Cisco IOS IPSec VPN NAT Woes…

Oi… this is complicated for me.
I’m trying to set up IPSec VPN on a Cisco 2900 series router. I set it up previously using MS IAS for RADIUS authentication/authorization and using local group authentication in this post.
Now, I connect to the router with my VPN client OK but I can’t communicate with the remote LAN (router-side inside network) for some reason… I don’t even see the hit counters incrementing for the ACL specified in the VPN configuration!
Through googling, I found this information:

! Doesn't work: ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source list 1 interface Serial0 overload

So, I incorporated that and also split-tunneling and have this:

!NEW
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!OLD
!ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
route-map nonat permit 10
match ip address 100
interface GigabitEthernet0/0
!OLD
!ip policy route-map nonat

If I show access-list, I do not see access-list 100 incrementing!
Why is this happening? =(
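In the configuration shown, the active NAT statement consults access-list 101, while access-list 100 is referenced only by route-map nonat, and both lines that used to apply that route map (the old ip nat inside source route-map and the ip policy route-map) are commented out. As an added illustration (not part of the original post), the Python below applies IOS wildcard-mask matching to show which traffic an "ip nat inside source list 101 ... overload" statement would translate and which it would leave untranslated for the tunnel; the addresses are constructed samples.

```python
import ipaddress

# Constructed example: a minimal evaluator for IOS numbered extended ACLs
# ("ip" protocol only) with the wildcard-mask semantics IOS uses.

def _parse_spec(tokens, i):
    """'any' | 'host A' | 'A WILDCARD' -> ((addr, wildcard) as 32-bit ints, next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    addr = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (addr, wild), i + 2

def _matches(spec, ip):
    """IOS wildcard semantics: 1 bits are 'don't care', 0 bits must match exactly."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)

class Acl:
    """A numbered extended ACL evaluated first-match with an implicit deny at the end."""
    def __init__(self, lines):
        self.entries = []  # [action, src_spec, dst_spec, hit_count]
        for line in lines:
            t = line.split()  # access-list <n> <permit|deny> ip <src> <dst>
            src, i = _parse_spec(t, 4)
            dst, _ = _parse_spec(t, i)
            self.entries.append([t[2], src, dst, 0])

    def evaluate(self, src_ip, dst_ip):
        for e in self.entries:
            if _matches(e[1], src_ip) and _matches(e[2], dst_ip):
                e[3] += 1  # the per-entry match count "show access-list" displays
                return e[0]
        return "deny"

    def hits(self):
        return [e[3] for e in self.entries]

def nat_decision(acl, src_ip, dst_ip):
    """'ip nat inside source list <acl> ... overload': only traffic the ACL permits is translated."""
    return "translate" if acl.evaluate(src_ip, dst_ip) == "permit" else "not translated"

ACL_101 = Acl([
    "access-list 101 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 101 permit ip 10.0.0.0 0.0.0.255 any",
])
```

Traffic from the inside LAN to the VPN pool hits the deny entry and is left untranslated; the same host talking to the Internet hits the permit entry and is overloaded onto the outside interface.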

Cisco IOS Port Forwarding

So I recently replaced a Cisco ASA with a Cisco 2900 series router and needed to port forward SMTP, HTTP/HTTPS to an internal address from a global outside address.
This is the method I used that worked. For some reason, when I tried to apply it via the route-map, it kept giving me a duplicate IP address warning on the actual server and on the router. I am confused by that, but the following did work for me.

access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
ip nat pool MAILSERVER 10.10.0.14 10.10.0.14 netmask 255.255.255.0 type rotary
ip nat inside destination list 100 pool MAILSERVER

The following did NOT work for me and I’m *not* sure why… can someone shed light?

routerA(config)#ip nat inside source static tcp 74.219.241.254 10.10.0.14 25 route-map lan2wan

Here’s part of the config (that should be relevant…)

interface GigabitEthernet0/0
 description Time Warner Cable 15x2
 ip address 74.219.241.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
end
access-list 10 permit 10.10.0.0 0.0.0.255
ip nat inside source route-map lan2wan interface GigabitEthernet0/0 overload
route-map lan2wan permit 10
match ip address 10

Cisco IOS VPN Authentication via Windows Radius/IAS

Here are the important pieces of the puzzle…
Router:

aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
!
aaa session-id common
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key remote
 dns 10.0.0.10
 domain techish.net
 pool ippool
 acl 105
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map clientmap
!
ip radius source-interface FastEthernet0/1
!
! Split tunnel VPN traffic
access-list 105 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
radius-server host 10.147.204.12 auth-port 1645 acct-port 1646 key cisco

Windows Server 2003 IAS:
Screenshots soon…

Cisco Configuration Audit Tool

Came across a nice tool (a bit old, but apparently still used as a baseline) called Router Audit Tool (RAT) from Center for Internet Security (CIS).

http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rat.windows.installer

Note: This tool does not reflect the Center’s current configuration guidance, is currently unsupported, and will remain so until updated.

Logoff a VPN Session from Cisco ASA 5505

First, review some of the available commands with vpn-sessiondb:

ciscoasa# vpn-sess logoff ?
  all           All sessions
  email-proxy   Email-Proxy sessions
  index         Index specific session
  ipaddress     IP Address specific sessions
  l2l           IPsec LAN-to-LAN sessions
  name          Username specific sessions
  protocol      Protocol specific sessions
  remote        IPsec Remote Access sessions
  svc           SSL VPN Client sessions
  tunnel-group  Tunnel-group sessions
  vpn-lb        VPN Load Balancing Mgmt sessions
  webvpn        WebVPN sessions

Here’s how I log off a VPN session from an ASA. You can also log off all sessions.
To log off a single session based on its index, first get the index.

# show vpn-sessiondb remote
Username     : remoteuser1               Index        : 10030
Assigned IP  : 172.16.0.182           Public IP    : 1.2.3.4
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Bytes Tx     : 220                    Bytes Rx     : 844
Group Policy : MyGroupPolicy         Tunnel Group : tpm
Login Time   : 09:59:32 EDT Wed Sep 21 2011
Duration     : 0h:01m:15s
Inactivity   : 0h:00m:00s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

Look for the user and the associated index ID (Index : 10030 in the output above).
Log off that specific ID:

# vpn-sessiondb logoff index 10030
Do you want to logoff the VPN session(s)? [confirm]
INFO: Session with Index = 10030 has been logged off

Note: you can also log off a specific session based on name (as well as index) if you know the name.
You can log off all sessions by simply using

vpn-sessiondb logoff all
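The two steps above (read the index out of "show vpn-sessiondb remote", then issue "vpn-sessiondb logoff index N") are easy to script when you have many sessions to review. The Python below is an added example, not from the original post: it parses the two-column "Key : value" layout of the show output into one dict per session and builds the logoff commands for a given username or for sessions idle longer than a threshold. The sample output is constructed in the format shown above, not captured from a real ASA.

```python
import re

# Constructed sample in the layout of "show vpn-sessiondb remote" (second session abbreviated)
SAMPLE = """\
Username     : remoteuser1               Index        : 10030
Assigned IP  : 172.16.0.182           Public IP    : 1.2.3.4
Protocol     : IKE IPsecOverNatT
Encryption   : DES 3DES               Hashing      : MD5 SHA1
Login Time   : 09:59:32 EDT Wed Sep 21 2011
Duration     : 0h:01m:15s
Inactivity   : 0h:00m:00s
VLAN Mapping : N/A                    VLAN         : none

Username     : remoteuser2               Index        : 10031
Assigned IP  : 172.16.0.183           Public IP    : 5.6.7.8
Duration     : 2h:30m:05s
Inactivity   : 1h:45m:00s
"""

# A line carries one or two "Key : value" pairs separated by runs of spaces. The lookahead
# ends a value only before the next key (or end of line), so values like 09:59:32 survive.
PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:\s|\s*$)")

def parse_sessions(text):
    """Return one dict per session, keyed by the field names in the output; 'Username' starts a session."""
    sessions = []
    for line in text.splitlines():
        for key, value in PAIR.findall(line):
            if key == "Username":
                sessions.append({})
            if sessions:
                sessions[-1][key] = value.strip()
    return sessions

def _seconds(hms):
    """'0h:01m:15s' -> 75 (the Duration/Inactivity format of the show output)."""
    h, m, s = (int(part[:-1]) for part in hms.split(":"))
    return h * 3600 + m * 60 + s

def logoff_commands(sessions, username=None, max_idle=None):
    """Build 'vpn-sessiondb logoff index N' for sessions matching a username and/or idle > max_idle seconds."""
    cmds = []
    for s in sessions:
        if username and s.get("Username") != username:
            continue
        if max_idle is not None and _seconds(s.get("Inactivity", "0h:00m:00s")) <= max_idle:
            continue
        cmds.append(f"vpn-sessiondb logoff index {s['Index']}")
    return cmds
```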