VPN Client Connected fine i can ping host but when i try to reach port 80 on browser nothing happens.

AlbGenius (Level 1)

Hi all,

I have a 2900 series router. I have configured the client OK; I get connected and I can actually ping the host I need, 172.17.5.14, but when I try to reach it via the browser on port 80 I cannot open the page. I can even set up an RDP connection with the server.

Any idea?

4 Replies

Hello,

Are you using NAT? Post the running configuration of your 2900 router...

crypto isakmp policy 97
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 98
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 99
encr aes 256
authentication pre-share
group 2
!
crypto isakmp policy 100
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 101
encr aes
authentication pre-share
group 2

!
crypto isakmp client configuration group KVPN
key *****
dns 8.8.8.8
domain pg.local
pool vpnpool
acl VPNACL
include-local-lan
max-logins 10
netmask 255.255.255.0
!
crypto isakmp peer address *******
set aggressive-mode password *******
set aggressive-mode client-endpoint ipv4-address *********
crypto isakmp profile ITS
match identity group KVPN
client authentication list vpnclient
isakmp authorization list KVPN
client configuration address respond
crypto isakmp profile Site-SRV
keyring Site-auth
match identity address ********** 255.255.255.255
!
!
crypto ipsec transform-set ipsec-transform esp-3des esp-sha-hmac
crypto ipsec transform-set UKT-SRV50 esp-aes esp-sha-hmac
crypto ipsec transform-set UKT-SRV50-MD5 esp-3des esp-md5-hmac
!
!
!
crypto dynamic-map KVPN 100
set transform-set ipsec-transform
reverse-route
!
crypto dynamic-map dynmap 1000
set isakmp-profile ITS
!
!
crypto map VPNMAP client authentication list XAuthVPN
crypto map VPNMAP isakmp authorization list VPNAuth
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 35 ipsec-isakmp
set peer **********
set security-association lifetime seconds 28800
set transform-set UKT-SRV50-MD5
set pfs group2
match address UKT-SRV50
crypto map VPNMAP 100 ipsec-isakmp dynamic KVPN discover
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
no ip address
no ip route-cache
duplex auto
speed auto
!
interface GigabitEthernet0/0.5
description Servers
encapsulation dot1Q 5
ip address 172.17.5.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet0/0.6
description Users
encapsulation dot1Q 6
ip address 172.17.6.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
!
interface GigabitEthernet0/0.10
description Mikrotik_Outside
encapsulation dot1Q 10
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
no ip route-cache
no cdp enable
!
interface GigabitEthernet0/1
ip address ********** 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map VPNMAP
!
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
!
ip local pool REMOTEVPN 192.168.40.5 192.168.40.100
ip local pool vpnpool 192.168.33.1 192.168.33.10
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
!
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.17.5.14 8001 ********* 8001 extendable
ip nat inside source static tcp 172.17.5.14 80 ********* 30000 extendable
ip nat inside source static tcp 172.17.5.13 80 ********* 80 extendable
ip nat inside source static tcp 172.17.5.13 3389 ********* 3389 extendable
ip nat inside source static tcp 172.17.5.13 28596 ********** 28596 extendable
ip route 0.0.0.0 0.0.0.0 ***********
ip route 10.10.10.0 255.255.255.0 172.17.5.60
ip route 10.10.11.0 255.255.255.0 172.17.5.60
!
ip access-list extended UKT-SRV50
permit ip 172.17.5.0 0.0.0.255 host 192.168.50.5
permit ip 172.17.5.0 0.0.0.255 host 192.168.50.10
ip access-list extended VPNACL
permit ip 172.17.6.0 0.0.0.255 192.168.33.0 0.0.0.255
permit ip 172.17.5.0 0.0.0.255 192.168.33.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 deny ip 172.17.5.0 0.0.0.255 172.17.6.0 0.0.0.255
access-list 100 deny ip 172.17.6.0 0.0.0.255 172.17.5.0 0.0.0.255
access-list 100 deny ip 172.17.5.0 0.0.0.255 192.168.33.0 0.0.0.255
access-list 100 deny ip 172.17.5.0 0.0.0.255 host 192.168.50.5
access-list 100 deny ip 172.17.5.0 0.0.0.255 host 192.168.50.10
access-list 100 permit ip 172.17.6.0 0.0.0.255 any
access-list 100 permit ip 172.17.5.0 0.0.0.255 any
access-list 100 deny ip any any
!
route-map nonat permit 10
match ip address 100
!
!
!
!
!
control-plane
!
!
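A check worth running against the configuration above, added here and not part of the thread: the 'nonat' route-map is only attached to the dynamic overload NAT line, while the static port translations carry no route-map and so apply to every inside-to-outside flow, including the replies a server sends back into the IPsec tunnel. The script works on a constructed excerpt of the posted lines (masked addresses kept as '*') and lists the inside host/port pairs in the VPNACL networks that have such an unconditional translation.

```python
"""Flag static NAT entries that will also rewrite replies heading into the VPN tunnel.
Added check, not from the thread. In IOS a static translation with no route-map
is applied to every inside-to-outside flow, so the 'nonat' route-map that exempts
the dynamic overload NAT does not cover it."""
import ipaddress
import re

# Constructed excerpt of the running config posted above; masked addresses kept as '*'.
CONFIG = """
ip nat inside source route-map nonat interface GigabitEthernet0/1 overload
ip nat inside source static tcp 172.17.5.14 8001 ********* 8001 extendable
ip nat inside source static tcp 172.17.5.14 80 ********* 30000 extendable
ip nat inside source static tcp 172.17.5.13 80 ********* 80 extendable
ip nat inside source static tcp 172.17.5.13 3389 ********* 3389 extendable
ip access-list extended VPNACL
permit ip 172.17.6.0 0.0.0.255 192.168.33.0 0.0.0.255
permit ip 172.17.5.0 0.0.0.255 192.168.33.0 0.0.0.255
route-map nonat permit 10
"""

STATIC_RE = re.compile(r"^ip nat inside source static (tcp|udp) (\S+) (\d+) \S+ (\d+)(.*)$")
PERMIT_RE = re.compile(r"^permit ip (\S+) (\S+) \S+ \S+$")

def vpn_local_networks(config, acl_name="VPNACL"):
    """Networks on the local side of the split-tunnel ACL handed to VPN clients."""
    nets, in_acl = [], False
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("ip access-list extended "):
            in_acl = line.split()[-1] == acl_name
            continue
        m = PERMIT_RE.match(line) if in_acl else None
        if m:  # an IOS wildcard such as 0.0.0.255 is a hostmask, which ipaddress accepts
            nets.append(ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False))
        elif in_acl and not line.startswith(("permit", "deny", "remark")):
            in_acl = False  # left the ACL body
    return nets

def unconditional_static_nat(config):
    """(inside_ip, proto, inside_port, outside_port) for static entries with no route-map
    whose inside host sits in a network the VPN clients are allowed to reach."""
    nets = vpn_local_networks(config)
    hits = []
    for line in (l.strip() for l in config.splitlines()):
        m = STATIC_RE.match(line)
        if m and "route-map" not in m.group(5):
            proto, inside, iport, oport, _ = m.groups()
            if any(ipaddress.IPv4Address(inside) in n for n in nets):
                hits.append((inside, proto, int(iport), int(oport)))
    return hits

if __name__ == "__main__":
    for inside, proto, iport, oport in unconditional_static_nat(CONFIG):
        print(f"{inside} {proto}/{iport}: replies to VPN clients leave as outside port {oport}")
```

Services that the VPN client reaches only by ping or by a port with no static entry, such as RDP on 172.17.5.14, are unaffected; the flagged pairs are the ones whose return traffic gets rewritten before the crypto map sees it.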

Hello,

The config looks OK as far as I can tell. The problem could be with the MTU; try and ping the webserver with different MTU sizes:

ping -l 1472 -f 172.17.5.14

Increase the packet size until you get the message 'Packet needs to be fragmented but DF set'.

Is the webserver unreachable both by IP and by DNS?

Hi,

The webserver is IP only.

For everything above size 1272, I get the message 'Packet needs to be fragmented but DF set'.

So should I increase the MTU size?

Thanks
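The 'ping -l <size> -f' test suggested above, and the 1272-byte result reported in the reply, as an added example that is not part of the thread: instead of stepping the size by hand, the script binary-searches the largest ICMP payload that passes with Don't Fragment set and converts it to the path MTU. It assumes the system ping binary is on the path and that the target host, 172.17.5.14 by default, answers echo requests.

```python
"""Path-MTU probe in the spirit of 'ping -l <size> -f <host>'.
Added example, not from the thread: binary-search the largest ICMP echo payload
that passes with DF set, then add the IP and ICMP header overhead."""
import platform
import subprocess
import sys
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

def ping_df_ok(host: str, payload: int) -> bool:
    """One echo request with DF set and `payload` data bytes; True if a reply came back."""
    system = platform.system()
    if system == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload), host]
    elif system == "Darwin":
        cmd = ["ping", "-c", "1", "-D", "-s", str(payload), host]
    else:  # Linux iputils: -M do sets DF and refuses local fragmentation
        cmd = ["ping", "-c", "1", "-W", "2", "-M", "do", "-s", str(payload), host]
    out = subprocess.run(cmd, capture_output=True, text=True)
    if system == "Windows":
        # 'Packet needs to be fragmented but DF set' carries no TTL; a real reply does.
        return "TTL=" in out.stdout
    return out.returncode == 0

def largest_unfragmented_payload(probe: Callable[[int], bool], lo: int = 28, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] that `probe` accepts; 0 if even `lo` fails.
    Assumes the path is monotonic: once a size fails, every larger size fails too."""
    if not probe(lo):
        return 0
    if probe(hi):
        return hi
    while hi - lo > 1:  # invariant: probe(lo) passed, probe(hi) failed
        mid = (lo + hi) // 2
        if probe(mid):
            lo = mid
        else:
            hi = mid
    return lo

def path_mtu(max_payload: int) -> int:
    """Convert the largest passing ICMP payload to the path MTU in bytes."""
    return max_payload + IP_ICMP_OVERHEAD

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "172.17.5.14"  # host from the thread
    best = largest_unfragmented_payload(lambda n: ping_df_ok(target, n))
    print(f"largest DF payload to {target}: {best} bytes -> path MTU {path_mtu(best)} bytes")
```

A result of 1272 means a path MTU of 1300 bytes (1272 + 28), which is why full 1500-byte TCP segments can stall while small ping and RDP packets get through; the usual remedy is to lower the MTU or clamp the TCP MSS on the VPN path, since the hop that drops the packets cannot be raised from this side.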
