URGENT: Unable to ping vpn client ip from router

Aun Iqbal
Level 1

Hi guys, I have set up a very simple VPN using Cisco guides on the internet.

I can successfully connect to the Cisco VPN client using the config below.

My client PC gets the IP from the pool, let's say 14.1.1.100

but when I try to ping 14.1.1.100 from the router, there is no reply.

When I ping from the router using the local LAN interface as source, it still doesn't work.

Can someone please look at the config and advise what I have been missing?

The config below works and I have tested it successfully. It sets up the VPN connection but I cannot ping any IP addresses.

Please help. Many thanks, 

=======================Config for vpn connection =============================

!
version 12.4
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname vpn2611
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
memory-size iomem 15
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
fax interface-type fax-mail
username cisco password 0 cisco
!
!
!
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
crypto isakmp key cisco123 address 172.18.124.199 no-xauth
!
crypto isakmp client configuration group 3000client
 key cisco123
 dns 10.10.10.10
 wins 10.10.10.20
 domain cisco.com
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp
 set peer 172.18.124.199
 set transform-set myset
 match address 100
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.255.255.0
 speed auto
 half-duplex
 no keepalive
!
interface FastEthernet0/1
 ip address 172.18.124.159 255.255.255.0
 speed 100
 full-duplex
 crypto map clientmap
!
ip local pool ippool 14.1.1.100 14.1.1.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 172.18.124.1
!
!
ip http server
no ip http secure-server
!
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
snmp-server community foobar RO
!
!
!
control-plane
!
!
dial-peer cor custom
!
!
!
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
!
!
end

====================================END OF CONFIG ==========================

3 Replies

Aun Iqbal
Level 1

Can someone please help me with this urgently?

many thanks

Can you ping from the client to the rest of the network? Clients at times have firewalls that won't allow pings to return.

busterswt
Level 1

Hello,

I recommend using an RFC1918 network for your IP pool instead of a publicly routable network such as 14.x.x.x. RFC1918 includes addresses like 10.0.0.0/8, 172.16.0.0 - 172.31.255.255, and 192.168.0.0/16.

You will likely also need to add that new IP pool network to the crypto acl (100).

James
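
The two points in the reply above (is the pool inside RFC 1918 space, and is it covered by a destination in crypto ACL 100) can be checked mechanically against the posted configuration. This is an added example, not part of any post in the thread; the function names are hypothetical, and `CONFIG` holds only the two relevant lines copied from the posted config.

```python
import ipaddress
import re

# RFC 1918 private ranges named in the reply.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The pool and ACL lines copied from the configuration posted in this thread.
CONFIG = """\
ip local pool ippool 14.1.1.100 14.1.1.200
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
"""

def wildcard_net(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network.
    The wildcard is inverted by hand so that 0.0.0.0 means a single host;
    a non-contiguous wildcard raises ValueError."""
    mask = ipaddress.ip_address(int(ipaddress.ip_address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def pools(config):
    """Return {name: (first, last)} for every 'ip local pool' line."""
    found = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        found[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return found

def acl_destinations(config, acl):
    """Destination networks of 'permit ip <src> <wc> <dst> <wc>' entries.
    Entries written with 'any' or 'host' are not handled by this sketch."""
    pat = rf"^access-list {acl} permit ip \S+ \S+ (\S+) (\S+)"
    return [wildcard_net(m[1], m[2]) for m in re.finditer(pat, config, re.M)]

def audit(config, acl="100"):
    """For each pool, report the two properties raised in the reply."""
    dests = acl_destinations(config, acl)
    report = {}
    for name, (first, last) in pools(config).items():
        # A pool is a contiguous range, so checking both ends is sufficient.
        private = any(first in n and last in n for n in RFC1918)
        in_acl = any(first in d and last in d for d in dests)
        report[name] = {"rfc1918": private, "in_crypto_acl": in_acl}
    return report

if __name__ == "__main__":
    for name, result in audit(CONFIG).items():
        print(name, result)
```
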
