11-21-2020 11:34 PM
I have the below config on the router. VPN from a Windows 10 PC is connected but cannot ping the internal network. Please guide me.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login telnet local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
!
transport-map type persistent telnet telnethandler
connection wait none
!
!
!
!
!
!
!
!
ip name-server 84.X.X.55 84.XX.X.230
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 no-xauth
!
crypto isakmp client configuration group cisco
key cisco123
pool vpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
!
!
!
crypto dynamic-map mymap 1
set nat demux
set transform-set myset
reverse-route
!
!
!
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic mymap
interface Loopback1
ip address 192.168.160.1 255.255.255.0
!
interface GigabitEthernet0/0/0
ip address 51.X.X.247 255.255.255.0
ip nat outside
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/0/1
ip address 10.10.40.1 255.255.255.0
ip nat inside
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 10.0.2.2 255.255.255.0
ip nat inside
media-type sfp
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 50.50.50.1 255.255.255.0
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback1
ip nat inside
peer default ip address pool vpnpool
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
router ospf 1
network 10.10.40.1 0.0.0.0 area 0
network 51.211.161.247 0.0.0.0 area 0
!
ip local pool PP 192.168.0.10 192.168.0.15
ip local pool vpnpool 192.168.160.1 192.168.160.10
ip http server
ip http secure-server
ip forward-protocol nd
ip nat inside source list natlist interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 51.X.X.246
ip route 10.0.0.0 255.255.255.0 10.0.2.1
ip route 10.0.1.0 255.255.255.0 10.0.2.1
ip route 10.0.2.0 255.255.255.0 10.0.2.1
ip route 10.0.3.0 255.255.255.0 10.0.2.1
ip route 10.0.4.0 255.255.255.0 10.0.2.1
ip route 10.10.50.0 255.255.255.0 10.10.40.2
ip route 10.100.0.0 255.255.255.0 10.0.2.1
ip route 10.110.0.0 255.255.255.0 10.0.2.1
ip route 10.120.0.0 255.255.255.0 10.0.2.1
ip route 20.20.20.0 255.255.255.0 10.10.40.2
ip route 192.168.1.0 255.255.255.0 10.0.2.1
ip route 192.168.10.0 255.255.255.0 10.0.2.1
ip route 192.168.50.0 255.255.255.0 10.10.40.2
ip route 192.168.160.0 255.255.255.0 10.10.40.2
!
ip access-list extended natlist
10 permit ip 10.10.20.0 0.0.0.255 any
20 permit ip 10.0.2.0 0.0.0.255 any
30 permit ip 10.0.3.0 0.0.0.255 any
40 permit ip 10.0.4.0 0.0.0.255 any
50 permit ip 10.100.0.0 0.0.0.255 any
60 permit ip 10.110.0.0 0.0.0.255 any
70 permit ip 10.120.0.0 0.0.0.255 any
80 permit ip 10.0.0.0 0.0.0.255 any
90 permit ip 10.0.1.0 0.0.0.255 any
100 permit ip 192.168.10.0 0.0.0.255 any
110 permit ip 192.168.50.0 0.0.0.255 any
120 permit ip 10.10.30.0 0.0.0.255 any
130 permit ip 192.168.40.0 0.0.0.255 any
140 permit ip 192.168.2.0 0.0.0.255 any
150 permit ip 20.20.20.0 0.0.0.255 any
160 permit ip 10.10.40.0 0.0.0.255 any
170 permit ip 10.10.50.0 0.0.0.255 any
180 permit ip 192.168.3.0 0.0.0.255 any
190 permit ip 192.168.160.0 0.0.0.255 any
200 permit ip 192.168.1.0 0.0.0.255 any
!
!
Please guide me to be able to ping the internal network 10.10.40.2, as I have my core switch connected on this port.
11-24-2020 10:52 AM
AtheerISR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
11-24-2020 10:36 AM - edited 12-01-2020 09:49 AM
.....
11-24-2020 09:25 AM
Is there any other way to connect remote clients to use VPN and use internal network resources other than L2TP? Because I would like to try that.
11-24-2020 10:08 AM
As far as I know, secure and L2 for Windows, this is the only solution.
But we must try and try until success.
11-24-2020 10:35 AM
IPv4 Crypto ISAKMP SA
dst src state conn-id status
51.211.161.247 109.183.131.74 QM_IDLE 1019 ACTIVE
IPv6 Crypto ISAKMP SA
This is what I got. I cleared everything as per your command, still the same. Do I need to reboot with appxk9 no boot?
11-24-2020 10:37 AM
AtheerISR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
51.211.161.247 2.88.118.195 MM_NO_STATE 1024 ACTIVE (deleted)
51.211.161.247 2.88.118.195 MM_NO_STATE 1023 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
Now when I'm trying to connect I get this message; that's my computer's public IP.
11-24-2020 10:39 AM - edited 11-24-2020 11:23 AM
....
11-24-2020 10:41 AM - edited 11-24-2020 11:23 AM
....
11-24-2020 11:04 AM
I'm still not connected... still the same error.
11-24-2020 11:36 AM - edited 12-01-2020 09:50 AM
...
11-24-2020 11:03 AM - edited 11-27-2020 05:03 AM
.....
11-24-2020 11:33 AM
This was there earlier; now I'm not getting that.
AtheerISR#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
51.211.161.247 2.88.118.195 MM_NO_STATE 1024 ACTIVE (deleted)
51.211.161.247 2.88.118.195 MM_NO_STATE 1023 ACTIVE (deleted)
IPv6 Crypto ISAKMP SA
This is what I'm getting now...
11-24-2020 12:12 PM
Show license in ISR? Let's see what license appears and whether it is active or not.
11-24-2020 12:18 PM - edited 11-24-2020 12:42 PM
Hi,
In addition to my previous post I would like to let you know that I have set up your original router configuration in my lab and could ping all the router interfaces including LAN 10.10.40.1 from my PC connected via L2TP/IPSEC just fine. I am sorry I could not provide any further advice.
Best regards,
Antonin
11-24-2020 12:30 PM - edited 11-27-2020 05:02 AM
....