VPN Clients gets connected, I can ping from the client's PC to the router and LAN behind it but not the other way around

ecfranco77
Level 1

Hello guys, I have a Cisco 881-k9 router with IOS 15.1(4)M4 at my office.

I already configured the VPN tunnel and it is working fine with Cisco VPN Client Version 5.0.07.0440. When I say that it is working fine, it is because the connection gets established without any problem; but, at the beginning, I could only ping from the client's computer to the router, not to any computer in the network behind it, and when I tried to ping from the router to the client's PC, the ping didn't go through.

I disabled the Windows firewall on the computers behind the router and I started to ping all of them... but I still can't do it from the router, or from any other computer behind it, to the client's computer. I think that I am not routing the interesting traffic through the tunnel; it might be an ACL problem, but I still can't figure it out.

Please, help me with this issue.

Frank.

____________________________________________________________________________________________________________

Cisco IOS Software, C880 Software (C880DATA-UNIVERSALK9-M), Version 15.1(4)M4, RELEASE SOFTWARE (fc1)

Cisco Systems VPN Client Version 5.0.07.0440

________________________________________________________________________________

EJTL-ROUTER#sh run
Building configuration...

Current configuration : 5754 bytes
!
! Last configuration change at 22:48:26 UTC Sun Dec 18 2016 by doppler
! NVRAM config last updated at 19:24:00 UTC Sun Dec 18 2016 by doppler
! NVRAM config last updated at 19:24:00 UTC Sun Dec 18 2016 by doppler
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EJTL-ROUTER
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login AUTH-LOGIN local
aaa authorization console
aaa authorization exec AUTH-EXEC local if-authenticated
aaa authorization network AUTHOR local
!
!
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1040526994
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1040526994
revocation-check none
rsakeypair TP-self-signed-1040526994
!
!
crypto pki certificate chain TP-self-signed-1040526994
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030 
2BAD3398 A3FB2676 5C99C0AF 0A0425
quit
ip source-route
!
!
ip dhcp excluded-address 172.16.10.1 172.16.10.100
!
ip dhcp pool EJTRADE-MIA
network 172.16.10.0 255.255.255.0
default-router 172.16.10.1
dns-server 172.16.10.1 8.8.8.8
!
!
ip cef
no ip domain lookup
ip domain name ejtradelogistics.com
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FGL165225SU
!
!
username doppler privilege 15 secret 4 yb.kittZ3iteEYg/PfzlqFiIGhjkzhp2FBkdAhpvJrE
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp keepalive 10 3
crypto isakmp xauth timeout 5

!
crypto isakmp client configuration group EZVPN_GROUP
key ejtrade
dns 172.16.10.1 8.8.8.8
domain ejtradelogistics.com
pool EZVPN_POOL
acl EZVPN_ST_ACL
pfs
netmask 255.255.255.0
crypto isakmp profile EZVPN_ISAKMP_PROFILE
self-identity address
match identity group EZVPN_GROUP
client authentication list AUTH-LOGIN
isakmp authorization list AUTHOR
client configuration address respond
keepalive 10 retry 3
!
!
crypto ipsec transform-set ESP_AES256_SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map EZVPN_MAP 10
set security-association lifetime kilobytes 1024000
set security-association lifetime seconds 28800
set transform-set ESP_AES256_SHA
set pfs group2
set isakmp-profile EZVPN_ISAKMP_PROFILE
reverse-route
!
!
crypto map VPN_MAP 65000 ipsec-isakmp dynamic EZVPN_MAP
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 96.XXX.XXX.113 255.255.255.248
ip nat enable
duplex auto
speed auto
crypto map VPN_MAP
!
interface Vlan1
ip address 172.16.10.1 255.255.255.0
ip nat enable
!
ip local pool EZVPN_POOL 192.168.100.10 192.168.100.20
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat source list EZVPN_ST_ACL interface FastEthernet4 overload
ip nat source static tcp 172.16.10.70 3389 96.XXX.XXX.113 3390 extendable
ip route 0.0.0.0 0.0.0.0 96.XXX.XXX.113
!
ip access-list extended EZVPN_ST_ACL
permit ip 172.16.10.0 0.0.0.255 any
!
!
line con 0
exec-timeout 0 0
privilege level 15
authorization exec AUTH-EXEC
logging synchronous
login authentication AUTH-LOGIN
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
authorization exec AUTH-EXEC
logging synchronous
transport input ssh
!
end

___________________________________________________________________

EJTL-ROUTER#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override

Gateway of last resort is 96.XXX.XXX.113 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 96.XXX.XXX.113
96.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 96.XXX.XXX.112/29 is directly connected, FastEthernet4
L 96.XXX.XXX.113/32 is directly connected, FastEthernet4
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.10.0/24 is directly connected, Vlan1
L 172.16.10.1/32 is directly connected, Vlan1
192.168.100.0/32 is subnetted, 1 subnets
S 192.168.100.14 [1/0] via 108.XXX.XXX.12

__________________________________________________________________________


EJTL-ROUTER#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
96.XXX.XXX.113 108.XXX.XXX.12 QM_IDLE 2005 ACTIVE

IPv6 Crypto ISAKMP SA

_________________________________________________________________________

EJTL-ROUTER#sh crypto ipsec sa

interface: FastEthernet4
Crypto map tag: VPN_MAP, local addr 96.XXX.XXX.113

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.100.14/255.255.255.255/0/0)
current_peer 108.XXX.XXX.12 port 58696
PERMIT, flags={}
#pkts encaps: 2916, #pkts encrypt: 2916, #pkts digest: 2916
#pkts decaps: 3606, #pkts decrypt: 3606, #pkts verify: 3606
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: 96.XXX.XXX.113, remote crypto endpt.: 108.XXX.XXX.12
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x9ABB48C6(2595965126)
PFS (Y/N): Y, DH group: group2

inbound esp sas:
spi: 0x3719D2F6(924439286)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 9, flow_id: Onboard VPN:9, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (972787/17261)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0x9ABB48C6(2595965126)
transform: esp-256-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 10, flow_id: Onboard VPN:10, sibling_flags 80000046, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (972917/17261)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:

_____________________________________________________________________________________

Route Print from Client PC with VPN Established

===========================================================================
Lista de interfaces
13...f0 de f1 a5 af 52 ......Intel(R) 82579LM Gigabit Network Connection
8...24 77 03 25 b0 11 ......Microsoft Wi-Fi Direct Virtual Adapter
14...00 05 9a 3c 78 00 ......Cisco Systems VPN Adapter for 64-bit Windows
5...24 77 03 25 b0 10 ......Intel(R) Centrino(R) Ultimate-N 6300 AGN
1...........................Software Loopback Interface 1
6...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter
12...00 00 00 00 00 00 00 e0 Microsoft Teredo Tunneling Adapter
3...00 00 00 00 00 00 00 e0 Microsoft ISATAP Adapter #5
===========================================================================

IPv4 Tabla de enrutamiento
===========================================================================
Rutas activas:
Destino de red      Máscara de red      Puerta de enlace    Interfaz              Métrica
0.0.0.0 0.0.0.0      192.168.1.254        192.168.1.70 25
96.XXX.XXX.113  255.255.255.255    192.168.1.254        192.168.1.70       100
127.0.0.0              255.0.0.0                En vínculo               127.0.0.1             306
127.0.0.1              255.255.255.255    En vínculo               127.0.0.1             306
127.255.255.255  255.255.255.255    En vínculo               127.0.0.1             306
172.16.10.0          255.255.255.0        192.168.100.1         192.168.100.14   100
192.168.1.0          255.255.255.0        En vínculo               192.168.1.70       281
192.168.1.70        255.255.255.255    En vínculo               192.168.1.70       281
192.168.1.254      255.255.255.255    En vínculo               192.168.1.70       100
192.168.1.255      255.255.255.255    En vínculo               192.168.1.70       281
192.168.100.0      255.255.255.0        En vínculo               192.168.100.14   276
192.168.100.14    255.255.255.255    En vínculo               192.168.100.14   276
192.168.100.255  255.255.255.255    En vínculo               192.168.100.14   276
224.0.0.0              240.0.0.0                En vínculo               127.0.0.1             306
224.0.0.0              240.0.0.0                En vínculo               192.168.1.70       281
224.0.0.0              240.0.0.0                En vínculo               192.168.100.14   276
255.255.255.255  255.255.255.255    En vínculo               127.0.0.1             306
255.255.255.255  255.255.255.255    En vínculo               192.168.1.70       281
255.255.255.255  255.255.255.255    En vínculo               192.168.100.14   276
===========================================================================
Rutas persistentes:
Ninguno

===========================================================================
Rutas persistentes:
Ninguno


Accepted Solutions

Pablo
Cisco Employee

Frank,

Problem seems to be that you don't have a NAT exemption entry from the local LAN to the VPN client hosts.

Before fixing this you must configure a new ACL for NAT only, otherwise this will generate a conflict with the split tunneling configuration since they're using the same list.

You can refer to this guide for further information:

Configuring IPSec Router-to-Router with NAT Overload and Cisco Secure VPN Client

HTH

Pablo
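The fix Pablo describes, written out as a configuration fragment for this router's config (an added example, not text from the thread or from Cisco's guide). The ACL name NAT_ACL is an assumption; the LAN, VPN pool and interface names come from the posted configuration.

```cisco
! Added example: split tunneling and NAT must not share one ACL.
!
! Split-tunnel list pushed to the VPN client: unchanged. It only tells
! the client which destinations go through the tunnel.
ip access-list extended EZVPN_ST_ACL
 permit ip 172.16.10.0 0.0.0.255 any
!
! New NAT-only list (name NAT_ACL is an assumption). The deny comes first,
! so LAN -> VPN-pool traffic (192.168.100.0/24, which covers the
! EZVPN_POOL range 192.168.100.10-20) is left untranslated and reaches the
! client with its real 172.16.10.x source; everything else from the LAN
! is still PATed to the FastEthernet4 address as before.
ip access-list extended NAT_ACL
 deny   ip 172.16.10.0 0.0.0.255 192.168.100.0 0.0.0.255
 permit ip 172.16.10.0 0.0.0.255 any
!
! Re-point the overload rule at the NAT-only list.
no ip nat source list EZVPN_ST_ACL interface FastEthernet4 overload
ip nat source list NAT_ACL interface FastEthernet4 overload
!
! Caveat: translations already in the NAT table keep being used until they
! age out. Flushing them (this drops every active translation, so do it in
! a maintenance window) makes the exemption take effect immediately:
!   clear ip nat translation *
!
! Check: after pinging a VPN client from a LAN host, no translation with a
! 192.168.100.x destination should appear in
!   show ip nat nvi translations
```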


Thank you very much Pablo... Your answer solved my problem, I always thought that the issue was there... but honestly, I didn't know what else to do, an extra hand is always welcome.

Thanks again!!!!!

Frank