cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
446
Views
0
Helpful
3
Replies

ios vpn, no traffic to client, nat or acl problem?

mrjaylewis
Level 1
Level 1

Hi all, still no luck passing traffic from the router to the client. No matter what approach I've tried I still can't get traffic to come back through the VPN tunnel to the client. I can see my pings on the router while debugging but they refuse to return to the client. I can also send other traffic like WOL udp packets, but nothing from the router to the client. It's a Cisco SOHO 91 running NAT with a dhcp address on the outside interface from a DSL connection. I've tried everything I could think of with the access list, a route map, a nat pool, removing all of the unneeded access lists, all with no luck. There is absolulely no problems connecting and the routes look good on both sides (I think). I still need to run overloaded NAT for my inside web server and other services, so I need a solution that works with my current config... Could someone please look at my attached config and hopefully suggest something that can get the normal 2 way traffic going? I'm all out of ideas on this one... Thanks in advance, Jay.

Here's my version info, and I attached my running config:

Cisco Internetwork Operating System Software

IOS (tm) SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

Synched to technology version 12.3(1.6)T

T

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)

ROM: SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

3 Replies 3

Hello mrjaylewis,

can you please post the output from

"debug ip packets detailed"

"debug ip routing st r 0.0.0.0 0.0.0.0"

"debug ip nat detailed"

while you send ICMP signals e.g. ping from the client to the router?

After you do that please post the output from

"sh ip route"

Furthermore I can't find any route entry in your posted config.

Kind regards,

Christian

Hi Christian,

Thanks for taking the time to assist me... I performed the debugging you wanted to see and ending up capturing about 2 megs of NAT output while the pinging was taking place. The strange thing is that the vpn client IP (10.10.1.5) did not show up one single time in the debugging output. I even tried debugging all three items separately and never saw the ip of the client show up once. I did see TONS of nat translations between the public IP of the client and the public IP of the router, but I'm not sure if you want to see any of that, I posted a sample below so you could see there was some natting taking place. The other important point to mention is that I'm located away from the home router now and I'm doing all this through a putty ssh connection, so there is A LOT of the ssh port traffic in the output. I'm using port 8080 for my ssh vty because I use port 22 on an inside server for another purpose. Anyway, I also captured the route information for both the vpn client and the router while the tunnel is up, here they are:

Router:

MyCisco91#sh ip route

Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2

ia - IS-IS inter area, * - candidate default, U - per-user static route

o - ODR, P - periodic downloaded static route

Gateway of last resort is 72.234.216.1 to network 0.0.0.0

10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

S 10.10.1.5/32 [1/0] via 128.190.95.9

C 10.10.10.0/24 is directly connected, Ethernet0

72.0.0.0/23 is subnetted, 1 subnets

C 72.234.216.0 is directly connected, Ethernet1

S* 0.0.0.0/0 [254/0] via 72.234.216.1

Client:

C:\Documents and Settings\Administrator>route print

===========================================================================

Interface List

0x1 ........................... MS TCP Loopback interface

0x2 ...00 0b db 5b e4 1b ...... Broadcom 570x Gigabit Integrated Controller - Pa

cket Scheduler Miniport

0x1f0004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Schedule

r Miniport

Active Routes:

Network Destination Netmask Gateway Interface Metric

0.0.0.0 0.0.0.0 128.190.95.1 128.190.95.9 20

10.0.0.0 255.0.0.0 10.10.1.5 10.10.1.5 10

10.10.1.0 255.255.255.0 10.10.1.5 10.10.1.5 1

10.10.1.5 255.255.255.255 127.0.0.1 127.0.0.1 10

10.255.255.255 255.255.255.255 10.10.1.5 10.10.1.5 10

72.234.216.118 255.255.255.255 128.190.95.1 128.190.95.9 1

127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1

128.190.95.0 255.255.255.224 128.190.95.9 128.190.95.9 20

128.190.95.9 255.255.255.255 127.0.0.1 127.0.0.1 20

128.190.255.255 255.255.255.255 128.190.95.9 128.190.95.9 20

224.0.0.0 240.0.0.0 10.10.1.5 10.10.1.5 10

224.0.0.0 240.0.0.0 128.190.95.9 128.190.95.9 20

255.255.255.255 255.255.255.255 10.10.1.5 10.10.1.5 1

255.255.255.255 255.255.255.255 128.190.95.9 128.190.95.9 1

Default Gateway: 128.190.95.1

Persistent Routes:

None

And here's some nat debug output, but as I said, I don't think it shows any important info about the nat/access-list problem that I think is occurring.

Thanks for any help you can provide, and please let me know if there are other tests you think are needed...

Jay.

