09-15-2015 08:50 AM - edited 02-21-2020 08:27 PM
I configured remote access VPN so that remote users can access my LAN. I want some users to access an application server on my LAN.
I can connect to the VPN using the Cisco VPN Client but I cannot ping any IP address in the internal network. The VPN client shows connected.
The VPN Client statistics are given below:
Address Information
Client: 192.168.1.1
Server: 4.6.8.13
Connection Information
Entry: VPN
Time: 0 day 00:24:23
Bytes
Received: 0
Sent: 22957
Crypto
Encryption: 168-bit 3DES
Authentication: HMAC-SHA1
Packets
Encrypted: 230
Decrypted: 0
Discarded: 0
Bypassed: 431
Transport
Transparent Tunneling: Inactive
Local LAN: Disabled
Compression: None
Router#sho crypto session
Crypto session current status
Interface: Virtual-Access2
Username: tomoooo
Profile: sdm-ike-profile-1
Group: gas
Assigned address: 192.168.1.1
Session status: UP-ACTIVE
Peer: 41.71.148.86 port 1066
IKE SA: local 4.6.8.13/500 remote 41.71.148.86/1066 Active
IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 192.168.1.1
Active SAs: 2, origin: crypto map
Attached is the show running-config.
Please can someone help me with why the VPN shows connected and yet the internal systems are not reachable from the remote end.
Thanks for your help.
Thomas
09-15-2015 09:06 AM
Hi,
The configuration looks fine. Are you able to ping the router's interfaces? If yes, then check that the internal server has a return route for the VPN pool and that its OS firewall is turned off.
Could you check the output of "show crypto ipsec sa peer <>"? If you see no decaps/decrypts then it could be a client-side issue or an ISP issue. If there are no encaps/encrypts then it is a LAN-side issue.
For an ISP issue, you could try connecting from a different location.
What OS are you using the client on? Please note that the client is EOL and supported only up to Win7.
Regards,
Abaji.
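A small added example that applies the counter rule from the reply above (my own code, not the poster's output and not anything from Cisco): it pulls the encaps/decaps counters out of "show crypto ipsec sa" text, or the Encrypted/Decrypted counters out of the VPN Client statistics window, and says which side to look at. The sample outputs are constructed to mirror the figures in the first post (230 packets encrypted by the client, 0 decrypted); the exact line layout of the IOS command output is an assumption.

```python
"""Apply the counter rule from the reply above to command output.

Rule: on the router, 'decaps' counts packets received from the client and
'encaps' counts packets sent back to it.  No decaps means the client's
traffic never reaches the router (client or ISP side); decaps but no encaps
means the router gets the client's packets but has nothing to return (LAN
side: return route for the VPN pool, or a host firewall)."""
import re
from typing import Dict

# Constructed sample in the shape of IOS 'show crypto ipsec sa peer <ip>'
# output (layout assumed, not copied from the thread).  Numbers mirror the
# post: the client encrypted 230 packets and decrypted none, so the router
# decapsulated 230 and encapsulated 0.
SAMPLE_LAN_SIDE = """\
interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 4.6.8.13

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.1/255.255.255.255/0/0)
   current_peer 41.71.148.86 port 1066
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 230, #pkts decrypt: 230, #pkts verify: 230
"""

# Same layout, constructed for the opposite failure: nothing from the client
# ever arrives, so the router decapsulates nothing.
SAMPLE_CLIENT_SIDE = SAMPLE_LAN_SIDE.replace(
    "#pkts decaps: 230, #pkts decrypt: 230, #pkts verify: 230",
    "#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0")

# Constructed excerpt of the Cisco VPN Client statistics window, same figures.
SAMPLE_CLIENT_STATS = """\
Packets
Encrypted: 230
Decrypted: 0
Discarded: 0
Bypassed: 431
"""

COUNTER_RE = re.compile(r"#pkts (encaps|encrypt|decaps|decrypt): (\d+)")
CLIENT_RE = re.compile(r"^\s*(Encrypted|Decrypted|Discarded)\s*:?\s*(\d+)", re.M)


def parse_ipsec_counters(show_output: str) -> Dict[str, int]:
    """Sum the per-SA packet counters found in 'show crypto ipsec sa' output."""
    totals: Dict[str, int] = {}
    for name, value in COUNTER_RE.findall(show_output):
        totals[name] = totals.get(name, 0) + int(value)
    missing = {"encaps", "decaps"} - totals.keys()
    if missing:
        raise ValueError(f"no {sorted(missing)} counters found; "
                         "is this 'show crypto ipsec sa' output?")
    return totals


def parse_client_stats(stats_text: str) -> Dict[str, int]:
    """Read the VPN Client's packet counters and express them in router terms:
    what the client encrypted is what the router should have decapsulated,
    and what the client decrypted is what the router encapsulated."""
    found = {name: int(value) for name, value in CLIENT_RE.findall(stats_text)}
    if "Encrypted" not in found or "Decrypted" not in found:
        raise ValueError("Encrypted/Decrypted lines not found in client statistics")
    return {"decaps": found["Encrypted"], "encaps": found["Decrypted"],
            "discarded": found.get("Discarded", 0)}


def diagnose(counters: Dict[str, int]) -> str:
    """Return which side to investigate, following the rule in the reply."""
    encaps, decaps = counters["encaps"], counters["decaps"]
    if decaps == 0:
        return ("client or ISP side: the router is not receiving any of the "
                "client's encrypted packets")
    if encaps == 0:
        return ("LAN side: the router receives the client's packets but has "
                "nothing to send back; check the internal server's return "
                "route for the VPN pool and its host firewall")
    return ("both directions carry traffic (%d in, %d out); the tunnel itself "
            "forwards, so look for loss or filtering elsewhere" % (decaps, encaps))


if __name__ == "__main__":
    for label, text in (("router (LAN-side case)", SAMPLE_LAN_SIDE),
                        ("router (client-side case)", SAMPLE_CLIENT_SIDE)):
        print(label, "->", diagnose(parse_ipsec_counters(text)))
    print("client stats ->", diagnose(parse_client_stats(SAMPLE_CLIENT_STATS)))
```

Paste the real router output into parse_ipsec_counters(), or the client window text into parse_client_stats(); both feed diagnose(). The first post's figures (230 encrypted, 0 decrypted) come out as the LAN-side case, which is what the host firewall finding later in the thread confirms.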
09-15-2015 10:29 AM
Hello Abaji,
Thank you for your prompt response.
The VPN client is running on a Windows XP system. When I turn off the firewall on the systems on the local LAN, I can ping them from the remote system, though the ping is not very steady; the timeout rate is somewhat high and the user may not be able to access local resources.
Is there anything I can do to improve the ping reply rate?
You mentioned that the client is EOL and supported only up to Win 7. What other client can I use to achieve the same access as the Cisco client, assuming I am to use Win 8 systems?
Turning off the firewall permanently may not be a secure option; how can I configure the firewall to permit access?
After running for about 30 minutes, all the pings to the internal systems began to time out even though the VPN still showed connected.
Attached is the show crypto ipsec output.
Thanks once more for your help.
Thomas
10-22-2015 11:07 PM
Hi,
You need to make sure the client has a clean internet connection to have better connectivity over the VPN.
For Win 8 and above you need to plan to migrate to the AnyConnect VPN client.
Check the Windows documentation on how to allow certain ports through the Windows firewall.
HTH
Abaji.