asked on Cisco VPN cannot ping anything!
Hi!
Im having a little trouble with a cisco setup i made. I have a cisco 851 running as a VPN gateway for a computer with a Cisco VPN client.
Everyting is setup, and i get the connection with the VPN client and the correct IP, but i cant ping anything from the computer when connected to the VPN.
Can YOU find the error?
Im having a little trouble with a cisco setup i made. I have a cisco 851 running as a VPN gateway for a computer with a Cisco VPN client.
Everyting is setup, and i get the connection with the VPN client and the correct IP, but i cant ping anything from the computer when connected to the VPN.
Can YOU find the error?
Building configuration...
Current configuration : 6486 bytes
!
! No configuration change since last restart
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname gw1.xxxxx
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3074672605
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3074672605
revocation-check none
rsakeypair TP-self-signed-3074672605
!
!
crypto pki certificate chain TP-self-signed-3074672605
certificate self-signed 01
30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303734 36373236 3035301E 170D3032 30333031 30313139
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30373436
37323630 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C3D6 9FA87942 846FFEEC DBFC03D5 3860E7C2 868EF55B A34B2C8B 1C20BDC0
88462B61 29B79A33 F1B79BCC 1628E749 9A8952A9 719011CC 9C617EE0 E8CB1229
458EEE84 8750502D 6DB70D96 25297E99 82314A97 B034D771 BA0E8E8E 18E21156
FF1A6997 1F385184 60302AEC DD63F0CA FB0A2298 A9C6CCBC 97C7A67E EC81AF15
D4FB0203 010001A3 8180307E 300F0603 551D1301 01FF0405 30030101 FF302B06
03551D11 04243022 82206777 312E6167 726F636F 636F7261 2E726F2E 796F7572
646F6D61 696E2E63 6F6D301F 0603551D 23041830 1680143A 2B0575BF 5E9E63C3
04A7B45E 457358BC 89BC8C30 1D060355 1D0E0416 04143A2B 0575BF5E 9E63C304
A7B45E45 7358BC89 BC8C300D 06092A86 4886F70D 01010405 00038181 004EC194
9C3E72C7 E1455D1E 28AE7E65 1E0818BC DBEFBBF7 A8CBFCBA 7467AB27 F46A3897
6B6E44D6 235BE99A E29F85A6 FADBA460 9E923C6C 00B0C9D8 BC1C0985 95CE79AE
A5C35C7B 1DF21965 BC211502 85DCD48A A634B888 24D76E0D AB2DC89A 8E8E4D10
D1A1955D 9942E017 AF51FC74 BEA81A4B 05A43133 4F894458 5A31F784 DE
quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.82.1
ip dhcp excluded-address 192.168.82.2
ip dhcp excluded-address 192.168.82.3
ip dhcp excluded-address 192.168.82.4
ip dhcp excluded-address 192.168.82.5
ip dhcp excluded-address 192.168.82.254
ip dhcp excluded-address 192.168.82.101
!
ip dhcp pool sdm-pool
import all
network 192.168.82.0 255.255.255.0
default-router 192.168.82.254
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name xxxx.local
!
!
!
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxx
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxx
username xxx privilege 15 secret 5 xxxxxxxxxxxxxxxxx
username xxx password 7 xxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group xxxxx
key xxxxx
dns 192.168.6.8
pool vpn1
acl 151
include-local-lan
max-users 5
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map Dynmap_1 1
reverse-route
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map Cmap_1 65535 ipsec-isakmp dynamic Dynmap_1
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel108
description Connected to Hostcenter
ip address 192.168.100.38 255.255.255.252
keepalive 10 3
tunnel source Dialer1
tunnel destination xxxxxxx
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Wan
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
pppoe-client dial-pool-number 1
!
interface Vlan1
description LAN
ip address 192.168.83.254 255.255.255.0 secondary
ip address 192.168.82.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname agromeccocor_IL
ppp chap password 7 04095F515F7119
ppp pap sent-username agromeccocor_IL password 7 06545B761C1E5C
ppp ipcp dns request
ppp ipcp address accept
crypto map clientmap
!
