
Cisco Easy VPN Server, Can't Ping Network Once Connected

Hi,

I have a 2561XM and with the SDM I set up Easy VPN Server. My internal networks are 192.168.4.0/24 and 172.16.20.252/30. My pool is 192.168.70.1-8.

The router is using NAT behind a single static IP. I am VPN'ing from my home which is behind a non-static single public IP.

I can connect to the VPN using the Cisco client, but when I ping I see the below response from the inside interface of the router...


>ping 192.168.4.103

Pinging 192.168.4.103 with 32 bytes of data:
Reply from 172.16.20.253: Destination port unreachable.
Reply from 172.16.20.253: Destination port unreachable.
Reply from 172.16.20.253: Destination port unreachable.
Reply from 172.16.20.253: Destination port unreachable.

Ping statistics for 192.168.4.103:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),


Please see my config below.

boot-start-marker
boot-end-marker
!
no logging buffered
no logging console
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
no network-clock-participate slot 1
no network-clock-participate wic 0
ip cef
!
!
!
!
ip name-server X.X.X.X
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-1315735208
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1315735208
revocation-check none
rsakeypair TP-self-signed-1315735208
!
!
crypto pki certificate chain TP-self-signed-1315735208
certificate self-signed 01
  XXXXXXX


  quit
username xxxxxxxxxxxxxx


!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group XXXX_VPN
key XXXXXXXXXXXXXX
pool SDM_POOL_2
acl 100
max-users 3
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
description XXXXXX Outside$ETH-WAN$
ip address 96.x.x.x 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no cdp enable
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/1.20
description Office Network
encapsulation dot1Q 20
ip address 172.16.20.254 255.255.255.252
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0/1.30
description Public Network
encapsulation dot1Q 30
ip address 172.16.30.254 255.255.255.252
ip access-group Public_ACL in
ip nat inside
ip virtual-reassembly
no cdp enable
!
ip local pool SDM_POOL_1 172.16.50.1 172.16.50.8
ip local pool SDM_POOL_2 192.168.70.1 192.168.70.5
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 96.x.x.x
ip route 192.168.4.0 255.255.255.0 172.16.20.253
ip route 192.168.12.0 255.255.255.0 172.16.30.253
!
!
ip http server
ip http authentication local
no ip http secure-server
ip nat inside source static tcp 192.168.4.215 443 interface FastEthernet0/0 44
ip nat inside source static tcp 192.168.4.215 22 interface FastEthernet0/0 22
ip nat inside source static tcp 192.168.4.214 443 interface FastEthernet0/0 43
ip nat inside source static tcp 192.168.4.214 22 interface FastEthernet0/0 222
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended Public_ACL
deny   ip 192.168.212.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip any any
!
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.20.252 0.0.0.3 any
access-list 101 remark SDM_ACL Category=18
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.1
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.2
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.3
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.4
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.5
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.1
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.2
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.3
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.4
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.5
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit ip 172.16.20.0 0.0.0.255 any
access-list 101 permit ip 172.16.30.0 0.0.0.255 any
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!

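A check a reader can run against the posted configuration, as an added example that is not part of the original post: it replays ACL 101 (the list matched by route-map SDM_RMAP_1 on the NAT overload rule) with first-match semantics and reports any inside-network/VPN-client pair that would be translated instead of exempted. The function names are made up for this example, the parser handles only the `ip` entry forms that appear in the post, an entry is treated as matching only when it covers the whole inside network, and the `ip nat inside source static` entries are not modelled.

```python
import ipaddress
import re

# Copied from the posted config: VPN pool, split-tunnel ACL 100, NAT ACL 101.
CONFIG = """\
ip local pool SDM_POOL_2 192.168.70.1 192.168.70.5
access-list 100 permit ip 192.168.4.0 0.0.0.255 any
access-list 100 permit ip 172.16.20.252 0.0.0.3 any
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.1
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.2
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.3
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.4
access-list 101 deny   ip 172.16.20.252 0.0.0.3 host 192.168.70.5
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.1
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.2
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.3
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.4
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.70.5
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 permit ip 192.168.12.0 0.0.0.255 any
access-list 101 permit ip 172.16.20.0 0.0.0.255 any
access-list 101 permit ip 172.16.30.0 0.0.0.255 any
"""

def acl(config, number):
    """Parse one numbered extended ACL into [(action, src_net, dst_net)]."""
    rules = []
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["access-list", number] and t[2] in ("permit", "deny"):
            src = ipaddress.ip_network(f"{t[4]}/{t[5]}")  # wildcard = hostmask
            dst = {"any": "0.0.0.0/0", "host": t[-1]}.get(t[6], "/".join(t[6:8]))
            rules.append((t[2], src, ipaddress.ip_network(dst)))
    return rules

def translated_pairs(config, pool="SDM_POOL_2"):
    """(inside net, client IP) pairs whose first ACL 101 match is a permit (NATed)."""
    m = re.search(rf"ip local pool {pool} (\S+) (\S+)", config)
    lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
    nat_acl, hits = acl(config, "101"), []
    for _, inside, _ in acl(config, "100"):      # networks sent to the client
        for client in map(ipaddress.ip_address, range(lo, hi + 1)):
            for action, src, dst in nat_acl:     # first match wins
                if inside.subnet_of(src) and client in dst:
                    if action == "permit":
                        hits.append((str(inside), str(client)))
                    break
    return hits

print(translated_pairs(CONFIG))  # -> []
```

Changing the pool line to end at 192.168.70.8 (a constructed variation) makes the function return six pairs, because ACL 101 has deny entries only for .1 through .5.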