Note, I had to send the NAT output in a separate post, too long for this one...

mrjaylewis
Level 1
Level 1

Christian, here's some of the NAT output:

2d20h: NAT: s=10.10.10.1->72.234.216.118, d=128.190.95.9 [510]

2d20h: NAT: i: tcp (10.10.10.1, 8080) -> (128.190.95.9, 1287) [511]

2d20h: NAT: s=10.10.10.1->72.234.216.118, d=128.190.95.9 [511]

2d20h: NAT: i: tcp (10.10.10.1, 8080) -> (128.190.95.9, 1287) [512]

2d20h: NAT: s=10.10.10.1->72.234.216.118, d=128.190.95.9 [512]

2d20h: NAT*: o: tcp (121.128.133.37, 15779) -> (72.234.216.118, 4698) [30326]

2d20h: NAT*: s=121.128.133.37, d=72.234.216.118->10.10.10.2 [30326]

2d20h: NAT*: o: tcp (121.128.133.38, 15779) -> (72.234.216.118, 4667) [31455]

2d20h: NAT*: s=121.128.133.38, d=72.234.216.118->10.10.10.2 [31455]

2d20h: NAT*: i: tcp (10.10.10.2, 4698) -> (121.128.133.37, 15779) [28975]

2d20h: NAT*: s=10.10.10.2->72.234.216.118, d=121.128.133.37 [28975]

2d20h: NAT*: i: tcp (10.10.10.2, 4667) -> (121.128.133.38, 15779) [28976]

2d20h: NAT*: s=10.10.10.2->72.234.216.118, d=121.128.133.38 [28976]

2d20h: NAT*: o: tcp (121.128.133.37, 15779) -> (72.234.216.118, 4660) [30349]

2d20h: NAT*: s=121.128.133.37, d=72.234.216.118->10.10.10.2 [30349]

2d20h: NAT*: i: tcp (10.10.10.2, 4660) -> (121.128.133.37, 15779) [28977]

2d20h: NAT*: s=10.10.10.2->72.234.216.118, d=121.128.133.37 [28977]

2d20h: NAT: i: tcp (10.10.10.1, 8080) -> (128.190.95.9, 1287) [513]

2d20h: NAT: s=10.10.10.1->72.234.216.118, d=128.190.95.9 [513]

2d20h: NAT: i: tcp (10.10.10.1, 8080) -> (128.190.95.9, 1287) [514]

2d20h: NAT: s=10.10.10.1->72.234.216.118, d=128.190.95.9 [514]

2d20h: NAT: i: tcp (10.10.10.1, 8080) -> (128.190.95.9, 1287) [515]

2d20h: NAT: s=10.10.10.1->72.234.216.118, d=128.190.95.9 [515]

2d20h: NAT: i: tcp (10.10.10.1, 8080) -> (128.190.95.9, 1287) [516]

2d20h: NAT: s=10.10.10.1->72.234.216.118, d=128.190.95.9 [516]

2d20h: NAT*: o: tcp (121.128.133.36, 15779) -> (72.234.216.118, 4687) [12096]

2d20h: NAT*: s=121.128.133.36, d=72.234.216.118->10.10.10.2 [12096]

2d20h: NAT*: i: tcp (10.10.10.2, 4698) -> (121.128.133.37, 15779) [28978]

2d20h: NAT*: s=10.10.10.2->72.234.216.118, d=121.128.133.37 [28978]

2d20h: NAT*: i: tcp (10.10.10.2, 4687) -> (121.128.133.36, 15779) [28979]

2d20h: NAT*: s=10.10.10.2->72.234.216.118, d=121.128.133.36 [28979]

2d20h: NAT*: o: tcp (121.128.133.37, 15779) -> (72.234.216.118, 4698) [33042]

2d20h: NAT*: s=121.128.133.37, d=72.234.216.118->10.10.10.2 [33042]

2d20h: NAT*: o: tcp (121.128.133.37, 15779) -> (72.234.216.118, 4660) [33091]

2d20h: NAT*: s=121.128.133.37, d=72.234.216.118->10.10.10.2 [33091]

2d20h: NAT*: o: tcp (121.128.133.38, 15779) -> (72.234.216.118, 4667) [34125]

2d20h: NAT*: s=121.128.133.38, d=72.234.216.118->10.10.10.2 [34125]

2d20h: NAT*: o: tcp (128.190.95.9, 1287) -> (72.234.216.118, 8080) [54982]

2d20h: NAT*: s=128.190.95.9, d=72.234.216.118->10.10.10.1 [54982]

2d20h: NAT*: o: tcp (128.190.95.9, 1287) -> (72.234.216.118, 8080) [54983]

2d20h: NAT*: s=128.190.95.9, d=72.234.216.118->10.10.10.1 [54983]

2d20h: NAT*: o: tcp (128.190.95.9, 1287) -> (72.234.216.118, 8080) [54984]

2d20h: NAT*: s=128.190.95.9, d=72.234.216.118->10.10.10.1 [54984]

2d20h: NAT*: o: tcp (128.190.95.9, 1287) -> (72.234.216.118, 8080) [54985]

2d20h: NAT*: s=128.190.95.9, d=72.234.216.118->10.10.10.1 [54985]

2d20h: NAT*: o: tcp (128.190.95.9, 1287) -> (72.234.216.118, 8080) [54990]

2d20h: NAT*: s=128.190.95.9, d=72.234.216.118->10.10.10.1 [54990]

2d20h: NAT*: o: tcp (128.190.95.9, 1287) -> (72.234.216.118, 8080) [54991]

2d20h: NAT*: s=128.190.95.9, d=72.234.216.118->10.10.10.1 [54991]

2d20h: NAT*: o: tcp (128.190.95.9, 1287) -> (72.234.216.118, 8080) [54992]

2d20h: NAT*: s=128.190.95.9, d=72.234.216.118->10.10.10.1 [54992]

2d20h: NAT*: o: tcp (128.190.95.9, 1287) -> (72.234.216.118, 8080) [54993]

2d20h: NAT*: s=128.190.95.9, d=72.234.216.118->10.10.10.1 [54993]

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: