ssl vpn connected successfully but I can't ping inside hosts

YuriyKalinin
Level 1

I have one RV320 and an 871 router. The 320 connects successfully to the 871 and the tunnel is active, but I can't ping the second net. What is wrong?

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
service internal
!
hostname V871_router
!
boot-start-marker
boot-end-marker
!
enable secret 5 secret
!
no aaa new-model
!
resource policy
!
clock timezone Moscow 3
clock summer-time Moscow recurring last Sun Mar 2:00 last Sun Oct 2:00
ip subnet-zero
no ip gratuitous-arps
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.99
ip dhcp excluded-address 10.1.1.200
!
ip dhcp pool LAN
   network 10.1.1.0 255.255.255.0
   dns-server 10.1.1.1 
   default-router 10.1.1.1 
!
!
ip domain name router.com
ip name-server 8.8.8.8
ip name-server 4.2.2.2
ip name-server 208.67.222.222
ip name-server 208.67.220.220
ip multicast-routing 
ip ssh version 2
ip ddns update method DNSupdate
 HTTP
  add http://zzzzz:login@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
  remove http://zzzzzzz:login@dynupdate.no-ip.com/nic/update?hostname=<h>&myip=<a>
 interval maximum 1 0 0 0
!
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip 192.168.117.249
!
vpdn-group VPN
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
!
username user secret 5 secret
archive   
 log config
  logging enable
  hidekeys
!

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 lifetime 28800
crypto isakmp key my_key address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set MYSET ah-sha-hmac esp-aes 256 esp-sha-hmac 
!
crypto dynamic-map hq-vpn 10
 set security-association lifetime seconds 28800
 set transform-set MYSET 
 match address 100
!
!
!
!
crypto map VPNMAP 1 ipsec-isakmp dynamic hq-vpn 
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 mac-address 0015.5898.dd6a
 ip address dhcp client-id FastEthernet4
 ip access-group RDP in
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 
 ip unnumbered Vlan1
 peer default ip address pool VPN
 no keepalive
 ppp encrypt mppe auto
 ppp authentication pap chap ms-chap ms-chap-v2
!
interface Vlan1
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip nat enable
 ip virtual-reassembly
!
interface Dialer0
 mtu 1440
 ip ddns update hostname router.ddns.com
 ip ddns update DNSupdate
 ip address negotiated
 ip pim dense-mode
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp adjust-mss 1400
 dialer in-band
 dialer idle-timeout 0
 dialer string kerch.net
 dialer vpdn
 dialer-group 1
 no cdp enable
 ppp chap hostname login
 ppp chap password 0 passwd
 crypto map VPNMAP
!
ip local pool VPN 10.1.1.50 10.1.1.75
ip default-gateway 10.1.1.1
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip route 192.168.0.0 255.255.0.0 FastEthernet4 dhcp
!
ip dns server
!
no ip http server
no ip http secure-server
ip nat inside source static tcp 10.1.1.200 445 interface FastEthernet4 445
ip nat inside source static tcp 10.1.1.200 139 interface FastEthernet4 139
ip nat inside source static tcp 10.1.1.200 138 interface FastEthernet4 138
ip nat inside source static tcp 10.1.1.200 137 interface FastEthernet4 137
ip nat inside source route-map INTERNET interface Dialer0 overload
ip nat inside source route-map LOCAL interface FastEthernet4 overload
ip nat inside source static tcp 10.1.1.200 3389 interface FastEthernet4 3389
!
ip access-list standard INSIDE_NAT
 permit 10.1.1.0 0.0.0.255
!
ip access-list extended RDP
 permit tcp host 192.168.104.109 any eq 3389
 permit tcp host 192.168.138.152 any eq 3389
 permit tcp host 192.168.74.130 any eq 3389
 permit tcp host 192.168.138.152 any range 137 139
 permit tcp host 192.168.138.152 any eq 445
 permit tcp host 192.168.74.130 any range 137 139
 permit tcp host 192.168.74.130 any eq 445
 deny   tcp any any eq 3389 log
 deny   tcp any any range 137 139
 deny   tcp any any eq 445
 permit ip any any
!
access-list 100 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
dialer-list 1 protocol ip permit
!
route-map INTERNET permit 10
 match ip address INSIDE_NAT
 match interface Dialer0
!
route-map LOCAL permit 10
 match ip address INSIDE_NAT
 match interface FastEthernet4
!
!
control-plane
!
!
line con 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 login local
 transport input ssh
!
scheduler max-task-time 5000
ntp clock-period 17175059
ntp master
ntp server 67.215.65.132
ntp server 91.236.251.12
end


3 Replies

chrebert
Level 4

Hello,

What are the subnets on both routers, and which direction is the ping not working?  It looks like 10.1.1.0/24 is the LAN on the 881, and you are currently sending all traffic for 192.168.0.0/16 out of interface 4, but what is the traffic that is supposed to be going to the 320?

The config is useful, but without some more information it is hard to come up with a solution for you.

Thank you for choosing Cisco,

Christopher Ebert - Advanced Network Support Engineer

Cisco Small Business Support Center

*please rate helpful posts*

Hello, 

I've attached the network scheme and the RV320 tunnel config; I hope it will help you to find the answer.

Ping is not working in either direction.

I tried to ping from 10.1.2.1 (RV320) to 10.1.1.1 (Cisco 871): no answer.

Tried ping 10.1.2.1 source 10.1.1.1 (from the 871 to the RV320): no answer.


"but what is the traffic that is supposed to be going to the 320?"

I'm not sure that I understand your question correctly. What kind of traffic should go through the tunnel? For example, RDP and VNC traffic.

I've updated the IOS to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from the RV320 to the 871 and vice versa. Ping is still not working.


router#sh crypto session detail 

Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection     
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: Dialer0
Uptime: 00:40:37
Session status: UP-ACTIVE     
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.1.100
      Desc: (none)
  IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
          Capabilities:(none) connid:2001 lifetime:07:19:22
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
        Active SAs: 4, origin: dynamic crypto map
        Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162
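As an added diagnostic example (not from the thread, the poster, or Cisco), the script below parses the show crypto session detail output quoted above and flags the symptom pattern it shows: an UP-ACTIVE SA that encrypts outbound but decrypts nothing inbound, a Phase1_id in private address space while the peer address is public, no NAT-T capability negotiated, and an AH transform in the posted transform-set (AH protects the outer IP header, so a translated header fails its integrity check). The sample text is constructed from the output and config above; the findings are heuristics to check next, not a proven root cause.

```python
import ipaddress
import re

# Constructed sample: the 'show crypto session detail' lines the checks below read.
SAMPLE_SESSION = """\
Session status: UP-ACTIVE
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 192.168.1.100
          Capabilities:(none) connid:2001 lifetime:07:19:22
  IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
        Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
        Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162
"""
# Constructed sample: the transform-set line from the posted 871 config.
SAMPLE_TRANSFORM = "crypto ipsec transform-set MYSET ah-sha-hmac esp-aes 256 esp-sha-hmac"


def parse_session(text):
    """Extract the fields the diagnosis needs; missing fields come back as None."""
    def grab(pattern, cast=str):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else None
    return {
        "status": grab(r"Session status:\s*(\S+)"),
        "peer": grab(r"Peer:\s*(\d+\.\d+\.\d+\.\d+)"),
        "phase1_id": grab(r"Phase1_id:\s*(\S+)"),
        "capabilities": grab(r"Capabilities:\((.*?)\)"),
        "dec": grab(r"#pkts dec'ed (\d+)", int),
        "in_drop": grab(r"dec'ed \d+ drop (\d+)", int),
        "enc": grab(r"#pkts enc'ed (\d+)", int),
    }


def diagnose(session_text, transform_line):
    """Return a list of finding tags; each is a heuristic to verify, not a proven cause."""
    s = parse_session(session_text)
    findings = []
    if s["status"] == "UP-ACTIVE" and s["dec"] == 0 and (s["in_drop"] or 0) > 0:
        findings.append("inbound_drops_only")  # SA is up, nothing decrypts, inbound packets dropped
    try:
        id_private = ipaddress.ip_address(s["phase1_id"]).is_private
    except ValueError:
        id_private = False  # Phase1_id may be an FQDN or other non-address identity
    if id_private and not ipaddress.ip_address(s["peer"]).is_private:
        findings.append("peer_behind_nat")  # RFC1918 identity, but packets arrive from a public address
        if "N" not in (s["capabilities"] or ""):
            findings.append("nat_t_not_negotiated")  # no 'N' flag: NAT traversal is not in use
        if re.search(r"\bah-\w+", transform_line):
            findings.append("ah_with_nat")  # AH cannot survive address translation; ESP-only is needed
    return findings
```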