11-21-2021 06:42 PM - edited 11-21-2021 07:02 PM
I set up a VPN. I can connect, and I can ping between the connected host and every VLAN interface on my network, on a couple of switches and access points, but I can't ping any hosts connected to switch ports. I would like to be able to see and connect to VLAN 3 hosts. Here is my router config:
Using 5572 out of 262136 bytes
!
! Last configuration change at 01:30:46 UTC Mon Nov 22 2021 by #####
! NVRAM config last updated at 01:42:13 UTC Mon Nov 22 2021 by ####
! NVRAM config last updated at 01:42:13 UTC Mon Nov 22 2021 by #####
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 #########################
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool CAMSNET
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
 host 10.10.10.5 255.255.255.0
 client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
 host 192.168.1.10 255.255.255.0
 client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
 network 10.10.20.0 255.255.255.0
 default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
 host 10.10.20.6 255.255.255.0
 client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
 host 10.10.20.5 255.255.255.0
 client-identifier 0164.9ef3.4de4.f6
!
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
 ! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 1
 no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
!
vtp domain NULL
vtp mode transparent
username ###### password 7 ############################
username ##### privilege 15 password 7 ####################################
username ###### privilege 15 password 7 ######################
!
redundancy
!
!
!
!
vlan 2
 name CAMS
!
!
class-map type inspect match-all IPSEC_CM
 match access-group name ISAKMP_IPSEC
class-map type inspect match-any IN_OUT_CM
 match access-group name IN_OUT_ACL
class-map type inspect match-all DHCP_CM
 match access-group name DHCP
!
!
policy-map type inspect OUT_SELF_PM
 class type inspect IPSEC_CM
  pass
 class type inspect DHCP_CM
  pass
 class class-default
  drop log
policy-map type inspect IN_OUT_PM
 class type inspect IN_OUT_CM
  inspect
 class class-default
  drop log
policy-map type inspect OUT_IN_PM
 class class-default
  drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
 service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
 service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
 service-policy type inspect OUT_SELF_PM
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ############# address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
 mode transport
!
crypto dynamic-map dyn-map 10
 set nat demux
 set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback1
 ip address 192.168.2.1 255.255.255.255
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 zone-member security outside
 duplex auto
 speed auto
 crypto map outside_map
!
interface GigabitEthernet0/1
 no ip address
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
 duplex auto
 speed auto
!
interface GigabitEthernet0/1.1
 encapsulation dot1Q 3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security inside
!
interface GigabitEthernet0/1.2
 encapsulation dot1Q 2
 ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
 encapsulation dot1Q 99
 ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
 no ip address
 no mop enabled
!
interface FastEthernet0/0/1
 no ip address
!
interface FastEthernet0/0/2
 no ip address
!
interface FastEthernet0/0/3
 no ip address
 shutdown
!
interface Virtual-Template1
 ip unnumbered Loopback1
 peer default ip address pool l2tp-pool
 ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
 no ip address
!
ip local pool l2tp-pool 192.168.2.100 192.168.2.150
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 #########
ip route 0.0.0.0 0.0.0.0 ########## 254
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard IN_OUT_ACL
 permit 192.168.1.0 0.0.0.255
!
ip access-list extended DHCP
 permit udp any any eq bootpc
ip access-list extended ISAKMP_IPSEC
 permit esp any any
 permit ahp any any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq 1701
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password 7 ############################
 transport input ssh
!
scheduler allocate 20000 1000
end
11-22-2021 09:52 AM
After playing with it a bunch, I removed
interface GigabitEthernet0/1.1
 encapsulation dot1Q 3
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 ---->zone-member security inside
and found that my ping made it through, so my firewall is blocking the VPN connection's pings from getting through. Not sure how to solve this; any suggestions?
11-22-2021 10:42 AM
@JLVB83 possibly because your traffic is being unintentionally translated. Change the order of your NAT rules, as you are currently NATting the traffic.
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
to this...
ip access-list extended NAT
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
Ensure the deny rule is above the permit.
11-22-2021 10:53 AM
Good to know that there is an order to things like that, but unfortunately it did not solve my problem.
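An added config-audit script (not from this thread or from Cisco) for the two points raised above: it flags interfaces that carry an IP address but belong to no security zone, as Virtual-Template1 does in the posted config (under ZBF an interface outside every zone cannot exchange traffic with a zone member, which fits the ping working once zone-member was removed from Gi0/1.1), and it flags ACL entries that an earlier, broader entry shadows, like the deny in the NAT list. It assumes a condensed, indentation-restored excerpt of the config constructed here and contiguous wildcard masks.

```python
import ipaddress

# Constructed excerpt of the thread's config, indentation restored (not the full post).
CONFIG = """\
interface GigabitEthernet0/1.1
 ip address 192.168.1.1 255.255.255.0
 zone-member security inside
interface Virtual-Template1
 ip unnumbered Loopback1
ip access-list extended NAT
 permit ip 192.168.1.0 0.0.0.255 any
 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def blocks(cfg, prefix):
    """Yield (header, [child lines]) for every top-level block whose header starts with prefix."""
    header, body = None, []
    for line in cfg.splitlines() + ["end"]:
        if line.startswith(" "):
            body.append(line.strip())
            continue
        if header is not None:
            yield header, body
        header, body = (line if line.startswith(prefix) else None), []

def zoneless_ip_interfaces(cfg):
    """IP-bearing interfaces with no zone-member line: under ZBF they cannot talk to zoned ones."""
    return [h.split(" ", 1)[1] for h, body in blocks(cfg, "interface ")
            if any(c.startswith(("ip address ", "ip unnumbered ")) for c in body)
            and not any(c.startswith("zone-member security ") for c in body)]

def _net(toks):
    """Pop one ACE address spec ('any' or 'ADDR WILDCARD') from toks as an ip_network."""
    t = toks.pop(0)
    return ipaddress.ip_network("0.0.0.0/0" if t == "any" else f"{t}/{toks.pop(0)}", strict=False)

def shadowed_entries(cfg, acl_name):
    """(line_no, text) of 'ip' ACEs fully covered by an earlier ACE, so they can never match."""
    body = dict(blocks(cfg, "ip access-list ")).get(f"ip access-list extended {acl_name}", [])
    seen, shadowed = [], []
    for n, line in enumerate(body, 1):
        toks = line.split()
        if len(toks) < 3 or toks[1] != "ip":
            continue
        rest = toks[2:]
        src, dst = _net(rest), _net(rest)
        if any(src.subnet_of(s) and dst.subnet_of(d) for s, d in seen):
            shadowed.append((n, line))
        seen.append((src, dst))
    return shadowed
```

Run against the full posted config, the zone check also lists Gi0/1.2 and Gi0/1.3, which carry addresses but no zone-member line; swapping the two NAT entries as suggested above makes the shadow list empty.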