Easy VPN Set-up on Cisco 1841

stasila2010
Can someone please help me with my config? I have set up Easy VPN and my VPN clients are receiving an IP address, but they cannot ping any devices or access any of the internal resources (network shares, RDP, application servers, etc.). Any help would be highly appreciated.
Here is my config.


Building configuration...

Current configuration : 2068 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
warm-reboot
boot-end-marker
!
!
no aaa new-model
ip cef
!
!
!
!
ip name-server 206.191.x.140
ip name-server 10.1.1.3
!
multilink bundle-name authenticated
!
!
!
!
username mike password 0 test

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp policy 11
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group StorageGroup
 key test
 dns 10.1.1.3 10.1.1.11
 wins 10.1.1.3 10.1.1.11
 domain domain
 pool pool100
 acl SplitTunnel
 save-password
 netmask 255.255.255.0
!
!
crypto ipsec transform-set aessha esp-aes esp-sha-hmac
crypto ipsec transform-set 168sha esp-3des esp-sha-hmac
crypto ipsec transform-set 56md5 esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set aessha
 reverse-route
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list StorageGroup
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface FastEthernet0/0
 ip address 10.1.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 173.206.x.11 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map vpnmap
!
interface Serial0/0/0
 no ip address
 shutdown
!
ip local pool pool100 10.1.2.200 10.1.2.240
ip route 0.0.0.0 0.0.0.0 173.206.x.9
!
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface FastEthernet0/1 overload
!
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
!
access-list 100 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
!
!
route-map nonat permit 10
 match ip address VPN-traffic


sh ip route
Gateway of last resort is 173.206.x.9 to network 0.0.0.0

     173.206.0.0/29 is subnetted, 1 subnets
C       173.206.x.8 is directly connected, FastEthernet0/1
     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.1.1.0/24 is directly connected, FastEthernet0/0
S       10.1.2.200/32 [1/0] via 67.212.13.26
S*   0.0.0.0/0 [1/0] via 173.206.x.9


Router#sh cryp ip sa

interface: FastEthernet0/1
    Crypto map tag: vpnmap, local addr 173.206.x.11

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
   current_peer 67.212.13.26 port 61277
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 173.206.x.11, remote crypto endpt.: 67.212.13.26
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/1
     current outbound spi: 0xBB412AC8(3141610184)

     inbound esp sas:
      spi: 0x39F28194(972194196)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2001, flow_id: FPGA:1, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4583849/3264)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xBB412AC8(3141610184)
        transform: esp-aes esp-sha-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2002, flow_id: FPGA:2, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4583862/3255)
        IV size: 16 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:



Network Architect
Commented:
I don't see any routing with the 10.1.2.x subnet.  Do devices on the inside know where that subnet is located?  Also don't see the VPN-traffic ACL referenced in the route-map.  Is that now ACL 100?

Author

Commented:
Do devices on the inside know where that subnet is located? Thank you for that question :-) I have 2 routers on the same subnet. routerA is where my LAN devices are connected, and routerB, with the config above, was for testing the VPN connection. I was trying to PING devices which are connected to routerA. It's all working now.

Thank you.
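
The two symptoms raised in this thread (a route-map matching on an ACL that is never defined, and an IPsec SA that decrypts client packets but never encrypts a reply) can be checked mechanically. The following is an added example, not part of the original thread: a Python sketch run over excerpts of the config and "sh cryp ip sa" output posted above. The function names are illustrative, and the parsing assumes every "match ip address" line belongs to a route-map and names ACLs.

```python
import re

# Excerpts copied from the configuration and "sh cryp ip sa" output posted above.
CONFIG = """\
ip nat inside source route-map nonat interface FastEthernet0/1 overload
ip access-list extended SplitTunnel
 permit ip 10.1.1.0 0.0.0.255 any
access-list 100 deny   ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 100 permit ip 10.1.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address VPN-traffic
"""

SHOW_SA = """\
   remote ident (addr/mask/prot/port): (10.1.2.200/255.255.255.255/0/0)
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 76, #pkts decrypt: 76, #pkts verify: 76
"""

def undefined_route_map_acls(config):
    """Return ACL names/numbers a route-map matches on but the config never defines."""
    defined = set(re.findall(r"^ip access-list \S+ (\S+)", config, re.M))
    defined |= set(re.findall(r"^access-list (\d+) ", config, re.M))
    missing = []
    for line in config.splitlines():
        m = re.match(r"\s+match ip address (.+)", line)
        if m:
            missing += [n for n in m.group(1).split()
                        if n not in defined and n not in missing]
    return missing

def one_way_sas(show_output):
    """Return (remote, encaps, decaps) for SAs that decrypt traffic but never encrypt any."""
    findings, remote, encaps = [], None, None
    for line in show_output.splitlines():
        if m := re.search(r"remote ident.*?\(([\d.]+)/", line):
            remote = m.group(1)
        elif m := re.search(r"#pkts encaps: (\d+)", line):
            encaps = int(m.group(1))
        elif m := re.search(r"#pkts decaps: (\d+)", line):
            decaps = int(m.group(1))
            if encaps == 0 and decaps > 0:
                findings.append((remote, encaps, decaps))
    return findings

if __name__ == "__main__":
    print("route-map ACLs not defined:", undefined_route_map_acls(CONFIG))
    for remote, enc, dec in one_way_sas(SHOW_SA):
        print(f"{remote}: {dec} decaps, {enc} encaps -> no return traffic reaches the tunnel")
```

A decaps count that climbs while encaps stays at zero means the client's packets arrive and are decrypted, but replies from the inside hosts never come back through this router, which matches the missing return route identified in the thread.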
