11-13-2012 06:22 AM - edited 03-07-2019 10:01 AM
I am stumped on a configuration issue and I am hoping that someone can lend a hand. I don't think that it is a complex setup but it might be.
I have 2 routers: one is an Apple AirPort Extreme with a static outside IP address, and I also have a Cisco 871 with a static outside IP address. The AirPort Extreme connects to a switch on the private network and has an IP address ending in .1. The Cisco 871 connects to the same private network and it ends in .2. The 871 is set up as a VPN server. Now when clients connect to the VPN they can ping the VLAN IP address on the 871, but they can't ping any other hosts on the same network. The hosts on the private network can ping the VLAN on the 871. So what am I missing? Can someone point me to a doc or something that might shed some light on this?
Thank you in advance for your help.
11-13-2012 06:29 AM
Is the apple device the default gateway for all of your other hosts? Do you give a separate ip range to VPN users on the Cisco when they connect? If so, you'll need a static route on the airport pointing the VPN subnet to the Cisco.
Hth,
John
Sent from Cisco Technical Support iPhone App
11-13-2012 06:31 AM
Hi,
Is the 871 the default gateway of the network? If not, configure a static IP route pointing to the default gateway.
ip route x.x.x.x y.y.y.y GW
x.x.x.x - subnet
y.y.y.y - subnet mask
GW - gateway ip address
And network diagram would help us much better.
Please rate helpful post.
11-13-2012 06:52 AM
I am unable to upload the files I need, so I am going to paste the config of the 871. The AirPort is the default gateway.
Building configuration...
Current configuration : 8834 bytes
!
! Last configuration change at 08:42:55 PCTime Tue Nov 13 2012 by
! NVRAM config last updated at 05:36:47 PCTime Tue Nov 13 2012 by
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gate
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-362596033
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-362596033
revocation-check none
rsakeypair TP-self-signed-362596033
!
!
crypto pki certificate chain TP-self-signed-362596033
certificate self-signed 01
quit
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name lan.net
ip name-server
ip name-server
!
multilink bundle-name authenticated
!
!
username xxxxxx privilege 15 secret 5
username xxxx secret 5
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group home
key
dns 192.168.x.x
domain lan.net
pool SDM_POOL_1
acl 101
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 108.198.xxx.xxx
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
zone-member security out-zone
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.x.2 255.255.255.0
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.x.x 192.168.x.x
ip default-gateway 192.168.x.x
ip default-network 192.168.x.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 108.198.xxx.xxx
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.x.x 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 108.198.xxx.xxx 0.0.0.7 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.x.x 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
11-13-2012 07:05 AM
Try to put ip route to internal network:
ip route 192.168.x.0 255.255.255.0 192.168.x.1
Please rate helpful posts.
11-13-2012 07:18 AM
No, that did not work. I even tried doing a route like this, 192.168.x.0 0.0.0.255 192.168.x.1, but I get an error:
%Inconsistent address and mask
11-13-2012 07:35 AM
The route wouldn't go on your Cisco. It knows how to get to the LAN and VPN subnets. The problem is that your VPN clients send traffic to the LAN, but their default route points to the AirPort, which drops the traffic because it tries to send it to the service provider or whatever its default is. The better way is to put a route that points to your VPN subnet on the AirPort and send that traffic to the Cisco.
Static route to VPN subnet --> Cisco LAN address.
John
Sent from Cisco Technical Support iPhone App
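John's explanation above, traced as an added example that is not part of the thread: a longest-prefix-match lookup on each device shows that a LAN host's reply to a VPN client follows its default route to the AirPort and is lost upstream, and that a static route on the AirPort for the VPN subnet pointing at the Cisco's LAN address fixes the return path. The addresses (192.168.1.0/24 LAN, 192.168.2.0/24 pool, client 192.168.2.10) are constructed stand-ins for the redacted 192.168.x.x values.

```python
import ipaddress

# Constructed stand-ins for the redacted 192.168.x.0/24 LAN and the VPN pool
# the 871 assigns (SDM_POOL_1); all values here are assumptions, not the poster's.
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("192.168.1.0/24")
VPN_POOL = ipaddress.ip_network("192.168.2.0/24")
VPN_CLIENT = "192.168.2.10"

def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) entries; most specific wins."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, hop) for net, hop in table if dst in net]
    return max(matches, key=lambda e: e[0].prefixlen)[1] if matches else "drop"

def build_tables(airport_has_vpn_route):
    """Routing tables of the three devices in the thread's topology."""
    tables = {
        # LAN host: default gateway is the AirPort (.1), as the poster states.
        "lan_host": [(DEFAULT, "airport"), (LAN, "connected")],
        # 871: on the LAN via Vlan1, owns the VPN pool, default route to the ISP.
        "cisco": [(LAN, "connected"), (VPN_POOL, "connected"), (DEFAULT, "isp")],
        # AirPort: knows only its LAN and its ISP uplink, so a reply to a private
        # VPN address goes upstream and is effectively lost.
        "airport": [(LAN, "connected"), (DEFAULT, "isp")],
    }
    if airport_has_vpn_route:
        # John's fix: static route for the VPN subnet -> Cisco LAN address (.2).
        tables["airport"].append((VPN_POOL, "cisco"))
    return tables

def trace(tables, start, dst, max_hops=6):
    """Return the device-by-device path until delivered ('connected') or lost."""
    path, device = [start], start
    for _ in range(max_hops):
        hop = lookup(tables[device], dst)
        path.append(hop)
        if hop not in tables:          # connected, isp or drop: forwarding ends
            return path
        device = hop
    return path

def reply_path(airport_has_vpn_route):
    """Path of a LAN host's reply to a VPN client (the direction that fails)."""
    return trace(build_tables(airport_has_vpn_route), "lan_host", VPN_CLIENT)

if __name__ == "__main__":
    print("without route:", " -> ".join(reply_path(False)))
    print("with route:   ", " -> ".join(reply_path(True)))
```

The forward direction (Cisco to a LAN host) succeeds either way, which is why the VPN clients can reach the 871's Vlan1 address but get no answers from other hosts.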
11-13-2012 08:05 AM
Ok, well that kills this. There is no way to put a static route on the AirPort Extreme. Maybe someone can answer this then.
1) Is there a way to pass the internal LAN IP addresses to the VPN clients? Would that help?
2) The whole reason I want to keep the AirPort as the default gateway is that when I upgrade to the latest IOS 124.24 the internet is choked down and it starts to throttle between 7-12 meg down when it should be 25 meg down. Any ideas as to what that might be caused by in the config? It would be the same config but only using 124.24.
Thank you again for all your help.