Remote VPN on Cisco 1811 - Unable to ping internal addresses

Mar 3rd, 2010

To All,


We are trying to set up a remote VPN on an 1811.  We are able to successfully log into the 1811 utilizing the VPN client, but when I try to ping an internal address, we get no response.  I can ping the internal interfaces on the router after authenticating, and when I am on the router itself, I can ping the internal address (192.168.1.50), but no success pinging 192.168.1.50 through the VPN client.  Have made several adjustments without success and the configuration is bare-bones at this point.  Any advice offered would be sincerely appreciated.  Sensitive information has been X'ed out.


Brian


----


router#sh run
Building configuration...

Current configuration : 5893 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 4096

!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_5 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2261330571
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2261330571
revocation-check none
rsakeypair TP-self-signed-2261330571
!
!
crypto pki certificate chain TP-self-signed-2261330571
certificate self-signed 01
        quit
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.151 192.168.1.254
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   domain-name XXXXXXX.XXX
   dns-server x.x.x.x
!
!
ip name-server x.x.x.x
ip name-server x.x.x.x
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
request-dialin
  protocol pppoe
!
!
!
username XXXXX privilege 15 password 0 XXXXX
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN
key test
dns x.x.x.x
pool SDM_POOL_2
acl 101
banner ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an Authorized user^C
crypto isakmp profile MIDSVPN-ike-profile-1
   match identity group VPN
   client authentication list sdm_vpn_xauth_ml_5
   isakmp authorization list sdm_vpn_group_ml_5
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
!
crypto ipsec profile MIDSVPN
set transform-set SDM_TRANSFORMSET_1
set isakmp-profile MIDSVPN-ike-profile-1
!
!
archive
log config
  hidekeys
!
!
!
!
bba-group pppoe global
!
!
interface Loopback0
ip address 192.168.10.1 255.255.255.255
!
interface Loopback1
no ip address
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet1
no ip address
duplex auto
speed auto
pppoe enable group global
pppoe-client dial-pool-number 1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile MIDSVPN
!
interface Vlan1
description Int Address
ip address 192.168.1.1 255.255.255.0
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
interface Dialer0
no ip address
!
interface Dialer1
mtu 1400
ip address negotiated
ip nat outside
ip virtual-reassembly
encapsulation ppp
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxx
ppp chap password xxxx
ppp pap sent-username xxxx password xxxx
ppp ipcp address accept
!
ip local pool SDM_POOL_2 192.168.3.1 192.168.3.10
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
!
logging trap debugging
logging 192.168.1.1
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.3.0 0.0.0.255
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 101 permit ip 192.168.3.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
!
!
control-plane
!
banner login
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
!
end

Yudong Wu Wed, 03/03/2010 - 13:01

I would like to suggest the following

1. Check the route on 192.168.1.50: does this host have a route to the 192.168.3.0 network or a default route?

2. NAT: from the configuration, you have already excluded VPN packets from being NATed. You can try using a 'route-map' instead of an ACL to see if it makes any difference.
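To make these two checks concrete, here is an added example (my own Python, not code from the thread or from Cisco) that models NAT ACL 100 from the posted configuration with Cisco wildcard-mask semantics and the inside host's routing table, then walks an echo reply from 192.168.1.50 back toward a VPN client. The client address 192.168.3.1 and the host route lists are constructed values.

```python
import ipaddress

# Cisco ACL wildcard (inverse) masks: a 0 bit must match, a 1 bit is "don't care".
def wildcard_match(addr, base, wildcard):
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    return (a & ~w) == (b & ~w)

# access-list 100 as posted: (action, src, src_wc, dst, dst_wc); "any" = 0.0.0.0 255.255.255.255
NAT_ACL_100 = [
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.3.0", "0.0.0.255"),
    ("permit", "192.168.1.0", "0.0.0.255", "0.0.0.0",     "255.255.255.255"),
]

def nat_applies(src, dst, acl=NAT_ACL_100):
    """First-match evaluation with the implicit deny at the end.
    For 'ip nat inside source list', permit = translate, deny = leave untranslated (NAT exemption)."""
    for action, s, swc, d, dwc in acl:
        if wildcard_match(src, s, swc) and wildcard_match(dst, d, dwc):
            return action == "permit"
    return False

def host_can_reply(host_routes, dst, default_gateway=None):
    """Does the inside host have any route to dst?
    host_routes are its connected prefixes (constructed); the gateway is optional on purpose."""
    target = ipaddress.ip_address(dst)
    if any(target in ipaddress.ip_network(r) for r in host_routes):
        return True
    return default_gateway is not None

def ping_round_trip(client_ip, host_ip, host_routes, default_gateway=None):
    """The request already reaches the host over the tunnel (XAUTH works in the thread),
    so only the return leg is modelled: the host needs a route to the pool, and the
    router must not NAT the reply toward Dialer1."""
    if not host_can_reply(host_routes, client_ip, default_gateway):
        return "no reply: host has no route to the VPN pool"
    if nat_applies(host_ip, client_ip):
        return "no reply: reply was NATed out Dialer1"
    return "reply"

if __name__ == "__main__":
    # Constructed case matching the thread: host on 192.168.1.0/24 with no default gateway.
    print(ping_round_trip("192.168.3.1", "192.168.1.50", ["192.168.1.0/24"]))
    print(ping_round_trip("192.168.3.1", "192.168.1.50", ["192.168.1.0/24"], "192.168.1.1"))
```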

bjrogers Wed, 03/03/2010 - 14:42

Kevin,


I had already tried suggestion number 2 before posting, but it did not help.


In regards to suggestion 1, I wrongly presumed/assumed there were default gateways on their PCs/printers.  The symptoms definitely match up... for a test, I took off NAT, sourced a ping from Loopback0, and did not get a response from 192.168.1.50.


Customer will be onsite early next week to check the PCs/printers, as I was working on this remotely.


Thanks for the response.  (Every once in a while it can be embarrassingly simple.)


Brian
