VPN clients connect to CISCO 887 VPN Server but they stop at router!!

nunziofalcone
Level 1

Hi

my scenario is as follows

SERVER1 on LAN (192.168.5.2/24)
|
|
CISCO-887 (192.168.5.4) with VPN server
|
|
INTERNET
|
|
VPN Cisco client on XP machine

My connection has a public IP address assigned by the ISP after PPP login.

I've just configured (with Cisco Configuration Professional) the ADSL connection and the VPN server (Easy VPN).

All the PCs on the LAN surf the Internet and remote PCs connect to the Cisco VPN server via the Cisco VPN client.

But after connecting to the Cisco VPN server, none of the remote PCs can ping SERVER1 on the LAN, and therefore they don't see SERVER1 or any other resource on the LAN.

They can ping only the router!!!

They are configured with the Cisco VPN client (V5.0.007) with "Enable Transparent Tunneling" and "IPSec over UDP (NAT/PAT)".

What is wrong in my attached configuration? (I've also tried to bind Virtual-Template1 both to unnumbered Dialer0 and to Loopback0, but without luck.)

Perhaps an ACL problem?

Building configuration...

Current configuration : 5019 bytes
!
! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname gate
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-453216506
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-453216506
revocation-check none
rsakeypair TP-self-signed-453216506
!
!
crypto pki certificate chain TP-self-signed-453216506
certificate self-signed 01
  ***** ******* ***** *******
  ***** ******* ***** *******
        quit
!
!
!
ip name-server 212.216.112.222
ip cef
no ipv6 cef
!
!
password encryption aes
license udi pid CISCO887VA-K9 sn ********
!
!
username adm privilege 15 secret 5 *****************
username user1 secret 5 ******************
!
!
controller VDSL 0
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EXTERNALS
key 6 *********\*******
dns 192.168.5.2
wins 192.168.5.2
domain domain.local
pool SDM_POOL_1
save-password
crypto isakmp profile ciscocp-ike-profile-1
   match identity group EXTERNALS
   client authentication list ciscocp_vpn_xauth_ml_2
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
!
!
interface Loopback0
ip address 10.10.10.10 255.255.255.0
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
pvc 8/35
  encapsulation aal5snap
  protocol ppp dialer
  dialer pool-member 1
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
ip address 192.168.5.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******@*******.****
ppp chap password 0 alicenewag
ppp pap sent-username ******@*******.**** password 0 *********
!
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
line con 0
line aux 0
line vty 0 4
transport input all
!
end

2 Replies

olpeleri
Cisco Employee

Hello,

Your pool of VPN addresses is overlapping with interface Vlan1.

Since proxy-arp is disabled on that interface, it will never work.

2 solutions:

1- Pool uses a different network than 192.168.5

2- Enable ip proxy-arp on interface Vlan1

Cheers,

Olivier
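As an added example (not from this thread and not a Cisco tool), the condition Olivier describes written as a small Python audit over a running-config: it finds any `ip local pool` whose range lands inside an interface's connected subnet and reports whether `no ip proxy-arp` on that interface leaves LAN hosts with nobody answering ARP for the client addresses. The configuration excerpt is constructed from the poster's addresses; the helper names (`parse_config`, `overlapping_interfaces`, `audit`, `lan_reachable`) are my own, and the parser assumes the standard `show running-config` layout in which interface sub-commands are indented by one space.

```python
"""Audit an IOS running-config for an Easy VPN client pool that overlaps a
connected LAN subnet, and check whether proxy-ARP on that interface would
rescue it (the situation diagnosed in the answer above).

Added example, not the poster's configuration and not a Cisco utility.
Assumes 'show running-config' layout: interface sub-commands indented by one space.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt modelled on the posted configuration: only the interface
# addresses, the proxy-arp setting and the client pool matter for this check.
SAMPLE_CONFIG = """\
interface Loopback0
 ip address 10.10.10.10 255.255.255.0
!
interface Vlan1
 ip address 192.168.5.4 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
!
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
"""


@dataclass
class Interface:
    name: str
    network: Optional[ipaddress.IPv4Network] = None
    proxy_arp: bool = True  # IOS default; only "no ip proxy-arp" turns it off


def parse_config(text):
    """Return ({name: Interface}, {pool_name: (first, last)}) from config text."""
    interfaces, pools, current = {}, {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith("interface "):
            current = Interface(name=raw.split(None, 1)[1].strip())
            interfaces[current.name] = current
            continue
        if not raw.startswith(" "):  # any other top-level command ends the block
            current = None
        cmd = raw.strip()
        if current is not None:
            m = re.fullmatch(r"ip address (\S+) (\S+)", cmd)
            if m:  # "ip address negotiated" has one argument and is skipped
                current.network = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}").network
            elif cmd == "no ip proxy-arp":
                current.proxy_arp = False
            continue
        m = re.fullmatch(r"ip local pool (\S+) (\S+) (\S+)", cmd)
        if m:
            pools[m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
    return interfaces, pools


def overlapping_interfaces(text):
    """Yield (pool_name, Interface) for every pool that has an address inside
    an interface's connected subnet (full or partial overlap)."""
    interfaces, pools = parse_config(text)
    for pname, (first, last) in pools.items():
        for iface in interfaces.values():
            if iface.network and (first in iface.network or last in iface.network):
                yield pname, iface


def audit(text):
    """Return human-readable findings; an empty list means no pool overlaps a LAN."""
    findings = []
    for pname, iface in overlapping_interfaces(text):
        if iface.proxy_arp:
            findings.append(f"{pname} overlaps {iface.name} ({iface.network}); "
                            f"proxy-arp is on, so the router answers ARP for clients")
        else:
            findings.append(f"{pname} overlaps {iface.name} ({iface.network}) and "
                            f"'no ip proxy-arp' is set: LAN hosts ARP for client "
                            f"addresses and get no reply")
    return findings


def lan_reachable(text):
    """True when VPN clients can reach LAN hosts: either no pool overlaps a
    connected subnet (LAN hosts then send replies to the router as their
    default gateway, which is assumed here) or every overlapped interface
    still has proxy-arp enabled."""
    return all(iface.proxy_arp for _, iface in overlapping_interfaces(text))


# The two fixes from the answer, applied to the constructed excerpt.
FIX_NEW_POOL = SAMPLE_CONFIG.replace("192.168.5.20 192.168.5.50", "192.168.6.20 192.168.6.50")
FIX_PROXY_ARP = SAMPLE_CONFIG.replace(" no ip proxy-arp\n", "")

if __name__ == "__main__":
    for label, cfg in [("as posted", SAMPLE_CONFIG), ("new pool", FIX_NEW_POOL),
                       ("proxy-arp", FIX_PROXY_ARP)]:
        print(f"{label}: reachable={lan_reachable(cfg)} {audit(cfg)}")
```

Running it prints the posted excerpt as unreachable and both fixes as reachable; the "new pool" fix clears the finding entirely, while the "proxy-arp" fix keeps the overlap but makes it workable. The "new pool" variant only helps when the LAN hosts use the router as their default gateway, which is why the check documents that assumption rather than testing it.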

Saved me, my man! Stumbled onto this article by mistake! For me it was the "Enable ip proxy-arp on interface vlan1".
Now I'm looking at making a split tunnel :) I think it's just an access list applied to the isakmp group....