 690F01D2 F5A8F9BC 2C33BB8D 80DBBE2A 9F8AB4CF 98F31322 8E9E9F6B 5B2BD92D 995FFD67 206D5125 DD22E286 24F83CB6 27E6A163 B9AA84BB 53327FE3 D81F7E78 D12DC3DB F57A7BC5 CCCD02D8 E79F0927 DBC0BB9C ACCFDA87 ABA333F9 5E2D73C0 1E865390 C89D04E9 801EA77F 184625D7 33952058 90BAAA75 4EF297
  quit
username USER privilege 15 secret 5 xxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key xxxxx
 dns 192.168.1.99
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
 set transform-set myset
 reverse-route
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 65535 ipsec-isakmp dynamic dynmap
!
bridge irb
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address 128.x.x.x 255.255.255.0
 ip access-group 102 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 192.168.2.49 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect CBAC out
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1415
 duplex auto
 speed auto
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 spanning-tree portfast
!
interface FastEthernet5
 spanning-tree portfast
!
interface FastEthernet6
 spanning-tree portfast
!
interface FastEthernet7
 spanning-tree portfast
!
interface FastEthernet8
 spanning-tree portfast
!
interface FastEthernet9
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 !
 ssid ubtrio
    authentication open mac-address mac_methods1
 !
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
ip local pool ippool 192.168.3.1 192.168.3.254
ip route 0.0.0.0 0.0.0.0 128.x.x.x
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map RMAP-WAN0 interface FastEthernet0 overload
ip nat inside source route-map RMAP-WAN1 interface FastEthernet1 overload
ip nat inside source static tcp 192.168.1.99 20 192.168.2.49 20 extendable
ip nat inside source static tcp 192.168.1.99 21 192.168.2.49 21 extendable
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 deny any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 128.x.x.x 0.0.0.255 any
access-list 101 deny ip 192.168.2.0 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp any host 128.x.x.x eq isakmp log
access-list 102 permit esp any host 128.x.x.x log
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 103 remark SDM_ACL Category=1
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp
access-list 103 permit tcp host 192.168.2.101 host 192.168.2.49 eq ftp-data
access-list 103 deny ip 192.168.1.0 0.0.0.255 any
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 120 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
route-map RMAP-WAN1 permit 10
 match ip address 120
 match interface FastEthernet1
!
route-map RMAP-WAN0 permit 10
 match ip address 120
 match interface FastEthernet0
!
radius-server local
 nas 192.168.1.1 key 7 09594C1D0B0C18
 group VPN_Users
 !
 user 0014bfd84f23 nthash 7 112B3D2346472F2D227D787379166375365534515506017C02722F214D44000C0E mac-auth-only
 user 0012f0ae1286 nthash 7 06552C03156D514121434A2A5A53720A717961600135213352250E010C02752A52 mac-auth-only
!
radius-server attribute 32 include-in-access-req format %h
radius-server host 192.168.1.1 auth-port 1812 acct-port 1813 key 7 06130D355E4706
radius-server vsa send accounting
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^C
Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!
^C
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 100 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 100 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Answer : Home VPN users connecting to a Cisco 1811 router cannot access workplace network resources
We hang out everywhere. . . <8-}
>VPN users are at the very least able to ping workplace computers and vice versa
This means that your VPN is working - sort of. Nice job getting everything to work by yourself, but I do have some suggestions:

>but are not able to access network shares
This is a pure Netbios issue. Assuming that the clients are all XP you have to enable Netbios and you have to have a hosts or preferably a LMHOSTS file on the VPN client computers that list the computers that they want to connect to.

>attempting to connect to 192.168.1.99 once logged in to VPN
This is not a netbios issue, it's something else... If VPN clients can ping the ftp server, they should be able to connect to it. Can they ping it?

>They also can't browse the internet when connected to the VPN, not even able to ping to 4.2.2.1
Enable split-tunneling:
access-list 199 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto isakmp client configuration group 3000client
 acl 199

>access-list 102 permit udp any host 128.x.x.x eq isakmp log
>access-list 102 permit esp any host 128.x.x.x log
In these acl entries, you're not allowing UDP 4500 for use by clients behind NAT routers, or the VPN tunnel traffic. Add the following:
access-list 102 permit udp any host 128.x.x.x eq 4500
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

>route-map RMAP-WAN0 permit 10
> match ip address 120
> match interface FastEthernet0   <== you don't need this match condition.

>interface BVI1
> description $ES_LAN$$FW_INSIDE$
> ip address 192.168.1.1 255.255.255.0   <== this could be part of the problem
I say this because the VAST majority of home users that will be using the VPN *also* have 192.168.1.x as their home network. Unless you want every potential VPN client to go home and change their network (and many hotels, hotspots, etc), you're going to continue to have multiple issues with the client having the same local LAN and remote LAN IP subnets. I *highly* recommend just biting the bullet now and changing your local LAN IP subnet to something less likely to be used by remote users - perhaps 192.168.199.0
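A small first-match evaluator for access-list 102 as quoted above, added here as an example and not part of the original post or the answer. It shows the ordering detail the answer leaves implicit: an "access-list 102 permit ..." typed at the config prompt is appended after the existing "deny ip any any log" and never matches, so the two new entries only take effect once the list is rebuilt with them above the deny lines. The WAN address 128.0.2.1 is a stand-in for the poster's elided 128.x.x.x, and the client address 203.0.113.7 is constructed.

```python
import ipaddress
WAN_IP = "128.0.2.1"  # stand-in for the post's elided 128.x.x.x (an assumption, not the real address)
# access-list 102 exactly as posted in the question; IOS evaluates top down, first match wins.
ACL_BEFORE = f"""access-list 102 permit udp any host {WAN_IP} eq isakmp log
access-list 102 permit esp any host {WAN_IP} log
access-list 102 deny ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log"""
# The two entries the answer adds; typed at the config prompt, IOS appends them at the end.
ACL_ADDED = f"""access-list 102 permit udp any host {WAN_IP} eq 4500
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255"""
ACL_APPENDED = ACL_BEFORE + "\n" + ACL_ADDED
# The same two entries placed directly after the existing permits, above every deny line.
ACL_REORDERED = "\n".join(ACL_BEFORE.splitlines()[:2] + ACL_ADDED.splitlines() + ACL_BEFORE.splitlines()[2:])

def _match_spec(t, i, ip):
    # One IOS address spec at t[i]: any | host A | A WILDCARD (wildcard 1 bits = don't care).
    if t[i] == "any":
        return True, i + 1
    if t[i] == "host":
        return ip == ipaddress.ip_address(t[i + 1]), i + 2
    base, wild = int(ipaddress.ip_address(t[i])), int(ipaddress.ip_address(t[i + 1]))
    return ((int(ip) ^ base) & ~wild & 0xFFFFFFFF) == 0, i + 2

def acl_action(acl_text, proto, src, dst, dport=None):
    # Top-down, first-match evaluation of numbered ACL lines; implicit deny at the end.
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for t in (line.split() for line in acl_text.splitlines()):
        if t[:1] != ["access-list"] or t[2] == "remark" or t[3] not in ("ip", proto):
            continue
        ok_src, i = _match_spec(t, 4, src)
        ok_dst, i = _match_spec(t, i, dst)
        # Optional destination port operator ("eq isakmp" / "eq 4500"); a trailing "log" is ignored.
        port_ok = i >= len(t) or t[i] != "eq" or dport == ({"isakmp": 500}.get(t[i + 1]) or int(t[i + 1]))
        if ok_src and ok_dst and port_ok:
            return t[2]
    return "deny"

def check_vpn_flows(acl_text):
    # The flows the answer discusses: IKE, NAT-T and ESP from a home client, plus decrypted pool-to-LAN traffic.
    client = "203.0.113.7"  # constructed home-user public address
    return {"ike_udp500": acl_action(acl_text, "udp", client, WAN_IP, 500),
            "natt_udp4500": acl_action(acl_text, "udp", client, WAN_IP, 4500),
            "esp": acl_action(acl_text, "esp", client, WAN_IP),
            "pool_to_lan": acl_action(acl_text, "ip", "192.168.3.5", "192.168.1.99")}
```

Whether decrypted IPsec packets are re-checked against the inbound interface ACL depends on the IOS release, so the pool_to_lan row only models the answer's assumption that they are.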