Cisco VPN IPsec connects but can't communicate with LAN

cgruppo
Level 1

I have a Cisco 1921 running version 15.2(4)M3. I have set up an IPsec VPN and clients can connect, but they can't ping anything on the inside. Any insight into what could be wrong with my config would be greatly appreciated. I have posted the running config along with some IPsec outputs. I have also tried this with multiple OSes using the Cisco VPN client as well as Shrew Soft. I am able to connect to other IPsec VPNs running on 1921s from both of those computers using either client.

Thanks for any assistance

sh run

!
aaa new-model
!
!
aaa authentication login radius_auth group radius local
aaa authentication login VPN_AUTHEN group radius local
aaa authorization network network_vpn_author local
!
!
!
!
!
aaa session-id common
clock timezone PST -8 0
clock summer-time PST recurring
!
no ip source-route
ip options drop
ip cef
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip domain name XXX.local
ip inspect max-incomplete high 3000
ip inspect max-incomplete low 2800
ip inspect one-minute low 2800
ip inspect one-minute high 3000
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW ssh
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2909270577
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2909270577
revocation-check none
rsakeypair TP-self-signed-2909270577
!
!
crypto pki certificate chain TP-self-signed-2909270577
certificate self-signed 01
license udi pid CISCO1921/K9 sn FTX1715818R
!
!
archive
log config
  logging enable
  logging size 1000
  notify syslog contenttype plaintext
object-group network ADMIN_HOSTS
range 71.X.X.X 71.X.X.X
!
username name1 privilege 15 secret 4 XXXXXXX

!
redundancy
!
!
!
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group roaming_vpn
key XXXXX
dns 192.168.10.10 10.1.1.1
domain XXX.local
pool VPN_POOL_1
acl client_vpn_traffic
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map VPN_DYNMAP_1 1
set security-association idle-time 1800
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list VPN_AUTHEN
crypto map SDM_CMAP_1 isakmp authorization list network_vpn_author
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic VPN_DYNMAP_1
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address 76.W.E.R 255.255.255.248
ip access-group ATT_Outside_In in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly in
load-interval 30
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
no ip address
load-interval 30
duplex auto
speed auto
!
interface GigabitEthernet0/1.10
encapsulation dot1Q 1 native
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting access-violations
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.100
encapsulation dot1Q 100
ip address 10.1.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.200
encapsulation dot1Q 200
ip address 10.1.2.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
ip local pool VPN_POOL_1 192.168.168.193 192.168.168.254
ip forward-protocol nd
!
ip http server
ip http authentication aaa login-authentication ADMIN_AUTHEN
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map ATT_NAT_LIST interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.10.10 25 76.W.E.R 25 extendable
ip nat inside source static tcp 192.168.10.10 80 76.W.E.R 80 extendable
ip nat inside source static tcp 192.168.10.10 443 76.W.E.R 443 extendable
ip nat inside source static tcp 192.168.10.10 987 76.W.E.R 987 extendable
ip route 0.0.0.0 0.0.0.0 76.W.E.F
!
ip access-list extended ATT_Outside_In
permit tcp object-group ADMIN_HOSTS any eq 22
permit tcp any host 76.W.E.R eq www
permit tcp any host 76.W.E.R eq 443
permit tcp any host 76.W.E.R eq 987
permit tcp any host 76.W.E.R eq smtp
permit icmp any any echo-reply
permit icmp any any
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit udp any any eq non500-isakmp
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any
ip access-list extended NAT_LIST
permit ip 10.1.0.0 0.0.255.255 any
permit ip 192.168.10.0 0.0.0.255 any
deny   ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
deny   ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
deny   ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
ip access-list extended client_vpn_traffic
permit ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
permit ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
permit ip 10.1.2.0 0.0.0.255 10.1.1.0 0.0.0.255
!
ip radius source-interface GigabitEthernet0/1.10
logging trap errors
logging origin-id hostname
logging source-interface GigabitEthernet0/1.10
!
route-map ATT_NAT_LIST permit 20
match ip address NAT_LIST
match interface GigabitEthernet0/0
!
!
snmp-server community r3@dth!s RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps auth-framework sec-violation
snmp-server enable traps c3g
snmp-server enable traps entity-sensor threshold
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp cbgp2
snmp-server enable traps isis
snmp-server enable traps ospfv3 state-change
snmp-server enable traps ospfv3 errors
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps waas
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps gdoi gm-start-registration
snmp-server enable traps gdoi gm-registration-complete
snmp-server enable traps gdoi gm-re-register
snmp-server enable traps gdoi gm-rekey-rcvd
snmp-server enable traps gdoi gm-rekey-fail
snmp-server enable traps gdoi ks-rekey-pushed
snmp-server enable traps gdoi gm-incomplete-cfg
snmp-server enable traps gdoi ks-no-rsa-keys
snmp-server enable traps gdoi ks-new-registration
snmp-server enable traps gdoi ks-reg-complete
snmp-server enable traps firewall serverstatus
snmp-server enable traps ike policy add
snmp-server enable traps ike policy delete
snmp-server enable traps ike tunnel start
snmp-server enable traps ike tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps ethernet cfm alarm
snmp-server enable traps rf
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
radius-server dead-criteria time 2
radius-server host 192.168.10.10
radius-server timeout 2
radius-server key XXXXXXX
!
!
!
control-plane
!
!

line con 0
privilege level 15
login authentication radius_auth
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login authentication radius_auth
transport input ssh
line vty 5 15
privilege level 15
login authentication radius_auth
transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.168.10.10
ntp server 64.250.229.100
!
end

router#sh crypto ipsec sa

interface: GigabitEthernet0/0
    Crypto map tag: SDM_CMAP_1, local addr 76.W.E.R

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.168.213/255.255.255.255/0/0)
   current_peer 75.X.X.X port 2642
     PERMIT, flags={}
    #pkts encaps: 1953, #pkts encrypt: 1953, #pkts digest: 1953
    #pkts decaps: 1963, #pkts decrypt: 1963, #pkts verify: 1963
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 76.W.E.R, remote crypto endpt.: 75.X.X.X
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
     current outbound spi: 0x5D423270(1564619376)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x2A5177DD(709982173)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2115, flow_id: Onboard VPN:115, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4301748/2809)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x5D423270(1564619376)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2116, flow_id: Onboard VPN:116, sibling_flags 80000040, crypto map: SDM_CMAP_1
        sa timing: remaining key lifetime (k/sec): (4301637/2809)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

     outbound ah sas:

     outbound pcp sas:

router#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
76.W.E.R   75.X.X.X  QM_IDLE           1055 ACTIVE

IPv6 Crypto ISAKMP SA

Attachments: ipsec 1.JPG, ipsec 2.JPG

Accepted Solution

pope30349
Level 1

In your NAT ACL you need to deny your VPN traffic before you allow the subnet to any. Just put all the deny statements before the permit statements.

Sent from Cisco Technical Support iPhone App

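The accepted answer rests on how IOS evaluates an ACL: entries are checked top to bottom and the first match wins, with an implicit deny at the end. When NAT_LIST permits 192.168.10.0/24 to "any" before the deny for the VPN pool, a LAN host's reply to a VPN client matches the permit and is handed to NAT instead of being exempted. The script below is an added example, not code from the post or from Cisco; it parses the post's NAT_LIST entries in both the original order and the order the answer recommends, evaluates them with IOS wildcard-mask semantics, and reports whether a given flow would be translated. The sample flow (the LAN server 192.168.10.10 replying to VPN client 192.168.168.213, the client address shown in the poster's sh crypto ipsec sa output) is constructed, and the helper and function names are the example's own.

```python
import ipaddress

# Constructed copies of the NAT_LIST ACL from the post: the order as posted, and the
# order the accepted answer recommends (all deny statements before the permits).
NAT_LIST_ORIGINAL = """
permit ip 10.1.0.0 0.0.255.255 any
permit ip 192.168.10.0 0.0.0.255 any
deny   ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
deny   ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
deny   ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
"""

NAT_LIST_FIXED = """
deny   ip 192.168.10.0 0.0.0.255 192.168.168.192 0.0.0.63
deny   ip 10.1.1.0 0.0.0.255 192.168.168.192 0.0.0.63
deny   ip 10.1.2.0 0.0.0.255 192.168.168.192 0.0.0.63
permit ip 10.1.0.0 0.0.255.255 any
permit ip 192.168.10.0 0.0.0.255 any
"""


def _parse_operand(tokens, i):
    """Parse one IOS address operand starting at tokens[i]: 'any', 'host A.B.C.D',
    or 'A.B.C.D WILDCARD'. Returns ((base, wildcard), next_index) as integers."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.ip_address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.ip_address(tok))
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    return (base, wildcard), i + 2


def _wildcard_match(operand, addr):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = operand
    return (int(ipaddress.ip_address(addr)) | wildcard) == (base | wildcard)


def parse_acl(text):
    """Parse 'permit|deny ip SRC DST' lines (the subset used in the post) into an
    ordered list of (action, src_operand, dst_operand, original_line)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
            continue
        src, i = _parse_operand(tokens, 2)
        dst, _ = _parse_operand(tokens, i)
        entries.append((tokens[0], src, dst, " ".join(tokens)))
    return entries


def evaluate(acl, src_ip, dst_ip):
    """First-match evaluation: return (action, matching_entry); an unmatched packet
    hits the implicit deny that ends every IOS ACL."""
    for action, src, dst, text in acl:
        if _wildcard_match(src, src_ip) and _wildcard_match(dst, dst_ip):
            return action, text
    return "deny", "(implicit deny)"


def nat_applies(acl_text, src_ip, dst_ip):
    """For 'ip nat inside source route-map ... overload', a flow is translated when
    the route-map's match ACL permits it; a deny exempts it from translation."""
    action, _ = evaluate(parse_acl(acl_text), src_ip, dst_ip)
    return action == "permit"


if __name__ == "__main__":
    # Constructed sample flows: a LAN server answering a VPN client, and the same
    # server going to the Internet (which must still be translated).
    flows = [("192.168.10.10", "192.168.168.213"), ("192.168.10.10", "8.8.8.8")]
    for name, acl_text in (("original", NAT_LIST_ORIGINAL), ("fixed", NAT_LIST_FIXED)):
        for src, dst in flows:
            action, entry = evaluate(parse_acl(acl_text), src, dst)
            print(f"{name:8} {src} -> {dst}: {action} by '{entry}', NAT applied={action == 'permit'}")
```

With the posted order, the second entry ("permit ip 192.168.10.0 0.0.0.255 any") matches the reply to the VPN client, so the deny below it is never consulted and the packet is translated; with the denies first, that flow is exempted while the Internet-bound flow still falls through to the permit and is translated as intended. The same first-match rule governs client_vpn_traffic and ATT_Outside_In, so entry order matters in every ACL on this router, not only the NAT one.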

2 Replies


I made that change and everything is working perfectly. Thanks for the help; it's always better to have another set of eyes!