Cannot ping hosts on remote site through my SSL VPN connection

Tommy Svensson
Level 1

Hi.

I can't ping hosts on the remote network through my VPN connection; I can ping every interface on the remote router, but not any hosts.

Here is my running config.

vpn#show run
Building configuration...

Current configuration : 14513 bytes
!
! Last configuration change at 10:07:38 +2 Fri May 20 2011 by iosoft
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname vpn
!
boot-start-marker
boot-end-marker
!
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_auth local
aaa authorization exec default local
!
!
!
!
!
aaa session-id common
!
clock timezone +2 2 0
!
no ipv6 cef
ip source-route
ip cef
!
ip ssh authentication-retries 5
ip ssh version 2
!
class-map type inspect match-any LAN_TO_WAN
match access-group name LAN_TO_WAN
class-map type inspect match-any WAN_TO_LAN
match access-group name WAN_TO_LAN
!
!
policy-map type inspect LAN_TO_WAN
class type inspect LAN_TO_WAN
inspect
class class-default
drop
policy-map type inspect WAN_TO_LAN
class type inspect WAN_TO_LAN
inspect
class class-default
drop
!
zone security WAN_ZONE
zone security LAN_ZONE
zone-pair security LAN_TO_WAN source LAN_ZONE destination WAN_ZONE
service-policy type inspect LAN_TO_WAN
zone-pair security WAN_TO_LAN source WAN_ZONE destination LAN_ZONE
service-policy type inspect WAN_TO_LAN
!
!
interface GigabitEthernet0/0
ip address xxxxxxxxxxxxxxxx 255.255.255.240
ip nat outside
ip virtual-reassembly in
zone-member security WAN_ZONE
duplex auto
speed auto
!
interface GigabitEthernet0/1
ip address xxxxxxxxxxxxxxxxxx 255.255.255.240
ip nat outside
ip virtual-reassembly in
zone-member security WAN_ZONE
duplex auto
speed auto
!
interface FastEthernet0/0/0
vlan-id dot1q 1
exit-vlan-config
!
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
!
interface Vlan1
ip address 192.168.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security LAN_ZONE
!
ip local pool vpn_pool 192.168.0.200 192.168.0.220
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
ip http secure-trustpoint SSL-CERT
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source route-map isp1 interface GigabitEthernet0/0 overload
ip nat inside source route-map isp2 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxxxxx
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxxxxxxxx 10
!
ip access-list extended LAN_TO_WAN
permit gre any any
permit ip any any
ip access-list extended WAN_TO_LAN
permit tcp any eq 3389 any
permit tcp any eq www any
permit tcp any eq 22 any
permit tcp any eq 443 any
permit tcp any any eq 22
permit tcp any any eq 2087
permit tcp any any eq 443
permit tcp any any eq www
permit tcp any any eq smtp
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit ip 192.168.3.0 0.0.0.255 10.10.15.0 0.0.0.255
permit udp any any eq isakmp
permit icmp any any
permit tcp any any eq 3389
permit tcp any eq ftp-data any
permit tcp any eq ftp any
!
logging trap debugging
logging 10.10.50.5
access-list 9 permit 10.10.1.0 0.0.0.255
access-list 9 permit 10.10.15.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 150 permit ip any any log
access-list 151 permit ip host 10.10.1.0 any log
access-list 151 permit ip any host 10.10.1.0 log
!
no cdp run

!
!
!
route-map isp2 permit 10
match ip address 105
match interface GigabitEthernet0/1
!
route-map isp1 permit 10
match ip address 105
match interface GigabitEthernet0/0
!
!
!
!
control-plane
!
!
line con 0
timeout login response 300
logging synchronous
login authentication console
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
logging synchronous
transport input ssh
line vty 5 15
access-class 9 in
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
ntp server 194.35.252.7
!
webvpn gateway vpn
ip address xxxxxxxxxxxx port 443
http-redirect port 80
ssl trustpoint SSL-CERT
inservice
!
webvpn install svc flash0:/webvpn/anyconnect-win-2.5.2017-k9.pkg sequence 1
!
webvpn context vpn

secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
!
url-list "vpn"
heading "Quick Links"
   url-text "VPN" url-value "https://xxxxxxxxxxxxxxx/vpn"
!
login-message "Welcome!"
!
policy group policy_1
url-list "vpn"
functions svc-enabled
svc address-pool "vpn_pool"
   svc default-domain "xxxxxxxxxxxxxxx"
svc keep-client-installed
svc dns-server primary 8.8.8.8
virtual-template 1
default-group-policy policy_1
aaa authentication list vpn_auth
gateway vpn
inservice
!
end

vpn#

1 Reply

shabibrizvi
Level 1

Hi Tommy,

How do you expect the traffic to flow from your router to the remote device?

I take it that it is going via the VPN, not the WebVPN. However, I do not see where the traffic to the remote side gets through at the other side after travelling down the tunnel.

Is the access list on the remote side the same as this side?

ip access-list extended WAN_TO_LAN
permit tcp any eq 3389 any
permit tcp any eq www any
permit tcp any eq 22 any
permit tcp any eq 443 any
permit tcp any any eq 22
permit tcp any any eq 2087
permit tcp any any eq 443
permit tcp any any eq www
permit tcp any any eq smtp
permit tcp any any eq ftp
permit tcp any any eq ftp-data
permit ip 192.168.3.0 0.0.0.255 10.10.15.0 0.0.0.255
permit udp any any eq isakmp
permit icmp any any
permit tcp any any eq 3389
permit tcp any eq ftp-data any
permit tcp any eq ftp any

Regards,

Shabib
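
Added example for readers of this thread; it is not part of Tommy's post or Shabib's reply. It works from the posted running config and from a documented zone-based firewall rule: on IOS ZBF, traffic between an interface that is a member of a zone (Vlan1 in LAN_ZONE) and an interface that belongs to no zone (Virtual-Template1, which terminates the AnyConnect clients) is dropped, while traffic to the router's own addresses (the implicit "self" zone) is permitted by default. That matches the symptom exactly: the router's interfaces answer pings, the hosts behind Vlan1 never see them. The fragment below shows two ways to put the SSL VPN clients into the zone model. Option A is the smallest change; option B is the least-privilege version with its own zone and an explicit policy. The zone name VPN_ZONE, the ACL/class/policy name VPN_TO_LAN and the permitted ports are illustrative assumptions, as is the assumption that clients should reach only the 192.168.0.0/24 hosts.

```cisco
! Added example, not from the original post. Assumes the posted config is
! otherwise unchanged; names VPN_ZONE and VPN_TO_LAN and the port list are
! assumptions chosen for illustration.
!
! --- Option A (minimal): make the SSL VPN clients members of LAN_ZONE. ---
! Intra-zone traffic is permitted, so clients reach Vlan1 hosts and also get
! the existing LAN_TO_WAN inspect policy toward the Internet.
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 zone-member security LAN_ZONE
!
! --- Option B (least privilege): dedicated zone, explicit narrow policy. ---
! Use A or B, not both. With B there is no LAN_ZONE -> VPN_ZONE pair, so
! LAN hosts cannot open connections toward VPN clients; only replies to
! inspected sessions return.
zone security VPN_ZONE
!
! 192.168.0.192/27 (wildcard 0.0.0.31) covers the vpn_pool range .200-.220.
ip access-list extended VPN_TO_LAN
 permit icmp 192.168.0.192 0.0.0.31 192.168.0.0 0.0.0.255
 permit tcp 192.168.0.192 0.0.0.31 192.168.0.0 0.0.0.255 eq 3389
 permit tcp 192.168.0.192 0.0.0.31 192.168.0.0 0.0.0.255 eq 22
!
class-map type inspect match-any VPN_TO_LAN
 match access-group name VPN_TO_LAN
!
policy-map type inspect VPN_TO_LAN
 class type inspect VPN_TO_LAN
  inspect
 class class-default
  drop log
!
zone-pair security VPN_TO_LAN source VPN_ZONE destination LAN_ZONE
 service-policy type inspect VPN_TO_LAN
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 zone-member security VPN_ZONE
!
! Because option B deliberately has no VPN_ZONE -> WAN_ZONE pair, send only
! LAN traffic through the tunnel; otherwise a full-tunnel client loses
! Internet access while connected.
webvpn context vpn
 policy group policy_1
  svc split include 192.168.0.0 255.255.255.0
```

Two caveats a practitioner would want. First, vpn_pool (192.168.0.200-220) is carved out of the Vlan1 subnet, so LAN hosts will ARP for the client addresses; the router answers on their behalf only while proxy ARP stays enabled on Vlan1 (the IOS default), so do not disable it, or move the pool to an unused subnet that the LAN routes back to the router. Second, and unrelated to the ping problem, the posted WAN_TO_LAN access list permits unsolicited TCP from any source to ports such as 22, 3389 and 2087 into LAN_ZONE; those lines deserve a review in their own right. To confirm the diagnosis before and after the change, compare `show zone security`, `show policy-map type inspect zone-pair sessions` and `show webvpn session context vpn` while a client is connected and pinging a host.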