09-08-2013 10:43 PM
Hi,
I have created an EasyVPN server on an 1841 router. I can connect to the outside interface from a remote computer, but I can't ping any of the internal LAN devices.
Building configuration...
Current configuration : 3054 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname X_R_Z
!
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.124-12.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$MNXK$lahi6sf17juTZIYm877hT.
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.87
ip dhcp excluded-address 192.168.1.1 192.168.1.66
ip dhcp excluded-address 192.168.1.106
!
ip dhcp pool Xyz
network 192.168.1.0 255.255.255.0
default-router 192.168.1.77
dns-server 196.29.180.39 196.29.164.49 192.168.1.82
domain-name wr
!
!
no ip domain lookup
!
!
!
username w1 privilege 15 password 0 ww2
username fi privilege 15 secret 5 $1$oIDZ$JHpf0Hft0qMAi4oabOfM..
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group testvpn
key 111111
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description WAN_INTERFACE
no ip address
no ip proxy-arp
ip mtu 1400
speed 100
full-duplex
!
interface FastEthernet0/0.71
encapsulation dot1Q 71
ip dhcp relay information trusted
ip address 192.168.1.77 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.75
encapsulation dot1Q 75
ip address 197.251.333.147 255.255.255.252
no ip proxy-arp
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 10.8.0.1 255.255.255.0
duplex auto
speed auto
!
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.5
ip route 0.0.0.0 0.0.0.0 197.251.333.146
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0.75 overload
!
ip access-list extended X-Yh
remark SDM_ACL Category=16
deny ip any host 192.168.50.1
deny ip any host 192.168.50.2
deny ip any host 192.168.50.3
deny ip any host 192.168.50.4
deny ip any host 192.168.50.5
permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
match ip address X-Yh
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password Sr
!
scheduler allocate 20000 1000
end
09-09-2013 11:07 PM
Configuration looks OK to me.
Can you please share the output of:
show cry isa sa
show cry ipsec sa
09-09-2013 11:37 PM
Thank you very much.
hostname X_R_Z#show cry isa sa
dst src state conn-id slot status
hostname X_R_Z#show cry ipsec sa
the second command gives nothing
09-09-2013 11:50 PM
Hmm, there is no output on both show commands.
Can you please connect with the VPN Client, try to access internal resources and then grab the output?
BTW, the internal resources that you are trying to access, do they have firewall that might be blocking incoming access?
If you are able to ping the router LAN interface, that means the VPN seems to be fine.
09-10-2013 02:25 AM
X_R_Z#show cry isa sa
dst src state conn-id slot status
197.251.333.147 105.238.232.73 QM_IDLE 2 0 ACTIVE
hostname X_R_Z#show cry ipsec sa
interface: FastEthernet0/0.75
Crypto map tag: SDM_CMAP_1, local addr 197.251.333.147
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.50.2/255.255.255.255/0/0)
current_peer 105.238.232.73 port 4571
PERMIT, flags={}
#pkts encaps: 4, #pkts encrypt: 4, #pkts digest: 4
#pkts decaps: 71, #pkts decrypt: 71, #pkts verify: 71
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 197.251.333.147, remote crypto endpt.: 105.238.232.73
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0.75
current outbound spi: 0x50ED79CE(1357740494)
inbound esp sas:
spi: 0xFE36C8D(266562701)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3001, flow_id: FPGA:1, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4398315/3445)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x50ED79CE(1357740494)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 3002, flow_id: FPGA:2, crypto map: SDM_CMAP_1
sa timing: remaining key lifetime (k/sec): (4398326/3438)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:
This is the output after I used a different PC to connect using MDSL internet and the Cisco VPN Client software. The connection has been established, but I can't ping the router (192.168.1.77) or any other PCs, and there are no firewall restrictions.
09-10-2013 06:29 AM
Is it normal?
09-10-2013 07:32 PM
That looks pretty normal to me...
Based on the output, there are packets being decrypted, so traffic from the VPN Client is getting into the router, and even though only 4 packets were encrypted, the router is actually sending the reply back to the VPN client.
Can you check if the PCs that you are trying to ping have any Windows FW that might be blocking incoming access?
09-10-2013 10:47 PM
Hi,
There is something wrong. Is using FastEthernet0/0.75 right?
I made the configuration on FastEthernet0/0.75; it's the outside interface with the public IP.
FastEthernet0/0.71 is the local interface with the internal IP, which is 192.168.1.77 (router). I can't ping it.
When I connect from a client, I notice that under Transport in the Statistics section of the Cisco VPN Client program, the Local LAN field value is "disabled"?
09-10-2013 10:49 PM
I am trying to ping the router itself, which has the IP 192.168.1.77, but there is no reply.
No firewall on this router.
09-10-2013 10:52 PM
The interfaces configuration is correct, I don't see anything wrong with that.
Is there any switch or internal router that you can try to ping instead?
09-10-2013 10:53 PM
Or try to telnet to the router inside interface and see if that is working.
09-10-2013 11:25 PM
09-10-2013 11:26 PM
09-10-2013 11:29 PM
Tried to telnet from outside but no success; from an internal LAN device I can.
09-10-2013 11:37 PM
Is it a NAT issue?!!
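The NAT question at the end of the thread is one that can be checked mechanically against the running-config posted at the top: the `ip nat inside source route-map` statement must not translate LAN traffic destined for the Easy VPN address pool, and the crypto map must sit on the same interface that is `ip nat outside`. The script below is an added example (not part of the thread and not Cisco code); it contains a constructed excerpt of the posted config (the poster's obfuscated public address is kept as written and is never parsed), parses the pool, the NAT route-map, its ACL and the interface blocks, evaluates the ACL first-match for each pool address, and reports any address that would still be NATed. The function names, the `lan_probe` source address and the config excerpt are assumptions for the example.

```python
import ipaddress

# Constructed excerpt of the config posted in the thread (lines relevant to NAT exemption).
SAMPLE_CONFIG = """
interface FastEthernet0/0.71
 ip address 192.168.1.77 255.255.255.0
 ip nat inside
!
interface FastEthernet0/0.75
 ip address 197.251.333.147 255.255.255.252
 ip nat outside
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.5
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0.75 overload
!
ip access-list extended X-Yh
 remark SDM_ACL Category=16
 deny ip any host 192.168.50.1
 deny ip any host 192.168.50.2
 deny ip any host 192.168.50.3
 deny ip any host 192.168.50.4
 deny ip any host 192.168.50.5
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
 match ip address X-Yh
"""


def _parse_addr(tokens, i):
    """Consume one extended-ACL address spec (any | host A | A wildcard) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts a hostmask ("wildcard") after the slash
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def parse_config(text):
    """Minimal IOS parser: '!' ends a block, so indentation is not relied upon."""
    cfg = {"interfaces": {}, "pools": {}, "acls": {}, "route_maps": {}, "nat": None}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            block = None
            continue
        t = line.split()
        if t[0] == "interface":
            block = ("interface", t[1]); cfg["interfaces"][t[1]] = []
        elif t[:3] == ["ip", "access-list", "extended"]:
            block = ("acl", t[3]); cfg["acls"][t[3]] = []
        elif t[0] == "route-map":
            block = ("route-map", t[1]); cfg["route_maps"].setdefault(t[1], [])
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"][t[3]] = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat"] = {"route_map": t[5], "outside_if": t[7]}
        elif block and block[0] == "interface":
            cfg["interfaces"][block[1]].append(line)
        elif block and block[0] == "acl" and t[0] in ("permit", "deny"):
            src, i = _parse_addr(t, 2)
            dst, _ = _parse_addr(t, i)
            cfg["acls"][block[1]].append((t[0], src, dst))
        elif block and block[0] == "route-map" and t[:3] == ["match", "ip", "address"]:
            cfg["route_maps"][block[1]].append(t[3])
    return cfg


def acl_action(entries, src, dst):
    """First-match evaluation of an extended ACL with the implicit trailing deny."""
    for action, s_net, d_net in entries:
        if src in s_net and dst in d_net:
            return action
    return "deny"


def audit_nat_exemption(text, lan_probe="192.168.1.10"):
    """Return a list of findings; an empty list means the VPN pool is exempt from NAT."""
    cfg, findings = parse_config(text), []
    nat = cfg["nat"]
    if nat is None:
        return ["no 'ip nat inside source route-map' statement found"]
    acls = cfg["route_maps"].get(nat["route_map"], [])
    if not acls:
        return [f"route-map {nat['route_map']} has no 'match ip address'"]
    entries, src = cfg["acls"].get(acls[0], []), ipaddress.ip_address(lan_probe)
    for name, (start, end) in cfg["pools"].items():
        pool = (ipaddress.ip_address(a) for a in range(int(start), int(end) + 1))
        leaked = [str(a) for a in pool if acl_action(entries, src, a) == "permit"]
        if leaked:
            findings.append(f"pool {name}: NAT still applies to traffic toward {', '.join(leaked)}")
    out_if = cfg["interfaces"].get(nat["outside_if"], [])
    if "ip nat outside" not in out_if:
        findings.append(f"{nat['outside_if']} is not 'ip nat outside'")
    if not any(l.startswith("crypto map") for l in out_if):
        findings.append(f"no crypto map applied on NAT outside interface {nat['outside_if']}")
    return findings


if __name__ == "__main__":
    print(audit_nat_exemption(SAMPLE_CONFIG) or "NAT exemption for the VPN pool looks correct")
```

Run against the posted excerpt the audit returns no findings, which matches the reply that the configuration looks OK; the check earns its keep when the pool is later widened (say to 192.168.50.10) without the ACL being extended, because the deny lines are per-host rather than a network statement covering the whole pool.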