IOS router to VPN client no network access

admin_2
Level 3

Hello,

I have a 2691 router and I am connecting to it with Cisco VPN client 4.0.3E for Mac OSX.

I am able to connect and authenticate but I am unable to access any computers on the network.

The only thing I can ping is the loopback 127.0.0.1. I disabled NAT on the outside interface to see if it was part of the problem, but it did not help.

Any ideas?

Thanks in advance.

aaa new-model
!
!
aaa authentication login vpn_auth local
aaa authentication login clientauth local
aaa authorization network groupauth local
aaa session-id common
ip subnet-zero
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local VPN_POOL
!
crypto isakmp client configuration group VPN_GROUP
 key *************
 dns 172.16.254.253 172.16.254.9
 domain AAAAAAAAAAA.org
 pool VPN_POOL
crypto isakmp profile ISAKMP_PROFILE
 match identity group VPN_GROUP
 client authentication list client_auth
 isakmp authorization list groupauth
 client configuration address initiate
 client configuration address respond
 initiate mode aggressive
!
!
crypto ipsec transform-set VPN_TRANSFORM esp-des esp-md5-hmac
!
crypto dynamic-map VPN_DYNAMIC 200
 set transform-set VPN_TRANSFORM
!
!
crypto map VPN_MAP client configuration address initiate
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 50 ipsec-isakmp dynamic VPN_DYNAMIC
!
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.254.10 255.255.255.0
 ip nat inside
 ip policy route-map www_redirect
 appletalk cable-range 2-2 2.26
 appletalk zone Default Zone
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.1.219 255.255.255.192
 ip nat outside
 appletalk cable-range 10-10 10.93
 appletalk zone Default Zone
 crypto map VPN_MAP
!
interface FastEthernet0/1
 ip address 172.16.255.253 255.255.255.0
 ip nat inside
 ip policy route-map www_redirect
 duplex auto
 speed auto
ip local pool VPN_POOL 172.16.254.245 172.16.254.250
ip nat translation tcp-timeout 300
ip nat pool nat-pool 10.1.1.220 10.1.1.225 netmask 255.255.255.192
ip nat inside source route-map nonat pool nat-pool overload
ip nat inside source static tcp 172.16.254.9 80 10.1.1.205 80 extendable
ip nat inside source static tcp 172.16.254.9 548 10.1.1.205 548 extendable
access-list 110 deny tcp 172.16.254.0 0.0.0.255 any eq www
access-list 110 permit tcp any any eq www
access-list 110 deny tcp any any
access-list 124 deny ip 10.1.1.192 0.0.0.63 any
access-list 124 deny esp 10.1.1.192 0.0.0.63 any
access-list 124 deny tcp any any eq 3689
access-list 124 deny udp any any eq 3689
access-list 124 deny tcp any any eq 4747
access-list 124 deny tcp any any eq 4748
access-list 124 deny udp any any eq 6144
access-list 124 deny tcp any any range 6346 6351
access-list 124 deny udp any any range 6346 6351
access-list 124 deny tcp any any eq 1214
access-list 124 deny udp any any eq 1214
access-list 124 permit ip any any
route-map www_redirect permit 10
 match ip address 110
 set ip next-hop 172.16.254.253
!
route-map nonat permit 10
 match ip address 124
!

1 Reply

Not applicable

Here is a little more info. I connected from a Win2k machine and had the same problem: no network access. Debug IPsec revealed no errors. I pinged the 172.16.255.253 router interface and received no reply. Show crypto ipsec sa tells me that the ping packet was received by the router and decrypted without error. Debug IP packet shows the ping packet was received and a reply packet sent, but there is an "encapsulation failed" on the reply packet. What does this mean? Does this have something to do with me using sub-interfaces on the Ethernet?

Thanks in advance.

Mar 15 22:07:21.769: IP: s=172.16.254.245 (FastEthernet0/0.10), d=172.16.255.253, len 60, rcvd 4
Mar 15 22:07:21.773: IP: s=172.16.255.253 (local), d=172.16.254.245 (FastEthernet0/0.2), len 60, sending
Mar 15 22:07:21.773: IP: s=172.16.255.253 (local), d=172.16.254.245 (FastEthernet0/0.2), len 60, encapsulation failed
Mar 15 22:07:21.857: IP: s=10.1.1.219 (local), d=65.32.238.50 (FastEthernet0/0.10), len 124, sending

interface: FastEthernet0/0.10
    Crypto map tag: VPN_MAP, local addr. 10.1.1.219

   protected vrf:
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.16.254.245/255.255.255.255/0/0)
   current_peer: 65.32.238.50:61365
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 920, #pkts decrypt: 920, #pkts verify 920
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.1.1.219, remote crypto endpt.: 65.32.238.50
     path mtu 1500, media mtu 1500
     current outbound spi: 211B750A

     inbound esp sas:
      spi: 0xCDAE28B9(3450742969)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4577152/2121)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x211B750A(555447562)
        transform: esp-des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        slot: 0, conn id: 2001, flow_id: 2, crypto map: VPN_MAP
        sa timing: remaining key lifetime (k/sec): (4577265/2121)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
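The original post and the follow-up point at the same cause, and the sub-interfaces are not it. The VPN pool (172.16.254.245-.250) is carved out of 172.16.254.0/24, which is directly connected on FastEthernet0/0.2. The router therefore treats the client address as a LAN neighbour: the debug shows the reply being routed to `d=172.16.254.245 (FastEthernet0/0.2)`, the router ARPs for it on that VLAN, nobody answers, and the packet is dropped with "encapsulation failed" instead of being handed to the crypto map on FastEthernet0/0.10. The SA counters say the same thing: 920 packets decapsulated, 0 encapsulated. LAN hosts fail in the same way, because they ARP for the client on their own subnet and never send the reply to the router at all. The configuration below is an added example, not part of the thread; it keeps every name from the posted config (VPN_POOL, VPN_DYNAMIC, ISAKMP_PROFILE, VPN_TRANSFORM, route-map nonat) and introduces the 172.16.253.0/24 pool subnet and access-list 125 as assumptions. It also makes the XAuth list name consistent: the profile references `client_auth`, but only `clientauth` and `vpn_auth` are defined.

```cisco
! Added example (not from the thread). Only the changed pieces are shown;
! everything else stays as in the original post. The 172.16.253.0/24 pool
! and access-list 125 are assumed values, chosen so that the pool does not
! overlap any subnet connected to the router.

! 1. Give the clients their own subnet. A pool taken out of 172.16.254.0/24
!    makes the router (and every LAN host) ARP for the client on VLAN 2,
!    which is what "encapsulation failed" in the debug output means.
!    (Existing sessions must be cleared before the pool can be redefined.)
clear crypto sa
no ip local pool VPN_POOL
ip local pool VPN_POOL 172.16.253.1 172.16.253.50

! 2. Reverse-route injection installs a host route for each connected client
!    pointing at the crypto map on Fa0/0.10, so replies are encrypted rather
!    than routed by the default route. Keeping the overlapping pool would
!    also work with reverse-route plus proxy-ARP on Fa0/0.2, but a separate
!    subnet avoids relying on proxy-ARP.
crypto dynamic-map VPN_DYNAMIC 200
 set transform-set VPN_TRANSFORM
 reverse-route

! 3. Keep LAN-to-client traffic out of NAT. On IOS, inside-to-outside NAT
!    runs before encryption, so without this exemption a reply would leave
!    with a 10.1.1.220-225 source address and never match the client's SA.
!    A deny clause in the existing nonat route-map exempts it without
!    rewriting access-list 124.
access-list 125 permit ip 172.16.0.0 0.0.255.255 172.16.253.0 0.0.0.255
route-map nonat deny 5
 match ip address 125

! 4. The profile asks for XAuth list "client_auth"; the defined lists are
!    "clientauth" and "vpn_auth". Reference one that exists.
crypto isakmp profile ISAKMP_PROFILE
 client authentication list clientauth

! 5. Optional hardening, not asked in the thread: esp-des is single DES
!    (56-bit). Phase 1 already negotiates 3DES, so the client supports it.
crypto ipsec transform-set VPN_TRANSFORM esp-3des esp-sha-hmac

! Verification after a client connects (assumes it was assigned 172.16.253.1):
!   show ip route 172.16.253.1     -> a static /32 for the client, installed
!                                     by reverse-route injection
!   show crypto ipsec sa | include pkts
!                                  -> both "encaps" and "decaps" now climbing
!   debug ip packet                -> no further "encapsulation failed" lines
```

The LAN hosts must reach 172.16.253.0/24 through this router; if their default gateway is another device (the config hands HTTP to 172.16.254.253), that device needs a route for the pool subnet via 172.16.254.10.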