ip local pool vpn 192.168.82.195 192.168.82.200
ip local pool vpn1 192.168.83.0 192.168.83.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.0.0 Tunnel108 name Hostcenter
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.82.101 80 interface Dialer1 80
ip nat inside source static udp 192.168.82.101 80 interface Dialer1 80
ip nat inside source static udp 192.168.82.101 5560 interface Dialer1 5560
ip nat inside source static tcp 192.168.82.101 5560 interface Dialer1 5560
ip nat inside source static tcp 192.168.82.101 5561 interface Dialer1 5561
ip nat inside source static tcp 192.168.82.3 3454 interface Dialer1 3454
ip nat inside source static tcp 192.168.82.3 554 interface Dialer1 554
ip nat inside source static udp 192.168.82.101 554 interface Dialer1 554
!
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit any
access-list 102 remark NAT
access-list 102 permit ip 192.168.82.0 0.0.0.255 any
access-list 102 deny ip 192.168.82.0 0.0.0.255 192.168.83.0 0.0.0.255
access-list 151 permit ip 192.168.82.0 0.0.0.255 any
access-list 151 remark VPN
snmp-server community xxx RO
snmp-server community xxx RO 1
snmp-server ifindex persist
snmp-server location xxxx, xx
snmp-server contact xxxxxxxxxxx
no cdp run
!
control-plane
!
!
line con 0
password 7 110E4C53154352
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 193.162.159.194
sntp server 193.162.159.197
sntp server 193.162.145.130
end
VPNRoutersInternet Protocol Security
Last Comment
johnnybrian
ASKER
Of course...corrected this...still doesnt work however! :(
Are you using the 192.168.83.0/24 subnet for anything other than the VPN pool? If not, remove it from the VLAN1 interface.
conf t
no ip address 192.168.83.254 255.255.255.0 secondary
Also, add a specific route to the outside for the 192.168.83.0/24 subnet if again it is only used for VPN.
conf t
ip route 192.168.83.0 255.255.255.0 Dialer1
conf t
no ip address 192.168.83.254 255.255.255.0 secondary
Also, add a specific route to the outside for the 192.168.83.0/24 subnet if again it is only used for VPN.
conf t
ip route 192.168.83.0 255.255.255.0 Dialer1
ASKER
Still not working, cannot ping anything in the 82.XX network! :(
Deleted the 83. secondary address.
Deleted the 83. secondary address.
Can you post your current running-config? What IP address are you trying to ping on the 192.168.82.0 subnet?
ASKER
Im trying to ping the gateway 82.254 but i cant ping anything in this network really....... ill post my running in a couple minutes....
ASKER
Building configuration...
Current configuration : 6524 bytes
!
! Last configuration change at 09:58:20 UTC Wed Mar 18 2009 by hax
! NVRAM config last updated at 09:58:21 UTC Wed Mar 18 2009 by hax
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname xxxxxxxx.
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authorization exec default local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3074672605
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3074672605
revocation-check none
rsakeypair TP-self-signed-3074672605
!
!
crypto pki certificate chain TP-self-signed-3074672605
certificate self-signed 01
30820259 308201C2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303734 36373236 3035301E 170D3032 30333031 30313139
31385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30373436
37323630 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C3D6 9FA87942 846FFEEC DBFC03D5 3860E7C2 868EF55B A34B2C8B 1C20BDC0
88462B61 29B79A33 F1B79BCC 1628E749 9A8952A9 719011CC 9C617EE0 E8CB1229
458EEE84 8750502D 6DB70D96 25297E99 82314A97 B034D771 BA0E8E8E 18E21156
FF1A6997 1F385184 60302AEC DD63F0CA FB0A2298 A9C6CCBC 97C7A67E EC81AF15
D4FB0203 010001A3 8180307E 300F0603 551D1301 01FF0405 30030101 FF302B06
03551D11 04243022 82206777 312E6167 726F636F 636F7261 2E726F2E 796F7572
646F6D61 696E2E63 6F6D301F 0603551D 23041830 1680143A 2B0575BF 5E9E63C3
04A7B45E 457358BC 89BC8C30 1D060355 1D0E0416 04143A2B 0575BF5E 9E63C304
A7B45E45 7358BC89 BC8C300D 06092A86 4886F70D 01010405 00038181 004EC194
9C3E72C7 E1455D1E 28AE7E65 1E0818BC DBEFBBF7 A8CBFCBA 7467AB27 F46A3897
6B6E44D6 235BE99A E29F85A6 FADBA460 9E923C6C 00B0C9D8 BC1C0985 95CE79AE
A5C35C7B 1DF21965 BC211502 85DCD48A A634B888 24D76E0D AB2DC89A 8E8E4D10
D1A1955D 9942E017 AF51FC74 BEA81A4B 05A43133 4F894458 5A31F784 DE
quit
dot11 syslog
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.82.1
ip dhcp excluded-address 192.168.82.2
ip dhcp excluded-address 192.168.82.3
ip dhcp excluded-address 192.168.82.4
ip dhcp excluded-address 192.168.82.5
ip dhcp excluded-address 192.168.82.254
ip dhcp excluded-address 192.168.82.101
!
