Cisco 871w node VPN access

mahrens007 asked:
I am trying to set up IPsec VPN access to one of my customers.  I am able to establish the VPN, but cannot ping the local subnet of 192.168.50.x.  I'm sure it is a NAT or ACL issue but I'm not seeing it.

Building configuration...

Current configuration : 8571 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname <the hostname>
logging buffered 51200
logging console critical
enable secret 5 <the secret>
aaa new-model
aaa authentication login rauser local
aaa authorization network ragroup local
aaa session-id common
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group <the group name>
 key <the key>
 pool ippool
 acl split
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 1000
 set transform-set myset
crypto map mymap client authentication list rauser
crypto map mymap isakmp authorization list ragroup
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto pki trustpoint TP-self-signed-2042814819
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2042814819
 revocation-check none
 rsakeypair TP-self-signed-2042814819
crypto pki certificate chain TP-self-signed-2042814819
 certificate self-signed 01
  3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32303432 38313438 3139301E 170D3032 30333031 30313038
  33385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 30343238
  31343831 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100CDF3 4984CA00 99396523 0EBCCBF3 3A207E3F 1A0745C1 01E1DE3C F28CDBA9
  7E49D782 6C1212AF 90718602 A68587BF 60F011AA 63ED66B8 8D844A92 3574B119
  65D826B2 960E994F 856D418C C96462CA D42EC3E4 59ADB365 73BE505E B6831BEC
  AF060151 C100E08A 081F6072 02A97355 2532D474 79301AA1 5C3D18EC C78E9DE3
  D86D0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
  551D1104 0B300982 07726663 2E726663 301F0603 551D2304 18301680 14FFDB68
  8AE8C261 4A381CB0 17931AAB 01FFB7D1 37301D06 03551D0E 04160414 FFDB688A
  E8C2614A 381CB017 931AAB01 FFB7D137 300D0609 2A864886 F70D0101 04050003
  81810068 A1866AC0 D52F5974 F45CBDDF 759DBED9 461ED3FA 945A7968 A1001C3E
  0865849A 8C80A84A 7931507B 478B9FD1 D30EFB78 A5FF5D60 86662224 C7A3B00E
  015D74EE 96D16503 A8F97C46 8628CEEA 79E861F7 648E6E42 6352300B 18263CD4
  94546CAB A506D526 D0B4C160 FB745938 EDD6DAFA 0DCA4FD6 DDFB8191 68BE1096 D8138C

dot11 ssid wlan01
   authentication open
   authentication key-management wpa
   wpa-psk ascii 7 <the key>

no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address
ip dhcp excluded-address
ip dhcp pool sdm-pool1
   import all

no ip bootp server
ip domain name <the domain>
ip name-server
ip name-server
username INSADMIN privilege 15 secret 5 <the password>

username testuser password 7 <the password>

 log config
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh rsa keypair-name rfc.rfc
ip ssh version 2
class-map type inspect match-any sdm-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-insp-traffic
 match class-map sdm-cls-insp-traffic
class-map type inspect match-any sdm-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ssh-https-class
 match protocol ssh
 match protocol https
class-map type inspect match-all management-class
 match class-map ssh-https-class
 match access-group 109
class-map type inspect match-all sdm-invalid-src
 match access-group 100
class-map type inspect match-all sdm-icmp-access
 match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
 match protocol http
class-map type inspect match-all sdm-nat-ssh-1
 match access-group 101
 match protocol ssh
class-map type inspect match-all sdm-nat-ssh-2
 match access-group 102
 match protocol ssh
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
 class class-default
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-ssh-1
 class type inspect sdm-nat-ssh-2
policy-map type inspect sdm-inspect
 class type inspect sdm-invalid-src
  drop log
 class type inspect sdm-insp-traffic
 class type inspect sdm-protocol-http
 class class-default
policy-map type inspect sdm-permit
 class class-default
policy-map type inspect ccp-permit
 class type inspect management-class
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
bridge irb
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address <the IP and subnet>
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow

 duplex auto
 speed auto
 crypto map mymap
interface Dot11Radio0
 no ip address
 encryption mode ciphers aes-ccm
 ssid wlan01
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
interface Vlan1
 no ip address

 ip tcp adjust-mss 1452
 bridge-group 1
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1412
ip local pool ippool
ip route <ISP gateway>
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 111 interface FastEthernet4 overload
ip access-list extended split
 permit ip
logging trap debugging

access-list 1 permit
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host any
access-list 100 permit ip any
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host
access-list 106 permit tcp host any
access-list 109 permit ip any
access-list 109 permit ip any

access-list 110 permit ip any any
access-list 111 permit ip any
access-list 111 permit ip
no cdp run
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C

line con 0
 no modem enable

 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 110 in
 privilege level 15
 password 7 143711085F1739
 transport input telnet ssh
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

webvpn cef

TYoung answered:

Connect to the VPN. In the client, goto statistics and read what it says for "secured routes". That will tell you if its being tunnelled properly.

Also, while a client is still connected, do a show ip route on the router to see if the client IP shows up in the routing table.

Have a look at the following document - Using VPN with Zone-Based Policy Firewall

When I implemented it, I used a virtual template interface and created a VPN security zone. However the document shows you how to do this without a VTI as well.
mahrens007:
Under secure routes, it shows sub

I attached the route print

mahrens007 (accepted solution):
NAT issue.
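Added example (not part of the thread above, and not the poster's final config): what the "NAT issue" normally is on an IOS remote-access IPsec server that uses `ip nat inside source list ... overload`. On the outbound path IOS applies inside-source NAT before it evaluates the crypto map on FastEthernet4, so a reply from 192.168.50.x to a VPN client is translated to the WAN address, no longer matches the client's IPsec SA, and leaves in the clear; the client never sees it. The fix is a deny entry for LAN-to-pool traffic at the top of the NAT ACL (ACL 111 in the posted config). The LAN 192.168.50.0/24 comes from the question; the pool 192.168.60.1-192.168.60.20 and the split-tunnel ACL body are assumptions standing in for the redacted `ip local pool ippool` and `split` lines. The verification commands at the end complement the client-side "secured routes" and `show ip route` checks TYoung suggested. One caveat from the posted config: FastEthernet4 is placed in in-zone although its description says $FW_OUTSIDE$; if it really belongs to out-zone, the decrypted client traffic also needs an out-zone to in-zone zone-pair with a policy that passes or inspects it (what the linked ZBF/VPN document covers). The 3DES/MD5/group 2 ISAKMP policy is left alone here because that is what the page uses; on a current deployment those should be replaced.

```cisco
! Added example, not the original poster's configuration.
! Assumptions, labelled: LAN 192.168.50.0/24 is from the question;
! the client pool 192.168.60.1-192.168.60.20 is made up to stand in for
! the redacted "ip local pool ippool" line.

! ---- Before (the usual broken shape): every LAN source is PAT'd to the
! FastEthernet4 address, including packets addressed to VPN clients, so
! they are translated before the crypto map sees them and never enter
! the tunnel.
access-list 111 permit ip 192.168.50.0 0.0.0.255 any
ip nat inside source list 111 interface FastEthernet4 overload

! ---- After: exempt LAN -> pool from NAT. A numbered ACL cannot be
! edited in place, so rebuild it; the deny must precede the permit
! because ACLs match top-down, first match wins.
ip local pool ippool 192.168.60.1 192.168.60.20
no access-list 111
access-list 111 remark NAT exemption for VPN clients; keep this deny first
access-list 111 deny   ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
access-list 111 permit ip 192.168.50.0 0.0.0.255 any
ip nat inside source list 111 interface FastEthernet4 overload

! Split-tunnel list handed to the client by "acl split" under the
! isakmp client configuration group: only the LAN is sent into the
! tunnel, everything else leaves the client's own interface.
ip access-list extended split
 permit ip 192.168.50.0 0.0.0.255 any

! Drop translations created under the old ACL, otherwise an existing
! entry for a LAN host keeps winning until it ages out.
clear ip nat translation *

! ---- Verification while a client is connected and pinging 192.168.50.x:
!   show ip nat translations | include 192.168.60.
!       expected: no entries whose destination is a pool address
!   show crypto ipsec sa
!       expected: both "#pkts encaps" and "#pkts decaps" increase;
!       decaps rising while encaps stays at 0 is the NAT symptom
!   show ip route | include 192.168.60.
!       expected: a /32 host route for the client, installed by the
!       crypto map (this is TYoung's show ip route check)
```

On IOS 12.3 and later the same deny can be inserted without rebuilding the ACL, using `ip access-list extended 111` and a sequence number lower than the existing permit entry; the rebuild above is shown because it is unambiguous on any release. If the router instead used a route-map for NAT, the equivalent exemption is a deny for the same LAN-to-pool pair in the route-map's match ACL.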