08-13-2012 10:25 AM
Hi All,
Can anyone help me please...
I am trying to set up remote access VPN on an 1841 router. The VPN client is connecting to the router, but cannot ping the remote LAN.
Here is the config.
Current configuration : 3625 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password mp**********14
!
aaa new-model
!
!
aaa authentication login AUTH local
aaa authorization network AUTH local
!
aaa session-id common
!
resource policy
!
no ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.107.200 192.168.107.250
ip dhcp excluded-address 192.168.107.24
!
ip dhcp pool mpo-dhcp
network 192.168.107.0 255.255.255.0
default-router 192.168.107.24
!
!
no ip domain lookup
ip name-server 4.2.2.6
ip name-server 4.2.2.5
ip ddns update method dyndns
HTTP
add http://username:password@members.dyndns.org/nic/update?system=dyndns&hostname=myip.dyndns.net&myip=<a>
interval maximum 0 0 1 0
!
vpdn enable
!
vpdn-group pppoe
!
!
!
!
username a***h privilege 15 password 0 ******************
!
!
!
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration address-pool lo
!
crypto isakmp client configuration group EZ
key m***********o7
dns 192.168.107.200 4.2.2.2
pool POOL
acl 101
netmask 255.255.255.0
crypto isakmp profile ISAKMP-P
match identity group EZ
client authentication list AUTH
isakmp authorization list AUTH
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
mode transport
crypto ipsec profile IP-MPO
set transform-set TS
set isakmp-profile ISAKMP-P
!
!
!
!
!
interface FastEthernet0/0
ip address 192.168.107.24 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
duplex auto
speed auto
!
interface FastEthernet0/1
no ip address
ip virtual-reassembly
speed auto
full-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface Virtual-Template1 type tunnel
no ip address
tunnel source FastEthernet0/1
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile IP-MPO
!
interface Dialer1
ip ddns update hostname mpo.dyndns.ws
ip ddns update dyndns
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname *********
ppp chap password 0 ************
ppp pap sent-username ********** password 0 ********
!
ip local pool POOL 10.0.0.10 10.0.0.15
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip dns server
ip nat inside source route-map VPN-NAT interface Dialer1 overload
!
access-list 101 permit ip 192.168.107.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 deny ip 192.168.107.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 192.168.107.0 0.0.0.255 any
dialer-list 1 protocol ip permit
!
!
!
route-map VPN-NAT permit 10
match ip address 102
!
control-plane
!
!
line con 0
exec-timeout 0 0
line aux 0
exec-timeout 0 0
line vty 0 4
password **********
logging synchronous
!
scheduler allocate 20000 1000
end
I am not getting any hit on the deny statement of 102 when I try pinging the client IP address (10.0.0.10). Please check this and help with a solution.
08-16-2012 08:42 PM
Hi Shereef,
Config looks fine (unless I miss something). Internal sw/LAN device has route to 10.0.0.0/255.255.255.0 (or default route) pointing to router LAN IP?
Thx
MS
08-17-2012 03:50 AM
Dear Sheik,
Thank you very much for your help. I was missing the ip unnumbered command in the Virtual-Template interface, so IP services were disabled. It's working after the command.
Thank you again....
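
Added example (not part of the original posts): a small Python check for the condition that resolved this thread, a Virtual-Template interface with `no ip address` and no `ip unnumbered`. The sample text is constructed from the posted interface blocks, and the borrowed interface in `FIXED` is an assumption, since the thread does not say which one was used.

```python
# Constructed sample: interface blocks taken from the configuration posted above.
POSTED = """\
interface FastEthernet0/0
ip address 192.168.107.24 255.255.255.0
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
tunnel protection ipsec profile IP-MPO
!
"""
# Assumption: the thread does not name the borrowed interface; the LAN
# interface is used here only to exercise the check.
FIXED = POSTED.replace("no ip address", "ip unnumbered FastEthernet0/0")

def parse_interfaces(config):
    """Map interface name -> sub-commands. Blocks end at '!', so a paste
    that lost its indentation (as in the thread) still parses."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            blocks[current] = []
        elif line in ("", "!"):
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def has_address(cmds):
    return any(c.startswith("ip address ") for c in cmds)

def check_virtual_templates(config):
    """Return (interface, problem) pairs for templates with IP processing off."""
    blocks, findings = parse_interfaces(config), []
    for name, cmds in blocks.items():
        if not name.lower().startswith("virtual-template") or has_address(cmds):
            continue
        borrowed = [c.split()[2] for c in cmds if c.startswith("ip unnumbered ")]
        if not borrowed:
            findings.append((name, "no ip address and no ip unnumbered"))
        elif not has_address(blocks.get(borrowed[0], [])):
            findings.append((name, borrowed[0] + " has no address to borrow"))
    return findings

if __name__ == "__main__":
    print(check_virtual_templates(POSTED))
    print(check_virtual_templates(FIXED))
```

The second finding type covers a template whose `ip unnumbered` target is undefined or itself unaddressed, which leaves the tunnel in the same state as the posted configuration.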