01-18-2011 07:21 AM - edited 02-21-2020 05:06 PM
Hi All,
I am trying to set up remote access with split tunneling on a Cisco 2801. I can connect to the VPN profile and get to the internet; however, I am unable to ping/reach any of the inside devices (10.10.10.X). The VPN users are getting the correct address assignments in the 172.15.10.X range. I can see that my remote PC is sending packets to the devices but not receiving anything back. Here is what my config looks like... any thoughts on things to look at would be great!
Thanks
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address x.x.x.x
crypto isakmp key cisco123 address x.x.x.x
!
crypto isakmp client configuration group VPN_Client
key ******
dns 64.89.70.2 64.89.74.2
pool SDM_POOL_1
acl 120
max-users 25
netmask 255.255.255.0
!
!
crypto isakmp profile sdm-ike-profile-1
match identity group VPN_Client
client authentication list sdm_vpn_xauth_ml_1
isakmp authorization list sdm_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile SiteA
keyring myring
match identity address 1.1.1.1 255.255.255.255
local-address FastEthernet0/0
crypto isakmp profile Site2
keyring Atlanta
match identity address 2.2.2.2 255.255.255.255
local-address FastEthernet0/0
!
!
crypto ipsec transform-set AES192 esp-aes 192 esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map RA-Map 10
set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 3.3.3.3
set peer 3.3.3.3
set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
set pfs group2
set isakmp-profile SiteA
match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
description Tunnel to 4.4.4.4
set peer 4.4.4.4
set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
set pfs group2
set isakmp-profile SiteB
match address 106
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic RA-Map
!
!
!
!
!
interface FastEthernet0/0
description *** Outside ETH-LAN ***
ip address 174.1.1.2 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
!
!
interface FastEthernet0/1
description *** Inside ETH-LAN ***
ip address 10.10.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Serial0/1/0
no ip address
shutdown
!
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
!
ip local pool SDM_POOL_1 172.15.10.1 172.15.10.50
ip forward-protocol nd
!
ip flow-top-talkers
top 10
sort-by bytes
!
ip http server
ip http secure-server
ip nat source list 110 interface FastEthernet0/0 overload
ip nat inside source list 110 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 174.1.1.1
!
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 105 permit ip 172.15.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 106 permit ip 10.10.10.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 172.15.10.0 0.0.0.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 172.15.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 172.15.10.0 0.0.0.255
access-list 120 permit ip 172.20.0.0 0.0.255.255 172.15.10.0 0.0.0.255
access-list 130 remark SDM_ACL Category=17
access-list 130 permit udp host 4.2.2.2 eq domain any
access-list 130 permit esp host 65.79.168.6 host 174.141.59.195
access-list 130 permit ip host 65.79.168.6 host 174.141.59.195
access-list 130 permit ip any any
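Added example, not from the thread or from Cisco: a small Python evaluator for the numbered access-lists in the config above. It checks the two ACL facts that decide whether inside hosts can answer VPN clients: ACL 110, referenced by ip nat inside source, has to deny inside-to-pool traffic so replies are left untranslated, and ACL 120, pushed to the VPN_Client group as the split-tunnel list, has to include the inside network. The evaluator does first-match with IOS's implicit deny, understands any / host / wildcard-mask specs, ignores port qualifiers such as eq domain, and treats protocol ip as matching every packet. The ACL text is copied from the posted config; the sample hosts 10.10.10.5 and 172.15.10.3 are constructed.

```python
import ipaddress

# Access-list lines copied from the configuration posted in the question above
POSTED_ACLS = """
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 105 permit ip 172.15.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 106 permit ip 10.10.10.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 172.15.10.0 0.0.0.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 172.15.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 172.15.10.0 0.0.0.255
access-list 120 permit ip 172.20.0.0 0.0.255.255 172.15.10.0 0.0.0.255
access-list 130 remark SDM_ACL Category=17
access-list 130 permit udp host 4.2.2.2 eq domain any
access-list 130 permit esp host 65.79.168.6 host 174.141.59.195
access-list 130 permit ip host 65.79.168.6 host 174.141.59.195
access-list 130 permit ip any any
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) from tokens.
    Returns ((value, mask), rest); mask has 1 bits where the address must match,
    i.e. the inverse of the IOS wildcard mask."""
    if tokens[0] == "any":
        return (0, 0), tokens[1:]
    if tokens[0] == "host":
        return (_ip(tokens[1]), 0xFFFFFFFF), tokens[2:]
    return (_ip(tokens[0]), 0xFFFFFFFF ^ _ip(tokens[1])), tokens[2:]


def _skip_ports(tokens):
    """Drop a port qualifier such as 'eq domain'; ports are ignored by this checker."""
    if tokens and tokens[0] in ("eq", "gt", "lt", "neq"):
        return tokens[2:]
    if tokens and tokens[0] == "range":
        return tokens[3:]
    return tokens


def parse_acls(text):
    """Return {acl_number: [(action, protocol, src_spec, dst_spec), ...]}."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] != "access-list" or tokens[2] == "remark":
            continue
        number, action, proto = tokens[1], tokens[2], tokens[3]
        src, rest = _take_addr(tokens[4:])
        rest = _skip_ports(rest)
        dst, rest = _take_addr(rest)
        acls.setdefault(number, []).append((action, proto, src, dst))
    return acls


def _match(spec, addr):
    value, mask = spec
    return (addr & mask) == (value & mask)


def evaluate(acls, number, proto, src, dst):
    """First-match evaluation of ACL `number`; IOS appends an implicit deny."""
    s, d = _ip(src), _ip(dst)
    for action, entry_proto, src_spec, dst_spec in acls[number]:
        if entry_proto not in ("ip", proto):
            continue
        if _match(src_spec, s) and _match(dst_spec, d):
            return action
    return "deny"


def check_vpn_path(acls, inside_host, vpn_client):
    """The two ACL facts that decide whether inside -> VPN-client replies can work."""
    return {
        # ip nat inside source list 110: a 'deny' means the reply is NOT translated
        "nat_exempt": evaluate(acls, "110", "ip", inside_host, vpn_client) == "deny",
        # acl 120 in the client group: the inside network must be pushed as a tunnelled route
        "split_tunnel_includes_inside": evaluate(acls, "120", "ip", inside_host, vpn_client) == "permit",
    }


if __name__ == "__main__":
    acls = parse_acls(POSTED_ACLS)
    print(check_vpn_path(acls, "10.10.10.5", "172.15.10.3"))
```

For the posted config both checks come back True, so NAT exemption and the split-tunnel list are not the reason inside hosts stay unreachable, which is consistent with the fix in this thread being on the IPsec termination side rather than in the ACLs.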
01-18-2011 07:30 AM
Hi,
Can you PING 10.10.10.254 which is the inside IP of the router?
If you can, but cannot PING the internal network, make sure the internal network has a default route pointing to 10.10.10.254 or at least there's a route to the VPN pool.
Federico.
01-18-2011 07:35 AM
Hi Federico,
I cannot ping the inside router interface or the internal network.
01-18-2011 07:38 AM
You mention that the VPN client shows packets encrypted but not decrypted (received)?
This means the router should show packets decrypted. Check the output of 'sh cry ips sa'.
Check if the router also shows packets encrypted, to see if the router is sending the data back to the VPN client.
Federico.
01-18-2011 07:43 AM
The router is only showing pkts decaps and not pkts encaps, as shown below.
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
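Added example, not from the thread or from Cisco: a Python helper that parses the counter block from the show crypto ipsec sa output above and classifies the SA the way Federico does in the reply before it (decaps without encaps means the router decrypts the client's packets but never sends anything back). The counter lines are copied from the post; the classification labels and the hint text are constructed, and the hint for the inbound-only case lists the return-path checks a troubleshooter would make, including the one that resolved this thread.

```python
import re

# Counter lines copied from the 'sh cry ips sa' output posted above
POSTED_SA_COUNTERS = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 6, #pkts decrypt: 6, #pkts verify: 6
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
"""

# Each counter is '#<name>: <n>' or '#<name> <n>'; counters are comma separated
COUNTER_RE = re.compile(r"#((?:pkts [a-z. ]+?)|send errors|recv errors):?\s+(\d+)")


def parse_sa_counters(text):
    """Return {'pkts encaps': 0, 'pkts decaps': 6, ...} from the counter block."""
    return {name.strip(): int(value) for name, value in COUNTER_RE.findall(text)}


def classify_sa(counters):
    """Classify traffic direction on the SA from the encaps/decaps counters."""
    encaps = counters.get("pkts encaps", 0)
    decaps = counters.get("pkts decaps", 0)
    if encaps == 0 and decaps == 0:
        return "idle"
    if encaps == 0:
        return "inbound-only"   # router decrypts client traffic but never encrypts replies
    if decaps == 0:
        return "outbound-only"  # router encrypts but receives nothing from the peer
    return "bidirectional"


# Constructed troubleshooting hints keyed by classification
HINTS = {
    "idle": "No packets hit the SA: check that interesting traffic reaches the router",
    "inbound-only": ("Replies never enter the tunnel: check return routing (reverse-route), "
                     "NAT exemption for inside-to-pool traffic, and that the client SA is "
                     "owned by one construct only (dynamic crypto map or virtual-template)"),
    "outbound-only": "Peer sends nothing: check the peer's SA and its path to this router",
    "bidirectional": "SA carries traffic both ways: look beyond IPsec (host firewall, app)",
}


def diagnose(text):
    """Return (classification, hint) for a pasted counter block."""
    state = classify_sa(parse_sa_counters(text))
    return state, HINTS[state]


if __name__ == "__main__":
    print(diagnose(POSTED_SA_COUNTERS))
```

Run against the posted counters the helper reports inbound-only, which matches the symptom in the thread: the remote PC's packets are decrypted on the 2801, but nothing is encrypted back towards the 172.15.10.X client.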
01-18-2011 07:59 AM
Are the VPN clients connecting to the F0/0 interface (where the crypto map is applied) or to the virtual-template interface?
What if you do this:
crypto isakmp profile sdm-ike-profile-1
no virtual-template 1
Disconnect/reconnect.
Federico.
01-18-2011 08:05 AM
Hi Federico,
That did the trick...thanks for the extra set of eyes!
01-18-2011 08:07 AM
Glad I could help :-)
Thank you Steve.
Federico.