Can't access LAN behind Easy VPN server

I set up an Easy VPN server on my Cisco router and am able to connect the VPN client to the Cisco router using the 1.1.1.1 IP address, but I can't access the LAN behind the server (Gi0/0).
My interface facing the internet is Gi0/1, with an arbitrary IP of 1.1.1.1.
Not sure what I am doing wrong; I would appreciate any help.
aaa new-model
aaa authentication login default local
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization exec default local
aaa authorization network ML-GROUP local
username aaaa privilege 15 password 0 cisco
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mlgroup
 key 6 aaCisco
 pool ML-POOL
 max-users 20
!
crypto isakmp profile AAAA-PROFILE
 match identity group mlgroup
 client authentication list VPN-USER-AUTHENTICATION
 isakmp authorization list AAAA-GROUP
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile AAAA-PROFILE-2
 set transform-set AAAA-TRANSFORM-SET
 set isakmp-profile AAAA-PROFILE
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.248
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address 1.1.1.1 255.255.255.0
 duplex auto
 speed auto
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AAAA-PROFILE-2
!
ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
ip route 0.0.0.0 0.0.0.0 1.1.1.254
Comments
Read this example:
Easy VPN Server [Networking Software (IOS & NX-OS)] - Cisco Systems
They used an ACL to annotate the protected subnets.
Use this video; it will help you remember to do this, and it might give you an idea of how to do the same for your own configs.
Step 1, the ACL, defines the traffic that passes; if not, oh well (where is it?)
Listen to this video:
CISCO VPN CONFIG RAP - YouTube
LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
Bachelor of Science, IT - Security Emphasis (Completed: Apr 25th, 2014)
It would appear that it's missing the ACL that allows the access, per my original post above.
From what I can tell, this is the hub router getting configured, and it needs an ACL to permit the traffic.
Configuring Cisco Easy VPN with IPSec Dynamic Virtual Tunnel Interface (DVTI) - Cisco Systems
Here is a video presentation that also configures an ACL.
LabMinutes# SEC0020 - Cisco Router Easy VPN (EZVPN) with Dynamic Virtual Tunnel Interface (DVTI) - YouTube
I am not sure, but from most of the configurations I saw, the ACL was for tunneling. Do you mean an ACL for traffic from the VPN pool addresses to the internal network?
Bundiman,
How can I access the internal interface without using the external interface from the internet?
You're right. I'm totally off.
Further research reveals that for EZVPN, the ACL should only be required for enabling split-tunneling. The access should be handled by routing, configuration of a virtual-template interface and the ipsec profile.
I'm going to lab this up and see if I can resolve the issue (which will probably be tomorrow, as it is late at night in my time zone).
At the least, I already know more about DVTI now than I did before, so it's been worth it, already.
Good morning.
Why is the tunnel source not the internet interface? I was thinking that it would be the internet interface, which appears to be on the 1.1.1.0/24 network.
Please confirm whether Gi0/1 or Gi0/0 faces the internet in this example. This is one thing that is throwing me off a bit right now, as your default route points to 1.1.1.254, which would be reachable via Gi0/1; however, you're putting your ip unnumbered interface as the Gi0/0 interface.
Corrections:
1 - Pool: changed the name to AAAA-POOL from ML-POOL (since there was no prior reference to that).
2 - Modified the interface unnumbered to the WAN interface (since I didn't see any examples for this otherwise for the server router, this could be unnecessary, but as it's working now, it's kind of hard to say "go change this" at this point).
3 - Changed isakmp authorization list AAAA-GROUP to ML-GROUP (as ML-GROUP is the name of the group that was configured).
4 - Added save-password to the mlgroup (I got an error on my client, as I had the username and password in the client configuration; it asked that I add this to the server side, according to my error message).
I can't say that this is the best or "perfect" way to do this, but it does get a "client mode" configuration of DVTI working, where the client gets access to the corporate network. To prove it worked, I can see that the client gets an UPDATED default gateway, and also, I can ping the 10.10.10.0/24 network across the tunnel.
Look:
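The four corrections listed above, applied to the configuration from the original post. This is an added example assembled from the thread, not the poster's lab config or a Cisco reference config; the two interface, AAA login and route lines that are unchanged from the original post are left out for brevity, and the pre-shared key is copied as the original shows it.

```cisco
! Added example: original Easy VPN server config with the thread's four
! corrections applied. Lines not repeated here are unchanged from the post.
aaa new-model
aaa authentication login VPN-USER-AUTHENTICATION local
aaa authorization network ML-GROUP local
username aaaa privilege 15 password 0 cisco
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group mlgroup
 key 6 aaCisco
 ! correction 1: reference the pool name that is actually defined below
 pool AAAA-POOL
 ! correction 4: lets the client keep the group/user password, as the
 ! client error in the thread asked for
 save-password
 max-users 20
!
crypto isakmp profile AAAA-PROFILE
 match identity group mlgroup
 client authentication list VPN-USER-AUTHENTICATION
 ! correction 3: must match the "aaa authorization network" list name
 isakmp authorization list ML-GROUP
 client configuration address respond
 virtual-template 2
!
crypto ipsec transform-set AAAA-TRANSFORM-SET esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile AAAA-PROFILE-2
 set transform-set AAAA-TRANSFORM-SET
 set isakmp-profile AAAA-PROFILE
!
interface Virtual-Template2 type tunnel
 ! correction 2: borrow the WAN (internet-facing) address instead of Gi0/0
 ip unnumbered GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile AAAA-PROFILE-2
!
ip local pool AAAA-POOL 192.168.1.1 192.168.1.20
```

The two dangling references in the original (pool ML-POOL and authorization list AAAA-GROUP) are the kind of mismatch that "show crypto session" and "show ip local pool" make visible after a client connects, so check those before looking for missing ACLs.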
Lab topology (attached configs): Server, Client, ISP
Secure Connectivity Configuration Guide Library, Cisco IOS Release 12.4T [Cisco IOS Software Releases 12.4 T] - Cisco Systems
Thanks for the configuration, but were you able to access the LAN behind the router? Because in my case I would get the VPN connection when I used a VPN client, and it would get the VPN IP from the pool (192.168.1.2----), and I can ping the internet interface (Gi0/1) but can't get to the LAN behind Gi0/0, i.e. it is a server, so I should be able to RDP, etc.
Sorry I didn't get back to this thread sooner; I had not been checking this sub-forum.
I showed in my post above that I could ping the internal router interface: 10.10.10.1, which would be considered the "LAN behind the router".
Since I could reach the final network gateway, if I couldn't reach a host attached there, I would confirm connectivity between that host and its default gateway.
If there aren't any access-lists blocking the traffic, then you could investigate the host for local firewalls, confirming that the RDP service is running, etc.
If you can tell me what the IP address of the host is, I can provide a host configuration, and add it to the set above, and prove connectivity to it.
I hope this helps.