Established VPN connection but cannot ping subnet

Answered Question
Sep 25th, 2008

Hello, I have an 851 router that I am trying to learn with, I have a working config that gets me online and has a basic firewall and dhcp for clients. I then wanted to add a VPN using the 851 and the Cisco VPN client.

Using this tutorial "http://www.cisco.com/en/US/customer/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml"

I was able to get partially to my goal as I can establish a vpn and it is showing me 192.168.1.0 as the secured route but I cannot ping or communicate with anything with in the 192.168.1.1 network.

I have this problem too.
0 votes
Correct Answer by singhsaju about 8 years 2 months ago

Try this one also.

Instead of using access-list in NAT statement , use Route-map and see if it resolves the issue.

1.Deny the Ipsec traffic in the NAT access-list.

access-list 120 deny 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 120 permit 192.168.1.0 0.0.0 any

2 create a Route Map

route-map nonat permit 10

match ip address 120

3. no ip nat inside source list 1 interface FastEthernet4 overload

4. ip nat inside source route-map nonat interface FastEthernet4 overload

5. Clear ip nat translations *

Then check.

HTH

Saju

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 3.5 (3 ratings)
Loading.
bparker277 Thu, 09/25/2008 - 06:52

here is my config so far...

hostname MSM-Guest

!

boot-start-marker

boot-end-marker

!

no logging buffered

enable secret xxx

enable password xxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

!

resource policy

!

ip subnet-zero

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.1.1 192.168.1.50

!

ip dhcp pool MSM-Guest-DHCP

import all

network 192.168.1.0 255.255.255.0

dns-server 216.220.230.24 216.220.230.25

default-router 192.168.1.1

!

!

ip cef

ip inspect name MYFW tcp

ip inspect name MYFW udp

ip domain name MSM-Guest

ip name-server 216.220.230.24

ip name-server 216.220.230.25

!

!

crypto pki trustpoint TP-self-signed-2169386341

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2169386341

revocation-check none

rsakeypair TP-self-signed-2169386341

!

!

crypto pki certificate chain TP-self-signed-2169386341

certificate self-signed xxx

quit

username **** privilege 15

password 7 ****

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group vpn

key ****

dns 192.168.1.1

wins 192.168.1.1

domain msm-guest

pool SDM_POOL_1

acl 100

netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

match identity group vpn

client authentication list sdm_vpn_xauth_ml_1

isakmp authorization list sdm_vpn_group_ml_1

client configuration address respond

virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!

!

!

!

interface Loopback0

ip address 10.0.0.1 255.255.255.0

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description $ETH-WAN$

ip address 216.220.228.125 255.255.255.224

ip access-group Internet-inbound-ACL in

ip access-group Internet-outbound-ACL out

ip inspect MYFW out

ip nat outside

ip virtual-reassembly

ip tcp adjust-mss 1460

duplex auto

speed auto

no cdp enable

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Vlan1

description Internal Network

ip address 192.168.1.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10

ip classless

ip route 0.0.0.0 0.0.0.0 216.220.228.97

!

ip http server

ip http secure-server

ip nat inside source list 1 interface FastEthernet4 overload

!

ip access-list extended Internet-inbound-ACL

remark SDM_ACL Category=17

permit udp any host 216.220.228.125 eq non500-isakmp

permit udp any host 216.220.228.125 eq isakmp

permit esp any host 216.220.228.125

permit ahp any host 216.220.228.125

permit udp host 216.220.230.25 eq domain any

permit udp host 216.220.230.24 eq domain any

permit icmp any any echo

permit icmp any any echo-reply

permit icmp any any traceroute

permit gre any any

permit esp any any

ip access-list extended Internet-outbound-ACL

permit ip any any

!

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 100 remark SDM_ACL Category=4

access-list 100 permit ip 192.168.1.0 0.0.0.255 any

!

control-plane

!

line con 0

password 7 ****

no modem enable

line aux 0

line vty 0 4

password 7 ****

!

scheduler max-task-time 5000

end

singhsaju Thu, 09/25/2008 - 09:21

This is happening because the IPSEC traffic is not bypassing NAT . Do the following changes and then check and post results.

1.Deny the Ipsec traffic in the NAT access-list.

access-list 120 deny 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 120 permit 192.168.1.0 0.0.0 any

2. no ip nat inside source list 1 interface FastEthernet4 overload

3.ip nat inside source list 120 interface FastEthernet4 overload

HTH

Saju

Pls rate helpful posts

bparker277 Thu, 09/25/2008 - 13:26

This appeared to get me closer, I can now ping 192.168.1.1 but not 192.168.1.51 which is a valid host.

when I tracert 192.168.1.51 my first hop is 10.0.0.1 then dies after that.

my secured route is 192.168.1.0 which I was thinking it would be 192.168.2.0 because that is the subnet that dhcp gave me.

singhsaju Thu, 09/25/2008 - 15:08

You need to route VPN pool address in your network .Whats the default gateway on 192.168.1.51 ?

bparker277 Fri, 09/26/2008 - 04:27

the default gateway is 192.168.1.1 which is the ip address assigned to the vlan interface

Correct Answer
singhsaju Fri, 09/26/2008 - 05:11

Try this one also.

Instead of using access-list in NAT statement , use Route-map and see if it resolves the issue.

1.Deny the Ipsec traffic in the NAT access-list.

access-list 120 deny 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

access-list 120 permit 192.168.1.0 0.0.0 any

2 create a Route Map

route-map nonat permit 10

match ip address 120

3. no ip nat inside source list 1 interface FastEthernet4 overload

4. ip nat inside source route-map nonat interface FastEthernet4 overload

5. Clear ip nat translations *

Then check.

HTH

Saju

bparker277 Fri, 09/26/2008 - 09:55

Yes!! it is finally working, although I may of been chasing my own tail for a while there, the host I was trying to ping had the windows firewall turned on causing it to not respond to ping.

Thanks for the help, I will backup this config to a safe spot and expand upon it when I get some additional hardware. I also want to add a site to site vpn in to the mix with a second 851 router.

Actions

This Discussion