Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Remote Access VPN - Only access to some remote hosts

Hi Guys

 

Really hope you can help me out here, I am kind of stock.

 

I have a Remote Access VPN to a router that seems to be working. The problem is that I only have access to some host in remote end.

The hosts I really need to access is the following:

 

Server - 192.168.18.240

Switch - 192.168.18.251

Switch - 192.168.18.252

 

But I can´t reach them, only all other hosts on the network. Their default gatway is 192.168.18.1 (the router)

 

What might be the problem?

 

-------------------------------------------------

Hostes on the network:

 

PUFESTI-R#sh arp | e Inc
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.18.1            -   442b.0346.244e  ARPA   Vlan1
Internet  192.168.18.20          58   f0f7.5557.c468  ARPA   Vlan1
Internet  192.168.18.21           0   f0f7.5557.c472  ARPA   Vlan1
Internet  192.168.18.100         29   0090.c2e3.6234  ARPA   Vlan1
Internet  192.168.18.101          0   0040.48b2.534e  ARPA   Vlan1
Internet  192.168.18.171         62   0050.c2e4.00d7  ARPA   Vlan1
Internet  192.168.18.172         57   0050.c2e4.00cf  ARPA   Vlan1
Internet  192.168.18.181          0   0090.e82c.482a  ARPA   Vlan1
Internet  192.168.18.182          0   0090.e82c.4594  ARPA   Vlan1
Internet  192.168.18.240          0   0001.0516.e473  ARPA   Vlan1
Internet  192.168.18.251          0   08d0.9f6c.61dd  ARPA   Vlan1
Internet  192.168.18.252          0   08d0.9f6c.61c7  ARPA   Vlan1
Internet  217.156.34.161          0   0017.95e0.7bca  ARPA   FastEthernet4
Internet  217.156.34.167          -   442b.0346.2452  ARPA   FastEthernet4
Internet  217.156.34.168          -   442b.0346.2452  ARPA   FastEthernet4
Internet  217.156.34.169          -   442b.0346.2452  ARPA   FastEthernet4

 

--------------------------------------------

Hosts I can reach on the network:

 

IP              Ping            Hostname                Ports           
192.168.18.1    66 ms           [n/a]                   [n/s]           
192.168.18.20   66 ms           [n/a]                   [n/s]           
192.168.18.100  68 ms           [n/a]                   [n/s]           
192.168.18.21   69 ms           [n/a]                   [n/s]           
192.168.18.101  69 ms           [n/a]                   [n/s]           
192.168.18.171  71 ms           [n/a]                   [n/s]           
192.168.18.172  71 ms           [n/a]                   [n/s]           
192.168.18.181  76 ms           [n/a]                   [n/s]           
192.168.18.182  78 ms           [n/a]                   [n/s]           

 

--------------------------------------------------

VPN info:

 

PUFESTI-R#sh crypto isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
217.156.34.167  87.104.81.49    QM_IDLE           2006 ACTIVE
217.156.34.167  89.249.1.238    QM_IDLE           2001 ACTIVE

IPv6 Crypto ISAKMP SA

PUFESTI-R#

 


PUFESTI-R#sh crypto ips sa

interface: FastEthernet4
    Crypto map tag: outside_map, local addr 217.156.34.167

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.18.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
   current_peer 89.249.1.238 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2320, #pkts encrypt: 2320, #pkts digest: 2320
    #pkts decaps: 2352, #pkts decrypt: 2352, #pkts verify: 2352
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.156.34.167, remote crypto endpt.: 89.249.1.238
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0x952A4954(2502576468)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x7EC90F3A(2127105850)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 11, flow_id: Onboard VPN:11, sibling_flags 80000046, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4491363/2676)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x952A4954(2502576468)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
        conn id: 12, flow_id: Onboard VPN:12, sibling_flags 80000046, crypto map: outside_map
        sa timing: remaining key lifetime (k/sec): (4491346/2676)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 217.156.34.167

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.253.5/255.255.255.255/0/0)
   current_peer 87.104.81.49 port 40425
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1088, #pkts encrypt: 1088, #pkts digest: 1088
    #pkts decaps: 4087, #pkts decrypt: 4087, #pkts verify: 4087
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 217.156.34.167, remote crypto endpt.: 87.104.81.49
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xE7B9F329(3887723305)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1D30192F(489691439)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 13, flow_id: Onboard VPN:13, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4437881/2919)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xE7B9F329(3887723305)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 14, flow_id: Onboard VPN:14, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4438107/2919)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
PUFESTI-R#

---------------------------

 

Attached is running-config of the router.

 

Thanks in advance

Regards

Mikkel

 

 

 

 

Everyone's tags (1)
6 REPLIES
Hall of Fame Super Silver

The switches you cannot reach

The switches you cannot reach (192.168.18.240/251/252) are addressed from a range in your VPN DHCP pool (=192.168.18.200-254 once you take into account your exclusions):

ip dhcp excluded-address 192.168.17.1 192.168.17.199
ip dhcp excluded-address 192.168.18.1 192.168.18.199
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.18.0 255.255.255.0
   dns-server 8.8.8.8 208.67.222.222
   default-router 192.168.18.1

Try excluding those specific /32s as well:

 

New Member

Hi Marvin Thanks for the

Hi Marvin

 

Thanks for the reply. Just got back from easter holiday.

The suggested did not help. 

Any other ideas? Mayby some debug commands to use.

 

Regards

Mikkel

i agreed with you Marvin,

i agreed with you Marvin, this is the problem and somethings may be wrong in consideration because vpn is good to go.

your VPN is based on this ACL:

ip access-list extended customer
 permit ip 192.168.18.0 0.0.0.255 10.2.0.0 0.0.0.255

it should be on other end:

ip access-list extended customer
 permit ip  10.2.0.0 0.0.0.255 192.168.18.0 0.0.0.255

Another thing keep in mind, the switches will be access only from this sub net hosts  :10.2.0.0  0.0.0.255

HTH

 

 

New Member

Hi

Hi

 

Thanks for the reply. I think that some things here is mixed up. The 

ip access-list extended customer
 permit ip 192.168.18.0 0.0.0.255 10.2.0.0 0.0.0.255

Is used for LAN to LAN VPN connection, and this is working just fine.

The problem is in the Remote access VPN.

Can you tell me why DHCP exclutions could solve the problem? It makes no sense in my world.

 

Regards

 

Mikkel

New Member

Hi Mikkel,I do not think DHCP

Hi Mikkel,

I do not think DHCP mis-configuration cause the issue, The remote ezVPN client(192.168.253.5) has setup the ipsec session without any issue. I think it is route issue, Did you forget to configure default gateway or default route on those 3 devices?

Regards,

David

Hi mikkel003,welcome sorry,

Hi mikkel003,

welcome 

sorry, do not need to exclude, i did not look carefully before.

regards,

syed

 

"plz don't forget to rate for helpful post"

113
Views
0
Helpful
6
Replies
CreatePlease login to create content