Solved

Unable to browse LAN from Cisco VPN Client - 891

Posted on 2010-09-10
13
1,975 Views
Last Modified: 2012-05-10
Hello experts, I looked at several similar posts, and some suggest not to NAT the VPN traffic, but was unsure how to apply it to my scenario given very different variables.

Currently, my remote user can connect over VPN successfully, but is not able to ping anything on the LAN. Config attached.

I would love some assistance in understanding what's wrong here and how to correct the issue so remote VPN users can browse the network.

Thanks in advance.

Luis
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname mre
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ***
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network ciscocp_vpn_group_ml_1 local 
!
!
!
!
!
aaa session-id common
!
!
!
clock timezone Pacific -8
clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1507793008
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1507793008
 revocation-check none
 rsakeypair TP-self-signed-1507793008
!
!
crypto pki certificate chain TP-self-signed-1507793008
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 31353037 37393330 3038301E 170D3130 30393037 31373239 
  30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35303737 
  39333030 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100C150 094B319F 018EF68A F1173F1E 24011944 344D4F7D 6BC59164 73E9112D 
  36B74720 02E0F877 055BCB73 68F2D0EE CF5EC1D5 0776AEFC 8321AA11 59B32304 
  E2C4A11F 91838DB6 560B8798 8C653ECC AE77F524 EAF24827 1422CA93 B2184BA9 
  14AAD152 8F67B3B7 16397E99 7FA18030 D9513E50 858BC1FE 7963B0A6 633EEF0B 
  69230203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 14327128 E8CF28DF 31A27E83 14AB66C0 CFFD23E6 
  95301D06 03551D0E 04160414 327128E8 CF28DF31 A27E8314 AB66C0CF FD23E695 
  300D0609 2A864886 F70D0101 04050003 81810070 106BB7D0 FE00A0F7 3D6593DA 
  915CD68A 929C7DF1 8054E09F CC287640 B323006B AAAA9710 B242A194 415E5936 
  C73AF7EB BEF864D8 F2C7C1B1 8A8C53DD D6DBD86B EAC17508 4E42F07A F97612FB 
  7C761557 4036FE31 2B54940D 54534D8C FCF66911 AE21EA1A D2B41750 B0E0113C 
  DC933F23 801D6CF5 F5B8A560 AC4DC6C9 EEBB5F
  	quit
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.123.186
ip dhcp excluded-address 192.168.123.1 192.168.123.127
ip dhcp excluded-address 192.168.123.192 192.168.123.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.123.0 255.255.255.0
   dns-server 192.168.123.250 
   default-router 192.168.123.1 
   domain-name example.com
   lease 0 2
!
!
ip cef
no ip bootp server
ip domain name example.com
ip name-server 8.8.8.8
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO891-K9 sn FHK***
!
!
username admin privilege 15 secret 5 ***
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group MRE-ADMIN
 key ***
 dns 192.168.123.250
 domain example.com
 pool SDM_POOL_1
 acl 101
 max-users 6
 netmask 255.255.255.0
!
crypto isakmp client configuration group MRE-STAFF
 key ***
 dns 192.168.123.250
 domain example.com
 pool SDM_POOL_2
 acl 102
 max-users 30
 netmask 255.255.255.224
crypto isakmp profile ciscocp-ike-profile-1
   match identity group MRE-ADMIN
   match identity group MRE-STAFF
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 900
 set transform-set ESP-3DES-SHA 
 set isakmp-profile ciscocp-ike-profile-1
!         
!
!
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 1.1.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 !
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 spanning-tree portfast
 !
!
interface FastEthernet1
 spanning-tree portfast
 !        
!
interface FastEthernet2
 spanning-tree portfast
 !
!
interface FastEthernet3
 !
!
interface FastEthernet4
 spanning-tree portfast
 !
!
interface FastEthernet5
 spanning-tree portfast
 !
!
interface FastEthernet6
 spanning-tree portfast
 !
!
interface FastEthernet7
 spanning-tree portfast
 !        
!
interface FastEthernet8
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 duplex auto
 speed auto
 !
!
interface Virtual-Template1 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
 !
!
interface GigabitEthernet0
 description ***Upstream to Internet***$ETH-WAN$$FW_OUTSIDE$
 ip address 111.111.111.111 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex full
 speed 10
 no cdp enable
 !
!
interface Vlan1
 description *** Local Network ***$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$
 ip address 192.168.123.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 load-interval 30
 !
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 encapsulation slip
 !
!
ip local pool SDM_POOL_2 192.168.128.129 192.168.128.158
ip local pool SDM_POOL_1 192.168.129.129 192.168.129.134
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map NONAT interface GigabitEthernet0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 111.111.111.110
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.123.0 0.0.0.255
access-list 3 permit 192.168.123.0 0.0.0.255
access-list 3 permit 192.168.129.128 0.0.0.7
access-list 3 permit 192.168.129.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.123.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.123.0 0.0.0.255 any
access-list 150 permit ip 192.168.123.0 0.0.0.255 any
access-list 150 permit ip 192.168.128.128 0.0.0.31 any
access-list 150 permit ip 192.168.129.128 0.0.0.7 any
!
!
!
!
route-map NONAT permit 10
 description *** NAT Address Translation Rule List ***
 match ip address 150
!
!
!
control-plane
!
line con 0
 logging synchronous
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 access-class 3 in
 logging synchronous
 transport input telnet ssh
line vty 5 15
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp update-calendar
ntp server 17.151.16.20 prefer source GigabitEthernet0
ntp server 17.151.16.21 source GigabitEthernet0
ntp server 17.151.16.22 source GigabitEthernet0
ntp server 17.151.16.23 source GigabitEthernet0
end

