Cisco Support Community

New Member

VPN cannot communicate with network

I am running VPN client 4.0.2. I get connected and the tunnel is established, but I can't seem to transmit or receive any data. I can't browse the network or connect to my Exchange server. I can however connect to our AS400 via the inside IP address. Has anyone had any problems like this?

4 REPLIES
Silver

Re: VPN cannot communicate with network

Post your config, and scrub password lines and IP addresses.

That said, check your nat 0 config lines if this is on a PIX. If it isn't a PIX, what device are you using?

New Member

Re: VPN cannot communicate with network

This is on a 1604 router. I did add the access list 115 for the Welchia virus. Are there any lines in that which may prevent my VPN from working?

version 12.2
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname "Cisco1604"
!
enable password xxxxx
!
username ************** password 7 **************
aaa new-model
!
!
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip domain lookup
!
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name Ethernet_0 tcp
ip inspect name Ethernet_0 udp
ip inspect name Ethernet_0 smtp
isdn switch-type basic-ni
isdn voice-call-failure 0
!
crypto isakmp policy 1
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 2
hash md5
authentication pre-share
crypto isakmp key ********** address ************** no-xauth
crypto isakmp key ************** address ************** no-xauth
crypto isakmp key ************** address ************** no-xauth
crypto isakmp keepalive 10 5
!
crypto isakmp client configuration group **************
key **************
wins 192.168.1.100
pool MYPOOL
!
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-md5-hmac
crypto ipsec df-bit clear
!
crypto dynamic-map mymap 100
set transform-set cm-transformset-1
!
!
crypto map cm-cryptomap isakmp authorization list groupauthor
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 1 ipsec-isakmp
set peer **************
set transform-set cm-transformset-1
match address 103
crypto map cm-cryptomap 5 ipsec-isakmp
set peer **************
set transform-set cm-transformset-1
match address 105
crypto map cm-cryptomap 10 ipsec-isakmp
set peer **************
set transform-set cm-transformset-1
match address 123
crypto map cm-cryptomap 100 ipsec-isakmp dynamic mymap
!
!
!
!
interface Loopback1
ip address 1.1.1.1 255.255.255.0
!
interface Ethernet0
description connected to 192.168.1.0/24
ip address 192.168.1.1 255.255.255.0
ip access-group 115 in
ip access-group 115 out
ip nat inside
no ip route-cache
ip policy route-map static
no ip mroute-cache
no cdp enable
!
interface BRI0
description connected to Internet
no ip address
ip nat outside
ip inspect Ethernet_0 out
encapsulation ppp
dialer rotary-group 1
dialer-group 1
isdn switch-type basic-ni
isdn spid1 **************
isdn spid2 **************
no cdp enable
crypto map cm-cryptomap
!
interface Dialer1
description connected to Internet
ip address ************** 255.255.255.248
ip nat outside
ip inspect Ethernet_0 out
encapsulation ppp
no ip split-horizon
dialer in-band
dialer idle-timeout 2147483
dialer string 5131
dialer hold-queue 10
dialer load-threshold 1 either
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname **************
ppp chap password xxxxx
ppp pap sent-username ************** password 7 xxxxx
ppp multilink
crypto map cm-cryptomap
!
router rip
version 2
passive-interface Dialer1
network 192.168.1.0
no auto-summary
!
ip local pool MYPOOL 172.16.0.1 172.16.0.254
ip nat pool Cisco1604-natpool-1 ************** ************** netmask 255.255.255.248
ip nat inside source route-map nonat pool Cisco1604-natpool-1 overload
ip nat inside source static 192.168.1.253 **************
ip nat inside source static tcp 192.168.1.100 110 ************** 110 extendable
ip nat inside source static tcp 192.168.1.100 25 ************** 25 extendable
ip nat inside source static tcp 192.168.1.101 2080 ************** 2080 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip pim bidir-enable
!
!
ip access-list extended addr-pool
ip access-list extended dns-servers
ip access-list extended idletime
ip access-list extended tty1
ip access-list extended wins-servers
!
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 150.5.52.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 150.5.52.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 150.5.52.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq tftp
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any
access-list 123 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 177 permit udp any eq isakmp host **************
access-list 177 permit esp any host **************
access-list 177 permit ahp any host **************
access-list 177 permit ip host ************** host **************
access-list 177 permit udp any eq domain any
access-list 177 permit tcp any host ************** eq pop3
access-list 177 permit tcp any host ************** eq smtp
access-list 177 permit tcp any any established
access-list 177 permit ip 172.16.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 177 permit ip 150.5.52.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 177 permit tcp any host ************** eq 2080
dialer-list 1 protocol ip permit
no cdp run
!
route-map static permit 10
match ip address 110
set ip next-hop 1.1.1.2
!
route-map nonat permit 20
match ip address 111
!
snmp-server engineID local 00000009020000D0BA45C944
snmp-server community public RO
snmp-server location **************
snmp-server contact **************
snmp-server enable traps tty
radius-server authorization permit missing Service-Type
!
line con 0
exec-timeout 0 0
password xxxx
line vty 0 4
password xxxx
!
end

Silver

Re: VPN cannot communicate with network

access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq tftp
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any

This ACL is going to block all MS Windows networking and ping. What have you been using to test the VPN?

A safer bet is to rewrite the ACL with:

access-list 115 permit ip any 172.16.0.0 0.0.0.255

as the *first* line of the ACL, then reapply it to both interfaces - that should do the trick. This will open your network to being infected by home users' infected PCs though - firewalls and ACLs are no fix for issues that need patches and/or antivirus solutions.

New Member

Re: VPN cannot communicate with network

When you say both interfaces, you mean Ethernet0 and which other? I did the rewrite with the access-list 115 permit ip any 172.16.0.0 0.0.0.255 first, but I am still having the same problem. What is the other interface I should apply this to?

Thanks for your help.
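The ordering question in the last two posts can be checked without touching the router. What follows is an added example, not code from the thread or from Cisco: a small Python simulator of how IOS evaluates a numbered ACL (top-down, first match wins, implicit deny at the end), loaded with ACL 115 and ACL 111 exactly as posted. It assumes a client address of 172.16.0.5 from pool MYPOOL, 192.168.1.100 as the server being reached, a reply port of 49152, and that decrypted client packets are routed out Ethernet0, so they meet the `out` copy of ACL 115 with the pool address as source while the server's replies meet the `in` copy. The third ACL variant, which also puts `permit ip 172.16.0.0 0.0.0.255 any` at the top, is my assumption and is not something the thread proposes.

```python
"""Added example (not from the thread): simulate IOS numbered-ACL evaluation,
top-down, first match wins, implicit deny at the end, for the ACLs posted above.
Parses only the ACE shapes ACL 111 and 115 use: proto ip/tcp/udp/icmp, addresses
as 'any' / 'host A' / 'A WILDCARD', optional 'eq <dst-port>' or ICMP type keyword."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"tftp": 69, "netbios-ns": 137, "netbios-dgm": 138, "netbios-ss": 139}
Packet = namedtuple("Packet", "proto src dst dport icmp_type", defaults=(None, None))
Ace = namedtuple("Ace", "action proto src dst dport icmp_type")

def _parse_addr(tok, i):
    """Return (matcher, next index) for the IOS address spec starting at tok[i]."""
    if tok[i] == "any":
        return (lambda a: True), i + 1
    if tok[i] == "host":
        return (lambda a, h=tok[i + 1]: a == h), i + 2
    mask = ~int(ipaddress.IPv4Address(tok[i + 1])) & 0xFFFFFFFF  # wildcard -> netmask
    net = int(ipaddress.IPv4Address(tok[i])) & mask
    return (lambda a, n=net, m=mask: (int(ipaddress.IPv4Address(a)) & m) == n), i + 2

def parse_acl(text):
    """Parse 'access-list N action proto SRC DST [eq PORT | ICMPTYPE]' lines into ACEs."""
    aces = []
    for tok in (line.split() for line in text.splitlines() if line.strip()):
        src, i = _parse_addr(tok, 4)
        dst, i = _parse_addr(tok, i)
        rest, dport, icmp_type = tok[i:], None, None
        if rest[:1] == ["eq"]:
            dport = int(rest[1]) if rest[1].isdigit() else PORT_NAMES[rest[1]]
        elif rest:
            icmp_type = rest[0]
        aces.append(Ace(tok[2], tok[3], src, dst, dport, icmp_type))
    return aces

def evaluate(aces, pkt):
    """(action, ACE number) of the first matching entry; ('deny', 0) is the implicit deny."""
    for n, ace in enumerate(aces, 1):
        if (ace.proto in ("ip", pkt.proto) and ace.src(pkt.src) and ace.dst(pkt.dst)
                and ace.dport in (None, pkt.dport) and ace.icmp_type in (None, pkt.icmp_type)):
            return ace.action, n
    return "deny", 0

# ACL 115 exactly as posted: the Welchia filter applied 'in' and 'out' on Ethernet0.
ACL_115_POSTED = """
access-list 115 deny icmp any any echo
access-list 115 deny icmp any any echo-reply
access-list 115 deny tcp any any eq 135
access-list 115 deny udp any any eq 135
access-list 115 deny udp any any eq tftp
access-list 115 deny udp any any eq netbios-ns
access-list 115 deny udp any any eq netbios-dgm
access-list 115 deny tcp any any eq 139
access-list 115 deny udp any any eq netbios-ss
access-list 115 deny tcp any any eq 445
access-list 115 deny tcp any any eq 593
access-list 115 permit ip any any
"""
# The rewrite suggested in the thread: one permit *toward* the VPN pool as line 1.
ACL_115_SUGGESTED = "access-list 115 permit ip any 172.16.0.0 0.0.0.255\n" + ACL_115_POSTED
# Assumption, not from the thread: additionally permit traffic *from* the pool first.
ACL_115_BOTH_WAYS = "access-list 115 permit ip 172.16.0.0 0.0.0.255 any\n" + ACL_115_SUGGESTED

# ACL 111 exactly as posted; route-map nonat translates only what this ACL permits.
ACL_111_POSTED = """
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 150.5.52.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
"""

# Constructed traffic (addresses assumed): a MYPOOL client talking to the 192.168.1.100
# server. Decrypted client packets leave via Ethernet0 (ACL 115 'out', pool address as
# source); the server's replies enter Ethernet0 (ACL 115 'in', pool address as destination).
CLIENT, SERVER = "172.16.0.5", "192.168.1.100"
FLOWS = {
    "smb_to_server": Packet("tcp", CLIENT, SERVER, dport=445),
    "smb_reply": Packet("tcp", SERVER, CLIENT, dport=49152),
    "ping_to_server": Packet("icmp", CLIENT, SERVER, icmp_type="echo"),
}

def vpn_verdicts(acl_text):
    """Verdict for each constructed flow under the given ACL 115 text."""
    acl = parse_acl(acl_text)
    return {name: evaluate(acl, pkt)[0] for name, pkt in FLOWS.items()}

def nat_exempt(dst):
    """True when LAN -> dst stays out of NAT, i.e. ACL 111 denies it for route-map nonat."""
    probe = Packet("tcp", "192.168.1.10", dst, dport=80)  # constructed LAN host
    return evaluate(parse_acl(ACL_111_POSTED), probe)[0] == "deny"

if __name__ == "__main__":
    for label, text in (("posted", ACL_115_POSTED), ("suggested", ACL_115_SUGGESTED),
                        ("both ways", ACL_115_BOTH_WAYS)):
        print(f"ACL 115 {label:9}: {vpn_verdicts(text)}")
    for dst in ("172.16.0.5", "192.168.0.7", "203.0.113.10"):
        print(f"LAN -> {dst:12} exempt from NAT: {nat_exempt(dst)}")
```

Running it shows why the one-line rewrite changed nothing: `permit ip any 172.16.0.0 0.0.0.255` only matches packets whose destination is the pool, which are the server's replies, and those were already falling through to `permit ip any any`. The client's own SMB (445) and ping (echo) packets carry the pool address as source, so on the `out` copy of the ACL they still reach the deny lines; a permit keyed on the source address is needed as well, which is what the assumed "both ways" variant adds. The NAT check answers the first reply's `nat 0` question for this router: ACL 111 does keep 192.168.1.0/24 to 172.16.0.0/24 out of translation, but its last line, the deny for 192.168.0.0/24, sits after `permit ip 192.168.1.0 0.0.0.255 any` and can never match, so traffic for the site-to-site peer selected by ACL 105 is translated before it reaches the crypto map. Unrelated to the VPN but visible in the same config: `snmp-server community public RO` and `enable password` rather than `enable secret`.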
