871 VPN Server unable to ping lan.

bataviaphil
Level 1

I am stumped on a configuration issue and I am hoping that someone can lend a hand. I don't think that it is a complex setup, but it might be.

I have 2 routers: one is an Apple AirPort Extreme with a static outside IP address, and I also have a Cisco 871 with a static outside IP address. The AirPort Extreme connects to a switch on the private network and has an IP address ending in .1. The Cisco 871 connects to the same private network and its address ends in .2. The 871 is set up as a VPN server. Now, when clients connect to the VPN they can ping the VLAN IP address on the 871, but they can't ping any other hosts on the same network. The hosts on the private network can ping the VLAN on the 871. So what am I missing? Can someone point me to a doc or something that might shed some light on this?

Thank you in advance for your help.

7 Replies

John Blakley
VIP Alumni

Is the Apple device the default gateway for all of your other hosts? Do you give a separate IP range to VPN users on the Cisco when they connect? If so, you'll need a static route on the AirPort pointing the VPN subnet to the Cisco.

Hth,
John

Sent from Cisco Technical Support iPhone App

HTH, John *** Please rate all useful posts ***

Abzal
Level 7

Hi,

Is the 871 the default gateway of the network? If not, configure a static IP route pointing to the default gateway:

ip route x.x.x.x y.y.y.y GW

x.x.x.x - subnet
y.y.y.y - subnet mask
GW - gateway IP address

And network diagram would help us much better.

Please rate helpful post.

Best regards,
Abzal

bataviaphil
Level 1

I am unable to upload the files I need, so I am going to paste the config of the 871. The AirPort is the default gateway.

Building configuration...

Current configuration : 8834 bytes
!
! Last configuration change at 08:42:55 PCTime Tue Nov 13 2012 by
! NVRAM config last updated at 05:36:47 PCTime Tue Nov 13 2012 by
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gate
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-362596033
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-362596033
 revocation-check none
 rsakeypair TP-self-signed-362596033
!
!
crypto pki certificate chain TP-self-signed-362596033
 certificate self-signed 01
      quit
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name lan.net
ip name-server
ip name-server
!
multilink bundle-name authenticated
!
!
username xxxxxx privilege 15 secret 5
username xxxx secret 5
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group home
 key
 dns 192.168.x.x
 domain lan.net
 pool SDM_POOL_1
 acl 101
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_PT
  pass
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 108.198.xxx.xxx
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.x.2 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 192.168.x.x 192.168.x.x
ip default-gateway 192.168.x.x
ip default-network 192.168.x.x
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 108.198.xxx.xxx
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.x.x 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 108.198.xxx.xxx 0.0.0.7 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.x.x 0.0.0.255 any
no cdp run
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Try adding an IP route to the internal network:

ip route 192.168.x.0 255.255.255.0 192.168.x.1

Please rate helpful posts.

Best regards,
Abzal

No, that did not work. I even tried doing a route like this: 192.168.x.0 0.0.0.255 192.168.x.1, but I get an error:

%Inconsistent address and mask

The route wouldn't go on your Cisco. It knows how to get to the LAN and VPN subnets. The problem is that your VPN clients send traffic to the LAN, but their default route points to the AirPort, which drops the traffic because it tries to send it to the service provider or whatever its default is. The better way is to put a route that points to your VPN subnet on the AirPort and send that traffic to the Cisco.

Static route to VPN subnet --> Cisco LAN address.

John

Sent from Cisco Technical Support iPhone App

HTH, John *** Please rate all useful posts ***
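As an added illustration (not code from the thread), a small Python model of the forwarding decision John describes: LAN hosts answer a VPN client through their default gateway, and the AirPort only knows where the VPN pool lives once it holds a static route for it. The subnets and the ISP next hop are constructed placeholders, since the thread masks them as x; the last function mimics the mask check behind the "%Inconsistent address and mask" error seen earlier in the thread.

```python
import ipaddress

# Constructed addressing: the thread masks the third octet as "x", so these
# placeholders stand in for the poster's real LAN and SDM_POOL_1 ranges.
LAN = ipaddress.ip_network("192.168.10.0/24")       # Vlan1 segment
VPN_POOL = ipaddress.ip_network("192.168.20.0/24")  # addresses handed to VPN clients
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
AIRPORT = ipaddress.ip_address("192.168.10.1")      # default gateway of the LAN hosts
CISCO = ipaddress.ip_address("192.168.10.2")        # 871 Vlan1 address
ISP = ipaddress.ip_address("203.0.113.1")           # AirPort's upstream (constructed)


class Router:
    """Minimal forwarding table with longest-prefix match."""
    def __init__(self):
        self.routes = []

    def add_route(self, prefix, next_hop):
        self.routes.append((prefix, next_hop))

    def next_hop(self, dst):
        hits = [r for r in self.routes if ipaddress.ip_address(dst) in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1] if hits else None


def ping_round_trip(airport_has_vpn_route):
    """Trace an echo request from a VPN client to a LAN host and its reply."""
    airport, cisco = Router(), Router()
    airport.add_route(LAN, "connected")
    airport.add_route(DEFAULT, ISP)
    if airport_has_vpn_route:
        airport.add_route(VPN_POOL, CISCO)  # the static route John proposes
    cisco.add_route(LAN, "connected")
    cisco.add_route(VPN_POOL, "virtual-template")  # client /32s land here
    client, host = "192.168.20.5", "192.168.10.50"
    # Request: decrypted on the 871; the host sits on its connected Vlan1.
    if cisco.next_hop(host) != "connected":
        return "request lost"
    # Reply: the client is off-subnet, so the host hands it to its gateway (.1).
    hop = airport.next_hop(client)
    if hop == CISCO and cisco.next_hop(client) == "virtual-template":
        return "reply delivered"
    return "reply forwarded to ISP and lost" if hop == ISP else "reply lost"


def ios_mask_consistent(prefix, mask):
    """IOS rejects 'ip route' when the address has bits set outside the mask,
    which is what happens when a wildcard (0.0.0.255) is typed as the mask."""
    p, m = int(ipaddress.ip_address(prefix)), int(ipaddress.ip_address(mask))
    return ((p & ~m) & 0xFFFFFFFF) == 0
```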

OK, well that kills this. There is no way to put a static route on the AirPort Extreme. Maybe someone can answer this then.

1) Is there a way to pass the internal LAN IP addresses to the VPN clients? Would that help?

2) The whole reason I want to keep the AirPort as the default gateway is that when I upgrade to the latest IOS 124.24 the internet is choked down and it starts to throttle between 7-12 meg down when it should be 25 meg down. Any ideas as to what in the config might cause that? It would be the same config, only using 124.24.

Thank you again for all your help.