Open in new window

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname mre

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 ***

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local 

aaa authorization network ciscocp_vpn_group_ml_1 local 

!

!

!

!

!

aaa session-id common

!

!

!

clock timezone Pacific -8

clock summer-time Pacific date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-1507793008

 enrollment selfsigned

 subject-name cn=IOS-Self-Signed-Certificate-1507793008

 revocation-check none

 rsakeypair TP-self-signed-1507793008

!

!

crypto pki certificate chain TP-self-signed-1507793008

 certificate self-signed 01

  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 

  69666963 6174652D 31353037 37393330 3038301E 170D3130 30393037 31373239 

  30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 35303737 

  39333030 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 

  8100C150 094B319F 018EF68A F1173F1E 24011944 344D4F7D 6BC59164 73E9112D 

  36B74720 02E0F877 055BCB73 68F2D0EE CF5EC1D5 0776AEFC 8321AA11 59B32304 

  E2C4A11F 91838DB6 560B8798 8C653ECC AE77F524 EAF24827 1422CA93 B2184BA9 

  14AAD152 8F67B3B7 16397E99 7FA18030 D9513E50 858BC1FE 7963B0A6 633EEF0B 

  69230203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 

  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 

  301F0603 551D2304 18301680 14327128 E8CF28DF 31A27E83 14AB66C0 CFFD23E6 

  95301D06 03551D0E 04160414 327128E8 CF28DF31 A27E8314 AB66C0CF FD23E695 

  300D0609 2A864886 F70D0101 04050003 81810070 106BB7D0 FE00A0F7 3D6593DA 

  915CD68A 929C7DF1 8054E09F CC287640 B323006B AAAA9710 B242A194 415E5936 

  C73AF7EB BEF864D8 F2C7C1B1 8A8C53DD D6DBD86B EAC17508 4E42F07A F97612FB 

  7C761557 4036FE31 2B54940D 54534D8C FCF66911 AE21EA1A D2B41750 B0E0113C 

  DC933F23 801D6CF5 F5B8A560 AC4DC6C9 EEBB5F

  	quit

no ip source-route

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 192.168.123.186

ip dhcp excluded-address 192.168.123.1 192.168.123.127

ip dhcp excluded-address 192.168.123.192 192.168.123.254

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.123.0 255.255.255.0

   dns-server 192.168.123.250 

   default-router 192.168.123.1 

   domain-name example.com

   lease 0 2

!

!

ip cef

no ip bootp server

ip domain name example.com

ip name-server 8.8.8.8

no ipv6 cef

!

!

multilink bundle-name authenticated

license udi pid CISCO891-K9 sn FHK***

!

!

username admin privilege 15 secret 5 ***

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any SDM_AH

 match access-group name SDM_AH

class-map type inspect match-any SDM_ESP

 match access-group name SDM_ESP

!

