06-24-2004 03:49 AM - edited 02-21-2020 01:12 PM
I configured a 1721 router to act as an ADSL router that acted as an IOS firewall to only allow in SMTP to a mail server on the inside. The customer then required it to terminate a VPN client that would allow him to remote-desktop to his server. I wrote the additional configuration to allow a VPN client to connect, but it cannot ping the server. I have tried a few things like removing the previously written access-list 100 on the outside and the ip inspect command from the Ethernet interface, but I still cannot ping the server. The server has its default gateway set to the router. The configuration is listed below; please have a look and tell me if I am missing something.
hostname router
!
enable secret big-secret
enable password xxxx
username xxxx password xxxx
aaa new-model
!
!
aaa authentication login userlist local
aaa authorization network vpngroup local
aaa session-id common
ip subnet-zero
!
!
!
ip inspect name ethernetin cuseeme timeout 3600
ip inspect name ethernetin ftp timeout 3600
ip inspect name ethernetin h323 timeout 3600
ip inspect name ethernetin http timeout 3600
ip inspect name ethernetin rcmd timeout 3600
ip inspect name ethernetin realaudio timeout 3600
ip inspect name ethernetin smtp timeout 3600
ip inspect name ethernetin sqlnet timeout 3600
ip inspect name ethernetin streamworks timeout 3600
ip inspect name ethernetin tcp timeout 3600
ip inspect name ethernetin tftp timeout 30
ip inspect name ethernetin udp timeout 15
ip inspect name ethernetin vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local localpool
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group vpngroup
key 1bellshill2
pool localpool
acl 160
!
!
crypto ipsec transform-set motherwell esp-3des esp-sha-hmac
!
crypto dynamic-map motherwell 1
set transform-set motherwell
!
!
crypto map motherwell client authentication list userlist
crypto map motherwell isakmp authorization list vpngroup
crypto map motherwell client configuration address respond
crypto map motherwell 1 ipsec-isakmp dynamic motherwell
!
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode itu-dmt
!
interface FastEthernet0
ip address 192.168.0.222 255.255.255.0
ip nat inside
speed auto
!
interface Dialer0
ip address negotiated
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname secret-hostname
ppp chap password secret-password
crypto map motherwell
!
ip local pool localpool 172.16.1.1 172.16.1.100
ip nat translation timeout 180
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 25 aaa.bbb.ccc.ddd 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
!
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 permit tcp any host aaa.bbb.ccc.ddd eq smtp
access-list 100 permit udp any any eq isakmp
access-list 105 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 160 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map nonat permit 10
match ip address 105
!
Thanks in advance
Steve.
06-24-2004 04:20 PM
Could be a couple of things here.
Can you ping the router interface, 192.168.0.222, over the VPN? If so, but you can't ping 192.168.0.3, then follow this:
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml
Assume your router is Daphne and your client is the other router (Fred); the important bit is the loopback int and policy routing on Daphne.
If you can't even ping 192.168.0.222, then try adding "no ip route-cache" onto the dialer int. There have been bugs with some versions of code with fast switching and IPSec on logical interfaces; not sure what code you're running though.
You may also need to apply the crypto map to the ATM interface, as it was necessary up till recently to have the map applied to both the physical and logical int. Again I don't know what version you're running specifically.
06-25-2004 12:35 AM
Thanks Glen,
I can ping the 192.168.0.222 address from the VPN Client, but not any other inside address. If I remove the port mapping nat statement I can ping everything on the inside. My concern is that I can only have one or the other situation. It seems that the port mapping statement causes the ICMP packets to be disallowed.
Here is the output from a SHOW VER.
router#sh ver
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-K9O3SY7-M), Version 12.2(13)T1, RELEASE SOFTWARE
(fc1)
TAC Support: http://www.cisco.com/tac
Copyright (c) 1986-2003 by cisco Systems, Inc.
Compiled Fri 03-Jan-03 22:11 by ccai
Image text-base: 0x80008120, data-base: 0x80E0A954
ROM: System Bootstrap, Version 12.2(7r)XM1, RELEASE SOFTWARE (fc1)
M&D-router uptime is 2 days, 15 hours, 37 minutes
System returned to ROM by power-on
System image file is "flash:c1700-k9o3sy7-mz.122-13.T1.bin"
cisco 1721 (MPC860P) processor (revision 0x100) with 56231K/9305K bytes of memory.
Processor board ID FOC07110G12 (2672054554), with hardware revision 0000
MPC860P processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
1 ATM network interface(s)
1 Virtual Private Network (VPN) Module(s)
32K bytes of non-volatile configuration memory.
16384K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
I read through the article and I do not understand where the traffic diverted by the route-map goes to next. In my configuration the route-map statement is used to ensure that the packets destined for the address range of the localpool do not get NATted and therefore travel straight through to the pool. If I remove the port mapping statement, I can ping. If it is on, I can't.
Thanks so far,
Steve.
06-25-2004 07:43 AM
It may seem daft to reply to my own question, but I have resolved the issue. I thought that someone might be interested so here is the fix.
I changed the NAT lines from:
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 25 aaa.bbb.ccc.ddd 25 extendable
to:
ip nat inside source list 105 interface Dialer0 overload
ip nat inside source static tcp 192.168.0.3 25 aaa.bbb.ccc.ddd 25 extendable
and it all works fine.
Possibly a bug in the software, but it works and it is Friday.
Thanks for listening
Steve
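As an added illustration (this is not from Steve's or Glen's posts, and it is not IOS code), the following Python models how the router decides which inside-to-outside flows the working fix translates. `ip nat inside source list 105 ...` translates exactly the flows ACL 105 permits, ACL entries are evaluated first-match with an implicit deny at the end, and NAT runs before the crypto map on the outbound path, so a flow that gets translated can never match crypto ACL 160. The model covers `ip`-protocol entries with `any`, `host` and address/wildcard specs only (no ports), and the remote-client address 172.16.1.5 and the Internet host 203.0.113.9 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: str     # "any" or "<address> <wildcard>"
    dst: str


def _wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 0 bit in the wildcard must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wildcard = spec.split()
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec ('any', 'host X' or 'X wildcard') starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]} 0.0.0.0", i + 2
    return f"{tokens[i]} {tokens[i + 1]}", i + 2


def parse_extended_acl(lines: List[str]) -> List[AclEntry]:
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' lines (protocol 'ip' only, ports ignored)."""
    entries = []
    for line in lines:
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _take_addr(t, 4)
        dst, _ = _take_addr(t, i)
        entries.append(AclEntry(t[2], src, dst))
    return entries


def acl_permits(acl: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in acl:
        if _wildcard_match(e.src, src) and _wildcard_match(e.dst, dst):
            return e.action == "permit"
    return False


def nat_translates(nat_acl: List[AclEntry], src: str, dst: str) -> bool:
    """'ip nat inside source list <acl> interface Dialer0 overload' translates the flows the list permits."""
    return acl_permits(nat_acl, src, dst)


def classify(nat_acl: List[AclEntry], crypto_acl: List[AclEntry], src: str, dst: str) -> str:
    """Outbound order of operations on the router: NAT first, then the crypto map.

    Returns "nat" (translated to the Dialer0 address, so it cannot match the crypto ACL),
    "ipsec" (left untranslated and matched by the crypto ACL) or "clear" (neither)."""
    if nat_translates(nat_acl, src, dst):
        return "nat"
    if acl_permits(crypto_acl, src, dst):
        return "ipsec"
    return "clear"


# ACL 105 and 160 exactly as in the thread's configuration.
ACL_105 = parse_extended_acl([
    "access-list 105 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255",
    "access-list 105 permit ip 192.168.0.0 0.0.0.255 any",
])
ACL_160 = parse_extended_acl([
    "access-list 160 permit ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255",
])
# Constructed counter-example: the same two lines with the order swapped. The permit
# now shadows the deny, so traffic to the VPN pool gets NATted and never reaches IPsec.
ACL_105_MISORDERED = parse_extended_acl([
    "access-list 105 permit ip 192.168.0.0 0.0.0.255 any",
    "access-list 105 deny ip 192.168.0.0 0.0.0.255 172.16.1.0 0.0.0.255",
])

if __name__ == "__main__":
    for dst in ("172.16.1.5", "203.0.113.9"):  # constructed: a pool client and an Internet host
        print(f"192.168.0.3 -> {dst}: {classify(ACL_105, ACL_160, '192.168.0.3', dst)}")
    print("misordered ACL, pool-bound:", classify(ACL_105_MISORDERED, ACL_160, "192.168.0.3", "172.16.1.5"))
```

Run it as a script to see the server's replies to the VPN client classified as `ipsec` while its ordinary Internet traffic is `nat`; the misordered list shows why the deny for the pool range has to come first.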