Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
New Member

Can't ping through EazyVPN in client mode

Hi, all

I couldn't understand why unpossible ping Local Network from EazyVPN Router in client mode. Please, help. Network diagram is follow

R1 --192.168.1.x/24-- R2(VPN HUB) --77.1.1.x/24-- R4 --172.16.1.x/24-- R7 --192.168.2.x/24

I setup R7 as a EazyVPN hardware client and R2 as a VPN Server. I coundn't ping 192.168.1.x/24 from 192.168.2.x/24 and opposite.

Router2#

aaa new-model

!

aaa authorization network LOCAL-AUTHOR local

crypto isakmp policy 10

 authentication pre-share

 group 2

!        

crypto isakmp client configuration group VPN-CLIENT-GROUP

 key vpnclientcisco

 pool VPN-LOCAL-POOL

 acl 100

crypto isakmp profile PROFILE-ISAKMP

   match identity group VPN-CLIENT-GROUP

   isakmp authorization list LOCAL-AUTHOR

   client configuration address respond

   client configuration group VPN-CLIENT-GROUP

   virtual-template 1

!

crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac

!

crypto ipsec profile PROFILE-IPSEC

 set transform-set TRANSFORM-IPSEC

 set isakmp-profile PROFILE-ISAKMP

interface Ethernet0/0

 ip address 192.168.1.2 255.255.255.0

 ip nat inside

 ip virtual-reassembly in

!

interface Ethernet0/1

 ip address 77.1.1.2 255.255.255.0

 ip nat outside

 ip virtual-reassembly in

!

interface Virtual-Template1 type tunnel

 ip unnumbered Ethernet0/1

 ip nat inside

 ip virtual-reassembly in

 tunnel mode ipsec ipv4

 tunnel protection ipsec profile PROFILE-IPSEC

!

ip local pool VPN-LOCAL-POOL 172.16.40.1 172.16.40.100

ip nat inside source list TONAT interface Ethernet0/1 overload

 

R7#

crypto ipsec client ezvpn EZVPN-CLIENT

 connect auto

 group VPN-CLIENT-GROUP key vpnclientcisco

 mode client

 peer 77.1.1.2

 username cisco password cisco

 xauth userid mode local

!

interface Ethernet0/0

 ip address 172.16.1.7 255.255.255.0

 crypto ipsec client ezvpn EZVPN-CLIENT

!

interface Ethernet0/2

 ip address 192.168.2.7 255.255.255.0

 ip nat inside

 crypto ipsec client ezvpn EZVPN-CLIENT inside

 

R7 get ip from R2 (VPN Server)

R7_Router#sh ip int br

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0/0                172.16.1.7      YES NVRAM  up                    up     

Ethernet0/2                192.168.2.7     YES NVRAM  up                    up     

Loopback0                  7.7.7.7         YES NVRAM  up                    up     

Loopback10000              172.16.40.49    YES TFTP   up                    up     

NVI0                       172.16.1.7      YES unset  up                    up      

 

And I have automatic created NAT translations

R7_Router#sh ip nat statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended)

Peak translations: 0

Outside interfaces:

  Ethernet0/0

Inside interfaces:

  Ethernet0/2

Hits: 0  Misses: 0

CEF Translated packets: 0, CEF Punted packets: 0

Expired translations: 0

Dynamic mappings:

-- Inside Source

[Id: 106] access-list EZVPN-CLIENT_internet-list interface Ethernet0/0 refcount 0

[Id: 105] access-list EZVPN-CLIENT_enterprise-list pool EZVPN-CLIENT refcount 0

 pool EZVPN-CLIENT: netmask 255.255.255.0

        start 172.16.40.49 end 172.16.40.49

        type generic, total addresses 1, allocated 0 (0%), misses 0

!

R7_Router#sh access-lists EZVPN-CLIENT_internet-list (не локальные сети пускать в инет)

Extended IP access list EZVPN-CLIENT_internet-list

    10 deny ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

    20 deny ip 192.168.2.0 0.0.0.255 2.2.2.0 0.0.0.255

    30 permit ip 192.168.2.0 0.0.0.255 any

!

R7_Router#sh access-lists EZVPN-CLIENT_enterprise-list (локальные сети натить в назначенный IP)

Extended IP access list EZVPN-CLIENT_enterprise-list

    10 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255

    20 permit ip 192.168.2.0 0.0.0.255 2.2.2.0 0.0.0.255

 

But 

R7_Router#ping 192.168.1.2 source 192.168.2.7
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
Packet sent with a source address of 192.168.2.7 
.....
Success rate is 0 percent (0/5)

INFO

R7_Router#sho crypto ipsec client ezvpn 
Easy VPN Remote Phase: 8

Tunnel name : EZVPN-CLIENT
Inside interface list: Ethernet0/2
Outside interface: Ethernet0/0 
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: 172.16.40.54 (applied on Loopback10000)
Mask: 255.255.255.255
Save Password: Disallowed
Split Tunnel List: 1
       Address    : 192.168.1.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    : 2.2.2.0
       Mask       : 255.255.255.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: 77.1.1.2

 

R7_Router#sh crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 172.16.1.7

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.40.54/255.255.255.255/256/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)
   current_peer 77.1.1.2 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 172.16.1.7, remote crypto endpt.: 77.1.1.2
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xEDDC1FF4(3990626292)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB13AC0A(185838602)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 117, flow_id: SW:117, sibling_flags 80000040, crypto map: Ethernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4180674/2025)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

Everyone's tags (1)
2 REPLIES

Hi, If you look on to the sh

Hi,

 

If you look on to the sh crypto ipsec output..... your encryption domain saying that it is local  ident (addr/mask/prot/port): (172.16.40.54/255.255.255.255/256/0) and it should be 192.168.2.0 /24. That is why it is not pinging to the other end....

Issue is here:

protected vrf: (none)
   local  ident (addr/mask/prot/port): (172.16.40.54/255.255.255.255/256/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/256/0)

 

If this gets corrected ... if am not wrong... you have to get the acl 100 corrected on VPN Server....

 acl 100 should be like this

192.168.1.0 0.0.0.255 to 192.168.2.0 0.0.0.255

2.2.2.0 0.0.0.255 to 192.168.2.0 0.0.0.255

 

Regards

Karthik

 

Regards

Karthik

New Member

Thank you for your reply

Thank you for your reply!

Sorry, i didn't attached information about ACL on R2. Current configuration on R2 abour ACL

!
ip access-list extended TONAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

Second, i think that (addr/mask/prot/port): (172.16.40.54/255.255.255.255/256/0) is correct, because it's specific work of client mode of EZVPN, when hardware client get ip address and hide directly connected local networks under PAT

110
Views
0
Helpful
2
Replies
CreatePlease to create content