Stuck in troubleshooting ( VPN is UP , ping to the router ethernet(lan side) works but NO OTHER SERVERS...

game123
Level 1

I have a simple remote-access setup with 2 local database accounts on the router running secure IOS.

I have split tunnel enabled also, and it seems to work fine for remote VPN users: VPN users are able to connect and get their respective IPs under their VPN adaptor (if we check them through ipconfig in cmd, from Windows 7 or any other Windows box)....

VPN pool: 197.x.x.x (the pool can be seen in the config)

INSIDE (NETWORK): 192.168.0.X/24, where 192.168.0.99 is the backside Ethernet of the VPN router facing the LAN. The LAN segment is L2 and has only 1 VLAN, no other subnet is present, using a CE500 switch.

Simply want VPN users to access LAN resources and have internet access through the VPN...

Below is the config: ( PLZ EXPERTS, ...let me know the issue here if any ... )

hostname Router-2-Internet
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging buffered 4096 debugging
enable secret 5 $1$W/jA$bkFGswtK1q5hs.iRvPgZR0
enable password 7 12170114190A01162B25
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
no ip source-route
no ip gratuitous-arps
!
!
ip cef
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
no ip bootp server
ip domain name KAMRAN.com
ip name-server 212.72.1.186
ip name-server 198.6.1.1
login block-for 60 attempts 5 within 5
!
!
!
!
username game123 privilege 15 password 7 050C07022443580C0B544541
username dracula password 7 00051F13075A1902
username kamran password 7 01110707500F090033
archive
log config
  logging enable
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
!
crypto isakmp policy 3
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group omanpost
key kobayashi
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface FastEthernet0/0
description Connected to OMANTEL Internet~
ip address 82.178.20.36 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
description Connected to LAN - Servers -
ip address 192.168.0.99 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
ip local pool ippool 197.0.0.3 197.0.0.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 82.178.20.35
ip route 10.25.50.12 255.255.255.252 192.168.0.100
ip route 10.26.10.0 255.255.255.0 192.168.0.100
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/0 overload
ip nat inside source static 192.168.0.10 82.178.20.37
!
!
logging trap debugging
logging facility local2
access-list 1 permit any
access-list 108 permit ip 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 108 permit icmp 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 deny   ip 192.168.0.0 0.0.0.255 197.0.0.0 0.0.0.255
access-list 199 permit ip 192.168.0.0 0.0.0.255 any
route-map nonat permit 10
match ip address 199
!
!
!
control-plane
!
!
banner motd ^C This is a production box for OmanPost in NDC Muscat . Kindly make sure you are authrozied personnel
^C

line con 0
exec-timeout 0 0
login authentication local_auth
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
no exec
transport output telnet
line vty 0 4
password 7 000F1C0405420A1507280C
login authentication local_auth

THANKS , WAITING with CROSSED FINGERS ! "X"

kAmRan ShAkIL

Accepted Solution

Great, sounds like windows server 2008 firewall policy issue if you can ping other ip addresses within the same subnet.

Please kindly mark the post as answered if you have no further questions. Thank you.


9 Replies

Jennifer Halim
Cisco Employee

Are you able to ping 192.168.0.99 from the VPN client?

The router configuration looks correct to me.

Once the VPN is connected, can you try to access the internal resources, and share the output of the following:

show cry isa sa

show cry ipsec sa

You might also want to check if the internal hosts have any Windows firewall that might be blocking inbound connections. Please try to disable the Windows firewall and see if you can access those internal networks.

I am assuming that Internet works fine once you are connected through the vpn client?

Yes. I am able to ping 192.168.0.99 without a break!

Just to confirm, if 192.168.0.99 works fine then, according to the configs, 192.168.0.X (x = anything 1-254) SHALL work fine? Right!!!!

Do you think I need to add a static route on the servers to reach the VPN network (197.x.y.z)??? Or no need!!!

Check for the default gateway on the machines you are trying to access across the VPN.

1. If the default gateway is not set, please set it.

2. If the default gateway is the Router's LAN interface IP address, everything should be cool.

3. If it were some other IP address or device, please add a static route on that device pointing traffic for the pool to the VPN router.

Let me know if it helps.


Cheers,


Nash

Well, my friends, I noticed something with traceroute.

As I said, my router Ethernet (facing the LAN side) is 192.168.0.99 and it pings fine; it also completes a traceroute successfully (screenshot attached).

But if I try to ping 192.168.0.10 it fails (Windows firewall is OFF), plus the trace also fails, and it goes to the global IP and drops....

Click anything????

Waiting plz...

You know, with respect to my config I am not getting packet matches/hits against my ACL 108... is it normal???


I am not getting hits/matches against ACL 108, is it normal?
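As an added check that is not code from the thread, this Python models how the posted access-lists and NAT statements treat a LAN server's reply to a VPN-pool client: ACL 199 exempts LAN-to-pool traffic from the overload rule, but the static entry for 192.168.0.10 carries no route-map, so under the model that host's replies leave translated to 82.178.20.37 while 192.168.0.100's do not. The model assumes the IOS rule that a static NAT entry without a route-map is applied unconditionally; the sample destination 198.51.100.7 is constructed.

```python
import ipaddress

OUTSIDE_IP = "82.178.20.36"                     # FastEthernet0/0, the overload address
STATIC_NAT = {"192.168.0.10": "82.178.20.37"}   # ip nat inside source static (no route-map)

# (action, src, src-wildcard, dst, dst-wildcard) copied from the posted access-lists;
# "any" is written as 0.0.0.0 255.255.255.255. The icmp line of ACL 108 is
# subsumed by its ip line, so only the ip line is modelled.
ACL_108 = [("permit", "192.168.0.0", "0.0.0.255", "197.0.0.0", "0.0.0.255")]
ACL_199 = [("deny",   "192.168.0.0", "0.0.0.255", "197.0.0.0", "0.0.0.255"),
           ("permit", "192.168.0.0", "0.0.0.255", "0.0.0.0",   "255.255.255.255")]

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard test: a set bit in the wildcard means 'do not care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care

def acl_action(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"

def translated_source(src, dst):
    """Source address an inside->outside packet carries after NAT.
    Assumption: a static entry without a route-map applies to every packet
    from that host; the overload rule only fires when route-map nonat
    (ACL 199) permits, and an ACL 199 deny leaves the packet untranslated."""
    if src in STATIC_NAT:
        return STATIC_NAT[src]
    if acl_action(ACL_199, src, dst) == "permit":
        return OUTSIDE_IP
    return src

def reply_reaches_pool_untranslated(server, client):
    """True when a LAN server's reply to a VPN client keeps its private source,
    i.e. still matches the 192.168.0.0/24 <-> pool traffic that ACL 108
    describes and that the router's IPsec SA protects."""
    return (acl_action(ACL_108, server, client) == "permit"
            and translated_source(server, client) == server)

if __name__ == "__main__":
    for server in ("192.168.0.100", "192.168.0.10"):
        print(server, "-> 197.0.0.3 leaves as", translated_source(server, "197.0.0.3"),
              "| inside tunnel:", reply_reaches_pool_untranslated(server, "197.0.0.3"))
```

IOS also accepts a route-map on a static entry (ip nat inside source static ... route-map nonat) where that translation is unintended; whether it is the cause here is not settled by the thread, whose accepted answer points at the Windows firewall.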

On Mon, Dec 13, 2010 at 9:05 AM, halijenn <

If your internal LAN hosts' default gateway is 192.168.0.99, you do not need to configure any static route for the 197.0.0.0/24 network. However, if their default gateway is not 192.168.0.99, then yes, you definitely need to configure a static route to reach 197.0.0.0/24 via 192.168.0.99.

Thanks... well, I put up another router on the same segment, with IP address 192.168.0.100, and I can even ping that IP from the VPN 197.x.y.z... so I believe the problem lies with the Windows 2008 server firewall policies...

Thanks again!
