Cisco client VPN, issues

I am able to successfully connect to the Cisco 2811 using client VPN, but I am unable to ping the remote network.

Need some help with this.
Regards,

Oljeg
pajkico (President) Asked:

Soufiane Adil, Ph.D (IT, Network Architect - CCNP/CCDP) Commented:
Hi

- Are you trying to ping from the Router 2811?
- Are you using MPLS VPN technology?
- Can you issue show ip route and post the result?

Sou
pajkico (President) Author Commented:
I am trying to ping from the computer that has the Cisco client VPN installed and is connected to the main office where the 2811 router is. I already have a site-to-site VPN established with another branch office, and it is working (pings both sides).

I am not using MPLS as far as I know.

This is the configuration:

aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authorization network vpn_group_ml_1 local
!
aaa session-id common
!
memory-size iomem 15
!
dot11 syslog
ip source-route
!
ip cef
!
ip domain name xxxxxxxxxx
no ipv6 cef
!
multilink bundle-name authenticated
!
voice-card 0
!
license udi pid CISCO2811 sn xxxxxxxx
archive
 log config
  hidekeys
username xxxxxxx privilege 15 secret 4 k/n6IDqfigaeInoSc2oPHB0aBm.F9T08zVCXHLqPOGk
username xxxxxx privilege 15 password 0 xxxxxxx
username xxxxx privilege 15 password 0 xxxxxxx
!
redundancy
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address AAA.BBB.CCC.DDD (branch office)
crypto isakmp nat keepalive 20
!
crypto isakmp client configuration group CLIENT
 key XXXXXXXX
 dns 192.168.130.9
 domain XXXXXXXXXX.local
 pool VPN-Pool
 acl 120
crypto isakmp profile vpn-ike-profile-1
   match identity group CLIENT
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address initiate
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
 set isakmp-profile vpn-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to BRANCH-OFFICE
 set peer AAA.BBB.CCC.DDD
 set transform-set ESP-3DES-SHA
 match address 100
!
interface FastEthernet0/0
 description $ETH-WAN$
 ip address X.X.X.X 255.255.255.248
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
interface FastEthernet0/1
 description $ETH-LAN$
 ip address 192.168.130.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
 no mop enabled
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
ip local pool VPN-Pool 192.168.3.10 192.168.3.50
ip forward-protocol nd
ip http server
ip http access-class 6
ip http authentication local
ip http secure-server
ip http secure-port xxxx
!
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 X.X.X.X
ip route 172.30.249.0 255.255.255.0 192.168.130.30
ip route 192.110.68.0 255.255.255.0 192.168.130.30
ip route 206.22.219.48 255.255.255.240 192.168.130.30
ip route 206.22.232.64 255.255.255.240 192.168.130.30
ip route 207.186.244.192 255.255.255.192 192.168.130.30
!
ip access-list extended aclin
 permit udp any eq isakmp host WAN-IP eq isakmp
 permit udp any host WAN-IP eq isakmp
 permit udp any host WAN-IP eq non500-isakmp
 permit udp any eq non500-isakmp host WAN-IP
 permit esp any host WAN-IP
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.130.0 0.0.0.255
access-list 4 permit 192.168.130.0 0.0.0.255
access-list 10 permit 192.168.130.0 0.0.0.255
access-list 12 permit x.x.x.x
access-list 12 permit 192.168.130.0 0.0.0.255
access-list 100 permit ip 192.168.130.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip host x.x.x.x any
access-list 102 deny   ip 192.168.130.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 deny   ip 192.168.130.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.130.0 0.0.0.255 any
access-list 120 permit ip 192.168.130.0 0.0.0.255 192.168.3.0 0.0.0.255
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
control-plane
!
mgcp profile default
!
line con 0
line aux 0
line vty 0 4
 access-class 12 in
 privilege level 15
 password xxxxxxxx
 transport input telnet ssh
!
scheduler allocate 20000 1000
end

R2811#

So, here I can ping the branch office 192.168.16.0 network (between sites), but not the 192.168.130.0 main office network.

Thanks,

Oljeg
pajkico (President) Author Commented:
Ok, here's a show ip route command:

R2811#sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       + - replicated route, % - next hop override

Gateway of last resort is "gateway" to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via "gateway"
      68.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        x.x.x.x/29 is directly connected, FastEthernet0/0
L        x.x.x.x/32 is directly connected, FastEthernet0/0
      172.30.0.0/24 is subnetted, 1 subnets
S        172.30.249.0 [1/0] via 192.168.130.30
S     192.110.68.0/24 [1/0] via 192.168.130.30
      192.168.3.0/32 is subnetted, 1 subnets
S        192.168.3.12 is directly connected, Virtual-Access2
      192.168.130.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.130.0/24 is directly connected, FastEthernet0/1
L        192.168.130.3/32 is directly connected, FastEthernet0/1
      206.22.219.0/28 is subnetted, 1 subnets
S        206.22.219.48 [1/0] via 192.168.130.30
      206.22.232.0/28 is subnetted, 1 subnets
S        206.22.232.64 [1/0] via 192.168.130.30
      207.186.244.0/26 is subnetted, 1 subnets
S        207.186.244.192 [1/0] via 192.168.130.30
R2811#

I am also able to ping the inside router interface on the remote site.

Regards,

Oljeg
Dale McKay (Global Principal Architect) Commented:
Does the far side have a route to get back to your local network? Does the far end know about the local end in terms of networks and routes?
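
Added example, not part of the original thread: a Python check of the router-side return path raised above, run over lines copied from the posted configuration. It tests whether traffic from the main-office LAN to the VPN pool is exempt from NAT (ACL 102) and covered by the split-tunnel ACL 120. The helper names and the use of 192.168.130.9 (the DNS server in the post) as the test LAN host are assumptions; routes on the LAN hosts themselves are not on the page and are not checked.

```python
import ipaddress
import re

# Lines copied from the configuration posted above (pool, NAT ACL 102, split-tunnel ACL 120).
CONFIG = """\
ip local pool VPN-Pool 192.168.3.10 192.168.3.50
access-list 102 deny   ip 192.168.130.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 102 deny   ip 192.168.130.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 102 permit ip 192.168.130.0 0.0.0.255 any
access-list 120 permit ip 192.168.130.0 0.0.0.255 192.168.3.0 0.0.0.255
"""

def _net(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only)."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    inverted = int(ipaddress.ip_address(tokens.pop(0))) ^ 0xFFFFFFFF  # wildcard -> netmask
    return ipaddress.ip_network(f"{first}/{ipaddress.ip_address(inverted)}")

def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in config order."""
    acls = {}
    pattern = r"^access-list (\d+) (permit|deny)\s+ip (.+)$"
    for num, action, rest in re.findall(pattern, text, re.M):
        tokens = rest.split()
        acls.setdefault(int(num), []).append((action, _net(tokens), _net(tokens)))
    return acls

def first_match(entries, src, dst):
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:  # IOS evaluates entries top-down
        if s in src_net and d in dst_net:
            return action
    return "deny"  # implicit deny when nothing matches

def pool_addresses(text):
    m = re.search(r"^ip local pool \S+ (\S+) (\S+)$", text, re.M)
    lo, hi = (int(ipaddress.ip_address(a)) for a in m.groups())
    return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]

def audit(text, lan_host="192.168.130.9"):  # default: the DNS server named in the post
    """deny in NAT ACL 102 = reply not translated; permit in ACL 120 = sent via tunnel."""
    acls, pool = parse_acls(text), pool_addresses(text)
    return {
        "nat_exempt": all(first_match(acls[102], lan_host, c) == "deny" for c in pool),
        "split_tunnel": all(first_match(acls[120], lan_host, c) == "permit" for c in pool),
    }
```

Both checks return True for the posted lines, so what remains to verify is the part the configuration cannot show: whether hosts on 192.168.130.0/24 send replies for 192.168.3.0/24 back through 192.168.130.3.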
Question has a verified solution.