08-03-2008 02:44 PM - edited 03-09-2019 09:13 PM
Very standard EZVPN configuration...
EZVPN clients can connect to the server (871 router) and they can ping the router; however, they can't ping computers inside the LAN, but these computers can ping the EZVPN clients without problems. Somebody please help! Thanks!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname CCSPHOMERTR
!
boot-start-marker
boot-end-marker
!
enable secret xxx
!
aaa new-model
!
!
aaa authentication login LOGIN_AUTHEN local
aaa authorization console
aaa authorization exec EXEC_AUTHOR local
aaa authorization network NETWORK_AUTHOR local
!
!
aaa session-id common
!
!
!
!
crypto isakmp policy 100
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP
key XXXXXXXX
dns 10.0.0.254
domain pc-pro.ca
pool IPPOOL_EZVPN
acl ACL_EZVPN_SPLIT
!
!
crypto ipsec transform-set IPSEC_TRANS_EZVPN esp-aes esp-md5-hmac
!
crypto dynamic-map EZVPN_DYNAMIC_MAP 1
set transform-set IPSEC_TRANS_EZVPN
reverse-route
!
!
crypto map VPN_MAP client authentication list LOGIN_AUTHEN
crypto map VPN_MAP isakmp authorization list NETWORK_AUTHOR
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 65535 ipsec-isakmp dynamic EZVPN_DYNAMIC_MAP discover
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1 10.0.0.3
ip dhcp excluded-address 10.0.0.254
!
ip dhcp pool VLAN10_IP_POOL
network 10.0.0.0 255.255.255.0
default-router 10.0.0.254
dns-server 10.0.0.254
domain-name pc-pro.ca
!
ip dhcp pool VISTA_IP_POOL
host 10.0.0.3 255.255.255.0
client-identifier 0100.1a92.d12a.de
default-router 10.0.0.254
dns-server 10.0.0.254
domain-name pc-pro.ca
!
!
no ip bootp server
ip domain name pc-pro.ca
!
multilink bundle-name authenticated
!
!
username support privilege 15 secret xxx
archive
log config
hidekeys
!
!
ip ssh rsa keypair-name RSA_SSH
!
!
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
!
interface FastEthernet4
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VPN_MAP
!
interface Vlan1
no ip address
!
interface Vlan10
ip address 10.0.0.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool IPPOOL_EZVPN 10.255.255.1 10.255.255.253
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source list ACL_NAT interface FastEthernet4 overload
ip nat inside source static tcp 10.0.0.2 22 interface FastEthernet4 2222
!
ip access-list extended ACL_EZVPN_SPLIT
permit ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255
ip access-list extended ACL_NAT
deny ip 10.0.0.0 0.0.0.255 10.255.255.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
!
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 60 0
authorization exec EXEC_AUTHOR
login authentication LOGIN_AUTHEN
no modem enable
line aux 0
line vty 0 4
exec-timeout 60 0
authorization exec EXEC_AUTHOR
logging synchronous
login authentication LOGIN_AUTHEN
transport input ssh
!
scheduler max-task-time 5000
!
webvpn cef
end
08-03-2008 06:45 PM
Change your split tunnel to the following:
access-list 10 permit ip 10.0.0.0 0.0.0.255
It should work now.
Then:
crypto isakmp client configuration group EZVPN_GROUP
acl 10
Good luck.
Please rate if helpful.
08-04-2008 12:10 AM
Thank you for your quick reply! However, it still doesn't work...
Here is my config now:
crypto isakmp client configuration group EZVPN_GROUP
key XXXXXXXX
dns 10.0.0.254
domain pc-pro.ca
pool IPPOOL_EZVPN
acl 1
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
By the way, the standard access-list can't specify "ip" in the list. It's not the problem, right?
I don't think the split tunneling works, because after the connection the client doesn't show the "secured routes" to 10.0.0.0. Instead it shows 0.0.0.0 255.255.255.255, just like no split tunneling at all. I also tried no split tunneling, but it doesn't work either... Please advise. Thanks!
08-04-2008 06:08 AM
Do the following.
Keep the split tunnel ACL as I told you, I mean the new one.
First change the client pool to:
ip local pool IPPOOL_EZVPN 10.200.200.1 10.200.200.253
Then change the NAT as follows:
ip nat inside source route-map NATING interface FastEthernet4 overload
route-map NATING permit 10
match ip address ACL_NAT
ip access-list extended ACL_NAT
deny ip 10.0.0.0 0.0.0.255 10.200.200.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
About the "ip" in the split tunnel, don't worry.
Do as I told you before, the simple standard one,
and let me know.
Good luck.
08-04-2008 09:55 AM
Here is my config now:
crypto isakmp client configuration group EZVPN_GROUP
key XXXXXXXX
dns 10.0.0.254
domain pc-pro.ca
pool IPPOOL_EZVPN
acl 1
!
!
ip local pool IPPOOL_EZVPN 10.200.200.1 10.200.200.253
!
!
access-list 1 permit 10.0.0.0 0.0.0.255
!
route-map ROUTE_MAP_NAT permit 10
match ip address ACL_NAT
!
ip access-list extended ACL_NAT
deny ip 10.0.0.0 0.0.0.255 10.200.200.0 0.0.0.255
permit ip 10.0.0.0 0.0.0.255 any
Still doesn't work... The split tunneling standard ACL doesn't seem to work. Please see the attachment. Anyway, the split tunneling shouldn't be the problem, right? Even without the split tunneling it still won't work...
However, if I use "tracert" I do get a reply from the router (10.0.0.254) but no further replies. It seems like the router itself doesn't know how to forward the ping...
Please help! Thanks!
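The two things argued over in the last two posts, whether the NAT ACL exempts LAN-to-pool traffic ahead of the overload permit and whether the split-tunnel ACL actually covers the LAN (and is even legal IOS syntax), can be checked offline against a config dump. The following Python script is an added example, not from this thread or from Cisco. It embeds a constructed, cut-down copy of the configuration above; the `ip nat inside source route-map ROUTE_MAP_NAT ...` line and the LAN prefix 10.0.0.0/24 are assumptions, since the post shows the route-map but not the statement that binds it to NAT.

```python
"""Offline check of the EZVPN plumbing this thread argues about (added example):
does the NAT ACL exempt LAN -> VPN-pool traffic ahead of the overload permit, does
the split-tunnel ACL cover the LAN, and is that ACL syntactically legal in IOS.
Limits: contiguous wildcards only, no port qualifiers, reverse-route not checked."""
import ipaddress
import re

# Constructed sample: the OP's config after the route-map change. The
# "ip nat inside source route-map" line is an assumption; the post shows
# the route-map but not the statement that binds it to NAT.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group EZVPN_GROUP
 pool IPPOOL_EZVPN
 acl 1
ip local pool IPPOOL_EZVPN 10.200.200.1 10.200.200.253
ip nat inside source route-map ROUTE_MAP_NAT interface FastEthernet4 overload
access-list 1 permit 10.0.0.0 0.0.0.255
route-map ROUTE_MAP_NAT permit 10
 match ip address ACL_NAT
ip access-list extended ACL_NAT
 deny ip 10.0.0.0 0.0.0.255 10.200.200.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
"""
LAN = ipaddress.ip_network("10.0.0.0/24")      # assumed: Vlan10, the "ip nat inside" side
ANY = ipaddress.ip_network("0.0.0.0/0")
PROTOS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ahp"}
TOP = re.compile(r"^(crypto |interface |ip local pool |ip nat inside source |"
                 r"ip access-list |access-list |route-map |!|end$)")


def _addr(tok, i):
    """Consume 'any' | 'host A' | 'A WILDCARD' | 'A' at tok[i]; return (net, next i)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    if i + 1 < len(tok) and re.fullmatch(r"[\d.]+", tok[i + 1]):   # address + wildcard
        prefix = bin(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[i + 1]))).count("1")
        return ipaddress.ip_network((tok[i], prefix), strict=False), i + 2
    return ipaddress.ip_network(tok[i]), i + 1


def _ace(tok, kind):
    src, i = _addr(tok, 2 if kind == "extended" else 1)          # tok[1] = protocol
    dst = _addr(tok, i)[0] if kind == "extended" else ANY        # standard: source only
    return {"action": tok[0], "src": src, "dst": dst}


def parse_config(text):
    cfg = {"pools": {}, "groups": {}, "acls": {}, "nat": [], "routemaps": {}, "errors": []}
    ctx = None
    for tok in (line.split() for line in text.splitlines()):
        if not tok:
            continue
        line = " ".join(tok)
        if TOP.match(line):                                   # new top-level statement
            ctx = None
            if line.startswith("crypto isakmp client configuration group "):
                ctx, cfg["groups"][tok[5]] = ("group", tok[5]), {}
            elif line.startswith("ip local pool "):
                cfg["pools"][tok[3]] = tuple(ipaddress.ip_address(a) for a in tok[4:6])
            elif line.startswith("ip nat inside source "):
                cfg["nat"].append((tok[4], tok[5]))           # ('list', ACL) / ('route-map', RM)
            elif line.startswith("ip access-list "):
                ctx, cfg["acls"][tok[3]] = ("acl", tok[3]), {"kind": tok[2], "aces": []}
            elif line.startswith("route-map "):
                ctx, _ = ("routemap", tok[1]), cfg["routemaps"].setdefault(tok[1], [])
            elif line.startswith("access-list ") and tok[2] in ("permit", "deny"):
                kind = "extended" if 100 <= int(tok[1]) < 1300 or int(tok[1]) >= 2000 else "standard"
                acl = cfg["acls"].setdefault(tok[1], {"kind": kind, "aces": []})
                if kind == "standard" and tok[3] in PROTOS:
                    cfg["errors"].append(f"access-list {tok[1]}: a standard ACL takes no protocol "
                                         f"keyword ('{tok[3]}'); IOS rejects this line")
                else:
                    acl["aces"].append(_ace(tok[2:], kind))
        elif ctx and ctx[0] == "group" and tok[0] in ("pool", "acl"):
            cfg["groups"][ctx[1]][tok[0]] = tok[1]
        elif ctx and ctx[0] == "acl" and tok[0] in ("permit", "deny"):
            cfg["acls"][ctx[1]]["aces"].append(_ace(tok, cfg["acls"][ctx[1]]["kind"]))
        elif ctx and ctx[0] == "routemap" and tok[:3] == ["match", "ip", "address"]:
            cfg["routemaps"][ctx[1]].extend(tok[3:])
    return cfg


def audit(text, lan=LAN):
    """Findings for the LAN host -> VPN client reply path; [] means consistent."""
    cfg = parse_config(text)
    out = list(cfg["errors"])
    nat_acls = [n for kind, ref in cfg["nat"]
                for n in ([ref] if kind == "list" else cfg["routemaps"].get(ref, []))]
    for gname, g in cfg["groups"].items():
        pool = cfg["pools"][g["pool"]]
        if "acl" in g:                                        # split tunnelling configured
            aces = cfg["acls"].get(g["acl"], {"aces": []})["aces"]
            if not any(a["action"] == "permit" and a["src"].overlaps(lan) for a in aces):
                out.append(f"group {gname}: split acl {g['acl']} pushes no route for {lan}")
        host = next(iter(lan.hosts()))
        for n in nat_acls:                       # first ACE hit for LAN host -> pool address
            hits = [next((a["action"] for a in cfg["acls"][n]["aces"]
                          if host in a["src"] and p in a["dst"]), "deny") for p in pool]
            if "permit" in hits:
                out.append(f"NAT acl {n} translates {lan} -> {pool[0]}-{pool[1]}: add a "
                           "deny for the VPN pool ahead of the overload permit")
    return out
```

`audit(SAMPLE_CONFIG)` returns an empty list for the configuration as posted: the deny for 10.200.200.0/24 sits ahead of the overload permit, and the standard ACL 1 covers the LAN. Removing that deny line, or giving a standard numbered ACL the `ip` keyword that the first reply suggested, each produces a finding. The script checks configuration consistency only; whether a LAN host answers a ping from a source outside its own subnet is a host-side question it cannot see.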
08-04-2008 01:05 PM
I just tried an extended ping on the router. I specified the source interface as F4 (external interface) and pinged an internal IP, 10.0.0.3, and it couldn't go through. Is that normal? A normal ping works...
CCSPHOMERTR#ping
*Aug 4 20:58:30.420: %SYS-5-CONFIG_I: Configured from console by support on consol
Protocol [ip]:
Target IP address: 10.0.0.3
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: fastethernet 4
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
Packet sent with a source address of 70.64.22.2
.....
Success rate is 0 percent (0/5)
CCSPHOMERTR#ping 10.0.0.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.3, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
08-04-2008 05:10 PM
Hi dear,
Keep the config as I told you and as you have done after the change.
Only one thing I want you to change:
the split tunnel.
This one I have just tried and it's working:
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
Then
go to your VPN group configuration
and do
no acl 10
then
acl 100
and let me know.
By the way, make a loopback interface and try to ping it after you change the split tunnel to acl 100.
Good luck.
08-04-2008 06:27 PM
Still the same... I don't think it's because of split-tunneling. I should be able to ping the internal network even without split tunneling.
crypto isakmp client configuration group EZVPN_GROUP
key XXXXXXXX
dns 10.0.0.254
domain pc-pro.ca
pool IPPOOL_EZVPN
acl 101
!
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
08-04-2008 07:10 PM
Then fix the router problem,
and now your VPN config should be fine.
Good luck.
If you need any more help, just post here.
Please rate if helpful.