cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

76045
Views
0
Helpful
26
Replies
Highlighted
Beginner

VPN client gets connected but cannot ping LOCAL LAN

Dear All,

I am trying to connect my 2800 Series CIsco Office router with VPN client software from home. I can successfully authenticate and get the IP address from the pool configured  but couldnt ping any LAN Ips including default gateway. I am pasting my router's configuration. Any urgent help would be really appreciated:

IP Address Of LAN: 192.168.22.x/ 24

IP Addresses handed out to Clients: 10.10.10.5- 10.10.10.20

aaa new-model

!

!

aaa authentication login default local

aaa authentication login future_tech local

aaa authorization exec default local

aaa authorization network ft-network local

username ftvpn privilege 15 password 7 047E11301F2F

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group  ft-network

key x.x.x.x

dns 202.125.148.x 8.8.8.x

domain future.com.pk

pool ft_pool

save-password

max-users 10

netmask 255.255.255.0

crypto isakmp profile ISAKMP_PRO

   match identity group ft-network

   client authentication list future_tech

   isakmp authorization list ft-network

   client configuration address respond

   client configuration group ft-network

   virtual-template 100

crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac

!

crypto ipsec profile IPSEC_PRO

set security-association idle-time 86400

set transform-set easy_vpn

set isakmp-profile ISAKMP_PRO

interface Multilink1

description WAN INTERFACE

ip address y.y.y.y 255.255.255.248

ip verify unicast reverse-path

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

no cdp enable

ppp multilink

ppp multilink group 1

interface GigabitEthernet0/1

description LAN INTERFACE

ip address z.z.z.z 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no mop enabled

interface Virtual-Template100 type tunnel

ip unnumbered GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PRO

ip nat inside

ip local pool ft_pool 10.10.10.5 10.10.10.20

ip route 0.0.0.0 0.0.0.0 Multilink1

access-list 120 deny   ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 120 permit ip 192.168.22.0 0.0.0.255 any

ip nat inside source list 120 interface Multilink1 overload

I have noticed that my virtual-access interface comes up but the line protocol of virtual-interface remains down as follows:

Virtual-Template100        x.x.x.x YES TFTP   up                    down

Also The client PC picks up a random gateway of 10.10.10.1 which I never configured anywhere on the server.

Regards

KhiZ

Everyone's tags (6)
26 REPLIES 26
Rising star

VPN client gets connected but cannot ping LOCAL LAN

Hi,

Refer this link

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00800949db.shtml

Hope it will help.

Best regards,
Abzal

Hope it will help. Best regards, Abzal
Beginner

Re: VPN client gets connected but cannot ping LOCAL LAN

Dear Abzal,

Thanks for your reply. I have seen the link and what I understand from the diagram is that the Client PC is also having a public address which is not in my case. I only have one Public IP Address which is applied on a multilink Interface. Iam successfully able to authenticate and get the IP Address from the address pool but having the following problems:

1. I cannot ping the LAN Interface where I have applied IP NAT INSIDE.

2. I cannot ping any LAN Devices behind that LAN Interface.

3. My virtual-access interface is up and up in Sh ip int br, but Virtual-template is up and down.

4. On PC with VPN Client, I am getting a default gateway of 10.10.10.1 even though I have not configured it anywhere on my server.

Please take a look at the config I attached.

IP Address Of LAN: 192.168.22.x/ 24

IP Addresses handed out to Clients: 10.10.10.5- 10.10.10.20

aaa new-model

!

!

aaa authentication login default local

aaa authentication login future_tech local

aaa authorization exec default local

aaa authorization network ft-network local

username ftvpn privilege 15 password 7 047E11301F2F

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration group  ft-network

key x.x.x.x

dns 202.125.148.x 8.8.8.x

domain future.com.pk

pool ft_pool

save-password

max-users 10

netmask 255.255.255.0

crypto isakmp profile ISAKMP_PRO

   match identity group ft-network

   client authentication list future_tech

   isakmp authorization list ft-network

   client configuration address respond

   client configuration group ft-network

   virtual-template 100

crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac

!

