11-21-2020 11:34 PM
I have the below config on the router. The VPN from a Windows 10 PC is connected but cannot ping the internal network. Please guide me.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login telnet local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
!
transport-map type persistent telnet telnethandler
connection wait none
!
!
!
!
!
!
!
!
ip name-server 84.X.X.55 84.XX.X.230
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 no-xauth
!
crypto isakmp client configuration group cisco
key cisco123
pool vpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
!
!
!
crypto dynamic-map mymap 1
set nat demux
set transform-set myset
reverse-route
!
!
!
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic mymap
interface Loopback1
ip address 192.168.160.1 255.255.255.0
!
interface GigabitEthernet0/0/0
ip address 51.X.X.247 255.255.255.0
ip nat outside
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/0/1
ip address 10.10.40.1 255.255.255.0
ip nat inside
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 10.0.2.2 255.255.255.0
ip nat inside
media-type sfp
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 50.50.50.1 255.255.255.0
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback1
ip nat inside
peer default ip address pool vpnpool
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
router ospf 1
network 10.10.40.1 0.0.0.0 area 0
network 51.211.161.247 0.0.0.0 area 0
!
ip local pool PP 192.168.0.10 192.168.0.15
ip local pool vpnpool 192.168.160.1 192.168.160.10
ip http server
ip http secure-server
ip forward-protocol nd
ip nat inside source list natlist interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 51.X.X.246
ip route 10.0.0.0 255.255.255.0 10.0.2.1
ip route 10.0.1.0 255.255.255.0 10.0.2.1
ip route 10.0.2.0 255.255.255.0 10.0.2.1
ip route 10.0.3.0 255.255.255.0 10.0.2.1
ip route 10.0.4.0 255.255.255.0 10.0.2.1
ip route 10.10.50.0 255.255.255.0 10.10.40.2
ip route 10.100.0.0 255.255.255.0 10.0.2.1
ip route 10.110.0.0 255.255.255.0 10.0.2.1
ip route 10.120.0.0 255.255.255.0 10.0.2.1
ip route 20.20.20.0 255.255.255.0 10.10.40.2
ip route 192.168.1.0 255.255.255.0 10.0.2.1
ip route 192.168.10.0 255.255.255.0 10.0.2.1
ip route 192.168.50.0 255.255.255.0 10.10.40.2
ip route 192.168.160.0 255.255.255.0 10.10.40.2
!
ip access-list extended natlist
10 permit ip 10.10.20.0 0.0.0.255 any
20 permit ip 10.0.2.0 0.0.0.255 any
30 permit ip 10.0.3.0 0.0.0.255 any
40 permit ip 10.0.4.0 0.0.0.255 any
50 permit ip 10.100.0.0 0.0.0.255 any
60 permit ip 10.110.0.0 0.0.0.255 any
70 permit ip 10.120.0.0 0.0.0.255 any
80 permit ip 10.0.0.0 0.0.0.255 any
90 permit ip 10.0.1.0 0.0.0.255 any
100 permit ip 192.168.10.0 0.0.0.255 any
110 permit ip 192.168.50.0 0.0.0.255 any
120 permit ip 10.10.30.0 0.0.0.255 any
130 permit ip 192.168.40.0 0.0.0.255 any
140 permit ip 192.168.2.0 0.0.0.255 any
150 permit ip 20.20.20.0 0.0.0.255 any
160 permit ip 10.10.40.0 0.0.0.255 any
170 permit ip 10.10.50.0 0.0.0.255 any
180 permit ip 192.168.3.0 0.0.0.255 any
190 permit ip 192.168.160.0 0.0.0.255 any
200 permit ip 192.168.1.0 0.0.0.255 any
!
!
Please guide me to be able to ping the internal network 10.10.40.2, as I have my core switch connected on this port.
12-01-2020 09:25 AM - edited 12-01-2020 09:48 AM
Hi,
Thanks for the information supplied. I regret I did not emphasize that I am interested in seeing the router command output at the time the VPN client is connected - my fault.
Can you please add the following line at the beginning of the ip access-list extended natlist:
"5 deny ip any 172.31.1.0 0.0.0.255"
and try to ping your router's local interfaces (from the VPN-connected PC) with the "Use default gateway on remote network" parameter of your WAN Miniport (L2TP) set (i.e. the default).
Best regards,
Antonin
12-01-2020 10:37 AM
I am so, so happy for you, good work friends.
For split tunnel, please see this link:
https://support.zyxel.eu/hc/en-us/articles/360001121480-L2TP-Over-IPSEC-VPN-Split-Tunneling.
Good luck, friend.
11-22-2020 12:26 AM - edited 11-22-2020 12:44 AM
As per my understanding, you are able to ping 10.10.40.2 and not able to ping the other local LAN address space. Is this correct (before I go through the configuration you posted)?
If you are able to ping 10.10.40.2, do you have a route back from 10.10.40.2 to 10.10.40.1 for the below address space? (Or are you learning this route by any other method?)
192.168.160.1 192.168.160.10
Other observation:
You need to deny the VPN traffic in the NAT ACL (192.168.160.1 192.168.160.10) and apply the correct split tunnel. (I hope you are only looking to access LAN resources and send internet traffic out via local breakout?)
11-22-2020 02:01 AM
Hi, there is another Extreme core switch connected to the router ISR 4331,
so the static routes are for those networks.
I can't ping 10.10.40.1 or 10.10.40.2.
11-22-2020 02:10 AM
Can you please guide me with the commands for what changes I will need to make for denying that traffic and making a split tunnel?
11-22-2020 02:17 AM
I only want to access local resources on the LAN, not the internet. I don't want internet traffic via the VPN tunnel; I only need to access local system resources. Please guide me accordingly on what changes I have to make for it to work.
11-22-2020 01:21 AM
Hello,
I cannot really figure out what all the static routes are for. With only a default route, you should be able to access at least the connected networks. At the very least, delete this route:
--> no ip route 192.168.160.0 255.255.255.0 10.10.40.2
Also, change the IP address of the Loopback interface so it is not part of the VPDN pool, e.g.:
interface Loopback1
ip address 172.16.1.1 255.255.255.0
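The three fixes the thread converges on (the loopback address inside the VPN pool, the static route for the pool subnet pointing at the core switch, and the missing deny for client-bound traffic in the NAT ACL) are all visible in the running-config, so they can be checked mechanically. The following lint script is an added example, not code from the thread or from Cisco: it parses the relevant IOS statements (`ip local pool`, interface sub-commands, `ip route`, `ip nat inside source list`, extended ACL entries) and reports those three conditions. The sample configuration is constructed to mirror the poster's config with the public addresses replaced by TEST-NET-3; the finding codes and the assumption that the highest pool address can stand in for a connected client are this example's own.

```python
"""Lint a Cisco IOS config for the L2TP/IPsec mistakes this thread turned up:
VPN pool overlapping the loopback the Virtual-Template is unnumbered to, a
static route claiming the pool, and LAN-to-client traffic matching a permit
in the NAT overload ACL.  Added example; sample config constructed, not the poster's router."""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range

SAMPLE_CONFIG = """\
ip local pool vpnpool 192.168.160.1 192.168.160.10
interface Loopback1
 ip address 192.168.160.1 255.255.255.0
interface GigabitEthernet0/0/1
 ip address 10.10.40.1 255.255.255.0
 ip nat inside
interface Virtual-Template1
 ip unnumbered Loopback1
 ip nat inside
 peer default ip address pool vpnpool
!
ip nat inside source list natlist interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 203.0.113.246
ip route 192.168.160.0 255.255.255.0 10.10.40.2
ip access-list extended natlist
 10 permit ip 10.10.40.0 0.0.0.255 any
"""

# Same config with the thread's fixes: loopback moved out of the pool, bogus route gone, deny first.
FIXED_CONFIG = (
    SAMPLE_CONFIG
    .replace(" ip address 192.168.160.1 255.255.255.0", " ip address 172.16.1.1 255.255.255.0")
    .replace("ip route 192.168.160.0 255.255.255.0 10.10.40.2\n", "")
    .replace("ip access-list extended natlist\n",
             "ip access-list extended natlist\n 5 deny ip any 192.168.160.0 0.0.0.255\n")
)

def _acl_addr(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index).
    IOS wildcards are inverted netmasks (0.0.0.0 = single host); contiguous wildcards only."""
    if tok[i] == "any":
        return IPv4Network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return IPv4Network(tok[i + 1] + "/32"), i + 2
    mask = IPv4Address(int(IPv4Address(tok[i + 1])) ^ 0xFFFFFFFF)
    return IPv4Network((tok[i], str(mask)), strict=False), i + 2

def parse_config(text):
    """Collect pools, interface facts, extended ACL entries, static routes and the NAT ACL name."""
    cfg = {"pools": {}, "ifaces": {}, "acls": {}, "routes": [], "nat_acl": None}
    section = None                      # ("iface", name) or ("acl", name) while inside a block
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0].startswith("!"):
            section = None
        elif tok[0] == "interface":
            section, cfg["ifaces"][tok[1]] = ("iface", tok[1]), {}
        elif tok[:2] == ["ip", "access-list"]:
            section, cfg["acls"][tok[3]] = ("acl", tok[3]), []
        elif section and section[0] == "iface":
            iface = cfg["ifaces"][section[1]]
            if tok[:2] == ["ip", "address"] and len(tok) >= 4:
                iface["ip"] = IPv4Address(tok[2])
                iface["net"] = IPv4Network((tok[2], tok[3]), strict=False)
            elif tok[:2] == ["ip", "unnumbered"]:
                iface["unnumbered"] = tok[2]
            elif tok[:2] == ["ip", "nat"]:
                iface["nat"] = tok[2]
            elif tok[:5] == ["peer", "default", "ip", "address", "pool"]:
                iface["pool"] = tok[5]
        elif section and section[0] == "acl":
            tok = tok[1:] if tok[0].isdigit() else tok      # drop the sequence number
            if tok[0] in ("permit", "deny"):
                src, i = _acl_addr(tok, 2)                  # tok[1] is the protocol
                cfg["acls"][section[1]].append((tok[0], src, _acl_addr(tok, i)[0]))
        elif tok[:3] == ["ip", "local", "pool"]:
            lo, hi = IPv4Address(tok[4]), IPv4Address(tok[5])
            cfg["pools"][tok[3]] = list(summarize_address_range(lo, hi))
        elif tok[:2] == ["ip", "route"]:
            cfg["routes"].append(IPv4Network((tok[2], tok[3]), strict=False))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"] = tok[5]
    return cfg

def lint(text):
    """Return one 'CODE detail' string per problem found; an empty list means clean."""
    cfg, findings = parse_config(text), []
    for vt in cfg["ifaces"].values():
        pool = cfg["pools"].get(vt.get("pool"))
        if not pool:
            continue                    # not a dial-in template
        lo = cfg["ifaces"].get(vt.get("unnumbered"), {})
        if "ip" in lo and any(lo["ip"] in n for n in pool):
            findings.append(f"POOL_OVERLAPS_UNNUMBERED {vt['unnumbered']} {lo['ip']} is inside pool {vt['pool']}")
        for route in cfg["routes"]:     # the default route legitimately covers everything
            if route.prefixlen and any(route.overlaps(n) for n in pool):
                findings.append(f"STATIC_ROUTE_COVERS_POOL {route} claims pool {vt['pool']}")
        client = pool[-1][-1]           # highest pool address stands in for a connected client
        aces = cfg["acls"].get(cfg["nat_acl"], [])
        for lan_name, lan in cfg["ifaces"].items():
            if lan.get("nat") != "inside" or "net" not in lan:
                continue
            host = next(iter(lan["net"].hosts()))
            action = next((a for a, s, d in aces if host in s and client in d), None)
            if action == "permit":      # None (implicit deny) or an explicit deny is what we want
                findings.append(f"NAT_ACL_TRANSLATES_TO_POOL {lan_name} -> {client} hits a permit in "
                                f"{cfg['nat_acl']}; add 'deny ip any <pool>' ahead of it")
    return findings
```

Run `lint(SAMPLE_CONFIG)` to get the three findings and `lint(FIXED_CONFIG)` for an empty list. Only the first-matching ACE decides, which is why the deny has to carry a lower sequence number than the permits; the parser ignores port qualifiers after the addresses and rejects non-contiguous wildcards, which is enough for a NAT ACL like the one posted.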
11-22-2020 02:06 AM
Let me remove the static route; the loopback interface is changed. Still not able to ping the loopback either from the Windows 10 client.
11-22-2020 02:09 AM
Hello,
what CAN you ping from your Windows PC ? Can you access the Internet ?
11-22-2020 02:12 AM
Yes, I can access the internet and ping the public IP of the router, that's it.
I can't ping 10.10.40.1, that's the router port IP, and my core switch IP is 10.10.40.2.
11-22-2020 02:13 AM
What IP address is your PC getting ?
11-22-2020 02:15 AM
11-22-2020 02:58 AM
Hello,
I cannot really see anything wrong with either configuration. Try and disable the Windows firewall.
11-22-2020 11:11 PM
Hi, I need to reboot to activate the appxk9 license, but until yesterday I was able to connect to the VPN. After the reboot I am now getting a message on the Windows PC stating that "a connection to the remote computer could not be established, so the port used for this connection was closed".
I don't understand this error at all. Please help.
11-23-2020 02:45 AM - edited 12-01-2020 09:54 AM
....
11-23-2020 04:26 AM
I just did debug ppp negotiation.
It just says debugging is on.
After that, nothing.