Tunnel up, but no domain authentication

shaferbus (MIS, Dec 7, 2002, US)
... and I thought the EasyVPN wizard would make this "Easy" ;-)

I'm trying to set up an EasyVPN Server (Cisco 871) to EasyVPN Remote (Cisco 851) connection. I need the remote site to access the Win2k domain in the main office.

I've got the tunnel up, can ping both ways, and domain hostnames are being resolved at the remote site. NSLOOKUP returns the correct info. However, I can't get domain authentication from the domain controller. Whenever I try to access a domain resource, I get an error message that "The list of servers for this workgroup is not currently available" and an Event ID 1054 in the event log.

I'm doubtful that the problem is with the EasyVPN server, because I can access it using the Cisco Client software on my laptop. It's probably an ACL, but I'm missing it (and by no means an expert!).

Domain subnet is 192.168.16.0
Remote subnet is 192.168.15.0
VPN DHCP pool is 192.168.17.50 - 192.168.17.55
Domain controller is 192.168.16.2

Here's the setup for the 851 (remote) router. Any suggestions would be appreciated.

!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ciscorouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxx
!
no aaa new-model
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
import all
network 192.168.15.0 255.255.255.0
default-router 192.168.15.1
dns-server 208.67.222.222
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name lashome.com
ip name-server 208.67.222.222
ip name-server 192.168.16.1
ip name-server 192.168.16.2
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-123456789
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-123456789
revocation-check none
rsakeypair TP-self-signed-123456789
!
!
crypto pki certificate chain TP-self-signed-123456789
certificate self-signed 01
!
!
!<<DELETED CRYPTO CERTIFICATE STUFF>>
!
!
username lasrouter privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
!
crypto ipsec client ezvpn ShafersVPN
connect auto
group SHAFERVPN key xxxxxxxxxxxxxxxxx
mode client
peer 66.192.xxx.xxx
xauth userid mode http-intercept
!
!
!
!
interface Loopback0
ip address 192.168.17.50 255.255.255.255
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto ipsec client ezvpn ShafersVPN
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.15.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ShafersVPN inside
!
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.15.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 192.168.16.2 eq domain any
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) ShafersVPN
access-list 101 permit udp host 66.192.xxx.xxx any eq 10000
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 101 permit udp host 66.192.xxx.xxx any eq non500-isakmp
access-list 101 permit udp host 66.192.xxx.xxx any eq isakmp
access-list 101 permit esp host 66.192.xxx.xxx any
access-list 101 permit ahp host 66.192.xxx.xxx any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.15.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.15.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 103 remark SDM_ACL Category=2
access-list 103 permit ip 192.168.15.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 103
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport output telnet
line aux 0
login local
transport output telnet
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
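As an added check that is not part of the original post: the script below parses the numbered extended ACL syntax used in the config above (first match wins, implicit deny at the end) and traces a few packets through ACL 101, the inbound list on FastEthernet4. It assumes, as the "IPSec Rule" entry SDM generated implies, that this inbound ACL is also evaluated against tunnel traffic after decryption. The server's public address is masked in the post, so the documentation address 198.51.100.1 stands in for it (constructed input), and the list is reproduced with a few entries that no trace below touches left out.

```python
"""Trace packets through a Cisco IOS numbered extended ACL.

Added example, not from the original post. It parses the
'access-list NNN permit|deny PROTO SRC [eq PORT] DST [eq PORT] [ICMP-TYPE]'
syntax with first-match semantics and an implicit deny, then runs the WAN
ACL 101 from the 851 config through it. Constructed input: the server's
public IP is masked in the post (66.192.xxx.xxx); 198.51.100.1 stands in."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PORT_NAMES = {"domain": 53, "bootps": 67, "bootpc": 68,
              "isakmp": 500, "non500-isakmp": 4500}

ACL_101 = """
access-list 101 permit udp host 192.168.16.2 eq domain any
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) ShafersVPN
access-list 101 permit udp host 198.51.100.1 any eq 10000
access-list 101 permit udp host 208.67.222.222 eq domain any
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.16.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 101 permit udp host 198.51.100.1 any eq non500-isakmp
access-list 101 permit udp host 198.51.100.1 any eq isakmp
access-list 101 permit esp host 198.51.100.1 any
access-list 101 permit ahp host 198.51.100.1 any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 192.168.15.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any
"""


@dataclass
class Ace:
    action: str
    proto: str
    src: Tuple[int, int]          # (address, wildcard mask)
    sport: Optional[int]
    dst: Tuple[int, int]
    dport: Optional[int]
    icmp_type: Optional[str]
    text: str


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _addr(t: List[str], i: int) -> Tuple[Tuple[int, int], int]:
    """'any' | 'host A' | 'A WILDCARD' -> ((address, wildcard), next index)."""
    if t[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if t[i] == "host":
        return (int(ipaddress.IPv4Address(t[i + 1])), 0), i + 2
    return (int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1]))), i + 2


def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Optional 'eq PORT', where PORT is an IOS keyword or a number."""
    if i < len(t) and t[i] == "eq":
        name = t[i + 1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), i + 2
    return None, i


def parse_acl(text: str, number: str) -> List[Ace]:
    aces = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", number] or t[2] == "remark":
            continue                      # remarks are comments, not entries
        src, i = _addr(t, 4)
        sport, i = _port(t, i)
        dst, i = _addr(t, i)
        dport, i = _port(t, i)
        icmp_type = t[i] if t[3] == "icmp" and i < len(t) else None
        aces.append(Ace(t[2], t[3], src, sport, dst, dport, icmp_type, line.strip()))
    return aces


def _addr_match(spec: Tuple[int, int], value: str) -> bool:
    addr, wild = spec                     # wildcard 1-bits are "don't care"
    return (int(ipaddress.IPv4Address(value)) ^ addr) & (~wild & 0xFFFFFFFF) == 0


def matches(ace: Ace, p: Packet) -> bool:
    return ((ace.proto == "ip" or ace.proto == p.proto)
            and _addr_match(ace.src, p.src) and _addr_match(ace.dst, p.dst)
            and (ace.sport is None or ace.sport == p.sport)
            and (ace.dport is None or ace.dport == p.dport)
            and (ace.icmp_type is None or ace.icmp_type == p.icmp_type))


def evaluate(aces: List[Ace], p: Packet) -> Tuple[str, str]:
    """First matching entry wins; IOS ends every list with an implicit deny."""
    for ace in aces:
        if matches(ace, p):
            return ace.action, ace.text
    return "deny", "implicit deny"


if __name__ == "__main__":
    acl = parse_acl(ACL_101, "101")
    for p in (Packet("udp", "192.168.16.2", "192.168.15.10", 53, 51000),   # DNS reply
              Packet("tcp", "192.168.16.2", "192.168.15.10", 445, 51001),  # DC -> LAN host
              Packet("tcp", "192.168.16.2", "192.168.17.50", 445, 51001)):  # DC -> pool addr
        print(p.proto, p.src, "->", p.dst, *evaluate(acl, p))
```

What the trace shows about the posted list: a packet from the DC to a 192.168.15.x host is passed by the "IPSec Rule" line, but a packet the DC sends to 192.168.17.50 (an address in the server's VPN pool; EasyVPN Remote in `mode client` translates its LAN hosts behind the address the server assigns, which is what a /32 loopback in that pool is consistent with) is dropped by `deny ip 192.168.0.0 0.0.255.255 any`. Replies to sessions the remote LAN starts still get through, because `ip inspect DEFAULT100 out` opens temporary holes for return traffic; sessions started from the office side get no such hole.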
 
uh-oh... this must be so messed up that no one wants to touch it LOL

An update:
I got rid of the loopback interface. I'm not really sure where that even came from... perhaps something SDM did when I deleted my first EasyVPN Remote and started over a while back.

I was fooling around with ACLs and changed the rule
access-list 100 deny ip host 255.255.255.255 any
from deny to permit - and now I can at least SEE the machines on the office network. I am still denied access to anything though...

I tested the tunnel via SDM from the remote site, and although the tunnel is up, I got the following error:

A ping with data size of this VPN interface MTU size and 'Do not Fragment' bit set to the other end VPN device is failing. This may happen if there is a lesser MTU network which drops the 'Do not fragment' packets.

The "Recommended Actions" were:

1)Contact your ISP/Administrator to resolve this issue.
2)Issue the command 'crypto ipsec df-bit clear' under the VPN interface to avoid packets drop due to fragmentation.

However, it doesn't say whether to apply the command to the Server or Remote or both. Should I start by changing the MTU size before I execute this command?

TIA for any advice anyone has.

Tim
 
Hey, I'm by no means a Cisco or VPN expert but In searching for the answer to a different question I came across your post.

I have a working EzVPN Hub - Spoke setup. The Hub is an ASA 5510 and the spokes are ASA 5505's.

What I had to do to allow the remote sites with the 5505s to log on to the domain over the VPN tunnel is define the split-dns and dns-server values for the EzVPN group-policy.

This is what mine is like (note this is from an ASA 5510)
--------------------------------------
group-policy ezvpn attributes
banner none
dns-server value 172.20.11.2 172.20.11.1
dhcp-network-scope none
vpn-simultaneous-logins 20
split-tunnel-policy tunnelspecified
split-tunnel-network-list value ezvpn
default-domain value Inkyeyes.lan
split-dns value Inkyeyes Inkyeyes.lan

nem enable
----------------------------------

Basically, whatever domain names you define via split-dns will be sent to the DNS servers listed in the dns-server value.

Hope this helps!
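An added example, not from Inky's post or from Cisco, that models the rule the post describes: names under the split-dns domains go to the dns-server values pushed over the tunnel, everything else to the client's normal resolver. Two details are easy to get wrong and are handled here: a single-label name (the NetBIOS-style names Windows uses) gets default-domain appended before the check, and the suffix match is on whole labels, so a name like notinkyeyes.lan stays public. The VPN values are the ones in the group-policy above; 208.67.222.222 (the public resolver from the 851 config) is assumed as the client's non-VPN resolver.

```python
"""Split-DNS resolver selection as pushed by the ASA group-policy above.

Added example, not from the thread or from Cisco. Values: dns-server,
split-dns and default-domain from Inky's post; LOCAL_DNS is an assumption."""
from typing import List

VPN_DNS = ["172.20.11.2", "172.20.11.1"]   # dns-server value
SPLIT_DNS = ["Inkyeyes", "Inkyeyes.lan"]   # split-dns value
DEFAULT_DOMAIN = "Inkyeyes.lan"            # default-domain value
LOCAL_DNS = ["208.67.222.222"]             # client's non-VPN resolver (assumed)


def qualify(name: str, default_domain: str = DEFAULT_DOMAIN) -> str:
    """Append the pushed default-domain to a single-label name."""
    name = name.rstrip(".")
    return name if "." in name else f"{name}.{default_domain}"


def in_split_domain(fqdn: str, split_domains: List[str] = SPLIT_DNS) -> bool:
    """Case-insensitive, label-aligned suffix match against the split-dns list."""
    labels = fqdn.lower().rstrip(".").split(".")
    for domain in split_domains:
        dlabels = domain.lower().rstrip(".").split(".")
        if labels[-len(dlabels):] == dlabels:
            return True
    return False


def select_resolvers(query: str) -> List[str]:
    """Which resolvers a client with this group-policy uses for the query."""
    fqdn = qualify(query)
    return list(VPN_DNS) if in_split_domain(fqdn) else list(LOCAL_DNS)


if __name__ == "__main__":
    for q in ("dc1", "dc1.inkyeyes.lan", "fileserver.inkyeyes",
              "notinkyeyes.lan", "www.example.com"):
        print(f"{q:22} -> {qualify(q):30} -> {select_resolvers(q)}")
```

The single-label "Inkyeyes" entry in the split-dns list is what lets names such as fileserver.inkyeyes resolve inside the tunnel; without default-domain, a bare "dc1" would never reach the internal servers at all.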
 
Thanks for the response Inky... I was beginning to wonder if I needed to change my deodorant ;-)

Actually, I finally got it working last night. After a ton of internet research, I made a number of changes. I cranked down the MTU size, turned off RPC filtering on my domain server, and cleared the df-bit on both ends.

Actually, I had tried the split-dns at one point, but I wasn't terribly sure I was doing it right. I appreciate your very understandable description!

Tim
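The SDM warning in Tim's second post (a ping of the interface MTU size with DF set fails) and the MTU and df-bit changes in his last post come down to ESP overhead. As an added example that is not from the thread, the script below works out the encapsulated size of a packet for the transform set in the posted config (esp-3des esp-sha-hmac: 8-byte IV, 8-byte block, 12-byte ICV) and from that the largest inner packet and TCP MSS that fit a 1500-byte path. Labelled assumptions: UDP encapsulation is in use (the udp-10000 and non500-isakmp entries in ACL 101 both describe an 8-byte UDP header), and the ISP link is plain 1500-byte Ethernet with no PPPoE overhead.

```python
"""ESP tunnel-mode size arithmetic for the transform set in the post.

Added example, not from the thread. Assumptions (see comments): NAT-T or
IPsec-over-UDP encapsulation is in use, the transform is 3DES/SHA-1 as
configured, and the path MTU is 1500 bytes."""

OUTER_IP = 20       # outer IPv4 header added in tunnel mode
UDP_ENCAP = 8       # NAT-T / IPsec-over-UDP header (assumption: in use)
ESP_HDR = 8         # SPI + sequence number
ESP_IV = 8          # 3DES-CBC initialisation vector
ESP_BLOCK = 8       # 3DES block size; (payload + pad + trailer) % 8 == 0
ESP_TRAILER = 2     # pad length + next header
ESP_ICV = 12        # HMAC-SHA1-96 authenticator
IP_TCP_HDRS = 40    # inner IPv4 + TCP headers, for deriving the MSS


def esp_packet_size(inner_len: int, udp_encap: bool = True) -> int:
    """Bytes on the wire for an inner IP packet of inner_len bytes."""
    encrypted = inner_len + ESP_TRAILER
    encrypted += (-encrypted) % ESP_BLOCK              # CBC padding to block size
    size = OUTER_IP + ESP_HDR + ESP_IV + encrypted + ESP_ICV
    return size + (UDP_ENCAP if udp_encap else 0)


def df_ping_fits(inner_len: int, path_mtu: int = 1500, udp_encap: bool = True) -> bool:
    """Would a DF-set inner packet of this size cross the path unfragmented?"""
    return esp_packet_size(inner_len, udp_encap) <= path_mtu


def max_inner_mtu(path_mtu: int = 1500, udp_encap: bool = True) -> int:
    """Largest inner packet whose encapsulated form still fits path_mtu."""
    inner = path_mtu
    while not df_ping_fits(inner, path_mtu, udp_encap):
        inner -= 1
    return inner


def recommended_mss(path_mtu: int = 1500, udp_encap: bool = True) -> int:
    """'ip tcp adjust-mss' value that keeps full TCP segments inside the tunnel."""
    return max_inner_mtu(path_mtu, udp_encap) - IP_TCP_HDRS


if __name__ == "__main__":
    for inner in (1500, 1492, 1438):
        verdict = "fits" if df_ping_fits(inner) else "exceeds 1500, dropped with DF set"
        print(f"inner {inner} -> wire {esp_packet_size(inner)} ({verdict})")
    print("max inner MTU", max_inner_mtu(), "-> adjust-mss", recommended_mss())
```

Under these assumptions a 1500-byte inner packet becomes 1560 bytes on the wire, which is exactly what the SDM DF-bit test trips over. The posted `ip tcp adjust-mss 1452` is SDM's default for a 1492-byte link and does not account for ESP: a full segment gives a 1492-byte inner packet, 1552 bytes encapsulated, so it only passes if something fragments it. `crypto ipsec df-bit clear` makes a router clear DF on the outer header of the packets it encapsulates, so intermediate hops may fragment them; it governs each router's own outbound direction, which is why it is set per end. Lowering the MSS (1398 here) avoids the fragmentation instead of permitting it.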
 