Cisco Easy VPN Server, Can't Ping Network Once Connected

Unanswered Question
Nov 21st, 2009

Hi,

I have a 2561XM and with the SDM I setup Easy VPN server. My internal networks are 192.168.4.0/24 and 172.16.20.252/30. My pool is 192.168.70.1-8.

The router is using NAT behind a single static IP. I am VPN'ing from my home which is behind a non-static single public IP.

I can connect to the VPN using the Cisco client, but when I ping I see the below response from the inside interface of the router...


>ping 192.168.4.103

Pinging 192.168.4.103 with 32 bytes of data:
Reply from 172.16.20.253: Destination port unreachable.
Reply from 172.16.20.253: Destination port unreachable.
Reply from 172.16.20.253: Destination port unreachable.
Reply from 172.16.20.253: Destination port unreachable.

Ping statistics for 192.168.4.103:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


Please see my config below.

boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip name-server X.X.X.X
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1315735208
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1315735208
revocation-check none
rsakeypair TP-self-signed-1315735208
!
!
crypto pki certificate chain TP-self-signed-1315735208
certificate self-signed 01
  XXXXXXX


  quit
username xxxxxxxxxxxxxx


!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXX_VPN
key XXXXXXXXXXXXXX
pool SDM_POOL_2
acl 100
max-users 3
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
description XXXXXX Outside$ETH-WAN$
ip address 96.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.20
description Office Network
encapsulation dot1Q 20
ip address 172.16.20.254 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.30
description Public Network
encapsulation dot1Q 30
ip address 172.16.30.254 255.255.255.252
ip access-group Public_ACL in
ip nat inside
ip virtual-reassembly
no cdp enable
!
ip local pool SDM_POOL_1 172.16.50.1 172.16.50.8
ip local pool SDM_POOL_2 192.168.70.1 192.168.70.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 96.x.x.x
ip route 192.168.4.0 255.255.255.0 172.16.20.253
ip route 192.168.12.0 255.255.255.0 172.16.30.253
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.4.215 443 interface FastEthernet0/0 44
ip nat inside source static tcp 192.168.4.215 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.4.214 443 interface FastEthernet0/0 43
ip nat inside source static tcp 192.168.4.214 22 interface FastEthernet0/0 222
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended Public_ACL
deny   ip 192.168.212.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip any any
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.20.252 0.0.0.3 any
access-list 101 remark SDM_ACL Category=18
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.1
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.2
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.3
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.4
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.5
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.1
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.2
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.3
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.4
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.5
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit ip 172.16.20.0 0.0.0.255 any
access-list 101 permit ip 172.16.30.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
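The split-tunnel ACL (100) and the NAT route-map ACL (101) in the config above follow the usual SDM pattern: inside-to-client traffic must be denied in the route-map ACL so it leaves untranslated and matches the IPsec SA, while everything else from the inside is NATed. The script below is an added example, not code from the post or from Cisco: it re-implements IOS first-match ACL semantics (wildcard masks, `host`, `any`, implicit deny) for the plain `ip` entries the posted ACLs use, then reports which pool addresses an inside host would reach through NAT rather than untranslated. The ACL text is copied from the config; the 192.168.70.1-8 range is the pool the question describes in prose (the configured SDM_POOL_2 stops at .5), and 198.51.100.7 is a constructed documentation address.

```python
"""Checker for the SDM-style NAT-exemption pattern in the posted config.

Added example (not code from the post or from Cisco). It models IOS
'access-list' first-match semantics (wildcard masks, 'host', 'any',
implicit deny at the end) for plain 'ip' entries, which is all the
posted ACLs use, and asks: which Easy VPN pool addresses would inside
hosts reach through NAT instead of untranslated?
"""
import ipaddress
import re

# Constructed from the posted config: the split-tunnel ACL (100) and the
# NAT route-map ACL (101). Remark lines are kept to show they are skipped.
CONFIG = """\
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.20.252 0.0.0.3 any
access-list 101 remark SDM_ACL Category=18
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.1
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.2
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.3
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.4
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.5
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.1
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.2
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.3
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.4
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.5
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit ip 172.16.20.0 0.0.0.255 any
access-list 101 permit ip 172.16.30.0 0.0.0.255 any
"""

ENTRY_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+ip\s+(.+)$")


def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    Returns (ip_network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wc = int(ipaddress.ip_address(tokens[1]))
    if wc & (wc + 1):
        raise ValueError(f"non-contiguous wildcard {tokens[1]} not supported here")
    net = ipaddress.ip_network(f"{tokens[0]}/{32 - wc.bit_length()}", strict=False)
    return net, tokens[2:]


def parse_acl(text, number):
    """Return [(action, src_net, dst_net), ...] for numbered ACL `number`, in order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m and m.group(1) == str(number):
            src, rest = _parse_addr(m.group(3).split())
            dst, _ = _parse_addr(rest)
            entries.append((m.group(2), src, dst))
    return entries


def acl_action(entries, src, dst):
    """First matching entry wins; no match is IOS's implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in entries:
        if s in snet and d in dnet:
            return action
    return "deny"


def is_translated(nat_entries, src, dst):
    """Under 'ip nat inside source route-map ... overload', a permit match
    means the packet is translated; a deny (or implicit deny) leaves it alone."""
    return acl_action(nat_entries, src, dst) == "permit"


def unexempted_pool_hosts(nat_entries, inside_nets, pool_first, pool_last):
    """Pool addresses that some inside network would reach NATed rather than
    untranslated, i.e. clients whose return traffic would not match the IPsec SA."""
    client, last = ipaddress.ip_address(pool_first), ipaddress.ip_address(pool_last)
    bad = []
    while client <= last:
        for net in inside_nets:
            probe = next(ipaddress.ip_network(net).hosts())  # first usable inside host
            if is_translated(nat_entries, str(probe), str(client)):
                bad.append(str(client))
                break
        client += 1
    return bad


if __name__ == "__main__":
    nat = parse_acl(CONFIG, 101)
    inside = ["192.168.4.0/24", "172.16.20.252/30"]
    # Pool exactly as configured (SDM_POOL_2 .1-.5): every client is exempted.
    print("configured pool:", unexempted_pool_hosts(nat, inside, "192.168.70.1", "192.168.70.5"))
    # Pool as described in the question text (.1-.8): there are no deny
    # entries for .6-.8, so those clients would be reached through NAT.
    print("pool to .8:", unexempted_pool_hosts(nat, inside, "192.168.70.1", "192.168.70.8"))
```

For the pool as configured the checker reports nothing, so the exemption ACL is consistent with SDM_POOL_2 and is not itself what breaks the pings; with the pool the text describes, clients .6-.8 have no deny entries and would be reached through NAT. The same `acl_action` also confirms the split-tunnel ACL covers 192.168.4.0/24 and 172.16.20.252/30 only, so 192.168.12.0/24 and 172.16.30.0/24 are never sent into the tunnel by the client.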
