I was wondering if someone could help.
We have an IOS router configured to terminate VPNs to an internal 192.168.180.x range. It has an Ethernet interface configured with 10.0.0.1, and on the other end is 10.0.0.2, attached to an ISA 2004 server.
There are NAT translations to the ISA server on ports 25 and 3389 that work perfectly for access over the internet, with the ISA configured to allow them in.
The ISA server is dual-homed with its inside on 192.168.175.x.
However, anyone VPN'd in via the Cisco can't access anything on 192.168.175.x despite a route of
ip route 192.168.175.0 255.255.255.0 10.0.0.2
which doesn't seem to work.
Again, these NAT translations do work, so you'd think there isn't a routing issue to the ISA server as such:
ip nat inside source static tcp 10.0.0.2 25 213.83.101.249 25 extendable
ip nat inside source static tcp 10.0.0.2 3389 213.83.101.249 3389 extendable
The ISA Server 2004 has several firewall policies allowing the 'Cisco VPN Network', defined as 192.168.180.1 - 192.168.180.254, to access any 'Internal' network.
The router is configured as follows (with hashes replacing secret stuff).
I was wondering where it is going wrong, such that 192.168.180.x can't route to 192.168.175.x over 10.0.0.x.
(The only IP that responds: if you are VPN'd in with a 192.168.180.x address and you ping 10.0.0.1, the IOS router Ethernet card, you get a response back from the external public-facing IP address.)
---------------------------------
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SDSL
!
boot-start-marker
boot-end-marker
!
no logging console
enable secret 5 ##############
!
aaa new-model
!
!
aaa authentication login VPN-Authentication local
aaa authorization network VPN-Authorisation local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name LAN tcp
ip inspect name LAN ftp
ip inspect name LAN udp
ip inspect name LAN h323
ip inspect name LAN rcmd
ip inspect name LAN realaudio
ip inspect name LAN streamworks
ip inspect name LAN vdolive
ip inspect name LAN sqlnet
ip inspect name LAN tftp
ip inspect name LAN cuseeme
ip inspect name Internet tcp
ip inspect name Internet udp
ip inspect name Internet fragment maximum 256 timeout 1
ip inspect name Internet rcmd
ip inspect name Internet tftp
!
!
!
username admin password 0 ##############
username administrator privilege 15 password 0 ##############
username Office password 0 ##############
!
!
controller DSL 0
mode atm
line-term cpe
line-mode 2-wire line-zero
dsl-mode shdsl symmetric annex B
line-rate auto
description Controls the ATM0 and Dialer1 interfaces
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ##############VPN
key ##############
dns 192.168.175.3 10.0.0.2
domain ##############.co.uk
pool ClientVPN-DHCP-Pool
acl VPN-Clients
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map VPN-Dynamic-Map 100
set transform-set 3DES-SHA
!
!
crypto map VPN-CRYPTO-MAP client authentication list VPN-Authentication
crypto map VPN-CRYPTO-MAP isakmp authorization list VPN-Authorisation
crypto map VPN-CRYPTO-MAP client configuration address respond
crypto map VPN-CRYPTO-MAP 40 ipsec-isakmp dynamic VPN-Dynamic-Map
!
!
!
interface Loopback1
ip address 192.168.205.1 255.255.255.0
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface ATM0
description Physical connection to Internet
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description Physical connection to the DMZ
ip address 10.0.0.1 255.255.255.0
ip access-group LAN in
ip inspect LAN in
ip nat inside
ip virtual-reassembly
hold-queue 32 in
hold-queue 100 out
!
interface Dialer1
description Virtual connetion to Internet
ip address negotiated
ip access-group Internet in
ip inspect Internet in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname ##############
ppp chap password 0 ##############
crypto map VPN-CRYPTO-MAP
!
ip local pool ClientVPN-DHCP-Pool 192.168.180.0 192.168.180.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.175.0 255.255.255.0 10.0.0.2
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 10.0.0.2 25 ############## 25 extendable
ip nat inside source static tcp 10.0.0.2 3389 ############## 3389 extendable
ip nat inside source static tcp 10.0.0.2 1723 ############## 1723 extendable
!
ip access-list extended Internet
permit esp any host ##############
permit ahp any host ##############
permit udp any host ############## eq isakmp log
permit udp any host ############## eq non500-isakmp
permit tcp #################### host ############# eq telnet
permit tcp host ########## host ############## eq telnet
permit tcp any host ############## eq smtp
permit tcp ##################### host ################# eq telnet
permit tcp ##################### host ################# eq 3389
permit tcp any host ################ eq 1723
permit gre any host ################
ip access-list extended LAN
permit ip host 10.0.0.2 any
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
permit ip 10.0.0.0 0.0.0.255 any
permit gre any any
ip access-list extended Route-Map
deny ip 10.0.0.0 0.0.0.255 192.168.175.0 0.0.0.255
deny ip 10.0.0.0 0.0.0.255 192.168.180.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended VPN-Clients
permit ip 192.168.175.0 0.0.0.255 192.168.180.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 192.168.180.0 0.0.0.255
!
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 1 permit 192.168.175.0 0.0.0.255
access-list 12 permit 195.12.9.25
access-list 12 permit 10.0.0.0 0.0.0.255
access-list 12 permit #######################
access-list 12 permit 192.168.175.0 0.0.0.255
access-list 12 permit 10.0.1.0 0.0.0.255
access-list 12 permit 192.168.180.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
route-map Route-Map permit 10
match ip address Route-Map
match interface Dialer1
!
!
control-plane
!
banner motd ^C ###########################
^C
!
line con 0
exec-timeout 120 0
no modem enable
transport output all
stopbits 1
line aux 0
line vty 0 4
access-class 12 in
exec-timeout 120 0
password ###################
transport input all
transport output all
!
scheduler max-task-time 5000
end
-------------------------
You may notice that there is a NAT translation for 1723 and GRE to try and terminate a PPTP VPN at the ISA server, but it is the only NAT that doesn't seem to work; I think this is a misconfigured PPTP VPN internally, not a router problem.
What we need to concentrate on is terminating the IPSec (L2TP) VPN at the Cisco, and then trying to route it through the ISA server from its own subnet, ideally.
Any ideas on where the config is wrong would be great!
Thanks
Gurner
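As an added example (not from Gurner's post or the router itself), a small Python evaluator that parses the "LAN" extended ACL quoted above, which the config applies inbound on Vlan1, and reports which entry a given packet matches. It evaluates only the static entries, ignoring anything CBAC (ip inspect) may open dynamically, so it shows what the ACL alone says about a reply from a 192.168.175.x host to a VPN client arriving on Vlan1; the sample packets and the ACL copy are constructed from the config text.

```python
import ipaddress

# Constructed copy of the "LAN" extended ACL quoted in the post above;
# the config applies it inbound on Vlan1 (ip access-group LAN in).
CONFIG = """
ip access-list extended LAN
permit ip host 10.0.0.2 any
permit tcp 10.0.0.0 0.0.0.255 host 10.0.0.1 eq telnet
permit ip 10.0.0.0 0.0.0.255 any
permit gre any any
"""
PORT_NAMES = {"telnet": 23, "smtp": 25}  # IOS port keywords used on this page

def _addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD) into a network."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard bits are inverted netmask bits (contiguous masks assumed).
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok}/{netmask}", strict=False)

def parse_acls(text):
    """Return {acl name: [(action, protocol, src net, dst net, dst port or None)]}."""
    acls, current = {}, None
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[:3] == ["ip", "access-list", "extended"]:
            current = acls.setdefault(tokens[3], [])
            continue
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, dst = _addr(rest), _addr(rest)  # _addr consumes tokens in place
        port = int(PORT_NAMES.get(rest[1], rest[1])) if rest[:1] == ["eq"] else None
        current.append((action, proto, src, dst, port))
    return acls

def evaluate(acl, proto, src, dst, dport=None):
    """First-match lookup with the IOS implicit deny; returns (action, entry or None)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, eport in acl:
        if (eproto in ("ip", proto) and src_ip in esrc and dst_ip in edst
                and eport in (None, dport)):
            return action, (action, eproto, esrc, edst, eport)
    return "deny", None  # nothing matched: IOS implicit deny at the end of the list

ACLS = parse_acls(CONFIG)
```

Calling `evaluate(ACLS["LAN"], "icmp", "192.168.175.3", "192.168.180.10")` models a reply from the ISA's inside network to a VPN client entering Vlan1, while `evaluate(ACLS["LAN"], "tcp", "10.0.0.2", "192.168.180.10", 3389)` models traffic sourced by the ISA's own DMZ address.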