luckydenona
asked on
Cisco VPN Client connect to a 1710 Router
Hi,
Maybe someone is able to help me with my problem.
I configured a 1710 Cisco router for Internet and VPN with split-tunneling.
Now I am trying to connect a client from the outside world to the router over the Cisco VPN Client. I get a connection and the tunnel is working fine!
But when I try to ping from my outside client to the internal network behind the router, I don't get an answer! When I ping from somewhere in the internal network to the IP of the client, I get an answer! What did I do wrong?
Interestingly, if I use the Cisco VPN Client with Windows XP, I can ping the first device I tried to ping in the internal network. But when I try to ping another device, I can't.
Under Windows 98 I have never gotten an answer from any device on the internal network!
Here is my running-config:
version 12.2
service timestamps debug datetime
service timestamps log datetime
service password-encryption
!
hostname X
!
logging buffered 4096 debugging
no logging console
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 1234
!
username 1234 password 1234
memory-size iomem 15
ip subnet-zero
no ip source-route
!
!
ip domain-name XXXXXX.com
ip name-server 200.100.64.86
ip name-server 200.100.68.10
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group 1234
key 1234
dns 200.100.68.10
domain XXXXXX.com
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 200.100.78.114 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
half-duplex
crypto map clientmap
!
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
speed auto
half-duplex
!
ip local pool ippool 192.168.11.10 192.168.11.20
ip nat inside source list 7 interface Ethernet0 overload
ip nat inside source static tcp 192.168.10.100 110 200.100.78.115 110 extendable
ip nat inside source static tcp 192.168.10.100 25 200.100.78.115 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 200.100.78.113
no ip http server
ip pim bidir-enable
!
!
access-list 7 permit 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 172.0.0.0 0.31.255.255
access-list 100 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 deny tcp any any range 135 139
access-list 100 deny udp any any range 135 netbios-ss
access-list 100 permit tcp any any
access-list 100 permit udp any any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 deny ip any any
access-list 108 permit ip 192.168.10.0 0.0.255.255 192.168.11.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 1 protocol ipx permit
!
!
line con 0
line aux 0
line vty 0 4
password 1234
!
no scheduler allocate
end
Thanks in advance!
ASKER
Thanks for your comment.
I already disabled access-list 100 and I still have the same problem!
I also reconfigured access-list 108, you are right, thanks!
>you are right, thanks!
Does this mean it works now?
ASKER
No!
Try this:
interface FastEthernet0
ip redirects
ip unreachables
ip proxy-arp
ASKER
Tried, but no change!
What is the default gateway on the stations that you are trying to ping from the client?
>When I ping from somewhere in the internal network to that IP of the client I am getting an answer!
This doesn't make sense. I would expect it to be the other way around, because the VPN client has a built-in ZoneAlarm firewall. What version of the client are you using?
Any other firewall or anything between the internal clients and this router?
ASKER
The default gateway is the internal router address!
The Cisco client is the 3.6.3B version! But I also tried the 3.6.3A version!
The firewall option is not activated in the client software.
There are no other firewalls between the router and the internal clients.
Sounds like an IP misconfiguration. What do the routing table and ipconfig look like on the XP machine? Do you get a default gateway address for the VPN connection that points to your inside network, and does the subnet match? Since I don't have the same model router you're using, I am not able to see all the configuration commands for your client configuration, but I don't see where a default router would be configured on the client side. I see DNS, domain name and pool, but no gateway address. What I am thinking is it can ping the directly connected IP, the router, but nothing else because it does not know how to get there and is trying to get to it via its current default gateway. Do a tracert and such and let me know.
ASKER CERTIFIED SOLUTION
If it works, then it is only an ACL issue.
Typically, we only put ACLs on the inbound of the outside interface.
You can see exactly what you are blocking by changing the last line from
>access-list 100 deny ip any any
to
access-list 100 deny ip any any log
Also, you may have a simple typo in your acl 108
>access-list 108 permit ip 192.168.10.0 0.0.255.255 192.168.11.0 0.0.0.255
should be
access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
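An added example (not code from the thread, from the asker or from Cisco) that makes the wildcard-mask point above concrete. The script parses the numbered access-list lines copied from the posted config, together with the corrected ACL 108 line from this reply, and reports the block each address/wildcard pair actually matches: IOS treats every wildcard bit as "don't care", so `192.168.10.0 0.0.255.255` behaves as `192.168.0.0/16` rather than as the /24 the source address suggests, and the checker flags such pairs. It also evaluates a packet against an ACL the way IOS does (first match wins, implicit deny at the end); the tcp/udp entries of ACL 100 are skipped, so that evaluation is only meaningful for traffic such as ICMP echo that those entries cannot match. The packet addresses used at the bottom are constructed for illustration.

```python
"""Added example, not part of the original thread: a checker for the numbered
access-list lines in the posted running-config.

Parses standard ACL entries and protocol-'ip' extended entries, reports the
block each address/wildcard pair really matches, flags pairs whose address has
bits set under the wildcard (the 0.0.255.255 typo in ACL 108), and evaluates a
packet against an ACL as IOS does: first match wins, implicit deny at the end.
tcp/udp entries are skipped, so first_match() is only meaningful for traffic
such as ICMP that those entries cannot match.
"""
import ipaddress

ALL_ONES = 0xFFFFFFFF

# Lines copied from the posted config, plus the corrected ACL 108 from the reply.
ACL_100 = [
    "access-list 100 deny ip 192.168.10.0 0.0.0.255 172.0.0.0 0.31.255.255",
    "access-list 100 deny ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255",
    "access-list 100 deny tcp any any range 135 139",
    "access-list 100 deny udp any any range 135 netbios-ss",
    "access-list 100 permit tcp any any",
    "access-list 100 permit udp any any",
    "access-list 100 permit ip 192.168.10.0 0.0.0.255 any",
    "access-list 100 deny ip any any",
]
ACL_108_TYPO = "access-list 108 permit ip 192.168.10.0 0.0.255.255 192.168.11.0 0.0.0.255"
ACL_108_FIXED = "access-list 108 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255"
ACL_7 = "access-list 7 permit 192.168.10.0 0.0.0.255"


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens, i):
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A W' (or bare 'A')."""
    if tokens[i] == "any":
        return (0, ALL_ONES), i + 1
    if tokens[i] == "host":
        return (_ip(tokens[i + 1]), 0), i + 2
    nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
    if nxt.count(".") == 3:                     # explicit wildcard follows
        return (_ip(tokens[i]), _ip(nxt)), i + 2
    return (_ip(tokens[i]), 0), i + 1           # bare address in a standard ACL = host


def parse_acl_line(line):
    """{'acl', 'action', 'src', 'dst'} for standard and 'ip' extended entries, else None."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        return None
    if t[3] == "ip":                            # extended entry: source then destination
        src, i = _take_addr(t, 4)
        dst, i = _take_addr(t, i)
    elif t[3] in ("tcp", "udp", "icmp", "gre", "esp", "ahp"):
        return None                             # port/protocol entries are out of scope here
    else:                                       # standard entry: source only
        src, i = _take_addr(t, 3)
        dst = (0, ALL_ONES)
    return {"acl": int(t[1]), "action": t[2], "src": src, "dst": dst}


def describe(net, wild):
    """(clean, effective) for one address/wildcard pair.

    IOS matching is ((pkt ^ net) & ~wild) == 0, so wildcard bits are ignored and an
    address with bits set under the wildcard still matches, just the wider block
    net & ~wild. 'clean' is False in that case; 'effective' is the CIDR actually
    matched when the wildcard is a contiguous run of low bits, else None.
    """
    clean = (net & wild) == 0
    base = net & ~wild & ALL_ONES
    if (wild + 1) & wild == 0:                  # contiguous low bits, e.g. 0.0.255.255
        prefix = 33 - (wild + 1).bit_length()
        return clean, f"{ipaddress.IPv4Address(base)}/{prefix}"
    return clean, None


def matches(entry, src_ip, dst_ip):
    """Does a packet src_ip -> dst_ip match this entry under wildcard semantics?"""
    s, d = _ip(src_ip), _ip(dst_ip)
    (sn, sw), (dn, dw) = entry["src"], entry["dst"]
    return ((s ^ sn) & ~sw & ALL_ONES) == 0 and ((d ^ dn) & ~dw & ALL_ONES) == 0


def first_match(lines, src_ip, dst_ip):
    """Action of the first matching parsed entry; every IOS ACL ends in an implicit deny."""
    for entry in filter(None, map(parse_acl_line, lines)):
        if matches(entry, src_ip, dst_ip):
            return entry["action"]
    return "deny"


def audit(lines):
    """One finding per parsed entry: what its source and destination really cover."""
    out = []
    for line in lines:
        entry = parse_acl_line(line)
        if entry is None:
            continue
        s_clean, s_eff = describe(*entry["src"])
        d_clean, d_eff = describe(*entry["dst"])
        out.append({"line": line, "src": s_eff, "dst": d_eff, "clean": s_clean and d_clean})
    return out


if __name__ == "__main__":
    for f in audit([ACL_7, ACL_108_TYPO, ACL_108_FIXED] + ACL_100):
        flag = "" if f["clean"] else "   <-- address bits set under the wildcard"
        print(f"{f['line']}\n    matches {f['src']} -> {f['dst']}{flag}")
    # Constructed packet: an ICMP echo reply from an inside host to a pool address, against ACL 100
    print("ACL 100, 192.168.10.100 -> 192.168.11.12:",
          first_match(ACL_100, "192.168.10.100", "192.168.11.12"))
```

Run as-is and the typo line is reported as covering 192.168.0.0/16, which also takes in the 192.168.11.x pool itself, while the corrected line covers exactly 192.168.10.0/24. The packet evaluation shows ACL 100 as posted permits an inside host's reply toward a pool address, which is consistent with the asker's report that disabling ACL 100 changed nothing.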