Cisco c1113, L2TP over IPSEC, VPN working but no local lan access

roccogi68
Level 1

Hi, here is my configuration.

I can correctly establish the VPN and I can ping the router (Vlan1, 192.168.4.1), but I have no ping or any communication with the local network 192.168.4.0/24. Where do I go wrong?

Building configuration...
Current configuration : 9996 bytes
!
! Last configuration change at 10:26:57 GMT Mon Dec 25 2023 by admin
!
version 17.12
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
platform qfp utilization monitor load 80
platform punt-keepalive disable-kernel-core
platform hardware throughput crypto 50000
!
hostname ggsrouter
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
aaa session-id common
clock timezone GMT 1 0
!
ip name-server 8.8.8.8 8.8.4.4
ip domain name ggs.local
!
!
!
ip nbar http-services
!
!
ip nbar attribute-map webui-default
attribute business-relevance default
!
!
ip nbar attribute-set youtube webui-default
!
!
ip dhcp excluded-address 192.168.4.255 255.255.255.255
ip dhcp excluded-address 192.168.4.0 192.168.4.43
!
ip dhcp pool local_lan
import all
network 192.168.4.0 255.255.255.0
dns-server 8.8.8.8 8.8.4.4
default-router 192.168.4.1
lease 0 2
!
!
!
login on-success log
!
!
!
!
!
!
!
subscriber templating
!
!
!
!
!
vtp version 1
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group l2tp
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
!
!
!
!
diagnostic bootup level minimal
!
!
!
!
!
object-group network local_lan_subnets
192.168.4.0 255.255.255.0
!
object-group network vpn_remote_subnets
10.4.4.0 255.255.255.0
!
no license feature hseck9
license udi pid C1113-8PLTEEAWE sn XXXXXXXXXXXX
license boot level appxk9
license boot level uck9
license boot level securityk9
memory free low-watermark processor 64521
et-analytics
!
spanning-tree extend system-id
!
username remoteuser privilege 15 password 7 08064D4208011C5943595F50
!
redundancy
mode none
!
!
controller Cellular 0/2/0
!
controller VDSL 0/3/0
!
!
vlan internal allocation policy ascending
!
!
class-map type inspect match-any Web_app
match protocol tcp
match protocol udp
match protocol ftp
match protocol icmp
class-map type inspect match-all Web
match class-map Web_app
match access-group name Web_acl
!
policy-map type inspect INSIDE-OUTSIDE-POLICY
class type inspect Web
inspect
class class-default
drop log
!
!
zone security INSIDE
description Zone for inside interfaces
zone security OUTSIDE
description Zone for outside interfaces
zone security default
zone-pair security INSIDE-OUTSIDE source INSIDE destination OUTSIDE
service-policy type inspect INSIDE-OUTSIDE-POLICY
!
!
!
!
!
!
!
!
crypto isakmp policy 10
encryption aes 256
hash sha
authentication pre-share
group 14
crypto isakmp key xxxxxxxxxxxx address 0.0.0.0
crypto isakmp aggressive-mode disable
!
!
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
mode transport
!
!
crypto ipsec profile myprofile
set transform-set myset
!
!
crypto dynamic-map mydynamicmap 10
set nat demux
set transform-set myset
match address 101
!
!
crypto map mymap 10 ipsec-isakmp dynamic mydynamicmap
!
!
!
!
!
!
!
!
interface GigabitEthernet0/0/0
no ip address
ip access-group 197 in
negotiation auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface GigabitEthernet0/1/0
switchport mode access
!
interface GigabitEthernet0/1/1
switchport mode access
!
interface GigabitEthernet0/1/2
switchport mode access
!
interface GigabitEthernet0/1/3
switchport mode access
!
interface GigabitEthernet0/1/4
switchport mode access
!
interface GigabitEthernet0/1/5
switchport mode access
!
interface GigabitEthernet0/1/6
switchport
switchport mode access
!
interface GigabitEthernet0/1/7
switchport
switchport mode access
!
interface Wlan-GigabitEthernet0/1/8
!
interface Cellular0/2/0
ip address negotiated
ipv6 enable
!
interface Cellular0/2/1
no ip address
!
interface ATM0/3/0
no ip address
atm oversubscribe factor 2
!
interface Ethernet0/3/0
no ip address
no negotiation auto
!
interface Virtual-Template1
ip unnumbered Vlan1
peer default ip address pool l2tp-pool
ppp mtu adaptive
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
ip address 192.168.4.1 255.255.255.0
ip nat inside
ip access-group 100 in
zone-member security INSIDE
no mop enabled
!
interface Dialer1
description Tim Fttc
mtu 1492
ip address negotiated
no ip redirects
ip nat outside
zone-member security OUTSIDE
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
ppp mtu adaptive
ppp authentication pap callin
ppp pap sent-username xxxxxxxxxx password 7 120D0C1A130F1F08
crypto map mymap
!
ip local pool l2tp-pool 10.4.4.4 10.4.4.44
ip forward-protocol nd
ip dns server
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 197 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip ssh bulk-mode 131072
!
ip access-list extended Web_acl
10 permit ip any any
!
ip access-list standard 1
10 permit 192.168.4.0 0.0.0.255
ip access-list extended 100
10 deny ip host 255.255.255.255 any
20 deny ip 127.0.0.0 0.255.255.255 any
30 permit ip any any
ip access-list extended 101
40 permit udp any eq 1701 any
ip access-list extended 197
20 permit ip 192.168.4.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
line con 0
transport input none
stopbits 1
line vty 0 4
length 0
transport input ssh
line vty 5 14
transport input ssh
!
!
!
!
!
!
!
end


8 Replies

Check if you have activated the securityk9 license.

MHM

Thank you for your reply.

Sorry, but I am a beginner with Cisco. How can I activate the license?

This is the license usage:

#show license usage
License Authorization:
Status: Not Applicable

appxk9 (ISR_1100_8P_Application):
Description: appxk9
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: appxk9
Feature Description: appxk9
Enforcement type: NOT ENFORCED
License type: Perpetual

uck9 (ISR_1100_8P_UnifiedCommunication):
Description: uck9
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: uck9
Feature Description: uck9
Enforcement type: NOT ENFORCED
License type: Perpetual

securityk9 (ISR_1100_8P_Security):
Description: securityk9
Count: 1
Version: 1.0
Status: IN USE
Export status: NOT RESTRICTED
Feature Name: securityk9
Feature Description: securityk9
Enforcement type: NOT ENFORCED
License type: Perpetual


Router#show policy-map type inspect zone-pair INSIDE-OUTSIDE

Please share this after pinging many times.
For the license it is OK, the K9 is IN USE.

MHM

#show policy-map type inspect zone-pair INSIDE-OUTSIDE
Zone-pair: INSIDE-OUTSIDE
Service-policy inspect : INSIDE-OUTSIDE-POLICY

Class-map: Web (match-all)
Match: class-map match-any Web_app
Match: protocol tcp
Match: protocol udp
Match: protocol ftp
Match: protocol icmp
Match: access-group name Web_acl
Inspect
Packet inspection statistics [process switch:fast switch]
tcp packets: [0:971840]
udp packets: [0:1632541]
icmp packets: [0:564]
Session creations since subsystem startup or last reset 5915
Current session counts (estab/half-open/terminating) [74:0:0]
Maxever session counts (estab/half-open/terminating) [207:8:0]
Last session created 00:00:06
Last statistic reset never
Last session creation rate 29
Last half-open session total 0

Class-map: class-default (match-any)
Match: any
Drop
0 packets, 0 bytes

@roccogi68 you need to explicitly permit the VPN user initiated traffic in your Zone Based Firewall configuration. You should also amend your NAT ACL to ensure traffic between the local network (192.168.4.0) and the VPN pool network (10.4.4.0) is not translated; place a deny in the first line of ACL 197.

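One way to apply the two changes the accepted answer describes to the configuration posted above (an added example, not the poster's or the answerer's own configuration): the L2TP clients terminate on Virtual-Template1, which is in no security zone, so ZBFW drops their traffic towards Vlan1 (zone INSIDE). The zone name VPN, the ACL name VPN_to_LAN_acl and the class/policy names are assumptions; the existing class-map Web_app, zone INSIDE, pool 10.4.4.0/24 and ACL 197 come from the posted config.

```cisco
! --- 1. Zone-Based Firewall: put the remote-access clients in their own zone
!        and permit (and inspect) what they initiate towards the LAN.
ip access-list extended VPN_to_LAN_acl
 10 permit ip 10.4.4.0 0.0.0.255 192.168.4.0 0.0.0.255
!
! Reuses the poster's match-any class-map Web_app (tcp/udp/ftp/icmp),
! restricted to pool -> LAN by the ACL above.
class-map type inspect match-all VPN-TO-LAN
 match class-map Web_app
 match access-group name VPN_to_LAN_acl
!
policy-map type inspect VPN-INSIDE-POLICY
 class type inspect VPN-TO-LAN
  inspect
 class class-default
  drop log
!
zone security VPN
 description Zone for L2TP/IPsec remote users
!
! The virtual-access interfaces cloned from this template inherit the zone.
interface Virtual-Template1
 zone-member security VPN
!
! Only client-initiated sessions are allowed; inspection lets the LAN replies back.
zone-pair security VPN-INSIDE source VPN destination INSIDE
 service-policy type inspect VPN-INSIDE-POLICY
!
! --- 2. NAT: exempt LAN <-> VPN-pool traffic from translation.
!        Sequence 10 sorts ahead of the existing "20 permit ip 192.168.4.0 ... any".
ip access-list extended 197
 10 deny   ip 192.168.4.0 0.0.0.255 10.4.4.0 0.0.0.255
!
! --- 3. Verification (run after pinging a LAN host from a connected client):
!        the new zone-pair should show inspected sessions and 0 class-default drops.
! show zone-pair security
! show policy-map type inspect zone-pair VPN-INSIDE
! show ip nat translations
```

Leaving the transform set in transport mode and `set nat demux` as posted is correct for Windows/macOS L2TP/IPsec clients behind NAT; if full-tunnel Internet access for the clients is also required, a VPN to OUTSIDE zone-pair and a NAT rule for 10.4.4.0/24 would be needed in addition.
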
...

The problem was the firewall.

Solved, thank you.