09-04-2014 05:32 AM
Hi, all
I couldn't understand why it is impossible to ping the Local Network from an EasyVPN Router in client mode. Please help. The network diagram is as follows
R1 --192.168.1.x/24-- R2(VPN HUB) --77.1.1.x/24-- R4 --172.16.1.x/24-- R7 --192.168.2.x/24
I set up R7 as an EasyVPN hardware client and R2 as a VPN Server. I couldn't ping 192.168.1.x/24 from 192.168.2.x/24 or the opposite way.
Router2#
aaa new-model
!
aaa authorization network LOCAL-AUTHOR local
crypto isakmp policy 10
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN-CLIENT-GROUP
key vpnclientcisco
pool VPN-LOCAL-POOL
acl 100
crypto isakmp profile PROFILE-ISAKMP
match identity group VPN-CLIENT-GROUP
isakmp authorization list LOCAL-AUTHOR
client configuration address respond
client configuration group VPN-CLIENT-GROUP
virtual-template 1
!
crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac
!
crypto ipsec profile PROFILE-IPSEC
set transform-set TRANSFORM-IPSEC
set isakmp-profile PROFILE-ISAKMP
interface Ethernet0/0
ip address 192.168.1.2 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Ethernet0/1
ip address 77.1.1.2 255.255.255.0
ip nat outside
ip virtual-reassembly in
!
interface Virtual-Template1 type tunnel
ip unnumbered Ethernet0/1
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROFILE-IPSEC
!
ip local pool VPN-LOCAL-POOL 172.16.40.1 172.16.40.100
ip nat inside source list TONAT interface Ethernet0/1 overload
R7#
crypto ipsec client ezvpn EZVPN-CLIENT
connect auto
group VPN-CLIENT-GROUP key vpnclientcisco
mode client
peer 77.1.1.2
username cisco password cisco
xauth userid mode local
!
interface Ethernet0/0
ip address 172.16.1.7 255.255.255.0
crypto ipsec client ezvpn EZVPN-CLIENT
!
interface Ethernet0/2
ip address 192.168.2.7 255.255.255.0
ip nat inside
crypto ipsec client ezvpn EZVPN-CLIENT inside
R7 gets an IP from R2 (VPN Server)
R7_Router#sh ip int br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 172.16.1.7 YES NVRAM up up
Ethernet0/2 192.168.2.7 YES NVRAM up up
Loopback0 7.7.7.7 YES NVRAM up up
Loopback10000 172.16.40.49 YES TFTP up up
NVI0 172.16.1.7 YES unset up up
And I have automatically created NAT translations
R7_Router#sh ip nat statistics
Total active translations: 0 (0 static, 0 dynamic; 0 extended)
Peak translations: 0
Outside interfaces:
Ethernet0/0
Inside interfaces:
Ethernet0/2
Hits: 0 Misses: 0
CEF Translated packets: 0, CEF Punted packets: 0
Expired translations: 0
Dynamic mappings:
-- Inside Source
[Id: 106] access-list EZVPN-CLIENT_internet-list interface Ethernet0/0 refcount 0
[Id: 105] access-list EZVPN-CLIENT_enterprise-list pool EZVPN-CLIENT refcount 0
pool EZVPN-CLIENT: netmask 255.255.255.0
start 172.16.40.49 end 172.16.40.49
type generic, total addresses 1, allocated 0 (0%), misses 0
!
R7_Router#sh access-lists EZVPN-CLIENT_internet-list (non-local networks are let out to the internet)
Extended IP access list EZVPN-CLIENT_internet-list
10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
20 deny ip 192.168.2.0 0.0.0.255 2.2.2.0 0.0.0.255
30 permit ip 192.168.2.0 0.0.0.255 any
!
R7_Router#sh access-lists EZVPN-CLIENT_enterprise-list (local networks are NATed to the assigned IP)
Extended IP access list EZVPN-CLIENT_enterprise-list
10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
20 permit ip 192.168.2.0 0.0.0.255 2.2.2.0 0.0.0.255
But
R7_Router#ping 192.168.1.2 source 192.168.2.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.7
.....
Success rate is 0 percent (0/5)
INFO
R7_Router#sho crypto ipsec client ezvpn
Easy VPN Remote Phase: 8
Tunnel name : EZVPN-CLIENT
Inside interface list: Ethernet0/2
Outside interface: Ethernet0/0
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.40.54 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
Address : 192.168.1.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Split Tunnel List: 2
Address : 2.2.2.0
Mask : 255.255.255.0
Protocol : 0x0
Source Port: 0
Dest Port : 0
Current EzVPN Peer: 77.1.1.2
R7_Router#sh crypto ipsec sa
interface: Ethernet0/0
Crypto map tag: Ethernet0/0-head-0, local addr 172.16.1.7
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.40.54/255.255.255.255/256/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
current_peer 77.1.1.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 172.16.1.7, remote crypto endpt.: 77.1.1.2
path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
current outbound spi: 0xEDDC1FF4(3990626292)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0xB13AC0A(185838602)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 117, flow_id: SW:117, sibling_flags 80000040, crypto map: Ethernet0/0-head-0
sa timing: remaining key lifetime (k/sec): (4180674/2025)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)
09-04-2014 06:43 AM
Hi,
If you look at the sh crypto ipsec output..... your encryption domain says that it is local ident (addr/mask/prot/port): (172.16.40.54/255.255.255.255/256/0) and it should be 192.168.2.0/24. That is why it is not pinging the other end....
Issue is here:
protected vrf: (none)
local ident (addr/mask/prot/port): (172.16.40.54/255.255.255.255/256/0)
remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
If this gets corrected ... if I am not wrong... you have to get the acl 100 corrected on the VPN Server....
acl 100 should be like this
192.168.1.0 0.0.0.255 to 192.168.2.0 0.0.0.255
2.2.2.0 0.0.0.255 to 192.168.2.0 0.0.0.255
Regards
Karthik
09-04-2014 06:50 AM
Thank you for your reply!
Sorry, I didn't attach information about the ACL on R2. Current configuration on R2 about the ACL:
!
ip access-list extended TONAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
Second, I think that (addr/mask/prot/port): (172.16.40.54/255.255.255.255/256/0) is correct, because this is how client mode of EZVPN works: the hardware client gets an IP address and hides the directly connected local networks behind PAT.
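To make the client-mode behaviour discussed in this thread concrete, here is an added Python model (not Cisco code and not from any poster) of what R7 does with a packet from its inside network: the two auto-generated NAT ACLs decide whether the packet is PATed to the assigned pool address (enterprise list) or to the outside interface (internet list), and the translated flow is then checked against the proxy identities of the IPsec SA. The ACL entries, addresses and SA identities are copied from the show outputs above; the function names and the sample packets are my own.

```python
"""Model of EzVPN hardware-client (client mode) packet handling on R7.

Added illustration, not Cisco code. ACL entries, addresses and SA proxy
identities are taken from the show commands in this thread; function
names and sample packets are assumptions of this example.
"""
import ipaddress


def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask semantics: a set bit in the wildcard is 'don't care'."""
    care_bits = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) ^ ip_int(network)) & care_bits == 0


def netmask_match(addr, network, netmask):
    """Proxy-identity (addr/netmask) match as printed by 'sh crypto ipsec sa'."""
    return (ip_int(addr) ^ ip_int(network)) & ip_int(netmask) == 0


def acl_lookup(acl, src, dst):
    """First-match evaluation of an extended ACL with the implicit deny at the end.
    Entries are (action, src_net, src_wild, dst_net, dst_wild)."""
    for action, snet, swild, dnet, dwild in acl:
        if wildcard_match(src, snet, swild) and wildcard_match(dst, dnet, dwild):
            return action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")

# 'sh access-lists EZVPN-CLIENT_enterprise-list' on R7 (traffic to be tunnelled)
ENTERPRISE_LIST = [
    ("permit", "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255", "2.2.2.0", "0.0.0.255"),
]
# 'sh access-lists EZVPN-CLIENT_internet-list' on R7 (split-tunnel exceptions)
INTERNET_LIST = [
    ("deny",   "192.168.2.0", "0.0.0.255", "192.168.1.0", "0.0.0.255"),
    ("deny",   "192.168.2.0", "0.0.0.255", "2.2.2.0", "0.0.0.255"),
    ("permit", "192.168.2.0", "0.0.0.255", *ANY),
]

ASSIGNED_ADDRESS = "172.16.40.54"   # pool address pushed by R2, applied on Loopback10000
OUTSIDE_ADDRESS = "172.16.1.7"      # Ethernet0/0 on R7

# Proxy identities from 'sh crypto ipsec sa' on R7 (addr/netmask)
SA_LOCAL_IDENT = ("172.16.40.54", "255.255.255.255")
SA_REMOTE_IDENT = ("0.0.0.0", "0.0.0.0")


def classify(src, dst):
    """Return which NAT mapping a LAN packet hits, its post-NAT source, and
    whether the translated flow falls inside the SA proxy identities.
    The two lists are mutually exclusive by construction (the internet list
    denies exactly what the enterprise list permits), so lookup order does
    not change the result."""
    if acl_lookup(ENTERPRISE_LIST, src, dst) == "permit":
        path, nat_src = "enterprise", ASSIGNED_ADDRESS
    elif acl_lookup(INTERNET_LIST, src, dst) == "permit":
        path, nat_src = "internet", OUTSIDE_ADDRESS
    else:
        path, nat_src = "untranslated", src
    in_sa = (netmask_match(nat_src, *SA_LOCAL_IDENT)
             and netmask_match(dst, *SA_REMOTE_IDENT))
    return {"path": path, "nat_src": nat_src, "encrypted": in_sa}


if __name__ == "__main__":
    # Constructed sample packets: a LAN host to the hub LAN, and to the internet.
    for src, dst in [("192.168.2.10", "192.168.1.2"), ("192.168.2.10", "8.8.8.8")]:
        print(src, "->", dst, classify(src, dst))
```

The model shows why, in client mode, the SA's local identity is the single assigned address rather than 192.168.2.0/24: a host in 192.168.2.0/24 talking to 192.168.1.0/24 is first translated to 172.16.40.54 by the enterprise mapping, and only that translated flow is matched against the SA, whereas internet-bound traffic is translated to the outside interface address and leaves in the clear. When troubleshooting, the counters that go with each step are the NAT hit counters in sh ip nat statistics and the #pkts encaps counter in sh crypto ipsec sa; both being zero, as in the outputs above, means the packets never reached the translation step.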