
Cisco 3002 VPN to Cisco 1800 router

Status
Not open for further replies.

goverd
ISP
Mar 1, 2006
Sorry for double posting, I should have put it in this section instead. Here goes:

I'm really getting frustrated at this thing. My software VPN clients connect just fine (to a Cisco 1800), but the Cisco 3002 hardware VPN can only ping stuff on the internet and can't ping anything on the local subnet (LANs on the 1800). The VPN tunnel is up, so it's not a problem in IPsec/ISAKMP.
I would really appreciate help from you guys.
Here's what the remote site looks like (with the 3002):
internet <--> dsl modem (192.168.0.1) <--> (192.168.0.10) 3002 (192.168.209.1)

And the local site looks like:
internet <--> dsl modem (192.168.2.1) <--> (192.168.2.2) Cisco IOS router <--> LAN

The 3002 is configured for network extension mode with split tunneling (at least I think it is, that's if I did it properly).
Here's the config for the Cisco IOS router:
Building configuration...

Current configuration : 8640 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
no logging console
enable secret 5 --------
enable password ---------
!
aaa new-model
!
!
aaa authentication login ---- local
aaa authorization network --- local
!
aaa session-id common
!
resource policy
!
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.205.254
ip dhcp excluded-address 192.168.206.254
ip dhcp excluded-address 192.168.205.1
ip dhcp excluded-address 192.168.205.2
!
ip dhcp pool vlan205
import all
network 192.168.205.0 255.255.255.0
default-router 192.168.205.254
dns-server ------
!
ip dhcp pool vlan206
import all
network 192.168.206.0 255.255.255.0
default-router 192.168.206.254
dns-server -----------
!
!
no ip domain lookup
ip domain name -----
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect log drop-pkt
!
!
username ----- privilege 15 password 7 ---
username ------ password 0 --------
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 120 15
crypto isakmp client configuration address-pool local vlan208-2
!
crypto isakmp client configuration group ----
key ------
pool vlan208-2
acl 199
!
!
crypto ipsec transform-set thisset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set thisset
reverse-route
!
!
!
crypto map clientmap client authentication list --
crypto map clientmap isakmp authorization list --
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Loopback0
no ip address
!
interface FastEthernet0
description Link to SpeedStream5200
ip address 192.168.2.2 255.255.255.0
ip access-group ac1 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip nat enable
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no cdp enable
crypto map clientmap
!
interface FastEthernet1
description NOT_USED
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
description FastEthernet2
switchport access vlan 205
spanning-tree portfast
!
interface FastEthernet3
description FastEthernet3
switchport access vlan 205
spanning-tree portfast
!
interface FastEthernet4
description FastEthernet4
switchport access vlan 205
spanning-tree portfast
!
interface FastEthernet5
description FastEthernet5
switchport access vlan 205
spanning-tree portfast
!
interface FastEthernet6
description FastEthernet6
switchport access vlan 205
spanning-tree portfast
!
interface FastEthernet7
description FastEthernet7
switchport access vlan 205
no snmp trap link-status
spanning-tree portfast
!
interface FastEthernet8
description FastEthernet8
switchport access vlan 205
spanning-tree portfast
!
interface FastEthernet9
description FastEthernet9-HUB
switchport access vlan 205

!
interface Vlan1
no ip address
shutdown
!
interface Vlan205
description Inside Lan
ip address 192.168.205.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!

interface Async1
no ip address
encapsulation slip
!
ip local pool vlan208-2 192.168.208.5 192.168.208.10
ip default-gateway 192.168.2.1
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat pool vlan206-nat 192.168.2.2 192.168.2.2 netmask 255.255.255.0
ip nat pool vlan205-nat 192.168.2.2 192.168.2.2 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_3 pool vlan205-nat overload
ip nat inside source route-map SDM_RMAP_4 pool vlan206-nat
!
ip access-list extended ac1
permit udp any host 192.168.2.2 eq non500-isakmp
permit udp any host 192.168.2.2 eq isakmp
permit esp any host 192.168.2.2
permit ahp any host 192.168.2.2
deny tcp any any eq 161
deny udp any any eq snmp
deny tcp any any eq 445
deny udp any any eq 445
deny udp any any eq 23
deny tcp any any eq telnet
deny tcp any any eq 135
deny udp any any eq 135
deny udp any any eq netbios-ss
deny tcp any any eq 139
deny tcp any any eq ident
deny udp any any eq 113
permit ip any any
!
access-list 101 deny ip any 192.168.208.0 0.0.0.15
access-list 101 permit ip 192.168.205.0 0.0.0.255 any
access-list 104 deny ip any 192.168.208.0 0.0.0.15
access-list 104 permit ip 192.168.206.0 0.0.0.255 any
access-list 199 permit ip 192.168.205.0 0.0.0.255 192.168.208.0 0.0.0.255
snmp-server community ------ RO
!
!
!
route-map SDM_RMAP_4 permit 1
match ip address 104
!
route-map SDM_RMAP_3 permit 1
match ip address 101
!
!
!
!
control-plane
!
!
line con 0
.
.
.

PLEASE HELP !!
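Added example, not part of the poster's question or the original thread: a small check over the NAT route-map ACLs shown in the config above. On IOS, a flow that matches a `permit` line in a route-map NAT ACL is translated; a `deny` match or no match leaves it untranslated. The check parses the posted ACL lines (embedded here as constructed input) and reports which LAN-to-VPN flows would still be NATed, using the client pool 192.168.208.0/28 and the 3002's inside network 192.168.209.0/24 from the poster's diagram; the helper names are my own.

```python
import ipaddress

# Constructed sample input: the NAT route-map ACLs (101, 104) and split-tunnel ACL (199)
# copied from the posted router config.
CONFIG = """
access-list 101 deny ip any 192.168.208.0 0.0.0.15
access-list 101 permit ip 192.168.205.0 0.0.0.255 any
access-list 104 deny ip any 192.168.208.0 0.0.0.15
access-list 104 permit ip 192.168.206.0 0.0.0.255 any
access-list 199 permit ip 192.168.205.0 0.0.0.255 192.168.208.0 0.0.0.255
"""

def wildcard_to_net(addr, wildcard):
    """IOS 'address wildcard' -> ip_network; the wildcard is an inverted netmask."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def take_net(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_net(tokens[0], tokens[1]), tokens[2:]

def parse_acls(text):
    """Return {acl_id: [(action, src_net, dst_net), ...]} for 'access-list N ... ip ...' lines."""
    acls = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "access-list" or parts[3] != "ip":
            continue
        src, rest = take_net(parts[4:])
        dst, _ = take_net(rest)
        acls.setdefault(parts[1], []).append((parts[2], src, dst))
    return acls

def is_translated(acl, src, dst):
    """First-match evaluation: True only when the flow hits a 'permit' (NAT applied)."""
    s, d = ipaddress.ip_network(src), ipaddress.ip_network(dst)
    for action, snet, dnet in acl:
        if s.subnet_of(snet) and d.subnet_of(dnet):
            return action == "permit"
    return False  # implicit deny at the end of the ACL: no translation

def translated_vpn_flows(acls, nat_acl_ids, inside_nets, remote_nets):
    """List (acl_id, inside, remote) for LAN->VPN flows the NAT route-map would still translate."""
    return [(acl_id, inside, remote)
            for acl_id in nat_acl_ids for inside in inside_nets for remote in remote_nets
            if is_translated(acls[acl_id], inside, remote)]
```

Run `translated_vpn_flows(parse_acls(CONFIG), ["101", "104"], ["192.168.205.0/24", "192.168.206.0/24"], ["192.168.208.0/28", "192.168.209.0/24"])` to list the flows that are not exempted; an empty list means every VPN destination is covered by a `deny` line.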