Cisco client VPN, issues

Posted on 2014-09-22
Medium Priority
Last Modified: 2014-11-04
I am able to successfully connect to the Cisco 2811 using the VPN client, but I am unable to ping the remote network.

Need some help with this.

Question by:pajkico

Assisted Solution

by:Soufiane Adil, Ph.D
Soufiane Adil, Ph.D earned 750 total points
ID: 40338089

- Are you trying to ping from the 2811 router?
- Are you using MPLS VPN technology?
- Can you issue show ip route and post the result?


Author Comment

ID: 40338425
I am trying to ping from the computer that has the Cisco VPN client installed and is connected to the main office where the 2811 router is. I already have a site-to-site VPN established with another branch office, and it is working (pings work from both sides).

I am not using MPLS as far as I know.

This is the configuration:

aaa new-model
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authorization network vpn_group_ml_1 local
aaa session-id common
memory-size iomem 15
dot11 syslog
ip source-route
ip cef
ip domain name xxxxxxxxxx
no ipv6 cef
multilink bundle-name authenticated
voice-card 0
license udi pid CISCO2811 sn xxxxxxxx
 log config
username xxxxxxx privilege 15 secret 4 k/n6IDqfigaeInoSc2oPHB0aBm.F9T08zVCXHLqPOGk
username xxxxxx privilege 15 password 0 xxxxxxx
username xxxxx privilege 15 password 0 xxxxxxx
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address AAA.BBB.CCC.DDD (branch office)
crypto isakmp nat keepalive 20
crypto isakmp client configuration group CLIENT
 domain XXXXXXXXXX.local
 pool VPN-Pool
 acl 120
crypto isakmp profile vpn-ike-profile-1
   match identity group CLIENT
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 2
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
 set isakmp-profile vpn-ike-profile-1
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to BRANCH-OFFICE
 set peer AAA.BBB.CCC.DDD
 set transform-set ESP-3DES-SHA
 match address 100
interface FastEthernet0/0
 description $ETH-WAN$
 ip address X.X.X.X
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
interface FastEthernet0/1
 description $ETH-LAN$
 ip address
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
ip local pool VPN-Pool
ip forward-protocol nd
ip http server
ip http access-class 6
ip http authentication local
ip http secure-server
ip http secure-port xxxx
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip route X.X.X.X
ip route
ip route
ip route
ip route
ip route
ip access-list extended aclin
 permit udp any eq isakmp host WAN-IP eq isakmp
 permit udp any host WAN-IP eq isakmp
 permit udp any host WAN-IP eq non500-isakmp
 permit udp any eq non500-isakmp host WAN-IP
 permit esp any host WAN-IP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
access-list 1 remark SDM_ACL Category=2
access-list 1 permit
access-list 4 permit
access-list 10 permit
access-list 12 permit x.x.x.x
access-list 12 permit
access-list 100 permit ip
access-list 101 permit ip any
access-list 101 permit ip host x.x.x.x any
access-list 102 deny   ip
access-list 102 deny   ip
access-list 102 permit ip any
access-list 120 permit ip
route-map SDM_RMAP_1 permit 1
 match ip address 102
mgcp profile default
line con 0
line aux 0
line vty 0 4
 access-class 12 in
 privilege level 15
 password xxxxxxxx
 transport input telnet ssh
scheduler allocate 20000 1000


So, here I can ping the branch office network (between sites), but not the main office network.
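The posted configuration is a standard IOS Easy VPN server (an ISAKMP client group with a pool and a split-tunnel ACL, terminated on a DVTI via Virtual-Template2) next to a crypto-map site-to-site tunnel. When a client connects but cannot reach the LAN, the first things to check in the config itself are that the pool named in the client group actually exists and does not overlap the LAN, and that the split-tunnel ACL covers the subnet on the `ip nat inside` interface; a reviewer would also note that the settings visible above (3DES, MD5, DH group 2, Telnet on the vty lines, type 0 passwords and a type 4 secret) are weak by current standards. The checker below is an added example, not code from this thread or from Cisco. Its sample config mirrors the shape of the one above, but every address in it is an assumed value (the real ones are redacted) and the split-tunnel mismatch is planted on purpose.

```python
"""Static checks for the client-VPN (Easy VPN) path in a Cisco IOS config.
Added example for this thread (not code from the thread or from Cisco); all
addresses in SAMPLE_CONFIG are assumed values and its faults are planted."""
import ipaddress
import re

SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp client configuration group CLIENT
 pool VPN-Pool
 acl 120
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
interface FastEthernet0/1
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
ip local pool VPN-Pool 10.99.0.1 10.99.0.50
access-list 120 permit ip 192.168.20.0 0.0.0.255 any
username admin privilege 15 secret 4 AAAA
username backup privilege 15 password 0 changeme
line vty 0 4
 transport input telnet ssh
"""

# Settings a reviewer flags on sight, matched line by line: (regex, message).
WEAK = [
    (r"^encr 3des$", "ISAKMP policy uses 3DES"),
    (r"^hash md5$", "ISAKMP policy uses MD5"),
    (r"^group [12]$", "ISAKMP policy uses DH group 1 or 2"),
    (r"^crypto ipsec transform-set .*esp-3des", "IPsec transform set uses 3DES"),
    (r"^transport input .*telnet", "vty line accepts Telnet"),
    (r"^username \S+ .*password 0 ", "type 0 (cleartext) user password"),
    (r"^username \S+ .*secret 4 ", "type 4 secret (deprecated by Cisco)"),
]

def _blocks(config):
    """Yield (header, [stripped indented lines]) per top-level IOS stanza."""
    header, body = None, []
    for raw in config.splitlines():
        if raw.startswith(" ") and header is not None:
            body.append(raw.strip())
        elif raw.strip():
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
    if header is not None:
        yield header, body

def wildcard_net(addr, wildcard):
    """'192.168.20.0', '0.0.0.255' -> 192.168.20.0/24 (IOS wildcard = inverted netmask)."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard " + wildcard)
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse(config):
    """Collect LAN subnets, pools, client groups, split-tunnel ACLs and weak lines."""
    facts = {"lan": [], "pools": {}, "groups": {}, "acls": {}, "weak": []}
    for header, body in _blocks(config):
        words = header.split()
        if words[0] == "interface" and "ip nat inside" in body:
            for line in body:
                m = re.match(r"ip address (\S+) (\S+)$", line)
                if m:
                    facts["lan"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
        elif header.startswith("ip local pool ") and len(words) == 6:
            facts["pools"][words[3]] = tuple(ipaddress.IPv4Address(w) for w in words[4:])
        elif header.startswith("crypto isakmp client configuration group "):
            facts["groups"][words[-1]] = dict(l.split(" ", 1) for l in body if " " in l)
        else:  # only the 'permit ip NET WILDCARD ...' source form is parsed
            m = re.match(r"access-list (\d+) permit ip (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) ", header)
            if m:
                facts["acls"].setdefault(m[1], []).append(wildcard_net(m[2], m[3]))
        for line in [header] + body:
            facts["weak"] += [f"{msg}: {line!r}" for pat, msg in WEAK if re.search(pat, line)]
    return facts

def audit(config):
    """Return (code, message) findings: reachability checks per client group, then weak settings."""
    facts, findings = parse(config), []
    for name, group in facts["groups"].items():
        pool = facts["pools"].get(group.get("pool"))
        if pool is None:
            findings.append(("POOL_MISSING", f"group {name}: pool {group.get('pool')} not defined"))
            continue
        pool_nets = list(ipaddress.summarize_address_range(*pool))
        for lan in facts["lan"]:
            if any(p.overlaps(lan) for p in pool_nets):
                findings.append(("POOL_OVERLAPS_LAN", f"group {name}: pool overlaps LAN {lan}"))
            if "acl" in group and not any(lan.subnet_of(n) for n in facts["acls"].get(group["acl"], [])):
                findings.append(("SPLIT_TUNNEL_MISSES_LAN", f"group {name}: ACL {group['acl']} "
                                 f"does not cover LAN {lan}; clients route it outside the tunnel"))
    return findings + [("WEAK_SETTING", msg) for msg in facts["weak"]]

if __name__ == "__main__":
    for code, message in audit(SAMPLE_CONFIG):
        print(f"{code:24} {message}")
```

Run it as a script to list the findings for the sample, or pass a `show running-config` dump to `audit()` for a real box. NAT is deliberately left out of the checks: in the posted config Virtual-Template2 carries no `ip nat outside`, so traffic leaving through Virtual-Access2 should not be subject to the `SDM_RMAP_1` route-map, unlike the crypto-map tunnel on FastEthernet0/0.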



Author Comment

ID: 40340671
OK, here's the output of the show ip route command:

R2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is "gateway" to network

S* [1/0] via "gateway"
   is variably subnetted, 2 subnets, 2 masks
C        x.x.x.x/29 is directly connected, FastEthernet0/0
L        x.x.x.x/32 is directly connected, FastEthernet0/0
   is subnetted, 1 subnets
S [1/0] via
S [1/0] via
   is subnetted, 1 subnets
S is directly connected, Virtual-Access2
   is variably subnetted, 2 subnets, 2 masks
C is directly connected, FastEthernet0/1
L is directly connected, FastEthernet0/1
   is subnetted, 1 subnets
S [1/0] via
   is subnetted, 1 subnets
S [1/0] via
   is subnetted, 1 subnets
S [1/0] via

I am also able to ping the inside router interface on the remote site.



Accepted Solution

Dale McKay earned 750 total points
ID: 40414857
Does the far side have a route to get back to your local network? Does the far end know about the local end in terms of networks and routes?
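The check behind this answer is asymmetric routing: the client's packet rides the tunnel to the LAN host, but the reply only comes back if the host (or whatever gateway it uses) forwards the VPN pool to the 2811, and the 2811 then routes it into Virtual-Access2 rather than out FastEthernet0/0. The script below is an added example, not part of the thread, that traces such a reply with longest-prefix matching over constructed routing tables in the shape of the `sh ip route` output posted above; every address in it is an assumed value. Two ways it goes wrong are built in: a LAN host whose default gateway is a different firewall with no route for the pool, and a router table from which the pool route on Virtual-Access2 is missing.

```python
"""Reply-path trace from a LAN host to a VPN client address (longest-prefix match).
Added example for the answer above, not code from the thread; the tables are
constructed in the shape of the posted 'sh ip route' and every address is assumed."""
import ipaddress

# (prefix, next hop or None if directly connected, outgoing interface)
ROUTER = [                                    # the VPN router, LAN address 192.168.10.1
    ("0.0.0.0/0", "203.0.113.1", "FastEthernet0/0"),
    ("203.0.113.0/29", None, "FastEthernet0/0"),
    ("192.168.10.0/24", None, "FastEthernet0/1"),
    ("10.99.0.0/24", None, "Virtual-Access2"),                # client pool via the DVTI
    ("192.168.30.0/24", "203.0.113.1", "FastEthernet0/0"),    # branch LAN, crypto map on F0/0
]
FIREWALL = [                                  # a second gateway on the LAN, 192.168.10.254
    ("0.0.0.0/0", "198.51.100.1", "wan0"),
    ("192.168.10.0/24", None, "lan0"),
]
DEVICES = {"192.168.10.1": ROUTER, "192.168.10.254": FIREWALL}
HOST_VIA_ROUTER = [("0.0.0.0/0", "192.168.10.1", "eth0"), ("192.168.10.0/24", None, "eth0")]
HOST_VIA_FIREWALL = [("0.0.0.0/0", "192.168.10.254", "eth0"), ("192.168.10.0/24", None, "eth0")]

def lookup(table, dst):
    """Longest-prefix match: (network, next_hop, iface) for dst, or None if no route."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best

def trace_reply(host_table, devices, dst, max_hops=8):
    """Follow a reply to dst from the host through every gateway we have a table for.
    Returns (hops, egress): egress is the interface the packet finally leaves on,
    or None if some device had no route (or the trace ran past max_hops)."""
    hops, table = [], host_table
    for _ in range(max_hops):
        hit = lookup(table, dst)
        if hit is None:
            return hops, None
        net, next_hop, iface = hit
        hops.append((str(net), next_hop, iface))
        if next_hop is None or next_hop not in devices:
            return hops, iface      # connected delivery, or a gateway outside our model
        table = devices[next_hop]
    return hops, None

def reply_reaches_tunnel(host_table, devices, dst, tunnel_iface="Virtual-Access2"):
    """True only if the LAN host's reply ends up on the VPN router's DVTI."""
    return trace_reply(host_table, devices, dst)[1] == tunnel_iface

if __name__ == "__main__":
    client = "10.99.0.7"   # assumed address handed out from VPN-Pool
    for label, host in (("default gw = VPN router", HOST_VIA_ROUTER),
                        ("default gw = other firewall", HOST_VIA_FIREWALL)):
        hops, egress = trace_reply(host, DEVICES, client)
        print(f"{label}: {' -> '.join(h[2] for h in hops)}; egress {egress}; "
              f"reaches tunnel: {reply_reaches_tunnel(host, DEVICES, client)}")
```

On a real setup the same two questions are `show ip route <pool address>` on the 2811 (it should answer Virtual-Access2 while the client is connected, as the posted table shows) and the route table of the LAN host or of its default gateway; if the LAN's default gateway is not the 2811, that device needs a static route for the pool pointing at the 2811's inside address.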
