11-21-2020 11:34 PM
I have the below config on the router. VPN from the Windows 10 PC is connected, but I cannot ping the internal network. Please guide me.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login telnet local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
!
transport-map type persistent telnet telnethandler
connection wait none
!
!
!
!
!
!
!
!
ip name-server 84.X.X.55 84.XX.X.230
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto isakmp policy 1
encryption 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 no-xauth
!
crypto isakmp client configuration group cisco
key cisco123
pool vpnpool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
mode transport
!
!
!
!
crypto dynamic-map mymap 1
set nat demux
set transform-set myset
reverse-route
!
!
!
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic mymap
interface Loopback1
ip address 192.168.160.1 255.255.255.0
!
interface GigabitEthernet0/0/0
ip address 51.X.X.247 255.255.255.0
ip nat outside
negotiation auto
crypto map mymap
!
interface GigabitEthernet0/0/1
ip address 10.10.40.1 255.255.255.0
ip nat inside
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 10.0.2.2 255.255.255.0
ip nat inside
media-type sfp
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 50.50.50.1 255.255.255.0
negotiation auto
!
interface Virtual-Template1
ip unnumbered Loopback1
ip nat inside
peer default ip address pool vpnpool
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
router ospf 1
network 10.10.40.1 0.0.0.0 area 0
network 51.211.161.247 0.0.0.0 area 0
!
ip local pool PP 192.168.0.10 192.168.0.15
ip local pool vpnpool 192.168.160.1 192.168.160.10
ip http server
ip http secure-server
ip forward-protocol nd
ip nat inside source list natlist interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 51.X.X.246
ip route 10.0.0.0 255.255.255.0 10.0.2.1
ip route 10.0.1.0 255.255.255.0 10.0.2.1
ip route 10.0.2.0 255.255.255.0 10.0.2.1
ip route 10.0.3.0 255.255.255.0 10.0.2.1
ip route 10.0.4.0 255.255.255.0 10.0.2.1
ip route 10.10.50.0 255.255.255.0 10.10.40.2
ip route 10.100.0.0 255.255.255.0 10.0.2.1
ip route 10.110.0.0 255.255.255.0 10.0.2.1
ip route 10.120.0.0 255.255.255.0 10.0.2.1
ip route 20.20.20.0 255.255.255.0 10.10.40.2
ip route 192.168.1.0 255.255.255.0 10.0.2.1
ip route 192.168.10.0 255.255.255.0 10.0.2.1
ip route 192.168.50.0 255.255.255.0 10.10.40.2
ip route 192.168.160.0 255.255.255.0 10.10.40.2
!
ip access-list extended natlist
10 permit ip 10.10.20.0 0.0.0.255 any
20 permit ip 10.0.2.0 0.0.0.255 any
30 permit ip 10.0.3.0 0.0.0.255 any
40 permit ip 10.0.4.0 0.0.0.255 any
50 permit ip 10.100.0.0 0.0.0.255 any
60 permit ip 10.110.0.0 0.0.0.255 any
70 permit ip 10.120.0.0 0.0.0.255 any
80 permit ip 10.0.0.0 0.0.0.255 any
90 permit ip 10.0.1.0 0.0.0.255 any
100 permit ip 192.168.10.0 0.0.0.255 any
110 permit ip 192.168.50.0 0.0.0.255 any
120 permit ip 10.10.30.0 0.0.0.255 any
130 permit ip 192.168.40.0 0.0.0.255 any
140 permit ip 192.168.2.0 0.0.0.255 any
150 permit ip 20.20.20.0 0.0.0.255 any
160 permit ip 10.10.40.0 0.0.0.255 any
170 permit ip 10.10.50.0 0.0.0.255 any
180 permit ip 192.168.3.0 0.0.0.255 any
190 permit ip 192.168.160.0 0.0.0.255 any
200 permit ip 192.168.1.0 0.0.0.255 any
!
!
Please guide me to be able to ping the internal network 10.10.40.2, as I have my core switch connected on this port.
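Added example, not part of the original post and not Cisco tooling: a small Python audit run over a constructed excerpt of the configuration above. It flags the settings a reviewer would query before exposing this VPN endpoint: 3DES, DH group 2, a pre-shared key bound to address 0.0.0.0, type 0 passwords, Telnet on the vty lines, and a client pool that contains an interface address. The rule labels and the `audit` function are this example's own names.

```python
import ipaddress
import re

# Constructed excerpt assembled from lines of the configuration posted above.
SAMPLE = """\
crypto isakmp policy 1
encryption 3des
group 2
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto ipsec transform-set myset esp-3des esp-sha-hmac
interface Loopback1
ip address 192.168.160.1 255.255.255.0
ip local pool vpnpool 192.168.160.1 192.168.160.10
username cisco password 0 cisco
line vty 0 4
transport input telnet
"""

# Rule labels are this example's own names, not Cisco terminology.
LINE_RULES = [
    ("weak-cipher-3des", r"^\s*encryption 3des\b|\besp-3des\b"),
    ("weak-dh-group2", r"^\s*group 2\s*$"),
    ("wildcard-psk", r"^\s*crypto isakmp key \S+ address 0\.0\.0\.0\b"),
    ("plaintext-password", r"^\s*username \S+ .*\bpassword 0 "),
    ("telnet-vty", r"^\s*transport input .*\btelnet\b"),
]
IFACE_IP = re.compile(r"^\s*ip address (\d+\.\d+\.\d+\.\d+) ")
POOL = re.compile(r"^\s*ip local pool (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")

def audit(config):
    """Return sorted (line_number, rule) findings for an IOS-style config."""
    lines = config.splitlines()
    findings = [(n, rule) for n, line in enumerate(lines, 1)
                for rule, pat in LINE_RULES if re.search(pat, line)]
    # Addresses configured on interfaces; masked ones (51.X.X.247) are skipped.
    iface_ips = [ipaddress.ip_address(m.group(1))
                 for m in map(IFACE_IP.match, lines) if m]
    for n, m in enumerate(map(POOL.match, lines), 1):
        if m:
            lo, hi = (ipaddress.ip_address(a) for a in m.group(2, 3))
            # A pool containing one of the router's own addresses may offer it to a client.
            if any(lo <= ip <= hi for ip in iface_ips):
                findings.append((n, f"pool-{m.group(1)}-overlaps-interface"))
    return sorted(findings)

if __name__ == "__main__":
    for n, rule in audit(SAMPLE):
        print(f"line {n}: {rule}")
```

The checks are line-based and work on flattened or indented output; they report what to review and do not by themselves explain the ping failure.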
11-23-2020 04:42 AM
Yes, you must reconnect the Windows L2TP to this router; after that you will get the PPP log message.
So can you reconnect now?
11-24-2020 02:32 AM
I did reconnect it. Still no logs generated at all, nothing on the router screen.
11-24-2020 05:41 AM - edited 12-01-2020 09:51 AM
........
11-24-2020 06:04 AM - edited 12-01-2020 09:52 AM
...
11-24-2020 06:50 AM
I have done the same config and I am selecting L2TP/IPsec for the connection, but I will still try to write this config again.
11-24-2020 06:59 AM
I checked your original post config; for L2TP it is OK, but for IPsec it needs some changes.
Please see the change in my config and try it.
11-24-2020 07:44 AM
aaa authentication login default local
aaa authentication login telnet local
aaa authentication ppp default local
aaa authorization exec default local
!
!
!
!
!
!
aaa session-id common
!
transport-map type persistent telnet telnethandler
connection wait none
!
!
!
!
!
!
!
!
ip name-server 84.235.6.55 84.235.57.230
!
!
!
login on-success log
!
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
no device-tracking logging theft
!
!
!
!
!
crypto pki trustpoint SLA-TrustPoint
enrollment pkcs12
revocation-check crl
crypto pki certificate pool
cabundle nvram:ios_core.p7b
!
!
license feature hseck9
license udi pid ISR4331/K9 sn FDO24370BT3
license boot level appxk9
license boot level securityk9
license smart transport callhome
memory free low-watermark processor 69096
!
diagnostic bootup level minimal
!
spanning-tree extend system-id
!
username admin privilege 15 password 0 kevin
username atheervpn password 0 cisco
username cisco password 0 cisco
!
redundancy
mode none
!
!
!
!
!
!
!
!
!
!
!
!
crypto vpn anyconnect bootflash:/webvpn/anyconnect-win-4.9.03047-webdeploy-k9.pkg sequence 1
!
!
!
crypto isakmp policy 10
encryption 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp key cisco address 0.0.0.0 no-xauth
crypto isakmp keepalive 3600
!
!
crypto ipsec transform-set vpn esp-3des esp-sha-hmac
mode transport
!
!
!
crypto dynamic-map mymap 10
set nat demux
set transform-set vpn
!
!
!
crypto map cisco 10 ipsec-isakmp dynamic mymap
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
ip address 51.X.X.247 255.255.255.0
ip nat outside
negotiation auto
crypto map cisco
!
interface GigabitEthernet0/0/1
ip address 10.10.40.1 255.255.255.0
ip nat inside
media-type rj45
negotiation auto
!
interface GigabitEthernet0/0/2
ip address 10.0.2.2 255.255.255.0
ip nat inside
media-type sfp
negotiation auto
!
interface GigabitEthernet0
vrf forwarding Mgmt-intf
ip address 50.50.50.1 255.255.255.0
negotiation auto
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0/0
peer default ip address pool vpnpool
ppp encrypt mppe 128
ppp authentication ms-chap-v2
!
router ospf 1
network 10.10.40.1 0.0.0.0 area 0
network 51.X.X.247 0.0.0.0 area 0
!
ip local pool SSLVPN_POOL 192.168.11.1 192.168.11.10
ip local pool vpnpool 192.168.150.1 192.168.150.10
ip http server
ip http authentication aaa
ip http secure-server
ip forward-protocol nd
ip nat inside source list natlist interface GigabitEthernet0/0/0 overload
ip route 0.0.0.0 0.0.0.0 51.211.161.246
ip route 10.0.0.0 255.255.255.0 10.0.2.1
ip route 10.0.1.0 255.255.255.0 10.0.2.1
ip route 10.0.2.0 255.255.255.0 10.0.2.1
ip route 10.0.3.0 255.255.255.0 10.0.2.1
ip route 10.0.4.0 255.255.255.0 10.0.2.1
ip route 10.10.50.0 255.255.255.0 10.10.40.2
ip route 10.100.0.0 255.255.255.0 10.0.2.1
ip route 10.110.0.0 255.255.255.0 10.0.2.1
ip route 10.120.0.0 255.255.255.0 10.0.2.1
ip route 20.20.20.0 255.255.255.0 10.10.40.2
ip route 192.168.10.0 255.255.255.0 10.0.2.1
!
!
ip access-list extended natlist
10 permit ip 10.10.20.0 0.0.0.255 any
20 permit ip 10.0.2.0 0.0.0.255 any
30 permit ip 10.0.3.0 0.0.0.255 any
40 permit ip 10.0.4.0 0.0.0.255 any
50 permit ip 10.100.0.0 0.0.0.255 any
60 permit ip 10.110.0.0 0.0.0.255 any
70 permit ip 10.120.0.0 0.0.0.255 any
80 permit ip 10.0.0.0 0.0.0.255 any
90 permit ip 10.0.1.0 0.0.0.255 any
100 permit ip 192.168.10.0 0.0.0.255 any
110 permit ip 192.168.50.0 0.0.0.255 any
120 permit ip 10.10.30.0 0.0.0.255 any
130 permit ip 192.168.40.0 0.0.0.255 any
140 permit ip 192.168.2.0 0.0.0.255 any
150 permit ip 20.20.20.0 0.0.0.255 any
160 permit ip 10.10.40.0 0.0.0.255 any
170 permit ip 10.10.50.0 0.0.0.255 any
180 permit ip 192.168.3.0 0.0.0.255 any
!
!
!
!
!
!
!
control-plane
!
!
line con 0
password
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password kevin
transport input telnet
!
call-home
! If contact email address in call-home is configured as sch-smart-licensing@cisco.com
! the email address configured in Cisco Smart License Portal will be used as contact email address to send SCH notifications.
contact-email-addr sch-smart-licensing@cisco.com
profile "CiscoTAC-1"
active
destination transport-method h
I still have the same "port is closed" error. This problem happened only after I activated the appxk9 feature and reloaded the router.
11-24-2020 08:41 AM
Device Manager > Network adapter > uninstall the miniport,
and try to connect again.
11-24-2020 07:43 AM - edited 11-24-2020 09:17 AM
....
11-24-2020 07:49 AM
Yes, I have done it correctly.
11-24-2020 07:53 AM
11-24-2020 08:05 AM
Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package            Technology-package
              Current       Type            Next reboot
------------------------------------------------------------------
appxk9        appxk9        Smart License   appxk9
uck9          None          Smart License   None
securityk9    securityk9    Smart License   securityk9
ipbase        ipbasek9      Smart License   ipbasek9
11-24-2020 08:20 AM - edited 11-24-2020 08:39 AM
show license udi
Can I see the output for this?
11-24-2020 09:17 AM
UDI: PID:ISR4331/K9,SN:FDO24370BT3
I have tried uninstalling the miniport also, and did it today. Still the same error; I don't understand what is wrong. Do you think the service provider has blocked this? Is that possible? As far as I know that should not be a problem.
11-24-2020 09:25 AM - edited 12-01-2020 09:53 AM
....