Cisco Support Community
New Member

Issue with VPN Client IPSec to Cisco 881 Router

I have a Cisco 881 router, which is configured with a site-to-site IPsec tunnel and VPN client IPsec access. The site-to-site IPsec tunnel works fine. When I connect to the router with the Cisco VPN Client using IPsec, it also works fine and I connect. The problem that I have is that I can't Telnet to the router 192.168.4.1 or ping 192.168.4.1. From the remote site that is connected via the site-to-site tunnel, I can Telnet and ping 192.168.4.1. I must be doing something wrong with the VPN client portion of the configuration, but I can't seem to figure it out. The config is below. Hopefully someone can see what I'm doing wrong.

Thank you

Cisco 881 Router - Version 12.4(22r)YB5, RELEASE SOFTWARE (fc1), c880data-universalk9-mz.152-4.M6.bin


security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
no logging console
enable secret 5 xxxxxx
!
!
!
ip dhcp excluded-address 192.168.4.1 192.168.4.189
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.4.0 255.255.255.0
 default-router 192.168.4.1 
!
!
!
ip flow-cache timeout active 5
no ip bootp server
ip inspect name FW tcp
ip inspect name FW udp
ip cef
login on-failure log
login on-success log
no ipv6 cef
!
!
!
!
!
no spanning-tree vlan 41
username test view root secret 5 xxxxxxxxxxxxxx
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh source-interface FastEthernet0

crypto keyring site2site  
  pre-shared-key address 10.1.1.1 key 6 xxxxxxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group remote-clients
 key 6 xxx
 pool VPN-clients
 acl 104
 max-logins 1
crypto isakmp profile site-to-site
   description Site to site VPN Tunnel profile connection
   keyring site2site
   match identity address 10.1.1.1 255.255.255.255 
   keepalive 30 retry 3
crypto isakmp profile vpnclients
   description VPN Clients profile connection
   match identity group remote-clients
   client authentication list vpnclientauth
   isakmp authorization list vpngroupauth
   client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
 mode tunnel
crypto ipsec fragmentation after-encryption
crypto ipsec df-bit clear
!
!
!
crypto dynamic-map SDM_DYNMAP_1 2
 set transform-set ESP-3DES-SHA 
 set isakmp-profile vpnclients
 reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
 set peer 10.1.1.1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA 
 set isakmp-profile site-to-site
 match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
!
!
interface FastEthernet0
 description Inside FastEthernet0 Default Gateway
 switchport access vlan 41
 no ip address
 no cdp enable
!
interface FastEthernet1
 no ip address
 shutdown
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface FastEthernet4
 description Outside FastEthernet4
 ip address dhcp client-id FastEthernet4
 ip access-group 103 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect FW out
 ip virtual-reassembly in
 duplex auto
 speed auto
 no cdp enable
 crypto map SDM_CMAP_1
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
!
interface Vlan41
 description Inside FastEthernet0 Default Gateway
 ip address 192.168.4.1 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip inspect FW out
 ip virtual-reassembly in
!
ip local pool VPN-clients 192.168.40.1
no ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip nat inside source route-map NONAT interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.1.1 254
!
logging trap notifications
logging source-interface FastEthernet0
logging host 192.168.0.110
access-list 80 permit 192.168.0.110
access-list 80 deny   any log
access-list 100 remark IPSec Tunnel Rule
access-list 100 permit ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 100 deny   ip any any log
access-list 101 remark ------ NAT Rules ------
access-list 101 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 102 remark ------ Inside Interface IN Rules ------
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 permit ip any any
access-list 103 remark ------ Outside Interface IN Rules -------
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit icmp any any echo-reply
access-list 103 permit icmp any any time-exceeded
access-list 103 permit icmp any any unreachable
access-list 103 permit udp any any eq domain
access-list 103 permit udp any eq domain any
access-list 103 permit udp any eq bootps any eq bootpc
access-list 103 deny   ip any any log
access-list 104 remark ------ IPSEC Remote Clients Rules ------
access-list 104 permit ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 104 deny   ip any any log
access-list 105 remark ------ TTY Access Rules ------
access-list 105 permit ip 192.168.0.0 0.0.0.255 any
access-list 105 permit ip 192.168.4.0 0.0.0.255 any
access-list 105 permit ip 192.168.40.0 0.0.0.255 any
access-list 105 deny   ip any any log
no cdp run
!
route-map NONAT permit 1
 match ip address 101
!
end
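An added example, not from the thread or from Cisco: a small Python checker that parses the posted ACL 101 (the NAT-exemption list behind route-map NONAT) and ACL 104 (the split-tunnel list for group remote-clients) with IOS wildcard-mask semantics, then reports, for a LAN host answering a VPN client, whether that flow is NAT-exempt and inside the split-tunnel list. The config excerpt is copied from the post; the flow addresses it is checked against are constructed, assuming the client holds an address from pool VPN-clients.

```python
import ipaddress
# Constructed excerpt of the posted config: ACL 101 is the NAT-exemption list used by
# route-map NONAT, ACL 104 is the split-tunnel list for isakmp group remote-clients.
CONFIG = """
access-list 101 remark ------ NAT Rules ------
access-list 101 deny   ip 192.168.4.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 101 deny   ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 101 permit ip 192.168.4.0 0.0.0.255 any
access-list 101 deny   ip any any log
access-list 104 permit ip 192.168.4.0 0.0.0.255 host 192.168.40.1
access-list 104 deny   ip any any log
"""
def _addr(t, i):
    """Consume one IOS address spec ('any', 'host A' or 'A WILDCARD'); return (addr, wildcard, next)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(ipaddress.IPv4Address(t[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(t[i])), int(ipaddress.IPv4Address(t[i + 1])), i + 2

def parse_acl(text, number):
    """Collect 'access-list NUMBER permit|deny ip SRC DST' entries in order; remarks are skipped."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        assert t[3] == "ip", "only plain 'ip' entries are handled here: " + line
        src, src_wc, i = _addr(t, 4)
        dst, dst_wc, _ = _addr(t, i)
        entries.append((t[2], src, src_wc, dst, dst_wc))
    return entries

def _match(addr, base, wildcard):
    # IOS wildcard semantics: a 1 bit means "don't care", so only the 0 bits are compared.
    return (addr & ~wildcard & 0xFFFFFFFF) == (base & ~wildcard & 0xFFFFFFFF)

def evaluate(entries, src_ip, dst_ip):
    """Action of the first matching entry; IOS appends an implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, src, src_wc, dst, dst_wc in entries:
        if _match(s, src, src_wc) and _match(d, dst, dst_wc):
            return action
    return "deny"

def check_lan_to_client(lan_ip, client_ip):
    """For a LAN host replying to a VPN client: (NAT-exempt?, inside the split-tunnel list?)."""
    nat_exempt = evaluate(parse_acl(CONFIG, 101), lan_ip, client_ip) == "deny"
    in_split_tunnel = evaluate(parse_acl(CONFIG, 104), lan_ip, client_ip) == "permit"
    return nat_exempt, in_split_tunnel
```

Calling check_lan_to_client("192.168.4.1", "192.168.40.1") shows the pool address is both NAT-exempt and in the split tunnel, while any other 192.168.40.x address is neither, which is worth knowing before the pool is ever widened.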

8 REPLIES
New Member

Just to clarify:

You can telnet over the site to site tunnel, but not from the VPN client? 

New Member

Yes. I can Telnet over the site-to-site tunnel to the Cisco 881. I cannot Telnet via the VPN Client to the Cisco 881 or ping its LAN interface.


GM

New Member

Can you ping anything else behind its LAN interface?

New Member

No. I cannot ping anything else behind its LAN interface.

New Member

Try this:

access-list 101 deny 192.168.40.0 0.0.0.255 any

New Member

Ok. I thought an "access-list 101 deny ip 192.168.4.0 0.0.0.255 host 192.168.40.1" would work, which I already have defined.

Thanks

New Member

Did you add that command and test?

New Member

Not yet. I will be testing tomorrow. I will let you know. Thanks