! 

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

!

crypto isakmp client configuration group MRE-ADMIN

 key ***

 dns 192.168.123.250

 domain example.com

 pool SDM_POOL_1

 acl 101

 max-users 6

 netmask 255.255.255.0

!

crypto isakmp client configuration group MRE-STAFF

 key ***

 dns 192.168.123.250

 domain example.com

 pool SDM_POOL_2

 acl 102

 max-users 30

 netmask 255.255.255.224

crypto isakmp profile ciscocp-ike-profile-1

   match identity group MRE-ADMIN

   match identity group MRE-STAFF

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

!

crypto ipsec profile CiscoCP_Profile1

 set security-association idle-time 900

 set transform-set ESP-3DES-SHA 

 set isakmp-profile ciscocp-ike-profile-1

!         

!

!

!

!

!

interface Loopback0

 description $FW_INSIDE$

 ip address 1.1.1.1 255.255.255.0

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 !

!

interface Null0

 no ip unreachables

!

interface FastEthernet0

 spanning-tree portfast

 !

!

interface FastEthernet1

 spanning-tree portfast

 !        

!

interface FastEthernet2

 spanning-tree portfast

 !

!

interface FastEthernet3

 !

!

interface FastEthernet4

 spanning-tree portfast

 !

!

interface FastEthernet5

 spanning-tree portfast

 !

!

interface FastEthernet6

 spanning-tree portfast

 !

!

interface FastEthernet7

 spanning-tree portfast

 !        

!

interface FastEthernet8

 no ip address

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip flow ingress

 duplex auto

 speed auto

 !

!

interface Virtual-Template1 type tunnel

 ip unnumbered Loopback0

 tunnel mode ipsec ipv4

 tunnel protection ipsec profile CiscoCP_Profile1

 !

!

interface GigabitEthernet0

 description ***Upstream to Internet***$ETH-WAN$$FW_OUTSIDE$

 ip address 111.111.111.111 255.255.255.248

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip nat outside

 ip virtual-reassembly

 duplex full

 speed 10

 no cdp enable

 !

!

interface Vlan1

 description *** Local Network ***$ES_LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 1$$FW_INSIDE$

 ip address 192.168.123.1 255.255.255.0

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 ip mtu 1492

 ip flow ingress

 ip nat inside

 ip virtual-reassembly

 ip tcp adjust-mss 1452

 load-interval 30

 !

!

interface Async1

 no ip address

 no ip redirects

 no ip unreachables

 no ip proxy-arp

 encapsulation slip

 !

!

ip local pool SDM_POOL_2 192.168.128.129 192.168.128.158

ip local pool SDM_POOL_1 192.168.129.129 192.168.129.134

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source route-map NONAT interface GigabitEthernet0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 111.111.111.110

!

ip access-list extended SDM_AH

 remark CCP_ACL Category=1

 permit ahp any any

ip access-list extended SDM_ESP

 remark CCP_ACL Category=1

 permit esp any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.123.0 0.0.0.255

access-list 3 permit 192.168.123.0 0.0.0.255

access-list 3 permit 192.168.129.128 0.0.0.7

access-list 3 permit 192.168.129.0 0.0.0.255

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 192.168.123.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 192.168.123.0 0.0.0.255 any

access-list 150 permit ip 192.168.123.0 0.0.0.255 any

access-list 150 permit ip 192.168.128.128 0.0.0.31 any

access-list 150 permit ip 192.168.129.128 0.0.0.7 any

!

!

!

!

route-map NONAT permit 10

 description *** NAT Address Translation Rule List ***

 match ip address 150

!

!