ip dhcp pool sdm-pool
import all
network 192.168.82.0 255.255.255.0
default-router 192.168.82.254
lease 0 2
!
!
ip cef
no ip domain lookup
ip domain name xxxxxxxx
!
!
!
username xxxxxxxx
username xxxxxxxx
username xxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp fragmentation
!
crypto isakmp client configuration group xxxx
key xxxx
dns 192.168.6.8
pool vpn1
acl 151
include-local-lan
max-users 5
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map Dynmap_1 1
reverse-route
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map Cmap_1 65535 ipsec-isakmp dynamic Dynmap_1
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface Tunnel108
description Connected to xxxxxxxx
ip address 192.168.100.38 255.255.255.252
keepalive 10 3
tunnel source Dialer1
tunnel destination xxxxxxxx
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Wan
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
speed 100
full-duplex
pppoe-client dial-pool-number 1
!
interface Vlan1
description LAN
ip address 192.168.82.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Dialer1
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp chap hostname agromeccocor_IL
ppp chap password 7 04095F515F7119
ppp pap sent-username xxxxxxxx
ppp ipcp dns request
ppp ipcp address accept
crypto map clientmap
!
ip local pool vpn 192.168.82.195 192.168.82.200
ip local pool vpn1 192.168.83.0 192.168.83.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 192.168.0.0 255.255.0.0 Tunnel108 name xxxxxxxx
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.82.101 80 interface Dialer1 80
ip nat inside source static udp 192.168.82.101 80 interface Dialer1 80
ip nat inside source static udp 192.168.82.101 5560 interface Dialer1 5560
ip nat inside source static tcp 192.168.82.101 5560 interface Dialer1 5560
ip nat inside source static tcp 192.168.82.101 5561 interface Dialer1 5561
ip nat inside source static tcp 192.168.82.3 3454 interface Dialer1 3454
ip nat inside source static tcp 192.168.82.3 554 interface Dialer1 554
ip nat inside source static udp 192.168.82.101 554 interface Dialer1 554
!
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit any
access-list 102 remark NAT
access-list 102 deny ip 192.168.82.0 0.0.0.255 192.168.83.0 0.0.0.255
access-list 102 permit ip 192.168.82.0 0.0.0.255 any
access-list 151 permit ip 192.168.82.0 0.0.0.255 any
access-list 151 remark VPN
snmp-server community pub xxxxxxxx
snmp-server community xxxxxxxx
snmp-server ifindex persist
snmp-server location xxxxxxxx
snmp-server contact xxxxxxxx
no cdp run
!
control-plane
!
!
line con 0
password 7 110E4C53154352
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
sntp server 193.162.159.194
sntp server 193.162.159.197
sntp server 193.162.145.130
end
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Works now. I thank you for your help. Most appreciated.
conf t
ip access-list ext 102
no permit ip 192.168.82.0 0.0.0.255 any
permit ip 192.168.82.0 0.0.0.255 any
The ordering is incorrect in the access-list. The "permit ip 192.168.82.0 0.0.0.255 any" needs to be below the deny to the VPN pool.