• Status: Solved
• Priority: Medium
• Security: Public
• Views: 406
• Last Modified:

Cisco dynamic SSL VPN can't ping from outside to inside but can ping from inside to outside.

I know it's a weird issue.
I have a Cisco Secure 520 router that I'm trying to set up a dynamic VPN on.

Currently, if I ping an address on the internal network I get replies from the WAN IP instead of the IP of the computer I'm trying to ping.

I can ping from the inside client to the VPN and get a valid response.

I have included the config from the Cisco router.



Current configuration : 2916 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GPC1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
!
aaa new-model
!
!
aaa authentication login vpn-users local
aaa authorization network vpn-users local
!
aaa session-id common
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint GPC1_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 subject-name CN=ACS11, ST=WI, C=US
 revocation-check crl
 rsakeypair GPC1_Certificate_RSAKey 512
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool MYNET
   network 192.168.1.0 255.255.255.0
   domain-name gpc.local
   default-router 192.168.1.1
   dns-server 216.xx.xx.2 64.xx.xx.250
   lease 0 2
!
!
ip cef
ip name-server 216.xx.xx.2
ip name-server 64.xx.xx.250
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 removed
username test secret 5 removed
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 120 15
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group default
 key removed
 dns 4.2.2.2
 domain domain.local
 pool vpn-dynamic-pool
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs
!
crypto dynamic-map vpn-dynamic-map 1
 set transform-set ESP-AES-128-SHA-LZS
crypto dynamic-map vpn-dynamic-map 2
 set transform-set ESP-AES-128-SHA
!
!
crypto map vpn-dynamic client authentication list vpn-users
crypto map vpn-dynamic isakmp authorization list vpn-users
crypto map vpn-dynamic client configuration address respond
crypto map vpn-dynamic 1 ipsec-isakmp dynamic vpn-dynamic-map
!
archive
 log config
  hidekeys
!
process-max-time 150
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 description WAN INTERFACE STATIC
 ip address 207.xx.xx.xx 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn-dynamic
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool vpn-dynamic-pool 192.168.3.10 192.168.3.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 207.xx.xx.xx
!
ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet4 overload
!
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password removed
!
scheduler max-task-time 5000
end
C:\Users\xxxx>ping 192.168.1.101

Pinging 192.168.1.101 with 32 bytes of data:
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127

Ping statistics for 192.168.1.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms
1 Solution
 
jmeggers (Sr. Network and Security Engineer) commented:
Your NAT ACL is configured to NAT all traffic outbound. You might want to put a deny statement at the top of the ACL that denies NAT if the destination is your VPN subnet.
0
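A worked version of that change, added here as an example rather than taken from the answer or the poster's router. It assumes the ACL name NAT-ACL, the LAN 192.168.1.0/24 and the VPN pool 192.168.3.10-192.168.3.100 (covered by 192.168.3.0/24) from the posted config, and uses ACL sequence numbers so the deny lands above the existing permit instead of being appended after it.

```cisco
! Before: every packet leaving the LAN matches the permit and is translated,
! including replies to VPN clients, so the client sees the WAN address as the
! source of the ping reply.
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
! After: exempt LAN -> VPN-pool traffic from NAT. Named ACLs are evaluated top
! down with first match winning, so the deny must sit above the permit.
! The existing permit holds sequence 10 by default; sequence 5 goes before it.
ip access-list extended NAT-ACL
 5 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Resulting ACL as the router will list it:
!   5  deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!   10 permit ip 192.168.1.0 0.0.0.255 any
!
! Translations already built under the old ACL persist until they age out,
! so clear them for the change to apply to current sessions.
clear ip nat translation *
!
! Verify: after a ping from the VPN client, the deny line should show matches
! and no translation entry for the 192.168.3.x destination should appear.
show ip access-lists NAT-ACL
show ip nat translations
```

Only traffic to the VPN pool is exempted; ordinary Internet-bound traffic from the LAN still matches sequence 10 and is overloaded onto the WAN address as before.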