crypto ipsec profile IPSEC_PRO

set security-association idle-time 86400

set transform-set easy_vpn

set isakmp-profile ISAKMP_PRO

interface Multilink1

description WAN INTERFACE

ip address y.y.y.y 255.255.255.248

ip verify unicast reverse-path

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

no cdp enable

ppp multilink

ppp multilink group 1

interface GigabitEthernet0/1

description LAN INTERFACE

ip address z.z.z.z 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no mop enabled

interface Virtual-Template100 type tunnel

ip unnumbered GigabitEthernet0/1

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PRO

ip nat inside

ip local pool ft_pool 10.10.10.5 10.10.10.20

ip route 0.0.0.0 0.0.0.0 Multilink1

access-list 120 deny   ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255

access-list 120 permit ip 192.168.22.0 0.0.0.255 any

ip nat inside source list 120 interface Multilink1 overload


Rising star

Re:VPN client gets connected but cannot ping LOCAL LAN

Hi,

You need to add Split tunnel ACL. As connection is established, server may create a static route,  corresponding to the client VPN IP address using process know as Reverse  Route Injection (RRI).

access-list 110 permit ip 192.168.22.0 0.0.0.255 any

crypto isakmp client configuration group  ft-network

key x.x.x.x

dns 202.125.148.x 8.8.8.x

domain future.com.pk

pool ft_pool

save-password

max-users 10

netmask 255.255.255.0

acl 110

interface Virtual-Template100 type tunnel

ip unnumbered Multilink1

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PRO

no ip nat inside

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps6659/prod_white_paper0900aecd80313bf8.pdf

Hope it will help.

Best regards,
Abzal

Hope it will help. Best regards, Abzal
Beginner

Re:VPN client gets connected but cannot ping LOCAL LAN

Dear Abzal,

Thanks for writing in. Is this acl 110 under crypto client config group means that this traffic will be encrypted by IPSEC ??

Also is it necessary to use public IP on virtual template interface without IP NAT inside; as I have read on another discussion that Virtual-template interface should have an IP address of any LAN interface with IP NAT inside configured.

Cisco Employee

VPN client gets connected but cannot ping LOCAL LAN

Yes, split tunnel ACL is correct, but you can configure it to be more specific by configuring the vpn client pool as the destination:

access-list 110 permit ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255

Also with Virtual-Template, you can use either private or public ip address for "ip unnumbered" just to bring the interface up.

Multilink is probably a good idea because if your multilink interface is down, then you won't be able to VPN in anyway.

Beginner

VPN client gets connected but cannot ping LOCAL LAN

Dear Jennifer,

Thanks for your reply. I have done exactly what you said but unfortunately I am not able to ping anything including my Routers LAN interface (192.168.22.199). There is no firewall or anything that is blocking; I am successfully able to connect and client gets the IP from the pool but still no luck with acccessing the LAN network. Following is my configuration:

aaa new-model

!

!

aaa authentication login default local

aaa authentication login future_tech local

aaa authorization exec default local

aaa authorization network ft-network local

crypto isakmp policy 20

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 10

ip local pool ft_pool 10.10.10.5 10.10.10.20

crypto isakmp client configuration group ft-network

key x.x..x.x

dns 202.125.148.x 8.8.x.x

domain future.com.pk

pool ft_pool

acl SPLIT_TUNEL

save-password

max-users 10

netmask 255.255.255.0

crypto isakmp profile ISAKMP_PRO

   match identity group ft-network

   client authentication list future_tech

   isakmp authorization list ft-network

   client configuration address respond

   client configuration group ft-network

   virtual-template 100

crypto ipsec transform-set easy_vpn esp-3des esp-sha-hmac

crypto ipsec profile IPSEC_PRO

set security-association idle-time 86400

set transform-set easy_vpn

set isakmp-profile ISAKMP_PRO

interface Virtual-Template100 type tunnel

ip unnumbered Multilink1

no ip redirects

no ip proxy-arp

tunnel mode ipsec ipv4

tunnel protection ipsec profile IPSEC_PRO

ACL used for Not NATTING the traffic between 192.168.22.x and 10.10.10.x networks as some static mappings are already configured

ip access-list extended DENY_NAT

deny   ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip 192.168.22.0 0.0.0.255 any

