VPN Client 3.5.2 to 1720 or 2621 using IPSEC cannot ping

Hi

Wondered whether someone can shed some light on this. My scenario is as follows:

We are attempting to set up for a client an IPSec VPN for remote mobile users to terminate on their 1720. Code version on the 1720 is:

:c1700-k9o3sy7-mz.122-11.T9.bin

which is the IP/ADSL/FW/IDS PLUS IPsec 3DES version.

Hence, I have set up a test internally using a 2621 with code version:

12.3(1a)

the IPSec PLUS 3DES version (I think). Anyway, it checks out on the Feature Navigator to support what we are trying to do.

The problem is this:

We can successfully terminate our tunnel on the 2621 (and the 1720). We can ping the router's interfaces. The router can ping the VPN client by its local pool assigned IP address. Clients on the inside of the network can ping the connected VPN client, even doing file transfers from it! BUT, the client cannot ping any of the internal devices on the network!!

Now, I am sure that this has something to do with correct ACL application and perhaps a NAT-T issue too (there are no other devices that could be performing NAT between the client and the router). But I am at a loss, as I have tried all sorts of combinations. Here are the ACLs that I'm using right now.

access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any

This 130 list I have been using as part of the NO NAT rule, so that this traffic does not go through the NAT process. I also tried applying it under the crypto isakmp client config group list, using the acl command. That made no difference.

Then I created the following:

access-list 140 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip 192.168.4.0 0.0.0.255 any

This I have applied to the crypto isakmp client config group xxxxxx, using the acl command. Again no joy!

I have been banging my head against the brick wall with this one for a couple of days now. I have followed all the sample configs and nothing seems to work.

Please help!!!!

Many thanks in advance

Marc
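An added evaluator (not from the thread, and not Cisco code) that applies IOS first-match, implicit-deny semantics to the two access lists quoted in the post, so you can see which flows list 130 exempts from NAT and which it translates; the sample flow addresses are constructed.

```python
import ipaddress
# Constructed input: the poster's list 130 (the NO NAT rule) and list 140 (client config group acl).
ACL_CONFIG = """
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip 192.168.4.0 0.0.0.255 any
"""

def _addr(s: str) -> int:
    return int(ipaddress.IPv4Address(s))

def _addr_pair(tok: list[str], i: int) -> tuple[int, int, int]:
    """Read 'any' or 'ADDR WILDCARD' starting at tok[i]; return (addr, wildcard, next index)."""
    if tok[i] == "any":  # shorthand for 0.0.0.0 255.255.255.255
        return 0, 0xFFFFFFFF, i + 1
    return _addr(tok[i]), _addr(tok[i + 1]), i + 2

def parse_acls(config: str) -> dict[int, list[tuple]]:
    """Parse 'access-list N permit|deny ip SRC DST' lines into
    ACL number -> ordered list of (action, src, src_wc, dst, dst_wc)."""
    acls: dict[int, list[tuple]] = {}
    for line in config.strip().splitlines():
        tok = line.split()
        if tok[0] != "access-list" or tok[3] != "ip":
            raise ValueError(f"unsupported line: {line}")
        src, src_wc, i = _addr_pair(tok, 4)
        dst, dst_wc, _ = _addr_pair(tok, i)
        acls.setdefault(int(tok[1]), []).append((tok[2], src, src_wc, dst, dst_wc))
    return acls

def _match(addr: int, wildcard: int, ip: int) -> bool:
    # Bits set in the wildcard are "don't care"; every other bit must be equal.
    return ((ip ^ addr) & ~wildcard & 0xFFFFFFFF) == 0

def evaluate(acl: list[tuple], src_ip: str, dst_ip: str) -> str:
    """Action of the first matching entry, or 'deny' for IOS's implicit deny at the end."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for action, src, src_wc, dst, dst_wc in acl:
        if _match(src, src_wc, s) and _match(dst, dst_wc, d):
            return action
    return "deny"

ACLS = parse_acls(ACL_CONFIG)

# Under a NAT route-map "permit" means translate and "deny" means leave untouched (constructed flows).
for src, dst in [("192.168.1.10", "192.168.4.5"), ("192.168.4.5", "192.168.1.10"),
                 ("192.168.1.10", "198.51.100.1"), ("192.168.4.5", "198.51.100.1")]:
    print(f"ACL 130 {src} -> {dst}: {evaluate(ACLS[130], src, dst)}")
```

The last flow shows that pool traffic bound for the Internet falls through to the implicit deny of list 130, so it is never translated by a route-map built on that list.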

2 REPLIES
Re: VPN Client 3.5.2 to 1720 or 2621 using IPSEC cannot ping

Are you using IOS FW (CBAC)? If so are you allowing the VPN Pool traffic through the Access-List that is applied to the outside interface?

Re: VPN Client 3.5.2 to 1720 or 2621 using IPSEC cannot ping

Thanks for that.

Yes, it is using the IOS Firewall. I have checked the access list applied to the outside interface of this router and have found that it has got a statement there that references the vpnpool traffic. Having displayed the sho access-list command and performed a few tests, the match count for that particular statement is incrementing. There is also a statement for the opposite traffic profile (from the inside network to the vpnpool address range), but there are no matches showing to that statement at all, ever.

However, some good news in that with the 2621 I was able to get access to the internal network by putting specific route statements into the internal hosts that we were trying to reach and turning on crypto isakmp nat keepalives for NAT-T. That permitted the traffic to reach the VPN gateway on the way back.

However, this does not work on the 1720 (the code on there does not support NAT-T apparently). Would this be the cause? Is an upgrade of code the only way to go? Don't want to go that way as they have not got enough Flash to support any higher level of code with the required features!

Again, any help much appreciated. Please let me know if you need any more info!!
