easyvpn server has created but Can't access local LAN using cisc

mkabbashi · ‎09-08-2013

Hi,

I have created easyvpn server in router 1841, I can connect to the outside interface from a remote computer, but I can't ping any of internal lan devices.

Building configuration...

Current configuration : 3054 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname X_R_Z

!

boot-start-marker

boot system flash:c1841-advipservicesk9-mz.124-12.bin

boot-end-marker

!

no logging buffered

enable secret 5 $1$MNXK$lahi6sf17juTZIYm877hT.

enable password cisco

!

aaa new-model

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authentication login sdm_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network sdm_vpn_group_ml_2 local

!

aaa session-id common

ip cef

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.87

ip dhcp excluded-address 192.168.1.1 192.168.1.66

ip dhcp excluded-address 192.168.1.106

!

ip dhcp pool Xyz

network 192.168.1.0 255.255.255.0

default-router 192.168.1.77

dns-server 196.29.180.39 196.29.164.49 192.168.1.82

domain-name wr

!

no ip domain lookup

!

username w1 privilege 15 password 0 ww2

username fi privilege 15 secret 5 $1$oIDZ$JHpf0Hft0qMAi4oabOfM..

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group testvpn

key 111111

pool SDM_POOL_1

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA1

reverse-route

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface FastEthernet0/0

description WAN_INTERFACE

no ip address

no ip proxy-arp

ip mtu 1400

speed 100

full-duplex

!

interface FastEthernet0/0.71

encapsulation dot1Q 71

ip dhcp relay information trusted

ip address 192.168.1.77 255.255.255.0

no ip proxy-arp

ip nat inside

ip virtual-reassembly

!

interface FastEthernet0/0.75

encapsulation dot1Q 75

ip address 197.251.333.147 255.255.255.252

no ip proxy-arp

ip nat outside

ip virtual-reassembly

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

ip address 10.8.0.1 255.255.255.0

duplex auto

speed auto

!

ip local pool SDM_POOL_1 192.168.50.1 192.168.50.5

ip route 0.0.0.0 0.0.0.0 197.251.333.146

!

ip http server

ip http authentication local

ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0.75 overload

!

ip access-list extended X-Yh

remark SDM_ACL Category=16

deny ip any host 192.168.50.1

deny ip any host 192.168.50.2

deny ip any host 192.168.50.3

deny ip any host 192.168.50.4

deny ip any host 192.168.50.5

permit ip 192.168.1.0 0.0.0.255 any

!

route-map SDM_RMAP_1 permit 1

match ip address X-Yh

!

control-plane

!

line con 0

line aux 0

line vty 0 4

privilege level 15

password Sr

!

scheduler allocate 20000 1000

end

Jennifer Halim · ‎09-09-2013

Configuration looks OK to me.

Can you please share the output of:

show cry isa sa

show cry ipsec sa

mkabbashi · ‎09-09-2013

thankyou very much

hostname X_R_Z#show cry isa sa

dst src state conn-id slot status

hostname X_R_Z#show cry ipsec sa

easyvpn server has created but Can't access local LAN using cisco cpn client

the second command gives nothing

Jennifer Halim · ‎09-09-2013

Hmm. there is no output on both show commands.

Can you please connect with the VPN Client, tried to access internal resources and then grab the output?

BTW, the internal resources that you are trying to access, do they have firewall that might be blocking incoming access?

If you are able to ping the router LAN interface, that means the VPN seems to be fine.

mkabbashi · ‎09-10-2013

X_R_Z#show cry isa sa

dst src state conn-id slot status

197.251.333.147 105.238.232.73 QM_IDLE 2 0 ACTIVE

hostname X_R_Z#show cry ipsec sa

interface: FastEthernet0/0.75

Crypto map tag: SDM_CMAP_1, local addr 197.251.333.147

protected vrf: (none)

local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)

remote ident (addr/mask/prot/port): (192.168.50.2/255.255.255.255/0/0)

current_peer 105.238.232.73 port 4571

PERMIT, flags={}

#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4

#pkts decaps: 71, #pkts decrypt: 71, #pkts verify: 71

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 197.251.333.147, remote crypto endpt.: 105.238.232.73

path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.75

current outbound spi: 0x50ED79CE(1357740494)

inbound esp sas:

spi: 0xFE36C8D(266562701)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 3001, flow_id: FPGA:1, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4398315/3445)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0x50ED79CE(1357740494)

transform: esp-3des esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 3002, flow_id: FPGA:2, crypto map: SDM_CMAP_1

sa timing: remaining key lifetime (k/sec): (4398326/3438)

IV size: 8 bytes

replay detection support: Y

Status: ACTIVE

outbound ah sas:

outbound pcp sas:

This is the output after I used a different pc to connect using mdsl internet and cisco vpn client software. the connection has established but I can't ping the router: 192.168.1.77 or any other Pcs, and there is no firewall restrictions

mkabbashi · ‎09-10-2013

is it normal ?

Jennifer Halim · ‎09-10-2013

that looks pretty normal to me...

base on the output, there are packets being decrypted, so traffic from VPN Client is getting into the router, and even though only 4 packets encrypted, the router is actually sending the reply back to the vpn client.

can you check if the PCs that you are trying to ping has any windows FW that might be blocking incoming access?

mkabbashi · ‎09-10-2013

Hi,

there something wrong. is use FastEthernet0/0.75 right?.

I made the configuration on FasttEthernet0/0.75, its the outside interface with public ip.

the

FastEthernet0/0.71 is the local interface with internal ip which is 192.168.1.77 (router), I can't ping it.

when I connect from a client, I notice that under Transport in Statistics section in cisco vpn client program, the Local LAN field value is disabled?

mkabbashi · ‎09-10-2013

I am trying to ping the router itself which has the ip 192.168.1.77 , but no reply

no firewall on this router.

Jennifer Halim · ‎09-10-2013

the interfaces configuration is correct, i don't see anything wrong with that.

Is there any switch or internal router that you can try to ping instead?

Jennifer Halim · ‎09-10-2013

or try to telnet to the router inside interface and see if that is working.

mkabbashi · ‎09-10-2013

mkabbashi · ‎09-10-2013

mkabbashi · ‎09-10-2013

tried to telnet from outside but no success , from internal lan device I can

mkabbashi · ‎09-10-2013

is it NAT issue?!!