Split tunnel ACL for encryption of interested Traffic

ip access-list extended SPLIT_TUNEL

permit ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255

ip nat inside source list DENY_NAT interface Multilink1 overload

ip route 10.10.10.0 255.255.255.0 multilink1 (Interface with the Public IP Address assigned)

interface Multilink1

description WAN INTERFACE

ip address  pUBLIC IP

ip verify unicast reverse-path

ip inspect SDM_LOW out

ip nat outside

ip virtual-reassembly

no cdp enable

ppp multilink

ppp multilink group 1

interface GigabitEthernet0/1

description LAN INTERFACE

ip address 192.168.22.199 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no mop enabled

end


From VPN SERVER

FTNet#show crypto isakmp sa

dst             src             state          conn-id slot status

x.x.x.x  119.157.184.65  QM_IDLE              1    0 ACTIVE

FTNet#show crypto ipsec sa

interface: Virtual-Access2

    Crypto map tag: Virtual-Access2-head-0, local addr x.x.x.x

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (10.10.10.9/255.255.255.255/0/0)

   current_peer 119.157.184.65 port 62365(IP Add of my EVO Dongle)

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

Beginner

VPN client gets connected but cannot ping LOCAL LAN

Following are the images of CISCO VPN Client used on Windows 7 64-bit machine:

http://tinypic.com/r/2vd5lbt/6

http://i50.tinypic.com/vqns7q.jpg

Rising star

Re: VPN client gets connected but cannot ping LOCAL LAN

Hi Muhammed,

Can you show routing table from VPN client while it's connected to VPN server?

route print

And traceroute:

tracert 192.168.22.199

Once VPN client connected check the router if there is a route through VTI to remote network:

sh ip route

sh crypto route

Hope it will help.

Best regards,
Abzal

Hope it will help. Best regards, Abzal
Beginner

Re: VPN client gets connected but cannot ping LOCAL LAN

Dear Abzal,

I am getting incosistent results. Some times I am able to ping the LAN gateway and most of the time I doesnt: Anyways following is what you asked for:

C:\Users\nadeem>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : future.com.pk

   Link-local IPv6 Address . . . . . : fe80::18b:5440:e353:5ad%43

   IPv4 Address. . . . . . . . . . . : 10.10.10.19

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :

C:\Users\nadeem>route pr

Manipulates network routing tables.

ROUTE [-f] [-p] [-4|-6] command [destination]

                  [MASK netmask]  [gateway] [METRIC metric]  [IF interface]

  -f           Clears the routing tables of all gateway entries.  If this is

               used in conjunction with one of the commands, the tables are

               cleared prior to running the command.

  -p           When used with the ADD command, makes a route persistent across

               boots of the system. By default, routes are not preserved

               when the system is restarted. Ignored for all other commands,

               which always affect the appropriate persistent routes. This

               option is not supported in Windows 95.

  -4           Force using IPv4.

  -6           Force using IPv6.

  command      One of these:

                 PRINT     Prints  a route

                 ADD       Adds    a route

                 DELETE    Deletes a route

                 CHANGE    Modifies an existing route

  destination  Specifies the host.

  MASK         Specifies that the next parameter is the 'netmask' value.

  netmask      Specifies a subnet mask value for this route entry.

               If not specified, it defaults to 255.255.255.255.

  gateway      Specifies gateway.

  interface    the interface number for the specified route.

  METRIC       specifies the metric, ie. cost for the destination.

All symbolic names used for destination are looked up in the network database

file NETWORKS. The symbolic names for gateway are looked up in the host name

database file HOSTS.

If the command is PRINT or DELETE. Destination or gateway can be a wildcard,

(wildcard is specified as a star '*'), or the gateway argument may be omitted.

If Dest contains a * or ?, it is treated as a shell pattern, and only

matching destination routes are printed. The '*' matches any string,

and '?' matches any one char. Examples: 157.*.1, 157.*, 127.*, *224*.

Pattern match is only allowed in PRINT command.

Diagnostic Notes:

    Invalid MASK generates an error, that is when (DEST & MASK) != DEST.