!

control-plane

!

line con 0

 logging synchronous

 transport output telnet

line 1

 modem InOut

 stopbits 1

 speed 115200

 flowcontrol hardware

line aux 0

 transport output telnet

line vty 0 4

 access-class 3 in

 logging synchronous

 transport input telnet ssh

line vty 5 15

 logging synchronous

 transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

ntp update-calendar

ntp server 17.151.16.20 prefer source GigabitEthernet0

ntp server 17.151.16.21 source GigabitEthernet0

ntp server 17.151.16.22 source GigabitEthernet0

ntp server 17.151.16.23 source GigabitEthernet0

end

Open in new window

0
Comment
Question by:monkeymac
  • 7
  • 6
13 Comments
 
LVL 34

Expert Comment

by:Istvan Kalmar
Comment Utility
Hi,

you missed nonat:

no access-list 150 permit ip 192.168.128.128 0.0.0.31 any
no access-list 150 permit ip 192.168.129.128 0.0.0.7 any
access-list 150 deny ip any 192.168.128.128 0.0.0.31
access-list 150 deny ip any 192.168.129.128 0.0.0.7


!
0
 
LVL 1

Author Comment

by:monkeymac
Comment Utility
Thanks ikalmar,

I changed the ACL to reflect your changes, but I'm still not able to ping the LAN from the VPN client.

Regards,

Luis
0
 
LVL 1

Author Comment

by:monkeymac
Comment Utility
Here is the show crypto session output while I'm connected over VPN.

Regards,

Luis


#show crypto session
Crypto session current status

Interface: Virtual-Access2
Username: ****
Profile: ciscocp-ike-profile-1
Group: MRE-ADMIN
Assigned address: 192.168.129.134
Session status: UP-ACTIVE    
Peer: 200.200.200.200 port 36812
  IKE SA: local 111.111.111.111/4500 remote 200.200.200.200/36812 Active
  IPSEC FLOW: permit ip 192.168.123.0/255.255.255.0 host 192.168.129.134
        Active SAs: 2, origin: crypto map
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
Comment Utility
Please show:

sh cry isa sa
sh cry ips sa
 sh ip nat trans

sh access-list 150
0
 
LVL 1

Author Comment

by:monkeymac
Comment Utility
All your requested shows below:

sh cry isa sa:

mre-van-cr01#sh cry isa sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
111.111.111.111 200.200.200.200   QM_IDLE           2016 ACTIVE


#sh cry ips sa

interface: Virtual-Access2
    Crypto map tag: Virtual-Access2-head-0, local addr 111.111.111.111

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (192.168.123.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.129.129/255.255.255.255/0/0)
   current_peer 200.200.200.200 port 46141
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 111.111.111.111, remote crypto endpt.: 200.200.200.200
     path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0
     current outbound spi: 0xD2011BC(220205500)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x39E73A3C(971455036)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 25, flow_id: Onboard VPN:25, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4403019/3445)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xD2011BC(220205500)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 26, flow_id: Onboard VPN:26, sibling_flags 80000046, crypto map: Virtual-Access2-head-0
        sa timing: remaining key lifetime (k/sec): (4403019/3445)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
         
     outbound ah sas:

     outbound pcp sas:

