New Member

Can't ping through Easy VPN in client mode

Hi, all

I can't understand why it is impossible to ping the local network from the Easy VPN router in client mode. Please help. The network diagram is as follows:

R1 --192.168.1.x/24-- R2(VPN HUB) --77.1.1.x/24-- R4 --172.16.1.x/24-- R7 --192.168.2.x/24

I set up R7 as an Easy VPN hardware client and R2 as a VPN server. I couldn't ping 192.168.1.x/24 from 192.168.2.x/24, or the opposite.


aaa new-model


aaa authorization network LOCAL-AUTHOR local

crypto isakmp policy 10

 authentication pre-share

 group 2


crypto isakmp client configuration group VPN-CLIENT-GROUP

 key vpnclientcisco


 acl 100

crypto isakmp profile PROFILE-ISAKMP

   match identity group VPN-CLIENT-GROUP

   isakmp authorization list LOCAL-AUTHOR

   client configuration address respond

   client configuration group VPN-CLIENT-GROUP

   virtual-template 1


crypto ipsec transform-set TRANSFORM-IPSEC esp-aes esp-sha-hmac


crypto ipsec profile PROFILE-IPSEC

 set transform-set TRANSFORM-IPSEC

 set isakmp-profile PROFILE-ISAKMP

interface Ethernet0/0

 ip address

 ip nat inside

 ip virtual-reassembly in


interface Ethernet0/1

 ip address

 ip nat outside

 ip virtual-reassembly in


interface Virtual-Template1 type tunnel

 ip unnumbered Ethernet0/1

 ip nat inside

 ip virtual-reassembly in

 tunnel mode ipsec ipv4

 tunnel protection ipsec profile PROFILE-IPSEC


ip local pool VPN-LOCAL-POOL

ip nat inside source list TONAT interface Ethernet0/1 overload



crypto ipsec client ezvpn EZVPN-CLIENT

 connect auto

 group VPN-CLIENT-GROUP key vpnclientcisco

 mode client


 username cisco password cisco

 xauth userid mode local


interface Ethernet0/0

 ip address

 crypto ipsec client ezvpn EZVPN-CLIENT


interface Ethernet0/2

 ip address

 ip nat inside

 crypto ipsec client ezvpn EZVPN-CLIENT inside


R7 gets an IP from R2 (VPN server):

R7_Router#sh ip int br

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0/0            YES NVRAM  up                    up     

Ethernet0/2           YES NVRAM  up                    up     

Loopback0                 YES NVRAM  up                    up     

Loopback10000        YES TFTP   up                    up     

NVI0                   YES unset  up                    up      


And I have automatically created NAT translations:

R7_Router#sh ip nat statistics

Total active translations: 0 (0 static, 0 dynamic; 0 extended)

Peak translations: 0

Outside interfaces:


Inside interfaces:


Hits: 0  Misses: 0

CEF Translated packets: 0, CEF Punted packets: 0

Expired translations: 0

Dynamic mappings:

-- Inside Source

[Id: 106] access-list EZVPN-CLIENT_internet-list interface Ethernet0/0 refcount 0

[Id: 105] access-list EZVPN-CLIENT_enterprise-list pool EZVPN-CLIENT refcount 0

 pool EZVPN-CLIENT: netmask

        start end

        type generic, total addresses 1, allocated 0 (0%), misses 0


R7_Router#sh access-lists EZVPN-CLIENT_internet-list (let non-local networks out to the Internet)

Extended IP access list EZVPN-CLIENT_internet-list

    10 deny ip

    20 deny ip

    30 permit ip any


R7_Router#sh access-lists EZVPN-CLIENT_enterprise-list (NAT local networks to the assigned IP)

Extended IP access list EZVPN-CLIENT_enterprise-list

    10 permit ip

    20 permit ip



R7_Router#ping source
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Packet sent with a source address of 
Success rate is 0 percent (0/5)


R7_Router#sho crypto ipsec client ezvpn 
Easy VPN Remote Phase: 8

Tunnel name : EZVPN-CLIENT
Inside interface list: Ethernet0/2
Outside interface: Ethernet0/0 
Current State: IPSEC_ACTIVE
Last Event: SOCKET_UP
Address: (applied on Loopback10000)
Save Password: Disallowed
Split Tunnel List: 1
       Address    :
       Mask       :
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Split Tunnel List: 2
       Address    :
       Mask       :
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer:


R7_Router#sh crypto ipsec sa

interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (
   current_peer port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.:, remote crypto endpt.:
     path mtu 1500, ip mtu 1500, ip mtu idb Ethernet0/0
     current outbound spi: 0xEDDC1FF4(3990626292)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xB13AC0A(185838602)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 117, flow_id: SW:117, sibling_flags 80000040, crypto map: Ethernet0/0-head-0
        sa timing: remaining key lifetime (k/sec): (4180674/2025)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE(ACTIVE)

Hi,

If you look at the sh crypto ipsec output, your encryption domain is saying that it is local  ident (addr/mask/prot/port): ( and it should be /24. That is why it is not pinging to the other end.

Issue is here:

protected vrf: (none)
   local  ident (addr/mask/prot/port): (
   remote ident (addr/mask/prot/port): (


If this gets corrected... If I am not wrong, you have to get acl 100 corrected on the VPN server.

 acl 100 should be like this to to







New Member

Thank you for your reply!

Sorry, I didn't attach the information about the ACL on R2. The current ACL configuration on R2:

ip access-list extended TONAT
 deny   ip
 permit ip any
access-list 100 permit ip

Second, I think that (addr/mask/prot/port): ( is correct, because that is the specific behaviour of EZVPN client mode, where the hardware client gets an IP address and hides the directly connected local networks behind PAT.
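The two conditions argued about in this thread (an ACTIVE SA whose counters stay at zero, and a host-mask local ident) can be checked mechanically from `show crypto ipsec sa` output. The script below is an added example, not part of any post: the sample output and its addresses are constructed placeholders, and `parse_sas` and `findings` are hypothetical helper names.

```python
import ipaddress
import re

# Constructed sample in `show crypto ipsec sa` format. Addresses are
# documentation-range placeholders, not values from the thread.
SAMPLE = """\
interface: Ethernet0/0
    Crypto map tag: Ethernet0/0-head-0, local addr 198.51.100.7

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (10.99.0.5/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (192.0.2.0/255.255.255.0/0/0)
   current_peer 203.0.113.2 port 500
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        Status: ACTIVE(ACTIVE)
"""

IDENT = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): "
                   r"\(([\d.]+)/([\d.]+)/\d+/\d+\)")
COUNT = re.compile(r"#pkts (encaps|decaps): (\d+)")

def parse_sas(text):
    """Return one dict per proxy-identity pair (split on 'protected vrf:')."""
    sas = []
    for chunk in text.split("protected vrf:")[1:]:
        sa = {"active": "Status: ACTIVE" in chunk}
        for side, addr, mask in IDENT.findall(chunk):
            sa[side] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        for name, value in COUNT.findall(chunk):
            sa[name] = int(value)
        sas.append(sa)
    return sas

def findings(sa):
    """Flag the two conditions the thread argues about."""
    out = []
    if sa["active"] and sa.get("encaps") == 0 and sa.get("decaps") == 0:
        out.append("SA is ACTIVE but no packet has matched its proxy identities")
    local = sa.get("local")
    if local is not None and local.num_addresses == 1:
        out.append(f"local ident is the single host {local.network_address}")
    return out

if __name__ == "__main__":
    for sa in parse_sas(SAMPLE):
        print(sa.get("local"), "->", sa.get("remote"), findings(sa))
```

A host-mask local ident on its own only shows that traffic must be sourced from (or translated to) that one address to enter the tunnel; the zero counters are what show that the test ping never matched the SA.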
