cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6371
Views
0
Helpful
27
Replies

VPN client able to connect but unable to ping router

michaelchandra
Beginner
Beginner

Hi, I'm new to cisco and I'm trying to make my own vpn. I've created the VPN using SDM because I'm not familiar with the Cisco IOS so I thought it'll be easier. When I'm trying to connect to my VPN, i was able to connect but I can't ping the router. I've done googling all day but I can't find the answer.

Below is my configuration :

Building configuration...

Current configuration : 5784 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname michael

!

boot-start-marker

boot-end-marker

!

memory-size iomem 5

no logging console

enable secret 5

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

ip subnet-zero

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1

!

ip dhcp pool michael

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 202.134.0.155

!

ip dhcp pool excluded-address

   host 192.168.1.4 255.255.255.0

   hardware-address 01c8.d719.957a.b9

!

!

ip cef

ip name-server 202.134.0.155

ip name-server 203.130.193.74

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW dns

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW https

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW imap

ip inspect name SDM_LOW pop3

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW esmtp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

vpdn enable

!

!

!

!

username michael privilege 15 secret 5

username danny privilege 10 secret 5

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp xauth timeout 15

!

crypto isakmp client configuration group michaelvpn

key vpnpassword

pool SDM_POOL_1

netmask 255.255.255.0

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set transform-set ESP-3DES-SHA

reverse-route

!

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

!

!

interface Ethernet0

description $FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

ip access-group 100 in

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface Ethernet2

no ip address

shutdown

hold-queue 100 out

!

interface ATM0

no ip address

no atm ilmi-keepalive

dsl operating-mode auto

pvc 0/35

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet1

duplex auto

speed auto

!

interface FastEthernet2

duplex auto

speed auto

!

interface FastEthernet3

duplex auto

speed auto

!

interface FastEthernet4

duplex auto

speed auto

!

interface Virtual-PPP1

no ip address

!

interface Dialer1

description $FW_OUTSIDE$

mtu 1492

ip address negotiated

ip access-group 101 in

ip nat outside

ip inspect SDM_LOW out

ip virtual-reassembly

encapsulation ppp

dialer pool 1

ppp chap hostname ispusername

ppp chap password 0 xxxxxxxxxx

ppp pap sent-username ispusername password 0 xxxxxxx

crypto map SDM_CMAP_1

!

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.5

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

no ip http secure-server

!

ip nat inside source static tcp 192.168.1.4 21 interface Dialer1 21

ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload

!

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 192.0.0.0 0.255.255.255

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 permit ip host 192.168.2.1 any

access-list 101 permit ip host 192.168.2.2 any

access-list 101 permit ip host 192.168.2.3 any

access-list 101 permit ip host 192.168.2.4 any

access-list 101 permit ip host 192.168.2.5 any

access-list 101 permit udp any any eq non500-isakmp

access-list 101 permit udp any any eq isakmp

access-list 101 permit esp any any

access-list 101 permit ahp any any

access-list 101 permit tcp any any eq ftp

access-list 101 permit udp host 203.130.193.74 eq domain any

access-list 101 permit udp host 202.134.0.155 eq domain any

access-list 101 deny   ip 192.168.1.0 0.0.0.255 any

access-list 101 permit icmp any any echo-reply

access-list 101 permit icmp any any time-exceeded

access-list 101 permit icmp any any unreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   ip any any log

access-list 102 remark SDM_ACL Category=2

access-list 102 deny   ip any host 192.168.2.1

access-list 102 deny   ip any host 192.168.2.2

access-list 102 deny   ip any host 192.168.2.3

access-list 102 deny   ip any host 192.168.2.4

access-list 102 deny   ip any host 192.168.2.5

access-list 102 permit ip 192.0.0.0 0.255.255.255 any

route-map SDM_RMAP_1 permit 1

match ip address 102

!

!

control-plane

!

banner motd ^C

Authorized Access Only

UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED

You must have explicit permission to access this device.

All activities performed on this device are logged.

Any violations of access policy will result in disciplinary action.

^C

!

line con 0

no modem enable

line aux 0

line vty 0 4

!

scheduler max-task-time 5000

end

Here is the client log :

1      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    172.20.10.0

    Netmask    255.255.255.240

    Gateway    192.168.2.2

    Interface    192.168.2.1

2      18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: ac140a00, Netmask: fffffff0, Interface: c0a80201, Gateway: c0a80202.

3      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    172.20.10.6

    Netmask    255.255.255.255

    Gateway    192.168.2.2

    Interface    192.168.2.1

4      18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: ac140a06, Netmask: ffffffff, Interface: c0a80201, Gateway: c0a80202.

5      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.81.0

    Netmask    255.255.255.0

    Gateway    192.168.2.2

    Interface    192.168.2.1

6      18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a85100, Netmask: ffffff00, Interface: c0a80201, Gateway: c0a80202.

7      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.0

    Netmask    255.255.255.0

    Gateway    192.168.2.2

    Interface    192.168.2.1

8      18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ff00, Netmask: ffffff00, Interface: c0a80201, Gateway: c0a80202.

