09-08-2013 10:43 PM
Hi,
I have created an EasyVPN server on an 1841 router. I can connect to the outside interface from a remote computer, but I can't ping any of the internal LAN devices.
Building configuration...
Current configuration : 3054 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname X_R_Z
!
boot-start-marker
boot system flash:c1841-advipservicesk9-mz.124-12.bin
boot-end-marker
!
no logging buffered
enable secret 5 $1$MNXK$lahi6sf17juTZIYm877hT.
enable password cisco
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.87
ip dhcp excluded-address 192.168.1.1 192.168.1.66
ip dhcp excluded-address 192.168.1.106
!
ip dhcp pool Xyz
network 192.168.1.0 255.255.255.0
default-router 192.168.1.77
dns-server 196.29.180.39 196.29.164.49 192.168.1.82
domain-name wr
!
!
no ip domain lookup
!
!
!
username w1 privilege 15 password 0 ww2
username fi privilege 15 secret 5 $1$oIDZ$JHpf0Hft0qMAi4oabOfM..
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group testvpn
key 111111
pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA1
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description WAN_INTERFACE
no ip address
no ip proxy-arp
ip mtu 1400
speed 100
full-duplex
!
interface FastEthernet0/0.71
encapsulation dot1Q 71
ip dhcp relay information trusted
ip address 192.168.1.77 255.255.255.0
no ip proxy-arp
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/0.75
encapsulation dot1Q 75
ip address 197.251.333.147 255.255.255.252
no ip proxy-arp
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 10.8.0.1 255.255.255.0
duplex auto
speed auto
!
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.5
ip route 0.0.0.0 0.0.0.0 197.251.333.146
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0.75 overload
!
ip access-list extended X-Yh
remark SDM_ACL Category=16
deny ip any host 192.168.50.1
deny ip any host 192.168.50.2
deny ip any host 192.168.50.3
deny ip any host 192.168.50.4
deny ip any host 192.168.50.5
permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
match ip address X-Yh
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password Sr
!
scheduler allocate 20000 1000
end
09-12-2013 11:38 AM
Do I need OUT to IN procedures to make VPN traffic work?
09-14-2013 01:24 AM
Doesn't seem to be a NAT issue, nor do you need out-to-in procedures.
Are you able to ping 192.168.1.82, or RDP to that server or do nslookup against that server?
09-14-2013 02:12 PM
Is 192.168.1.0 used on the client LAN by any chance?
If your client pool is a part of the 192.168.1.0 LAN subnet, you must remove
no ip proxy-arp
from Fa0/0.71 or add a static route for the pool addresses pointing towards outside.
09-15-2013 02:02 AM
09-15-2013 02:07 AM
Hi,
I got the image above when trying to test a VPN client.
Jeniffer,
failed ping to .1.82
Peter,
192.168.1.0, this is the local LAN.
The VPN client pool is 192.168.50.0.
The VPN client cannot ping any 192.168.1.0 IP.
How do I remove "no ip proxy-arp"?
09-15-2013 12:34 PM
Hi,
I tried to connect from a different PC using the Cisco VPN client and it succeeded; the PC uses another ISP,
but I can't from my laptop.
I noticed that when I connected from the PC, the IP in the Local LAN Routes tab in the Cisco VPN client was 192.1.0.0, and there were sent and received packets,
but from my laptop the Local LAN Routes tab showed a strange (public) IP and there are sent packets but none received.
Something is wrong; there is no restriction on the laptop.
09-15-2013 12:56 PM
Please show us
show crypto isakmp sa det
show ip route
for both PCs as well as the Statistics screenshots from both.
09-16-2013 12:47 AM
09-16-2013 12:49 AM
09-16-2013 11:29 AM
XTR# show crypto isakmp sa det
Codes: C - IKE configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal
X - IKE Extended Authentication
psk - Preshared key, rsig - RSA signature
renc - RSA encryption
C-id Local Remote I-VRF Status Encr Hash Auth DH Lifetime Cap.
2 197.251.333.147 143.278.134.74 ACTIVE 3des sha 2 06:41:25 CX
Connection-id:Engine-id = 2:1(software)
XTR# show ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 197.251.333.146 to network 0.0.0.0
197.251.333.0/30 is subnetted, 1 subnets
C 197.251.333.147 is directly connected, FastEthernet0/0.75
C 192.168.1.0/24 is directly connected, FastEthernet0/0.71
S* 0.0.0.0/0 [1/0] via 197.251.333.146
09-16-2013 11:34 AM
The above are from the laptop. The issue is that when my friend uses my ISP connection, he gets the same problem.
Is it a routing issue?
09-16-2013 12:54 PM
Do the PCs on your ISP (bad) and the other ISP (good) both have private or public addresses? Or is that the difference?
You can try to apply a Virtual template like in
http://ltlnetworker.wordpress.com/2010/05/10/ios-easy-vpn-with-radius-and-aaa-cache-2/
09-16-2013 11:00 PM
The 2 PCs have the same standard config, nothing special about either of them. When my friend's PC uses my internet connection, the problem occurs, but there is nothing special about the ISP. Do you think the IOS of the router is corrupt or has a bug somewhere inside?
Do I need to do something with routing?
01-28-2014 05:38 AM
You may need to enable NAT Traversal. Type this.
CRYPTO ISAKMP NAT-TRAVERSAL 30
More in depth info here:
http://supertekboy.com/2014/01/28/cisco-vpn-connects-but-cannot-access-inside-resources/
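The thread's advice boils down to a handful of config checks: is every pool address exempted from NAT, does the client pool overlap the inside LAN while proxy-arp is off, and has NAT-T been explicitly disabled. The script below is an added example, not from the original thread or from Cisco; it runs those checks over a constructed excerpt in the style of the poster's running-config (interface and ACL names are kept from the thread as assumptions, and three pool addresses are deliberately left out of the NAT ACL so the check has something to report).

```python
import re
from ipaddress import ip_address, ip_network

# Constructed excerpt modelled on the thread's config; pool .3-.5 are left out of the NAT ACL.
SAMPLE_CONFIG = """\
interface FastEthernet0/0.71
 ip address 192.168.1.77 255.255.255.0
 no ip proxy-arp
 ip nat inside
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.5
ip access-list extended X-Yh
 deny ip any host 192.168.50.1
 deny ip any host 192.168.50.2
 permit ip 192.168.1.0 0.0.0.255 any
"""

def parse_blocks(text):
    """Map each top-level IOS command to its indented sub-commands."""
    blocks, current = {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):
            if line[0] != " ":
                current, blocks[line.strip()] = line.strip(), []
            else:
                blocks[current].append(line.strip())
    return blocks

def check_easyvpn(text):
    """Findings for the problems raised in the thread, as a list of strings."""
    blocks, findings = parse_blocks(text), []
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", text, re.M)
    if not pool:
        return ["no 'ip local pool' for the VPN clients"]
    lo, hi = int(ip_address(pool[1])), int(ip_address(pool[2]))
    pool_addrs = [ip_address(i) for i in range(lo, hi + 1)]
    # 1. NAT exemption: every pool address needs a 'deny ip any host X' in the NAT ACL.
    exempt = {ip_address(m[1]) for body in blocks.values() for line in body
              if (m := re.match(r"deny ip any host (\S+)$", line))}
    findings += [f"pool address {a} is not exempted from NAT"
                 for a in pool_addrs if a not in exempt]
    # 2. Pool inside the LAN subnet while proxy-arp is off on the 'ip nat inside' interface.
    for head, body in blocks.items():
        if head.startswith("interface") and {"ip nat inside", "no ip proxy-arp"} <= set(body):
            m = re.search(r"ip address (\S+) (\S+)", "\n".join(body))
            if m and any(a in ip_network(f"{m[1]}/{m[2]}", strict=False) for a in pool_addrs):
                findings.append(f"{head}: pool overlaps the LAN subnet with proxy-arp disabled")
    # 3. NAT-T is on by default in IOS; only the explicit 'no' form disables it.
    if re.search(r"^no crypto isakmp nat-traversal", text, re.M):
        findings.append("NAT traversal is explicitly disabled")
    return findings
```

Paste the output of `show running-config` in place of the sample to run the same checks against a real box; the script only reads the text and changes nothing on the router.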