Inside LAN is not reachable even after the Cisco remote access VPN client is connected to router C1841; I can ping the router's inside interface and loopback interface, but not even the directly connected inside device?

Hi friends,

Here is the configuration of my router C1841 for the Cisco IPsec remote access VPN. I was able to establish a VPN session properly, but after that I can only reach the inside interfaces of the router, not the LAN devices.

Below is the output from the router.

r1#sh run
Building configuration...

Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
!
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname r1
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
!
aaa new-model
!
!
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
!
!
!
!
!
aaa session-id common
!
dot11 syslog
ip source-route
!
!
!
!
ip cef
ip domain name r1.com
!
multilink bundle-name authenticated
!
!
!
!
!
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
!
redundancy
!
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ra-vpn
 key xxxxxx
 domain r1.com
 pool vpn-pool
 acl 150
 save-password
 include-local-lan
 max-users 10
!
!
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
!
crypto dynamic-map RA 1
 set transform-set my-vpn
 reverse-route
!
!
!
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
!
!
!
!
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
!
interface FastEthernet0/0
 bandwidth 8000000
 ip address 117.239.xx.xx 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map ra-vpn
!
interface FastEthernet0/1
 description $ES_LAN$
 ip address 192.168.10.252 255.255.255.0 secondary
 ip address 10.10.10.1 255.255.252.0 secondary
 ip address 172.16.0.1 255.255.252.0 secondary
 ip address 10.10.7.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
ip local pool vpn-pool 172.18.1.1   172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
!
!
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
!
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
!
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
!
!
!
!
!
!
control-plane
!
!
line con 0
 login authentication local-console
line aux 0
line vty 0 4
 login authentication local-console
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

********************************************

r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 117.239.xx.xx to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C        10.2.2.2/32 is directly connected, Loopback0
C        10.10.7.0/24 is directly connected, FastEthernet0/1
L        10.10.7.1/32 is directly connected, FastEthernet0/1
C        10.10.8.0/22 is directly connected, FastEthernet0/1
L        10.10.10.1/32 is directly connected, FastEthernet0/1
      117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/22 is directly connected, FastEthernet0/1
L        172.16.0.1/32 is directly connected, FastEthernet0/1
      172.18.0.0/32 is subnetted, 1 subnets
S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, FastEthernet0/1
L        192.168.10.252/32 is directly connected, FastEthernet0/1

************************************************

r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE

IPv6 Crypto ISAKMP SA

************************************************

r1#sh crypto ipsec sa

interface: FastEthernet0/0
    Crypto map tag: giet-vpn, local addr 117.239.xx.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
   current_peer 49.206.59.86 port 50083
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x550E70F9(1427009785)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x5668C75(90606709)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550169/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x550E70F9(1427009785)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550170/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

2 Replies

Maximilian88 (Level 1)

Maybe a NAT issue; try configuring a no-NAT statement in your extended ACL 100:

access-list 100 deny ip 10.10.7.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 100 deny ip 10.10.10.0 0.0.1.255 172.18.1.0 0.0.0.255
access-list 100 deny ip 172.16.0.0 0.0.3.255 172.18.1.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
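To see why the placement of those deny lines matters, here is an added example that is not part of the thread: a small Python first-match evaluator for the "access-list N permit|deny ip SRC WILDCARD DST WILDCARD" entries used on r1. IOS evaluates an ACL top-down and stops at the first match, and a new entry typed into a numbered ACL is appended at the end, so the deny lines only exempt LAN-to-client traffic from NAT overload when they sit above the existing permit statements. 172.18.1.39 is the client address from the posted output; the LAN host 10.10.7.10 is a constructed address.

```python
# Added example (not from the thread): first-match evaluator for the IOS
# "access-list N permit|deny ip SRC WC DST WC" entries that feed NAT on r1.
import ipaddress

def _addr(tok, i):
    """Parse 'any', 'host A' or 'A WILDCARD' at tok[i]; return (network, next i)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    # IOS wildcard masks are inverted netmasks: 0.0.1.255 -> 255.255.254.0 (/23)
    mask = ipaddress.ip_address(~int(ipaddress.ip_address(tok[i + 1])) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tok[i]}/{mask}", strict=False), i + 2

def parse_acl(lines, number):
    """Ordered (action, src_net, dst_net) entries for one numbered ACL."""
    entries = []
    for line in lines:
        tok = line.split()
        if len(tok) > 4 and tok[:2] == ["access-list", str(number)] and tok[3] == "ip":
            src, i = _addr(tok, 4)
            dst, _ = _addr(tok, i)
            entries.append((tok[2], src, dst))
    return entries

def will_nat(entries, src_ip, dst_ip):
    """First match wins; no match is the implicit deny, i.e. no translation."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

# ACL 100 exactly as posted for r1: every LAN subnet is permitted to "any".
PERMITS = [
    "access-list 100 permit ip 10.10.7.0 0.0.0.255 any",
    "access-list 100 permit ip 10.10.10.0 0.0.1.255 any",
    "access-list 100 permit ip 172.16.0.0 0.0.3.255 any",
    "access-list 100 permit ip 192.168.10.0 0.0.0.255 any",
]
# The no-NAT lines suggested in the reply, covering the vpn-pool range 172.18.1.x.
DENIES = [
    "access-list 100 deny ip 10.10.7.0 0.0.0.255 172.18.1.0 0.0.0.255",
    "access-list 100 deny ip 10.10.10.0 0.0.1.255 172.18.1.0 0.0.0.255",
    "access-list 100 deny ip 172.16.0.0 0.0.3.255 172.18.1.0 0.0.0.255",
    "access-list 100 deny ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255",
]
# 172.18.1.39 is the client in the posted output; 10.10.7.10 is a constructed LAN host.
def lan_to_vpn_is_natted(acl_lines, lan_ip="10.10.7.10", vpn_ip="172.18.1.39"):
    """True if a LAN host's reply to the VPN client would be translated."""
    return will_nat(parse_acl(acl_lines, 100), lan_ip, vpn_ip)
```

With DENIES + PERMITS the LAN-to-client reply is left untranslated while LAN-to-Internet traffic is still overloaded; with PERMITS + DENIES (the order you get by simply adding the lines to the running ACL) nothing changes.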

Hi Maximilian Schojohann,

First I would like to thank you for showing interest in solving my issue. After some research I found that disabling "ip cef" solves the issue: when I disable it I am able to communicate successfully with the router LAN. But when I disable "ip cef" the router CPU goes to 99% and hangs.

In the output of "sh process cpu" it shows 65% utilization from "IP Input".

So please give me an alternate solution. Thanks in advance.
