VPN - cannot ping hosts

Hi

For learning purposes I'm trying to establish a VPN connection from my remote PC to a C819 router. I'm using config from a popular Cisco tutorial website. I've managed to establish a connection, but I can't ping any host in the LAN or the remote PC from the inside. I guess something is wrong with my ACL but can't figure out what.

sh crypto isa sa:

IPv4 Crypto ISAKMP SA
dst src state conn-id status
X.X.X.X Y.Y.Y.Y QM_IDLE 2025 ACTIVE

sh crypto ipsec sa:

interface: Virtual-Access1
Crypto map tag: Virtual-Access1-head-0, local addr X.X.X.X

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.10.24/255.255.255.255/0/0)
current_peer Y.Y.Y.Y port 41992
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X, remote crypto endpt.: Y.Y.Y.Y
plaintext mtu 1438, path mtu 1500, ip mtu 1500, ip mtu idb Cellular0
current outbound spi: 0x9DEDCBCB(2649607115)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0xDEFDB9F5(3741170165)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 47, flow_id: Onboard VPN:47, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4330348/3308)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x9DEDCBCB(2649607115)
transform: esp-3des esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 48, flow_id: Onboard VPN:48, sibling_flags 80000040, crypto map: Virtual-Access1-head-0
sa timing: remaining key lifetime (k/sec): (4330348/3308)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE(ACTIVE)

outbound ah sas:

outbound pcp sas:

Below is my running-config:

version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname C819G
!
!
!
enable secret 9 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPNAUTH local
aaa authentication login sslvpn local
aaa authorization network VPNNET local
!
aaa session-id common
clock timezone GMT 1 0
!
ip dhcp excluded-address 172.16.0.1 172.16.0.100
!
ip dhcp pool LAN
import all
network 172.16.0.0 255.255.255.0
dns-server 1.1.1.1
default-router 172.16.0.1
lease infinite
!
ip domain name LTE
ip name-server 1.1.1.1
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
!
!
!
cts logging verbose
license udi pid C819G-4G-GA-K9 sn FCZ2130904E
!
!
vtp mode transparent
username poligon privilege 15 password 7 xxx
username vpn819 password 7 xxx
!
redundancy
!
!
!
!
!
controller Cellular 0
lte sim data-profile 1 attach-profile 1 slot 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPNGROUP
key xxx
domain LTE
pool VPNPOOL
acl 120
netmask 255.255.255.0
crypto isakmp profile ISAPROFILE
match identity group VPNGROUP
client authentication list VPNAUTH
isakmp authorization list VPNNET
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TRANSFORMSET esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPNPROFILE
set transform-set TRANSFORMSET
!
!
!
crypto dynamic-map DYNMAP 10
set transform-set TRANSFORMSET
reverse-route
!
!
crypto map CLIENTMAP client authentication list VPNAUTH
crypto map CLIENTMAP isakmp authorization list VPNNET
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP
!
!
!
!
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.255
!
interface Cellular0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation slip
ip tcp adjust-mss 1460
dialer in-band
dialer string lte
dialer-group 1
async mode interactive
crypto map CLIENTMAP
!
interface Cellular1
no ip address
encapsulation slip
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface GigabitEthernet0
no ip address
duplex auto
speed auto
!
interface Serial0
no ip address
shutdown
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip address 172.16.10.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPNPROFILE
!
interface Vlan1
ip address 172.16.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool VPNPOOL 172.16.10.20 172.16.10.29
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 100 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
ip ssh pubkey-chain
username poligon
!
dialer-list 1 protocol ip permit
ipv6 ioam timestamp
!
access-list 100 deny ip 172.16.0.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
access-list 120 permit ip 172.16.0.0 0.0.0.255 172.16.10.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
script dialer lte
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
script dialer lte
modem InOut
no exec
transport input all
rxspeed 100000000
txspeed 50000000
line 8
no exec
rxspeed 100000000
txspeed 50000000
line vty 0 4
privilege level 15
password 7 xxx
transport input ssh
!
scheduler allocate 20000 1000
ntp master 1
ntp server 194.146.251.100 prefer
ntp server 194.146.251.101
!
!
!
!
!
!
!
end

[Attached screenshots: VPN Client 2.jpg, VPN Client.jpg]

sh ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S* 0.0.0.0/0 is directly connected, Cellular0
X.0.0.0/32 is subnetted, 1 subnets
C X.X.X.X is directly connected, Cellular0
10.0.0.0/32 is subnetted, 1 subnets
C 10.10.10.10 is directly connected, Loopback0
172.16.0.0/16 is variably subnetted, 3 subnets, 2 masks
C 172.16.0.0/24 is directly connected, Vlan1
L 172.16.0.1/32 is directly connected, Vlan1
S 172.16.10.24/32 is directly connected, Virtual-Access1
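A small triage script, added here and not part of the original post, that runs the two checks this question raises offline: it parses the packet counters from the show crypto ipsec sa output, and evaluates access-list 100 (NAT exemption) and access-list 120 (split tunnel) against the VPNPOOL range with Cisco first-match semantics. The excerpts embedded in it are copied from the post above; 172.16.0.10 is an assumed LAN host address.

```python
import ipaddress
import re
# Excerpts copied from the post above (constructed sample input, not live device output).
IPSEC_SA = """\
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
Status: ACTIVE(ACTIVE)
"""
CONFIG = """\
ip local pool VPNPOOL 172.16.10.20 172.16.10.29
access-list 100 deny ip 172.16.0.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 100 permit ip 172.16.0.0 0.0.0.255 any
access-list 120 permit ip 172.16.0.0 0.0.0.255 172.16.10.0 0.0.0.255
"""
ACL_RE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+) (\S+) (\S+)(?: (\S+))?")

def sa_counters(text):
    """Return (status, encaps, decaps) parsed from 'show crypto ipsec sa' output."""
    enc = int(re.search(r"#pkts encaps: (\d+)", text).group(1))
    dec = int(re.search(r"#pkts decaps: (\d+)", text).group(1))
    return re.search(r"Status: (\w+)", text).group(1), enc, dec

def wildcard_to_net(addr, wildcard):
    """Cisco address/wildcard pair -> ip_network (contiguous wildcards only)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def acl_entries(text, number):
    """Ordered (action, src_net, dst_net) for each 'ip' line of numbered ACL `number`."""
    out = []
    for m in ACL_RE.finditer(text):
        if m.group(1) == number:
            dst = (ipaddress.ip_network("0.0.0.0/0") if m.group(5) == "any"
                   else wildcard_to_net(m.group(5), m.group(6)))
            out.append((m.group(2), wildcard_to_net(m.group(3), m.group(4)), dst))
    return out

def first_match(entries, src_ip, dst_ip):
    """Cisco first-match evaluation, ending in the implicit deny of every ACL."""
    for action, src, dst in entries:
        if src_ip in src and dst_ip in dst:
            return action
    return "deny"

def pool_action(config, acl, lan_host):
    """Action `acl` takes for lan_host -> first and last address of the local pool."""
    first, last = re.search(r"ip local pool \S+ (\S+) (\S+)", config).groups()
    entries, lan = acl_entries(config, acl), ipaddress.ip_address(lan_host)
    return {a: first_match(entries, lan, ipaddress.ip_address(a)) for a in (first, last)}
```

sa_counters(IPSEC_SA) returns ('ACTIVE', 0, 0) for the output above, i.e. an established SA that has carried no traffic in either direction; pool_action(CONFIG, "100", "172.16.0.10") and pool_action(CONFIG, "120", "172.16.0.10") report "deny" and "permit" respectively for both ends of the pool, so for this config the NAT-exemption and split-tunnel entries do cover the pool.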
