cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
805
Views
0
Helpful
8
Replies
GW M
Beginner

Issue with VPN Client IPSec to Cisco 881 Router

I have a Cisco 881 router, which is configured with a site-to-site IPSec tunnel and VPN client IPSec access. The site-to-site IPSec tunnel works fine. When I connect to the router with the Cisco VPN Client using IPsec, it also works fine and I connect. The problem that I have is that I can't Telnet to the router 192.168.4.1 or ping 192.168.4.1. From the remote site that is connected via the site to site tunnel, I can Telnet and ping 192.168.4.1. I must be doing something wrong with the VPN client portion of the configuration but I can't seem to figured it out. The config is below. Hopefully someone can see what I'm doing wrong.

Thank you

Cisco 881 Router -  Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1), c880data-universalk9-mz.152-4.M6.bin

 

security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
no logging console
enable secret 5 xxxxxx
!
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.189
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1 
!
!
!
ip flow-cache timeout active 5
no ip bootp server
ip inspect name FW tcp
ip inspect name FW udp
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
!
!
!
!
no spanning-tree vlan 41
username test view root secret 5 xxxxxxxxxxxxxx
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0

crypto keyring site2site  
  pre-shared-key address 10.1.1.1 key 6 xxxxxxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group remote-clients
 key 6 xxx
 pool VPN-clients
 acl 104
 max-logins 1
crypto isakmp profile site-to-site
   description Site to site VPN Tunnel profile connection
   keyring site2site
   match identity address 10.1.1.1 255.255.255.255 
   keepalive 30 retry 3
crypto isakmp profile vpnclients
   description VPN Clients profile connection
   match identity group remote-clients
   client authentication list vpnclientauth
   isakmp authorization list vpngroupauth
   client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
!
!
crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set ESP-3DES-SHA 
 set isakmp-profile vpnclients
 reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 set peer 10.1.1.1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA 
 set isakmp-profile site-to-site
 match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
!
!
interface FastEthernet0
 description Inside FastEthernet0 Default Gateway
 switchport access vlan 41
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 description Outside FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
!
interface Vlan41
 description Inside FastEthernet0 Default Gateway
 ip address 192.168.4.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect FW out
 ip virtual-reassembly in
!
ip local pool VPN-clients 192.168.40.1
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1 254
!
logging trap notifications
logging source-interface FastEthernet0
logging host 192.168.0.110
access-list 80 permit 192.168.0.110
access-list 80 deny   any log
access-list 100 remark IPSec Tunnel Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny   ip any any log
access-list 101 remark ------ NAT Rules ------
access-list 101 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 102 remark ------ Inside Interface IN Rules ------
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 permit ip any any
access-list 103 remark ------ Outside Interface IN Rules -------
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 deny   ip any any log
access-list 104 remark ------ IPSEC Remote Clients Rules ------
access-list 104 permit ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 104 deny   ip any any log
access-list 105 remark ------ TTY Access Rules ------
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.40.0 0.0.0.255 any
access-list 105 deny   ip any any log
no cdp run
!
route-map NONAT permit 1
 match ip address 101
!
end

8 REPLIES 8
adamtodd16
Participant

Just to clarify:

You can telnet over the site to site tunnel, but not from the VPN client? 

Yes. I can Telnet over the site to site tunnel to the Cisco 881. I can not Telnet via the VPN Client to the Cisco 881 or ping it's LAN interface.

 

GM

Can you ping anything else behind it's LAN interface? 

No. I can not ping anything else behind it's LAN interface.

Try this:

access-list 101 deny 192.168.40.0 0.0.0.255 any

Ok. I thought a "access-list 101 deny ip 192.168.4.0 0.0.0.255 host 192.168.40.1" would work, which I already have defined.

Thanks

Did you add that command and test?

Not yet. I will be testing tomorrow. I will let you know. Thanks

Content for Community-Ad