EzVPN Problem - Cannot transfer Data

mnlatif
Level 3

Hi All,

I have a Cisco 1721 router configured as an EzVPN server and am trying to connect using a Cisco 3.6.3 VPN Client.

The problem is that I get connected fine and also get an IP address. The remote subnet also appears in my Cisco Client; however, I cannot ping, etc., any other device on the remote subnet (i.e. connected to the Cisco 1721).

Setup is:

172.28.2.x---Cisco 1721----Public IP Address-----Cisco Client

IP pool = 172.28.5.x

Relevant 1721 config is:

hostname naman-router
!
username naman secret 5 xxxxxxxxx
clock timezone PST -8
clock summer-time PDT recurring
aaa new-model
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network mylist local
aaa session-id common
ip subnet-zero
no ip source-route
!
ip domain name xxxx.com
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
crypto isakmp identity hostname
crypto isakmp client configuration address-pool local mypool1
!
crypto isakmp client configuration group yyyyyy
 key xxxxx
 dns 172.28.2.10
 wins 172.28.2.10
 domain xxxxx.com
 pool mypool1
 acl 121
!
crypto ipsec transform-set myset esp-des esp-sha-hmac
crypto ipsec transform-set myset1 esp-des esp-md5-hmac
!
crypto dynamic-map mymap 1
 set transform-set myset1
 reverse-route
!
crypto map mymap client authentication list default
crypto map mymap isakmp authorization list mylist
crypto map mymap client configuration address respond
crypto map mymap 1 ipsec-isakmp dynamic mymap
!
interface Ethernet0
 ip address x.x.x.x 255.255.255.192
 no ip redirects
 half-duplex
 no cdp enable
 crypto map mymap
!
interface FastEthernet0
 ip address 172.28.2.1 255.255.255.0
 no ip proxy-arp
 speed auto
!
ip local pool mypool1 172.28.5.1 172.28.5.100
ip classless
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
!
access-list 121 permit ip 172.28.2.0 0.0.0.255 any
!

2 Replies

gfullage
Cisco Employee

You're missing the group authorization AAA list reference (actually I'm surprised you get connected without it). Add:

> aaa authorization network mylist local

This references your:

> crypto map mymap isakmp authorization list mylist

command. I would also change:

> access-list 121 permit ip 172.28.2.0 0.0.0.255 any

to:

> access-list 121 permit ip 172.28.2.0 0.0.0.255 172.28.5.0 0.0.0.255
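The two points in the reply above are easy to check mechanically before deploying an EzVPN server config. The following is an added example, not code from this thread or from Cisco: a small Python lint over an IOS config excerpt that (1) confirms every AAA list named by "crypto map ... isakmp authorization list" has a matching "aaa authorization network" definition and (2) flags a split-tunnel ACL whose destination is "any" instead of the client pool. The config strings are constructed from the posted config; placeholder values are kept as in the post.

```python
import re

# Constructed excerpt of the 1721 config as posted: the AAA network list is
# present, but the split-tunnel ACL referenced by the client group ends in 'any'.
POSTED = """\
aaa authorization network mylist local
crypto isakmp client configuration group yyyyyy
 pool mypool1
 acl 121
crypto map mymap isakmp authorization list mylist
access-list 121 permit ip 172.28.2.0 0.0.0.255 any
"""
# Same excerpt after applying the ACL change suggested in the reply.
FIXED = POSTED.replace("172.28.2.0 0.0.0.255 any",
                       "172.28.2.0 0.0.0.255 172.28.5.0 0.0.0.255")

def _acl_destination(entry):
    """Destination token of 'access-list N permit ip <src> <dst>', or None."""
    toks = entry.split()
    if len(toks) < 5 or toks[2:4] != ["permit", "ip"]:
        return None
    rest = toks[4:]                     # <src> is 'any' (1 token) or 2 tokens
    dst = rest[1:] if rest[0] == "any" else rest[2:]
    return dst[0] if dst else None

def lint_ezvpn_config(config):
    """Return a list of findings for the two EzVPN server mistakes discussed."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # 1. Each list named by 'crypto map ... isakmp authorization list X'
    #    needs a matching 'aaa authorization network X ...' definition.
    defined = {m.group(1) for l in lines
               if (m := re.match(r"aaa authorization network (\S+)", l))}
    for l in lines:
        m = re.match(r"crypto map (\S+) isakmp authorization list (\S+)", l)
        if m and m.group(2) not in defined:
            findings.append(f"crypto map {m.group(1)}: AAA list "
                            f"'{m.group(2)}' is not defined")
    # 2. The split-tunnel ACL named by 'acl N' under the client group should
    #    match the VPN pool as destination, not 'any'.
    split_acls = {m.group(1) for l in lines if (m := re.match(r"acl (\d+)$", l))}
    for l in lines:
        m = re.match(r"access-list (\d+) ", l)
        if m and m.group(1) in split_acls and _acl_destination(l) == "any":
            findings.append(f"access-list {m.group(1)}: split-tunnel entry "
                            "uses destination 'any'; restrict it to the pool")
    return findings

if __name__ == "__main__":
    for name, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(name, lint_ezvpn_config(cfg) or "no findings")
```

Note that this only covers the router side; it cannot see whether an upstream firewall (such as the PIX in this thread) passes ESP and UDP/500 to the 1721.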

> aaa authorization network mylist local was already there in the script, as you can see from the above posted config.

However, I was going through a static mapping through a PIX firewall, and it wasn't allowing incoming ESP packets, so it was a misconfiguration on my part. It works now.

Thanks \\ Naman