Solved

Cisco VPN Client connect to a 1710 Router

Posted on 2003-03-14
282 Views
Last Modified: 2008-03-17
Hi,
maybe someone is able to help me with my problem.
I configured a 1710 Cisco router for Internet and VPN with split-tunneling.
Now I am trying to connect a client, from the outside world over a Cisco VPN Client, with the router. I am getting a connection and the tunnel is working fine!
But when I try to ping from my outside client to the internal network behind the router, I don't get an answer! When I ping from somewhere in the internal network to that IP of the client I am getting an answer! What did I do wrong?
Interestingly, if I use the Cisco VPN Client with Windows XP, I can ping the first device I tried to ping in the internal network. But when I try to ping another device, I can't.
Under Windows 98 I have never got an answer from any device of the internal network!

Here is my running-config:


version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname X
!
logging buffered 4096 debugging
no logging console
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 1234
!
username 1234 password 1234
memory-size iomem 15
ip subnet-zero
no ip source-route
!
!
ip domain-name XXXXXX.com
ip name-server 200.100.64.86
ip name-server 200.100.68.10
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 1234
 key 1234
 dns 200.100.68.10
 domain XXXXXX.com
 pool ippool
 acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 200.100.78.114 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 half-duplex
 crypto map clientmap
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 speed auto
 half-duplex
!
ip local pool ippool 192.168.11.10 192.168.11.20
ip nat inside source list 7 interface Ethernet0 overload
ip nat inside source static tcp 192.168.10.100 110 200.100.78.115 110 extendable
ip nat inside source static tcp 192.168.10.100 25 200.100.78.115 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 200.100.78.113
no ip http server
ip pim bidir-enable
!
!
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 172.0.0.0 0.31.255.255
access-list 100 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 deny   tcp any any range 135 139
access-list 100 deny   udp any any range 135 netbios-ss
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 108 permit ip 192.168.10.0 0.0.255.255 192.168.11.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
line con 0
line aux 0
line vty 0 4
 password 1234
!
no scheduler allocate
end

Thanks in advance!
Question by:luckydenona
10 Comments
LVL 79

Expert Comment

by:lrmoore
ID: 8137206
Try removing the acl 100 from the inside Ethernet interface and see if that helps.
If it works, then it is only an acl issue.
Typically, we only put acls on the inbound of the outside interface.

You can see exactly what you are blocking by changing the last line from
>access-list 100 deny ip any any
to
access-list 100 deny ip any any log

Also, you may have a simple typo in your acl 108

>access-list 108 permit ip 192.168.10.0 0.0.255.255 192.168.11.0 0.0.0.255

should be

access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
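An added check for the two points raised in this comment (the wildcard-mask slip in ACL 108 and what ACL 100 actually matches), written for this page rather than taken from the thread: a small Python parser that expands each IOS address/wildcard pair into the range it really covers, flags addresses that have bits set inside the wildcard, and evaluates an ACL first-match for a given packet. The sample lines are constructed from the config above.

```python
import ipaddress
# Constructed sample in the style of the running-config above: ACL 108 with the
# wildcard-mask typo lrmoore points out, the corrected line, and one ACL 100
# line that carries a port range after the destination.
SAMPLE_ACL = """
access-list 108 permit ip 192.168.10.0 0.0.255.255 192.168.11.0 0.0.0.255
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 100 deny   tcp any any range 135 139
"""

def wildcard_to_network(addr, wildcard):
    """IOS address/wildcard -> network, plus the address bits inside the wildcard."""
    a, w = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))
    if w & (w + 1):                      # a contiguous wildcard is 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    net = ipaddress.IPv4Network((a, 32 - w.bit_length()), strict=False)
    return net, a & w                    # nonzero = mask wider than addr suggests

def _endpoint(tokens):
    """Consume one 'any' / 'host A' / 'A WILDCARD' spec from the token list."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), 0, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), 0, tokens[2:]
    net, stray = wildcard_to_network(tokens[0], tokens[1])
    return net, stray, tokens[2:]

def parse_extended_acl(text):
    """Parse 'access-list N permit|deny proto src dst ...'; port qualifiers ignored."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list":
            continue
        src, s_stray, rest = _endpoint(tok[4:])
        dst, d_stray, _ = _endpoint(rest)
        entries.append({"acl": int(tok[1]), "action": tok[2], "proto": tok[3],
                        "src": src, "dst": dst, "line": line,
                        "warn": bool(s_stray or d_stray)})
    return entries

def acl_decision(entries, number, src_ip, dst_ip, proto="ip"):
    """First-match evaluation of ACL `number`; IOS's implicit deny if nothing matches."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if (e["acl"] == number and e["proto"] in ("ip", proto)
                and s in e["src"] and d in e["dst"]):
            return e["action"]
    return "deny"
```

Running it over the typo line shows it covers 192.168.0.0/16, so it permits far more internal sources than the /24 the author meant; the corrected line only permits the LAN to the VPN pool and, being a split-tunnel ACL, says nothing about the reverse direction.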

Author Comment

by:luckydenona
ID: 8137388
Thanks for your comment.

I already disabled the access-list 100 and I still have the same problem!
I also reconfigured the access-list 108, you are right, thanks!
LVL 79

Expert Comment

by:lrmoore
ID: 8137424
>you are right, thanks!
Does this mean it works now?

Author Comment

by:luckydenona
ID: 8137460
No!
LVL 79

Expert Comment

by:lrmoore
ID: 8137559
Try this:
interface FastEthernet0
ip redirects
ip unreachables
ip proxy-arp


Author Comment

by:luckydenona
ID: 8137678
Tried, but no change!
LVL 79

Expert Comment

by:lrmoore
ID: 8137738
What is the default gateway on the stations that you are trying to ping from the client?
>When I ping from somewhere in the internal network to that IP of the client I am getting an answer!

This doesn't make sense. I would expect it to be the other way around, because the VPN client has a built-in ZoneAlarm firewall. What version client are you using?

Any other firewall or anything between the internal clients and this router?

Author Comment

by:luckydenona
ID: 8138053
The default gateway is the internal router address!
The Cisco client is the 3.6.3B version! But I also tried the 3.6.3A version!
The firewall option is not activated in the client software.
There are no other firewalls between the router and the internal clients.
LVL 3

Expert Comment

by:RouterDude
ID: 8198731
Sounds like an IP misconfiguration. What does the routing table and ipconfig look like on the XP machine? Do you get a default gateway address for the VPN connection that points to your inside network and does the subnet match? Since I don't have the same model router you're using, I am not able to see all the configuration commands for your client configuration, but I don't see where a default router would be configured on the client side. I see DNS, domain name and pool, but no gateway address. What I am thinking is it can ping the directly connected IP, the router, but nothing else because it does not know how to get there and is trying to get to it via its current default gateway. Do a tracert and such and let me know.
LVL 79

Accepted Solution

by:
lrmoore earned 100 total points
ID: 8637225
G'day luckydenona,

Are you still working on this? Can you close out this question?

Cheers!