Author Topic: I can't ping or access any of resources connected on the VPN server router.  (Read 33085 times)

Offline mokenned

  • Cisco Newbie
  • *
  • Posts: 1
  • Reputation: 0
  • Certification: N/A
Hello,

I have created an EasyVPN server and a remote client router for teleworkers. I can establish a VPN tunnel connection, but I can't ping or access the 192.168.10.0/24 resources connected to the VPN server router from 192.168.30.0/24. The network diagram is attached.

The configuration is based on:



EzVPN-Server#sh run
Building configuration...


Current configuration : 3515 bytes
!
version 15.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname EzVPN-Server
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
enable secret 5 $1$NhzO$Kd11RkFZY1xI6T1vfKTI0.
!
aaa new-model
!
aaa authentication login USER_AAA local
aaa authentication login USERLIST local
aaa authorization network GROUP_AAA local
!
aaa session-id common
memory-size iomem 15
!
ip dhcp excluded-address 192.168.10.1 192.168.10.50
!
ip dhcp pool Inside-LAN
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 9.9.9.9
!
no ip domain lookup
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
username admin secret 5 $1$ogrE$UQS7SIfOMziIamJZnV5L/0
!
redundancy
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp keepalive 90 12
!         
crypto isakmp client configuration group VPN1
 key 1234567890
 dns 9.9.9.9
 pool VPN-POOL
 acl SPLIT_T
 save-password
!
crypto ipsec transform-set TRANSFORM-1 esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map INT_MAP 1
 set security-association lifetime kilobytes 530000000
 set security-association lifetime seconds 14400
 set transform-set TRANSFORM-1
!
!
crypto map INT_MAP client authentication list USER_AAA
crypto map INT_MAP isakmp authorization list GROUP_AAA
crypto map INT_MAP client configuration address respond
crypto map INT_MAP 30000 ipsec-isakmp dynamic INT_MAP
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description INTERNET#
 ip address 5.5.5.5 255.255.255.248
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map INT_MAP
!
interface GigabitEthernet0/1
 description INSIDE-LAN#
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/2
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet1/0
 no ip address
 shutdown
!
interface GigabitEthernet1/1
 description Internal switch interface connected to Service Module
 no ip address
!
interface Vlan1
 no ip address
!
!
ip local pool VPN-POOL 192.168.100.100 192.168.100.200
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 5.5.5.1
!
ip access-list extended SPLIT_T
 permit ip 192.168.0.0 0.0.255.255 any
!
access-list 1 permit 192.168.10.0 0.0.0.255
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
gatekeeper
 shutdown
!
line con 0
 exec-timeout 0 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line 67
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
 flowcontrol software
line vty 0 4
 password 7 03055F060F01
 transport input all
!
scheduler allocate 20000 1000
!
end


EzVPN-Client#sh run
Building configuration...

Current configuration : 3459 bytes
!
! Last configuration change at 17:56:46 UTC Tue Jul 15 2014
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname EzVPN-Client
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
enable password admin
!
no aaa new-model
!
ip cef
!
!
!         
!


!
ip dhcp excluded-address 192.168.30.1 192.168.30.15
!
ip dhcp pool INSIDE
 import all
 network 192.168.30.0 255.255.255.0
 default-router 192.168.30.1
!
!
!
no ipv6 cef
!
multilink bundle-name authenticated
username admin privilege 15 password 0 admin
!
redundancy
!
crypto ipsec client ezvpn CLIENT1
 connect auto
 group VPN1 key 1234567890
 mode network-plus
 peer 5.5.5.5
 username admin password admin
 xauth userid mode local
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-WAN$
 ip address dhcp
 duplex auto
 speed auto
 crypto ipsec client ezvpn CLIENT1
!
interface GigabitEthernet0/1
 description $ETH-LAN$
 ip address 192.168.30.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto ipsec client ezvpn CLIENT1 inside
!
interface Virtual-Template2 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 1 permit 192.168.30.0 0.0.0.255
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 password admin
 login
 transport input all
!
scheduler allocate 20000 1000
!
end

EzVPN-Client#




« Last Edit: July 15, 2014, 03:20:35 PM by mokenned »

Offline MC

  • Global Moderator
  • Cisco Guru
  • *****
  • Posts: 401
  • Reputation: 606
  • CCIE x3 (RS,Sec,SP)
  • Certification: CCIE
When you say the VPN tunnel connects, I assume it completed both phase 1 & 2 and you get output when doing "sh cry isa sa" and "sh cry ipse sa", correct? If so, what do you see on the encrypt/decrypt packet counters?
Based on the client-side config, you have PAT configured for the whole 192.168.30/24 subnet to the internet. You will need to exempt VPN traffic from being NATed, otherwise the traffic won't enter the tunnel.
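One way to apply that NAT exemption on the client router, as an added example that is not part of either post and is neither Cisco's nor the original poster's configuration: the client's `access-list 1` is replaced by a named ACL whose `deny` entry exempts traffic from 192.168.30.0/24 toward 192.168.0.0/16 (the range the server's SPLIT_T ACL covers) from PAT, so those packets keep their real source address and can be matched for the tunnel, while everything else is still translated to the GigabitEthernet0/0 address. The ACL name NAT_EXEMPT is an assumption; the IOS syntax (`deny` in a NAT ACL means "do not translate") is standard.

```cisco
! Added example (not from the thread): exempt site-to-site VPN traffic from PAT
! on the EzVPN client router. NAT_EXEMPT is an assumed name.
ip access-list extended NAT_EXEMPT
 remark Do not translate traffic headed for the split-tunnel networks
 deny   ip 192.168.30.0 0.0.0.255 192.168.0.0 0.0.255.255
 remark Everything else from the LAN is still PATed to the WAN address
 permit ip 192.168.30.0 0.0.0.255 any
!
! Replace the catch-all PAT rule that used access-list 1
no ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list NAT_EXEMPT interface GigabitEthernet0/0 overload
```

After the change, a ping from a 192.168.30.0/24 host to 192.168.10.0/24 should show the encrypt and decrypt counters in `show crypto ipsec sa` increasing, and `show ip nat translations` should show no entry for that flow (only for flows headed elsewhere). Note also that in the posted client config only GigabitEthernet0/1 carries `ip nat inside` and GigabitEthernet0/0 has no `ip nat outside`, so it is worth checking with `show ip nat translations` which configuration is actually translating the traffic before assuming the manual statement is the one in effect.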

 