sh ip nat trans
Pro Inside global      Inside local       Outside local      Outside global
tcp 111.111.111.111:80 192.168.123.6:80   ---                ---
tcp 111.111.111.111:3389 192.168.123.6:3389 ---              ---
tcp 111.111.111.111:4550 192.168.123.6:4550 ---              ---
tcp 111.111.111.111:5511 192.168.123.6:5511 ---              ---
tcp 111.111.111.111:5550 192.168.123.6:5550 ---              ---
tcp 111.111.111.111:8866 192.168.123.6:8866 ---              ---
udp 111.111.111.111:1  192.168.123.138:123 17.151.16.21:123  17.151.16.21:123
tcp 111.111.111.111:52411 192.168.123.138:52411 216.52.233.248:80 216.52.233.248:80
udp 111.111.111.111:123 192.168.123.149:123 17.151.16.23:123 17.151.16.23:123
tcp 111.111.111.111:54791 192.168.123.164:54791 72.14.213.109:993 72.14.213.109:993
tcp 111.111.111.111:54861 192.168.123.164:54861 74.125.155.109:993 74.125.155.109:993
tcp 111.111.111.111:54879 192.168.123.164:54879 66.183.7.147:110 66.183.7.147:110
tcp 111.111.111.111:58943 192.168.123.165:58943 64.59.134.27:110 64.59.134.27:110
tcp 111.111.111.111:59063 192.168.123.165:59063 74.125.155.109:993 74.125.155.109:993
tcp 111.111.111.111:59065 192.168.123.165:59065 74.125.155.109:993 74.125.155.109:993
Pro Inside global      Inside local       Outside local      Outside global
tcp 111.111.111.111:59202 192.168.123.165:59202 74.125.127.109:993 74.125.127.109:993
tcp 111.111.111.111:59203 192.168.123.165:59203 74.125.127.109:993 74.125.127.109:993
tcp 111.111.111.111:59204 192.168.123.165:59204 74.125.127.109:993 74.125.127.109:993
tcp 111.111.111.111:59206 192.168.123.165:59206 66.183.7.147:143 66.183.7.147:143
tcp 111.111.111.111:59209 192.168.123.165:59209 64.59.134.27:110 64.59.134.27:110
tcp 111.111.111.111:59210 192.168.123.165:59210 66.183.7.147:143 66.183.7.147:143
tcp 111.111.111.111:50683 192.168.123.166:50683 17.149.36.86:5223 17.149.36.86:5223
tcp 111.111.111.111:50688 192.168.123.166:50688 17.250.248.82:5223 17.250.248.82:5223
tcp 111.111.111.111:53324 192.168.123.168:53324 216.52.233.225:443 216.52.233.225:443
tcp 111.111.111.111:49159 192.168.123.172:49159 216.52.233.201:443 216.52.233.201:443
tcp 111.111.111.111:49157 192.168.123.173:49157 216.52.233.217:443 216.52.233.217:443
Pro Inside global      Inside local       Outside local      Outside global
tcp 111.111.111.111:56320 192.168.123.182:56320 66.183.7.147:995 66.183.7.147:995
tcp 111.111.111.111:56321 192.168.123.182:56321 64.59.134.27:110 64.59.134.27:110
tcp 111.111.111.111:56325 192.168.123.182:56325 66.183.7.147:995 66.183.7.147:995
tcp 111.111.111.111:56346 192.168.123.182:56346 64.59.134.27:110 64.59.134.27:110
tcp 111.111.111.111:56347 192.168.123.182:56347 66.183.7.147:995 66.183.7.147:995
tcp 111.111.111.111:56363 192.168.123.182:56363 66.183.7.147:995 66.183.7.147:995
tcp 111.111.111.111:56368 192.168.123.182:56368 66.183.7.147:995 66.183.7.147:995
tcp 111.111.111.111:49563 192.168.123.184:49563 17.250.248.121:443 17.250.248.121:443
tcp 111.111.111.111:49564 192.168.123.184:49564 17.250.248.121:443 17.250.248.121:443
tcp 111.111.111.111:5003 192.168.123.250:5003 ---            ---
udp 111.111.111.111:50187 192.168.123.250:50187 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:50260 192.168.123.250:50260 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:51097 192.168.123.250:51097 198.41.0.4:53 198.41.0.4:53
Pro Inside global      Inside local       Outside local      Outside global
udp 111.111.111.111:51126 192.168.123.250:51126 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:51559 192.168.123.250:51559 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:53481 192.168.123.250:53481 204.174.64.1:53 204.174.64.1:53
udp 111.111.111.111:54005 192.168.123.250:54005 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:54548 192.168.123.250:54548 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:54935 192.168.123.250:54935 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:57159 192.168.123.250:57159 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:57644 192.168.123.250:57644 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:58778 192.168.123.250:58778 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:59215 192.168.123.250:59215 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:60374 192.168.123.250:60374 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:61388 192.168.123.250:61388 204.174.65.1:53 204.174.65.1:53
tcp 111.111.111.111:61808 192.168.123.250:61808 192.35.50.49:443 192.35.50.49:443
udp 111.111.111.111:62135 192.168.123.250:62135 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:62581 192.168.123.250:62581 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:63333 192.168.123.250:63333 204.174.65.1:53 204.174.65.1:53
tcp 111.111.111.111:63812 192.168.123.250:63812 69.8.124.45:80 69.8.124.45:80
tcp 111.111.111.111:63817 192.168.123.250:63817 69.8.124.54:443 69.8.124.54:443
udp 111.111.111.111:64683 192.168.123.250:64683 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:64829 192.168.123.250:64829 204.174.65.1:53 204.174.65.1:53
udp 111.111.111.111:65142 192.168.123.250:65142 204.174.65.1:53 204.174.65.1:53
Pro Inside global      Inside local       Outside local      Outside global
udp 111.111.111.111:65476 192.168.123.250:65476 204.174.65.1:53 204.174.65.1:53
tcp 111.111.111.111:50839 192.168.123.251:50839 69.8.124.42:443 69.8.124.42:443
tcp 111.111.111.111:54650 192.168.123.251:54650 69.8.124.54:443 69.8.124.54:443
tcp 111.111.111.111:54655 192.168.123.251:54655 69.8.124.45:80 69.8.124.45:80
tcp 111.111.111.111:54657 192.168.123.251:54657 17.250.248.122:443 17.250.248.122:443
tcp 111.111.111.111:54658 192.168.123.251:54658 96.6.205.15:80 96.6.205.15:80
tcp 111.111.111.111:54659 192.168.123.251:54659 96.6.205.15:80 96.6.205.15:80
tcp 111.111.111.111:54660 192.168.123.251:54660 69.8.124.45:80 69.8.124.45:80
tcp 111.111.111.111:54663 192.168.123.251:54663 69.8.124.52:443 69.8.124.52:443
tcp 111.111.111.111:54664 192.168.123.251:54664 69.8.116.198:443 69.8.116.198:443

