Solved

Cisco client VPN, issues

Posted on 2014-09-22
Last Modified: 2014-11-04
I am able to successfully connect to the Cisco 2811 using the client VPN, but I am unable to ping the remote network.

Need some help with this.
Regards,

Oljeg
Question by:pajkico
4 Comments

Assisted Solution

by:Soufiane Adil, Ph.D
Soufiane Adil, Ph.D earned 250 total points
ID: 40338089
Hi

- Are you trying to ping from the Router 2811?
- Are you using MPLS VPN technology?
- Can you issue show ip route and post the result?

Sou

Author Comment

by:pajkico
ID: 40338425
I am trying to ping from the computer that has the Cisco VPN client installed and is connected to the main office, where the 2811 router is. I already have a site-to-site VPN established with another branch office, and it is working (pings work from both sides).

I am not using MPLS as far as I know.

This is the configuration:

aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name xxxxxxxxxx
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid CISCO2811 sn xxxxxxxx
archive
 log config
  hidekeys
username xxxxxxx privilege 15 secret 4 k/n6IDqfigaeInoSc2oPHB0aBm.F9T08zVCXHLqPOGk
username xxxxxx privilege 15 password 0 xxxxxxx
username xxxxx privilege 15 password 0 xxxxxxx
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address AAA.BBB.CCC.DDD (branch office)
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group CLIENT
 key XXXXXXXX
 dns 192.168.130.9
 domain XXXXXXXXXX.local
 pool VPN-Pool
 acl 120
crypto isakmp profile vpn-ike-profile-1
   match identity group CLIENT
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
 set isakmp-profile vpn-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to BRANCH-OFFICE
 set peer AAA.BBB.CCC.DDD
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address X.X.X.X 255.255.255.248
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.130.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-Pool 192.168.3.10 192.168.3.50
ip forward-protocol nd
ip http server
ip http access-class 6
ip http authentication local
ip http secure-server
ip http secure-port xxxx
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 172.30.249.0 255.255.255.0 192.168.130.30
ip route 192.110.68.0 255.255.255.0 192.168.130.30
ip route 206.22.219.48 255.255.255.240 192.168.130.30
ip route 206.22.232.64 255.255.255.240 192.168.130.30
ip route 207.186.244.192 255.255.255.192 192.168.130.30
!
ip access-list extended aclin
 permit udp any eq isakmp host WAN-IP eq isakmp
 permit udp any host WAN-IP eq isakmp
 permit udp any host WAN-IP eq non500-isakmp
 permit udp any eq non500-isakmp host WAN-IP
 permit esp any host WAN-IP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.130.0 0.0.0.255
access-list 4 permit 192.168.130.0 0.0.0.255
access-list 10 permit 192.168.130.0 0.0.0.255
access-list 12 permit x.x.x.x
access-list 12 permit 192.168.130.0 0.0.0.255
access-list 100 permit ip 192.168.130.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip host x.x.x.x any
access-list 102 deny   ip 192.168.130.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 deny   ip 192.168.130.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.130.0 0.0.0.255 any
access-list 120 permit ip 192.168.130.0 0.0.0.255 192.168.3.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
control-plane
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 access-class 12 in
 privilege level 15
 password xxxxxxxx
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

R2811#

So, from here I can ping the branch office network 192.168.16.0 (site to site), but not the main office network 192.168.130.0.

Thanks,

Oljeg

Author Comment

by:pajkico
ID: 40340671
Ok, here's the show ip route output:

R2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is "gateway" to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via "gateway"
      68.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        x.x.x.x/29 is directly connected, FastEthernet0/0
L        x.x.x.x/32 is directly connected, FastEthernet0/0
      172.30.0.0/24 is subnetted, 1 subnets
S        172.30.249.0 [1/0] via 192.168.130.30
S     192.110.68.0/24 [1/0] via 192.168.130.30
      192.168.3.0/32 is subnetted, 1 subnets
S        192.168.3.12 is directly connected, Virtual-Access2
      192.168.130.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.130.0/24 is directly connected, FastEthernet0/1
L        192.168.130.3/32 is directly connected, FastEthernet0/1
      206.22.219.0/28 is subnetted, 1 subnets
S        206.22.219.48 [1/0] via 192.168.130.30
      206.22.232.0/28 is subnetted, 1 subnets
S        206.22.232.64 [1/0] via 192.168.130.30
      207.186.244.0/26 is subnetted, 1 subnets
S        207.186.244.192 [1/0] via 192.168.130.30
R2811#

I am also able to ping the inside router interface on the remote site.

Regards,

Oljeg

Accepted Solution

by: Dale McKay (earned 250 total points)
ID: 40414857
Does the far side have a route to get back to your local network? Does the far end know about the local end in terms of networks and routes?
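An added example, not code from anyone in this thread: it parses a constructed excerpt of the show ip route output posted above and answers, by longest-prefix match, whether a given destination is reached through the Virtual-Access tunnel interface, which is the return-route question the accepted answer raises. Assumed values: the 203.0.113.1 WAN next hop is a placeholder, and only Python's standard library is used.

```python
import ipaddress
import re

# Constructed excerpt of the thread's "show ip route"; 203.0.113.1 is a placeholder WAN hop.
SHOW_IP_ROUTE = """\
S*    0.0.0.0/0 [1/0] via 203.0.113.1
      172.30.0.0/24 is subnetted, 1 subnets
S        172.30.249.0 [1/0] via 192.168.130.30
S     192.110.68.0/24 [1/0] via 192.168.130.30
      192.168.3.0/32 is subnetted, 1 subnets
S        192.168.3.12 is directly connected, Virtual-Access2
      192.168.130.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.130.0/24 is directly connected, FastEthernet0/1
L        192.168.130.3/32 is directly connected, FastEthernet0/1
"""

# An "is subnetted" header carries the mask its indented entries omit; "variably subnetted" entries print their own.
GROUP_RE = re.compile(r"^\s+\S+/(\d+) is (?:variably )?subnetted")
ROUTE_RE = re.compile(r"^(\S+)\s+(\d+(?:\.\d+){3})(?:/(\d+))?\s+(.*)$")


def parse_routes(text):
    """Return (network, code, next hop or egress interface) tuples."""
    routes, group_len = [], None
    for line in text.splitlines():
        g = GROUP_RE.match(line)
        if g:
            group_len = int(g.group(1))
            continue
        m = ROUTE_RE.match(line)
        if not m:
            continue
        code, addr, plen, rest = m.groups()
        plen = int(plen) if plen is not None else group_len
        if plen is None:
            continue  # entry with no mask information; skip it
        hop = re.search(r"(?:via|connected,) (\S+)", rest)
        net = ipaddress.ip_network(f"{addr}/{plen}", strict=False)
        routes.append((net, code, hop.group(1) if hop else None))
    return routes


def lookup(routes, dst):
    """Longest-prefix match: the route a packet for dst would follow."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in routes if ip in r[0]]
    return max(hits, key=lambda r: r[0].prefixlen, default=None)


def returns_via_tunnel(routes, dst):
    """True only when dst is reached through a Virtual-Access (IPsec) interface."""
    r = lookup(routes, dst)
    return r is not None and r[2] is not None and r[2].startswith("Virtual-Access")
```

On the hub only the connected client's /32 (192.168.3.12) is tunnelled; every other pool address falls through to the default route. If LAN hosts use 192.168.130.30 rather than this router as their gateway, that device needs its own route for 192.168.3.0/24 pointing at 192.168.130.3, which the same lookup run over its table would confirm.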
