Cisco 2911 IPSEC VPN --- No Internal Ping

I am trying to configure an IPSEC vpn on my 2911 router. I am able to connect to the VPN, however I cannot ping any internal resources, including the internal IP of the router, 10.0.1.1
yourname#show run
Building configuration...

Current configuration : 6974 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
!
!
!         
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.155
!
ip dhcp pool LAN
   import all
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1 
   dns-server 4.2.2.1 4.2.2.2 
   lease infinite
!
!
ip domain name manvantage.com
!         
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2546580128
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2546580128
 revocation-check none
 rsakeypair TP-self-signed-2546580128
!
!
crypto pki certificate chain TP-self-signed-2546580128
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 32353436 35383031 3238301E 170D3130 30343232 31383539 
  32325A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 35343635 
  38303132 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100BAD9 68A11ACB 394200A0 E3A6B30D EEA95A8A BBF29AD1 DDFDA320 DF1E0B7C 
  3E7855D0 A0D3035F 03F76DDC 49AB83D5 36F22736 32E3204F 21C3B88B 2ACADC70 
  4A117190 738B5DE7 10CB0B4B ACAA09E6 8E7C95A8 2A5BCBB2 A47C96FA 1AF806F9 
  4635704E 3E467E8E 827BAA3D D9E2D75A 496933FF C2EF580B 4617694A 4EA7D2A8 
  11EB0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E6D61 6E76616E 74616765 2E636F6D 
  301F0603 551D2304 18301680 14E38AEC C84A2C49 A40A868B 70B10D3D 5405F999 
  B0301D06 03551D0E 04160414 E38AECC8 4A2C49A4 0A868B70 B10D3D54 05F999B0 
  300D0609 2A864886 F70D0101 04050003 8181006D 18BD60D7 C63C7828 2EF07A27 
  7266B1B9 D967A1F3 82922348 CFCBD74B 72B09B90 F9D9D0FC AFAFBDC0 B94868B9 
  3D065282 86378C0E F9F62C7E 1504B1E1 84DEBED1 58AFF0F1 68C5A6F2 606B56B6 
  08694833 18499F2D 9CF2CA34 252AAFBB 63E42FD6 21BA8413 957AF471 82B2940D 
  11FA78AF 88FF43FF 6F56BACB F9245E44 52BE6D
  	quit
license udi pid CISCO2911/K9 sn FTX1409ALDE
!
!
username USER privilege 15 secret 5 $1$Xsf6$h0jK8bo80.EWVp.WSWbEZ/
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 1 ip sla 1 reachability
 delay down 15 up 15
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group PAMusers
 key pam123
 dns 4.2.2.1
 wins 10.0.1.1
 domain manvantage.com
 pool ippool
 acl 100
 include-local-lan
 backup-gateway EXT_IP2
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set myset 
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
interface GigabitEthernet0/1
 description PrimaryWAN
 ip address EXT_IP1 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 crypto map clientmap
 !
!
interface GigabitEthernet0/2
 description SecondaryWAN
 ip address EXT_IP2 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 no mop enabled
 !
!
ip local pool ippool 10.0.1.160 10.0.1.191
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map 1 interface GigabitEthernet0/1 overload
ip nat inside source route-map 2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 EXT_GATEWAY1 227 track 1
ip route 0.0.0.0 0.0.0.0 EXT_GATEWAY2 251
ip route 4.2.2.1 255.255.255.255 216.254.106.129
!
ip sla 1
 icmp-echo 4.2.2.1 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
!
!
!
!
route-map 1 permit 1
 match ip address 1
 match interface GigabitEthernet0/1
!
route-map 2 permit 2
 match ip address 2
 match interface GigabitEthernet0/2
!
route-map 3 permit 1
 match ip address 100
 match interface GigabitEthernet0/1
!
!
!
control-plane
 !
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device 
and it provides the default username "cisco" for  one-time use. If you have 
already used the username "cisco" to login to the router and your IOS image 
supports the "one-time" user option, then this username has already expired. 
You will not be able to login to the router with this username after you exit 
this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C        
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device. 
This feature requires the one-time use of the username "cisco" with the 
password "cisco". These default credentials have a privilege level of 15.
 
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN 
CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want 
to use. 

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE 
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
 
For more information about Cisco CP please follow the instructions in the 
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp 
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

yourname#


aseisman asked:

Jody Lemoine (Network Architect) commented:
You're not excluding your VPN IP addresses from your NAT policy.  Try removing the existing access-lists and route maps with the following commands...

no access-list 1
no access-list 2
no route-map 1
no route-map 2

...and replacing them with the following...

access-list 101 deny ip 10.0.1.0 0.0.0.255 10.0.1.160 0.0.0.31
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
route-map 1 permit 1
 match ip address 101
 match interface GigabitEthernet0/1
route-map 2 permit 2
 match ip address 101
 match interface GigabitEthernet0/2

This will make an exception for your VPN pool in the NAT policy.

Also, if you're going to use Gigabit0/2 as your backup VPN address, you'll need to add "crypto map clientmap" to its configuration as well.
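As an added illustration, not part of the original thread or of Cisco's own code, the following Python model shows why the answer above works. It reproduces the wildcard-mask matching IOS applies to the access-lists a NAT route-map references, evaluates the original standard ACL 1 and the proposed extended ACL 101 against two flows, and reports which flows the `ip nat inside source route-map ... overload` statements would translate. Addresses and masks are the ones from the posted config; the sample source and destination hosts are constructed for the example.

```python
# Added example (not from the original post): a minimal model of how IOS
# evaluates wildcard-mask access-lists referenced by a NAT route-map.
# Addresses and masks come from the posted config; the sample flows
# (10.0.1.5 as a LAN host, 10.0.1.170 as a connected VPN client) are
# constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Match = Tuple[str, str]  # (base address, wildcard mask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a wildcard bit of 1 means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF  # bits that must be equal
    return (a & care) == (b & care)


@dataclass
class Ace:
    """One access-list entry. src/dst of None means 'any'; a standard
    ACL has no destination clause, so its dst is always None."""
    action: str
    src: Optional[Match]
    dst: Optional[Match] = None


def acl_permits(acl, src: str, dst: str) -> bool:
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        s_ok = ace.src is None or wildcard_match(src, *ace.src)
        d_ok = ace.dst is None or wildcard_match(dst, *ace.dst)
        if s_ok and d_ok:
            return ace.action == "permit"
    return False


# Original config: standard ACL 1 (and the identical ACL 2) behind
# route-map 1 / route-map 2, i.e. the NAT policy.
ACL_1_ORIGINAL = [Ace("permit", ("10.0.1.0", "0.0.0.255"))]

# Proposed fix: extended ACL 101 with the VPN pool exempted first.
# "ip local pool ippool 10.0.1.160 10.0.1.191" is 10.0.1.160/27,
# which is wildcard 0.0.0.31.
VPN_POOL: Match = ("10.0.1.160", "0.0.0.31")
ACL_101_FIX = [
    Ace("deny", ("10.0.1.0", "0.0.0.255"), VPN_POOL),
    Ace("permit", ("10.0.1.0", "0.0.0.255"), None),
]


def would_be_natted(acl, src: str, dst: str) -> bool:
    """'ip nat inside source route-map X' translates a flow exactly when
    the route-map's ACL permits it (interface match ignored here)."""
    return acl_permits(acl, src, dst)


def nat_decisions(acl) -> dict:
    """Evaluate the two flows that matter for the question."""
    samples = {
        # reply from a LAN host (or 10.0.1.1 itself) to a VPN client
        "lan->vpn_client": ("10.0.1.5", "10.0.1.170"),
        # ordinary LAN-to-Internet traffic, which must still be NATted
        "lan->internet": ("10.0.1.5", "4.2.2.1"),
    }
    return {name: would_be_natted(acl, s, d) for name, (s, d) in samples.items()}


if __name__ == "__main__":
    print("original ACL 1:", nat_decisions(ACL_1_ORIGINAL))
    print("fixed ACL 101: ", nat_decisions(ACL_101_FIX))
```

With the original ACL the reply toward the VPN client is translated, and with ACL 101 it is left alone while Internet-bound traffic is still translated. The reason this matters on IOS is order of operations: for inside-to-outside packets, NAT runs before the crypto map, so a translated reply no longer matches the IPsec proxy identity negotiated for the client and is never encrypted back into the tunnel. Exempting the pool in the NAT ACL, as the answer does, is the standard remedy; the `deny` line must come before the `permit` line because the first match wins.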
Jody Lemoine (Network Architect) commented:
A possible solution was posted on the same day as the original post and there has been no response to this.
aseisman (Author) commented:
Requesting delete to this question was a mistake. This response was helpful but did not fully solve the problem. After doing the above recommendation, I had to open a TAC case with CISCO because the problem was still not solved. In the end, the solution was to remove ip cef (with "no ip cef") and that solved the internal ping problem. Thank you jodylemoine for your time on this case; EE got away from us as we escalated it to CISCO support directly.
