vpdn l2tp internal network cannot ping

kev_mas01
Level 1

I have the below config on the router. The VPN from a Windows 10 PC connects, but I cannot ping the internal network. Please guide me.

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login telnet local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
!
transport-map type persistent telnet telnethandler
connection wait none
!
!
!
!
!
!
!
!
ip name-server 84.X.X.55 84.XX.X.230


multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 no-xauth
!
crypto isakmp client configuration group cisco
key cisco123
pool vpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
!
!
!
crypto dynamic-map mymap 1
set nat demux
set transform-set myset
reverse-route
!
!
!
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic mymap

interface Loopback1
ip address 192.168.160.1 255.255.255.0
!
interface GigabitEthernet0/0/0
ip address 51.X.X.247 255.255.255.0
ip nat outside
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/0/1
ip address 10.10.40.1 255.255.255.0
ip nat inside
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 10.0.2.2 255.255.255.0
ip nat inside
media-type sfp
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 50.50.50.1 255.255.255.0
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback1
ip nat inside
peer default ip address pool vpnpool
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
router ospf 1
network 10.10.40.1 0.0.0.0 area 0
network 51.211.161.247 0.0.0.0 area 0
!
ip local pool PP 192.168.0.10 192.168.0.15
ip local pool vpnpool 192.168.160.1 192.168.160.10
ip http server
ip http secure-server
ip forward-protocol nd
ip nat inside source list natlist interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 51.X.X.246
ip route 10.0.0.0 255.255.255.0 10.0.2.1
ip route 10.0.1.0 255.255.255.0 10.0.2.1
ip route 10.0.2.0 255.255.255.0 10.0.2.1
ip route 10.0.3.0 255.255.255.0 10.0.2.1
ip route 10.0.4.0 255.255.255.0 10.0.2.1
ip route 10.10.50.0 255.255.255.0 10.10.40.2
ip route 10.100.0.0 255.255.255.0 10.0.2.1
ip route 10.110.0.0 255.255.255.0 10.0.2.1
ip route 10.120.0.0 255.255.255.0 10.0.2.1
ip route 20.20.20.0 255.255.255.0 10.10.40.2
ip route 192.168.1.0 255.255.255.0 10.0.2.1
ip route 192.168.10.0 255.255.255.0 10.0.2.1
ip route 192.168.50.0 255.255.255.0 10.10.40.2
ip route 192.168.160.0 255.255.255.0 10.10.40.2
!

ip access-list extended natlist
10 permit ip 10.10.20.0 0.0.0.255 any
20 permit ip 10.0.2.0 0.0.0.255 any
30 permit ip 10.0.3.0 0.0.0.255 any
40 permit ip 10.0.4.0 0.0.0.255 any
50 permit ip 10.100.0.0 0.0.0.255 any
60 permit ip 10.110.0.0 0.0.0.255 any
70 permit ip 10.120.0.0 0.0.0.255 any
80 permit ip 10.0.0.0 0.0.0.255 any
90 permit ip 10.0.1.0 0.0.0.255 any
100 permit ip 192.168.10.0 0.0.0.255 any
110 permit ip 192.168.50.0 0.0.0.255 any
120 permit ip 10.10.30.0 0.0.0.255 any
130 permit ip 192.168.40.0 0.0.0.255 any
140 permit ip 192.168.2.0 0.0.0.255 any
150 permit ip 20.20.20.0 0.0.0.255 any
160 permit ip 10.10.40.0 0.0.0.255 any
170 permit ip 10.10.50.0 0.0.0.255 any
180 permit ip 192.168.3.0 0.0.0.255 any
190 permit ip 192.168.160.0 0.0.0.255 any
200 permit ip 192.168.1.0 0.0.0.255 any
!
!
Please guide me on how to be able to ping the internal network 10.10.40.2, as my core switch is connected on this port.
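As an added example (an editor's rewrite, not part of the original post and not Cisco documentation), the following is a hardened version of the router side of the configuration above. It keeps the poster's interface names, pool name and ACL name. The pool range .2-.10, the PSK placeholder, the OSPF and static-route changes, and the assumption that the Windows 10 client can negotiate AES-256/SHA/group 14 are the editor's; anything the client cannot offer shows up as a failed phase 1 in "show crypto isakmp sa".

```cisco
! Added example: editor's hardened rewrite of the router side of the posted config.
! Not the original poster's config and not Cisco documentation. Assumptions: the
! pool range .2-.10, the PSK placeholder, the OSPF/static-route changes, and that
! the Windows client offers the IKE/IPsec proposals chosen here (confirm with
! "show crypto isakmp sa" and "show crypto ipsec sa" after a client connects).
!
! --- 1. IKEv1 main mode -----------------------------------------------------------
! 3DES/group 2 replaced by AES-256/group 14. The wildcard peer stays because road-
! warrior source addresses are unknown, so the PSK is the only thing keeping
! strangers out of phase 1: make it long and random, not "cisco". "no-xauth" stays:
! the built-in Windows L2TP client does not do XAUTH; the user is authenticated by PPP.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 3600
crypto isakmp key 0 REPLACE-WITH-LONG-RANDOM-PSK address 0.0.0.0 no-xauth
! The "client configuration group cisco" block is an EzVPN remnant that this
! L2TP/IPsec setup never uses; drop it so a second, weak key is not left in the config.
no crypto isakmp client configuration group cisco
!
! --- 2. IPsec quick mode ----------------------------------------------------------
! Transport mode protects the L2TP/UDP packets between client and router;
! "set nat demux" keeps several NAT-T clients behind one public address apart.
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
 mode transport
crypto dynamic-map mymap 1
 set nat demux
 set transform-set myset
 reverse-route
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic mymap
!
! --- 3. L2TP / PPP ----------------------------------------------------------------
vpdn enable
vpdn-group l2tp
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
! The posted pool starts at 192.168.160.1, which is also Loopback1's own address.
! Start it one higher so no client can be handed the router's address.
interface Loopback1
 ip address 192.168.160.1 255.255.255.0
ip local pool vpnpool 192.168.160.2 192.168.160.10
!
interface Virtual-Template1
 ip unnumbered Loopback1
 ip nat inside
 peer default ip address pool vpnpool
 ppp authentication ms-chap-v2
 ! MPPE is redundant under IPsec but harmless; MS-CHAPv2 is only acceptable here
 ! because the whole PPP exchange already travels inside ESP.
 ppp encrypt mppe 128
!
! --- 4. Return path (the usual reason for "connected but cannot ping") ------------
! The posted OSPF covers only 10.10.40.1 and the public interface, so the core
! switch at 10.10.40.2 learns nothing about 192.168.160.0/24 unless it happens to
! default-route back to this router. Advertise the pool network (passive: no hellos
! on a loopback) and stop running OSPF towards the Internet. The posted static route
! sending 192.168.160.0/24 to 10.10.40.2 is removed: it would hand the router's own
! pool to the core switch should Loopback1 ever go down.
router ospf 1
 passive-interface Loopback1
 no network 51.211.161.247 0.0.0.0 area 0
 network 10.10.40.1 0.0.0.0 area 0
 network 192.168.160.0 0.0.0.255 area 0
no ip route 192.168.160.0 255.255.255.0 10.10.40.2
!
! --- 5. NAT for full-tunnel clients -----------------------------------------------
! With "Use default gateway on remote network" ticked on the PC, the client's
! Internet traffic arrives on Virtual-Access (nat inside) and must be translated on
! Gi0/0/0, so the pool has to be permitted in natlist (the posted ACL does this at 190).
ip access-list extended natlist
 190 permit ip 192.168.160.0 0.0.0.255 any
ip nat inside source list natlist interface GigabitEthernet0/0/0 overload
!
! --- 6. Management plane ----------------------------------------------------------
! Plain-HTTP management on a router with a public interface is needless exposure.
no ip http server
```

After a Windows client connects, the checks worth running on the router are "show vpdn session" (the L2TP session exists), "show crypto isakmp sa" and "show crypto ipsec sa" (phase 1 and 2 up with the expected proposals), "show ip route 192.168.160.2" (a host route via the Virtual-Access interface), and "show ip nat translations" for the full-tunnel Internet case; on the core switch, confirm that 192.168.160.0/24 is reachable via 10.10.40.1, since a missing return route produces exactly the symptom in this thread. Whether the PC sends its Internet traffic through the tunnel or directly is decided on the Windows side by the "Use default gateway on remote network" checkbox mentioned later in the thread: with it unticked, Windows installs only a class-based route for the pool network, so routes for the internal prefixes (10.10.40.0/24 and the rest) have to be added on the PC.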

 

Hey all, it works except for one thing now: if I uncheck IPv4 default in the VPN, I can access the internet, but when I check it I can access my internal resources and cannot access the internet. Is there a way I can access both the internet and internal resources over the VPN?

Hi,

Yes, there may be a way to overcome this issue, but before we start to dig for the solution can you please post the outputs I asked for in my previous post - the reason being that, in my view, what you are experiencing is an indication of another problem we should try to solve first.

I am sorry to say that in the next few hours I will not be able to act and answer, as I am rather busy today, but I will come back to you later. In the meantime, can you please also check your WiFi settings (if used), as these may interfere with your VPN addressing.

Best regards,

Antonin


AtheerISR#sh ip int br
Interface              IP-Address       OK? Method Status                Protocol
GigabitEthernet0/0/0   51.211.161.247   YES NVRAM  up                    up
GigabitEthernet0/0/1   10.10.40.1       YES NVRAM  up                    up
GigabitEthernet0/0/2   10.0.2.2         YES NVRAM  up                    up
GigabitEthernet0       50.50.50.1       YES NVRAM  down                  down
Loopback0              172.10.1.1       YES manual up                    up
Virtual-Access1        unassigned       YES unset  down                  down
Virtual-Access2        unassigned       YES unset  up                    up
Virtual-Access3        unassigned       YES unset  down                  down
Virtual-Template2      172.10.1.1       YES unset  down                  down

AtheerISR#sh ip rou
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 51.211.161.246 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 51.211.161.246
      10.0.0.0/8 is variably subnetted, 6 subnets, 2 masks
C        10.0.2.0/24 is directly connected, GigabitEthernet0/0/2
L        10.0.2.2/32 is directly connected, GigabitEthernet0/0/2
O        10.10.20.0/24 [110/2] via 10.10.40.2, 4d21h, GigabitEthernet0/0/1
C        10.10.40.0/24 is directly connected, GigabitEthernet0/0/1
L        10.10.40.1/32 is directly connected, GigabitEthernet0/0/1
O        10.10.50.0/24 [110/2] via 10.10.40.2, 4d21h, GigabitEthernet0/0/1
      51.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        51.211.161.0/24 is directly connected, GigabitEthernet0/0/0
L        51.211.161.247/32 is directly connected, GigabitEthernet0/0/0
      172.10.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.10.1.0/24 is directly connected, Loopback0
L        172.10.1.1/32 is directly connected, Loopback0
O     192.168.2.0/24 [110/2] via 10.10.40.2, 4d21h, GigabitEthernet0/0/1
O     192.168.50.0/24 [110/2] via 10.10.40.2, 4d21h, GigabitEthernet0/0/1
AtheerISR#

After connecting the VPN on my system, the output is below:


C:\Users\Developer>ipconfig /all

Windows IP Configuration

Host Name . . . . . . . . . . . . : AT
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Ethernet 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Intel(R) 82579LM Gigabit Network Connection
Physical Address. . . . . . . . . : 90-B1-1C-83-EC-B9
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 1:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter
Physical Address. . . . . . . . . : CE-D7-19-1D-33-44
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

Wireless LAN adapter Local Area Connection* 2:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Microsoft Wi-Fi Direct Virtual Adapter #2
Physical Address. . . . . . . . . : CA-D7-19-1D-33-44
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

PPP adapter office:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : office
Physical Address. . . . . . . . . :
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 172.31.1.6(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
DNS Servers . . . . . . . . . . . : 84.235.6.55
                                    84.235.57.230
NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wi-Fi 2:

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Linksys AE3000
Physical Address. . . . . . . . . : C8-D7-19-1D-33-44
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::3c07:a136:b4e2:a173%2(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.3.85(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, November 30, 2020 5:06:28 PM
Lease Expires . . . . . . . . . . : Wednesday, December 2, 2020 5:06:27 AM
Default Gateway . . . . . . . . . : 192.168.3.1
DHCP Server . . . . . . . . . . . : 192.168.3.1
DHCPv6 IAID . . . . . . . . . . . : 466147097
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-FE-16-E1-98-90-96-D8-D6-08
DNS Servers . . . . . . . . . . . : 192.168.3.1
NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Bluetooth Network Connection 4:

Media State . . . . . . . . . . . : Media disconnected
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network) #4
Physical Address. . . . . . . . . : 00-1A-7D-DA-71-13
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes

C:\Users\Developer>

Hi,

Thanks for the information supplied. I regret that I did not emphasize that I am interested in seeing the router command output while the VPN client is connected - my fault.

Can you please add the following line at the beginning of the ip access-list extended natlist:

"5 deny ip any 172.31.1.0 0.0.0.255"

and try to ping your router's local interfaces (from the VPN-connected PC) with the "Use default gateway on remote network" parameter of your WAN Miniport (L2TP) set (i.e. the default).

Best regards,

Antonin

Thanks all for the help. It's all working perfectly fine now.

I am so, so happy for you; good work, friends.
For split tunnel, please see this link:
https://support.zyxel.eu/hc/en-us/articles/360001121480-L2TP-Over-IPSEC-VPN-Split-Tunneling.

Good luck, friend.

Hi,

I was trying to connect to see if I could help you troubleshoot (109.183.131.74 is my IP address) - unfortunately it failed. I also checked the configuration supplied and could not find any issue. Sorry to disturb you.

Best regards,

Antonin

https://www.magnumvpn.com/setup-windows-10-firewall-l2tp.html 

Check this link first.
For me the config is good, no problem, but I will double check.

I have tried the firewall and have attached the new debug.

Thanks for the help. It's all working fine. Finally all solved.