Solved

Cisco dynamic SSL VPN can't ping from outside to inside but can ping from inside to outside.

Posted on 2011-03-09
Last Modified: 2012-06-27
I know it's a weird issue.

I have a Cisco Secure 520 router that I'm trying to set up a dynamic VPN on.

Currently, if I ping an address on the internal network, I get replies from the WAN IP instead of the IP of the computer I'm trying to ping.

I can ping from the inside client to the VPN and get a valid response.

I have included the config from the Cisco router.



Current configuration : 2916 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GPC1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
!
aaa new-model
!
!
aaa authentication login vpn-users local
aaa authorization network vpn-users local
!
aaa session-id common
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint GPC1_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 subject-name CN=ACS11, ST=WI, C=US
 revocation-check crl
 rsakeypair GPC1_Certificate_RSAKey 512
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool MYNET
   network 192.168.1.0 255.255.255.0
   domain-name gpc.local
   default-router 192.168.1.1
   dns-server 216.xx.xx.2 64.xx.xx.250
   lease 0 2
!
!
ip cef
ip name-server 216.xx.xx.2
ip name-server 64.xx.xx.250
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 removed
username test secret 5 removed
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 120 15
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group default
 key removed
 dns 4.2.2.2
 domain domain.local
 pool vpn-dynamic-pool
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs
!
crypto dynamic-map vpn-dynamic-map 1
 set transform-set ESP-AES-128-SHA-LZS
crypto dynamic-map vpn-dynamic-map 2
 set transform-set ESP-AES-128-SHA
!
!
crypto map vpn-dynamic client authentication list vpn-users
crypto map vpn-dynamic isakmp authorization list vpn-users
crypto map vpn-dynamic client configuration address respond
crypto map vpn-dynamic 1 ipsec-isakmp dynamic vpn-dynamic-map
!
archive
 log config
  hidekeys
!
process-max-time 150
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 description WAN INTERFACE STATIC
 ip address 207.xx.xx.xx 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn-dynamic
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool vpn-dynamic-pool 192.168.3.10 192.168.3.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 207.xx.xx.xx
!
ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet4 overload
!
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password removed
!
scheduler max-task-time 5000
end

C:\Users\xxxx>ping 192.168.1.101

Pinging 192.168.1.101 with 32 bytes of data:
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127

Ping statistics for 192.168.1.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms


Question by: 03671328

1 Comment

Accepted Solution by: jmeggers (LVL 18, earned 500 total points)
ID: 35097721
Your NAT ACL is configured to NAT all traffic outbound. You might want to put a deny statement at the top of the ACL that denies NAT if the destination is your VPN subnet.
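The NAT exemption the accepted answer describes, written out as an added example against the config posted above (not part of the original answer). It assumes the existing permit entry sits at sequence 10, the IOS default for the first entry of a named ACL, and uses 192.168.3.0/24 because it covers the whole 192.168.3.10-100 VPN pool.

```cisco
! As posted: every packet leaving the LAN matches the permit and is
! translated to the FastEthernet4 address, including replies to VPN
! clients, which is why the ping replies come from 207.xx.xx.xx.
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
! Corrected ACL: entries are evaluated in order, so a deny ahead of the
! permit excludes LAN-to-VPN-pool traffic from NAT and replies keep
! their real 192.168.1.x source. Sequence 5 lands the deny before the
! existing permit (assumed to be sequence 10); confirm the numbering with
! "show access-lists NAT-ACL" first.
ip access-list extended NAT-ACL
 5 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
! Exec mode: translations already in the NAT table persist until they
! time out, so clear them for the new ACL to take effect immediately.
clear ip nat translation *
!
! Verification: the deny counter should increment while a VPN client pings
! a LAN host, and no entry with a 192.168.3.x destination should appear.
show access-lists NAT-ACL
show ip nat translations
```

If a later IOS change ever re-adds the permit without a sequence number it is appended at the end, so the deny must stay first; the ACL order, not the entry count, is what decides whether NAT applies.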