06-14-2011 05:45 PM
Hi,
I have configured an EZ-VPN on my Router but after successful login into the VPN I can't ping my internal network or access any resources. I also can't ping my VPN Client IP from the Router.
Can somebody take a look at my config?
Here is my config:
Current configuration : 7730 bytes
!
! Last configuration change at 16:24:55 UTC Tue Jun 14 2011 by suncci
! NVRAM config last updated at 20:21:30 UTC Fri Jun 10 2011 by suncci
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login AUTH_VPN local
aaa authorization exec default local
aaa authorization network AUTHORIZE_VPN local
!
!
aaa session-id common
ip cef
!
!
!
!
ip name-server 208.67.222.222
ip name-server 205.188.146.145
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1861908046
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1861908046
revocation-check none
rsakeypair TP-self-signed-1861908046
!
!
crypto pki certificate chain TP-self-signed-1861908046
certificate self-signed 01
3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31383631 39303830 3436301E 170D3032 30333031 30313431
30365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 38363139
30383034 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100AD30 FB88278D F9010218 AD58E479 21C00A39 76974A87 DF43C948 D56E65CC
98F484A1 1F5BA429 449E416F 78598186 B3C5729C 8873A168 DB9EEAAA B0521523
C8011877 14888C9A 193E43E3 C3575491 74A940A2 B2970549 FE436E4A 4DA6FB23
21C20110 0CD3A8F6 32EAD292 648F9E32 7EE6C86F 181FC3C2 8F91DA66 A3886F5C
467D0203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 FD800727
5FA9AD41 6EAE99B0 1EDA2735 C0DBBBCC 301D0603 551D0E04 160414FD 8007275F
A9AD416E AE99B01E DA2735C0 DBBBCC30 0D06092A 864886F7 0D010104 05000381
810076CE E5030E51 5BD6FE9F A8A42483 53E7D250 CDE09E87 6AD77195 09D225AF
25858304 034D146B C4970C31 F6EF496B 7F57C772 7A1F0DFE 8A06B878 919AFD58
212E475A 0346ADA6 D629BDFC AE58C42A 919816A1 36D971D1 3BAB8541 EAC0AA10
52086757 E22F5015 2171A4C7 6832C2BC 89ADEF72 95A81A51 0B888B1C 9EE9EE58 8E65
quit
!
!
username xxxxxx privilege 15 password 0 xxxxx
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp nat keepalive 5
!
crypto isakmp client configuration group Sun-VPN-Group
key 12345
dns 208.67.222.222
pool VPN_Pool
acl VPN_Test
crypto isakmp profile ISAKMP_Profile_EZVPN
match identity group Sun-VPN-Group
client authentication list AUTH_VPN
isakmp authorization list AUTHORIZE_VPN
client configuration address respond
client configuration group Sun-VPN-Group
virtual-template 1
!
!
crypto ipsec transform-set Sun-VPN esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC_Profile_EZVPN
set transform-set Sun-VPN
set isakmp-profile ISAKMP_Profile_EZVPN
!
!
!
!
!
!
!
!
class-map type inspect match-any Internal
match protocol tcp
match protocol udp
match protocol dns
match protocol http
match protocol https
match protocol icmp
class-map type inspect match-any Internet
match protocol tcp
match protocol udp
match protocol icmp
class-map type inspect match-any InterNet-IntraNet-Traffic
match protocol tcp
match protocol udp
match protocol icmp
match access-group name InterNet-to-IntraNet-ACL
class-map type inspect match-any IntraNet-InterNet-Traffic
match protocol tcp
match protocol udp
match protocol icmp
!
!
policy-map type inspect InterNet-to-IntraNet-Policy
class type inspect InterNet-IntraNet-Traffic
inspect
class class-default
drop
policy-map type inspect IntraNet-to-InterNet-Policy
class type inspect IntraNet-InterNet-Traffic
inspect
class class-default
drop
policy-map type inspect sdm-policy-Internet
class type inspect Internet
inspect
class class-default
policy-map type inspect sdm-policy-Internal
class type inspect Internal
inspect
class class-default
drop
!
zone security Internet
zone security Internal
zone security IntraNet
description All Interfaces connected to the Intranet
zone security InterNet
description All Interfaces connected to the Internet
zone-pair security sdm-zp-Internal-self source Internal destination self
service-policy type inspect sdm-policy-Internet
zone-pair security IntraNet-InterNet source IntraNet destination InterNet
service-policy type inspect IntraNet-to-InterNet-Policy
zone-pair security InterNet-IntraNet source InterNet destination IntraNet
service-policy type inspect InterNet-to-IntraNet-Policy
!
!
!
!
interface Loopback0
ip address 192.168.1.1 255.255.255.0
!
interface FastEthernet0/0
description Outside PPPOE Interface$ETH-WAN$
no ip address
ip mask-reply
ip nat outside
ip virtual-reassembly
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface FastEthernet0/1
switchport access vlan 10
!
interface FastEthernet0/2
switchport access vlan 10
!
interface FastEthernet0/3
switchport access vlan 10
!
interface FastEthernet0/4
switchport access vlan 10
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
zone-member security IntraNet
tunnel source Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_Profile_EZVPN
!
interface Vlan10
description $FW_INSIDE$
ip address 192.168.0.3 255.255.255.0
ip mask-reply
no ip redirects
no ip unreachables
ip nat inside
ip virtual-reassembly
zone-member security IntraNet
ip route-cache flow
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
zone-member security InterNet
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname pty/69733
ppp chap password 0 DSLconnect
ppp pap sent-username pty/69733 password 0 DSLconnect
!
ip local pool VPN_Pool 192.168.1.30 192.168.1.40
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.1.0 255.255.255.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended InterNet-to-IntraNet-ACL
permit tcp any 192.168.0.0 0.0.0.255
permit udp any 192.168.0.0 0.0.0.255
permit icmp any 192.168.0.0 0.0.0.255
deny ip any any
ip access-list extended Internet
remark Internet
remark SDM_ACL Category=2
remark ALL
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
ip access-list extended NAT
permit ip 192.168.0.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended VPN_Test
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map NAT permit 10
match ip address NAT
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 12
privilege level 15
logging synchronous
transport input telnet ssh
!
ntp clock-period 17208070
ntp server 17.151.16.21
end
06-14-2011 11:44 PM
The NAT access-list is in the incorrect order, the deny should come first before the permit statement.
Currently you have:
ip access-list extended NAT
permit ip 192.168.0.0 0.0.0.255 any
deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
It should have been:
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
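The reason the order matters is that an IOS ACL is evaluated top down and the first matching entry wins, with an implicit "deny ip any any" after the last line. Under "ip nat inside source route-map NAT ..." a permit means "translate this packet", so with the permit first, traffic from 192.168.0.0/24 to the VPN pool was being NATted to the Dialer1 address and could not return through the tunnel. The following Python evaluator is an added example, not code from the thread or from Cisco; it models first-match ACL semantics over the two orderings posted above and assumes contiguous wildcard masks and "ip" ACEs only.

```python
import ipaddress

# NAT ACL as posted in the thread, before and after Jennifer's reordering.
# The lines are copied from the config; only their order differs.
NAT_ACL_ORIGINAL = [
    "permit ip 192.168.0.0 0.0.0.255 any",
    "deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
]
NAT_ACL_FIXED = [
    "deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255",
    "permit ip 192.168.0.0 0.0.0.255 any",
]


def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into a network.

    Assumes a contiguous wildcard (0.0.0.255 -> /24), which is all this thread uses.
    """
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefixlen = bin(mask).count("1")
    return ipaddress.IPv4Network(f"{addr}/{prefixlen}", strict=False)


def parse_ace(line):
    """Parse '<permit|deny> ip <src> <dst>' where each side is 'any' or 'addr wildcard'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    nets = []
    while rest:
        if rest[0] == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
            rest = rest[1:]
        else:
            nets.append(wildcard_to_network(rest[0], rest[1]))
            rest = rest[2:]
    if action not in ("permit", "deny") or proto != "ip" or len(nets) != 2:
        raise ValueError(f"unsupported ACE: {line}")
    return action, nets[0], nets[1]


def acl_lookup(acl_lines, src, dst):
    """First matching entry decides; no match falls through to the implicit 'deny ip any any'."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, snet, dnet in map(parse_ace, acl_lines):
        if s in snet and d in dnet:
            return action
    return "deny"


def will_be_natted(acl_lines, src, dst):
    """Under 'ip nat inside source route-map NAT ...' a permit means the packet is translated."""
    return acl_lookup(acl_lines, src, dst) == "permit"


if __name__ == "__main__":
    # 192.168.1.31 is the VPN client from the thread; 208.67.222.222 is the
    # configured DNS server, standing in for any Internet destination.
    for name, acl in (("original", NAT_ACL_ORIGINAL), ("fixed", NAT_ACL_FIXED)):
        for dst in ("192.168.1.31", "208.67.222.222"):
            natted = will_be_natted(acl, "192.168.0.2", dst)
            print(f"{name:8} 192.168.0.2 -> {dst:15} natted={natted}")
```

With the original order the LAN-to-VPN-client flow is translated, with the fixed order it is exempted while Internet-bound traffic is still translated; on the router itself the same fact shows up as an entry in "show ip nat translations" for the VPN client's address when the order is wrong.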
06-15-2011 03:02 AM
Hi Jennifer,
thanks a lot for the reply. I corrected the access-list but I still can't access 192.168.0.2.
I can access 192.168.0.30 and the router itself 192.168.0.3.
I can't access the IP:
192.168.0.2 <--- Windows Server
192.168.0.5 <- Cisco Switch
If I do a traceroute from the Notebook where the VPN Client is installed and connected:
192.168.0.3: Router
traceroute to 192.168.0.3 (192.168.0.3), 64 hops max, 52 byte packets
1 my.router (192.168.1.1) 111.534 ms * 115.537 ms
192.168.0.30 <- Another Cisco 1760
traceroute to 192.168.0.30 (192.168.0.30), 64 hops max, 52 byte packets
1 my.router (192.168.1.1) 112.083 ms 112.063 ms 111.943 ms
2 192.168.0.30 (192.168.0.30) 110.865 ms * 160.165 ms
But if I do a traceroute to my Windows Server (192.168.0.2):
traceroute to 192.168.0.2 (192.168.0.2), 64 hops max, 52 byte packets
1 my.router (192.168.1.1) 114.713 ms 112.230 ms 113.807 ms
2 * * *
3 * * *
I can ping the Windows Server from the router itself. So the Windows Server is reachable from the router.
I also can't ping from the Router to my VPN Client IP. I don't know if this is normal.
Do you have an idea?
Cheers,
Bjoern
ip nat inside source route-map NAT interface Dialer1 overload
!
ip access-list extended InterNet-to-IntraNet-ACL
permit tcp any 192.168.0.0 0.0.0.255
permit udp any 192.168.0.0 0.0.0.255
permit icmp any 192.168.0.0 0.0.0.255
deny ip any any
ip access-list extended Internet
remark Internet
remark SDM_ACL Category=2
remark ALL
permit tcp any any
permit udp any any
permit icmp any any
permit ip any any
ip access-list extended NAT
deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.0.0 0.0.0.255 any
ip access-list extended VPN_Test
permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 5 permit any
access-list 10 permit 192.168.0.0 0.0.0.255
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
no cdp run
06-15-2011 05:00 AM
If you can ping the router ip address as well as beyond the router, then I do not believe it is anything to do with the router configuration.
For the Cisco Switch, you might want to check if there is any ACL that might be blocking access, and also if the switch knows how to route towards the 192.168.1.0/24 subnet, i.e. via the router (192.168.0.3).
For the Windows server, you might want to check if there is any Windows Firewall enabled that might be blocking inbound connections from other subnets. Normally that is blocked by default, and it only allows inbound connections from hosts in the same subnet (eg: your router).
06-15-2011 07:47 AM
Hi Jennifer,
I can only ping from the router to 192.168.0.2 but not from the VPN Client. Since I can access 192.168.0.2 from the router, it also should be possible to ping from the VPN Client (192.168.1.31). But it does not work. The ping only works when I am connected directly on the router shell. Maybe it is a routing problem?
06-15-2011 11:51 PM
As I advised earlier, you can of course ping from the router to 192.168.0.2 because they are in the same subnet. It uses ARP instead of routing to reach the device when you are pinging from the same subnet.
Is the switch configured with the correct default gateway? The switch needs to be configured with the default gateway of 192.168.0.3.
You also mention that you can ping 192.168.0.30 which is beyond the router. That means that it's not the router VPN configuration error, but rather the end device that you are trying to ping since you can ping 192.168.0.30.
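The two answers above (the 05:00 AM one on switch routing and the Windows Firewall default, and the 11:51 PM one on ARP versus routing) come down to one question: can the end host send its echo reply back to 192.168.1.31? The model below is an added example, not from the thread; it is a constructed host with one interface, an optional default gateway and an optional "same-subnet only" inbound firewall, using the addresses from the thread and assuming the router delivers the echo request, so that only the reply path decides the outcome.

```python
import ipaddress


class Host:
    """Constructed model of an IPv4 end host: one interface, an optional default
    gateway and an optional same-subnet-only inbound firewall (the Windows
    default behaviour described in the thread)."""

    def __init__(self, name, address, prefixlen=24, gateway=None, local_subnet_only=False):
        self.name = name
        self.iface = ipaddress.IPv4Interface(f"{address}/{prefixlen}")
        self.gateway = ipaddress.IPv4Address(gateway) if gateway else None
        self.local_subnet_only = local_subnet_only

    def next_hop(self, dst):
        """How the host sends to dst: directly (ARP), via its gateway, or not at all."""
        dst = ipaddress.IPv4Address(dst)
        if dst in self.iface.network:
            return "direct", str(dst)
        if self.gateway is None:
            return "unreachable", None
        return "via-gateway", str(self.gateway)


def echo_reply_possible(src, host):
    """Can `host` answer an ICMP echo from `src`? Returns (ok, reason).

    The request reaching the host is taken for granted (the router forwards it);
    what decides the outcome is whether the reply can leave the host.
    """
    src = ipaddress.IPv4Address(src)
    if host.local_subnet_only and src not in host.iface.network:
        return False, f"{host.name}: inbound from {src} dropped by same-subnet-only firewall"
    kind, hop = host.next_hop(src)
    if kind == "unreachable":
        return False, f"{host.name}: no default gateway, reply to {src} has no route"
    return True, f"{host.name}: reply to {src} {kind} {hop}"


# Addresses from the thread. The host settings are constructed to match the
# hypotheses raised: a missing gateway on the server or switch, and a host
# firewall on the server that only accepts same-subnet traffic.
ROUTER_INSIDE = "192.168.0.3"   # Vlan10 address; source of router-originated pings
VPN_CLIENT = "192.168.1.31"     # address the EZ-VPN client received from VPN_Pool

SERVER_NO_GATEWAY = Host("win-server", "192.168.0.2")
SERVER_WITH_GATEWAY = Host("win-server", "192.168.0.2", gateway=ROUTER_INSIDE)
SERVER_FIREWALLED = Host("win-server", "192.168.0.2", gateway=ROUTER_INSIDE,
                         local_subnet_only=True)
CISCO_1760 = Host("c1760", "192.168.0.30", gateway=ROUTER_INSIDE)

if __name__ == "__main__":
    for host in (SERVER_NO_GATEWAY, SERVER_WITH_GATEWAY, SERVER_FIREWALLED, CISCO_1760):
        for src in (ROUTER_INSIDE, VPN_CLIENT):
            ok, why = echo_reply_possible(src, host)
            print(f"{'OK  ' if ok else 'FAIL'} from {src:13} -> {why}")
```

Running it reproduces the symptom pattern in the thread: every host answers the router, because 192.168.0.3 is on-link and needs no route, while the VPN client only gets an answer from hosts that both have a route back to 192.168.1.0/24 and accept traffic from outside their own subnet.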
06-16-2011 03:34 AM
Hi Jennifer,
you might be right that the switch has no default gateway. The 192.168.0.30 is a 1760 router that has the default route 192.168.0.3; that could be the reason why I can ping the router. But I am not sure if the Windows Server 192.168.0.2 has the right route to 192.168.0.3. I will check when I am back at home. I will consider your answer as the right answer.
Thanks a lot.
Many greetings from Rome. ;-)
06-16-2011 06:55 PM
Great, thanks for the update. Much appreciated.
Greetings from Sydney