09-08-2009 05:25 AM - edited 03-04-2019 05:58 AM
Hello,
I have set up a VPN connection to an 877, using Cisco VPN client. I am able to establish a tunnel and can ping interface Vlan1 on the 877. There is a primary and secondary address on interface Vlan1, and the server that I need to RDP onto is on the secondary interface address. I am unable to ICMP the server, although from the router I can ICMP the server. I have tried many scenarios; currently the DHCP pool for VPN clients is on the same subnet as the server.
Any ideas?
Darren
09-08-2009 06:19 AM
Can you post the relevant crypto info from the router(s)?
09-08-2009 06:37 AM
Hi Colin,
There you go.
Current configuration : 5621 bytes
!
!
boot-start-marker
boot system flash c870-advsecurityk9-mz.124-15.T9.bin
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.1.1 172.16.1.30
ip dhcp excluded-address 172.16.1.65 172.16.1.94
ip dhcp excluded-address 172.16.1.97 172.16.1.126
ip dhcp excluded-address 172.16.1.129 172.16.1.158
ip dhcp excluded-address 172.16.1.161 172.16.1.190
ip dhcp excluded-address 172.16.1.193 172.16.1.222
ip dhcp excluded-address 172.16.1.225 172.16.1.254
!
ip dhcp pool Test
network 172.16.1.0 255.255.255.0
dns-server 172.16.1.1
default-router 172.16.1.1
lease 3
!
!
ip domain lookup source-interface Vlan1
ip domain name yourdomain.com
ip host test 192.168.1.150
ip name-server 62.24.128.18
ip name-server 62.24.128.17
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group remoteaccess
key cisco321
dns 172.16.1.1
pool remoteaccess
!
!
crypto ipsec transform-set remoteaccess esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 5
set transform-set remoteaccess
reverse-route
!
!
crypto map remoteaccess client authentication list userauthen
crypto map remoteaccess isakmp authorization list groupauthor
crypto map remoteaccess client configuration address respond
crypto map remoteaccess 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description test LAN
ip address 192.168.1.1 255.255.255.0 secondary
ip address 172.16.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Dialer0
ip address x.x.x. x.x.x.x
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN-Client
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname x.x.x.x
ppp chap password 0 x,x,x,
crypto map remoteaccess
!
ip local pool remoteaccess 192.168.1.225 192.168.1.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 permanent
ip route 62.24.128.18 255.255.255.255 Dialer0
ip route 172.16.1.50 255.255.255.255 Dialer0
ip route 172.16.1.224 255.255.255.224 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip dns spoofing 172.16.1.1
ip nat inside source list 103 interface Dialer0 overload
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit any log
access-list 101 permit ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 permit ip 0.0.0.0 255.255.255.248 any
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 permit ip 172.16.1.224 0.0.0.31 any
access-list 104 permit ip host 10.1.1.10 any
access-list 104 permit ip host 172.16.1.50 any
access-list 104 permit ip 192.168.1.224 0.0.0.31 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map VPN-Client permit 10
match ip address 104
set interface Vlan1
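As an added example (not from this thread, and not Cisco tooling), a small Python linter over the relevant lines of the config posted above. It flags the two things worth checking first in this layout: the client pool (192.168.1.225-254) sitting inside a Vlan1 subnet, and NAT ACL 103 having no deny for traffic destined to the pool, which matters because inside-to-outside NAT on IOS is applied before IPsec encryption, so LAN replies to VPN clients can be translated instead of encrypted.

```python
import re
import ipaddress

# Constructed sample: the lines of the config posted above that the two
# checks look at (Vlan1 addresses, client pool, NAT ACL).
CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0 secondary
 ip address 172.16.1.1 255.255.255.0
 ip nat inside
ip local pool remoteaccess 192.168.1.225 192.168.1.254
ip nat inside source list 103 interface Dialer0 overload
access-list 103 permit ip 172.16.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
"""

ACE = r"access-list {acl} (permit|deny) ip (any|host \S+|\S+ \S+) (any|host \S+|\S+ \S+)"

def to_net(tok):
    """ACL address token ('any', 'host A', 'A WILDCARD') -> IPv4Network."""
    if tok == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    if tok.startswith("host "):
        return ipaddress.IPv4Network(tok.split()[1] + "/32")
    addr, wild = tok.split()
    return ipaddress.IPv4Network(f"{addr}/{wild}", strict=False)  # wildcard = hostmask

def vlan1_subnets(cfg):
    """Every 'ip address A M [secondary]' under interface Vlan1 as a network."""
    body = re.search(r"interface Vlan1\n((?: .*\n)+)", cfg).group(1)
    return [ipaddress.IPv4Network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r" ip address (\S+) (\S+)", body)]

def pool_range(cfg):
    lo, hi = re.search(r"ip local pool \S+ (\S+) (\S+)", cfg).groups()
    return ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)

def nat_acl(cfg):
    """(action, src, dst) for each entry of the ACL named by 'ip nat inside source list'."""
    acl = re.search(r"ip nat inside source list (\d+)", cfg).group(1)
    return [(act, to_net(s), to_net(d)) for act, s, d in re.findall(ACE.format(acl=acl), cfg)]

def findings(cfg):
    lo, hi = pool_range(cfg)
    out = [f"pool {lo}-{hi} lies inside Vlan1 subnet {net}"
           for net in vlan1_subnets(cfg) if lo in net or hi in net]
    # Inside-to-outside NAT runs before IPsec, so LAN replies to VPN clients
    # need a deny in the NAT ACL; flag the ACL if no deny covers the pool.
    if not any(act == "deny" and lo in d and hi in d for act, _, d in nat_acl(cfg)):
        out.append("NAT ACL has no deny for traffic destined to the VPN pool")
    return out
```

Running findings(CONFIG) on the sample reports both conditions; adding a deny for the pool as the destination at the top of ACL 103 clears the second one.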
09-08-2009 06:54 AM
I don't see your crypto ACL, but does it include the secondary IP subnets?
09-08-2009 11:47 AM
Hi Colin,
I have pasted all my config. I thought the router map would do the same thing as the crypto ACL as the interesting traffic.
Darren.
09-08-2009 11:51 AM
Cool, I've never used a route map for it. Anyway, you're encrypting all traffic to the remote site, correct? The tunnel is up and working except for the secondary subnets, correct?
09-08-2009 12:17 PM
Hi Colin,
That's right. Very weird problems.
Darren.
09-08-2009 12:24 PM
Darren-
I need a day or two to lab it up and test. If you need this quicker than that, you might want to re-post or open a TAC case.