04-16-2014 12:22 AM - edited 02-21-2020 07:36 PM
Hi Guys
Really hope you can help me out here, I am kind of stuck.
I have a Remote Access VPN to a router that seems to be working. The problem is that I only have access to some hosts on the remote end.
The hosts I really need to access are the following:
Server - 192.168.18.240
Switch - 192.168.18.251
Switch - 192.168.18.252
But I can't reach them, only all the other hosts on the network. Their default gateway is 192.168.18.1 (the router).
What might be the problem?
-------------------------------------------------
Hosts on the network:
PUFESTI-R#sh arp | e Inc
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.18.1 - 442b.0346.244e ARPA Vlan1
Internet 192.168.18.20 58 f0f7.5557.c468 ARPA Vlan1
Internet 192.168.18.21 0 f0f7.5557.c472 ARPA Vlan1
Internet 192.168.18.100 29 0090.c2e3.6234 ARPA Vlan1
Internet 192.168.18.101 0 0040.48b2.534e ARPA Vlan1
Internet 192.168.18.171 62 0050.c2e4.00d7 ARPA Vlan1
Internet 192.168.18.172 57 0050.c2e4.00cf ARPA Vlan1
Internet 192.168.18.181 0 0090.e82c.482a ARPA Vlan1
Internet 192.168.18.182 0 0090.e82c.4594 ARPA Vlan1
Internet 192.168.18.240 0 0001.0516.e473 ARPA Vlan1
Internet 192.168.18.251 0 08d0.9f6c.61dd ARPA Vlan1
Internet 192.168.18.252 0 08d0.9f6c.61c7 ARPA Vlan1
Internet 217.156.34.161 0 0017.95e0.7bca ARPA FastEthernet4
Internet 217.156.34.167 - 442b.0346.2452 ARPA FastEthernet4
Internet 217.156.34.168 - 442b.0346.2452 ARPA FastEthernet4
Internet 217.156.34.169 - 442b.0346.2452 ARPA FastEthernet4
--------------------------------------------
Hosts I can reach on the network:
IP Ping Hostname Ports
192.168.18.1 66 ms [n/a] [n/s]
192.168.18.20 66 ms [n/a] [n/s]
192.168.18.100 68 ms [n/a] [n/s]
192.168.18.21 69 ms [n/a] [n/s]
192.168.18.101 69 ms [n/a] [n/s]
192.168.18.171 71 ms [n/a] [n/s]
192.168.18.172 71 ms [n/a] [n/s]
192.168.18.181 76 ms [n/a] [n/s]
192.168.18.182 78 ms [n/a] [n/s]
--------------------------------------------------
VPN info:
PUFESTI-R#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
217.156.34.167 87.104.81.49 QM_IDLE 2006 ACTIVE
217.156.34.167 89.249.1.238 QM_IDLE 2001 ACTIVE
IPv6 Crypto ISAKMP SA
PUFESTI-R#
PUFESTI-R#sh crypto ips sa
interface: FastEthernet4
Crypto map tag: outside_map, local addr 217.156.34.167
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.18.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
current_peer 89.249.1.238 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 2320, #pkts encrypt: 2320, #pkts digest: 2320
#pkts decaps: 2352, #pkts decrypt: 2352, #pkts verify: 2352
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 217.156.34.167, remote crypto endpt.: 89.249.1.238
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x952A4954(2502576468)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x7EC90F3A(2127105850)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000046, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4491363/2676)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x952A4954(2502576468)
transform: esp-aes esp-md5-hmac ,
in use settings ={Tunnel, }
conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000046, crypto map: outside_map
sa timing: remaining key lifetime (k/sec): (4491346/2676)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
interface: Virtual-Access2
Crypto map tag: Virtual-Access2-head-0, local addr 217.156.34.167
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.253.5/255.255.255.255/0/0)
current_peer 87.104.81.49 port 40425
PERMIT, flags={origin_is_acl,}
#pkts encaps: 1088, #pkts encrypt: 1088, #pkts digest: 1088
#pkts decaps: 4087, #pkts decrypt: 4087, #pkts verify: 4087
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 217.156.34.167, remote crypto endpt.: 87.104.81.49
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0xE7B9F329(3887723305)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x1D30192F(489691439)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4437881/2919)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xE7B9F329(3887723305)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
sa timing: remaining key lifetime (k/sec): (4438107/2919)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
PUFESTI-R#
---------------------------
Attached is running-config of the router.
Thanks in advance
Regards
Mikkel
04-16-2014 04:47 AM
The switches you cannot reach (192.168.18.240/251/252) are addressed from a range in your VPN DHCP pool (192.168.18.200-254 once you take into account your exclusions):
ip dhcp excluded-address 192.168.17.1 192.168.17.199
ip dhcp excluded-address 192.168.18.1 192.168.18.199
!
ip dhcp pool ccp-pool1
 import all
 network 192.168.18.0 255.255.255.0
 dns-server 8.8.8.8 208.67.222.222
 default-router 192.168.18.1
Try excluding those specific /32s as well:
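A quick way to test this line of reasoning against the outputs posted above. This is an added Python example, not part of the thread: it parses a few constructed ARP lines modelled on the "sh arp" output, subtracts the hosts the VPN client could ping, and reports which of the remaining hosts sit inside the leasable part of the pool (the network minus the excluded-address ranges). Statically addressed servers and switches inside the leasable range are a classic cause of duplicate-address and reachability problems, so this is the check worth running before touching the VPN itself.

```python
import ipaddress

# Constructed sample modelled on the thread's ARP table (Vlan1 entries plus one WAN entry).
ARP_OUTPUT = """\
Internet 192.168.18.1 - 442b.0346.244e ARPA Vlan1
Internet 192.168.18.20 58 f0f7.5557.c468 ARPA Vlan1
Internet 192.168.18.240 0 0001.0516.e473 ARPA Vlan1
Internet 192.168.18.251 0 08d0.9f6c.61dd ARPA Vlan1
Internet 192.168.18.252 0 08d0.9f6c.61c7 ARPA Vlan1
Internet 217.156.34.167 - 442b.0346.2452 ARPA FastEthernet4
"""
# Hosts the remote-access client could ping (constructed subset of the posted list).
REACHABLE = {"192.168.18.1", "192.168.18.20"}

# DHCP pool network and exclusions as quoted from the running-config.
POOL_NETWORK = ipaddress.ip_network("192.168.18.0/24")
EXCLUDED_RANGES = [("192.168.18.1", "192.168.18.199")]


def lan_hosts(arp_text, interface="Vlan1"):
    """Return the IPv4 addresses the router has ARP entries for on one interface."""
    hosts = set()
    for line in arp_text.splitlines():
        fields = line.split()
        # Columns: Protocol Address Age Hardware-Addr Type Interface
        if len(fields) >= 6 and fields[0] == "Internet" and fields[5] == interface:
            hosts.add(fields[1])
    return hosts


def effective_pool(network, excluded):
    """Addresses the pool can actually lease: every host address not covered by an exclusion."""
    leasable = set()
    for host in network.hosts():
        in_excluded = any(
            ipaddress.ip_address(lo) <= host <= ipaddress.ip_address(hi)
            for lo, hi in excluded
        )
        if not in_excluded:
            leasable.add(str(host))
    return leasable


def unreachable_in_pool(arp_text, reachable, network, excluded):
    """Split hosts seen in ARP but not pingable by whether they fall inside the leasable pool."""
    unreachable = lan_hosts(arp_text) - set(reachable)
    pool = effective_pool(network, excluded)
    return sorted(unreachable & pool), sorted(unreachable - pool)
```

If the first list is non-empty, those static hosts overlap the addresses the router may hand to VPN clients; fixing that does not by itself prove the VPN is the cause, but it removes one variable before moving on to routing checks.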
04-21-2014 10:43 PM
Hi Marvin
Thanks for the reply. Just got back from easter holiday.
The suggestion did not help.
Any other ideas? Maybe some debug commands to use.
Regards
Mikkel
04-22-2014 11:28 PM
I agree with you Marvin, this is the problem and something may be wrong in consideration, because the VPN is good to go.
your VPN is based on this ACL:
ip access-list extended customer
 permit ip 192.168.18.0 0.0.0.255 10.2.0.0 0.0.0.255
it should be on other end:
ip access-list extended customer
 permit ip 10.2.0.0 0.0.0.255 192.168.18.0 0.0.0.255
Another thing to keep in mind: the switches will be accessible only from hosts in this subnet: 10.2.0.0 0.0.0.255
HTH
04-27-2014 10:43 PM
Hi
Thanks for the reply. I think that some things here are mixed up. The
ip access-list extended customer
 permit ip 192.168.18.0 0.0.0.255 10.2.0.0 0.0.0.255
is used for the LAN-to-LAN VPN connection, and this is working just fine.
The problem is in the Remote access VPN.
Can you tell me why DHCP exclusions could solve the problem? It makes no sense in my world.
Regards
Mikkel
04-28-2014 12:41 AM
Hi Mikkel,
I do not think a DHCP misconfiguration causes the issue. The remote EzVPN client (192.168.253.5) has set up the IPsec session without any issue. I think it is a routing issue. Did you forget to configure a default gateway or default route on those 3 devices?
Regards,
David
04-28-2014 01:55 AM
Hi mikkel003,
welcome
Sorry, you do not need to exclude; I did not look carefully before.
regards,
syed
"plz don't forget to rate for helpful post"