UC520 VPN connected but no ping

Bryan Lemeer
Beginner

Our UC520 has been configured for using a VPN setup. The router has been configured to allow ports 500, 10000 and 4500. When we start a connection via the Cisco VPN Client it will connect and receive an IP address. Looking in the UC520 IP route table we see the correct routes. However, when we try to ping the UC520 from the client it fails, and when we try to ping the client from the UC520 it fails as well. The UC520 is configured with NAT behind a Netgear WNDR3700.

These are the commands we entered for adding VPN functionality to the UC520:

aaa new-model
!
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
!
username vpn secret 5 $1$8mLF$OY9VTfy0Lo5O4aPR60wkb1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
 key P@ssw0rd1
 dns 192.168.2.1
 pool SDM_POOL_1
 save-password
 max-users 10
crypto isakmp profile sdm-ike-profile-1
 match identity group EZVPN_GROUP_1
 client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
 isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
crypto isakmp nat keepalive 20
!
interface Virtual-Template1 type tunnel
 ip nat inside
 ip virtual-reassembly
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 192.168.2.150 192.168.2.159
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1/8 overload
!
access-list 105 remark SDM_ACL Category=2
access-list 105 permit ip 10.10.10.0 0.0.0.3 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!

This is the show ip route output from the UC520 whilst the client is connected:

Gateway of last resort is 192.168.1.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 192.168.1.1
      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.10.10.0/24 is directly connected, Vlan100
L        10.10.10.1/32 is directly connected, Vlan100
      192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.1.0/24 is directly connected, Vlan1
L        192.168.1.25/32 is directly connected, Vlan1
      192.168.2.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.2.0/24 is directly connected, Loopback2
L        192.168.2.25/32 is directly connected, Loopback2
S        192.168.2.152/32 [1/0] via 93.95.xxx.xxx, Virtual-Access2
      192.168.10.0/24 is variably subnetted, 3 subnets, 2 masks
C        192.168.10.0/30 is directly connected, Loopback0
L        192.168.10.1/32 is directly connected, Loopback0
S        192.168.10.2/32 is directly connected, Integrated-Service-Engine0/0

Client configuration whilst connected:

IP: 192.168.2.152
Mask: 255.255.255.0
Gateway: 192.168.2.25
DNS: 192.168.2.1


3 Replies

greenturtlesteak
Participant (Accepted Solution)

Looks like the NAT configuration isn't right. Add the following to access-list 105 and make sure these are the first entries for the ACL:

access-list 105 deny ip 10.10.10.0 0.0.0.3 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255

Cole
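The reply's point, that the NAT route-map ACL must deny traffic towards the VPN pool before the broad permits so NAT never rewrites it, can be checked offline. The evaluator below is an added example, not code from the thread or from Cisco; it assumes first-match, implicit-deny semantics for numbered extended ACLs and contiguous wildcards, and it compares ACL 105 as first posted against the version with the four deny entries placed first for a LAN host (192.168.1.25, the UC520's Vlan1 address) reaching the connected client 192.168.2.152.

```python
import ipaddress
# Added example, not from the thread: a minimal evaluator for the IOS extended ACL
# lines a NAT route-map matches on. Only "ip" entries with "A wildcard", "host A"
# or "any" address forms are handled; wildcards must be contiguous (0.0.0.255 style).
def _parse_addr(tokens, i):
    """Return (network, next_index) for the address spec starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)  # invert the wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2

def parse_acl(text, number):
    """Ordered (action, src_net, dst_net) entries of access-list <number>."""
    entries = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        if t[3] != "ip":
            raise ValueError("only ip entries are supported: " + line)
        src, i = _parse_addr(t, 4)
        dst, _ = _parse_addr(t, i)
        entries.append((t[2], src, dst))
    return entries

def nat_applies(entries, src_ip, dst_ip):
    """True if the route-map ACL permits this flow, i.e. NAT would rewrite it."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"  # first match decides
    return False  # implicit deny at the end: the flow is exempt from NAT

# ACL 105 as first posted, and with the four suggested deny entries placed first.
ORIGINAL_ACL = """\
access-list 105 remark SDM_ACL Category=2
access-list 105 permit ip 10.10.10.0 0.0.0.3 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
"""
FIXED_ACL = """\
access-list 105 deny ip 10.10.10.0 0.0.0.3 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
""" + ORIGINAL_ACL
```

With the original ACL, `nat_applies(parse_acl(ORIGINAL_ACL, 105), "192.168.1.25", "192.168.2.152")` is True, so the LAN-to-client flow is translated and its return traffic cannot match; with the deny entries first it is False, while flows to Internet destinations still return True.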

Thanks for your reply. The ACL has been changed but the result is the same, no reply to the ping request.

Below is the adjusted ACL:

access-list 105 remark SDM_ACL Category=2
access-list 105 deny   ip 10.10.10.0 0.0.0.3 192.168.2.0 0.0.0.255
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny   ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny   ip 192.168.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 deny   ip any host 192.168.1.150
access-list 105 deny   ip any host 192.168.1.151
access-list 105 deny   ip any host 192.168.1.152
access-list 105 deny   ip any host 192.168.1.153
access-list 105 deny   ip any host 192.168.1.154
access-list 105 deny   ip any host 192.168.1.155
access-list 105 deny   ip any host 192.168.1.156
access-list 105 deny   ip any host 192.168.1.157
access-list 105 deny   ip any host 192.168.1.158
access-list 105 deny   ip any host 192.168.1.159
access-list 105 permit ip 10.10.10.0 0.0.0.3 any
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.10.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any

We have decided to remove NAT and work without it. This solved our problem instantly.