sh access-list 150
Extended IP access list 150
    10 permit ip 192.168.123.0 0.0.0.255 any (2264283 matches)
    20 deny ip any 192.168.128.128 0.0.0.31
    30 deny ip any 192.168.129.128 0.0.0.7
0
 
LVL 34

Accepted Solution

by:
Istvan Kalmar earned 500 total points
Comment Utility
you need:

conf t
no access-list 150
ip access-list extended 150
    20 deny ip any 192.168.128.128 0.0.0.31
    30 deny ip any 192.168.129.128 0.0.0.7
   50 permit ip 192.168.123.0 0.0.0.255 any
0
What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

 
LVL 1

Author Comment

by:monkeymac
Comment Utility
Thanks, I reordered the ACLs, tried ping, still no luck.

Do I need to allow ICMP specifically?

At least now the ACL shows the matched denies.


mre-van-cr01(config-ext-nacl)#do sho access-lists 150
Extended IP access list 150
    10 deny ip any 192.168.128.128 0.0.0.31
    20 deny ip any 192.168.129.128 0.0.0.7
    50 permit ip 192.168.123.0 0.0.0.255 any (1181 matches)
0
 
LVL 1

Author Comment

by:monkeymac
Comment Utility
It looks like it is actually GETTING the pings, but not able to route them back to the VPN client?

mre-van-cr01#debug ip icmp
ICMP packet debugging is on
mre-van-cr01#
001843: Sep 10 16:51:22.679 Pacific: ICMP: echo reply sent, src 192.168.123.1, dst 192.168.129.132, topology BASE, dscp 0 topoid 0
001844: Sep 10 16:51:23.659 Pacific: ICMP: echo reply sent, src 192.168.123.1, dst 192.168.129.132, topology BASE, dscp 0 topoid 0
mre-van-cr01#
001845: Sep 10 16:51:24.659 Pacific: ICMP: echo reply sent, src 192.168.123.1, dst 192.168.129.132, topology BASE, dscp 0 topoid 0
mre-van-cr01#
001846: Sep 10 16:51:25.663 Pacific: ICMP: echo reply sent, src 192.168.123.1, dst 192.168.129.132, topology BASE, dscp 0 topoid 0
mre-van-cr01#
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
Comment Utility
did you reloaded the router?
0
 
LVL 1

Author Comment

by:monkeymac
Comment Utility
No, but I will - stand by...
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
Comment Utility
ty it....
0
 
LVL 1

Author Comment

by:monkeymac
Comment Utility
YESSSSS!

Thanks ikalmar!

Why was the reload necessary?

Regards,

Luis
0
 
LVL 34

Expert Comment

by:Istvan Kalmar
Comment Utility
sometimes there is a problem with NAT, and reloading help:)
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

I've written this article to illustrate how we can implement a Dynamic Multipoint VPN (DMVPN) with both hub and spokes having a dynamically assigned non-broadcast multiple-access (NBMA) network IP (public IP). Here is the basic setup of DMVPN Pha…
Let’s list some of the technologies that enable smooth teleworking. 
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now