remote access vpn - can only ping inside interface ip, not inside hosts

tachyon05
Level 1

I can ping the inside interface IP address from outside through the VPN, but I cannot ping any internal hosts connected to the inside interface.

I appended a deny ip any any log at the end of the ACL, but did not see any ICMP being denied. Furthermore, I do see the egress ACL of the inside interface allowing ICMP echo reply.

And yes, inside hosts are configured to respond to pings and RDP requests.

5 Replies

manish arora
Level 6

Check for NAT exemption for the VPN client IP address pool. Post the configuration if possible.

manish

! ACL 122 drives the NAT route-map: a deny here means "no route-map match",
! i.e. the flow is NOT translated; a permit means it is PATed to BVI3.
access-list 122 remark NAT acl
access-list 122 deny   ip 172.16.45.0 0.0.0.255 10.45.10.0 0.0.0.31
access-list 122 permit ip 172.16.45.0 0.0.0.255 any
!
route-map NAT_Bypass permit 1
 match ip address 122
!
ip nat inside source route-map NAT_Bypass interface BVI3 overload
!
! EZVPN client group; the pool name refers to the local pool below.
crypto isakmp client configuration group xxxxx
 key xxxxx
 pool EZVPN_POOL
!
! 30 client addresses, all inside the 10.45.10.0/27 covered by the deny ACE above.
ip local pool EZVPN_POOL 10.45.10.1 10.45.10.30

If I ping a server connected to the inside interface, I get "request timed out" and the following ACL entry does not get hit, as its count does not increase:

access-list 122 deny   ip 172.16.45.0 0.0.0.255 10.45.10.0 0.0.0.31

If I ping the inside interface IP address, the same ACL entry above increases its count and I get replies to my ping.
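The NAT-exemption check suggested in the previous reply, worked through in Python as an added example (this is not code from the thread). It parses the ACL and pool lines posted above, evaluates the ACL top-down with first-match semantics the way IOS does, and lists every pool address whose LAN-to-client traffic would still be translated by the route-map NAT. The inside host 172.16.45.10 and the second, enlarged pool ending at 10.45.10.60 are constructed for illustration; the posted configuration itself passes the check.

```python
import ipaddress
import re

# Constructed sample: the NAT and pool lines posted earlier in this thread.
POSTED_CONFIG = """\
access-list 122 remark NAT acl
access-list 122 deny   ip 172.16.45.0 0.0.0.255 10.45.10.0 0.0.0.31
access-list 122 permit ip 172.16.45.0 0.0.0.255 any
ip local pool EZVPN_POOL 10.45.10.1 10.45.10.30
"""

ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(permit|deny)\s+ip\s+(.+)$")
POOL_RE = re.compile(r"^ip local pool\s+(\S+)\s+(\S+)\s+(\S+)")


def wildcard_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network.

    Wildcard bits are the inverse of a subnet mask, so 0.0.0.31 is /27 and
    0.0.0.0 is a /32 host. Converting to a netmask first avoids ipaddress
    reading 0.0.0.0 as a /0; a non-contiguous wildcard raises
    NetmaskValueError, which is left to propagate.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.IPv4Network(
        (addr, str(ipaddress.IPv4Address(mask))), strict=False)


def parse_operand(tokens):
    """Consume one ACE address operand: any | host A | A WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_network(tokens[0], tokens[1]), tokens[2:]


def parse_config(text):
    """Return ({acl: [(action, src_net, dst_net), ...]}, {pool: (start, end)})."""
    acls, pools = {}, {}
    for line in text.splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, rest = m.groups()
            src, remaining = parse_operand(rest.split())
            dst, _ = parse_operand(remaining)
            acls.setdefault(name, []).append((action, src, dst))
            continue
        m = POOL_RE.match(line.strip())
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return acls, pools


def first_match(aces, src, dst):
    """IOS evaluates ACEs top-down; first match wins; implicit deny at the end."""
    for action, src_net, dst_net in aces:
        if src in src_net and dst in dst_net:
            return action
    return "deny"


def translated_pool_addresses(acls, acl_name, pools, pool_name, inside_host):
    """Pool addresses for which inside_host -> client traffic is still NATed.

    With 'ip nat inside source route-map ...', packets the ACL permits match
    the route-map and are translated; packets the ACL denies fall through
    untranslated. So every client address must land on a deny ACE.
    """
    start, end = pools[pool_name]
    src = ipaddress.IPv4Address(inside_host)
    leaked = []
    for n in range(int(start), int(end) + 1):
        client = ipaddress.IPv4Address(n)
        if first_match(acls[acl_name], src, client) == "permit":
            leaked.append(str(client))
    return leaked


if __name__ == "__main__":
    acls, pools = parse_config(POSTED_CONFIG)
    print("posted config, still NATed:",
          translated_pool_addresses(acls, "122", pools, "EZVPN_POOL", "172.16.45.10"))
    # Constructed variant: the pool grown past the /27 that the deny ACE covers.
    acls2, pools2 = parse_config(POSTED_CONFIG.replace("10.45.10.30", "10.45.10.60"))
    print("oversized pool, still NATed:",
          translated_pool_addresses(acls2, "122", pools2, "EZVPN_POOL", "172.16.45.10"))
```

Run it against a saved `show running-config`; an empty list means every client address is exempt. In the oversized-pool variant the addresses .32 through .60 fall off the end of the /27 and would be PATed to the BVI3 address, which is the classic way a VPN pool that was "expanded later" silently breaks return traffic.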

Post the complete configuration. I am hoping that this router is the gateway for the servers, right? Also verify that there isn't any firewall/IDS/iptables dropping packets on the server.

manish

Do you have any firewall on the router, like ZBF?

Also put an ACL in the inbound direction on the inside interface of the router for traffic from your internal network to the VPN pool and see if you get any hit counts on that ACL. This will clarify whether the reply packets are making it back to the router.

So your ACL will be something like this:

ip access-list extended abc
 ! internal LAN -> VPN pool (subnets taken from the config posted above);
 ! hits on this entry prove the servers' replies reach the router
 permit ip 172.16.45.0 0.0.0.255 10.45.10.0 0.0.0.31
 ! catch-all so nothing else is dropped while the ACL is applied
 permit ip any any

You should see hit counts when you do show access-list abc.

Also please paste the output of show crypto ipsec sa.
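The hit-count comparison described in this reply, as an added Python example (not code from the thread): it parses two captures of `show access-lists` taken before and after sending a known number of pings, reports how much each sequence number grew, and gives a verdict on whether the LAN-to-pool entry advanced by at least the number of probes. The two captures below are constructed to show the symptom from this thread, the catch-all growing while the return-path entry stays flat; a third capture shows the healthy case.

```python
import re

# Constructed captures (not from the thread): 'show access-lists abc' on the
# router before and after 5 pings from a VPN client to an inside server.
BEFORE = """\
Extended IP access list abc
    10 permit ip 172.16.45.0 0.0.0.255 10.45.10.0 0.0.0.31 (3 matches)
    20 permit ip any any (4817 matches)
"""
AFTER_BROKEN = """\
Extended IP access list abc
    10 permit ip 172.16.45.0 0.0.0.255 10.45.10.0 0.0.0.31 (3 matches)
    20 permit ip any any (4862 matches)
"""
AFTER_HEALTHY = """\
Extended IP access list abc
    10 permit ip 172.16.45.0 0.0.0.255 10.45.10.0 0.0.0.31 (8 matches)
    20 permit ip any any (4858 matches)
"""

ACL_HDR = re.compile(r"^(?:Extended|Standard) IP access list (\S+)")
# ACEs with zero hits print no "(n matches)" suffix; "(1 match)" is singular.
ACE_RE = re.compile(r"^\s+(\d+)\s+(.*?)(?:\s+\((\d+) match(?:es)?\))?$")


def parse_show_access_lists(text):
    """Return {acl_name: {seq: (ace_text, matches)}} from show access-lists output."""
    result, current = {}, None
    for line in text.splitlines():
        m = ACL_HDR.match(line)
        if m:
            current = m.group(1)
            result[current] = {}
            continue
        m = ACE_RE.match(line)
        if m and current is not None:
            seq, ace, hits = m.groups()
            result[current][int(seq)] = (ace.strip(), int(hits or 0))
    return result


def hit_deltas(before, after, acl):
    """Per-sequence growth in matches between two captures of one ACL."""
    b = parse_show_access_lists(before)[acl]
    a = parse_show_access_lists(after)[acl]
    return {seq: (text, hits - b.get(seq, (None, 0))[1]) for seq, (text, hits) in a.items()}


def reply_path_ok(before, after, acl, seq, probes):
    """True if the LAN-to-pool ACE advanced by at least `probes`.

    A flat count here while the catch-all keeps growing means the server's
    echo replies never arrived on the router's inside interface, so the
    problem is on the server side (default gateway, host firewall) rather
    than in the VPN or NAT configuration.
    """
    _, delta = hit_deltas(before, after, acl)[seq]
    return delta >= probes


if __name__ == "__main__":
    for label, after in (("broken", AFTER_BROKEN), ("healthy", AFTER_HEALTHY)):
        deltas = hit_deltas(BEFORE, after, "abc")
        print(label, {seq: d for seq, (_, d) in deltas.items()},
              "replies reached router:", reply_path_ok(BEFORE, after, "abc", 10, 5))
```

Clear the counters first (`clear access-list counters abc`) or, as here, diff two snapshots so background traffic on the catch-all entry does not hide the result; the only number that matters is the growth on the sequence that matches server-to-pool traffic.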

It turned out this is a bug in some versions of IOS 15. In this case it is c180x-advipservicesk9-mz.151-2.T1.bin.

I contacted TAC, and there are two ways to fix this:

-- just add the no ip cef command

or

-- in the crypto map, instead of just saying reverse-route, say reverse-route remote-peer x.x.x.x, where x.x.x.x is the gateway of the router.