9      18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.1

    Netmask    255.255.255.255

    Gateway    192.168.2.2

    Interface    192.168.2.1

10     18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ff01, Netmask: ffffffff, Interface: c0a80201, Gateway: c0a80202.

11     18:17:44.729  02/27/13  Sev=Warning/2    CVPND/0xE3400013

AddRoute failed to add a route with metric of 0: code 160

    Destination    192.168.255.255

    Netmask    255.255.255.255

    Gateway    192.168.2.2

    Interface    192.168.2.1

12     18:17:44.729  02/27/13  Sev=Warning/2    CM/0xA3100024

Unable to add route. Network: c0a8ffff, Netmask: ffffffff, Interface: c0a80201, Gateway: c0a80202.

Thank you

27 Replies 27

Is your router interface where the ip 192.168.1.1 is UP ?

Per sistance router not showing is OK .No issue here .

For the ACl 199 you are getting the below Route

192.168.1.0    255.255.255.0      192.168.2.1      192.168.2.4    100

1> Remove this ip inspect SDM_LOW out from your router dialer interface

2> no access-list102

access-list 102 remark SDM_ACL Category=2

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

Ping and trace the router Ip and see whats happening

Thank you for the response. I'm sure that my interface is up because I can ping the router interface inside the network. I've try to remove ip inspect and access list but it still showing request time out. But at some point I can ping my router. This made me confuse because some time I can ping the router and some time I can't. My 837 router is connected to linksys router which act as wifi router. I really appreciate your help. Thank you.

I try to trace route the router but what I get is only * * *. Is there something to do with the DNS server ? Because my VPN adapter seems to have strange DNS. Here is my adapter configuration :

Windows IP Configuration

   Host Name . . . . . . . . . . . . : Michael-Desktop

   Primary Dns Suffix  . . . . . . . :

   Node Type . . . . . . . . . . . . : Mixed

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No

Wireless LAN adapter Wireless Network Connection 4:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft Virtual WiFi Miniport Adapter #

3

   Physical Address. . . . . . . . . : D8-5D-4C-8F-54-EF

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection 3:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Cisco Systems VPN Adapter

   Physical Address. . . . . . . . . : 00-05-9A-3C-78-00

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

   Link-local IPv6 Address . . . . . : fe80::dd76:cfba:967:3822%43(Preferred)

   IPv4 Address. . . . . . . . . . . : 192.168.2.3(Preferred)

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . :

   DHCPv6 IAID . . . . . . . . . . . : 1006634394

   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-B5-99-1B-1C-6F-65-89-41-28

   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1

                                       fec0:0:0:ffff::2%1

                                       fec0:0:0:ffff::3%1

   NetBIOS over Tcpip. . . . . . . . : Enabled

Wireless LAN adapter Wireless Network Connection:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : 802.11 USB Wireless LAN Card

   Physical Address. . . . . . . . . : D8-5D-4C-8F-54-EE

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

   Link-local IPv6 Address . . . . . : fe80::2038:b3eb:414d:b2cf%34(Preferred)

   IPv4 Address. . . . . . . . . . . : 172.20.10.3(Preferred)

   Subnet Mask . . . . . . . . . . . : 255.255.255.240

   Lease Obtained. . . . . . . . . . : 01 Maret 2013 17:00:17

   Lease Expires . . . . . . . . . . : 02 Maret 2013 16:45:52

   Default Gateway . . . . . . . . . : 172.20.10.1

   DHCP Server . . . . . . . . . . . : 172.20.10.1

   DHCPv6 IAID . . . . . . . . . . . : 366501196

   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-14-B5-99-1B-1C-6F-65-89-41-28

   DNS Servers . . . . . . . . . . . : 202.152.165.39

                                       202.155.0.10

   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Tunngle:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : TAP-Win32 Adapter V9 (Tunngle)

   Physical Address. . . . . . . . . : 00-FF-C7-D9-93-69

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Bluetooth Network Connection 3:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Bluetooth Device (Personal Area Network)

#3

   Physical Address. . . . . . . . . : 00-11-B1-07-A3-D3

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

Ethernet adapter Local Area Connection:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller

   Physical Address. . . . . . . . . : 1C-6F-65-89-41-28

   DHCP Enabled. . . . . . . . . . . : Yes

   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter isatap.{680E748D-EEC7-40FE-A882-09F0240F8824}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #4

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Tunnel adapter Teredo Tunneling Pseudo-Interface:

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

   IPv6 Address. . . . . . . . . . . : 2001:0:9d38:6ab8:38ef:3278:8757:fe6d(Pref

erred)

   Link-local IPv6 Address . . . . . : fe80::38ef:3278:8757:fe6d%33(Preferred)

   Default Gateway . . . . . . . . . : ::

   NetBIOS over Tcpip. . . . . . . . : Disabled

Tunnel adapter isatap.{FB13218B-34DF-459E-8BCE-A992E4D479EA}:

   Media State . . . . . . . . . . . : Media disconnected

   Connection-specific DNS Suffix  . :

   Description . . . . . . . . . . . : Microsoft ISATAP Adapter #7

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0

   DHCP Enabled. . . . . . . . . . . : No

   Autoconfiguration Enabled . . . . : Yes

Thank you.

Please Temp Remove Inspection from your Router and then check.

Jawad