    Example> route ADD 157.0.0.0 MASK 155.0.0.0 157.55.80.1 IF 1

             The route addition failed: The specified mask parameter is invalid

(Destination & Mask) != Destination.

Examples:

    > route PRINT

    > route PRINT -4

    > route PRINT -6

    > route PRINT 157*          .... Only prints those matching 157*

    > route ADD 157.0.0.0 MASK 255.0.0.0  157.55.80.1 METRIC 3 IF 2

             destination^      ^mask      ^gateway     metric^    ^

                                                         Interface^

      If IF is not given, it tries to find the best interface for a given

      gateway.

    > route ADD 3ffe::/32 3ffe::1

    > route CHANGE 157.0.0.0 MASK 255.0.0.0 157.55.80.5 METRIC 2 IF 2

      CHANGE is used to modify gateway and/or metric only.

    > route DELETE 157.0.0.0

    > route DELETE 3ffe::/32

C:\Users\nadeem>tracert 192.168.22.199

Tracing route to 192.168.22.199 over a maximum of 30 hops

  1    36 ms    33 ms    34 ms  192.168.22.199

Trace complete.

At this time I was able to ping only the default gateway but not any other IP. When I am also not able to ping gateway; traceroute shows only *

C:\Users\nadeem>

Rising star

Re: VPN client gets connected but cannot ping LOCAL LAN

Ok, I see

try now to trace any host on the LAN behind router

traceroute 192.168.22.X

And the correct command is

route print

not route pr

And on the router:

show crypto route

Hope it will help.

Best regards,
Abzal

Hope it will help. Best regards, Abzal
Beginner

Re: VPN client gets connected but cannot ping LOCAL LAN

Dear Abzal,

Following is the information you asked for: at the time I am unable to ping the default gateway:

C:\Users\nadeem> ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : future.com.pk

   Link-local IPv6 Address . . . . . : fe80::18b:5440:e353:5ad%35

   IPv4 Address. . . . . . . . . . . : 10.10.10.5

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :

C:\Users\nadeem>ping 192.168.22.199

Pinging 192.168.22.199 with 32 bytes of data:

Request timed out.

Ping statistics for 192.168.22.199:

    Packets: Sent = 1, Received = 0, Lost = 1 (100% loss),

Control-C

^C

C:\Users\nadeem>tracert 192.168.22.199


Tracing route to 192.168.22.199 over a maximum of 30 hops

  1     *        *        *     Request timed out.

  2     *        *        *     Request timed out.

  3  ^C

C:\Users\nadeem>route print

===========================================================================

Interface List

35...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows

22...00 1e 10 1f 79 c9 ......HUAWEI Mobile Connect - 3G Network Card

19...00 ff 58 bd 48 9a ......Spotflux Network Device Driver

13...00 23 14 51 5d c5 ......Microsoft Virtual WiFi Miniport Adapter #2

12...00 23 14 51 5d c5 ......Microsoft Virtual WiFi Miniport Adapter

11...00 23 14 51 5d c4 ......Intel(R) Centrino(R) Advanced-N 6200 AGN

10...54 42 49 0d 0d fb ......Marvell Yukon 88E8059 PCI-E Gigabit Ethernet Contr

oller

20...00 50 56 c0 00 01 ......VMware Virtual Ethernet Adapter for VMnet1

21...00 50 56 c0 00 08 ......VMware Virtual Ethernet Adapter for VMnet8

  1...........................Software Loopback Interface 1

28...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter

29...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #2

34...00 00 00 00 00 00 00 e0 Microsoft 6to4 Adapter

30...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #4

25...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5

16...00 00 00 00 00 00 00 e0 Teredo Tunneling Pseudo-Interface

31...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #6

27...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #7

32...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #8

24...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #9

33...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #10

===========================================================================

IPv4 Route Table

===========================================================================

Active Routes:

