12-05-2009 07:54 PM
I have a Cisco 877W (IOS version 12.4(15)T9) set up at an office which is used primarily for Internet access for the users. They have a requirement for remote workers to connect to resources sitting on the local LAN. I have configured the router so that they can connect using the Cisco VPN Client (version 5.0.06.0160). There is no issue connecting using the VPN client; I can ping the internal IP address of the router, but I have issues pinging other devices on the LAN. I have read many articles regarding similar issues in the forums and I believe that I have configured the router correctly. Any assistance or documents which may assist are truly appreciated.
The internal LAN sits on the 192.168.1.0/24 range and the IP pool created for the remote users sits on the 192.168.2.0/24 range. The IP address is allocated correctly when users connect, and all show commands to view the VPN connection do not show any issues to my knowledge.
I have included a copy of the router configuration. If you require further information let me know.
12-06-2009 09:37 PM
Check your ACL applied to crypto isakmp client.
Junaid,
12-06-2009 10:21 PM
Junaid,
Thanks for your feedback. The ACL applied to the crypto isakmp client (acl 108) looks fine to me?
access-list 108 remark ****** Split Tunnel Encrypted Traffic ******
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
I am allowing the internal LAN of 192.168.1.0 to the IP address which is allocated to the remote user from the IP pool created.
Regards,
Dilip
12-06-2009 09:41 PM
Hi,
Have you tried tracing the internal LAN IP from the remote PC? If not, can you do a trace to the internal LAN IPs from the remote PC once the connection is established? Also run a trace from the internal LAN to the external IP and check where the trace is getting blocked.
Regards
12-07-2009 07:09 AM
12-09-2009 05:50 AM
Hi,
I would suggest first disabling the Windows Firewall on the machines that you are trying to ping. Very often this is the reason for unsuccessful pings.
If this is the reason, you can enable the firewall again, but make an exception for ICMP packets.
Good Luck
Tihomir
12-20-2009 04:37 PM
Tihomir,
Thank you for your feedback. I currently have a NAS device which is sharing out a directory and I am not able to ping the NAS device. This does not have any form of firewall or security so I should be able to ping that?
Any other suggestions?
Regards,
Dilip
12-21-2009 11:06 PM
Hi Dilip,
Please try this:
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
Regards,
Tihomir
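An added example, not written by any poster in the thread: a small Python model of IOS extended ACL matching (wildcard masks, first match wins, implicit deny) run over the two versions of ACL 108 posted above. The host addresses 192.168.1.50 and 192.168.2.10 are constructed, and the model treats the ACL purely as a packet filter; it does not model how the VPN server uses the ACL for split tunnelling.

```python
import ipaddress

# ACL 108 exactly as posted in the thread (original entry, then the four-entry suggestion).
ACL_ORIGINAL = """
access-list 108 remark ****** Split Tunnel Encrypted Traffic ******
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""
ACL_SUGGESTED = """
access-list 108 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit icmp 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 108 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 108 permit icmp 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
"""

def _num(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC WILD DST WILD'; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        f = line.split()
        if len(f) == 8 and f[2] in ("permit", "deny"):
            entries.append((f[2], f[3], _num(f[4]), _num(f[5]), _num(f[6]), _num(f[7])))
    return entries

def wild_match(ip, base, wild):
    # A 1 bit in the wildcard mask means "don't care"; all other bits must be equal.
    return (_num(ip) ^ base) & ~wild & 0xFFFFFFFF == 0

def evaluate(entries, proto, src, dst):
    """Return (action, 1-based index of the first matching entry) or ('deny', None)."""
    for i, (action, p, sb, sw, db, dw) in enumerate(entries, 1):
        if p in ("ip", proto) and wild_match(src, sb, sw) and wild_match(dst, db, dw):
            return action, i
    return "deny", None  # implicit deny at the end of every ACL

def shadowed(entries, packets):
    """Entry numbers that are never the first match for any of the given packets."""
    hit = {evaluate(entries, *pkt)[1] for pkt in packets}
    return [i for i in range(1, len(entries) + 1) if i not in hit]

# Constructed test traffic: a LAN host and a VPN-pool client, both directions.
PACKETS = [("icmp", "192.168.1.50", "192.168.2.10"), ("icmp", "192.168.2.10", "192.168.1.50"),
           ("tcp", "192.168.1.50", "192.168.2.10"), ("tcp", "192.168.2.10", "192.168.1.50")]

if __name__ == "__main__":
    for name, acl in (("original", ACL_ORIGINAL), ("suggested", ACL_SUGGESTED)):
        entries = parse_acl(acl)
        for pkt in PACKETS:
            print(name, pkt, "->", evaluate(entries, *pkt))
        print(name, "entries never hit first:", shadowed(entries, PACKETS))
```

In this model a `permit ip` entry already matches ICMP, so an `icmp` entry placed after an `ip` entry with the same source and destination never becomes the first match.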