Firewall Wizards mailing list archives
Cisco Remote Access VPN Problem
From: "Firewall-Wizards" <Firewall-Wizards () govnet gov fj>
Date: Wed, 7 Sep 2005 14:07:35 +1200
Hi Folks,

Would appreciate any help on the following problem, which has been bugging me for a few days.

I have set up a remote access VPN using a Cisco 2600XM as the VPN endpoint device and using Cisco VPN Clients (latest ver). I have basically utilized the config guide at http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml , with the pool of virtual IPs assigned from the DMZ segment. I can get the tunnel successfully established, the client successfully authenticated with RADIUS, SAs formed and virtual IPs (from the DMZ) assigned to the remote VPN client. There are static routes present on the 2600 to route internal network traffic to the DMZ gateway (i.e. the FW), which subsequently has rules to route this VPN traffic inside the internal network.

However, my problem is that the VPN client CANNOT get into the internal network. The virtual IPs seem 'invisible' to the rest of the network when it comes to routing, rendering traffic from these sources unroutable onwards from the DMZ. Sniffing on the DMZ segment shows inbound internal-network traffic from the VPN client making its way to the FW, but ARP requests from the FW fail to get the MAC of the virtual IP, thus preventing return traffic.

As a workaround, I tried putting in some static ARP entries on the FW for these virtual IPs, pointing to the physical DMZ interface of the VPN device. The ensuing result was that return traffic made its way back to the VPN device, but then couldn't get to the actual VPN client :-(

Could someone help point me in the right direction as to what I am missing or doing wrong? I was of the opinion that virtual IPs bind themselves to some physical interface to resolve ARP issues, as with PPP, but in this case this isn't appearing so, or maybe the binding is on the ext intf of the VPN?? Do I have to use public addresses in the IP pools and NAT them to DMZ IPs in order for all this to work (ughhh..)?
My scenario
***********

    INT (10.1.85.x) ----------------- FW ------------------------------- router --- internet (ext)
                                      |
                                      |
                                      | dmz (192.168.0.x)
                                      |
                                      VPN -----------------------------

Configs
***************

    aaa authentication login userauthen group radius
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip cef
    !
    no ip bootp server
    no ip domain lookup
    ip domain name vpn.gov.fj
    ip audit po max-events 100
    no ftp-server write-enable
    !
    ! Phase 1 policy for the VPN clients
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    ! Client group: DNS/WINS/domain pushed to the client, addresses from pool "ippool"
    crypto isakmp client configuration group 3000client
     key cisco
     dns 10.1.85.156
     wins 10.1.85.156
     domain govnet.local
     pool ippool
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set myset
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface FastEthernet0/0
     description VPN Link to Internet -unprotected
     ip address x.x.x.x 255.255.255.240
     ip access-group 100 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface FastEthernet0/1
     description VPN Link to DMZ termination point
     ip address 192.168.0.249 255.255.255.0
     ip access-group 102 in
     no ip proxy-arp
     duplex auto
     speed auto
    !
    ! Virtual IPs for the clients are taken from the DMZ subnet
    ip local pool ippool 192.168.0.250 192.168.0.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 external_router_ip
    ip route 10.1.85.0 255.255.255.0 192.168.0.1
    !
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    !
    access-list 10 permit x.x.x.x 0.0.0.15
    access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.85.0 0.0.0.255
    access-list 100 permit ip any host vpnexternalip
    access-list 100 permit ip x.x.x.x 0.0.0.15 any
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 permit ip 10.1.85.0 0.0.0.255 any
    !
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 02050D480809

Thanks in advance

Cheers
AN

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
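The symptom above (the firewall ARPs for a pool address on the DMZ and nobody answers) is worth checking against the config mechanically before reaching for public addresses and NAT. An IOS router answers ARP on behalf of addresses it has handed out from a local pool only when those addresses fall inside a connected subnet and proxy ARP is enabled on that interface; the posted config carves the pool from the FastEthernet0/1 subnet and has `no ip proxy-arp` on that interface. The checker below is an added example and not code from the original post or from Cisco; the sample config is constructed from the posted values, with the masked external address replaced by a documentation address (an assumption, since the original is masked). It parses the relevant lines, finds any pool that overlaps a connected subnet, and reports the proxy-ARP state of that interface.

```python
"""Lint a Cisco IOS config for a VPN address pool carved from a connected subnet.

Added example, not from the mailing-list post. SAMPLE_CONFIG is constructed
from the post's values; 203.0.113.2 stands in for the masked external address.
"""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description VPN Link to Internet -unprotected
 ip address 203.0.113.2 255.255.255.240
 no ip proxy-arp
!
interface FastEthernet0/1
 description VPN Link to DMZ termination point
 ip address 192.168.0.249 255.255.255.0
 no ip proxy-arp
!
ip local pool ippool 192.168.0.250 192.168.0.254
"""


def parse_config(text):
    """Return ({interface: {'network', 'proxy_arp'}}, {pool: (start, end)})."""
    interfaces, pools = {}, {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # global-mode line ends any interface block
            current = None
            m = re.match(r"interface (\S+)", line)
            if m:
                current = m.group(1)
                # IOS enables proxy ARP on an interface unless 'no ip proxy-arp' is set
                interfaces[current] = {"network": None, "proxy_arp": True}
                continue
            m = re.match(r"ip local pool (\S+) (\S+) (\S+)", line)
            if m:
                pools[m.group(1)] = (ipaddress.ip_address(m.group(2)),
                                     ipaddress.ip_address(m.group(3)))
            continue
        if current is None:
            continue
        cmd = line.strip()
        m = re.match(r"ip address (\S+) (\S+)", cmd)
        if m:
            # ipaddress accepts 'addr/dotted-mask' and yields the connected subnet
            iface = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
            interfaces[current]["network"] = iface.network
        elif cmd == "no ip proxy-arp":
            interfaces[current]["proxy_arp"] = False
        elif cmd == "ip proxy-arp":
            interfaces[current]["proxy_arp"] = True
    return interfaces, pools


def check_pool_overlap(interfaces, pools):
    """List every pool whose range lies in a connected subnet, with the
    interface's proxy-ARP state. With proxy_arp False, hosts on that segment
    that ARP for a pool address will get no reply from the router."""
    findings = []
    for pool, (start, end) in pools.items():
        for ifname, info in interfaces.items():
            net = info["network"]
            if net is None:
                continue
            if start in net or end in net:
                findings.append({
                    "pool": pool,
                    "interface": ifname,
                    "network": str(net),
                    "proxy_arp": info["proxy_arp"],
                })
    return findings


def main():
    interfaces, pools = parse_config(SAMPLE_CONFIG)
    for f in check_pool_overlap(interfaces, pools):
        state = "enabled" if f["proxy_arp"] else "DISABLED"
        print(f"pool {f['pool']} lies in {f['network']} ({f['interface']}); "
              f"proxy ARP on that interface is {state}")


if __name__ == "__main__":
    main()
```

Run against the posted config, the checker reports the one overlap: pool `ippool` sits in 192.168.0.0/24 on FastEthernet0/1, where proxy ARP is disabled. Whether re-enabling it is the whole fix, or whether the pool should move to a dedicated subnet routed to the 2600 (which avoids relying on proxy ARP altogether), is for the thread's replies; the check only shows that the ARP silence seen on the sniffer is consistent with the config as posted.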
Current thread:
- Cisco Remote Access VPN Problem Firewall-Wizards (Sep 07)
- RE: Cisco Remote Access VPN Problem Paul Melson (Sep 07)
- <Possible follow-ups>
- RE: Cisco Remote Access VPN Problem Firewall-Wizards (Sep 08)