05-14-2013 03:29 PM - edited 02-21-2020 06:54 PM
Been trying for a few days to get this working; I have no clue what could be wrong, so maybe someone can help me.
Vpn client connects fine (Shrewsoft and Cisco client) but cannot ping internal vlan on 10.10.10.0
This is the config:
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login remoteusers local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
ip dhcp excluded-address 10.10.10.199 10.10.10.254
!
ip dhcp pool ccp-pool
import all
network 10.10.10.0 255.255.255.0
dns-server 212.*.*.* 212.*.*.*
default-router 10.10.10.1
lease 0 2
!
!
ip cef
ip domain name yourdomain.com
ip name-server 212.*.*.*
ip name-server 212.*.*.*
ip inspect name INSPECT http java-list 99
ip inspect name INSPECT https
ip inspect name INSPECT dns
ip inspect name INSPECT smtp
ip inspect name INSPECT tcp
ip inspect name INSPECT udp
ip inspect name INSPECT icmp
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username ciscoadmin privilege 15 secret 5 **************
username SDMciscoadmin privilege 15 secret 5 **************
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_Pool
key **********
pool SDM_POOL_2
acl 100
crypto isakmp profile sdm-ike-profile-1
match identity group VPN_Pool
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address initiate
client configuration address respond
virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map dynmap 10
set transform-set ESP-3DES-SHA
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
switchport access vlan 2
shutdown
!
interface FastEthernet2
switchport access vlan 2
shutdown
!
interface FastEthernet3
switchport access vlan 9
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
no ip address
!
interface Vlan2
description LAN
no ip address
ip virtual-reassembly
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan9
description $FW_OUTSIDE$
ip address 213.*.*.152 255.255.255.224
ip nat outside
ip inspect INSPECT out
ip virtual-reassembly
!
interface BVI1
description $ES_LAN$
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_2 10.10.20.10 10.10.20.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 213.*.*.129
ip http server
ip http access-class 10
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 10 interface Vlan9 overload
!
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 199 permit icmp any any
no cdp run
!
!
!
!
!
control-plane
!
bridge 1 route ip
!
line con 0
logging synchronous
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
Any help is greatly appreciated!
05-14-2013 04:45 PM
Joe,
You are missing NAT exemption on the router. Here is what you have to do on the router:
ip access-list extended nat
 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
no ip nat inside source list 10 interface Vlan9 overload
ip nat inside source list nat interface Vlan9 overload
Regards,
Varinder
P.S. Please mark this post as 'Answered' if you find the above information helpful so that it brings goodness to other community users
05-15-2013 11:57 PM
Thank you, I tried that earlier - had all kinds of problems with inside to outside nat using an extended acl.
However I still tried it and these are the changes made:
Extended IP access list nat
10 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
20 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list nat interface Vlan9 overload
and a debug of icmp replies gives the following:
*Nov 30 19:48:35.633: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 19:48:35.637: IP: tableid=0, s=10.10.20.10 (Virtual-Access2), d=10.10.10.1 (BVI1), routed via RIB
*Nov 30 19:48:35.637: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1 (BVI1), len 60, output feature, NAT Inside(7), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 19:48:35.637: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1 (BVI1), len 60, output feature, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 19:48:35.637: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1, len 60, rcvd 4
*Nov 30 19:48:35.637: IP: s=10.10.20.10 (Virtual-Access2), d=10.10.10.1, len 60, stop process pak for forus packet
*Nov 30 19:48:35.637: IP: s=10.10.10.1 (local), d=10.10.20.10, len 60, local feature, NAT(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 19:48:35.637: IP: s=10.10.10.1 (local), d=10.10.20.10 (Virtual-Access2), len 60, sending
It's still natting?
05-16-2013 01:34 AM
Hello Joe,
Try these changes if it helps.
ip access-list extended nat
no 10
10 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
no access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
Best Regards
Please rate all helpful posts and close solved questions
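As an added example (my code, not from the thread or from Cisco), here is a small Python simulation of how IOS evaluates the extended access list that the two replies above attach to "ip nat inside source list": entries are tried in order, the first match wins, a permit means the flow is translated, and a deny or no match at all (the implicit deny) means the flow is left untranslated, which is what "NAT exemption" relies on. It goes a little beyond the thread in two ways: it shows that swapping the two entries makes the permit shadow the deny, and it shows that the wider 10.0.0.0 0.255.255.255 deny from the second reply also exempts a VPN pool carved out of 10.10.10.0/24 itself. The host addresses in the sample flows are constructed. The standard ACL 10 referenced by the original "ip nat inside source list 10" statement does not appear in the pasted config, so only the extended lists proposed in the replies are modelled.

```python
"""
Added example: simulate first-match evaluation of an IOS extended ACL used as a
NAT 'inside source list'. permit -> translate; deny or no match -> exempt.
Supports 'permit|deny ip <src> <dst>' with 'any', 'host A.B.C.D' or
'A.B.C.D WILDCARD' address specs, which is all the thread uses.
"""
import ipaddress
from typing import Callable, List, Optional, Tuple

Matcher = Callable[[ipaddress.IPv4Address], bool]


def _parse_addr(tokens: List[str], i: int) -> Tuple[Matcher, int]:
    """Parse one address spec starting at tokens[i]; return (matcher, next index)."""
    tok = tokens[i]
    if tok == "any":
        return (lambda ip: True), i + 1
    if tok == "host":
        host = ipaddress.IPv4Address(tokens[i + 1])
        return (lambda ip, h=host: ip == h), i + 2
    base = int(ipaddress.IPv4Address(tok))
    # IOS wildcard masks are inverted netmasks: a 1 bit means "don't care".
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    care = 0xFFFFFFFF ^ wildcard
    return (lambda ip, b=base, c=care: (int(ip) & c) == (b & c)), i + 2


def parse_acl(text: str) -> List[Tuple[str, Matcher, Matcher, str]]:
    """Parse 'show ip access-lists' style lines (optional sequence number first)."""
    entries = []
    for raw in text.strip().splitlines():
        tokens = raw.split()
        if tokens and tokens[0].isdigit():
            tokens = tokens[1:]  # drop the sequence number
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {raw!r}")
        src, i = _parse_addr(tokens, 2)
        dst, _ = _parse_addr(tokens, i)
        entries.append((action, src, dst, raw.strip()))
    return entries


def first_match(entries, src: str, dst: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, entry text) of the first match, or (None, None) for the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for action, sm, dm, line in entries:
        if sm(s) and dm(d):
            return action, line
    return None, None


def nat_translates(entries, src: str, dst: str) -> bool:
    """True when NAT would rewrite this flow, i.e. the first matching entry is a permit."""
    action, _ = first_match(entries, src, dst)
    return action == "permit"


# The exemption list from the first reply, as the OP applied it.
NAT_EXEMPT = parse_acl("""
10 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
20 permit ip 10.10.10.0 0.0.0.255 any
""")

# The wider deny from the second reply: exempts every LAN -> 10/8 flow,
# so it also covers a pool taken from 10.10.10.0/24 itself.
NAT_EXEMPT_WIDE = parse_acl("""
10 deny ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
20 permit ip 10.10.10.0 0.0.0.255 any
""")

# Same two entries with the order swapped: the permit shadows the deny.
MISORDERED = parse_acl("""
10 permit ip 10.10.10.0 0.0.0.255 any
20 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
""")

INTERNET_HOST = "203.0.113.10"  # constructed sample address (TEST-NET-3)


def report(entries, flows):
    """Map each (src, dst) flow to whether the list would let NAT translate it."""
    return {flow: nat_translates(entries, *flow) for flow in flows}


if __name__ == "__main__":
    flows = [("10.10.10.50", INTERNET_HOST),   # LAN host to the internet
             ("10.10.10.50", "10.10.20.15"),   # LAN host to a VPN client
             ("10.10.10.50", "10.10.10.120"),  # LAN host to a pool address on its own subnet
             ("10.10.20.15", "10.10.10.1")]    # VPN client to the router's LAN address
    for name, acl in (("NAT_EXEMPT", NAT_EXEMPT), ("NAT_EXEMPT_WIDE", NAT_EXEMPT_WIDE),
                      ("MISORDERED", MISORDERED)):
        print(name)
        for flow, translated in report(acl, flows).items():
            print(f"  {flow[0]:>13} -> {flow[1]:<13} translated={translated}")
```

Only LAN-sourced flows are candidates for translation here; a packet sourced from the pool matches nothing and falls through to the implicit deny, so the list alone never explains a reply being rewritten in the client-to-LAN direction.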
05-16-2013 02:06 AM
Still no joy but I do get an encapsulation failed now.
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1, len 60, input feature, MCI Check(64), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.727: IP: tableid=0, s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), routed via RIB
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Post-routing NAT Outside(17), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Stateful Inspection(20), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, IPSec output classification(25), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Firewall (NAT)(33), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Firewall (inspect)(38), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, IPSec: to crypto engine(54), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, output feature, Post-encryption output features(55), rtype 1, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.727: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), g=10.10.10.1, len 60, forward
*Nov 30 21:58:04.731: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, post-encap feature, (1), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.731: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, post-encap feature, FastEther Channel(2), rtype 0, forus FALSE, sendself FALSE, mtu 0, fwdchk FALSE
*Nov 30 21:58:04.731: IP: s=10.10.20.15 (Virtual-Access2), d=10.10.10.1 (Vlan9), len 60, encapsulation failed
05-16-2013 03:27 AM
I just realised I'm missing the ip classless command; since I'm using 10.10.10.0 that should give routing issues. I'll try later.
05-16-2013 11:13 AM
ip classless is there by default so I'm back to square one.
I don't understand why this wouldn't work. I scoured Google for info and it seems a pretty basic configuration.
05-20-2013 06:42 AM
Still can't get this to work. Does anyone have any more ideas?
05-21-2013 05:14 AM
Solved it by putting the vpn pool on the same subnet 10.10.10.0 - very weird issue though...