aseisman
asked on
Cisco 2911 IPSEC VPN --- No Internal Ping
I am trying to configure an IPsec VPN on my 2911 router. I am able to connect to the VPN; however, I cannot ping any internal resources, including the internal IP of the router, 10.0.1.1.
yourname#show run
Building configuration...
Current configuration : 6974 bytes
!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
!
!
!
aaa session-id common
!
!
!
!
no ipv6 cef
ip source-route
ip cef
!
!
ip dhcp excluded-address 10.0.1.1 10.0.1.155
!
ip dhcp pool LAN
import all
network 10.0.1.0 255.255.255.0
default-router 10.0.1.1
dns-server 4.2.2.1 4.2.2.2
lease infinite
!
!
ip domain name manvantage.com
!
multilink bundle-name authenticated
!
!
!
crypto pki trustpoint TP-self-signed-2546580128
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2546580128
revocation-check none
rsakeypair TP-self-signed-2546580128
!
!
crypto pki certificate chain TP-self-signed-2546580128
certificate self-signed 01
quit
license udi pid CISCO2911/K9 sn FTX1409ALDE
!
!
username USER privilege 15 secret 5 $1$Xsf6$h0jK8bo80.EWVp.WSWbEZ/
!
redundancy
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
!
track 1 ip sla 1 reachability
delay down 15 up 15
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group PAMusers
key pam123
dns 4.2.2.1
wins 10.0.1.1
domain manvantage.com
pool ippool
acl 100
include-local-lan
backup-gateway EXT_IP2
netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.0.1.1 255.255.255.0
no ip redirects
no ip unreachables
ip flow ingress
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
interface GigabitEthernet0/1
description PrimaryWAN
ip address EXT_IP1 255.255.255.224
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
crypto map clientmap
!
!
interface GigabitEthernet0/2
description SecondaryWAN
ip address EXT_IP2 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
!
ip local pool ippool 10.0.1.160 10.0.1.191
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source route-map 1 interface GigabitEthernet0/1 overload
ip nat inside source route-map 2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 EXT_GATEWAY1 227 track 1
ip route 0.0.0.0 0.0.0.0 EXT_GATEWAY2 251
ip route 4.2.2.1 255.255.255.255 216.254.106.129
!
ip sla 1
icmp-echo 4.2.2.1 source-interface GigabitEthernet0/1
frequency 5
ip sla schedule 1 life forever start-time now
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
!
!
!
!
route-map 1 permit 1
match ip address 1
match interface GigabitEthernet0/1
!
route-map 2 permit 2
match ip address 2
match interface GigabitEthernet0/2
!
route-map 3 permit 1
match ip address 100
match interface GigabitEthernet0/1
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you want to
use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE PUBLICLY-KNOWN
CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
yourname#
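The accepted answer is not reproduced on this page. As an added example (not from the post or from any answer to it), the Python script below runs two checks that a practitioner would commonly start with over an excerpt of the configuration above: whether the VPN client pool is carved out of the LAN subnet, and whether the NAT ACLs contain a deny for LAN-to-pool traffic. It assumes the usual IOS order of operations, where inside-to-outside NAT is applied before IPsec encryption; the check results are observations about this config, not a verified diagnosis for this router.

```python
import ipaddress, re

# Excerpt of the configuration in the post above (the secondary WAN path is identical).
CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.0.1.1 255.255.255.0
ip local pool ippool 10.0.1.160 10.0.1.191
ip nat inside source route-map 1 interface GigabitEthernet0/1 overload
access-list 1 permit 10.0.1.0 0.0.0.255
route-map 1 permit 1
 match ip address 1
"""
# Standard (source only) or extended 'ip' entries, each side 'any' or 'addr wildcard'.
ACL = re.compile(r"access-list (\d+) (permit|deny)(?: ip)? (any|\S+ \S+)(?: (any|\S+ \S+))?$")

def net(tok):
    """'any' (also a standard ACL's missing destination) or 'addr wildcard' -> network."""
    if tok in (None, "any"): return ipaddress.ip_network("0.0.0.0/0")
    addr, wild = tok.split()  # assumes a contiguous wildcard mask
    return ipaddress.ip_network(f"{addr}/{32 - bin(int(ipaddress.IPv4Address(wild))).count('1')}", strict=False)

def parse(text):
    cfg, rmap = {"lan": None, "pools": [], "acls": {}, "nat_maps": [], "nat_acls": []}, None
    for line in text.splitlines():
        t, m = line.split(), ACL.match(line.strip())
        if m:
            cfg["acls"].setdefault(m[1], []).append((m[2], net(m[3]), net(m[4])))
        elif t[:2] == ["ip", "address"]:
            cfg["lan"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}").network
        elif t[:3] == ["ip", "local", "pool"]:
            cfg["pools"].append((ipaddress.IPv4Address(t[4]), ipaddress.IPv4Address(t[5])))
        elif t[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_maps"].append(t[5])
        elif t[:1] == ["route-map"]:
            rmap = t[1]
        elif t[:3] == ["match", "ip", "address"] and rmap in cfg["nat_maps"]:
            cfg["nat_acls"].append(t[3])  # ACLs that actually drive NAT
    return cfg

def findings(cfg):
    """Flag a VPN pool carved out of the LAN subnet, and NAT ACLs with no deny for
    LAN -> pool traffic (IOS translates inside-to-outside before IPsec encrypts)."""
    out = []
    for start, end in cfg["pools"]:
        if start in cfg["lan"] or end in cfg["lan"]:
            out.append(f"pool {start}-{end} overlaps LAN {cfg['lan']}")
        for acl in cfg["nat_acls"]:
            for action, src, dst in cfg["acls"].get(acl, []):
                if cfg["lan"].overlaps(src) and start in dst:  # first matching entry decides
                    out += [f"ACL {acl} translates LAN->pool traffic (no NAT exemption)"] if action == "permit" else []
                    break
    return out
```

Running `findings(parse(CONFIG))` reports both conditions for the excerpt; with an extended NAT ACL that denies 10.0.1.0/24 to the pool range before its permit, only the overlap finding remains.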