Unable to ping hosts on either side of an IPsec VPN

cameron213 asked
Last Modified: 2012-05-11
I have created a site-to-site IPsec VPN with a Cisco 2610 and a Linksys RV042. Running a "show crypto isakmp sa" command I get a QM_IDLE status, and when running "show crypto ipsec sa" I see that packets are being decrypted and encrypted. Also, when running the "show ip access-lists" command I do have matches for that connection.

The problem is that I am unable to ping hosts from one network to another. For example, from the Cisco router in network I am unable to ping the remote network and vice versa.

I am not sure what is happening. Do I need to create a route to that remote network? I guess it could also be a problem with NAT or an ACL.

Here is what the running-config shows:

crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key 6 linksys address 173.x.x.x

crypto ipsec transform-set FirstStep esp-3des esp-md5-hmac

crypto map FirstStep 1 ipsec-isakmp
 set peer 173.x.x.x
 set transform-set FirstStep
 set pfs group2
 match address 110

interface FastEthernet0/0
 ip address
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto

interface FastEthernet0/1
 ip address 70.x.x.x
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map FirstStep

interface Serial0/2
 ip address
 ip nat inside
 ip virtual-reassembly
 encapsulation ppp
 service-module t1 clock source internal
 service-module t1 timeslots 1-24

router rip
 version 2
 passive-interface FastEthernet0/0
 passive-interface FastEthernet0/1
 default-information originate
 no auto-summary

ip forward-protocol nd
ip route 70.91.x.x

ip http server
ip http authentication local
ip http secure-server
ip nat inside source route-map NONAT_NAT interface FastEthernet0/1 overload

ip access-list extended nonat_nat
 remark No NAT local network to remote vpn network
 deny ip
 remark NAT local network to Internet
 permit ip any

access-list 110 permit ip

route-map NONAT_NAT permit 1
 match ip address nonat_nat

line con 0
 password 7 06351B205E42001F11
 logging synchronous
line aux 0
line vty 0 3
 logging synchronous
 login local
line vty 4
 password 7 00370707165702001B
 logging synchronous
 login local

ntp clock-period 17208400
ntp server


I am not sure if this matters or not, but our company has purchased several public IP addresses that we have assigned to internal devices. As you can see in the network diagram, in the network, the Cisco router has an IP address on the fa0/1 interface that connects to the modem of 70.210.x.x., while the same interface on the modem that connects to the Cisco has a private address of

The same thing happens in the network. Could this cause problems with other things?

I do notice that I am able to ping the internet fine from the Cisco router in the network. However, if a PC in the same network pings the internet, a ping packet gets lost or is not returned, resulting in a 20% loss.

Any ideas and suggestions are appreciated,
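
The question's own guess (NAT or an ACL) points at the usual culprit in this shape of config: IOS applies inside-to-outside NAT before it evaluates the crypto map ACL, so traffic to the remote site has to hit a deny in the NAT-exemption ACL (nonat_nat here) before it reaches the permit to the Internet, or the translated packet no longer matches access-list 110 and never enters the tunnel. The following linter checks exactly that relationship between the crypto map, the route-map and the ACLs, and also flags "password 7" lines, which are a reversible encoding rather than a hash. It is an added example written for this page, not code from the question or from Cisco; the sample configs are constructed in the shape of the posted one, and 192.0.2.0/24, 198.51.100.0/24, 203.0.113.x and the type 7 string are documentation-range placeholders rather than the asker's real values.

```python
"""Lint a Cisco IOS running-config for the site-to-site IPsec pitfall of
interesting traffic being NATed before the crypto map is evaluated.

Added example (not Cisco code). IOS runs inside-to-outside NAT before the crypto
map ACL check, so a flow that the crypto ACL permits must first match a deny in
the NAT-exemption ACL (or match nothing); if its first match there is a permit,
the translated packet leaves toward the Internet instead of into the tunnel.
"""
import ipaddress
from dataclasses import dataclass

ANY = ipaddress.IPv4Network("0.0.0.0/0")


@dataclass(frozen=True)
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _wildcard_net(addr, wildcard):
    """Convert IOS 'address wildcard' notation (e.g. 0.0.0.255) into a network."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False)


def _parse_addr(tokens, i):
    """Parse one ACL address operand at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ANY, i + 1
    if tokens[i] == "host":
        return ipaddress.IPv4Network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_net(tokens[i], tokens[i + 1]), i + 2


def _parse_ace(tokens):
    """tokens: ['permit'|'deny', 'ip', <src>, <dst>]; only protocol 'ip' entries are linted."""
    src, i = _parse_addr(tokens, 2)
    dst, _ = _parse_addr(tokens, i)
    return AclEntry(tokens[0], src, dst)


def parse_config(text):
    """Collect ACLs, crypto-map match ACLs, route-maps, the NAT route-map and type 7 lines."""
    cfg = {"acls": {}, "crypto_acls": {}, "route_maps": {}, "nat_route_map": None, "type7": []}
    block = None                     # (kind, name) of the enclosing config mode, if tracked
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        t = raw.split()
        if t[:2] == ["password", "7"]:          # reversible encoding, not a hash
            cfg["type7"].append(raw.strip())
        if not raw[0].isspace():                 # top-level command: opens or ends a block
            block = None
            if t[:3] == ["ip", "access-list", "extended"]:
                block = ("acl", t[3])
                cfg["acls"].setdefault(t[3], [])
            elif t[0] == "access-list" and len(t) > 3 and t[3] == "ip":
                cfg["acls"].setdefault(t[1], []).append(_parse_ace(t[2:]))
            elif t[:2] == ["crypto", "map"] and "ipsec-isakmp" in t:
                block = ("crypto", f"{t[2]} {t[3]}")
            elif t[0] == "route-map":
                block = ("rmap", t[1])
                cfg["route_maps"].setdefault(t[1], [])
            elif t[:4] == ["ip", "nat", "inside", "source"] and "route-map" in t:
                cfg["nat_route_map"] = t[t.index("route-map") + 1]
        elif block:
            kind, name = block
            if kind == "acl" and t[0] in ("permit", "deny") and t[1] == "ip":
                cfg["acls"][name].append(_parse_ace(t))
            elif kind == "crypto" and t[:2] == ["match", "address"]:
                cfg["crypto_acls"][name] = t[2]
            elif kind == "rmap" and t[:3] == ["match", "ip", "address"]:
                cfg["route_maps"][name].extend(t[3:])
    return cfg


def audit(text):
    """Return human-readable findings; an empty list means the checks passed."""
    cfg = parse_config(text)
    findings = []
    nat_acl = []                     # NAT-exemption ACL entries, in first-match order
    for acl_name in cfg["route_maps"].get(cfg["nat_route_map"], []):
        nat_acl.extend(cfg["acls"].get(acl_name, []))
    for cmap, acl_name in cfg["crypto_acls"].items():
        for ace in cfg["acls"].get(acl_name, []):
            if ace.action != "permit":
                continue
            # The first NAT ACL entry covering this flow decides whether it is translated.
            translated = next((e.action == "permit" for e in nat_acl
                               if ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst)), False)
            if translated:
                findings.append(f"crypto map {cmap}: {ace.src} -> {ace.dst} (ACL {acl_name}) hits a "
                                f"permit in the NAT ACL first, so it is translated before the crypto "
                                f"map sees it; add a deny for it ahead of that permit")
    for line in cfg["type7"]:
        findings.append(f"reversible type 7 password '{line}'; use 'secret' forms instead")
    return findings


# Constructed sample in the shape of the question's config (documentation ranges, not real sites).
GOOD_CONFIG = """\
crypto map FirstStep 1 ipsec-isakmp
 set peer 203.0.113.10
 match address 110
!
interface FastEthernet0/1
 ip nat outside
 crypto map FirstStep
!
ip nat inside source route-map NONAT_NAT interface FastEthernet0/1 overload
!
ip access-list extended nonat_nat
 remark No NAT local network to remote vpn network
 deny ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
 remark NAT local network to Internet
 permit ip 192.0.2.0 0.0.0.255 any
!
access-list 110 permit ip 192.0.2.0 0.0.0.255 198.51.100.0 0.0.0.255
!
route-map NONAT_NAT permit 1
 match ip address nonat_nat
"""

# Same config with a typo in the exemption (198.51.101.0) plus a type 7 line (placeholder string).
BAD_CONFIG = GOOD_CONFIG.replace("198.51.100.0 0.0.0.255\n remark NAT",
                                 "198.51.101.0 0.0.0.255\n remark NAT") + """\
line vty 0 4
 password 7 PLACEHOLDER7STRING
 login
"""

if __name__ == "__main__":
    for name, cfg_text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit(cfg_text) or ["no findings"])
```

Run against the real config the check is only meaningful once the elided subnets are filled in; the subset test used for "covers this flow" is a first-match approximation that is exact for the whole-subnet entries a site-to-site crypto ACL normally contains.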
