Firewall Wizards mailing list archives

Cisco Remote Access VPN Problem


From: "Firewall-Wizards" <Firewall-Wizards () govnet gov fj>
Date: Wed, 7 Sep 2005 14:07:35 +1200

Hi Folks 

Would appreciate any help on the following problem, which has been bugging
me for a few days.

Have set up a remote access VPN using a Cisco 2600XM as the VPN endpoint
device and using Cisco VPN Clients (latest version). Have basically utilized
the config guide at
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml ,
with the pool of virtual IPs assigned from the DMZ segment.

I can get the tunnel successfully established, the client successfully
authenticated with RADIUS, SAs formed and virtual IPs (from the DMZ)
assigned to the remote VPN client. There are static routes present on the
2600 to route internal network traffic to the DMZ gateway (i.e. the FW), which
subsequently has rules to route this VPN traffic inside the internal
network.

However, my problem is that the VPN client CANNOT get into the internal
network. The virtual IPs seem 'invisible' to the rest of the network when
it comes to routing, rendering traffic from these sources unroutable
onwards from the DMZ. Sniffing on the DMZ segment shows inbound internal network
traffic from the VPN client making its way to the FW, but ARP requests
from the FW failing to get the MAC of the virtual IP, thus preventing return
traffic.

As a workaround, I tried putting in some static ARP entries on the FW
for these virtual IPs, pointing to the physical DMZ interface of the VPN
device. The ensuing result was that return traffic made its way back to
the VPN device, but then couldn't get to the actual VPN client :-(

Could someone help point me in the right direction to go, as to what I
am missing or doing wrong? I was of the opinion that virtual IPs bind
themselves to some physical interface to resolve ARP issues, as with PPP,
but in this case this doesn't appear to be so, or maybe the binding is on the
external interface of the VPN?? Do I have to use public addresses in the IP pools and
NAT them to DMZ IPs in order for all this to work (ughhh..)



My scenario
***********
                                   ext
(10.1.85.x) INT ---------------- FW ------------------------ router --- internet
                                  |                             |
                                  | dmz (192.168.0.x)           |
                                  |                             |
                                 VPN ----------------------------


Configs
***************
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
no ip bootp server
no ip domain lookup
ip domain name vpn.gov.fj
ip audit po max-events 100
no ftp-server write-enable
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key cisco
 dns 10.1.85.156
 wins 10.1.85.156
 domain govnet.local
 pool ippool
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description VPN Link to Internet -unprotected
 ip address x.x.x.x 255.255.255.240
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 duplex auto
 speed auto
 crypto map clientmap
!
interface FastEthernet0/1
 description VPN Link to DMZ termination point
 ip address 192.168.0.249 255.255.255.0
 ip access-group 102 in
 no ip proxy-arp
 duplex auto
 speed auto
!
ip local pool ippool 192.168.0.250 192.168.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 external_router_ip
ip route 10.1.85.0 255.255.255.0 192.168.0.1
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
access-list 10 permit x.x.x.x 0.0.0.15
access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.85.0 0.0.0.255
access-list 100 permit ip any host vpnexternalip
access-list 100 permit ip x.x.x.x 0.0.0.15 any
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 10.1.85.0 0.0.0.255 any
!
radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 02050D480809


==========================================================================================================


Thanks in advance 

Cheers 

AN

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
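Editor's note with an added configuration example; this is not part of the original post or of the Cisco guide it cites. The posted config draws the client pool (192.168.0.250-254) from the DMZ subnet while Fa0/1 has "no ip proxy-arp", so nothing on the DMZ wire answers the firewall's ARP for a client address, which is the symptom described. Static ARP entries on the firewall do not help because the router itself holds 192.168.0.0/24 as directly connected on Fa0/1: a packet for a client is forwarded onto the DMZ segment rather than through the crypto map on Fa0/0, which is why the return traffic reached the router and stopped there. The usual fix is to draw the pool from a subnet that lives on no physical segment and to have the dynamic crypto map install a host route per connected client (reverse route injection, "reverse-route" under the dynamic map), so that return traffic is steered to the outside interface and encrypted. The pool subnet 192.168.100.0/24 used below is an assumption, as is the firewall's static-route syntax. Separately, "key 7 02050D480809" is Cisco type 7 obfuscation, which is trivially reversible, so that RADIUS secret and the group key "cisco" should be treated as disclosed now that they have been posted.

```text
! Added example (editor's, not the original poster's config).
! Assumed: 192.168.100.0/24 is unused anywhere on the network.

! 1. Pool on its own subnet, not overlapping the DMZ (192.168.0.0/24).
ip local pool ippool 192.168.100.1 192.168.100.254

! 2. Reverse route injection: for each connected client the router
!    installs a /32 static route toward the IPsec peer, so traffic for
!    the client leaves via Fa0/0 and hits the crypto map instead of being
!    treated as directly connected on Fa0/1.
crypto dynamic-map dynmap 10
 set transform-set myset
 reverse-route

! 3. IOS evaluates the inbound ACL on Fa0/0 against the decrypted packet
!    as well as the ESP packet (the original ACL 100 line permitting
!    192.168.0.0/24 -> 10.1.85.0/24 exists for that reason), so the new
!    pool must be permitted there too. The ESP/ISAKMP lines are unchanged.
access-list 100 permit ip 192.168.100.0 0.0.0.255 10.1.85.0 0.0.0.255

! 4. ACL 102 on Fa0/1 (inbound from the DMZ) already permits
!    10.1.85.0/24 -> any, so return traffic from the inside needs no change.

! 5. On the firewall (syntax is product-specific, shown as pseudo-config):
!    route the pool to the router's DMZ address so the firewall forwards
!    rather than ARPs for client addresses.
!      route 192.168.100.0/24 via 192.168.0.249
```

After a client connects, "show ip route static" on the 2600 should list a /32 for the client's pool address, and "show crypto ipsec sa" should show the encaps/decaps counters climbing in both directions once the firewall route is in place. If the pool must stay inside the DMZ subnet for other reasons, reverse-route is still required (the connected /24 otherwise wins the routing decision) and "ip proxy-arp" must be re-enabled on Fa0/1 so the router answers the firewall's ARP on the client's behalf; the separate-subnet design avoids both the proxy ARP dependence and the overlap.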