Solved

Cisco dynamic SSL VPN can't ping from outside to inside but can ping from inside to outside.

Posted on 2011-03-09
1
387 Views
Last Modified: 2012-06-27
I know it's a weird issue.
I have a Cisco Secure 520 router that I'm trying to set up a dynamic VPN on.

Currently, if I ping an address on the internal network, I get replies from the WAN IP instead of the IP of the computer I'm trying to ping.

I can ping from the inside client to the VPN and get a valid response.

I have included the config from the Cisco router.

Current configuration : 2916 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname GPC1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging console
!
aaa new-model
!
!
aaa authentication login vpn-users local
aaa authorization network vpn-users local
!
aaa session-id common
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
 subject-name e=sdmtest@sdmtest.com
 revocation-check crl
!
crypto pki trustpoint GPC1_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 subject-name CN=ACS11, ST=WI, C=US
 revocation-check crl
 rsakeypair GPC1_Certificate_RSAKey 512
!
!
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 192.168.1.1 192.168.1.100
!
ip dhcp pool MYNET
   network 192.168.1.0 255.255.255.0
   domain-name gpc.local
   default-router 192.168.1.1
   dns-server 216.xx.xx.2 64.xx.xx.250
   lease 0 2
!
!
ip cef
ip name-server 216.xx.xx.2
ip name-server 64.xx.xx.250
!
no ipv6 cef
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 removed
username test secret 5 removed
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
 lifetime 3600
crypto isakmp keepalive 120 15
crypto isakmp xauth timeout 60
!
crypto isakmp client configuration group default
 key removed
 dns 4.2.2.2
 domain domain.local
 pool vpn-dynamic-pool
!
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA-LZS esp-aes esp-sha-hmac comp-lzs
!
crypto dynamic-map vpn-dynamic-map 1
 set transform-set ESP-AES-128-SHA-LZS
crypto dynamic-map vpn-dynamic-map 2
 set transform-set ESP-AES-128-SHA
!
!
crypto map vpn-dynamic client authentication list vpn-users
crypto map vpn-dynamic isakmp authorization list vpn-users
crypto map vpn-dynamic client configuration address respond
crypto map vpn-dynamic 1 ipsec-isakmp dynamic vpn-dynamic-map
!
archive
 log config
  hidekeys
!
process-max-time 150
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 description WAN INTERFACE STATIC
 ip address 207.xx.xx.xx 255.255.255.128
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpn-dynamic
!
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
ip local pool vpn-dynamic-pool 192.168.3.10 192.168.3.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 207.xx.xx.xx
!
ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet4 overload
!
ip access-list extended NAT-ACL
 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 password removed
!
scheduler max-task-time 5000
end


C:\Users\xxxx>ping 192.168.1.101

Pinging 192.168.1.101 with 32 bytes of data:
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127
Reply from 207.xx.xx.xx: bytes=32 time=2ms TTL=127

Ping statistics for 192.168.1.101:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 2ms, Average = 2ms


Question by:03671328
1 Comment

LVL 18
Accepted Solution
by: jmeggers earned 500 total points
ID: 35097721
Your NAT ACL is configured to NAT all traffic outbound. You might want to put a deny statement at the top of the ACL that denies NAT if the destination is your VPN subnet.
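An added example, not part of the original question or of jmeggers' answer, of the NAT exemption the answer describes, written against the NAT-ACL in the posted config. On IOS, inside-to-outside traffic is translated before it reaches the crypto map, so a reply from 192.168.1.101 to a VPN client matches `permit ip 192.168.1.0 0.0.0.255 any`, is translated to the FastEthernet4 address, and only then encrypted; that is why the client sees the WAN IP in the ping replies. The example assumes the pool vpn-dynamic-pool (192.168.3.10 to 192.168.3.100) lies within 192.168.3.0/24 and that the only inside hosts are in 192.168.1.0/24; adjust the deny entry if the pool is carved differently.

```cisco
! Added example (not the poster's config): NAT exemption for VPN-client traffic.
! Assumption: the VPN client pool is inside 192.168.3.0/24.
!
! As posted, every packet from 192.168.1.0/24 is translated, including
! replies to VPN clients:
!
!   ip access-list extended NAT-ACL
!    permit ip 192.168.1.0 0.0.0.255 any
!
! Fix (configuration mode): insert a deny entry ahead of the permit. In a
! named ACL the existing permit carries the default sequence number 10, so
! sequence 5 lands in front of it without removing and re-adding the ACL.
configure terminal
ip access-list extended NAT-ACL
 5 deny ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
 exit
end
!
! Dynamic translations that already exist for the affected flows are not
! re-evaluated until they age out, so clear them after the change.
clear ip nat translation *
!
! Verification: the deny entry accumulates matches as VPN-client replies pass,
! and no translation with a 192.168.3.x destination should appear. A ping from
! the VPN client to 192.168.1.101 should then answer from 192.168.1.101 itself.
show access-lists NAT-ACL
show ip nat translations
```

The deny entry only exempts traffic from translation; it does not permit or block anything, so the crypto map continues to decide which flows are encrypted. Keep the exemption as narrow as the pool actually is, so that hosts on 192.168.1.0/24 reaching Internet destinations are still translated.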
