I can't ping through to my LAN

az.obiora
Level 1

Hi there experts,

I am having an issue with the EZVPN that I configured on the 2811 we just newly bought. Actually, I fully configured it, i.e. EZVPN. It does work: I do have my IKE Phase 1 and 2 fully negotiated, and it gets to the secure channels and all that whenever I connect with my Cisco VPN Client software. But the issue is that I can't access anything in my LAN; I can only ping through to my LAN interface, but anything beyond my LAN interface I just can't. Please find below the config.

version 12.4
no service pad
!
hostname wisertr
!
boot-start-marker
boot system flash:c2800nm-advsecurityk9-mz.124-3g.bin
boot-end-marker
!
aaa new-model
!
aaa authentication login wisegroup_DB local
aaa authentication login wisegroupvpnclient local
aaa authorization exec wisegroup_DB local
aaa authorization network wisegroup local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
ip cef
!
no ip bootp server
ip domain name wise.com
ip name-server 198.6.1.2
ip name-server 172.16.1.252
!
! IKE Phase 1 policy
crypto isakmp policy 100
 encr aes
 authentication pre-share
 group 2
crypto isakmp keepalive 20 3
!
! Easy VPN group: pool, split-tunnel list and the attributes pushed to the client
crypto isakmp client configuration group WISE_REM_VPN
 key sup3rs3cr3t
 dns 198.6.1.2 172.16.1.252
 wins 172.16.1.252
 domain wisegroupng.com
 pool wisepool
 save-password
 include-local-lan
 max-logins 5
 acl SPLITREMOTE
!
crypto ipsec transform-set WISEREM_VPN esp-aes esp-sha-hmac
!
crypto dynamic-map WISEVPN_dynmap 10
 set transform-set WISEREM_VPN
!
! Xauth and group authorization must reference the AAA method lists defined above;
! the dynamic-map name is case sensitive and must match the crypto dynamic-map above
crypto map wisemap client authentication list wisegroupvpnclient
crypto map wisemap isakmp authorization list wisegroup
crypto map wisemap client configuration address respond
crypto map wisemap 1000 ipsec-isakmp dynamic WISEVPN_dynmap
!
interface FastEthernet0/0
 description LAN_INT
 ip address 172.16.1.7 255.255.255.0
 ip nat inside
 duplex half
 speed 100
!
interface FastEthernet0/1
 description WAN_INT
 ip address 217.xx.xx.xx 255.255.255.248
 ip nat outside
 duplex full
 crypto map wisemap
!
ip local pool wisepool 10.10.11.20 10.10.11.30
ip classless
ip route 0.0.0.0 0.0.0.0 217.xx.xx.xx
!
ip nat inside source list NAT_ADDRESS interface FastEthernet0/1 overload
!
! Exempt LAN-to-pool traffic from NAT so it reaches the crypto map untranslated
ip access-list extended NAT_ADDRESS
 deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255
 permit ip 172.16.1.0 0.0.0.255 any
!
! Split-tunnel list referenced by "acl SPLITREMOTE" in the client group above
ip access-list extended SPLITREMOTE
 permit ip 172.16.1.0 0.0.0.255 any
end

Please, I need to know what is the wrong thing I am doing that I can't reach my LAN, only the LAN interface of my router, which I could ping from the remote system. I have the feeling that it's a routing issue, but I can't say. I also intend to configure a S2S VPN too, with the same router and interface. Please advise!

7 Replies

JORGE RODRIGUEZ
Level 10

Modify the SPLITREMOTE tunnel ACL and try again; it should be as:

deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 any

Jorge Rodriguez

Hi Jorgemcse,

Thank you for your response; I will try it and will surely get back to you! I appreciate it!

Thanks

Teddy

Hi Jorgemcse!

Just to let you know that I added the ACL as you said; still, I wasn't able to reach my LAN. Please, any other suggestions? Like I said, I am able to ping across to my router's LAN interface, but pinging beyond the router's LAN interface is where the problem lies! I do appreciate your earlier suggestion and do look out for more!

Thanks

Teddy

Hi, I think you should first make sure that the traffic actually went through the VPN tunnel when you ping beyond the router's LAN interface. You can check with "show crypto ipsec sa", or even "debug ip packet" with an ACL.

If the packets already reach the router through the VPN tunnel and do go out, then you should check the gateway of the PC in your LAN. If they are not reaching the router at all, you should sniff on your VPN client, or check its route table, to see why the traffic cannot go into the VPN tunnel.
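To make the check in the reply above concrete, here is an added example (my own code, not from the thread and not Cisco's) that parses the per-SA packet counters from "show crypto ipsec sa" and classifies each SA the way the reply describes: decaps without encaps means the client's packets arrive and are decrypted but nothing is ever encrypted back, so the return path (LAN host gateway, NAT exemption) is the suspect; neither counter moving means the client never put traffic into the tunnel. The sample output is constructed in the IOS 12.4 layout with documentation addresses; the class names, category names and next-step text are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show crypto ipsec sa" output in the IOS 12.4 layout
# (documentation addresses, not the ones from the thread).
SAMPLE_SA_OUTPUT = """\
interface: FastEthernet0/1
    Crypto map tag: wisemap, local addr 192.0.2.10

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.10.11.20/255.255.255.255/0/0)
   current_peer 203.0.113.77 port 1043
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 12, #pkts decrypt: 12, #pkts verify: 12
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
"""

# "local  ident" carries two spaces in real output, hence \s+.
IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
COUNT_RE = re.compile(r"#pkts (encaps|decaps): (\d+)")


@dataclass
class SaCounters:
    local_net: str       # router's side of the proxy identity (the protected LAN)
    remote_net: str      # client address the SA was negotiated with
    encaps: int = 0      # packets the router encrypted towards the client
    decaps: int = 0      # packets the router decrypted from the client


def parse_ipsec_sa(text: str) -> list:
    """One SaCounters per 'local ident' block; counters that follow belong to it."""
    sas, cur = [], None
    for line in text.splitlines():
        m = IDENT_RE.search(line)
        if m:
            side, addr, mask = m.groups()
            if side == "local":
                cur = SaCounters(local_net=f"{addr}/{mask}", remote_net="")
                sas.append(cur)
            elif cur is not None:
                cur.remote_net = f"{addr}/{mask}"
            continue
        if cur is not None:
            for name, value in COUNT_RE.findall(line):
                setattr(cur, name, int(value))
    return sas


IDLE, INBOUND_ONLY, OUTBOUND_ONLY, BIDIRECTIONAL = "idle", "inbound_only", "outbound_only", "bidirectional"


def classify(sa: SaCounters) -> str:
    """Direction(s) in which the SA has actually carried packets."""
    if sa.decaps == 0 and sa.encaps == 0:
        return IDLE
    if sa.decaps > 0 and sa.encaps == 0:
        return INBOUND_ONLY
    if sa.decaps == 0:
        return OUTBOUND_ONLY
    return BIDIRECTIONAL


# Assumed wording; it mirrors the decision in the reply above.
NEXT_STEP = {
    IDLE: "client never sent into the tunnel: check the client's route table / split-tunnel list",
    INBOUND_ONLY: "client traffic arrives but no replies are encrypted: check the LAN hosts' gateway and the NAT exemption",
    OUTBOUND_ONLY: "router encrypts but never decrypts: sniff on the client side",
    BIDIRECTIONAL: "traffic flows both ways; the tunnel is not the problem",
}

if __name__ == "__main__":
    for sa in parse_ipsec_sa(SAMPLE_SA_OUTPUT):
        print(f"{sa.local_net} <-> {sa.remote_net}: encaps={sa.encaps} decaps={sa.decaps}")
        print("  ->", NEXT_STEP[classify(sa)])
```

With the constructed sample (12 decaps, 0 encaps) the SA is classified as inbound-only, which is exactly the "pings reach the LAN interface but nothing beyond it answers" symptom: the router is decrypting the client's packets, so the next thing to look at is whether hosts on 172.16.1.0/24 route replies for 10.10.11.0/24 back to the router at all.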

mopaul
Cisco Employee

Hi,

Well, I am not sure why you were suggested to modify the SPLITREMOTE tunnel ACL to make it:

deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255
permit ip 172.16.1.0 0.0.0.255 any

With the above suggested ACL you are, in a way, denying the tunnel traffic from the client to the router.

I have reviewed the configuration; it appears to be good. As a quick troubleshooting step I would suggest this:

ip access-list ext SPLITREMOTE
 permit ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255

## By taking the destination as ANY in SPLITREMOTE you are in no way splitting the tunnel traffic ##

This assumes that the client talks to the LAN interface of the router through the tunnel.

As a quick test, you can connect a host to the router and add a route using the Windows command prompt:

## route ADD 10.10.11.0 mask 255.255.255.0 172.16.1.7 ##

Please do let me know how it goes...

Regards

M

Mohit Paul, CCIE Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.

Hi,

I think the SPLITREMOTE tunnel ACL should be:

ip access-list ext SPLITREMOTE
 permit ip 10.10.11.0 0.0.0.255 172.16.1.0 0.0.0.255

No, the access-list would be with a source of 172.16.1.x and a destination of 10.10.11.x.

I know why you might be thinking of it the other way, because it is used under the client configuration. But it's not that way.

When you configure a S2S VPN tunnel, you configure crypto ACLs on both VPN-terminating end devices, which are mirror images of each other.

For example:

local subnet on Site A is 10.10.11.x
local subnet on Site B is 172.16.1.x

On Site A you will specify the ACL as
10.10.11.x >>> 172.16.1.x

On Site B,
172.16.1.x >>> 10.10.11.x

Now, when you create a dynamic IPsec VPN, you create the crypto ACL ONLY on the site with the dynamic IP address, for the remote site with the static IP on it.

So, if Site B has a static public IP address of aa.aa.aa.bb and the remote Site A is on a dynamic IP, then a dynamic ACL on Site B will be created on its own when the tunnel is negotiated from Site A.

The same is the case with remote VPNs; they are dynamic peers. When you make a VPN connection, all attributes under the client configuration are pushed to the clients; a mirror image of the ACL (i.e. the one configured under the client configuration) would be learnt by the client on its end, which in turn will take the LAN subnet behind the router as the tunnel destination, and hence you will add a route in the client's routing table.

As a quick recreate you can configure dynamic IPsec between 2 VPN devices and, on the static end, once the VPN is up, execute the command

show crypto ipsec sa

and you will find that your VPN device (on the static IP) has learnt a VPN ACL, i.e. the reverse of what is defined on the dynamic site.

Hope this helps.

Regards

M

Mohit Paul, CCIE Security 35496. P.S. Please do rate this post if you find it helpful, to make it easier for others seeking answers to similar queries.
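To make the mirror-image reasoning in the two replies above checkable, here is an added example (my own code, not Cisco's and not posted by anyone in the thread): a small model of IOS extended-ACL matching for "ip" entries (wildcard masks, first match wins, implicit deny at the end) applied to the three SPLITREMOTE variants proposed in this thread. The server side is evaluated against the list as written, the client side against the mirrored list, as the reply describes. The host addresses are constructed, the variant labels are my own, and the model deliberately ignores protocol and port qualifiers.

```python
import ipaddress

# Model of IOS extended-ACL matching (assumption of this example, not Cisco code):
# 'permit|deny ip SRC DST' entries, wildcard masks, first match wins, implicit deny.


def _take_spec(tokens, i):
    """Consume one address spec ('any', 'host A' or 'A WILDCARD') starting at tokens[i]."""
    tok = tokens[i]
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok == "host":
        return ipaddress.ip_network(f"{tokens[i + 1]}/32"), i + 2
    addr, wild = tokens[i], tokens[i + 1]
    # A wildcard mask is the bitwise inverse of a netmask (contiguous masks only here).
    netmask = ipaddress.ip_address(~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False), i + 2


def parse_acl(lines):
    """Return [(action, src_net, dst_net), ...] for the given ACL lines."""
    entries = []
    for line in lines:
        tokens = line.split()
        if not tokens or tokens[0] == "!":
            continue
        action, proto = tokens[0], tokens[1]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, i = _take_spec(tokens, 2)
        dst, _ = _take_spec(tokens, i)
        entries.append((action, src, dst))
    return entries


def acl_selects(entries, src_ip, dst_ip):
    """True if the first matching entry is a permit, i.e. the flow is handed to IPsec."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False  # implicit deny


def mirror(entries):
    """What the other end learns: the same list with source and destination swapped."""
    return [(action, dst, src) for action, src, dst in entries]


def _spec(net):
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def render_acl(entries):
    """Render entries back in IOS syntax."""
    return [f"{a} ip {_spec(s)} {_spec(d)}" for a, s, d in entries]


# The three SPLITREMOTE variants that appear in the thread (labels are mine).
VARIANTS = {
    "original":  ["permit ip 172.16.1.0 0.0.0.255 any"],
    "with-deny": ["deny ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255",
                  "permit ip 172.16.1.0 0.0.0.255 any"],
    "narrowed":  ["permit ip 172.16.1.0 0.0.0.255 10.10.11.0 0.0.0.255"],
}


def evaluate(lines):
    """Which constructed flows each side would hand to IPsec under this variant."""
    server = parse_acl(lines)
    client = mirror(server)
    return {
        "server_lan_to_client": acl_selects(server, "172.16.1.50", "10.10.11.20"),
        "client_to_lan":        acl_selects(client, "10.10.11.20", "172.16.1.50"),
        "client_to_internet":   acl_selects(client, "10.10.11.20", "198.51.100.9"),
    }


if __name__ == "__main__":
    for name, lines in VARIANTS.items():
        print(name, "client-side list:", render_acl(mirror(parse_acl(lines))))
        print("   ", evaluate(lines))
```

Run stand-alone, it prints the list as the client side would see it and, per variant, which of the three constructed flows each side selects. Under this model the original one-liner and the narrowed single-line version both select LAN-to-pool traffic on the router and pool-to-LAN traffic on the client while leaving the client's Internet-bound flow outside the tunnel; the variant with the leading deny selects nothing between the LAN and the pool on either side, which is the objection raised in the first reply above.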