VPN tunnel is up but can't ping to LAN stations

phyopaingag
Level 1

Hi,

I am trying to set up the Easy VPN server on a Cisco 881/K9 router.

Using Cisco VPN Client version 5.0, I can connect to the VPN server.

I can get an IP from the LAN subnet on the VPN client.

On the VPN side, I can see the VPN session by using #show crypto isakmp sa

But I can't ping from the VPN client to any LAN stations.

Someone please check my configuration and educate me.

This is my first time setting up vpn on the cisco router.


Building configuration...

Current configuration : 5938 bytes
!
! Last configuration change at 01:38:31 UTC Thu Apr 21 2011 by evantage
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FarEastP
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3333835941
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3333835941
revocation-check none
rsakeypair TP-self-signed-3333835941
!
!
crypto pki certificate chain TP-self-signed-3333835941
certificate self-signed 01
  30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333333 38333539 3431301E 170D3131 30343230 31363434
  30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33333338
  33353934 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  810094A1 7C2D79CE A6BEE368 3EB0B5B7 9A2CFE42 6A145915 E67EF01D 350558E3
  AAB44CA5 040B6379 E6360CB3 4D184225 0360DA61 6BE23D05 55DAA45A 4647FEB5
  6F143346 6BF18824 EFC3A31F 2A48AD8D 524F2324 EB331E50 8407577F E751DFF2
  DD926D88 ABA3546D 25D23143 AC91B2F8 11C66750 3B16E5AE C38B62C4 68267C61
  02D30203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
  551D1104 0C300A82 08466172 45617374 50301F06 03551D23 04183016 8014E95E
  66B6A8C2 CF1BD38F 684FD4DF C3854AEB ACA7301D 0603551D 0E041604 14E95E66
  B6A8C2CF 1BD38F68 4FD4DFC3 854AEBAC A7300D06 092A8648 86F70D01 01040500
  03818100 05803840 EFBF9A3B F4D64899 8E03C836 34861307 57193CC5 DA510446
  E4081D1A 2CF243BF 41AC9F36 83DAE9DB 9480F154 7CF792A5 76C1452C EEFD8661
  8443DC4C 8E507A8F B2ECCAEB CDE26E41 E477E290 79AE5D72 FD81057C B5DCE1C2
  65108014 36E0F740 A8992360 92F0423D E14F9240 1D162BC3 EFBB75A2 9E64ABC6 D76BE894
   quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool ccp-pool1
   network 192.168.1.0 255.255.255.0
   domain-name FarEastP
   default-router 192.168.1.1
   dns-server 192.168.1.2 165.21.83.88
!
!
no ip cef
no ip domain lookup
ip name-server 192.168.1.2
ip name-server 165.21.83.88
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FHK142971LH
!
!
username admin privilege 15 secret 5 $1$W2eu$lr.TpEfJuOE1iKQjFPHIT/
username evantage privilege 15 secret 5 $1$P602$8TeJh5.SCHsY2TGd0.TnD1
username sshukla privilege 5 secret 5 $1$oflM$cHZdlpLdWr.nn1UwiCEs7/
username rtandon privilege 5 secret 5 $1$yGAU$BxJ6eQqG32WeI2gI4BDWh1
username sagrawal privilege 5 secret 5 $1$1Kkz$E6NOTt9LCXiGTarAxrc/i1
username asarie privilege 5 secret 5 $1$CVw.$0ohz3WtLqU8USiMBqxIjA/
username rbiyani privilege 5 secret 5 $1$KkY/$02lEPCahuIpzoQcXln2yD.
username clovejoy privilege 5 secret 5 $1$WMbu$t.er4RPRTnYNNwwkVGMuX/
username Lakshmi privilege 5 secret 5 $1$ZMC4$Sjlcmcw2uvhzU9bwEw1Us.
username vanisha privilege 5 secret 5 $1$yPMa$I.q.7NW2uQo0s5FTHkxZM1
username usha privilege 5 secret 5 $1$bX1I$X6X4eSSeq48k0Kq8Qt7Rn/
username aditya privilege 5 secret 5 $1$w2Vt$HOz81M2UfLeni.PNUX2aJ/
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
!
crypto isakmp client configuration group VPN
key tp!zlflN\2\4go,xtP+xFapuWlKDvr#dVrS6L4TF5NJl2GXugUgv%LfQ+!drgUK
dns 192.168.1.2 165.21.83.88
domain fareastp
pool SDM_POOL_1
acl 101
max-users 20
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNVPN 1
set transform-set ESP-3DES-SHA
!
!
crypto map clientmap client authentication list ciscocp_vpn_xauth_ml_1
crypto map clientmap isakmp authorization list ciscocp_vpn_group_ml_1
crypto map clientmap client configuration address respond
crypto map clientmap 65535 ipsec-isakmp dynamic DYNVPN
!
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN$ES_WAN$
ip address 119.75.60.170 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
description LAN
ip address 116.12.248.81 255.255.255.240 secondary
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.1.201 192.168.1.254
ip local pool POOL_2 10.10.1.2 10.10.1.200
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.4 5003 interface FastEthernet4 5003
ip nat inside source static tcp 192.168.1.4 16000 interface FastEthernet4 16000
ip nat inside source static tcp 192.168.1.4 16001 interface FastEthernet4 16001
ip nat inside source list 111 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 119.75.60.169
!
logging trap debugging
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

2 Accepted Solutions (the replies by Jennifer Halim and Kasi, reproduced in the thread below)

4 Replies

Jennifer Halim
Cisco Employee

The VPN pool assigned to the VPN client needs to be in a different unique subnet than the internal networks.

Please also post all your ACLs so we can see whether the NAT and crypto ACLs have been configured correctly.

Your NAT ACL needs to include "deny ip " above all the permit statements.

I amended my configuration as you suggested.

Could you please check again?

I really appreciate your help.

-------------------------------------------------------------------------


Building configuration...

Current configuration : 6043 bytes
!
! Last configuration change at 07:22:17 UTC Thu Apr 21 2011 by evantage
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FarEastP
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-3333835941
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3333835941
revocation-check none
rsakeypair TP-self-signed-3333835941
!
!
crypto pki certificate chain TP-self-signed-3333835941
certificate self-signed 01
  30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33333333 38333539 3431301E 170D3131 30343230 31363434
  30355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 33333338
  33353934 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  810094A1 7C2D79CE A6BEE368 3EB0B5B7 9A2CFE42 6A145915 E67EF01D 350558E3
  AAB44CA5 040B6379 E6360CB3 4D184225 0360DA61 6BE23D05 55DAA45A 4647FEB5
  6F143346 6BF18824 EFC3A31F 2A48AD8D 524F2324 EB331E50 8407577F E751DFF2
  DD926D88 ABA3546D 25D23143 AC91B2F8 11C66750 3B16E5AE C38B62C4 68267C61
  02D30203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
  551D1104 0C300A82 08466172 45617374 50301F06 03551D23 04183016 8014E95E
  66B6A8C2 CF1BD38F 684FD4DF C3854AEB ACA7301D 0603551D 0E041604 14E95E66
  B6A8C2CF 1BD38F68 4FD4DFC3 854AEBAC A7300D06 092A8648 86F70D01 01040500
  03818100 05803840 EFBF9A3B F4D64899 8E03C836 34861307 57193CC5 DA510446
  E4081D1A 2CF243BF 41AC9F36 83DAE9DB 9480F154 7CF792A5 76C1452C EEFD8661
  8443DC4C 8E507A8F B2ECCAEB CDE26E41 E477E290 79AE5D72 FD81057C B5DCE1C2
  65108014 36E0F740 A8992360 92F0423D E14F9240 1D162BC3 EFBB75A2 9E64ABC6 D76BE894
   quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.201 192.168.1.254
!
ip dhcp pool ccp-pool1
   network 192.168.1.0 255.255.255.0
   domain-name FarEastP
   default-router 192.168.1.1
   dns-server 192.168.1.2 165.21.83.88
!
!
no ip cef
no ip domain lookup
ip name-server 192.168.1.2
ip name-server 165.21.83.88
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn xxxxxxxxx
!
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxx
!
!
ip tcp synwait-time 10
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
dns 192.168.1.2 165.21.83.88
domain fareastp
pool SDM_POOL_1
acl 101
include-local-lan
max-users 20
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map DYNVPN 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map clientmap client authentication list ciscocp_vpn_xauth_ml_1
crypto map clientmap isakmp authorization list ciscocp_vpn_group_ml_1
crypto map clientmap client configuration address respond
crypto map clientmap 65535 ipsec-isakmp dynamic DYNVPN
!
!
!
!
!
interface Loopback0
ip address 192.168.250.99 255.255.255.0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description WAN$ES_WAN$
ip address 119.75.60.170 255.255.255.252
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
description LAN
ip address 116.12.248.81 255.255.255.240 secondary
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.2.201 192.168.2.254
ip local pool POOL_2 10.10.1.2 10.10.1.200
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.1.2 1723 interface FastEthernet4 1723
ip nat inside source static tcp 192.168.1.4 5003 interface FastEthernet4 5003
ip nat inside source static tcp 192.168.1.4 16000 interface FastEthernet4 16000
ip nat inside source static tcp 192.168.1.4 16001 interface FastEthernet4 16001
ip nat inside source list 111 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 119.75.60.169
!
logging trap debugging
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Hi,

It should be like below.

Access-list for split tunnel not applied correctly:

no access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 101 permit ip 192.168.2.192 0.0.0.63 192.168.1.0 0.0.0.255
!

Need to deny the VPN traffic in the NAT ACL.

ip nat inside source list 111 interface FastEthernet4 overload   -----> What is the need of this? I believe you can remove this.
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
no access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.63
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101

Apply the above and test.

Please rate helpful posts.

Thanks,

Kasi.
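The two answers above reduce to three mechanical checks: the client pool must not overlap a NAT-inside subnet (Jennifer's point), the NAT ACL must deny LAN-to-pool traffic ahead of its permit so those packets reach the crypto map untranslated (Kasi's point), and every ACL that a NAT rule or the VPN group names must actually exist and be applied (in the first config ACL 111 is referenced by a NAT rule but never defined; in the second, ACL 100 is defined but never applied). The script below is an added example, not code from this thread or from Cisco. It runs those three checks over two constructed excerpts built from the configs posted above, understands only the handful of IOS statements involved (numbered extended ACLs with protocol ip, `ip local pool`, `ip nat inside source`, route-map `match ip address`, interface `ip address`/`ip nat inside`, and the `pool`/`acl` lines of the client configuration group), and the names `parse`, `audit` and `_target` are mine.

```python
"""Audit an IOS Easy VPN server config for the faults this thread turns on. Added
example, not from the original post; parses only the IOS statements involved."""
import ipaddress

# Constructed excerpt of the OP's first config: pool inside the LAN, undefined ACL 111, no NAT exemption.
ORIGINAL_CFG = """\
crypto isakmp client configuration group VPN
 pool SDM_POOL_1
 acl 101
interface Vlan1
 ip address 116.12.248.81 255.255.255.240 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip local pool SDM_POOL_1 192.168.1.201 192.168.1.254
ip nat inside source list 111 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""

# Constructed excerpt after the thread's fixes: pool moved to 192.168.2.x, the
# ACL 111 rule removed, and a deny for LAN -> pool ahead of the NAT permit.
FIXED_CFG = """\
crypto isakmp client configuration group VPN
 pool SDM_POOL_1
 acl 101
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
ip local pool SDM_POOL_1 192.168.2.201 192.168.2.254
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.192 0.0.0.63
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def _target(tok):
    """Consume 'any' or 'ADDR WILDCARD' from an extended ACE (wildcard inverted to a mask)."""
    if tok[0] == "any":
        return ANY, tok[1:]
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tok[1]))))
    return ipaddress.ip_network((tok[0], mask), strict=False), tok[2:]

def parse(cfg):
    """Pull interfaces, pools, NAT rules, ACLs and the Easy VPN group out of the text."""
    c = {"if_nets": {}, "inside_ifs": set(), "pools": {}, "group_pool": None,
         "group_acl": None, "nat_acls": [], "nat_rmaps": [], "rmap_acl": {}, "acls": {}}
    section = None                                  # (kind, name) of the current block
    for t in (line.split() for line in cfg.splitlines()):
        if not t:
            continue
        if t[0] in ("interface", "route-map"):
            section = (t[0], t[1])
        elif t[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            section = ("group", t[5])
        elif t[:4] == ["ip", "nat", "inside", "source"]:  # global NAT rule ends any block
            section = None
            if t[4] in ("list", "route-map"):
                c["nat_acls" if t[4] == "list" else "nat_rmaps"].append(t[5])
        elif t[:3] == ["ip", "local", "pool"]:
            section = None
            c["pools"][t[3]] = (ipaddress.ip_address(t[4]), ipaddress.ip_address(t[5]))
        elif t[0] == "access-list":                     # access-list N ACTION ip SRC DST
            section = None
            src, rest = _target(t[4:])
            c["acls"].setdefault(t[1], []).append((t[2], src, _target(rest)[0]))
        elif section and section[0] == "interface" and t[:2] == ["ip", "address"]:
            c["if_nets"].setdefault(section[1], []).append(ipaddress.ip_network((t[2], t[3]), strict=False))
        elif section and section[0] == "interface" and t == ["ip", "nat", "inside"]:
            c["inside_ifs"].add(section[1])
        elif section and section[0] == "group" and t[0] in ("pool", "acl"):
            c["group_" + t[0]] = t[1]
        elif section and section[0] == "route-map" and t[:3] == ["match", "ip", "address"]:
            c["rmap_acl"][section[1]] = t[3]
    return c

def audit(cfg):
    """Return findings as strings; an empty list means the excerpt passes."""
    c = parse(cfg)
    inside = [n for i in sorted(c["inside_ifs"]) for n in c["if_nets"].get(i, [])]
    pool = c["pools"].get(c["group_pool"])
    if pool is None:
        return [f"VPN group pool {c['group_pool']} is not defined"]
    lo, hi = pool
    out = [f"pool {lo}-{hi} overlaps NAT-inside subnet {n}" for n in inside if lo in n or hi in n]
    nat_acls = c["nat_acls"] + [c["rmap_acl"].get(r, "?") for r in c["nat_rmaps"]]
    for name in nat_acls:                           # NAT must not grab LAN -> VPN traffic
        aces = c["acls"].get(name)
        if aces is None:
            out.append(f"NAT references ACL {name}, which is not defined")
        elif any(next((a for a, s, d in aces if n.network_address in s and lo in d), "deny") == "permit"
                 for n in inside):                  # first match wins, implicit deny at the end
            out.append(f"NAT ACL {name} translates LAN -> pool {lo}-{hi}; add a deny ahead of the permit")
    out += [f"ACL {name} is defined but never applied to NAT or the VPN group"
            for name in c["acls"] if name not in set(nat_acls) | {c["group_acl"]}]
    return out
```

`audit(ORIGINAL_CFG)` reports three findings (pool overlaps 192.168.1.0/24, ACL 111 undefined, ACL 101 translates LAN-to-pool traffic), `audit(FIXED_CFG)` returns an empty list, and appending the OP's second-attempt line `access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255` to FIXED_CFG reproduces that post's mistake as a single "defined but never applied" finding. The check is static and only as good as the excerpt it is handed; on the router itself, confirm with `show ip nat translations` (no entries for LAN-to-pool flows) and the encaps/decaps counters in `show crypto ipsec sa`. Note also that the first post published the group pre-shared key and type 5 password hashes in the clear; the second post redacts them, which is the right call for any config shared publicly.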

Hi Jennifer and Kasiraman,

I really, really appreciate your help.

I had been trying to fix this problem for 2 days already.

You guys saved my day and many, many other things.

Thanks with all my heart.