Unable to ping ip address from connected vpn client

Hi All,
I'm having an issue whereby I can connect to the VPN that I've created on this Cisco 837 router, but I can't ping a PC inside the network or ping the router on the IP from the client side. I'm pasting my config below. It would be great if someone can point me in the right direction.
I'm sure it's something simple, I'm just not thinking of it.

Router IP: 172.160.0.253
Firewall: 172.160.0.254
PC: 172.160.0.1 (I am trying to ping this PC from the connected client side)
Firewall is currently allowing all traffic through to the router, so is not blocking ICMP
Router01#show run
Building configuration...

Current configuration : 2120 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router01
!
boot-start-marker
boot-end-marker
!
memory-size iomem 5
enable secret 5 $1$QCCC$pOpRL.UjTxxhDmsvYT.zG/
enable password xxxxx
!
username xxxxx password 0 xxxxx
username CRWS_xxxxx privilege 15 password 0 $1$W1fA$o1oSEpa1983951347
username CRWS_xxxxx privilege 15 password 0 $1$W1fA$o1oSEpa2103948567
username CRWS_xxxxx privilege 15 password 0 $1$W1fA$o1oSEpa1446099413
username CRWS_xxxxx privilege 15 password 0 $1$W1fA$o1oSEpa1688257825
aaa new-model
!
!
aaa authentication ppp default local
aaa session-id common
ip subnet-zero
no ip routing
!
!
ip audit notify log
ip audit po max-events 100
ip ssh break-string
vpdn enable
!
vpdn-group VOICE-VPN
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
no ftp-server write-enable
!
!
!
no crypto isakmp enable
!
!
!
!
interface Ethernet0
 ip address 172.160.0.253 255.255.255.0
 no ip route-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip route-cache
 shutdown
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface Virtual-Template1
 ip unnumbered Ethernet0
 ip mroute-cache
 peer default ip address pool defaultpool
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
!
ip local pool defaultpool 172.160.0.100 172.160.0.200
ip default-gateway 172.160.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 172.160.0.254 permanent
ip http server
no ip http secure-server
!
!
access-list 101 permit ip any any
access-list 101 permit icmp any any
!
control-plane
!
!
line con 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 password xxxxx
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end

Thanks for any help in advance
H
NicodemiusAsked:

pmk_mck Commented:
To debug:
1) Check that Windows firewalls are off, or permit ping.

2) Using 'ipconfig /all', ensure that the interface [tun or tap] has an IP assigned in the 172.160.0.100-200 range.

Note: 172.16.0.0 - 172.31.255.255 is in the RFC1918 private address range, 172.160.x.y is not.
This traffic by default IS routable over the public internet. Shouldn't break your config, but one to watch out for.

You've said that the vpn client can connect, but we're assuming that it's connected to the public internet and reaching the 837 by its WAN interface. Can you confirm that the vpn client can surf and that clients behind the 837 can too please?

Thanks.

pmk

Nicodemius (Author) Commented:
Hi

Thanks for your reply.

From the client machine I do get an IP address:
ipconfig /all shows:
ip address: 172.160.0.100
subnet mask: 255.255.255.255
Client is not using default gateway on remote network.
Client is unable to ping the router that it is connected to.
Client is unable to ping the PC.
Client is able to surf the internet as it is using its own gateway.
Client firewall is disabled.

From the router view:
Able to ping the PC that is on 172.160.0.2
Able to ping the firewall that is the default gateway for the router on 172.160.0.254
I'm unable to ping the VPN-connected client that is on 172.160.0.100
I can ping any site through this router successfully.

I've added a diagram below so you can have an idea of how the setup looks


Drawing1.jpg
pmk_mck Commented:
Thanks for the diagram, it helped.

Would you review the diagram I've responded with and let me know if it shows your config, please?
It shows the physical connections, we'll get onto the vpn connections presently.

Will you tell me the DHCP range and LAN interface address of Router A?

Will you tell me the WAN interface address of the Juniper, in the same way you've shown the other WAN IPs?

Are you using the PPTP client which is built-in to Windows (on the laptop in the diagram)?

Are you port forwarding TCP 1723 on the Juniper to the Eth0 address on the Cisco 837 (172.160.0.253)?

Thanks.

pmk
Q25857660-1.jpg

Nicodemius (Author) Commented:
Hi

Thanks for responding.

Yes, the diagram you've done is what the config of my network looks like, but the 87.83.x.x address is the WAN address I've been given to use; it's one of the many MIPs assigned on the Juniper.

All traffic on the MIP is currently being allowed and not blocking any IP or ICMP messages.

Router A
is just a standard home network.
192.168.0.1 - 168.168.0.254
with the gateway of 192.168.0.1

Side note: I've also created VPN connections from my own home network using my Windows and Mac machines to the router and they get an IP successfully, as in 172.160.0.101 and 172.160.0.102, but again I can't ping the router or any other IP address in this range from my Mac or Windows machine.

I'm just using the Windows client and, on the Mac, the VPN client for Mac. I'm not using the Cisco VPN software at all. I wanted to do things as simply as possible.

Port 1723 is being forwarded successfully to Ethernet0, as I can create a VPN connection that can authenticate and get an IP address from the range specified.

I've tested it by changing ip local pool defaultpool to various ranges and then on the client side disconnecting and reconnecting the client and getting an IP in the range I've set in this command.
This tells me I am connecting to the router and not some other device.

Thanks ever so much for your questions and ideas so far.

pmk_mck Commented:
I can't help wondering if it's the address range of your remote subnet which is causing issue.
172.160.x.y is not an RFC 1918 address, and hence IS routable over the internet, unlike:
10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255 and 192.168.0.0 – 192.168.255.255.

So with split tunneling, this would exit your network over the non-vpn-tunnel outbound route potentially.

Is changing the remote subnet...or adding a 172.16.x.y possible?

If from my machine I do a tracert on the addresses you indicate as being present on the remote LAN, they resolve to AOL WAN addresses.

C:\>tracert 172.160.0.101
Tracing route to ACA00065.ipt.aol.com [172.160.0.101]
over a maximum of 30 hops:

  1   153 ms   153 ms   154 ms  ^C
C:\>tracert 172.160.0.102

Tracing route to ACA00066.ipt.aol.com [172.160.0.102]
over a maximum of 30 hops:

  1   153 ms   153 ms   153 ms  10.8.0.1

I can't ping either of them...


pmk
Nicodemius (Author) Commented:
Hi

Sorry for not replying, I was away on a long weekend.

I've also got the 172.160.x.x going to an AOL server; that includes 172.160.253

I've managed to get the system architect to change the range he has given me from 172.160.x.x
to 172.30.x.x

I was able to connect to the VPN, getting an IP address on the client of 172.30.0.100 and on my Mac of 172.30.0.101.

So the VPN is working.

But again I'm still unable to ping 172.30.0.253 (router) or 172.30.0.99 (a PC on the internal network)

Any suggestions?
Nicodemius (Author) Commented:
Just to add

from the router:

show users

Interface            User            Mode                     Idle             peer address
Vi4                     testuser       PPPoVPDN          00:02:23      172.30.0.100

traceroute 172.30.0.100

1.  *  *  *
2.  *  *  *
3.  *  *  *
etc

Nicodemius (Author) Commented:
Sweet, looks like I managed to solve the issue.

I've changed no ip routing

to ip routing

Router01>show ip route

has given me gateway of last resort is 172.30.0.254 to network 0.0.0.0

                            172.30.0.0//16 is variably subnetted, 2 subnets, 2 masks
C                          172.30.0.0/24 is directly connected, Ethernet0
C                          172.30.0100/32 is directly connected, Virtual-Access4
S*                         0.0.0.0.0 [1/0] via 172.30.0.254



Nicodemius (Author) Commented:
I'm able to ping the router.
Ping the test computers I've set up to capture data.
It all works.
Qlemo "Batchelor", Developer and EE Topic Advisor Commented:
This question has been classified as abandoned and is being closed as part of the Cleanup Program.  See my comment at the end of the question for more details.
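
Added example, not part of the thread and not any participant's code: a Python check that scans an IOS configuration for the two conditions this thread turned on, addresses outside the RFC 1918 ranges and "no ip routing". The sample config is constructed from the addressing lines in the question; the function names and issue labels are assumptions.

```python
import ipaddress
import re

# RFC 1918 private ranges, as listed in the thread.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: addressing lines copied from the config in the question.
SAMPLE_CONFIG = """\
no ip routing
interface Ethernet0
 ip address 172.160.0.253 255.255.255.0
interface Virtual-Template1
 ip unnumbered Ethernet0
 peer default ip address pool defaultpool
ip local pool defaultpool 172.160.0.100 172.160.0.200
ip default-gateway 172.160.0.254
ip route 0.0.0.0 0.0.0.0 172.160.0.254 permanent
"""

# (pattern, label); every capture group is a host address, never a netmask.
ADDRESS_LINES = [
    (re.compile(r"^ip address (\S+) \S+"), "interface address"),
    (re.compile(r"^ip local pool \S+ (\S+) (\S+)"), "VPN client pool"),
    (re.compile(r"^ip default-gateway (\S+)"), "default gateway"),
    (re.compile(r"^ip route \S+ \S+ (\S+)"), "static route next hop"),
]

def is_rfc1918(text):
    """True if text is an IPv4 address inside an RFC 1918 range."""
    addr = ipaddress.IPv4Address(text)
    return any(addr in net for net in RFC1918)

def audit(config):
    """Return (line_number, issue, detail) tuples for an IOS config string."""
    findings = []
    for number, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if line == "no ip routing":  # router will not forward between interfaces
            findings.append((number, "routing-disabled", line))
        for pattern, label in ADDRESS_LINES:
            match = pattern.match(line)
            for value in (match.groups() if match else ()):
                try:
                    if not is_rfc1918(value):
                        findings.append((number, "not-rfc1918", f"{label} {value}"))
                except ipaddress.AddressValueError:
                    pass  # non-address token, e.g. an interface-name next hop
    return findings
```

Run against the sample, audit() reports the disabled routing and every 172.160.x.y address; with the range moved to 172.30.x.x and routing enabled, as in the thread's resolution, it returns nothing.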