Options
VPN client connectivity/routing issues
chmod
Member Posts: 360 ■■■□□□□□□□
The following is the issue:
I have a router on and it works just fine, they have internet access and any other thing they need to work, i was given the task to allow the users to reach a server throug a vpn client so i added the upd and tcp ports to the access-list in order to make it work, i installed the vpn client and it works ok. But the vpn client assigns a DNS server that i cant reach from my network.
But if i install the vpn client in another computer outside my office or if plug my pc directly to the cable modem or ADSl i can reach that dns server, the issue is with the router(or at least seems to be the router). Just to clarify i didnt configure the router, i know this configuration sucks.
Basically i can't ping anything behind the other router from my office.
This is my show runn output:
Current configuration : 2636 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname
!
no logging buffered
enable secret 5
enable password
!
username
clock timezone UTC -6
ip subnet-zero
no ip source-route
ip cef
!
!
ip name-server (ISP name server)
ip name-server
!
!
!
!
interface FastEthernet0/0
ip address Public IP address 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip mroute-cache
speed auto
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description ***Internal LAN***
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
no ip mroute-cache
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.2.0
!
ip default-gateway 196.40.2.241
ip nat translation timeout 2100
ip nat pool ANYTHING ISP address ISP address netmask 255.255.0.0
ip nat inside source list 1 pool ANYTHING overload
ip nat inside source static 192.168.1.250 196.40.2.243
ip nat inside source static 192.168.1.253 196.40.2.242
ip classless
ip route 0.0.0.0 0.0.0.0 196.40.2.241
ip http server
!
!
ip access-list extended NAT1
permit ip any host Public IP address
permit ip any host 196.40.2.244
permit ip any host 196.40.2.245
permit ip any host 196.40.2.246
permit tcp any host 196.40.2.243 range 8000 10000
permit tcp any host 196.40.2.243 range 45 69
permit tcp host 201.194.219.10 host 196.40.2.243 eq 50
permit tcp host 201.194.219.10 host 196.40.2.243 eq 60
permit tcp host 63.111.11.135 host 196.40.2.243 eq 50
permit tcp host 63.111.11.135 host 196.40.2.243 eq 60
permit tcp host 63.111.11.138 host 196.40.2.243 eq 60
permit tcp host 63.111.11.138 host 196.40.2.243 eq 50
permit tcp host 63.111.11.139 host 196.40.2.243 eq 50
permit tcp host 63.111.11.139 host 196.40.2.243 eq 60
permit tcp 65.207.151.0 0.0.0.255 host 196.40.2.243 eq 60
permit tcp 65.207.151.0 0.0.0.255 host 196.40.2.243 eq 50
permit tcp any host 196.40.2.242 eq ftp
permit tcp any host 196.40.2.242 eq ftp-data
permit ahp any any
permit esp any any
permit tcp any any eq 50
permit udp any any eq isakmp
permit udp any any eq 10000
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any
permit udp any any
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
end
Any idea please!
I have a router on and it works just fine, they have internet access and any other thing they need to work, i was given the task to allow the users to reach a server throug a vpn client so i added the upd and tcp ports to the access-list in order to make it work, i installed the vpn client and it works ok. But the vpn client assigns a DNS server that i cant reach from my network.
But if i install the vpn client in another computer outside my office or if plug my pc directly to the cable modem or ADSl i can reach that dns server, the issue is with the router(or at least seems to be the router). Just to clarify i didnt configure the router, i know this configuration sucks.
Basically i can't ping anything behind the other router from my office.
This is my show runn output:
Current configuration : 2636 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname
!
no logging buffered
enable secret 5
enable password
!
username
clock timezone UTC -6
ip subnet-zero
no ip source-route
ip cef
!
!
ip name-server (ISP name server)
ip name-server
!
!
!
