Tech Support Forum, Networking Support: General Networking Support Forum
Registered User | Join Date: Nov 2008 | Posts: 1 | OS: XP SP3
Help needed with VPN routing on a Cisco 851
Greetings all, I'm new to this forum and hopeful that someone can help me with a possibly simple VPN routing question.

We have a Cisco 851 as our border router. I have succeeded in setting up a working Easy VPN Server on it -- our users can use Cisco's VPN client software to get into the system and act like an ordinary PC on the LAN. So far, so good.

The thing is, our main reason for wanting the VPN is so our mobile users can administer a third-party server, located off-site. The server is ACL-protected, and we want to make our users' dynamic IPs appear to come from our office IP like the rest of the LAN. The third-party server's IP is included in the split tunnel -- but traffic coming in through the tunnel is not turning around and going back out to the server. I suspect a simple routing issue, but have not found it yet.

I've attached a scrubbed copy of the configuration. I concealed public IPs with private ones: the router's external port is shown as 10.10.10.2 (attached via T1 to our ISP at 10.10.10.1); the third-party server is 172.16.1.1. The LAN is essentially as shown, in the 192.168.0.0 range.

Thanks to anyone with hints!

Kevin

--------------

```
!
hostname name
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa group server radius rad_eap
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authentication login remote-users local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa authorization network remote-users local
aaa authorization network sdm_vpn_group_ml_1 local
aaa accounting network acct_methods start-stop group rad_acct
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.2 192.168.1.9
ip dhcp excluded-address 192.168.2.2 192.168.2.9
ip dhcp excluded-address 192.168.1.235
!
ip dhcp pool Internal-net
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name YourDomain.com
 dns-server 216.230.64.5 216.198.87.14 216.230.64.6 216.163.64.9
 lease 0 12
!
ip dhcp pool VLAN20
 import all
 network 192.168.2.0 255.255.255.0
 default-router 192.168.2.1
 domain-name YourDomain.com
 lease 4
!
!
ip cef
ip inspect name MYFW tcp
ip inspect name MYFW udp
ip domain name
ip name-server
!
!
crypto pki trustpoint TP-self-signed-987654321
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-987654321
 revocation-check none
 rsakeypair TP-self-signed-861427262
!
!
crypto pki certificate chain TP-self-signed-987654321
 certificate self-signed 01
  ...
  quit
username admin privilege 15 password
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 480
!
crypto isakmp client configuration group remote-users
 key secret
 pool SDM_POOL_1
 acl 101
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set VPN1 ah-sha-hmac esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set security-association lifetime seconds 3600
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface FastEthernet4
 ip address 10.10.10.2 255.255.255.252
 ip access-group Internet-inbound-ACL in
 ip inspect MYFW out
 ip nat outside
 ip virtual-reassembly
 ip tcp adjust-mss 1460
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers
 !
 encryption vlan 20 mode ciphers
 !
 ssid ...
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 channel 2412
 station-role root
 no dot11 extension aironet
 no cdp enable
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.20
 description Guest wireless LAN - routed WLAN
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
 ip access-group Guest-ACL in
 ip inspect MYFW out
 ip nat inside
 ip virtual-reassembly
 no snmp trap link-status
!
interface Vlan1
 description Internal Network
 no ip address
 ip nat inside
 ip virtual-reassembly
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface BVI1
 description Bridge to Internal Network
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.1.150 192.168.1.165
ip classless
ip route 0.0.0.0 0.0.0.0 10.10.10.1
!
ip http server
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended Guest-ACL
 deny ip any 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended Internet-inbound-ACL
 permit udp any eq bootps any eq bootpc
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any traceroute
 permit gre any any
 permit esp any any
 permit udp any eq domain any
 permit tcp any any established
 permit udp any any eq ntp
 permit udp any host 10.10.10.2 eq isakmp
!
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.150
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.151
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.152
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.153
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.154
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.155
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.156
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.157
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.158
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.159
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.160
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.161
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.162
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.163
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.164
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.165
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.150
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.151
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.152
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.153
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.154
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.155
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.156
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.157
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.158
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.159
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.160
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.161
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.162
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.163
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.164
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.165
access-list 100 deny ip any host 192.168.1.150
access-list 100 deny ip any host 192.168.1.151
access-list 100 deny ip any host 192.168.1.152
access-list 100 deny ip any host 192.168.1.153
access-list 100 deny ip any host 192.168.1.154
access-list 100 deny ip any host 192.168.1.155
access-list 100 deny ip any host 192.168.1.156
access-list 100 deny ip any host 192.168.1.157
access-list 100 deny ip any host 192.168.1.158
access-list 100 deny ip any host 192.168.1.159
access-list 100 deny ip any host 192.168.1.160
access-list 100 deny ip any host 192.168.1.161
access-list 100 deny ip any host 192.168.1.162
access-list 100 deny ip any host 192.168.1.163
access-list 100 deny ip any host 192.168.1.164
access-list 100 deny ip any host 192.168.1.165
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 172.16.1.1 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
radius-server attribute 32 include-in-access-req format %h
radius-server vsa send accounting
!
control-plane
!
bridge 1 route ip
!
line con 0
 password 7
 no modem enable
line aux 0
line vty 0 4
 password 7
!
scheduler max-task-time 5000
ntp clock-period 17174809
ntp server
end
```
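The post's NAT route-map is driven by `access-list 100` and the split tunnel by `access-list 101`, and with 50-odd entries it is easy to misread which line a given flow hits. The following is an added Python example (not from the post, the forum, or Cisco) that evaluates IOS numbered extended `ip` ACL entries the way the router does: in order, first match wins, implicit deny at the end, and address bits that fall under set wildcard bits ignored (IOS stores `172.16.1.1 0.0.0.255` as `172.16.1.0 0.0.0.255`). It embeds a subset of the entries from the config above (only the `.150` pool address, to keep it short) and checks a VPN-pool source headed for 172.16.1.1, a LAN host replying to a VPN client, and the off-site server replying to a VPN client. Note that matching ACL 100 is only one of the conditions for translation: classic `ip nat inside source` translates a packet only when it enters an interface marked `ip nat inside` and leaves one marked `ip nat outside`, so an ACL check alone does not settle what happens to traffic that arrives and leaves on the same outside interface.

```python
"""Evaluate Cisco IOS numbered extended ACL entries (ip protocol only).

Added example; not code from the forum post or from Cisco. Handles the
`access-list N {permit|deny} ip SRC DST` syntax used in the config above,
where SRC/DST is `any`, `host A.B.C.D`, or `A.B.C.D WILDCARD`, and skips
`remark` lines. First match wins; no match means implicit deny.
"""
import ipaddress
from dataclasses import dataclass

ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    src: int           # network address, already normalised against the wildcard
    src_wc: int        # wildcard mask: set bits are "don't care"
    dst: int
    dst_wc: int
    text: str          # the original config line, for reporting


def _ip(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def _parse_addr(tok, i):
    """Consume one address spec at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, ALL_ONES, i + 1
    if tok[i] == "host":
        return _ip(tok[i + 1]), 0, i + 2
    addr, wc = _ip(tok[i]), _ip(tok[i + 1])
    # IOS drops address bits covered by the wildcard: 172.16.1.1 0.0.0.255 -> 172.16.1.0
    return addr & ~wc & ALL_ONES, wc, i + 2


def parse_acl(config_lines, number):
    """Collect the entries of numbered ACL `number`, in configured order."""
    aces = []
    for line in config_lines:
        tok = line.split()
        if len(tok) < 3 or tok[0] != "access-list" or tok[1] != str(number):
            continue
        if tok[2] == "remark":
            continue
        action, proto = tok[2], tok[3]
        if proto != "ip":
            raise ValueError(f"only 'ip' entries are handled here: {line}")
        src, src_wc, i = _parse_addr(tok, 4)
        dst, dst_wc, _ = _parse_addr(tok, i)
        aces.append(Ace(action, src, src_wc, dst, dst_wc, line.strip()))
    return aces


def _matches(addr, wc, ip):
    return ((addr ^ ip) & ~wc & ALL_ONES) == 0


def evaluate(aces, src_ip, dst_ip):
    """Return (action, matched line text); ('deny', '<implicit deny>') if nothing matches."""
    s, d = _ip(src_ip), _ip(dst_ip)
    for ace in aces:
        if _matches(ace.src, ace.src_wc, s) and _matches(ace.dst, ace.dst_wc, d):
            return ace.action, ace.text
    return "deny", "<implicit deny>"


def effective_source(ace):
    """Render the source as IOS would display it after normalisation."""
    return f"{ipaddress.IPv4Address(ace.src)} {ipaddress.IPv4Address(ace.src_wc)}"


# Subset of the ACL entries from the router config in the post (only pool
# address .150 kept; the real config repeats the deny lines for .150-.165).
SAMPLE_CONFIG = """
access-list 100 remark SDM_ACL Category=2
access-list 100 deny ip 192.168.0.0 0.0.255.255 host 192.168.1.150
access-list 100 deny ip 172.16.1.1 0.0.0.255 host 192.168.1.150
access-list 100 deny ip any host 192.168.1.150
access-list 100 permit ip 192.168.2.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 172.16.1.1 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.255.255 any
""".strip().splitlines()


def nat_decisions():
    """Which flows does the NAT route-map ACL (100) make eligible for translation?"""
    acl100 = parse_acl(SAMPLE_CONFIG, 100)
    return {
        "vpn->server": evaluate(acl100, "192.168.1.150", "172.16.1.1"),   # pool host to off-site server
        "lan->vpn": evaluate(acl100, "192.168.1.20", "192.168.1.150"),    # LAN host replying to a VPN client
        "server->vpn": evaluate(acl100, "172.16.1.1", "192.168.1.150"),   # off-site server replying
        "other": evaluate(acl100, "10.0.0.5", "8.8.8.8"),                 # nothing covers this
    }


if __name__ == "__main__":
    for flow, (action, line) in nat_decisions().items():
        print(f"{flow:12s} {action:6s} via: {line}")
    print("split-tunnel ACL 101 first entry as IOS stores it:",
          effective_source(parse_acl(SAMPLE_CONFIG, 101)[0]))
```

The deny entries come first in ACL 100 on purpose: a route-map NAT ACL that permitted LAN-to-pool traffic would translate replies destined for VPN clients, so the ordering (deny anything to the pool, then permit the inside networks) is what keeps client traffic untranslated on the way back. The same first-match evaluation applies to the split-tunnel ACL 101, where the source side names the networks the client should send through the tunnel.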