04-10-2003 02:30 PM - edited 02-21-2020 12:28 PM
If I ping from the client to the network (behind the router), the debug shows the client encrypting and the router decrypting. The ping will not reply, because the router is not encrypting and thus the client is not getting anything to decrypt.
The setup is a little different because the default route is to the inside of the network, as this is not the regular internet gateway. I have to add routes pointing out to the internet for the connecting client. Also, one machine does use this as a gateway (using a route-map). To troubleshoot, I have removed the custom route-map, to no avail. I am thinking about changing the default route, but I can't see how it would affect it.
Any ideas? Am I missing something?
Cisco 2621 running 12.2T(15), to the latest client.
username XXX password 7 XXXXXX
aaa new-model
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXX
key XXXXX
pool ippool
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
interface Loopback1
ip address 192.168.254.1 255.255.255.0
!
interface FastEthernet0/0
ip address 200.x.x.x 255.255.x.x
no ip proxy-arp
ip nat outside
duplex auto
speed auto
crypto map clientmap
!
interface FastEthernet0/1
ip address 10.0.0.1 255.255.255.0
no ip proxy-arp
ip nat inside
ip policy route-map CUSTOMGATE
duplex auto
speed auto
!
ip local pool ippool 10.172.10.100 10.172.10.200
ip nat inside source route-map nonat interface FastEthernet0/0 overload
no ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.0.0.30
ip route 20.x.x.x 255.255.255.255 200.x.x.x
! the /32 above is here to let the router talk to the client
access-list 100 deny ip 10.0.0.0 0.0.0.255 10.172.10.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
access-list 110 deny ip host 10.0.0.73 10.1.0.0 0.0.0.255
access-list 110 permit ip host 10.0.0.73 any
!
route-map CUSTOMGATE permit 10
match ip address 110
set ip next-hop 200.x.x.x
!
route-map nonat permit 10
match ip address 100
!
!
04-10-2003 10:55 PM
At least add:
> ip route 10.172.10.0 255.255.255.0 200.x.x.x
to force the traffic for the VPN clients out the outside interface. Also make sure you have a route for the client's actual IP address (not the VPN-negotiated one) that points out the outside interface as well.
The fact that the router is not encrypting means that it's not even seeing the replies from the inside hosts, indicating that your internal network doesn't have a route to 10.172.10.0 pointing to this router, OR the router is receiving the replies but is sending them back out the inside interface, which will be fixed by the first route I mentioned above.
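To make the reasoning in the reply concrete, here is an added example (not part of the original thread, and not Cisco code) that models the router's forwarding decision for a ping reply from an inside host to a VPN client, before and after the suggested static route is added. It rebuilds the routing table, the `ip local pool`, the `crypto map` interface binding and the `nonat` ACL from the posted config. The outside address and next hop appear on the page only as 200.x.x.x, so they are kept as labels rather than invented addresses; the inside host 10.0.0.5 and the test destinations are constructed sample values.

```python
import ipaddress

# Routing table reconstructed from the posted config (constructed sample data).
# Each entry: (prefix, next-hop label, egress interface).
BASE_ROUTES = [
    ("10.0.0.0/24", "connected", "FastEthernet0/1"),
    ("192.168.254.0/24", "connected", "Loopback1"),
    ("0.0.0.0/0", "10.0.0.30", "FastEthernet0/1"),  # default route points INSIDE
]
# The route the reply recommends. "200.x.x.x" is the page's elided outside address.
FIX_ROUTE = ("10.172.10.0/24", "200.x.x.x", "FastEthernet0/0")

VPN_POOL = ipaddress.ip_network("10.172.10.0/24")  # ip local pool ippool
CRYPTO_MAP_INTERFACE = "FastEthernet0/0"            # crypto map clientmap is bound here

# access-list 100, as used by route-map nonat: "deny" means do NOT translate.
NONAT_ACL = [
    ("deny", "10.0.0.0/24", "10.172.10.0/24"),
    ("permit", "10.0.0.0/24", "0.0.0.0/0"),
]


def lookup(routes, dst):
    """Longest-prefix match over the table; returns (network, next_hop, interface) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def is_translated(src, dst):
    """True if 'ip nat inside source route-map nonat' would PAT this flow."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, s, d in NONAT_ACL:
        if src in ipaddress.ip_network(s) and dst in ipaddress.ip_network(d):
            return action == "permit"
    return False  # not matched by the route-map: left untranslated


def forward_reply(routes, src, dst):
    """Model the router's handling of an inside host's reply to a VPN client.

    A dynamic crypto map only sees packets that egress the interface it is bound
    to, and the client's negotiated proxy identity covers its pool address, so
    the reply is encrypted only if routing sends it out FastEthernet0/0.
    """
    hit = lookup(routes, dst)
    if hit is None:
        return {"egress": None, "matched": None, "encrypted": False, "translated": False}
    net, next_hop, iface = hit
    encrypted = iface == CRYPTO_MAP_INTERFACE and ipaddress.ip_address(dst) in VPN_POOL
    return {
        "egress": iface,
        "next_hop": next_hop,
        "matched": str(net),
        "encrypted": encrypted,
        "translated": is_translated(src, dst),
    }


if __name__ == "__main__":
    client = "10.172.10.100"  # an address from ippool
    print("before fix:", forward_reply(BASE_ROUTES, "10.0.0.5", client))
    print("after fix: ", forward_reply(BASE_ROUTES + [FIX_ROUTE], "10.0.0.5", client))
```

Before the fix the reply matches only 0.0.0.0/0, leaves FastEthernet0/1 towards 10.0.0.30 and never reaches the crypto map, which is exactly the "router decrypting but not encrypting" symptom in the debug. After the /24 for the pool is added, longest-prefix match wins, the packet egresses FastEthernet0/0, the `nonat` ACL leaves it untranslated, and the dynamic map can encrypt it.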