
Cisco 871 VPN issue

Status
Not open for further replies.

hall5942

Vendor
May 7, 2002
377
US
I have an 871 and I'm trying to connect via VPN. The VPN connects, but I'm not able to ping any of the CPUs once it is connected. Any ideas?

Thanks
 
I'd say NAT, like the VPN nw is not excluded in the outgoing NAT ACL... post a config.

Burt
 

Username: admin
Password:

XYZ#sh run
Building configuration...

Current configuration : 7856 bytes
!
! Last configuration change at 12:53:27 PCTime Mon Mar 10 2008 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname XYZ
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$UTUN$/0DlSbq84LIZe94C41T7d1
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_v
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.10.1 192.168.10.50
ip dhcp excluded-address 192.168.10.99 192.168.10.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.10.0 255.255.255.0
dns-server 64.89.70.2 64.89.74.2
default-router 192.168.10.1
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name XYZ.com
ip name-server 64.89.70.2
ip name-server 64.89.74.2
ip ssh time-out 60
ip ssh authentic
!
!
crypto pki trustpoint TP-self-signed-4168189096
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4168189096
revocation-check none
rsakeypair TP-self-signed-4168189096
!
!
crypto pki certificate chain TP-self-signed-4168189096
certificate self-signed 01
quit
username admin privilege 15 secret 5 $1$Q3qo$NbhWOGkSVKhEJpud7gS/w1
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
authentication pre-share
group 2
!
crypto isakmp client configuration group XYZ
key vo11eyball
dns 64.89.70.2 64.89.74.2
wins 192.168.10.250
pool SDM_POOL_1
acl 100
include-local-lan
crypto isakmp profile sdm-ike-profile-1
match identity group XYZ
client authentication list sdm_vpn_xauth_ml_7
isakmp authorization list sdm_vpn_group_ml_8
client configuration address initiate
client configuration address respond
keepalive 3600 retry 2
virtual-template 8
!
!
crypto ipsec transform-set XYZ esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address 44.44.44.44 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface Virtual-Template8 type tunnel
ip unnumbered BVI1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
!
encryption key 1 size 40bit 7 89727E6F7534 transmit-key
encryption mode wep mandatory
!
ssid XYZ Inc
authentication shared eap eap_methods
guest-mode
wpa-psk ascii 7 122D561B411B040B242E
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 span
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 10.10.10.1 10.10.10.10
ip local pool SDM_POOL_2 11.11.11.1 11.11.11.250
ip classless
ip route 0.0.0.0 0.0.0.0 44.44.44.43
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.99 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.10.30 4030 interface FastEthernet4 4030
ip nat inside source static tcp 192.168.10.28 4031 interface FastEthernet4 4031
ip nat inside source static tcp 192.168.10.29 4029 interface FastEthernet4 4029
ip nat inside source static tcp 192.168.10.250 4027 interface FastEthernet4 4027
ip nat inside source static tcp 192.168
ip nat inside source static tcp 192.168.10.250 5763 interface FastEthernet4 5763
ip nat inside source static tcp 192.168.10.250 8081 interface FastEthernet4 8081
ip nat inside source static tcp 192.168.10.250 444 interface FastEthernet4 444
ip nat inside source static tcp 192.168.10.250 443 interface FastEthernet4 443
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 111 remark SDM_ACL Category=1
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
 
The way I do it on a router is to put the VPN pool on the same subnet as the internal network but exclude it from NAT; this can complicate things in your case, though...

Burt
 
I will try it this afternoon. Thanks for your help
 
Sorry, I do not have time to look at this, but a good place to start is to realize that the VPN tunnel is actually considered "OUTSIDE".

So look at your ACLs and keep in mind that the VPN is outside.

So routing, gateways and ACLs are all subject to outside routing and rules.
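Burt's NAT-exclusion suggestion applied to the posted config, as an added example that is not part of the thread: route-map SDM_RMAP_1 selects NAT candidates from access-list 101, which matches everything sourced from 192.168.10.0/24 and has no entry for the client pool SDM_POOL_1 (10.10.10.1-10.10.10.10). The deny entry and the sequence number are assumptions; the ACL numbers, pool and subnet are the ones in the config above.

```cisco
! As posted: every LAN-sourced packet matches the NAT route-map, so nothing
! excludes replies to VPN clients in 10.10.10.0/28 from translation to the
! FastEthernet4 address should they be routed out a NAT outside interface.
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101

! Added fix: deny LAN -> VPN-pool traffic before the existing permit.
! Numbered ACLs are edited in named-ACL mode so the new line can take a
! sequence number (5) lower than the existing permit (10 by default).
! Wildcard 0.0.0.15 covers 10.10.10.0-10.10.10.15, which contains SDM_POOL_1.
! Note: ACL 100 has identical content but is the split-tunnel list pushed
! to clients (acl 100 in the XYZ client group); leave it alone.
ip access-list extended 101
 5 deny ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.15
 exit

! Existing dynamic translations for LAN hosts persist until they time out;
! flush them so the deny is honoured immediately.
clear ip nat translation *

! Checks while a client is connected and pinging a LAN host:
! no entry below should pair an inside global of 44.44.44.44 with an
! outside address in 10.10.10.0/28,
show ip nat translations | include 10.10.10.
! and the #pkts encrypt / #pkts decrypt counters for the client's SA
! should both climb, showing replies are going back through the tunnel.
show crypto ipsec sa
```

If the pool is later moved into 192.168.10.0/24 as Burt's second post describes, the same deny pattern (with that address range, also excluded from the DHCP scope) is what keeps it out of NAT.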
 