VPN Client 3.5.2 to 1720 or 2621 using IPSEC cannot ping
Wondered whether someone can shed some light on this. My scenario is as follows:
We are attempting to set up for a client an IPSec VPN for remote mobile users to terminate on their 1720. Code version on the 1720 is:
which is the IP/ADSL/FW/IDS PLUS IPsec 3DES version.
Hence, I have set up a test internally using a 2621 with code version:
the IPSec PLUS 3DES version (I think). Anyway, it checks out on the Feature Navigator to support what we are trying to do.
The problem is this:
We can successfully terminate our tunnel on the 2621 (and the 1720). We can ping the router's interfaces. The router can ping the VPN client by its local pool assigned IP address. Clients on the inside of the network can ping the connected VPN client, even doing file transfers from it! BUT, the client cannot ping any of the internal devices on the network!!
Now, I am sure that this has something to do with correct ACL application and perhaps a NAT-T issue too (there are no other devices that could be performing NAT between the client and the router). But I am at a loss, as I have tried all sorts of combinations. Here are the ACLs that I'm using right now.
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
This 130 list I have been using as part of the NO NAT rule, so that this traffic does not go through the NAT process. I also tried applying it under the crypto isakmp client config group list, using the acl command. That made no difference.
Then I created the following:
access-list 140 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip 192.168.4.0 0.0.0.255 any
This I have applied to the crypto isakmp client config group xxxxxx, using the acl command. Again no joy!
I have been banging my head against the brick wall with this one for a couple of days now. I have followed all the sample configs and nothing seems to work.
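Before applying lists like 130 and 140 to a router, it helps to check what they actually classify. The following is an added example (not from the post or Cisco) that parses Cisco-style extended ACL lines with wildcard masks and evaluates them with IOS first-match semantics; it assumes contiguous wildcards, that ACL 130 is referenced by an `ip nat inside source list` statement (where a deny entry means "do not translate"), and that the permit entries' source networks in ACL 140 are what the client receives as its split-tunnel list. The sample flows are constructed.

```python
import ipaddress

# The two ACLs from the post, as written, used here as constructed input.
ACL_130 = """
access-list 130 deny ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 130 deny ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 130 permit ip 192.168.1.0 0.0.0.255 any
"""
ACL_140 = """
access-list 140 permit ip 192.168.1.0 0.0.0.255 any
access-list 140 permit ip 192.168.4.0 0.0.0.255 any
"""

def _addr(tok, i):
    """Return (network, next_index) for 'any', 'host A' or 'A WILDCARD'.
    Assumes a contiguous wildcard mask (0.0.0.255 -> /24)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tok[i + 1]))
    prefix = 32 - wildcard.bit_length()
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue  # only the 'ip' form used in the post is handled
        src, i = _addr(tok, 4)
        dst, _ = _addr(tok, i)
        entries.append((tok[2], src, dst))
    return entries

def match(entries, src_ip, dst_ip):
    """First matching entry wins; implicit deny at the end, as in IOS."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action
    return "deny"

def nat_exempt(src_ip, dst_ip):
    """True when a NAT list built from ACL 130 would leave the flow untranslated."""
    return match(parse_acl(ACL_130), src_ip, dst_ip) == "deny"

def split_tunnel_networks(entries):
    """Source networks of permit entries: what the client is told to tunnel."""
    return [src for action, src, _ in entries if action == "permit"]
```

Running it shows that inside-to-pool and pool-to-inside flows are kept out of NAT by ACL 130 while ordinary inside-to-Internet traffic is still translated, and that ACL 140 hands the client both the LAN and the pool range itself as protected networks.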
Re: VPN Client 3.5.2 to 1720 or 2621 using IPSEC cannot ping
Thanks for that.
Yes, it is using the IOS Firewall. I have checked the access list applied to the outside interface of this router and have found that it has got a statement there that references the vpnpool traffic. Having displayed the sho access-list command and performed a few tests, the match count for that particular statement is incrementing. There is also a statement for the opposite traffic profile (from the inside network to the vpnpool address range), but there are no matches showing to that statement at all, ever.
However, some good news in that with the 2621 I was able to get access to the internal network by putting specific route statements into the internal hosts that we were trying to reach and turning on crypto isakmp nat keepalives for NAT-T. That permitted the traffic to reach the VPN gateway on the way back.
However, this does not work on the 1720 (the code on there does not support NAT-T apparently). Would this be the cause? Is an upgrade of code the only way to go? Don't want to go that way as they have not got enough Flash to support any higher level of code with the required features!
Again, any help much appreciated. Please let me know if you need any more info!!