09-15-2016 04:33 AM
Ladies and gentlemen,
I am fully aware that this topic has been discussed several times, but I do not find the error in my config.
I have a 1941, configured an IPSEC VPN access and would like to have access to the hosts on the inside LAN. NAT is working perfectly fine as I can browse the internet through the VPN tunnel. The one thing missing is there's no access to the hosts on the inside LAN.
Please advise what to do...
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 1941
!
boot-start-marker
boot system flash0:c1900-universalk9-mz.SPA.152-4.M1.bin
boot-end-marker
!
!
enable secret 4 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login clientauth local
aaa authorization network groupauth local
!
aaa session-id common
clock timezone CET 2 0
clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
ip dhcp excluded-address 192.168.178.60 192.168.178.254
!
ip dhcp pool Mowgli_LAN
 host 192.168.178.2 255.255.255.0
 client-identifier xxx
 client-name Mowgli
 default-router 192.168.178.254
 dns-server 192.168.178.254
 lease infinite
!
ip dhcp pool Mowgli_WLAN
 host 192.168.178.5 255.255.255.0
 client-identifier xxx
 client-name Mowgli
 default-router 192.168.178.254
 dns-server 192.168.178.254
 lease infinite
!
ip dhcp pool Macbook
 host 192.168.178.3 255.255.255.0
 client-identifier xxx
 client-name Mowgli
 default-router 192.168.178.254
 dns-server 192.168.178.254
 lease infinite
!
ip dhcp pool Macbook_WLAN
 host 192.168.178.4 255.255.255.0
 client-identifier xxx
 client-name Macbook_WLAN
 default-router 192.168.178.254
 dns-server 192.168.178.254
 lease infinite
!
ip domain name james.brown
ip name-server 194.25.0.60
ip name-server 194.25.0.52
ip ddns update method gioia
 HTTP
  add http://xxx:yyy@members.dyndns.org/nic/update?system=dyndns&hostname=gioia.dyndns.org&myip=<a>
  remove http://xxx:yyy@members.dyndns.org/nic/update?system=dyndns&hostname=gioia.dyndns.org&myip=<a>
!
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-2100661747
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2100661747
 revocation-check none
 rsakeypair TP-self-signed-2100661747
!
!
crypto pki certificate chain TP-self-signed-2100661747
 certificate self-signed 01
  ! (self-signed certificate hex body omitted)
  quit
!
!
username admin privilege 15 secret 4 yxyx
username vpntest password 0 5678
username vpngroup password 0 1234
!
redundancy
!
controller Cellular 0/0
!
no ip ftp passive
ip ssh version 2
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key Pass4VPNGroup
 dns 192.168.178.254
 domain vpn.123.local
 pool vpnpool
 save-password
 max-users 10
 banner ^C Welcome to The Jungle^C
crypto isakmp profile VPNclient
 description VPN Client Profil
 match identity group vpngroup
 client authentication list clientauth
 isakmp authorization list groupauth
 client configuration address respond
 virtual-template 2
!
!
crypto ipsec transform-set myset esp-aes esp-sha-hmac
!
!
crypto ipsec profile vpn-vti2
 set transform-set myset
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-WAN$
 no ip address
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 no ip address
!
interface GigabitEthernet0/1/1
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface Cellular0/0/0
 no ip address
 encapsulation slip
!
interface Cellular0/0/1
 no ip address
 encapsulation slip
!
interface Virtual-Template1
 ip unnumbered Dialer1
!
interface Virtual-Template2 type tunnel
 description IPsec VPN Dialin
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile vpn-vti2
!
interface Vlan1
 description LAN
 ip address 192.168.178.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 no ip address
!
interface Dialer1
 ip ddns update hostname gioia.dyndns.org
 ip ddns update gioia
 ip address negotiated
 no ip proxy-arp
 ip mtu 1452
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 ip tcp adjust-mss 1452
 load-interval 30
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname xxx@yyy
 ppp chap password 0 top_secret
 no cdp enable
!
ip local pool vpnpool 192.168.178.190 192.168.178.198
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 1 permit 192.168.178.0 0.0.0.255
access-list 1 remark
dialer-list 1 protocol ip permit
!
!
snmp-server community public RO
snmp-server enable traps entity-sensor threshold
!
!
!
control-plane
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 0/0/0
 exec-timeout 0 0
 no exec
line 0/0/1
 no exec
line vty 0 4
 transport input ssh
!
scheduler allocate 20000 1000
ntp master
ntp server de.pool.ntp.org
!
09-15-2016 04:54 AM
What is the source of the remote end subnet?
You need to add a deny in the access-list 1 for your local LAN to remote LAN traffic at the first seq.
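The reply above says to put a deny for LAN-to-VPN traffic ahead of the permit in the NAT list. As an added example (not from the thread), this Python checker evaluates which flows a NAT ACL selects for translation, first against a constructed excerpt of the posted config and then against a hypothetical extended-ACL rewrite; NAT-OUT is an assumed ACL name and the wildcards for the .190-.198 pool are my own.

```python
import ipaddress
import re

# Constructed excerpt of the NAT-relevant lines from the posted 1941 config.
POSTED = """\
ip local pool vpnpool 192.168.178.190 192.168.178.198
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.178.0 0.0.0.255
"""
# Hypothetical rewrite (not from the thread): deny LAN <-> pool (.190/31 + .192/29) before the permit.
FIXED = """\
ip local pool vpnpool 192.168.178.190 192.168.178.198
ip nat inside source list NAT-OUT interface Dialer1 overload
ip access-list extended NAT-OUT
 deny ip 192.168.178.0 0.0.0.255 192.168.178.190 0.0.0.1
 deny ip 192.168.178.0 0.0.0.255 192.168.178.192 0.0.0.7
 permit ip 192.168.178.0 0.0.0.255 any
"""
ANY = ipaddress.ip_network("0.0.0.0/0")
def _take_net(tokens):
    """Consume one IOS address spec (any | A WILDCARD); the wildcard is parsed as a hostmask."""
    addr = tokens.pop(0)
    if addr == "any":
        return ANY
    wildcard = tokens.pop(0)
    if wildcard == "0.0.0.0":  # ipaddress would read 0.0.0.0 as a /0 netmask, not a single host
        return ipaddress.ip_network(addr + "/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def nat_acl_entries(config):
    """Entries (action, src_net, dst_net) of the ACL named in 'ip nat inside source list'."""
    acl = re.search(r"^ip nat inside source list (\S+)", config, re.M).group(1)
    entries, in_block = [], False
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "access-list"]:
            in_block = tok[-1] == acl  # a named/extended ACL block follows
        elif in_block and len(tok) > 2 and tok[0] in ("permit", "deny") and tok[1] == "ip":
            rest = tok[2:]
            entries.append((tok[0], _take_net(rest), _take_net(rest)))  # source, then destination
        elif tok[:2] == ["access-list", acl] and tok[2:3] in (["permit"], ["deny"]):
            entries.append((tok[2], _take_net(tok[3:]), ANY))  # standard ACL matches source only
    return entries

def selected_for_nat(config, src, dst):
    """True if the NAT ACL's first matching entry permits src -> dst, i.e. the flow gets translated."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in nat_acl_entries(config):
        if src in s and dst in d:
            return action == "permit"
    return False  # no match: the flow is left untranslated
```

With the posted list 1, a LAN host talking to any pool address is selected for translation, while the rewrite leaves those flows alone and still translates Internet-bound traffic from both the LAN and the VPN clients. Separately, the pool sits inside Vlan1's own /24, so LAN hosts ARP for pool addresses directly and the router only answers on the clients' behalf if proxy ARP is enabled there (Vlan1 carries no ip proxy-arp in the posted config), which is worth checking alongside the NAT list.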
09-15-2016 05:32 AM
Thanks for the answer but I seem to be a little slow today...
Could you please explain...??
Thanks!
09-15-2016 05:40 AM
Can you give me the source subnet from where you are pinging and the destination as well?
09-15-2016 09:32 PM
Good morning,
the source subnet (the subnet the VPN clients are located in) is the very same as the destination subnet (192.168.178.0/24).
What I just found out is quite confusing. I can ping exactly one host in the network: a Gigaset VoIP phone. The Cisco phones, Servers, Windows and Linux clients I can't ping...
Best regards,
Joerg
09-18-2016 07:35 AM
It's getting more strange...
Now the VoIP phone is not pingable any more, but another device (a PoE midspan) is.
All other hosts are still not responsive...
Is there no one who can give me a hint?
Regards,
Joerg