Tunnel UP but can't ping inside

grzegorzniecka
Level 1

Dear all,

I have configured a VPN server and client following that document:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

The tunnel between the VPN server and the client is UP, but I can't ping inside...

SERVER:

...
aaa new-model
!
!
aaa authentication login lokalne local
aaa authorization exec lokalne local
aaa authorization network lokalne local
!
...
ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name otto.local
ip name-server 191.1.1.100
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn xxx
!
!
username xxx xxx

!
!

!
crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10
!
crypto isakmp client configuration group otto
  key xxx
  pool vpn
  acl 110
crypto isakmp profile vi
    match identity group otto
    isakmp authorization list lokalne
    client configuration address respond
    virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
  set transform-set set
  set isakmp-profile vi
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
  description WAN
  bandwidth 3000
  ip address 62.233.xx.xx 255.255.255.252
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nbar protocol-discovery
  ip flow ingress
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
!
interface Virtual-Template1 type tunnel
  ip unnumbered FastEthernet4
  tunnel source FastEthernet4
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile vi
!
interface Vlan1
  description LAN
  bandwidth 10000
  ip address 191.1.1.155 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nbar protocol-discovery
  ip flow ingress
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
!
router rip
  network 100.0.0.0
  network 191.1.0.0
  no auto-summary
!
ip local pool vpn 172.168.0.80 172.168.0.90
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
...
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 191.1.1.100 3389 62.233.xx.xx 3389 extendable
ip route 0.0.0.0 0.0.0.0 62.233.xx.xx
!
access-list 100 permit ip 191.1.1.0 0.0.0.255 any
access-list 110 permit ip 191.1.1.0 0.0.0.255 any
no cdp run

CLIENT:

crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10
!
!
!
crypto ipsec client ezvpn ez
  connect auto
  group otto key xx
  mode client
  peer 62.233.xx.xx
  xauth userid mode interactive
...
interface Loopback0
  ip address 172.168.0.90 255.255.255.0
...
interface FastEthernet4
  description WAN
  ip address dhcp
  duplex auto
  speed auto
  crypto ipsec client ezvpn ez
!
interface Vlan1
  description LAN
  bandwidth 10000
  ip address 100.100.100.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
  crypto ipsec client ezvpn ez inside
...
ip route 62.233.xx.0 255.255.255.0 dhcp

Status of the tunnel:

#sh crypto session
Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: 62.233.xx.xx port 4500
  IKEv1 SA: local 100.100.0.59/4500 remote 62.233.xx.xx/4500 Active
  IPSEC FLOW: permit ip 100.100.100.0/255.255.255.0 191.1.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map

but I can't ping inside:

#ping 191.1.1.155 source vlan1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.1.1.155, timeout is 2 seconds:
Packet sent with a source address of 100.100.100.1
.....
Success rate is 0 percent (0/5)

16 Replies

Jennifer Halim
Cisco Employee

You will need to configure NAT exemption for traffic between internal LAN and the ip pool as follows:

ip access-list extended 100

     1 deny ip 191.1.1.0 0.0.0.255 172.168.0.0 0.0.0.255

Hope that helps.

I added the deny to the NAT ACL, but I still can't ping inside:

access-list 100 deny   ip 191.1.1.0 0.0.0.255 172.168.0.0 0.0.0.255
access-list 100 permit ip 191.1.1.0 0.0.0.255 any

There are no hits on this deny rule:

#sh access-list 100
Extended IP access list 100
    10 deny ip 191.1.1.0 0.0.0.255 172.168.0.0 0.0.0.255
    20 permit ip 191.1.1.0 0.0.0.255 any (1846 matches)

Hi,

It seems that you are trying to ping the IP address from Vlan1 of the EzVPN client

"#ping 191.1.1.155 source vlan1"

crypto ipsec client ezvpn ez
mode client

Since you have configured EzVPN in client mode, you will not be able to ping "from or to" the inside interface of the client. Try pinging from any device behind the client router and it should be successful.

Sorry, where are you trying to ping from? You can't ping from the ezvpn client router itself. Please try to ping from a PC behind the ezvpn client.

But I can't ping the inside interface of the client either:

#ping 100.100.100.1 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.100.100.1, timeout is 2 seconds:
Packet sent with a source address of 191.1.1.155
.....
Success rate is 0 percent (0/5)

Please kindly ping from a host behind the ezvpn client router to 191.1.1.155. Thanks.

No response.

Deactivate any firewalls on the host and any ACLs on the router that may be blocking traffic.

Can you please share the output of the following from the ezvpn server router:

show cry isa sa

show cry ipsec sa

There are no ACLs configured on the routers that might be blocking the traffic.

#show cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
62.233.239.xx  62.87.176.xx   QM_IDLE           2066 ACTIVE

IPv6 Crypto ISAKMP SA

#show cry ipsec sa

interface: Virtual-Access3
    Crypto map tag: Virtual-Access3-head-0, local addr 62.233.239.xx

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (191.1.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (100.100.100.0/255.255.255.0/0/0)
   current_peer 62.87.176.xx port 4500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 62.233.239.xx, remote crypto endpt.: 62.87.176.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x3CB3D01C(1018417180)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xD11D7E65(3508371045)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 100, flow_id: Onboard VPN:100, sibling_flags 80000046, crypto map: Virtual-Access3-head-0
        sa timing: remaining key lifetime (k/sec): (4512280/2361)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x3CB3D01C(1018417180)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: Virtual-Access3-head-0
        sa timing: remaining key lifetime (k/sec): (4512305/2361)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

I just double-checked the configuration and saw that you are running RIP, and that it also has network 100.0.0.0. Can you please advise where 100.0.0.0 is pointing towards?

Please kindly remove that network from RIP process, and test again to see if you can ping from host behind the ezvpn client router.

Thanks.

In the sample configuration there was:

router eigrp 1
network 192.168.1.0
network 192.168.20.0
no auto-summary

My router can't run eigrp 1, so I changed it to RIP and added the two LANs.

When I remove router rip, I still can't ping inside.

I believe there was something wrong with ACL 110 applied to the VPN clients.

crypto isakmp client configuration group otto
  key xxx
  acl 110

Previously:

access-list 110 permit ip 191.1.1.0 0.0.0.255 any

ping didn't work.

Now, after my changes:

access-list 110 deny ip 191.1.1.0 0.0.0.255 172.168.0.0 0.0.0.255
access-list 110 permit ip any any

ping works fine, even from the VPN client (the client router)!

#ping 191.1.1.155 source vlan 1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.1.1.155, timeout is 2 seconds:
Packet sent with a source address of 100.100.100.1
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/32/36 ms

Doesn't sound right having the deny statement.

I would remove the ACL all together from the group configuration:

crypto isakmp client configuration group otto
  no acl 110

With no acl 110 I can ping inside the VPN tunnel, but I have lost the Internet connection.

So this ACL should be there to enable split tunneling; how should this ACL look so that the hosts can still reach the Internet?
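Both ACL questions raised in this thread (why the NAT-exemption deny line in ACL 100 got zero hits, and what the split-tunnel ACL 110 actually pushes to the client) come down to how IOS evaluates wildcard-mask access lists. The Python model below is an added example written for this page, not code from the thread or from Cisco. The ACL lines and addresses are copied from the posts above; NAT_ACL_ADJUSTED is an assumption: it exempts the 100.100.100.0/24 client LAN that `show crypto ipsec sa` reports as the remote ident, which the posted deny line for the 172.168.0.0/24 pool never matches. Whether the return packets are then routed into Virtual-Access3 at all (the `#pkts encaps: 0` counter) is a separate question the thread does not settle, and the model does not claim to answer it.

```python
"""IOS-style ACL matcher for the two ACLs in this thread: the NAT ACL (100)
and the split-tunnel ACL (110). Added example, not from the original post.
NAT_ACL_ADJUSTED is an assumption (exempt the 100.100.100.0/24 client LAN
reported as remote ident, not only the 172.168.0.0/24 pool)."""
import ipaddress
from typing import List, Optional, Tuple

# One ACL entry: (action, source network, destination network)
Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]


def wildcard_to_network(addr: str, wildcard: Optional[str]) -> ipaddress.IPv4Network:
    """Turn IOS 'address wildcard' into a network: 'any' -> 0.0.0.0/0,
    no wildcard -> /32 host. Non-contiguous wildcards are rejected."""
    if addr == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if wildcard is None:
        return ipaddress.IPv4Network(f"{addr}/32")
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc & (wc + 1):  # a contiguous wildcard is a run of low-order one bits
        raise ValueError(f"non-contiguous wildcard mask {wildcard}")
    prefixlen = 32 - wc.bit_length()
    base = int(ipaddress.IPv4Address(addr)) & ~wc & 0xFFFFFFFF
    return ipaddress.IPv4Network((base, prefixlen))


def _take_address(tokens: List[str]):
    """Consume one address spec ('any', 'host A', or 'A WILDCARD')."""
    if tokens[0] == "any":
        return wildcard_to_network("any", None), tokens[1:]
    if tokens[0] == "host":
        return wildcard_to_network(tokens[1], None), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl_line(line: str) -> Entry:
    """Parse 'access-list N permit|deny ip SRC DST' (the prefix is optional).
    Only protocol 'ip' is modelled, which is all this thread uses."""
    tokens = line.split()
    if tokens[:1] == ["access-list"]:
        tokens = tokens[2:]
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    if action not in ("permit", "deny") or proto != "ip":
        raise ValueError(f"unsupported ACL line: {line!r}")
    src, rest = _take_address(rest)
    dst, _ = _take_address(rest)
    return action, src, dst


def load(lines: List[str]) -> List[Entry]:
    return [parse_acl_line(line) for line in lines]


def first_match(acl: List[Entry], src: str, dst: str) -> Optional[int]:
    """Index of the first entry matching the flow; None when nothing matches
    (IOS then applies the implicit deny at the end of the list)."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for i, (_, sn, dn) in enumerate(acl):
        if s in sn and d in dn:
            return i
    return None


def nat_decision(acl: List[Entry], src: str, dst: str) -> str:
    """'ip nat inside source list' semantics: permit -> translate,
    deny or no match -> packet left untranslated (NAT exemption)."""
    i = first_match(acl, src, dst)
    return "translate" if i is not None and acl[i][0] == "permit" else "exempt"


def split_tunnel_networks(acl: List[Entry]) -> List[ipaddress.IPv4Network]:
    """The EzVPN server pushes the SOURCE networks of the permit entries as
    the client's protected-network list; deny entries contribute nothing."""
    return [sn for action, sn, _ in acl if action == "permit"]


def is_tunneled(acl: List[Entry], dst: str) -> bool:
    """Would a packet from a host behind the client to dst enter the tunnel?"""
    return any(ipaddress.IPv4Address(dst) in n for n in split_tunnel_networks(acl))


# ACL 100 as posted after the NAT-exemption suggestion (from the thread)
NAT_ACL_AS_POSTED = [
    "access-list 100 deny ip 191.1.1.0 0.0.0.255 172.168.0.0 0.0.0.255",
    "access-list 100 permit ip 191.1.1.0 0.0.0.255 any",
]
# Assumption: also exempt the client LAN the SA actually carries
NAT_ACL_ADJUSTED = [
    "access-list 100 deny ip 191.1.1.0 0.0.0.255 100.100.100.0 0.0.0.255",
    "access-list 100 deny ip 191.1.1.0 0.0.0.255 172.168.0.0 0.0.0.255",
    "access-list 100 permit ip 191.1.1.0 0.0.0.255 any",
]
SPLIT_ACL_AS_POSTED = ["access-list 110 permit ip 191.1.1.0 0.0.0.255 any"]
SPLIT_ACL_PERMIT_ANY = ["access-list 110 permit ip any any"]

if __name__ == "__main__":
    # Return traffic from the server LAN to the client LAN, as in the thread
    for name, lines in (("posted", NAT_ACL_AS_POSTED), ("adjusted", NAT_ACL_ADJUSTED)):
        acl = load(lines)
        print(f"NAT ACL {name}: 191.1.1.155 -> 100.100.100.1 hits entry "
              f"{first_match(acl, '191.1.1.155', '100.100.100.1')}, "
              f"{nat_decision(acl, '191.1.1.155', '100.100.100.1')}")
    for name, lines in (("posted", SPLIT_ACL_AS_POSTED), ("permit any", SPLIT_ACL_PERMIT_ANY)):
        acl = load(lines)
        print(f"split ACL {name}: pushes {[str(n) for n in split_tunnel_networks(acl)]}, "
              f"203.0.113.10 tunneled={is_tunneled(acl, '203.0.113.10')}")
```

Running it shows the posted NAT ACL sending 191.1.1.155 -> 100.100.100.1 to the permit line (translated), consistent with the zero hits on the deny line, while the adjusted list exempts it. For the split-tunnel side, `permit ip 191.1.1.0 0.0.0.255 any` pushes only 191.1.1.0/24, so Internet-bound traffic from behind the client stays out of the tunnel; `permit ip any any` pushes 0.0.0.0/0, a full tunnel, which is the same effect as having no split-tunnel ACL at all. Deny entries are not pushed, so the deny/permit-any pair the OP ended up with is effectively `permit ip any any`.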