03-02-2010 04:23 PM
Hi guys, I have set up a very simple VPN using Cisco guides on the internet.
I can successfully connect to the Cisco VPN client using the config below.
My client PC gets the IP from the pool, let's say 14.1.1.100,
but when I try to ping 14.1.1.100 from the router, there is no reply.
When I ping from the router using the local LAN interface as source, it still doesn't work.
Can someone please look at the config and advise what I have been missing?
The config below works and I have tested it successfully. It sets up the VPN connection but I cannot ping any IP addresses.
Please help. Many thanks,
=======================Config for vpn connection =============================
!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2611
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
fax interface-type fax-mail
username cisco password 0 cisco
!
!
!
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!
crypto isakmp client configuration group 3000client
key cisco123
dns 10.10.10.10
wins 10.10.10.20
domain cisco.com
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
set peer 172.18.124.199
set transform-set myset
match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
ip address 10.10.10.1 255.255.255.0
speed auto
half-duplex
no keepalive
!
interface FastEthernet0/1
ip address 172.18.124.159 255.255.255.0
speed 100
full-duplex
crypto map clientmap
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.18.124.1
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
snmp-server community foobar RO
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
line con 0
exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end
====================================END OF CONFIG ==========================
03-03-2010 12:31 PM
Can someone please help me with this urgently?
many thanks
03-04-2010 03:58 PM
Can you ping from the client to the rest of the network? Clients at times have firewalls that won't allow pings to return.
03-04-2010 09:42 PM
Hello,
I recommend using an RFC1918 network for your IP pool instead of a publicly routable network such as 14.x.x.x. RFC1918 includes addresses like 10.0.0.0/8, 172.16.0.0 - 172.31.255.255, and 192.168.0.0/16.
You will likely also need to add that new IP pool network to the crypto acl (100).
James
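
An offline check for the two points raised in the reply above, added here as an example and not part of the thread or of any Cisco tooling: it reads the `ip local pool` and `access-list` lines of a config and reports pools that fall outside RFC 1918 or that no entry of the crypto ACL matches as a destination. The function names and the sample text are constructed for illustration, and only `permit ip <addr> <wildcard> <addr> <wildcard>` entries are parsed.

```python
import ipaddress
import re

# RFC 1918 private ranges, as listed in the reply above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the two lines of the posted config that matter for this check.
SAMPLE = """\
ip local pool ippool 14.1.1.100 14.1.1.200
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
"""

def wildcard_net(addr, wildcard):
    """Convert an IOS address + wildcard mask pair to a network (contiguous masks only)."""
    netmask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def parse_pools(config):
    """Return {pool_name: (first_ip, last_ip)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^\s*ip local pool (\S+) (\S+) (\S+)\s*$", config, re.M):
        pools[m.group(1)] = (ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3)))
    return pools

def parse_acl_destinations(config, acl):
    """Return the destination networks of the 'permit ip' entries of one numbered ACL."""
    pat = rf"^\s*access-list {re.escape(acl)} permit ip \S+ \S+ (\S+) (\S+)\s*$"
    return [wildcard_net(m.group(1), m.group(2)) for m in re.finditer(pat, config, re.M)]

def audit(config, acl="100"):
    """Return findings per pool: range outside RFC 1918, range not matched by the crypto ACL."""
    dests = parse_acl_destinations(config, acl)
    findings = []
    for name, (first, last) in parse_pools(config).items():
        if not any(first in n and last in n for n in RFC1918):
            findings.append(f"pool {name} {first}-{last} is outside RFC 1918")
        if not any(first in d and last in d for d in dests):
            findings.append(f"pool {name} {first}-{last} is not a destination in access-list {acl}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```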