VPN Client - connected but cannot ping Router subnet

cheonghomtai
Level 1

Hi Techies...

Previously it was working flawlessly.

I had to rework the router from scratch (don't ask).

This time, VPN Client can connect but the local subnet cannot be reached.

I can ping the router's LAN (int fa0 - 192.168.100.0/24), but beyond that it fails.

I've been searching the net for answers but can't find any.

Previously, I read somewhere that the inside interface has to be disabled with "no ip proxy-arp", and it works!

Now I did the same thing, but no such luck ;-(

Secondly, if I add another interface to the router (fa1 - 192.168.110.0), will reverse-route inject this route to the VPN client?

Thirdly, what's the best way if I want to VPN remotely to a server (via one internet line) using RDP, but the server will be going out to the internet (on another internet line) due to the static public IP address requirement?

Any help is greatly appreciated.

Thanks!

=======================================

aaa new-model
!
!
aaa authentication login WHOAMI local enable
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_1
key xxx
dns 202.188.1.5 202.188.0.133
domain TEST.COM.MY
pool VPN_POOL_1
acl ACL_4_VLAN
max-logins 2
netmask 255.255.255.0
!
crypto isakmp client configuration group VPN_2
key zzz
dns 202.188.1.5 202.188.0.133
domain TEST.COM.MY
pool VPN_POOL_2
acl ACL_4_VLAN
max-logins 5
netmask 255.255.255.0
!
!
crypto ipsec transform-set TRANSFORMERS esp-3des esp-md5-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 1800
set transform-set TRANSFORMERS
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

interface ATM0
description USING ATM on PVC0/35 with AAL5Mux
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
no ip route-cache cef
no ip mroute-cache
no atm ilmi-keepalive
pvc 0/35
encapsulation aal5mux ppp dialer
dialer pool-member 11
!
!
interface FastEthernet0
description $FW_INSIDE$
ip address 192.168.100.253 255.255.255.0
ip access-group ACL_1_OUTGOING in
no ip redirects
no ip unreachables
ip nbar protocol-discovery
ip flow ingress
ip nat inside
ip virtual-reassembly
ip route-cache flow
load-interval 60
speed auto
full-duplex
ipv6 address 2002:3C36:F119::/64 eui-64
!
interface Dialer11
description CONNECT USING SDSL to 1.544Mbps (60.54.241.25)$FW_OUTSIDE$
ip address negotiated
ip access-group ACL_2_INCOMING in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip nat outside
ip inspect SDM_LOW out
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 11
dialer idle-timeout 0
no cdp enable
ppp authentication pap callin
ppp pap sent-username abc@isp password 7 secret
crypto map SDM_CMAP_1
!
ip local pool VPN_POOL_1 172.16.1.10 172.16.1.19
ip local pool VPN_POOL_2 172.16.2.10 172.16.2.19
ip route 0.0.0.0 0.0.0.0 Dialer11
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map DENY_VPN2NAT interface Dialer11 overload
!
ip access-list extended ACL_1_OUTGOING
deny   ip host 255.255.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
permit icmp any any
permit ip any any
!
ip access-list extended ACL_2_INCOMING
permit ip host 172.16.1.14 host 192.168.100.251
permit ip host 172.16.1.14 host 192.168.100.8
permit ip host 172.16.1.10 192.168.100.0 0.0.0.255
permit ip host 172.16.1.11 192.168.100.0 0.0.0.255
permit ip host 172.16.1.12 192.168.100.0 0.0.0.255
permit ip host 172.16.1.13 192.168.100.0 0.0.0.255
permit ip host 172.16.1.14 192.168.100.0 0.0.0.255
permit ip host 172.16.1.15 192.168.100.0 0.0.0.255
permit ip host 172.16.1.16 192.168.100.0 0.0.0.255
permit ip host 172.16.1.17 192.168.100.0 0.0.0.255
permit ip host 172.16.1.18 192.168.100.0 0.0.0.255
permit ip host 172.16.1.19 192.168.100.0 0.0.0.255
permit ip host 172.16.2.10 192.168.100.0 0.0.0.255
permit ip host 172.16.2.11 192.168.100.0 0.0.0.255
permit ip host 172.16.2.12 192.168.100.0 0.0.0.255
permit ip host 172.16.2.13 192.168.100.0 0.0.0.255
permit ip host 172.16.2.14 192.168.100.0 0.0.0.255
permit ip host 172.16.2.15 192.168.100.0 0.0.0.255
permit ip host 172.16.2.16 192.168.100.0 0.0.0.255
permit ip host 172.16.2.17 192.168.100.0 0.0.0.255
permit ip host 172.16.2.18 192.168.100.0 0.0.0.255
permit ip host 172.16.2.19 192.168.100.0 0.0.0.255
permit udp any any eq non500-isakmp
permit udp any any eq isakmp
permit esp any any
permit ahp any any
permit udp host 202.188.0.133 eq domain any
permit udp host 202.188.1.5 eq domain any
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit icmp any any unreachable
deny   ip 10.0.0.0 0.255.255.255 any
deny   ip 172.16.0.0 0.15.255.255 any
deny   ip 192.168.0.0 0.0.255.255 any
deny   ip 127.0.0.0 0.255.255.255 any
deny   ip host 255.255.255.255 any
deny   ip host 0.0.0.0 any log
!
ip access-list extended ACL_3_NONAT
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.10
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.11
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.12
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.13
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.14
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.15
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.16
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.17
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.18
deny   ip 192.168.100.0 0.0.0.255 host 172.16.1.19
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.10
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.11
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.12
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.13
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.14
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.15
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.16
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.17
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.18
deny   ip 192.168.100.0 0.0.0.255 host 172.16.2.19
permit ip 192.168.100.0 0.0.0.255 any log
!
ip access-list extended ACL_4_VLAN
permit ip 192.168.100.0 0.0.0.255 any
permit ip 192.168.110.0 0.0.0.255 any
permit ip 192.168.120.0 0.0.0.255 any
!
route-map DENY_VPN2NAT permit 10
match ip address ACL_3_NONAT
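The two ACLs that decide whether a VPN-pool client reaches the LAN can be checked mechanically. The following is an added example, not the poster's config or any Cisco tool: it parses the ACE syntax used in the post and, for every address in each ip local pool, verifies that ACL_3_NONAT denies the LAN-to-client flow (so route-map DENY_VPN2NAT leaves the return traffic untranslated) and that ACL_2_INCOMING permits the client-to-LAN flow, which the post's per-host permits assume is checked against the decrypted traffic on Dialer11. The pools and ACLs in the block are a constructed, shortened variant of the post's with one address left uncovered in each, so the checker has something to report.

```python
import ipaddress

def parse_ace(line):
    """'permit|deny ip <src> <dst> [log]' -> (action, src_net, dst_net); a side is
    'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' (a hostmask, which ipaddress
    accepts after the slash, except that 0.0.0.0 means a single host)."""
    toks, nets, i = line.split(), [], 2  # toks[1] is the protocol, ignored here
    for _ in range(2):
        if toks[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0")); i += 1
        elif toks[i] == "host":
            nets.append(ipaddress.ip_network(toks[i + 1] + "/32")); i += 2
        else:
            wild = "32" if toks[i + 1] == "0.0.0.0" else toks[i + 1]
            nets.append(ipaddress.ip_network(f"{toks[i]}/{wild}", strict=False)); i += 2
    return toks[0], nets[0], nets[1]

def parse_acl(text):  # ACEs of an 'ip access-list extended' body; other lines skipped
    return [parse_ace(l) for l in text.splitlines() if l.strip().startswith(("permit", "deny"))]

def acl_action(acl, src, dst):
    """First-match evaluation; an IOS ACL ends with an implicit deny."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action
    return "deny"

def check_vpn_pools(pools, lan, nonat_acl, incoming_acl):
    """'nat_leak': pool addresses whose LAN->client return traffic the NAT route-map
    still translates (NONAT ACL does not deny it); 'blocked': client->LAN not permitted."""
    lan_host = next(ipaddress.ip_network(lan).hosts())  # any LAN host will do
    leaks, blocked = [], []
    for first, last in pools:  # expand each 'ip local pool' range
        for n in range(int(ipaddress.ip_address(first)), int(ipaddress.ip_address(last)) + 1):
            client = ipaddress.ip_address(n)
            if acl_action(nonat_acl, lan_host, client) != "deny":
                leaks.append(str(client))
            if acl_action(incoming_acl, client, lan_host) != "permit":
                blocked.append(str(client))
    return {"nat_leak": leaks, "blocked": blocked}

# Constructed sample shaped like the post's config, with one address left uncovered in each ACL.
POOLS = [("172.16.1.10", "172.16.1.12"), ("172.16.2.10", "172.16.2.12")]
NONAT = parse_acl("""
deny   ip 192.168.100.0 0.0.0.255 172.16.1.10 0.0.0.1
deny   ip 192.168.100.0 0.0.0.255 172.16.2.0 0.0.0.255
permit ip 192.168.100.0 0.0.0.255 any log""")
INCOMING = parse_acl("""
permit ip 172.16.1.0 0.0.0.255 192.168.100.0 0.0.0.255
permit ip 172.16.2.10 0.0.0.1 192.168.100.0 0.0.0.255""")
```

Fed the full ACL_3_NONAT and ACL_2_INCOMING from the post, it returns two empty lists, which means the pool coverage in these two ACLs is not what breaks the ping.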

---------------------------------------------------------------------

1 Reply

cheonghomtai
Level 1

Hi,

Anyone with similar problems before?

Thanks.
