Solved

Why can't I ping the LAN with the EZ VPN client?

Posted on 2008-10-06
Last Modified: 2012-05-05
Hello, I am a Cisco newbie and learning. I am stuck on why I cannot get this config to allow LAN access with the VPN clients... Can I erase the static route, or do I just have to add a new subnet to ACL 101?

Here is the config:

!----------------------------------------------------------------------------
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.49
ip dhcp excluded-address 192.168.1.101 192.168.1.254
!
ip dhcp pool pool1
   network 192.168.1.0 255.255.255.0
   domain-name xxxxxxx
   default-router 192.168.1.1
   dns-server xxxxxxx
   lease 7
!
!
ip tcp synwait-time 10
ip cef
no ip domain lookup
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-3020417743
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3020417743
 revocation-check none
 rsakeypair TP-self-signed-3020417743
!
!
crypto pki certificate chain TP-self-signed-3020417743
 certificate self-signed 01
  30820240 308201A9 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303230 34313737 3433301E 170D3032 30363232 31373430
  34335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30323034
  31373734 3330819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B1D2 45088E54 C3DDA792 0C3F8BDA 4B1694D0 0D769895 E6B2687A 4EE1F9A7
  B4CBFD97 CD11C76F 5B12AE00 3AE97CCB 54EC6894 B00CC3F6 20FC07FC 494A0E68
  AC939D00 C78F034A 05257660 BE95B79A E3CF2474 730A5928 A6B1A329 6906B80E
  9DB94237 A2371106 59D84B2A C7A17D80 33AD1766 E126C8B2 AEF6837B 419F6E5E
  74270203 010001A3 68306630 0F060355 1D130101 FF040530 030101FF 30130603
  551D1104 0C300A82 0853686F 72746573 73301F06 03551D23 04183016 8014B1C2
  802CF0DA 7E3BCABA 18994A4D BAD56D1F CED4301D 0603551D 0E041604 14B1C280
  2CF0DA7E 3BCABA18 994A4DBA D56D1FCE D4300D06 092A8648 86F70D01 01040500
  03818100 8511CE06 5F8559BE D7906108 E39F5B10 116CC8DB 0DAA691F D2101188
  16923570 4E334B6B D4528D8F 76E0E83E 77FCFA36 3715D739 B7612923 8C18A9DC
  5F3B81AB 0D139593 1D4AFE83 B757C37E 4649D990 11113BF5 A4B6E18E 0E5F69B4
  0E34FEEE 72B9534A F741E484 6D81AEAC 802F428E 33BEBF1B 54ABBD2E 22725CEA C2073FC6
  quit
username xxxxxxx privilege 15 password 7 xxxxxxx
username xxxxxxx privilege 15 secret 5 $1xxxxxxx
username xxxxxxx privilege 15 secret 5 $1$Om30xxxxxxx
username xxxxxxx privilege 15 secret 5 $1xxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_Group
 key xxxxxxx
 pool SDM_POOL_1
 acl 101
 max-users 5
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_OUTSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip access-group 103 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
!
interface Ethernet1
 description $ETH-WAN$$FW_INSIDE$
 ip address dhcp client-id Ethernet1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 crypto map SDM_CMAP_1
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
!
interface FastEthernet1
 duplex auto
 speed auto
!
interface FastEthernet2
 duplex auto
 speed auto
!
interface FastEthernet3
 duplex auto
 speed auto
!
interface FastEthernet4
 duplex auto
 speed auto
!
ip local pool SDM_POOL_1 192.168.54.1 192.168.54.20
ip route 192.168.1.0 255.255.255.0 Ethernet1
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
logging trap debugging
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.54.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.1
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.2
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.3
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.4
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.5
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.6
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.7
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.8
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.9
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.10
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.11
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.12
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.13
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.14
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.15
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.16
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.17
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.18
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.19
access-list 102 deny   ip 192.168.54.0 0.0.0.255 host 192.168.54.20
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit tcp any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CWelcome to xxxxxxx^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 access-class 100 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler interval 500
end
Question by:jkhtkd
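The question of whether the LAN subnet has to be added to ACL 101 can be checked mechanically: the list named by `acl 101` under `crypto isakmp client configuration group` is the split-tunnel list pushed to the client, so only destinations it covers are sent through the tunnel, and in the posted config it lists 192.168.54.0/24 and 192.168.0.0/24 but not the 192.168.1.0/24 LAN on Ethernet0. The Python below is an added example, not code from the thread; it reads the relevant lines of the posted config, converts Cisco wildcard masks to prefixes and reports which connected subnets the split-tunnel ACL leaves out.

```python
import ipaddress
import re

# Excerpt copied from the config posted above (only the lines this check reads).
CONFIG = """\
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
interface Ethernet1
 ip address dhcp client-id Ethernet1
crypto isakmp client configuration group VPN_Group
 acl 101
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 192.168.54.0 0.0.0.255 any
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
"""

ACL_RE = re.compile(r"^access-list (\d+) permit ip (host \S+|any|\S+ \S+) ")
ADDR_RE = re.compile(r"^ ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)", re.M)

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def acl_source_networks(config, acl_number):
    """Source networks permitted by a numbered extended ACL (the split-tunnel list)."""
    nets = []
    for line in config.splitlines():
        m = ACL_RE.match(line)
        if not m or int(m.group(1)) != acl_number:
            continue
        src = m.group(2)
        if src == "any":
            nets.append(ipaddress.IPv4Network("0.0.0.0/0"))
        elif src.startswith("host "):
            nets.append(ipaddress.IPv4Network(src.split()[1] + "/32"))
        else:
            nets.append(wildcard_to_network(*src.split()))
    return nets

def connected_lan_networks(config):
    """Subnets statically addressed on interfaces; DHCP-addressed ones are skipped."""
    return [ipaddress.IPv4Network(f"{a}/{m}", strict=False) for a, m in ADDR_RE.findall(config)]

def split_tunnel_gaps(config, acl_number):
    """Connected subnets that no entry of the split-tunnel ACL covers."""
    permitted = acl_source_networks(config, acl_number)
    return [lan for lan in connected_lan_networks(config)
            if not any(lan.subnet_of(p) for p in permitted)]
```

Run against the posted config it reports 192.168.1.0/24 as uncovered; appending a `permit ip 192.168.1.0 0.0.0.255 any` entry to ACL 101 clears the gap.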
8 Comments
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22654196
Easy VPN is a site-to-site technology... and a unidirectional one too...
You cannot ping back into the remote side of an Easy VPN tunnel. You need to set up a true Site-to-Site VPN tunnel to do this.
Sorry! Cannot be done with site-to-site.
Cheers! Let me know if you have any questions!
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22654206
Sorry! What I meant was: "Cannot be done with EZ VPN".
Cheers!

Author Comment

by:jkhtkd
ID: 22655360
Sorry, I am using the EZ VPN server with the client software to VPN into a LAN. I cannot ping the LAN side... I want to use RDP with a server on the LAN.
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22660944
So wait a sec... are you using the Cisco VPN client to VPN into the main office, or are you trying to go out of the office and contact a remote LAN?
Are you using EZ VPN at all? EZ VPN is only for site-to-site.
I need to know to get you the right answer.
Cheers!

Author Comment

by:jkhtkd
ID: 22663718
I am using the Cisco VPN client to VPN into the main office... Used for a laptop and a remote worker. He would like to use RDP over VPN to his workstation.

Author Comment

by:jkhtkd
ID: 22663772
Here is a screenshot of the VPN client stats...
Picture1.gif
Picture2.gif
LVL 12

Expert Comment

by:Pugglewuggle
ID: 22663804
Ohhh... so what you want to do is be able to ping the LOCAL LAN even when connected to the VPN client?

Accepted Solution

by:jkhtkd (earned 0 total points)
ID: 22667944
Got it. I ended up wiping the NVRAM and starting over using the EZ VPN wizard in the SDM. That worked like a charm... Thanks for all your help.