I can't ping through to my LAN

Unanswered Question
Sep 25th, 2009

Hi there experts,

I am having an issue with the EZVPN that I configured on the 2811 we just newly bought. Actually, the thing is that I fully configured it, i.e. EZVPN. It does work; I mean I do have my IKE phase 1 and 2 fully negotiated, and it gets to the secure channels and all that it does whenever I connect with my Cisco VPN client software. But the issue is that I can't access anything in my LAN: I can only ping through to my LAN interface, but anything beyond my LAN interface I just can't. Please find below the config.

version 12.4
no service pad

hostname wisertr

boot system flash:c2800nm-advsecurityk9-mz.124-3g.bin

aaa new-model
aaa authentication login wisegroup_DB local
aaa authentication login wisegroupvpnclient local
aaa authorization exec wisegroup_DB local
aaa authorization network wisegroup local
aaa session-id common

resource policy

ip subnet-zero
ip cef
no ip bootp server
ip domain name wise.com
ip name-server
ip name-server

crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp keepalive 20 3

crypto isakmp client configuration group WISE_REM_VPN
 key sup3rs3cr3t
 domain wisegroupng.com
 pool wisepool
 max-logins 5

crypto ipsec transform-set WISEREM_VPN esp-aes esp-sha-hmac

crypto dynamic-map WISEVPN_dynmap 10
 set transform-set WISEREM_VPN

crypto map wisemap client authentication list mrsvpnclient
crypto map wisemap isakmp authorization list mrsgroups
crypto map wisemap client configuration address respond
crypto map wisemap 1000 ipsec-isakmp dynamic wisevpn_dynmap

interface FastEthernet0/0
 description LAN_INT
 ip address
 ip nat inside
 duplex half
 speed 100

interface FastEthernet0/1
 description WAN_INT
 ip address 217.xx.xx.xx
 ip nat outside
 duplex full
 crypto map wisemap

ip local pool wisepool
ip classless
ip route 217.xx.xx.xx

ip nat inside source list NAT_ADDRESS interface FastEthernet0/1 overload

ip access-list extended NAT_ADDRESS
 deny ip
 permit ip 172.16.0 any
ip access-list ext SPLITREMOTE
 permit ip any


Please, I need to know what I am doing wrong that I can't reach my LAN; only the LAN interface of my router could I ping from the remote system. I have the feeling that it's a routing issue, but then I can't say. I also intend to configure a s2s VPN with the same router and interface. Please advise!

JORGE RODRIGUEZ Sat, 09/26/2009 - 06:56

Modify the SPLITREMOTE tunnel ACL and try again; it should be as:

deny ip

permit ip any

az.obiora Sun, 09/27/2009 - 04:19

Hi Jorgemcse,

Thank you for your response. I will try it and be sure to get back to you! I appreciate it!



az.obiora Sun, 09/27/2009 - 17:29

Hi Jorgemcse!

Just to let you know that I added the ACL as you said and still wasn't able to reach my LAN. Please, any other suggestions? Like I said, I am able to ping across to my router LAN interface, but pinging beyond the router LAN interface is where the problem lies! I do appreciate your suggestion earlier and do look out for more!



hansyin Thu, 11/12/2009 - 21:48

Hi, I think you should first make sure whether the traffic goes through the VPN tunnel when you ping beyond the router LAN interface. You can check with "show crypto ipsec sa", or even "debug ip packet acl".

If the packet already reaches the router through the VPN tunnel and did go out, then you should check the gateway of the PC in your LAN. If it is not reaching the router at all, you should sniff on your VPN client, or check its route table, to see why the traffic cannot go into the VPN tunnel.

mopaul Sat, 11/14/2009 - 20:09


Well, I am not sure why you were suggested to modify the SPLITREMOTE tunnel ACL to make it as:

deny ip

permit ip any

With the above suggested ACL you are in a way denying the tunnel traffic from the client to the router.

I have reviewed the configuration; it appears to be good. As a quick troubleshooting step I would suggest this:

ip access-list ext SPLITREMOTE

permit ip

## By taking the destination as ANY in the SPLITREMOTE you are in no way splitting the tunnel traffic ##

Assuming that the client talks to the LAN interface of the router through the tunnel.

As a quick test, you can connect a host to the router and add a route using the Windows command prompt

## route ADD mask ##

Please do let me know how it goes...



bennygao2009 Sun, 11/15/2009 - 01:15


I think the SPLITREMOTE tunnel ACL should be:

ip access-list ext SPLITREMOTE

permit ip

mopaul Sun, 11/15/2009 - 06:44

No, the access-list would be with a source of 172.16.1.x and a destination of 10.10.11.x.

I know why you might be thinking of it the other way, because it is used under the client configuration. But it's not that way.

When you configure a s2s VPN tunnel, you configure ACLs for crypto on both VPN-terminating end devices, which are mirror images of each other.

For example:

local subnet on Site A is 10.10.11.x

local subnet on Site B is 172.16.1.x

On Site A you will specify the ACL as

10.10.11.x >>> 172.16.1.x

On Site B,

172.16.1.x >>> 10.10.11.x

Now, when you create a dynamic IPsec VPN:

You create the crypto ACL ONLY on the site with the dynamic IP address, for the remote site with the static IP on it.

So, if Site B has a static public IP address of aa.aa.aa.bb and remote Site A is on a dynamic IP...

Then a dynamic ACL on Site B will be created on its own when the tunnel is negotiated from Site A.

Same is the case with remote VPNs: they are dynamic peers. When you make a VPN connection, all attributes under the client configuration are pushed to the clients; a mirror image of the ACL (i.e. the one configured under the client configuration) would be learnt by the client on its end, which in turn will take the LAN subnet behind the router as the tunnel destination, and hence you will add a route in the client's routing table.

As a quick recreate you can configure dynamic IPsec between 2 VPN devices, and on the static end, once the VPN is up, execute the command

show crypto ipsec sa

and you will find that your VPN device (on the static IP) has learnt a VPN ACL, i.e. the reverse of what is defined on the dynamic site.

Hope this helps.
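The mirroring described in the reply above (the crypto/split-tunnel ACL is written on the router with the LAN as source, and the client learns the reverse), as an added example that is not part of the thread and not a Cisco tool: a small Python model that parses Cisco-style extended ACL entries (wildcard masks, host, any), builds the client-side mirror image, and classifies sample packets as tunnelled or not. Using 172.16.1.0/24 as the LAN (source) and 10.10.11.0/24 as the client pool (destination) follows the reply's wording but is an assumption of this example; the ACL text and packet addresses are constructed samples.

```python
"""Model of crypto / split-tunnel ACL mirroring between an IOS VPN router and
a remote client. Added example, not taken from the thread; the ACL text and
packet addresses below are constructed samples."""
import ipaddress
from dataclasses import dataclass


def wildcard_to_prefixlen(wildcard):
    """Convert a Cisco wildcard mask (0 bits = must match) to a prefix length.
    0.0.0.0 means a single host, 255.255.255.255 means any address."""
    w = int(ipaddress.IPv4Address(wildcard))
    mask = w ^ 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    # Only contiguous masks (1...10...0) map to a prefix; reject the rest.
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wildcard} not supported")
    return prefixlen


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination networks."""
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src_ip, dst_ip):
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst)

    def mirrored(self):
        # The peer protects the same flows with source and destination swapped.
        return Ace(self.action, self.dst, self.src)


def _parse_address(tokens):
    """Consume one address spec ('any', 'host A.B.C.D', or 'A.B.C.D wildcard')
    from the front of the token list; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    prefixlen = wildcard_to_prefixlen(tokens[1])
    return ipaddress.ip_network(f"{tokens[0]}/{prefixlen}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse the 'permit|deny ip <src> <dst>' lines of an extended ACL;
    the 'ip access-list ...' header and anything else is ignored."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are handled: {line}")
        src, rest = _parse_address(tokens[2:])
        dst, rest = _parse_address(rest)
        aces.append(Ace(tokens[0], src, dst))
    return aces


def classify(acl, src_ip, dst_ip):
    """First matching entry wins; the implicit deny at the end means
    'not interesting traffic', i.e. the packet stays outside the tunnel."""
    for ace in acl:
        if ace.matches(src_ip, dst_ip):
            return ace.action == "permit"
    return False


# Constructed sample: the ACL as written on the router, LAN subnet as source and
# the client address pool as destination (assumed assignment of the two subnets).
ROUTER_ACL = parse_acl("""
ip access-list extended SPLITREMOTE
 permit ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255
""")
# What the client learns: the mirror image of every entry.
CLIENT_ACL = [ace.mirrored() for ace in ROUTER_ACL]


def tunnelled_on_router(src_ip, dst_ip):
    return classify(ROUTER_ACL, src_ip, dst_ip)


def tunnelled_on_client(src_ip, dst_ip):
    return classify(CLIENT_ACL, src_ip, dst_ip)


if __name__ == "__main__":
    for ace in CLIENT_ACL:
        print(f"client-side entry: {ace.action} {ace.src} -> {ace.dst}")
    # Client 10.10.11.5 pinging LAN host 172.16.1.20: tunnelled on the client,
    # and the echo reply (LAN -> client) is tunnelled on the router.
    print(tunnelled_on_client("10.10.11.5", "172.16.1.20"))   # True
    print(tunnelled_on_router("172.16.1.20", "10.10.11.5"))   # True
    # Traffic to an address outside the ACL bypasses the tunnel (split tunnel).
    print(tunnelled_on_client("10.10.11.5", "198.51.100.10"))  # False
```

Running the block prints the client-side entry with source and destination swapped, which is the same picture "show crypto ipsec sa" gives on the static end of a dynamic tunnel: the local and remote identities are the reverse of what the initiating side configured. The wildcard conversion is done by hand rather than left to the ipaddress module, because a wildcard of 0.0.0.0 (single host) would otherwise be read as a /0 netmask and 255.255.255.255 (any) as a /32.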



