
Hardware EZVPN Client

abolton291078
Level 1

Hi All,

I am running an 1841 Branch router as an EZVPN hardware remote in client mode, so in a very similar way to how the software clients work; below shows the

Central Office

External Interface address is a public IP

Internal Interface Subnet 192.168.128.0/24

VPN Pool 192.168.255.0/24

Branch (1841)

External Interface address is a public IP

Internal Interface 10.255.255.248 (10.255.255.240/28)

At the Branch a Layer 3 routed switch sits between the Internal Interface of the router and the client devices.

Interface between the routed port on the switch and the branch router's internal interface: 10.255.255.247 (10.255.255.240/28)

Client Device subnet 172.16.32.0/23

Problem:

Traffic originating from the subnet 10.255.255.240/28 can access the remote subnet of 192.168.128.0/24, but clients behind the switch on the

172.16.32.0/23 are being blocked.

Debug shows this:

*Feb  4 11:30:22.330: IPACL-DP: Seems no matching ACE in the ACL: MyEZVPN_enterprise-list, Implicit Deny

I didn't create the ACL MyEZVPN_enterprise-list; it appears to be created on the VPN connection, so it doesn't show in my config.

sh ip access-lists MyEZVPN_enterprise-list

Extended IP access list MyEZVPN_enterprise-list

    10 permit ip 10.255.255.240 0.0.0.15 any (2991 matches)

I can add entries to this, but when the tunnel goes down my amendments are cleared.

Question:

How can I make these changes stick?
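Worked example, added by the editor and not code from the original post or from Cisco: a small Python model of how IOS evaluates an extended ACL's source and destination fields (top-down, first match wins, implicit deny at the end). It is run over a constructed copy of the `MyEZVPN_enterprise-list` output quoted above, and over the same list with the 172.16.32.0/23 entry added by hand, to show why a 10.255.255.240/28 source hits sequence 10 while a 172.16.32.0/23 source falls through to the implicit deny reported by the IPACL-DP debug line. The sample flows and the patched list are constructed; only the address forms used in this thread (`any`, `host A`, `A wildcard`) are modelled, not ports or protocol options.

```python
"""Model of IOS extended-ACL source/destination matching (added example, not from the post)."""
import ipaddress

# Constructed copy of the EZVPN-generated ACL quoted in the post.
ORIGINAL_ACL = """\
Extended IP access list MyEZVPN_enterprise-list
    10 permit ip 10.255.255.240 0.0.0.15 any (2991 matches)
"""

# Constructed: the same list after manually adding the 172.16.32.0/23 client subnet,
# i.e. the change the poster says is lost when the tunnel re-establishes.
PATCHED_ACL = ORIGINAL_ACL + "    20 permit ip 172.16.32.0 0.0.1.255 any\n"

ALL_ONES = 0xFFFFFFFF


def _addr_spec(tokens, i):
    """Consume one IOS address spec at tokens[i]; return ((base, wildcard), next_index).

    IOS wildcard masks are the inverse of a netmask: 0 bits must match, 1 bits are don't-care.
    """
    tok = tokens[i]
    if tok == "any":
        return (0, ALL_ONES), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def parse_acl(text):
    """Parse `show ip access-lists` text into an ordered list of ACE dicts."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        # Skip the header line and anything not shaped "<seq> permit|deny <proto> <src> <dst> ..."
        if len(tokens) < 5 or not tokens[0].isdigit() or tokens[1] not in ("permit", "deny"):
            continue
        src, i = _addr_spec(tokens, 3)
        dst, _ = _addr_spec(tokens, i)   # trailing "(N matches)" counters are ignored
        aces.append({"seq": int(tokens[0]), "action": tokens[1],
                     "proto": tokens[2], "src": src, "dst": dst})
    return aces


def _matches(spec, ip):
    """True if ip matches the (base, wildcard) spec: compare only the bits the wildcard fixes."""
    base, wildcard = spec
    fixed_bits = ALL_ONES ^ wildcard
    return (int(ipaddress.IPv4Address(ip)) & fixed_bits) == (base & fixed_bits)


def evaluate(aces, src_ip, dst_ip):
    """Return (action, seq) of the first matching ACE, or ('deny', None) for the implicit deny."""
    for ace in aces:
        if _matches(ace["src"], src_ip) and _matches(ace["dst"], dst_ip):
            return ace["action"], ace["seq"]
    return "deny", None


if __name__ == "__main__":
    # Constructed sample flows: one host on the router's own /28, two behind the L3 switch
    # (172.16.34.1 is just outside the /23, to show the wildcard boundary).
    flows = [("10.255.255.247", "192.168.128.10"),
             ("172.16.32.10", "192.168.128.10"),
             ("172.16.34.1", "192.168.128.10")]
    for name, text in (("generated", ORIGINAL_ACL), ("patched", PATCHED_ACL)):
        aces = parse_acl(text)
        for src, dst in flows:
            action, seq = evaluate(aces, src, dst)
            where = f"ACE {seq}" if seq is not None else "implicit deny"
            print(f"{name:9s} {src:>15s} -> {dst}: {action} ({where})")
```

Running the script prints one line per flow for each list: with the generated list only the 10.255.255.247 source is permitted and both 172.16.x sources hit the implicit deny; with the patched list 172.16.32.10 matches ACE 20 while 172.16.34.1 still falls through, because 0.0.1.255 covers exactly 172.16.32.0 to 172.16.33.255.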

6 Replies

Azubuike Obiora
Level 1

Hi Abolton,

Truth be told, I haven't had the chance of using hardware to do client remote VPN. But it seems to me the problem is with the ACL; you need to permit and deny at some points. If you can put into a diagram what exactly you are trying to accomplish, that could help in pointing out where you need to permit and deny.

Secondly, I would like to ask, do you have access to the Central office? I mean control over the device. In my own opinion, if you do have access, I would advise that you configure site-to-site between both sites, since you have an 1841... it doesn't logically add up to me why you would want to use hardware for a remote VPN client.

I guess the question I'll need to ask you is this: how many users from the branch office access the central office via the hardware remote VPN client?

Thanks

Teddy

Hi Teddy,

Thanks for your reply. I would prefer to use the router in EZVPN client mode as this keeps the branch separate, as all traffic NATs through the assigned address from the ASA.

Direction of traffic ------->

172.16.32.0/23 (L3 Switch) 10.255.255.250 -> 10.255.255.248 (Router) x.x.x.x (INTERNET) x.x.x.x (ASA) 192.168.128.254

10.255.255.240/28 can ping any address on 192.168.128.0/24

172.16.32.0/23 cannot ping any address on 192.168.128.0/24

Hi Abolton,

OK, just a quick question: have you tried adding your 172.16.32.0/23 into your access list above?

Extended IP access list MyEZVPN_enterprise-list

    10 permit ip 10.255.255.240 0.0.0.15 any

    10 permit ip 176.16.32.0 0.0.1.255 any

Hi,

Yes, and that works, but when the VPN goes down and reconnects that change is lost, as this particular access list seems to be generated by the VPN when it is established.

Regards

Sent from Cisco Technical Support iPhone App

Hi Abolton,

Are you saying that the access-list you configured disappears as soon as the VPN tunnel goes down and you try renegotiating the tunnel again? That's strange!

Is it possible to get your config pasted in here? That might help in troubleshooting.

Teddy

Hi Teddy,

Here is the config.

!
! Last configuration change at 11:44:32 UTC Sat Feb 1 2014 by root
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxxxxx
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 xxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
!
!
!
ip cef
ip domain name xxxx.xxx
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1253001002
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1253001002
 revocation-check none
 rsakeypair TP-self-signed-1253001002
!
!
crypto pki certificate chain TP-self-signed-1253001002
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E425FF F1A4D89E D7C0C912 17558948 07293153 1C301D06
  03551D0E 04160414 E425FFF1 A4D89ED7 C0C91217 55894807 2931531C 300D0609
  2A864886 F70D0101 05050003 81810037 3B2C8F5E 36A2D871 12BF7378 F1147C20
  18DE2D47 BD8563A8 C73CC415 107FBC6B 7BB37101 03A9718E 51B5293E 767D4D3E
  79779ACC D8D007E2 AE498F79 77B21669 8D1D4351 2043A7A9 9855A4F1 F21442E1
  0393352D DA5074E6 AE69D75E C6A6B6AC 519C4B0C C9760814 0248D864 09331630
  F77A4138 F4594F09 3ADCF7EB EFAFD0
   quit
!
!
license udi pid CISCO1841 sn FCZ1103206S
username xxxx privilege 15 secret 5 xxxx
!
redundancy
!
!
controller E1 0/0/0
!
ip ssh version 2
!
!
!
!
!
!
crypto ipsec client ezvpn xxxx-CC
 connect auto
 group xxxx-Prod key xxxx
 mode client
 peer xxx.xxx.xxx.xxx
 username xxxx password xxxx
 xauth userid mode local
!
!
!
!
!
!
interface FastEthernet0/0
 ip address 10.255.255.248 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 speed auto
 full-duplex
 no mop enabled
 crypto ipsec client ezvpn xxxx-CC inside
!
interface FastEthernet0/1
 ip address xxx.xxx.xxx.xxx 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn xxxx-CC
!
interface ATM0/1/0
 no ip address
 shutdown
 no atm ilmi-keepalive
!
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat inside source list 1 interface FastEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 145.255.244.209 2
ip route 172.16.32.0 255.255.254.0 10.255.255.250
!
logging esm config
access-list 1 permit 172.16.32.0 0.0.1.255
access-list 1 permit 10.255.255.240 0.0.0.15
disable-eadi
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 40 0
 privilege level 15
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end