[fw-wiz] Cisco Remote Access VPN Problem

From: Firewall-Wizards (Firewall-Wizards_at_govnet.gov.fj)
Date: 09/07/05

  • Next message: Ryan Steinmetz: "Re: [fw-wiz] PIX firewall licensing and beyond (newbie)"
    To: <firewall-wizards@honor.icsalabs.com>
    Date: Wed, 7 Sep 2005 14:07:35 +1200
    
    

    Hi Folks

    Would appreciate any help on the following problem which has been bugging
    me for a few days.

    Have setup a remote access VPN using a Cisco 2600XM as the VPN endpoint
    device and using Cisco VPN Clients (latest ver). Have basically utilized
    the config guide at
    http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example0
    9186a00800a393b.shtml , with the pool of virtual ips assigned from the
    dmz segment.

    I can get the tunnel successfully established, the client successfully
    authenticated with RADIUS, SA's formed and virtual ips (from the dmz)
    assigned to the remote vpn client. There are static routes present on the
    2600 to route internal network traffic to the dmz gateway (ie. fw) which
    subsequently has rules to route this vpn traffic inside the internal
    network.

    However my problem is the vpn client CANNOT get into the internal
    network. The virtual ips seem 'invisible' to the rest of the network when
    it comes to routing, rendering traffic from these sources unroutable
    onwards from the dmz. Sniffing on the dmz segment shows inbound int net
    traffic from the vpn client making its way to the fw, but arp requests
    from the fw failing to get the MAC of the virtual ip, thus preventing return
    traffic.

    As a workaround, i tried putting in some static arp entries on the fw,
    for these virtual ips to point to the physical dmz interface of the vpn
    device. The ensuing result was that return traffic made its way back to
    the vpn device, but then couldn't get to the actual vpn client :-(

    Could someone help me point in the right direction to go, as to what i
    am missing or doing wrong. I was of the opinion that virtual ips bind
    themselves to some physical interface to resolve ARP issues as with PPP,
    but in this case this isn't appearing so, or maybe binding itself is on the
    ext intf of the vpn?? Do i have to use public addresses in ip pools and
    NAT them to DMZ ips in order for all this to work (ughhh..)

    My scenario
    ***********

                                                    ext
    (10.1.85.x) INT ----- FW ---------------------- router --- internet
                           |                          |
                           | dmz (192.168.0.x)        |
                           |                          |
                          VPN -------------------------

    Configs
    ***************
    aaa authentication login userauthen group radius
    aaa authorization network groupauthor local
    aaa session-id common
    ip subnet-zero
    no ip source-route
    ip cef
    !
    no ip bootp server
    no ip domain lookup
    ip domain name vpn.gov.fj
    ip audit po max-events 100
    no ftp-server write-enable
    !
    crypto isakmp policy 3
     encr 3des
     authentication pre-share
     group 2
    !
    crypto isakmp client configuration group 3000client
     key cisco
     dns 10.1.85.156
     wins 10.1.85.156
     domain govnet.local
     pool ippool
    !
    crypto ipsec transform-set myset esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 10
     set transform-set myset
    !
    crypto map clientmap client authentication list userauthen
    crypto map clientmap isakmp authorization list groupauthor
    crypto map clientmap client configuration address respond
    crypto map clientmap 10 ipsec-isakmp dynamic dynmap
    !
    interface FastEthernet0/0
     description VPN Link to Internet -unprotected
     ip address x.x.x.x 255.255.255.240
     ip access-group 100 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     duplex auto
     speed auto
     crypto map clientmap
    !
    interface FastEthernet0/1
     description VPN Link to DMZ termination point
     ip address 192.168.0.249 255.255.255.0
     ip access-group 102 in
     no ip proxy-arp
     duplex auto
     speed auto
    !
    ip local pool ippool 192.168.0.250 192.168.0.254
    ip classless
    ip route 0.0.0.0 0.0.0.0 external_router_ip
    ip route 10.1.85.0 255.255.255.0 192.168.0.1
    !
    no ip http server
    ip http authentication local
    no ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    !
    access-list 10 permit x.x.x.x 0.0.0.15
    access-list 100 permit ip 192.168.0.0 0.0.0.255 10.1.85.0 0.0.0.255
    access-list 100 permit ip any host vpnexternalip
    access-list 100 permit ip x.x.x.x 0.0.0.15 any
    access-list 102 permit ip 192.168.0.0 0.0.0.255 any
    access-list 102 permit ip 10.1.85.0 0.0.0.255 any
    !
    radius-server host x.x.x.x auth-port 1645 acct-port 1646 key 7 02050D480809

    ==========================================================================

    Thanks in advance

    Cheers

    AN

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
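The symptom in the post (the firewall's ARP requests for a client's pool address go unanswered) is the classic sign of a client pool carved out of a directly connected subnet on an interface where the router will not answer ARP on the clients' behalf: the client is behind the tunnel, so the only device on the DMZ segment that can answer for 192.168.0.250-254 is the VPN router itself. The following config lint is an added example, not code from the poster or from Cisco; it parses an IOS-style config (a constructed excerpt mirroring the one above, with a documentation address standing in for the masked external IP) and flags pools that overlap a connected subnet on an interface configured with `no ip proxy-arp`. It does not read a live device.

```python
import ipaddress
import re

# Constructed excerpt mirroring the posted config; 203.0.113.2 is a placeholder
# for the masked external address, the DMZ side uses the values from the post.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 description VPN Link to Internet -unprotected
 ip address 203.0.113.2 255.255.255.240
 no ip proxy-arp
!
interface FastEthernet0/1
 description VPN Link to DMZ termination point
 ip address 192.168.0.249 255.255.255.0
 no ip proxy-arp
!
ip local pool ippool 192.168.0.250 192.168.0.254
"""


def parse_interfaces(config):
    """Map interface name -> {'addr': IPv4Interface|None, 'proxy_arp': bool}.
    IOS enables proxy ARP by default, so it is only off when the stanza says so."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = {"addr": None, "proxy_arp": True}
            continue
        if current is None or not raw.startswith(" "):
            current = None  # '!' or a global command ends the interface stanza
            continue
        cmd = raw.strip()
        m = re.fullmatch(r"ip address (\S+) (\S+)", cmd)
        if m:
            interfaces[current]["addr"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif cmd == "no ip proxy-arp":
            interfaces[current]["proxy_arp"] = False
    return interfaces


def parse_pools(config):
    """Map pool name -> (first IPv4Address, last IPv4Address) from 'ip local pool'."""
    pools = {}
    for raw in config.splitlines():
        m = re.fullmatch(r"ip local pool (\S+) (\S+) (\S+)", raw.strip())
        if m:
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
    return pools


def pool_arp_findings(config):
    """Return (pool, interface, subnet) for every pool that lies inside a connected
    subnet whose interface has proxy ARP disabled: neighbours on that segment will
    ARP for the client address and nothing will answer."""
    findings = []
    interfaces = parse_interfaces(config)
    for pool, (first, last) in parse_pools(config).items():
        for name, info in interfaces.items():
            net = info["addr"].network if info["addr"] else None
            if net and (first in net or last in net) and not info["proxy_arp"]:
                findings.append((pool, name, str(net)))
    return findings
```

A clean result from `pool_arp_findings` means either the pool is its own routed subnet or the router will answer ARP for it; the remaining checks (a route for the pool pointing at the VPN device on the firewall, and the firewall policy) are outside what the config text alone can show.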

