topic Re: Site to Site IPsec up - can ping from router but not from PC in Network Security

Site to Site IPsec up - can ping from router but not from PC on LAN

anthonyfear — Fri, 21 Feb 2020 11:27:15 GMT

Hi All

I've managed to establish a VPN with another cisco device and can successfully ping a pc on remote end but only if i use command like :

ping 3.0.3.242 source 192.168.6.254

if i try just a ping from router - no luck

if i try to ping from PC on lan - no luck

Config posted below:

Any ideas?

Re: Site to Site IPsec up - can ping from router but not from PC

Jon Marshall — Mon, 11 May 2009 18:29:55 GMT

Anthony

The problem you have is your crypto map acl is

access-list 114 permit ip 192.168.6.0 0.0.0.255 3.0.0.0 0.255.255.255

so when you use fa0/0 as the source then the address matches ie. 192.168.6.254 is out of the 192.168.6.0/24 network.

But any clients on the 192.168.6.0/24 network will be natted as they go through the router so they will not have a 192.168.6.x address anymore, they will be natted to the public address on the Dialer0 interface. So they will never match on acl 114.

This doesn't apply to packets sourced from fa0/0 ie. they don't get natted.

Jon

Re: Site to Site IPsec up - can ping from router but not from PC

anthonyfear — Tue, 12 May 2009 20:04:52 GMT

Hi Jon

Thanks for your comments - that makes sense but how do i get around it?

I guess I should amend the acl 114? But in what way?

Thanks

Anthony

Re: Site to Site IPsec up - can ping from router but not from PC

Jon Marshall — Tue, 12 May 2009 20:21:23 GMT

You do need to amend acl 114. Thing is that your outside address that are you Natting the source addresses to is negotiated so you don't know what it will be, unless you always negotiate the same address.

So the acl would look like -

access-list 114 permit ip host 3.0.0.0 0.255.255.255

you could replace with "any" which would definitely work but it would be better if you could work out the Natted IP.

Jon

Re: Site to Site IPsec up - can ping from router but not from PC

anthonyfear — Wed, 13 May 2009 00:56:31 GMT

Hi Jon

My public is always the same so I changed the acl 114 to :

access-list 114 permit ip host [public IP] 3.0.0.0 0.255.255.255

but i can't ping from router or PC

even if i use source 192.168.6.254

so i deleted acl and tried

access-list 114 permit ip any 3.0.0.0 0.255.255.255

and that didn't work either?

show crypto isakmp

shows the vpn as inactive.

Any ideas?

Re: Site to Site IPsec up - can ping from router but not from PC

Jon Marshall — Wed, 13 May 2009 13:44:45 GMT

Are you sure the VPN actually worked beforeyou amended acl 114 because if you use "any" then it should work.

Bear in mind that when you changed acl 114 to use your public IP you also need to amend the acl on the other end as well.

Could you post both configs ?

Jon

Re: Site to Site IPsec up - can ping from router but not from PC

anthonyfear — Wed, 13 May 2009 15:09:16 GMT

Hi jon

The other end is third-party so I can't post config.

I only know VPN works because I can get ping when I use source 192.168.6.254

I tried a debug ip packet 114 and this is the result:

PTIME#ping 3.0.3.242

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.0.3.242, timeout is 2 seconds:

*May 13 17:01:48.483: IP: tableid=0, s=212.115.54.9 (local), d=3.0.3.242 (Dialer

0), routed via RIB

*May 13 17:01:48.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100

, sending

*May 13 17:01:48.483: IP: s=212.115.54.9 (local), d=3.0.3.242 (Dialer0), len 100