troubleshooting Question

Cisco Router VPN Connects but Unable to Access Internal Servers and resources

lewylupo asked on
Routers, VPN, Internet Protocol Security
I have a Cisco 1811 router and configured it as a VPN server. I am using the Cisco VPN Client version 5.0.01.0530. I am able to successfully connect to the server using local authentication on the router; however, I am not able to ping any internal servers once connected. I get an IP address from the VPN IP pool, but I can only ping the outside interface of the router, 192.168.1.2, and the translated address 192.168.1.3. Below is my config, please help.


Current configuration : 10625 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ironbridge
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!

ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.10
ip dhcp excluded-address 10.10.10.11
ip dhcp excluded-address 10.10.10.12
ip dhcp excluded-address 10.10.10.13
ip dhcp excluded-address 10.10.10.14
ip dhcp excluded-address 10.10.10.15
ip dhcp excluded-address 10.10.10.16
ip dhcp excluded-address 10.10.10.17
ip dhcp excluded-address 10.10.10.18
ip dhcp excluded-address 10.10.10.19
ip dhcp excluded-address 10.10.10.20
ip dhcp excluded-address 10.10.10.129
!
ip dhcp pool sdm-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
ip dhcp pool 1800-ISR
   import all
   network 10.10.10.128 255.255.255.128
   default-router 10.10.10.1
   dns-server 68.87.71.226
!
!
ip domain name nextblueprint.com
ip name-server 68.87.71.226
ip name-server 68.87.73.242
!

username ironbridge privilege 15 secret 5 $1$ff9D$Lo.vVL88uLrbgz3k8Be6m.
username xxxxxxxx password 0 xxxxxxx
!

crypto isakmp policy 3
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxxx
 key xxxxxxx
 dns 10.10.10.10 68.87.73.242
 wins 10.10.10.10
 domain nextblueprint.com
 pool ippool
!
!
crypto ipsec transform-set ironbridgeset esp-aes esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set ironbridgeset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface FastEthernet0
 description $FW_INSIDE$$ETH-LAN$
 ip address 192.168.1.2 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map clientmap
!

interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 key 1 size 40bit 0 XXXXXX transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid XXXXX
    vlan 1
    authentication open
    guest-mode
 !
 speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 no dot11 extension aironet
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
 no ip address
 shutdown
 !
 encryption vlan 1 key 1 size 40bit 0 DFA2D05063 transmit-key
 encryption vlan 1 mode wep mandatory
 !
 ssid ironbridge
    vlan 1
    authentication open
    guest-mode
 !
 speed basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio1.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.128
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
interface BVI1
 ip address 10.10.10.129 255.255.255.128
 ip nat inside
 ip virtual-reassembly
!
ip local pool ippool 10.0.0.1 10.0.0.10
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 FastEthernet0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat pool pool1 192.168.1.3 192.168.1.100 netmask 255.255.255.0
ip nat pool pool2 192.168.1.101 192.168.1.200 netmask 255.255.255.0
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
!
logging trap warnings
logging 10.10.10.10
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 10.10.10.128 0.0.0.127
no cdp run
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip

line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input telnet ssh

!
end
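The first thing to check in a config like the one above is how the `ip nat inside source list` rules interact with the VPN pool: a standard ACL matches on source only, and IOS translates inside-to-outside traffic before the crypto map encrypts it, so replies from 10.10.10.x hosts to 10.0.0.x clients can be NATed instead of tunnelled. The Python check below is an added example, not code from the post or its answers; it parses only the NAT, ACL and pool lines (a constructed excerpt of the config above) and reports every NAT rule that would translate traffic toward the pool, plus the non-contiguous wildcard in ACL 1.

```python
import ipaddress
import re

# Constructed excerpt of the posted config: only the lines this check inspects.
CONFIG = """\
ip local pool ippool 10.0.0.1 10.0.0.10
ip nat inside source list 1 pool pool1 overload
ip nat inside source list 2 pool pool2 overload
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 1 permit 0.0.0.0 255.255.255.0
access-list 2 permit 10.10.10.128 0.0.0.127
"""

def wildcard_to_network(addr, wildcard):
    """Cisco address/wildcard -> IPv4Network; None when the wildcard bits are not contiguous."""
    w = int(ipaddress.IPv4Address(wildcard))
    if (w + 1) & w:          # a usable wildcard is of the form 0...01...1
        return None
    return ipaddress.IPv4Network((addr, 32 - w.bit_length()), strict=False)

def parse_pools(config):
    """'ip local pool NAME START END' -> {NAME: (START, END)}."""
    return {m[1]: (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
            for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M)}

def parse_std_acls(config):
    """Standard numbered ACL permits -> {ACL: [(network-or-None, raw line), ...]}."""
    acls = {}
    for m in re.finditer(r"^access-list (\d+) permit (\d\S+)(?: (\S+))?", config, re.M):
        net = wildcard_to_network(m[2], m[3] or "0.0.0.0")   # no wildcard = single host
        acls.setdefault(m[1], []).append((net, m[0]))
    return acls

def nat_vpn_findings(config):
    """Flag NAT inside-source rules driven by a standard ACL while a VPN pool exists.
    A standard ACL matches on source only, so replies from those inside hosts to
    VPN clients are translated too; IOS NATs inside-to-outside traffic before the
    crypto map encrypts it, so those replies never enter the tunnel."""
    pools, acls, findings = parse_pools(config), parse_std_acls(config), []
    for m in re.finditer(r"^ip nat inside source list (\d+) ", config, re.M):
        for net, line in acls.get(m[1], []):
            if net is None:
                findings.append(f"acl {m[1]}: non-contiguous wildcard, check intent: {line}")
                continue
            for name, (start, end) in pools.items():
                findings.append(f"acl {m[1]}: {net} is translated toward every destination, "
                                f"including VPN pool {name} ({start}-{end}); exempt it from NAT")
    return findings
```

Run `nat_vpn_findings(CONFIG)` against the full running-config text to get the same report for the real file; the usual remedy it points at is a NAT exemption (a deny for inside-to-pool traffic ahead of the permit) rather than the source-only ACLs in use here.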