Network Destination        Netmask          Gateway       Interface  Metric

          0.0.0.0          0.0.0.0      192.168.0.5      192.168.0.3    281

          0.0.0.0          0.0.0.0   119.157.188.41   119.157.188.42    296

       10.10.10.0    255.255.255.0         On-link        10.10.10.5    281

       10.10.10.5  255.255.255.255         On-link        10.10.10.5    281

     10.10.10.255  255.255.255.255         On-link        10.10.10.5    281

   119.157.188.40  255.255.255.252         On-link    119.157.188.42    296

   119.157.188.42  255.255.255.255         On-link    119.157.188.42    296

   119.157.188.43  255.255.255.255         On-link    119.157.188.42    296

        127.0.0.0        255.0.0.0         On-link         127.0.0.1    306

        127.0.0.1  255.255.255.255         On-link         127.0.0.1    306

  127.255.255.255  255.255.255.255         On-link         127.0.0.1    306

      192.168.0.0    255.255.255.0         On-link       192.168.0.3    281

      192.168.0.3  255.255.255.255         On-link       192.168.0.3    281

      192.168.0.5  255.255.255.255         On-link       192.168.0.3    100

    192.168.0.255  255.255.255.255         On-link       192.168.0.3    281

     192.168.22.0    255.255.255.0       10.10.10.1       10.10.10.5    100

     192.168.31.0    255.255.255.0         On-link      192.168.31.1    276

     192.168.31.1  255.255.255.255         On-link      192.168.31.1    276

   192.168.31.255  255.255.255.255         On-link      192.168.31.1    276

    192.168.142.0    255.255.255.0         On-link     192.168.142.1    276

    192.168.142.1  255.255.255.255         On-link     192.168.142.1    276

  192.168.142.255  255.255.255.255         On-link     192.168.142.1    276

  221.120.193.212  255.255.255.255      192.168.0.5      192.168.0.3    100

        224.0.0.0        240.0.0.0         On-link         127.0.0.1    306

        224.0.0.0        240.0.0.0         On-link     192.168.142.1    276

        224.0.0.0        240.0.0.0         On-link      192.168.31.1    276

        224.0.0.0        240.0.0.0         On-link    119.157.188.42    296

        224.0.0.0        240.0.0.0         On-link       192.168.0.3    281

        224.0.0.0        240.0.0.0         On-link        10.10.10.5    281

  255.255.255.255  255.255.255.255         On-link         127.0.0.1    306

  255.255.255.255  255.255.255.255         On-link     192.168.142.1    276

  255.255.255.255  255.255.255.255         On-link      192.168.31.1    276

  255.255.255.255  255.255.255.255         On-link    119.157.188.42    296

  255.255.255.255  255.255.255.255         On-link       192.168.0.3    281

  255.255.255.255  255.255.255.255         On-link        10.10.10.5    281

===========================================================================

Persistent Routes:

  Network Address          Netmask  Gateway Address  Metric

          0.0.0.0          0.0.0.0       20.20.20.1  Default

===========================================================================

IPv6 Route Table

===========================================================================

Active Routes:

If Metric Network Destination      Gateway

  1    306 ::1/128                  On-link

34   1040 2002::/16                On-link

34    296 2002:1414:1464::1414:1464/128

                                    On-link

34    296 2002:779d:bc2a::779d:bc2a/128

                                    On-link

20    276 fe80::/64                On-link

21    276 fe80::/64                On-link

11    281 fe80::/64                On-link

35    281 fe80::/64                On-link

30    286 fe80::5efe:192.168.0.3/128

                                    On-link

35    281 fe80::18b:5440:e353:5ad/128

                                    On-link

25    296 fe80::200:5efe:119.157.188.42/128

                                    On-link

21    276 fe80::7063:e48e:2976:ea9b/128

                                    On-link

20    276 fe80::ccc3:3d59:7b60:dde8/128

                                    On-link

11    281 fe80::f141:928f:6bf9:f6f/128

                                    On-link

  1    306 ff00::/8                 On-link

20    276 ff00::/8                 On-link

21    276 ff00::/8                 On-link

11    281 ff00::/8                 On-link

35    281 ff00::/8                 On-link

===========================================================================

Persistent Routes:

  None

C:\Users\nadeem>


From VPN Server

FTNet#show ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

       E1 - OSPF external type 1, E2 - OSPF external type 2

       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

       ia - IS-IS inter area, * - candidate default, U - per-user static route

       o - ODR, P - periodic downloaded static route

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S       10.10.10.5/32 [1/0] via 0.0.0.0, Virtual-Access2