!
interface FastEthernet0/0
ip address Public IP address 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip mroute-cache
speed auto
full-duplex
!
interface Serial0/0
no ip address
shutdown
!
interface FastEthernet0/1
description ***Internal LAN***
ip address 192.168.1.1 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
no ip mroute-cache
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.2.0
!
ip default-gateway 196.40.2.241
ip nat translation timeout 2100
ip nat pool ANYTHING ISP address ISP address netmask 255.255.0.0
ip nat inside source list 1 pool ANYTHING overload
ip nat inside source static 192.168.1.250 196.40.2.243
ip nat inside source static 192.168.1.253 196.40.2.242
ip classless
ip route 0.0.0.0 0.0.0.0 196.40.2.241
ip http server
!
!
ip access-list extended NAT1
permit ip any host Public IP address
permit ip any host 196.40.2.244
permit ip any host 196.40.2.245
permit ip any host 196.40.2.246
permit tcp any host 196.40.2.243 range 8000 10000
permit tcp any host 196.40.2.243 range 45 69
permit tcp host 201.194.219.10 host 196.40.2.243 eq 50
permit tcp host 201.194.219.10 host 196.40.2.243 eq 60
permit tcp host 63.111.11.135 host 196.40.2.243 eq 50
permit tcp host 63.111.11.135 host 196.40.2.243 eq 60
permit tcp host 63.111.11.138 host 196.40.2.243 eq 60
permit tcp host 63.111.11.138 host 196.40.2.243 eq 50
permit tcp host 63.111.11.139 host 196.40.2.243 eq 50
permit tcp host 63.111.11.139 host 196.40.2.243 eq 60
permit tcp 65.207.151.0 0.0.0.255 host 196.40.2.243 eq 60
permit tcp 65.207.151.0 0.0.0.255 host 196.40.2.243 eq 50
permit tcp any host 196.40.2.242 eq ftp
permit tcp any host 196.40.2.242 eq ftp-data
permit ahp any any
permit esp any any
permit tcp any any eq 50
permit udp any any eq isakmp
permit udp any any eq 10000
permit icmp any any echo
permit icmp any any echo-reply
permit tcp any any
permit udp any any
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.0.255
!
!
end
Any idea please!
Comments
-
Optionschmod
Member Posts: 360 ■■■□□□□□□□
I think i've figured out something, the seems to be related with the access lists, there is an ACL access-list 1 permit 192.168.0.0 0.0.255.255
access-list 1 permit 192.168.0.0 0.0.0.255
allowing traffic from 192.168.x.x in and out, but it might be blocking traffic from 10.1.x.x because is not listed in any ACL, I suppost is been blocked by default(because of the deny all implicit in the end).
I'll check this in the afternoon. -
OptionsNetstudent
Member Posts: 1,693 ■■■□□□□□□□
I don't see any of those access-lists applied to an interface.There is no place like 127.0.0.1 BUT 209.62.5.3 is my 127.0.0.1 away from 127.0.0.1!
-
Optionsliven
Member Posts: 918
ONe thing that has helped me a lot in the last 2 months (deployed 4 ASAs, 2 ips and bunch of non cisco gear) into a network that I never saw, with tons of ACLS on every switch and router was a syslog server.
I was able to get the existing net admin to point all the devices he knew about to the syslog server, and I pointed all the new gear to the syslog server.
If traffic was not making it to the destination the first thing I did was start grepping logs for the failing IP's.
This made things a lot easier.
Sure its not an end all, but it might help.encrypt the encryption, never mind my brain hurts. -
Optionsliven
Member Posts: 918
ONe thing that has helped me a lot in the last 2 months (deployed 4 ASAs, 2 ips and bunch of non cisco gear) into a network that I never saw, with tons of ACLS on every switch and router was a syslog server.
I was able to get the existing net admin to point all the devices he knew about to the syslog server, and I pointed all the new gear to the syslog server.
If traffic was not making it to the destination the first thing I did was start grepping logs for the failing IP's.
This made things a lot easier.
Sure its not an end all, but it might help.encrypt the encryption, never mind my brain hurts.