
Cisco VPN Client connected to 1841 router but not pinging to remote LAN

shereefmamballi
Level 1

Hi All,

Can anyone help me please...

I am trying to set up remote access VPN on an 1841 router. The VPN client is connecting to the router, but cannot ping the remote LAN.

Here is the config.

Current configuration : 3625 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

enable password mp**********14

!

aaa new-model

!

!

aaa authentication login AUTH local

aaa authorization network AUTH local

!

aaa session-id common

!

resource policy

!

no ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.107.200 192.168.107.250

ip dhcp excluded-address 192.168.107.24

!

ip dhcp pool mpo-dhcp

   network 192.168.107.0 255.255.255.0

   default-router 192.168.107.24

!

!

no ip domain lookup

ip name-server 4.2.2.6

ip name-server 4.2.2.5

ip ddns update method dyndns

HTTP

    add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=myip.dyndns.net&myip=<a>

interval maximum 0 0 1 0

!

vpdn enable

!

vpdn-group pppoe

!

!

!

!

username a***h privilege 15 password 0 ******************

!

!

!

crypto isakmp policy 10

encr aes

authentication pre-share

group 2

crypto isakmp client configuration address-pool lo

!

crypto isakmp client configuration group EZ

key m***********o7

dns 192.168.107.200 4.2.2.2

pool POOL

acl 101

netmask 255.255.255.0

crypto isakmp profile ISAKMP-P

   match identity group EZ

   client authentication list AUTH

   isakmp authorization list AUTH

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set TS esp-aes esp-sha-hmac

mode transport

crypto ipsec profile IP-MPO

set transform-set TS

set isakmp-profile ISAKMP-P

!

!

!

!

!

interface FastEthernet0/0

ip address 192.168.107.24 255.255.255.0

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

duplex auto

speed auto

!

interface FastEthernet0/1

no ip address

ip virtual-reassembly

speed auto

full-duplex

pppoe enable

pppoe-client dial-pool-number 1

!

interface Virtual-Template1 type tunnel

no ip address

tunnel source FastEthernet0/1

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile IP-MPO

!

interface Dialer1

ip ddns update hostname mpo.dyndns.ws

ip ddns update dyndns

ip address negotiated

ip mtu 1492

ip nat outside

ip virtual-reassembly

encapsulation ppp

dialer pool 1

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname *********

ppp chap password 0 ************

ppp pap sent-username ********** password 0 ********

!

ip local pool POOL 10.0.0.10 10.0.0.15

ip route 0.0.0.0 0.0.0.0 Dialer1

!

!

no ip http server

no ip http secure-server

ip dns server

ip nat inside source route-map VPN-NAT interface Dialer1 overload

!

access-list 101 permit ip 192.168.107.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 102 deny   ip 192.168.107.0 0.0.0.255 10.0.0.0 0.0.0.255

access-list 102 permit ip 192.168.107.0 0.0.0.255 any

dialer-list 1 protocol ip permit

!

!

!

route-map VPN-NAT permit 10

match ip address 102

!

control-plane

!

!

line con 0

exec-timeout 0 0

line aux 0

exec-timeout 0 0

line vty 0 4

password **********

logging synchronous

!

scheduler allocate 20000 1000

end

I am not getting any hit on the deny statement of 102 when I try pinging the client IP address (10.0.0.10). Please check this and help with a solution.

2 Replies

mvsheik123
Level 7

Hi Shereef,

Config looks fine (unless I miss something). Internal sw/LAN device has route to 10.0.0.0/255.255.255.0 (or default route) points to router LAN IP?

Thx

MS

Dear Sheik,

Thank you very much for your help. I was missing the ip unnumbered command in the Virtual template interface, so IP services were disabled. It's working after the command.

Thank you again....
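
A check for the misconfiguration this thread resolves, as an added example (not part of the original posts and not Cisco tooling): it scans `show running-config` text for tunnel-type Virtual-Template interfaces that have neither `ip unnumbered` nor an `ip address`. The sample stanzas are constructed from the posted config, and borrowing the address from FastEthernet0/0 in the fixed variant is an assumption, since the thread does not name the interface.

```python
# Constructed sample: interface stanzas reduced from the config posted in the thread.
SAMPLE_CONFIG = """\
interface FastEthernet0/0
 ip address 192.168.107.24 255.255.255.0
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel source FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IP-MPO
!
"""

# Assumption: the thread does not say which interface the address was borrowed
# from; FastEthernet0/0 (the LAN interface) is used here for illustration.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " no ip address\n", " ip unnumbered FastEthernet0/0\n")

def interface_blocks(config):
    """Map each 'interface ...' header to its sub-commands ('!' closes a stanza)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue  # pasted configs often carry blank lines between commands
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line == "!":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def unaddressed_tunnel_templates(config):
    """Tunnel-type Virtual-Templates with neither 'ip unnumbered' nor 'ip address'."""
    findings = []
    for header, cmds in interface_blocks(config).items():
        parts = header.lower().split()
        if not parts[0].startswith("virtual-template") or parts[1:] != ["type", "tunnel"]:
            continue
        if not any(c.startswith(("ip unnumbered ", "ip address ")) for c in cmds):
            findings.append(header.split()[0])
    return findings

if __name__ == "__main__":
    print("as posted:", unaddressed_tunnel_templates(SAMPLE_CONFIG))
    print("with ip unnumbered:", unaddressed_tunnel_templates(FIXED_CONFIG))
```

The parser relies on the `!` separators that `show running-config` emits after each interface stanza, so it also works on configs pasted without indentation.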