cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
802
Views
0
Helpful
3
Replies

IpSec Client-to-Site Tunnel established, but no traffic.

gfitz396
Level 1
Level 1

Im currently studying for my ccna. Ive setup a cisco 891 at my home and trying to get an ipsec tunnel going from my iphone to the 891. I am able to establish a vpn connnection, and I show packets recieved and sent under the show crypto ipsec sa command. If i ping 192.168.1.1 from the iphone i get a respone from my public wan address on Gi0. other than that I am not able to ping/browse local ftp folders ect...any insight would be greatly appreciated!!

 

Building configuration...

Current configuration : 3162 bytes
!
! Last configuration change at 03:10:42 UTC Fri Jan 26 2018 by admin
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$8y..$uo.P./YpZqnfrM3/bWyyv1
!
aaa new-model
!
!
aaa authentication login admin local
aaa authorization network cisco local
!
!
!
!
!
aaa session-id common
!
!
!
!
!
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.1 192.168.1.170
ip dhcp excluded-address 192.168.1.1 192.168.1.171
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool Home
   network 192.168.1.0 255.255.255.0
   dns-server 75.75.75.75 75.75.76.76
   default-router 192.168.1.1
!
ip dhcp pool Utility
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1 255.255.255.0
   dns-server 75.75.75.75
!
!
ip cef
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FTX150301FW
!
!
username admin password 7 0034061414570E5F5F60
!
!
ip ftp username admin
ip ftp password 7 15021E1E14262E7D71
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group cisco
 key Purple90!
 pool VPNPOOL
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
!
crypto dynamic-map map1 10
 set transform-set set1
 reverse-route
!
!
crypto map map1 client authentication list admin
crypto map map1 isakmp authorization list cisco
crypto map map1 client configuration address respond
crypto map map1 10 ipsec-isakmp dynamic map1
!
!
!
!
!
interface FastEthernet0
 !
!
interface FastEthernet1
 !
!
interface FastEthernet2
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 !
!
interface FastEthernet5
 !
!
interface FastEthernet6
 !
!
interface FastEthernet7
 !
!
interface FastEthernet8
 no ip address
 duplex auto
 speed auto
 !
!
interface FastEthernet8.1
 description HomeNetwork (192.168.1.0)
 encapsulation dot1Q 1 native
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet8.2
 description UtilityNet (192.168.2.0)
 encapsulation dot1Q 2
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface GigabitEthernet0
 ip address dhcp
 ip nat outside
 no ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
 crypto map map1
 !
!
interface Vlan1
 no ip address
 !
!
interface Async1
 no ip address
 encapsulation slip
 !
!
ip local pool VPNPOOL 192.168.10.10 192.168.10.20
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 102 interface GigabitEthernet0 overload
ip nat inside source static tcp 192.168.1.170 21 interface GigabitEthernet0 21
ip nat inside source static tcp 192.168.1.170 80 interface GigabitEthernet0 81
ip route 0.0.0.0 0.0.0.0 73.119.248.1
!
access-list 102 permit ip any any
!
!
!
!
!
!
control-plane
 !
!
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 5 15
!
exception data-corruption buffer truncate
scheduler max-task-time 5000
end

3 Replies 3

Philip D'Ath
VIP Alumni
VIP Alumni

Replace access-list 102 with something like this:

 

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 102 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255

access-list 102 permit ip any any

 

I have written a config wizard for Cisco 897's.  You'll be able to re-use a lot of the config on an 891.

http://www.ifm.net.nz/cookbooks/890-isr-wizard.html

hmm, getthing warmer!! i am now able to access applications on my local windows server! ftp and http access. and can ping hosts but cant access anything else. also cant surf the web while on vpn. thanks for your help, ill try out your entire config tomorrow

access-list 106 permit ip 192.168.1.0 0.0.0.255 any

access-list 106 permit ip 192.168.2.0 0.0.0.255 any

 

crypto isakmp client configuration group cisco

  acl 106

Review Cisco Networking for a $25 gift card