Cisco EZ-VPN can't access Internal Network

Hi,

I have configured an EZ-VPN on my router, but after a successful login into the VPN I can't ping my internal network or access any resources. I also can't ping my VPN client IP from the router.

Can somebody take a look at my config?

Here is my config:

Current configuration : 7730 bytes
!
! Last configuration change at 16:24:55 UTC Tue Jun 14 2011 by suncci
! NVRAM config last updated at 20:21:30 UTC Fri Jun 10 2011 by suncci
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_VPN local
aaa authorization exec default local
aaa authorization network AUTHORIZE_VPN local
!
!
aaa session-id common
ip cef
!
!
!
!
ip name-server 208.67.222.222
ip name-server 205.188.146.145
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1861908046
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1861908046
revocation-check none
rsakeypair TP-self-signed-1861908046
!
!
crypto pki certificate chain TP-self-signed-1861908046
certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31383631 39303830 3436301E 170D3032 30333031 30313431
  30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38363139
  30383034 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100AD30 FB88278D F9010218 AD58E479 21C00A39 76974A87 DF43C948 D56E65CC
  98F484A1 1F5BA429 449E416F 78598186 B3C5729C 8873A168 DB9EEAAA B0521523
  C8011877 14888C9A 193E43E3 C3575491 74A940A2 B2970549 FE436E4A 4DA6FB23
  21C20110 0CD3A8F6 32EAD292 648F9E32 7EE6C86F 181FC3C2 8F91DA66 A3886F5C
  467D0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 FD800727
  5FA9AD41 6EAE99B0 1EDA2735 C0DBBBCC 301D0603 551D0E04 160414FD 8007275F
  A9AD416E AE99B01E DA2735C0 DBBBCC30 0D06092A 864886F7 0D010104 05000381
  810076CE E5030E51 5BD6FE9F A8A42483 53E7D250 CDE09E87 6AD77195 09D225AF
  25858304 034D146B C4970C31 F6EF496B 7F57C772 7A1F0DFE 8A06B878 919AFD58
  212E475A 0346ADA6 D629BDFC AE58C42A 919816A1 36D971D1 3BAB8541 EAC0AA10
  52086757 E22F5015 2171A4C7 6832C2BC 89ADEF72 95A81A51 0B888B1C 9EE9EE58 8E65
        quit
!
!
username xxxxxx privilege 15 password 0 xxxxx
archive
log config
  hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 5
!
crypto isakmp client configuration group Sun-VPN-Group
key 12345
dns 208.67.222.222
pool VPN_Pool
acl VPN_Test
crypto isakmp profile ISAKMP_Profile_EZVPN
   match identity group Sun-VPN-Group
   client authentication list AUTH_VPN
   isakmp authorization list AUTHORIZE_VPN
   client configuration address respond
   client configuration group Sun-VPN-Group
   virtual-template 1
!
!
crypto ipsec transform-set Sun-VPN esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_Profile_EZVPN
set transform-set Sun-VPN
set isakmp-profile ISAKMP_Profile_EZVPN
!
!
!
!
!
!
!
!
class-map type inspect match-any Internal
match protocol tcp
match protocol udp
match protocol dns
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-any Internet
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any InterNet-IntraNet-Traffic
match protocol tcp
match protocol udp
match protocol icmp
match access-group name InterNet-to-IntraNet-ACL
class-map type inspect match-any IntraNet-InterNet-Traffic
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect InterNet-to-IntraNet-Policy
class type inspect InterNet-IntraNet-Traffic
  inspect
class class-default
  drop
policy-map type inspect IntraNet-to-InterNet-Policy
class type inspect IntraNet-InterNet-Traffic
  inspect
class class-default
  drop
policy-map type inspect sdm-policy-Internet
class type inspect Internet
  inspect
class class-default
policy-map type inspect sdm-policy-Internal
class type inspect Internal
  inspect
class class-default
  drop
!
zone security Internet
zone security Internal
zone security IntraNet
description All Interfaces connected to the Intranet
zone security InterNet
description All Interfaces connected to the Internet
zone-pair security sdm-zp-Internal-self source Internal destination self
service-policy type inspect sdm-policy-Internet
zone-pair security IntraNet-InterNet source IntraNet destination InterNet
service-policy type inspect IntraNet-to-InterNet-Policy
zone-pair security InterNet-IntraNet source InterNet destination IntraNet
service-policy type inspect InterNet-to-IntraNet-Policy
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
description Outside PPPOE Interface$ETH-WAN$
no ip address
ip mask-reply
ip nat outside
ip virtual-reassembly
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
switchport access vlan 10
!
interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/4
switchport access vlan 10
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security IntraNet
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_Profile_EZVPN
!
interface Vlan10
description $FW_INSIDE$
ip address 192.168.0.3 255.255.255.0
ip mask-reply
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
zone-member security IntraNet
ip route-cache flow
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security InterNet
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname pty/69733
ppp chap password 0 DSLconnect
ppp pap sent-username pty/69733 password 0 DSLconnect
!
ip local pool VPN_Pool 192.168.1.30 192.168.1.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended InterNet-to-IntraNet-ACL
permit tcp any 192.168.0.0 0.0.0.255
permit udp any 192.168.0.0 0.0.0.255
permit icmp any 192.168.0.0 0.0.0.255
deny   ip any any
ip access-list extended Internet
remark Internet
remark SDM_ACL Category=2
remark ALL
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
ip access-list extended NAT
permit ip 192.168.0.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN_Test
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map NAT permit 10
match ip address NAT
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 12
privilege level 15
logging synchronous
transport input telnet ssh
!
ntp clock-period 17208070
ntp server 17.151.16.21
end


7 Replies

Jennifer Halim
Cisco Employee

The NAT access-list is in the incorrect order, the deny should come first before the permit statement.

Currently you have:

ip access-list extended NAT

permit ip 192.168.0.0 0.0.0.255 any

deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

It should have been:

ip access-list extended NAT

deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

permit ip 192.168.0.0 0.0.0.255 any
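To make the effect of the reordering concrete, here is an added example (not from this thread and not Cisco code): a small Python model of how IOS evaluates an extended access-list top-down and stops at the first matching entry, run over the NAT access-list in both orders. It handles only `permit`/`deny ip` entries with `any`, `host` and wildcard-mask addresses (the forms used in this thread), and it models only the route-map match decision; it assumes the packet is otherwise on an inside-to-outside NAT path, so "permit" means the packet would be translated and "deny" means it is left untranslated. The sample flows (192.168.0.2 to the VPN client 192.168.1.31 and to the DNS server 208.67.222.222) use addresses that appear in the thread.

```python
import ipaddress

# Added example, not from the thread: a first-match evaluator for IOS extended
# ACL entries of the form "permit|deny ip <src> <dst>", where each address is
# "any", "host A.B.C.D" or "A.B.C.D <wildcard-mask>".


def _parse_addr(tokens):
    """Consume one address spec from tokens and return (spec, remaining_tokens).

    spec is None for 'any', otherwise (address_int, wildcard_int).
    """
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr = int(ipaddress.IPv4Address(tokens[0]))
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    return (addr, wildcard), tokens[2:]


def parse_acl(text):
    """Parse ACL lines into a list of (action, src_spec, dst_spec), in order."""
    entries = []
    for line in text.strip().splitlines():
        if line.startswith("ip access-list") or line.split()[:1] == ["remark"]:
            continue  # header and remark lines carry no match logic
        tokens = line.split()
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry for this model: {line!r}")
        src, rest = _parse_addr(tokens[2:])
        dst, rest = _parse_addr(rest)
        entries.append((action, src, dst))
    return entries


def _matches(spec, ip):
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    if spec is None:
        return True
    addr, wildcard = spec
    care = ~wildcard & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def acl_action(entries, src_ip, dst_ip):
    """IOS checks entries top-down and stops at the first match; no match is an implicit deny."""
    for action, src, dst in entries:
        if _matches(src, src_ip) and _matches(dst, dst_ip):
            return action
    return "deny"


def will_be_natted(entries, src_ip, dst_ip):
    """With 'ip nat inside source route-map NAT ...', a packet is translated only if the
    route-map's match ACL permits it; a deny (or no match) leaves the addresses untouched."""
    return acl_action(entries, src_ip, dst_ip) == "permit"


# The two orderings discussed in the thread (header line included to show it is skipped).
ORIGINAL_NAT_ACL = """
ip access-list extended NAT
permit ip 192.168.0.0 0.0.0.255 any
deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

CORRECTED_NAT_ACL = """
ip access-list extended NAT
deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
"""


def compare_orders(src_ip="192.168.0.2", vpn_client="192.168.1.31", internet="208.67.222.222"):
    """Return (natted_to_vpn_original, natted_to_vpn_corrected, natted_to_internet_corrected)."""
    original = parse_acl(ORIGINAL_NAT_ACL)
    corrected = parse_acl(CORRECTED_NAT_ACL)
    return (
        will_be_natted(original, src_ip, vpn_client),   # True: the permit shadows the deny
        will_be_natted(corrected, src_ip, vpn_client),  # False: VPN traffic is exempt from NAT
        will_be_natted(corrected, src_ip, internet),    # True: Internet traffic is still translated
    )


if __name__ == "__main__":
    print(compare_orders())  # (True, False, True)
```

In the original order the first entry already matches every packet from 192.168.0.0/24, so the deny below it is never reached and traffic for the VPN pool is translated like Internet traffic; placing the deny first exempts exactly that subnet pair while leaving ordinary Internet-bound traffic translated.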

Hi Jennifer,

Thanks a lot for the reply. I corrected the access-list but I still can't access 192.168.0.2.

I can access 192.168.0.30 and the router itself, 192.168.0.3.

I can't access these IPs:

192.168.0.2 <--- Windows Server
192.168.0.5 <--- Cisco Switch

If I do a traceroute from the notebook where the VPN client is installed and connected:

192.168.0.3: Router

traceroute to 192.168.0.3 (192.168.0.3), 64 hops max, 52 byte packets
 1  my.router (192.168.1.1)  111.534 ms *  115.537 ms

192.168.0.30 <--- Another Cisco 1760

traceroute to 192.168.0.30 (192.168.0.30), 64 hops max, 52 byte packets
 1  my.router (192.168.1.1)  112.083 ms  112.063 ms  111.943 ms
 2  192.168.0.30 (192.168.0.30)  110.865 ms *  160.165 ms

But if I do a traceroute to my Windows Server (192.168.0.2):

traceroute to 192.168.0.2 (192.168.0.2), 64 hops max, 52 byte packets
 1  my.router (192.168.1.1)  114.713 ms  112.230 ms  113.807 ms
 2  * * *
 3  * * *

I can ping the Windows Server from the router itself, so the Windows Server is reachable from the router.

I also can't ping my VPN client IP from the router. I don't know if this is normal.

Do you have an idea?

Cheers,

Bjoern

ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended InterNet-to-IntraNet-ACL
permit tcp any 192.168.0.0 0.0.0.255
permit udp any 192.168.0.0 0.0.0.255
permit icmp any 192.168.0.0 0.0.0.255
deny   ip any any
ip access-list extended Internet
remark Internet
remark SDM_ACL Category=2
remark ALL
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
ip access-list extended NAT
deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended VPN_Test
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 102 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run

If you can ping the router IP address as well as beyond the router, then I do not believe it is anything to do with the router configuration.

For the Cisco switch, you might want to check if there is any ACL that might be blocking access, and also if the switch knows how to route towards the 192.168.1.0/24 subnet, i.e. via the router (192.168.0.3).

For the Windows server, you might want to check if there is any Windows Firewall enabled that might be blocking inbound connections from other subnets. Normally that is blocked by default, and it only allows inbound connections from hosts in the same subnet (e.g. your router).

Hi Jennifer,

I can only ping 192.168.0.2 from the router but not from the VPN client. Since I can access 192.168.0.2 from the router, it should also be possible to ping it from the VPN client (192.168.1.31). But it does not work. The ping only works when I am connected directly to the router shell. Maybe it is a routing problem?

As I advised earlier, you can of course ping from the router to 192.168.0.2 because they are in the same subnet. It uses ARP instead of routing to reach the device when you are pinging from the same subnet.

Is the switch configured with the correct default gateway? The switch needs to be configured with the default gateway of 192.168.0.3.

You also mention that you can ping 192.168.0.30 which is beyond the router. That means that it's not the router VPN configuration error, but rather the end device that you are trying to ping since you can ping 192.168.0.30.

Hi Jennifer,

You might be right that the switch has no default gateway. The 192.168.0.30 is a 1760 router that has the default route 192.168.0.3; that could be the reason why I can ping the router. But I am not sure if the Windows Server 192.168.0.2 has the right route to 192.168.0.3. I will check when I am back at home. I will consider your answer as the right answer.

Thanks a lot.

Many greetings from Rome. ;-)

Great, thanks for the update. Much appreciated.

Greetings from Sydney