cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
732
Views
0
Helpful
3
Replies

Remote Access VPN configuration

tomocisco
Level 1
Level 1

I configured remote access vpn such that remote users can access my LAN. I want some users to access an application server on my LAN.

I can connect to vpn using cisco VPN client but I cannot ping any IP address in the internal network. The vpn clien shows connected.

VPN Client Statistics are given below:

 

Address Information                       

Client: 192.168.1.1                            

Server 4.6.8.13   

 

Connection Information

Entry: VPN

Time 0 day 00:24:23

 

Bytes

Received 0

Sent 22957

 

Crypto

Encryption : 168bit 3-DES

Authentication HMAC-SHA1

 

Packets

Encrypted: 230

Decrypted: 0

Discarded: 0

Bypassed: 431

 

Transport

Transparent Tunneling: Inactive

Local LAN: Disabled

Compression: None

Router#sho crypto session
Crypto session current status

Interface: Virtual-Access2
Username: tomoooo
Profile: sdm-ike-profile-1
Group: gas
Assigned address: 192.168.1.1
Session status: UP-ACTIVE
Peer: 41.71.148.86 port 1066
  IKE SA: local 4.6.8.13/500 remote 41.71.148.86/1066 Active
  IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.1.1
        Active SAs: 2, origin: crypto map

 

Attached is the sho running config.

 

Please can someone help me on why the vpn shows connected and yet the internal system are not reachable from remote end.

Thanks for your help.

Thomas

 

                            

3 Replies 3

Abaji Rawool
Level 3
Level 3

Hi,

The configuration looks fine, are you able to ping the Router's interfaces? If yes, then check the internal server has return route for VPN pool and its OS firewall is turned off.

Could you check output for "show crypto ipsec sa peer <>" and if you see no decap / decrypts then it could be client side issue or ISP issue. If there is no encap/ encrypts then it is LAN side issue.

For ISP issue, you can try connecting from different location?

What OS you are using the client on? Please note that client is EOL and supported only up to win7.

Regards,

Abaji.

 

 

Hello Abaji,

 

Thank you for your prompt response.

The VPN client is running on a window xp system. when i put off the firewall on the system on the local LAN, I can ping them from the remote system, though the ping is not very steady, time out rate is  somewhat high and user may not be able to access local resources.

Is there anything I can do to improve on the ping reply rate?

You mentioned that the client is EOL and supported only up to win 7. What other client can I use to achieve the same access as cisco client assuming I am to use win 8 systems?

Putting off the firewall permanently may not be a secure option, how can I configure firewall to permit access?

After running for about 30minutes all the ping to the internal systems began to time out even though the vpn still shows connected.

Attached is the show crytpo ipsec.

 

Thanks once more for your help.

 

Thomas

Hi,

You need to make sure client has clean internet connection to have better connectivity over VPN

For Win 8 and above you need to plan to migrate to anyconnect VPN client.

Checked the windows documentation to allow certain ports through windows firewall.

HTH

Abaji.