03-15-2004 10:23 AM - edited 02-21-2020 01:04 PM
Hello,
I have a 2691 router and I am connecting to it with Cisco VPN client 4.0.3E for Mac OSX.
I am able to connect and authenticate but I am unable to access any computers on the network.
The only thing I can ping is the loopback 127.0.0.1. I disabled NAT on the outside interface to see
if it was part of the problem, but it did not help.
Any ideas?
Thanks in advance.
aaa new-model
!
!
aaa authentication login vpn_auth local
aaa authentication login clientauth local
aaa authorization network groupauth local
aaa session-id common
ip subnet-zero
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local VPN_POOL
!
crypto isakmp client configuration group VPN_GROUP
 key *************
 dns 172.16.254.253 172.16.254.9
 domain AAAAAAAAAAA.org
 pool VPN_POOL
crypto isakmp profile ISAKMP_PROFILE
 match identity group VPN_GROUP
 client authentication list client_auth
 isakmp authorization list groupauth
 client configuration address initiate
 client configuration address respond
 initiate mode aggressive
!
!
crypto ipsec transform-set VPN_TRANSFORM esp-des esp-md5-hmac
!
crypto dynamic-map VPN_DYNAMIC 200
 set transform-set VPN_TRANSFORM
!
!
crypto map VPN_MAP client configuration address initiate
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 50 ipsec-isakmp dynamic VPN_DYNAMIC
!
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.254.10 255.255.255.0
 ip nat inside
 ip policy route-map www_redirect
 appletalk cable-range 2-2 2.26
 appletalk zone Default Zone
!
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.1.219 255.255.255.192
 ip nat outside
 appletalk cable-range 10-10 10.93
 appletalk zone Default Zone
 crypto map VPN_MAP
!
interface FastEthernet0/1
 ip address 172.16.255.253 255.255.255.0
 ip nat inside
 ip policy route-map www_redirect
 duplex auto
 speed auto
ip local pool VPN_POOL 172.16.254.245 172.16.254.250
ip nat translation tcp-timeout 300
ip nat pool nat-pool 10.1.1.220 10.1.1.225 netmask 255.255.255.192
ip nat inside source route-map nonat pool nat-pool overload
ip nat inside source static tcp 172.16.254.9 80 10.1.1.205 80 extendable
ip nat inside source static tcp 172.16.254.9 548 10.1.1.205 548 extendable
access-list 110 deny tcp 172.16.254.0 0.0.0.255 any eq www
access-list 110 permit tcp any any eq www
access-list 110 deny tcp any any
access-list 124 deny ip 10.1.1.192 0.0.0.63 any
access-list 124 deny esp 10.1.1.192 0.0.0.63 any
access-list 124 deny tcp any any eq 3689
access-list 124 deny udp any any eq 3689
access-list 124 deny tcp any any eq 4747
access-list 124 deny tcp any any eq 4748
access-list 124 deny udp any any eq 6144
access-list 124 deny tcp any any range 6346 6351
access-list 124 deny udp any any range 6346 6351
access-list 124 deny tcp any any eq 1214
access-list 124 deny udp any any eq 1214
access-list 124 permit ip any any
route-map www_redirect permit 10
 match ip address 110
 set ip next-hop 172.16.254.253
!
route-map nonat permit 10
 match ip address 124
!
03-16-2004 06:33 AM
Here is a little more info. I connected from a win2k machine and had the same problem.
No network access. Debug IPsec revealed no errors. I pinged the 172.16.255.253 router
interface and I received no reply. Show crypto ipsec sa tells me that the ping
packet was received by the router and decrypted without error. Debug IP packet
shows the ping packet was received and a reply packet sent, but there is an
"encapsulation failed" on the reply packet. What does this mean? Does this have
something to do with me using sub-interfaces on the ethernet?
Thanks in advance.
Mar 15 22:07:21.769: IP: s=172.16.254.245 (FastEthernet0/0.10), d=172.16.255.253, len 60, rcvd 4
Mar 15 22:07:21.773: IP: s=172.16.255.253 (local), d=172.16.254.245 (FastEthernet0/0.2), len 60, sending
Mar 15 22:07:21.773: IP: s=172.16.255.253 (local), d=172.16.254.245 (FastEthernet0/0.2), len 60, encapsulation failed
Mar 15 22:07:21.857: IP: s=10.1.1.219 (local), d=65.32.238.50 (FastEthernet0/0.10), len 124, sending
interface: FastEthernet0/0.10
Crypto map tag: VPN_MAP, local addr. 10.1.1.219
protected vrf:
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.16.254.245/255.255.255.255/0/0)
current_peer: 65.32.238.50:61365
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
#pkts decaps: 920, #pkts decrypt: 920, #pkts verify 920
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 10.1.1.219, remote crypto endpt.: 65.32.238.50
path mtu 1500, media mtu 1500
current outbound spi: 211B750A
inbound esp sas:
spi: 0xCDAE28B9(3450742969)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2000, flow_id: 1, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4577152/2121)
IV size: 8 bytes
replay detection support: Y
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x211B750A(555447562)
transform: esp-des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
slot: 0, conn id: 2001, flow_id: 2, crypto map: VPN_MAP
sa timing: remaining key lifetime (k/sec): (4577265/2121)
IV size: 8 bytes
replay detection support: Y
outbound ah sas:
outbound pcp sas:
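As an added example that is not part of the thread, this Python script runs two checks over excerpts of the posted config and debug output: whether the VPN pool (172.16.254.245-250) sits inside the connected subnet of a LAN interface that does not carry the crypto map, and whether the debug lines show the echo reply leaving a different interface from the one the request arrived on before "encapsulation failed". The interface names and addresses are copied from the posts; the function names and the excerpt layout are mine.

```python
import ipaddress
import re
# Excerpts constructed from the posted config and "debug ip packet" output.
CONFIG = """
interface FastEthernet0/0.2
 ip address 172.16.254.10 255.255.255.0
interface FastEthernet0/0.10
 ip address 10.1.1.219 255.255.255.192
 crypto map VPN_MAP
interface FastEthernet0/1
 ip address 172.16.255.253 255.255.255.0
ip local pool VPN_POOL 172.16.254.245 172.16.254.250
"""
DEBUG = """
IP: s=172.16.254.245 (FastEthernet0/0.10), d=172.16.255.253, len 60, rcvd 4
IP: s=172.16.255.253 (local), d=172.16.254.245 (FastEthernet0/0.2), len 60, sending
IP: s=172.16.255.253 (local), d=172.16.254.245 (FastEthernet0/0.2), len 60, encapsulation failed
"""

def parse_interfaces(config):
    """Map interface name -> [connected network, crypto map applied?]."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            cur = m.group(1)
            ifaces[cur] = [None, False]
        elif (m := re.match(r"\s+ip address (\S+) (\S+)", line)) and cur:
            ifaces[cur][0] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif cur and re.match(r"\s+crypto map ", line):
            ifaces[cur][1] = True
    return ifaces

def pool_overlaps_lan(config):
    """Non-crypto-map interfaces whose connected subnet contains VPN pool addresses."""
    lo, hi = (int(ipaddress.ip_address(a))
              for a in re.search(r"ip local pool \S+ (\S+) (\S+)", config).groups())
    # Replies to such a pool address follow the connected route out the LAN side,
    # not back through the crypto-mapped interface where the tunnel terminates.
    return [name for name, (net, has_crypto) in parse_interfaces(config).items()
            if net and not has_crypto
            and any(ipaddress.ip_address(a) in net for a in range(lo, hi + 1))]

def failed_replies(debug):
    """(request ingress iface, reply egress iface) for replies that hit 'encapsulation failed'."""
    ingress, bad = {}, []
    for line in debug.splitlines():
        if m := re.search(r"s=(\S+) \((\S+)\), d=(\S+), .*rcvd", line):
            ingress[m.group(1)] = m.group(2)
        elif m := re.search(r"d=(\S+) \((\S+)\), .*encapsulation failed", line):
            bad.append((ingress.get(m.group(1)), m.group(2)))
    return bad
```

Running both checks on the excerpts reports FastEthernet0/0.2 as the LAN interface containing the pool and the reply to 172.16.254.245 leaving FastEthernet0/0.2 although the request came in on FastEthernet0/0.10.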