
Cisco 1841 - VPN Connects, but cannot access or ping internal hosts

router#show run
*Apr 24 00:07:06.757: %SYS-5-CONFIG_I: Configured from console by console
Building configuration...

Current configuration : 2237 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$RJCz$UBvg0lR6yyhDIepwzkuEg/
enable password boot
!
aaa new-model
!
!
aaa authentication login vpn-authentication local
aaa authorization network vpn-authorization local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
!
!
!
!
!
username akhlaq password 0 akhlaq
username abd password 0 abd
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group iims
 key iims
 dns 195.229.241.222
 pool vpn-pool
 acl vpn-split-tunnel
 netmask 255.255.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set ESP-3DES-SHA
!
!
crypto map vpn client authentication list vpn-authentication
crypto map vpn isakmp authorization list vpn-authorization
crypto map vpn client configuration address respond
crypto map vpn 65535 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.10.10.1 255.0.0.0
 speed auto
 full-duplex
 no cdp enable
 no mop enabled
!
interface FastEthernet0/1
 ip address 172.172.101.1 255.255.0.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface Serial0/0/0
 ip address 83.111.32.154 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no cdp enable
 crypto map vpn
!
ip local pool vpn-pool 172.172.100.10 172.172.100.250
ip route 0.0.0.0 0.0.0.0 83.111.32.153
!
!
no ip http server
no ip http secure-server
ip nat inside source list 102 interface Serial0/0/0 overload
!
ip access-list extended vpn-split-tunnel
 permit ip 172.172.255.0 0.0.0.255 172.172.0.0 0.0.255.255
!
access-list 1 permit 172.172.0.0 0.0.255.255
access-list 101 permit udp any any eq domain
access-list 101 permit udp any eq domain any
access-list 102 deny   ip 172.172.0.0 0.0.255.255 10.255.255.0 0.0.0.255
access-list 102 permit ip 172.172.0.0 0.0.255.255 any
snmp-server community cs RO
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line vty 0 4
 password boot
!
scheduler allocate 20000 1000
no process cpu extended
no process cpu autoprofile hog
end

router#
Asked by akhlaq2006

1 Solution
 
JFrederick29 Commented:
That's because you changed the pool IP addresses.

It is best to use a pool of IP's outside the LAN subnet.  Use the original pool I had you use yesterday.

conf t
no
ip local pool vpn-pool 172.172.100.10 172.172.100.250
ip local pool vpn-pool 10.255.255.10 10.255.255.250

ip access-list extended vpn-split-tunnel
permit ip 172.172.0.0 0.0.255.255 10.255.255.0 0.0.0.255
no permit ip 172.172.255.0 0.0.0.255 172.172.0.0 0.0.255.255
 
JFrederick29 Commented:
Sorry, typo:

conf t
no ip local pool vpn-pool 172.172.100.10 172.172.100.250
ip local pool vpn-pool 10.255.255.10 10.255.255.250

ip access-list extended vpn-split-tunnel
permit ip 172.172.0.0 0.0.255.255 10.255.255.0 0.0.0.255
no permit ip 172.172.255.0 0.0.0.255 172.172.0.0 0.0.255.255
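An added check, written for this page and not taken from the thread or from Cisco, that audits the settings the accepted fix changes, using IOS lines constructed from this thread as sample input: the pool prefix must not overlap the LAN, the split-tunnel ACL must carry a permit from the LAN to the pool, and (going beyond what the answer states) NAT ACL 102 must carry a deny from the LAN to the pool so LAN-to-client traffic is not translated before it reaches the crypto map. It assumes the LAN on f0/1 is 172.172.0.0/16 and that ACL 102 is the NAT ACL and vpn-split-tunnel the split-tunnel ACL, as in the posted config.

```python
import ipaddress
import re

def wildcard_to_network(addr, wildcard):  # IOS "address wildcard" pair -> IPv4Network
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)

def pool_prefix(first, last):  # smallest prefix covering "ip local pool NAME first last"
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    bits = (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo >> bits << bits, 32 - bits))

# "permit|deny ip SRC WC DST WC" as a numbered ACL line (group 1) or an indented named-ACL entry
ACE = re.compile(r"^(?:access-list (\S+) |\s+)(permit|deny)\s+ip (\S+) (\S+) (\S+) (\S+)")
def parse_acls(config):
    """Return {acl_name: [(action, src_net, dst_net), ...]} for both ACL styles."""
    acls, current = {}, None
    for line in config.splitlines():
        named = re.match(r"ip access-list extended (\S+)", line)
        if named:
            current = named.group(1)
            continue
        m = ACE.match(line)
        if m:
            num, action, s, sw, d, dw = m.groups()
            acls.setdefault(num or current, []).append(
                (action, wildcard_to_network(s, sw), wildcard_to_network(d, dw)))
    return acls

def audit(config, lan="172.172.0.0/16", split_acl="vpn-split-tunnel", nat_acl="102"):
    """The three conditions behind the accepted fix, as booleans (want False, True, True)."""
    lan = ipaddress.IPv4Network(lan)
    pool = pool_prefix(*re.search(r"ip local pool \S+ (\S+) (\S+)", config).groups())
    acls = parse_acls(config)
    def covers(acl, action):  # does the ACL hold an entry of that action matching LAN -> pool?
        return any(a == action and lan.subnet_of(s) and pool.subnet_of(d)
                   for a, s, d in acls.get(acl, []))
    return {"pool_overlaps_lan": pool.overlaps(lan),
            "split_tunnel_covers_lan_to_pool": covers(split_acl, "permit"),
            "nat_exempts_lan_to_pool": covers(nat_acl, "deny")}

# Constructed from the thread: the posted config (BEFORE) and the accepted fix (AFTER).
BEFORE = """
ip local pool vpn-pool 172.172.100.10 172.172.100.250
ip access-list extended vpn-split-tunnel
 permit ip 172.172.255.0 0.0.0.255 172.172.0.0 0.0.255.255
access-list 102 deny   ip 172.172.0.0 0.0.255.255 10.255.255.0 0.0.0.255
"""
AFTER = BEFORE.replace("172.172.100.10 172.172.100.250", "10.255.255.10 10.255.255.250").replace(
    "172.172.255.0 0.0.0.255 172.172.0.0 0.0.255.255", "172.172.0.0 0.0.255.255 10.255.255.0 0.0.0.255")
```

Calling audit(BEFORE) shows the posted config failing all three checks, while audit(AFTER) passes them.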
 
akhlaq2006 (Author) Commented:
Attached is my Cisco client status.

When I'm trying to ping, a "destination host unreachable" message is coming.

One thing more: I am testing my VPN using LogMeIn from outside the LAN, from a system that has Windows 2003 and ISA, with GFI Web Monitor on the remote system; maybe that is also one issue.
cisco.JPG
 
JFrederick29 Commented:
Testing the VPN client on an ISA server is probably going to be an issue in itself.  As long as you made the changes that I posted earlier, the config is good and most likely the issue is with the server.  Try testing from your home Internet or a public wifi hotspot.
 
JFrederick29 Commented:
Can you post the image of the Route Details tab in the Cisco client, just to double-check that?
 
akhlaq2006 (Author) Commented:
statistic
statistic.JPG
 
JFrederick29 Commented:
Yeah, that looks good.  The router config is fine.  Most likely ISA is getting its hands on the connections and breaking it.
 
akhlaq2006 (Author) Commented:
From the internal network, how can I test?
 
JFrederick29 Commented:
You can't unfortunately.

You'll need to try from your home, or can you RDP from the ISA server to a "regular" PC on that network to test it?
 
akhlaq2006 (Author) Commented:
I tried RDP also, but it is not coming.
One more question:

My internal range is 172.172.101.0 - 254.

But in the VPN client route detail, under secured routes it shows network 172.172.0.0 and subnet mask 255.255.0.0.
Should it be like this, or should it be network 172.172.101.0 and subnet mask 255.255.0.0?
 
JFrederick29 Commented:
Nope, that is okay.  It should be 172.172.0.0 255.255.0.0.
 
akhlaq2006 (Author) Commented:
OK, now I am outside of the LAN,
but the problem is that I can ping only one PC; for the others it is not coming.
 
JFrederick29 Commented:
Do they happen to have Windows Firewall enabled?
 
akhlaq2006 (Author) Commented:
No, I got the problem.

Systems whose default gateway is 172.172.101.1 (the Cisco router) I can ping, but not the others.
Should it be like this?
 
JFrederick29 Commented:
Yeah, all the PCs need a default gateway of 172.172.101.1.
 
akhlaq2006 (Author) Commented:
Now for the access list:

deny remote access to the remote network
permit HTTP to remote, and so on

For that, what should I do?
 
akhlaq2006 (Author) Commented:
If the site offices have the same LAN range 172.172.101.0-254, can they get remote access to the head office, which is already 172.172.101.0-255?
 
JFrederick29 Commented:
No, the remote sites should use different address space than the head office.

As far as an access-list, do you want to protect the LAN from the Internet or from the remote sites?
 
akhlaq2006 (Author) Commented:
From the Internet, but also from the remote user, by giving him access only to some particular protocols.
 
JFrederick29 Commented:
For remote access, you can use an outbound access-list on the f0/1 interface to restrict what remote access clients can access.  What do you want to restrict them to?
 
akhlaq2006 (Author) Commented:
Allow:
only HTTP, ICMP

Deny:
RDP, browsing to directories
 
JFrederick29 Commented:
So you only want to allow HTTP and ICMP from the remote clients to systems on the 172.172.0.0 subnet, right?
 
akhlaq2006 (Author) Commented:
Yes, exactly.
 
JFrederick29 Commented:
Can you open a new question for this request?  Thanks!
 
akhlaq2006 (Author) Commented:
Everything is OK now,

but one problem is still there:

I am unable to ping the ISA server.
