Easy VPN routing problem

Mystro

IS-IT--Management
May 10, 2000
Hi all

I'm new to the Cisco scene and am having a problem with Easy VPN. I'm currently using it to connect two sites over ADSL, as the remote site has a dynamic IP.

Using an 1841 (HO) and an 837 (remote). The tunnel is up and the remote site can ping the Head Office LAN, however I am unable to ping anything on the remote network from HO.

Both sites are using NAT and I have split tunneling set up for the remote site, which is working great.

Anything obvious I'm missing here? Thanks.
 
Are you denying NAT from HO to remote? It might be useful to see the configs.
 
Thanks JOAMON. We don't actually have a firewall on the remote router yet, as we are just testing at this stage.

Here's the configs:

<Head Office>==============================================
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router.1841
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
xxxxxxxusernames xxxxx
clock timezone Perth 8
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth local
aaa authorization exec default local
aaa authorization network vpn_group local
aaa session-id common
ip subnet-zero
no ip source-route
ip cef
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
ip ips sdf location flash://attack-drop.sdf
ip ips po max-events 100
ip domain name xxxxxxxxxx
ip name-server 202.72.191.199
ip name-server 203.10.1.9
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
group 2
!
crypto isakmp client configuration group vpngroup
key K33p0u+!
dns 10.10.1.1 10.10.1.2
wins 10.10.1.1 10.10.1.2
pool SDM_POOL_1
acl 104
save-password
include-local-lan
max-logins 5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list vpn_xauth
crypto map SDM_CMAP_1 isakmp authorization list vpn_group
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
ip address 10.10.1.254 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
duplex auto
speed auto
no cdp enable
no mop enabled
hold-queue 100 out
!
interface FastEthernet0/1
no ip address
shutdown
duplex auto
speed auto
no cdp enable
!
interface ATM0/0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
oam-pvc manage
pppoe-client dial-pool-number 1
!
!
interface Dialer0
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxxxxxxxxxxx
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.10.100.1 10.10.100.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
!
logging trap debugging
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 log
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
access-list 102 permit udp host 203.10.1.9 eq domain any
access-list 102 permit udp host 202.72.191.199 eq domain any
access-list 102 permit ahp any any
access-list 102 permit esp any any
access-list 102 permit udp any any eq isakmp
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit ip 10.10.100.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 102 deny ip 10.10.1.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
access-list 104 permit ip 10.10.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
!
control-plane
!
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
transport output none
!
end

<Remote Site>===========================================
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router.837
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxx
!
username xxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
!
!
!
!
ip name-server 203.0.178.191
ip ips po max-events 100
vpdn enable
!
vpdn-group adsl
request-dialin
protocol pppoe
!
no ftp-server write-enable
!
!
!
!
!
!
crypto ipsec client ezvpn HeadOffice
connect auto
group vpngroup key xxxxxxx
mode client
peer <HO Public IP>
username xxxxxxxx password xxxxxxxx
!
!
!
interface Ethernet0
ip address 10.10.2.254 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
mtu 1492
ip address negotiated
ip access-group 100 in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp chap refuse
ppp pap sent-username xxxxxxxxxxxxxxxxxxx
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip http server
ip http secure-server
ip dns server
!
ip nat inside source list 1 interface Dialer1 overload
!
access-list 1 permit 10.10.2.0 0.0.0.255
access-list 10 permit any
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 100 permit udp host <HO Public IP> any eq 10000
access-list 100 permit udp host <HO Public IP> any eq non500-isakmp
access-list 100 permit udp host <HO Public IP> any eq isakmp
access-list 100 permit esp host <HO Public IP> any
access-list 100 permit ahp host <HO Public IP> any
access-list 100 permit ip any any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
exec-timeout 120 0
password 7 022D57081B561A6A0D
login
no modem enable
transport preferred all
transport output all
stopbits 1
line aux 0
transport preferred all
transport output all
line vty 0 4
access-class 10 in
exec-timeout 30 0
password 7 xxxxxxxxxxxxxxxxx
login local
transport preferred all
transport input telnet
transport output all
!
scheduler max-task-time 5000
end


Thanks again
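The two questions this thread turns on are whether the head-office router exempts LAN-to-remote traffic from NAT (JOAMON's hint) and whether the Easy VPN remote is running in a mode that lets the head office reach hosts behind it at all. The script below is an added example, not code from the thread or from Cisco: it lints short excerpts of the two configs posted above for exactly those conditions. The excerpts are constructed from the posted configs (only the relevant lines), the sample hosts 10.10.1.10 and 10.10.2.10 are assumed, and the rule that Easy VPN "mode client" hides the remote LAN behind the assigned pool address (so the head office cannot initiate to it, and "mode network-extension" is needed for that) is general Easy VPN behaviour, not a conclusion stated anywhere in the thread.

```python
"""Lint two IOS configs for the conditions that decide whether head-office (HO)
hosts can initiate traffic to the LAN behind an Easy VPN remote.
Added example; the config excerpts are constructed from the thread's posts."""
import ipaddress
import re

# Constructed excerpt of the head-office 1841 config (relevant lines only).
HO_CFG = """\
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.100.0 0.0.0.255
access-list 101 deny ip 10.10.1.0 0.0.0.255 10.10.2.0 0.0.0.255 log
access-list 101 permit ip 10.10.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 101
"""

# Constructed excerpt of the remote 837 config (relevant lines only).
REMOTE_CFG = """\
crypto ipsec client ezvpn HeadOffice
 connect auto
 mode client
 peer <HO Public IP>
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 10.10.2.0 0.0.0.255
"""


def _wild_to_prefix(wild):
    """IOS wildcard (inverted) mask -> prefix length; assumes a contiguous mask."""
    inverted = int(ipaddress.IPv4Address(wild)) ^ 0xFFFFFFFF
    return bin(inverted).count("1")


def _net(tokens):
    """Consume one ACL address spec from tokens: 'any', 'host A' or 'A WILDCARD'."""
    tok = tokens.pop(0)
    if tok == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if tok == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{tok}/{_wild_to_prefix(tokens.pop(0))}", strict=False)


def _skip_ports(tokens):
    """Drop a port operator ('eq domain', 'range 1 10', ...) so the next token is an address."""
    if tokens and tokens[0] in ("eq", "neq", "gt", "lt"):
        del tokens[:2]
    elif tokens and tokens[0] == "range":
        del tokens[:3]


def parse_acls(cfg):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for numbered ACLs.
    Standard ACLs (1-99) carry only a source; their destination is recorded as any."""
    acls = {}
    for line in cfg.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny)\s+(.*)", line.strip())
        if not m:
            continue
        num, action, rest = int(m.group(1)), m.group(2), m.group(3).split()
        if num <= 99:
            if len(rest) == 1 and rest[0] != "any":
                rest.append("0.0.0.0")      # bare address in a standard ACL means one host
            src, dst = _net(rest), ipaddress.ip_network("0.0.0.0/0")
        else:
            rest.pop(0)                     # protocol keyword (ip, udp, esp, ...)
            src = _net(rest)
            _skip_ports(rest)
            dst = _net(rest)                # trailing 'log', 'echo-reply', ... are ignored
        acls.setdefault(num, []).append((action, src, dst))
    return acls


def nat_acl_for(cfg):
    """Number of the ACL that selects traffic for 'ip nat inside source', whether it is
    named directly ('source list N') or through a route-map ('match ip address N')."""
    m = re.search(r"ip nat inside source list (\d+)", cfg)
    if m:
        return int(m.group(1))
    m = re.search(r"ip nat inside source route-map (\S+)", cfg)
    if not m:
        return None
    in_map = False
    for line in cfg.splitlines():
        if line.startswith("route-map "):
            in_map = line.split()[1] == m.group(1)
        elif in_map and line.strip().startswith("match ip address "):
            return int(line.split()[-1])
    return None


def nat_exempt(acls, acl_num, src_ip, dst_ip):
    """True when the NAT ACL's first matching entry is a deny (the flow is not translated).
    No matching entry means the implicit deny applies, so the flow is not translated either."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, s, d in acls.get(acl_num, []):
        if src in s and dst in d:
            return action == "deny"
    return True


def ezvpn_mode(cfg):
    """Easy VPN remote mode ('client' or 'network-extension'), or None if not configured."""
    m = re.search(r"^\s*mode (client|network-extension)", cfg, re.M)
    return m.group(1) if m else None


def diagnose(ho_cfg, remote_cfg, ho_host, remote_host):
    """Findings that would stop ho_host from initiating traffic to remote_host."""
    findings = []
    if not nat_exempt(parse_acls(ho_cfg), nat_acl_for(ho_cfg), ho_host, remote_host):
        findings.append("HO translates LAN->remote traffic: add a deny for it to the NAT ACL")
    if not re.search(r"^\s*reverse-route", ho_cfg, re.M):
        findings.append("HO dynamic crypto map has no reverse-route: no route to the remote is injected")
    if ezvpn_mode(remote_cfg) == "client":
        findings.append("remote uses 'mode client': its LAN sits behind the assigned pool address, "
                        "so HO cannot initiate to it; 'mode network-extension' is required")
    return findings


if __name__ == "__main__":
    # Sample hosts are assumed: one on each LAN in the posted configs.
    for finding in diagnose(HO_CFG, REMOTE_CFG, "10.10.1.10", "10.10.2.10"):
        print("-", finding)
```

Run against the posted excerpts, the NAT and reverse-route checks pass on the head-office side (ACL 101 already denies 10.10.1.0/24 to 10.10.2.0/24 and the dynamic map carries reverse-route), and the only finding is the remote's "mode client". The parser only understands the address and port syntax used in the thread's ACLs; named ACLs, object groups and other IOS variants are out of scope.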
 