Tunnel UP but can't ping inside

Buy or Renew

3986

Views

Helpful

Replies

Dear all,

I have configured VPN server and client with trat .doc

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

The tunnel between VPN server and client is UP , but I can't ping inside...

SERVER:

...
aaa new-model
!
!
aaa authentication login lokalne local
aaa authorization exec lokalne local
aaa authorization network lokalne local
!
...
ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name otto.local
ip name-server 191.1.1.100
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn xxx
!
!
username xxx xxx

!
!

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10
!
crypto isakmp client configuration group otto
key xxx
pool vpn
acl 110
crypto isakmp profile vi
    match identity group otto
    isakmp authorization list lokalne
    client configuration address respond
    virtual-template 1
!
!
crypto ipsec transform-set set esp-3des esp-sha-hmac
!
crypto ipsec profile vi
set transform-set set
set isakmp-profile vi
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN
bandwidth 3000
ip address 62.233.xx.xx 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
tunnel source FastEthernet4
tunnel mode ipsec ipv4
tunnel protection ipsec profile vi
!
interface Vlan1
description LAN
bandwidth 10000
ip address 191.1.1.155 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
router rip
network 100.0.0.0
network 191.1.0.0
no auto-summary
!
ip local pool vpn 172.168.0.80 172.168.0.90
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
...
!
ip nat inside source list 100 interface FastEthernet4 overload
ip nat inside source static tcp 191.1.1.100 3389 62.233.xx.xx 3389 extendable
ip route 0.0.0.0 0.0.0.0 62.233.xx.xx
!
access-list 100 permit ip 191.1.1.0 0.0.0.255 any
access-list 110 permit ip 191.1.1.0 0.0.0.255 any
no cdp run

CLIENT:

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp keepalive 10
!
!
!
crypto ipsec client ezvpn ez
connect auto
group otto key xx
mode client
peer 62.233.xx.xx
xauth userid mode interactive
...
interface Loopback0
ip address 172.168.0.90 255.255.255.0
...
interface FastEthernet4
description WAN
ip address dhcp
duplex auto
speed auto
crypto ipsec client ezvpn ez
!
interface Vlan1
description LAN
bandwidth 10000
ip address 100.100.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn ez inside
...
ip route 62.233.xx.0 255.255.255.0 dhcp

status of the tunnel:

#sh crypto session
Crypto session current status

Interface: FastEthernet4
Session status: UP-ACTIVE
Peer: 62.233.xx.xx port 4500
IKEv1 SA: local 100.100.0.59/4500 remote 62.233.xx.xx/4500 Active
IPSEC FLOW: permit ip 100.100.100.0/255.255.255.0 191.1.1.0/255.255.255.0
Active SAs: 2, origin: crypto map

but Can't ping inside:

#ping 191.1.1.155 source vlan1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 191.1.1.155, timeout is 2 seconds:
Packet sent with a source address of 100.100.100.1
.....
Success rate is 0 percent (0/5)