Solved

cisco dynamic ssl vpn cant ping from out side to inside but can ping from inside to out side.

Posted on 2011-03-09
383 Views
Last Modified: 2012-06-27
I know it's a weird issue.
I have a Cisco Secure 520 router that I'm trying to set up a dynamic VPN on.

Currently, if I ping an address on the internal network, I get replies from the WAN IP instead of the IP of the computer I'm trying to ping.

I can ping from the inside client to the VPN and get a valid response.

I have included the config from the Cisco router.

Current configuration : 2916 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GPC1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
!
aaa new-model
!
!
aaa authentication login vpn-users local
aaa authorization network vpn-users local
!
aaa session-id common
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint GPC1_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 subject-name CN=ACS11, ST=WI, C=US
 revocation-check crl
 rsakeypair GPC1_Certificate_RSAKey 512
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool MYNET
   network 192.168.1.0 255.255.255.0
   domain-name gpc.local
   default-router 192.168.1.1
   dns-server 216.xx.xx.2 64.xx.xx.250
   lease 0 2
!
!
ip cef
ip name-server 216.xx.xx.2
ip name-server 64.xx.xx.250
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 removed
username test secret 5 removed
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 120 15
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group default
 key removed
 dns 4.2.2.2
 domain domain.local
 pool vpn-dynamic-pool
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs
!
crypto dynamic-map vpn-dynamic-map 1
 set transform-set ESP-AES-128-SHA-LZS
crypto dynamic-map vpn-dynamic-map 2
 set transform-set ESP-AES-128-SHA
!
!
crypto map vpn-dynamic client authentication list vpn-users
crypto map vpn-dynamic isakmp authorization list vpn-users
crypto map vpn-dynamic client configuration address respond
crypto map vpn-dynamic 1 ipsec-isakmp dynamic vpn-dynamic-map
!
archive
 log config
  hidekeys
!
process-max-time 150
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 description WAN INTERFACE STATIC
 ip address 207.xx.xx.xx 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn-dynamic
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool vpn-dynamic-pool 192.168.3.10 192.168.3.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 207.xx.xx.xx
!
ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet4 overload
!
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password removed
!
scheduler max-task-time 5000
end


C:\Users\xxxx>ping 192.168.1.101

Pinging 192.168.1.101 with 32 bytes of data:
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127

Ping statistics for 192.168.1.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms


Question by: 03671328
1 Comment

Accepted Solution
by: jmeggers earned 500 total points
ID: 35097721
Your NAT ACL is configured to NAT all traffic outbound. You might want to put a deny statement at the top of the ACL that denies NAT if the destination is your VPN subnet.
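The NAT exemption jmeggers describes, written out against the posted config as an added example (not part of the original answer). It assumes the VPN pool stays inside 192.168.3.0/24 as configured (192.168.3.10-100), so the whole /24 is exempted; the `clear` and `show` lines are privileged-exec commands, not configuration.

```ios
! Added example: exempt LAN-to-VPN-client traffic from NAT.
! In global configuration mode. Sequence 5 places the deny ahead of the
! existing permit (sequence 10), so replies from 192.168.1.x hosts to the
! 192.168.3.x pool keep their real source address instead of the WAN IP.
ip access-list extended NAT-ACL
 5 deny   ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 10 permit ip 192.168.1.0 0.0.0.255 any   ! already present; shown for order
!
! Privileged exec: drop translations already built towards VPN client
! addresses so the new ACL takes effect immediately (clears all dynamic
! translations, so existing outbound sessions will rebuild theirs).
clear ip nat translation *
!
! Verify: the deny counter should increment when a VPN client pings a LAN
! host, and no translation should appear for a 192.168.3.x peer.
show access-lists NAT-ACL
show ip nat translations
```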
