09-30-2014 12:46 PM - edited 02-21-2020 07:51 PM
I have a Cisco 881 router, which is configured with a site-to-site IPSec tunnel and VPN client IPSec access. The site-to-site IPSec tunnel works fine. When I connect to the router with the Cisco VPN Client using IPsec, it also works fine and I connect. The problem that I have is that I can't Telnet to the router 192.168.4.1 or ping 192.168.4.1. From the remote site that is connected via the site-to-site tunnel, I can Telnet and ping 192.168.4.1. I must be doing something wrong with the VPN client portion of the configuration, but I can't seem to figure it out. The config is below. Hopefully someone can see what I'm doing wrong.
Thank you
Cisco 881 Router - Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1), c880data-universalk9-mz.152-4.M6.bin
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
no logging console
enable secret 5 xxxxxx
!
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.189
!
ip dhcp pool sdm-pool1
import all
network 192.168.4.0 255.255.255.0
default-router 192.168.4.1
!
!
!
ip flow-cache timeout active 5
no ip bootp server
ip inspect name FW tcp
ip inspect name FW udp
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
!
!
!
!
no spanning-tree vlan 41
username test view root secret 5 xxxxxxxxxxxxxx
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0
!
crypto keyring site2site
pre-shared-key address 10.1.1.1 key 6 xxxxxxxxx
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group remote-clients
key 6 xxx
pool VPN-clients
acl 104
max-logins 1
crypto isakmp profile site-to-site
description Site to site VPN Tunnel profile connection
keyring site2site
match identity address 10.1.1.1 255.255.255.255
keepalive 30 retry 3
crypto isakmp profile vpnclients
description VPN Clients profile connection
match identity group remote-clients
client authentication list vpnclientauth
isakmp authorization list vpngroupauth
client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
!
!
crypto dynamic-map SDM_DYNMAP_1 2
set transform-set ESP-3DES-SHA
set isakmp-profile vpnclients
reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
set peer 10.1.1.1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
set isakmp-profile site-to-site
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
!
interface FastEthernet0
description Inside FastEthernet0 Default Gateway
switchport access vlan 41
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
shutdown
!
interface FastEthernet2
no ip address
shutdown
!
interface FastEthernet3
no ip address
shutdown
!
interface FastEthernet4
description Outside FastEthernet4
ip address dhcp client-id FastEthernet4
ip access-group 103 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat outside
ip inspect FW out
ip virtual-reassembly in
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface Vlan1
no ip address
ip tcp adjust-mss 1452
!
interface Vlan41
description Inside FastEthernet0 Default Gateway
ip address 192.168.4.1 255.255.255.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip flow egress
ip nat inside
ip inspect FW out
ip virtual-reassembly in
!
ip local pool VPN-clients 192.168.40.1
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1 254
!
logging trap notifications
logging source-interface FastEthernet0
logging host 192.168.0.110
access-list 80 permit 192.168.0.110
access-list 80 deny any log
access-list 100 remark IPSec Tunnel Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny ip any any log
access-list 101 remark ------ NAT Rules ------
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 deny ip any any log
access-list 102 remark ------ Inside Interface IN Rules ------
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 permit ip any any
access-list 103 remark ------ Outside Interface IN Rules -------
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 deny ip any any log
access-list 104 remark ------ IPSEC Remote Clients Rules ------
access-list 104 permit ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 104 deny ip any any log
access-list 105 remark ------ TTY Access Rules ------
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.40.0 0.0.0.255 any
access-list 105 deny ip any any log
no cdp run
!
route-map NONAT permit 1
match ip address 101
!
end
10-01-2014 08:28 AM
Just to clarify:
You can telnet over the site to site tunnel, but not from the VPN client?
10-01-2014 08:34 AM
Yes. I can Telnet over the site-to-site tunnel to the Cisco 881. I cannot Telnet via the VPN Client to the Cisco 881 or ping its LAN interface.
GM
10-01-2014 08:37 AM
Can you ping anything else behind its LAN interface?
10-01-2014 09:38 AM
No. I cannot ping anything else behind its LAN interface.
10-01-2014 09:48 AM
Try this:
access-list 101 deny 192.168.40.0 0.0.0.255 any
10-01-2014 10:03 AM
Ok. I thought an "access-list 101 deny ip 192.168.4.0 0.0.0.255 host 192.168.40.1" would work, which I already have defined.
Thanks
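The exchange above turns on which line of access-list 101 a given flow hits, because "ip nat inside source route-map NONAT" translates a flow only when the route-map's match ACL permits it. The following Python script is an added example (not code from the thread or from Cisco) that parses the ACL 101 entries from the posted config, evaluates sample flows in IOS order with Cisco wildcard-mask semantics, and reports whether NONAT would translate or exempt each one. It also evaluates the line suggested in the thread, written here with the "ip" protocol keyword that the other ACL 101 entries use (an assumption on my part), both appended after the existing entries, which is where IOS places a newly entered numbered-ACL line, and moved to the front. The sample hosts 192.168.4.50, 192.168.0.20, 192.168.40.2 and 203.0.113.10 are constructed; only the ACL lines come from the page.

```python
"""Evaluate numbered extended ACL entries the way the NONAT route-map would see them."""
import ipaddress

PROTOCOLS = {"ip", "tcp", "udp", "icmp"}

# Constructed from the ACL 101 lines in the posted config; the remark line is kept
# to show that the parser skips it.
ACL_101_CONFIG = """\
access-list 101 remark ------ NAT Rules ------
access-list 101 deny ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 deny ip any any log
"""

# The line suggested in the thread, written with the "ip" protocol keyword used by
# the other ACL 101 entries (assumption, see lead-in).
PROPOSED_LINE = "access-list 101 deny ip 192.168.40.0 0.0.0.255 any"


def _parse_addr(tokens, i):
    """Parse a source/destination spec starting at tokens[i].

    Returns ((address, wildcard), next_index) as integers. In a Cisco wildcard,
    bits set to 1 are "don't care": 0.0.0.0 means exact host, 255.255.255.255 means any.
    """
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    base = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (base, wildcard), i + 2


def parse_acl(config_text, number):
    """Collect the access-list <number> entries in the order IOS evaluates them.

    Only action, protocol, source and destination are modelled; port operators and
    the trailing "log" keyword do not affect matching here.
    """
    aces = []
    for raw in config_text.splitlines():
        tokens = raw.split()
        if len(tokens) < 5 or tokens[:2] != ["access-list", str(number)]:
            continue
        if tokens[2] == "remark":
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError(f"unsupported ACE: {raw.strip()}")
        src, i = _parse_addr(tokens, 4)
        dst, _ = _parse_addr(tokens, i)
        aces.append({"action": action, "proto": proto, "src": src, "dst": dst, "text": raw.strip()})
    return aces


def _matches(spec, addr):
    base, wildcard = spec
    care = 0xFFFFFFFF ^ wildcard          # bits that must be equal
    return (addr & care) == (base & care)


def first_match(aces, proto, src, dst):
    """Return the first ACE matching the flow, or None for the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for ace in aces:
        if ace["proto"] not in ("ip", proto):
            continue
        if _matches(ace["src"], s) and _matches(ace["dst"], d):
            return ace
    return None


def nat_decision(aces, proto, src, dst):
    """Model "ip nat inside source route-map NONAT" with "match ip address 101".

    A flow is translated only when the ACL permits it; an explicit or implicit
    deny means the route-map does not match and the flow leaves untranslated.
    """
    ace = first_match(aces, proto, src, dst)
    if ace is None:
        return "exempt", "implicit deny"
    return ("translate" if ace["action"] == "permit" else "exempt"), ace["text"]


ACL_101_CURRENT = parse_acl(ACL_101_CONFIG, 101)
# Entering a numbered-ACL line on IOS appends it after the existing entries ...
ACL_101_APPENDED = parse_acl(ACL_101_CONFIG + PROPOSED_LINE + "\n", 101)
# ... so placing it first means rebuilding the list; modelled here by prepending.
ACL_101_PREPENDED = parse_acl(PROPOSED_LINE + "\n" + ACL_101_CONFIG, 101)

if __name__ == "__main__":
    flows = [("icmp", "192.168.4.50", "192.168.40.1"),   # LAN reply to the pool address
             ("tcp", "192.168.4.50", "192.168.40.2"),    # LAN reply to a second pool address
             ("tcp", "192.168.4.50", "192.168.0.20"),    # LAN to the site-to-site peer LAN
             ("tcp", "192.168.4.50", "203.0.113.10"),    # LAN to the Internet
             ("tcp", "192.168.40.1", "192.168.4.1")]     # VPN client to the router
    for name, acl in (("current", ACL_101_CURRENT), ("appended", ACL_101_APPENDED),
                      ("prepended", ACL_101_PREPENDED)):
        print(f"--- ACL 101 ({name}) ---")
        for proto, src, dst in flows:
            decision, line = nat_decision(acl, proto, src, dst)
            print(f"{proto:4} {src:>14} -> {dst:<14} {decision:9} [{line}]")
```

Two things the output makes visible: the existing "host 192.168.40.1" entry exempts replies to the one address in pool VPN-clients but would translate replies to any other 192.168.40.x address, whereas a 0.0.0.255 wildcard covers the whole /24; and a line entered after "deny ip any any log" in a numbered ACL is never reached, so where the new entry lands in the list matters as much as what it says.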
10-01-2014 10:06 AM
Did you add that command and test?
10-01-2014 10:57 AM
Not yet. I will be testing tomorrow. I will let you know. Thanks