C       10.255.211.1/32 is directly connected, Loopback0

S       10.111.1.0/24 [1/0] via 192.168.22.197

S       10.101.0.0/16 [1/0] via 192.168.22.197

S       10.116.0.0/16 [1/0] via 192.168.22.197

There is no command show crypto route on my IOS; so I used the following

FTNet#show crypto sess

Crypto session current status

Interface: Virtual-Access2

Session status: UP-ACTIVE

Peer: 39.48.78.131 port 12003

  IKE SA: local x.x.x.x.x/500 remote 39.48.78.131/12003 Active

  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.10.10.5

        Active SAs: 2, origin: crypto map

FTNet#show crypto isakmp sa

dst             src             state          conn-id slot status

x.x.x.x.     39.48.78.131    QM_IDLE              1    0 ACTIVE

Config on the router is same as before!!

Thanks

Rising star

Re: VPN client gets connected but cannot ping LOCAL LAN

Ok, let's try this one

route-map nonat permit 10

match ip add DENY_NAT

ip access-list extended DENY_NAT

deny   ip 192.168.22.0 0.0.0.255 10.10.10.0 0.0.0.255

permit ip 192.168.22.0 0.0.0.255 any

ip nat inside source route-map nonat interface Multilink1 overload

Hope it will help.

Best regards,
Abzal

Hope it will help. Best regards, Abzal
Beginner

Re: VPN client gets connected but cannot ping LOCAL LAN

Well this easy VPN doesnt seem so easy. Still the same result however I noticed the following on VPN SERVER

FTNet#show crypto isakmp sa

dst             src             state          conn-id slot status

221.120.193.212 39.48.78.131    QM_IDLE              1    0 ACTIVE ISAKMP_PRO

Its showing ISAKMP_PRO; the isakmp profile that I created. Previously it shows just active:

show ip route

       10.10.10.6/32 [1/0] via 0.0.0.0, Virtual-Access3


Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . : future.com.pk

   Link-local IPv6 Address . . . . . : fe80::18b:5440:e353:5ad%35

   IPv4 Address. . . . . . . . . . . : 10.10.10.6

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :

Still cant ping the default gateway!!
I also noticed on most of the Cisco examples on cisco website that they have used the similar pool which is used on the LAN. Just a thought. I tried that as well and it didnt worked   

Beginner

Re: VPN client gets connected but cannot ping LOCAL LAN

I also noticed that when I remove split-tunnel ACL; the counters on VPN client software begin to increase but still I  couldnt ping the default gateway. Snapshot is attached:

http://i49.tinypic.com/15wnjas.jpg


From VPN Server:

interface: Virtual-Access2

    Crypto map tag: Virtual-Access2-head-0, local addr x.x.x.x

   protected vrf: (none)

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

   remote ident (addr/mask/prot/port): (10.10.10.7/255.255.255.255/0/0)

   current_peer 39.48.78.131 port 13796

     PERMIT, flags={origin_is_acl,}

    #pkts encaps: 8, #pkts encrypt: 8, #pkts digest: 8

    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

    #pkts compressed: 0, #pkts decompressed: 0

    #pkts not compressed: 0, #pkts compr. failed: 0

    #pkts not decompressed: 0, #pkts decompress failed: 0

    #send errors 0, #recv errors 0

     local crypto endpt.: x.x.x.x, remote crypto endpt.: 39.48.78.131

     path mtu 1500, ip mtu 1500, ip mtu idb Multilink1

     current outbound spi: 0x6F81FEBC(1870790332)

     inbound esp sas:

      spi: 0x96E19D7E(2531368318)

        transform: esp-3des esp-sha-hmac ,

        in use settings ={Tunnel UDP-Encaps, }

        conn id: 3001, flow_id: NETGX:1, crypto map: Virtual-Access2-head-0

        sa timing: remaining key lifetime (k/sec): (4496251/2648)

        IV size: 8 bytes

        replay detection support: Y

        Status: ACTIVE

CreatePlease to create content
Content for Community-Ad
FusionCharts will render here