Easy VPN Server Can't Ping Past Gateway

Status
Not open for further replies.

underzen

MIS
Mar 5, 2002
20
US
I'm trying to set up a Cisco Easy VPN server through SDM. I am able to connect to our VPN remotely through the Cisco VPN Client. I am able to obtain an IP address through the VPN Client and I'm able to ping the local router IP address of 10.1.1.50. However, I can't ping any other internal IP address (servers/PCs).

The Cisco config is below.


Building configuration...

Current configuration : 11209 bytes
!
! Last configuration change at 10:27:12 PCTime Wed Oct 8 2008 by
! NVRAM config last updated at 10:27:15 PCTime Wed Oct 8 2008 by
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Network
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
enable secret 5 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authentication login sdm_vpn_xauth_ml_5 local
aaa authentication login sdm_vpn_xauth_ml_6 local
aaa authentication login sdm_vpn_xauth_ml_7 local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
aaa authorization network sdm_vpn_group_ml_5 local
aaa authorization network sdm_vpn_group_ml_6 local
aaa authorization network sdm_vpn_group_ml_7 local
aaa authorization network sdm_vpn_group_ml_8 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.50
ip dhcp excluded-address 10.1.1.60 10.1.1.254
!
ip dhcp pool sdm-pool1
network 10.1.1.0 255.255.255.0
dns-server 208.67.222.222 208.67.220.220
default-router 10.1.1.50
!
!
ip tcp synwait-time 10
no ip bootp server
ip name-server 208.67.220.220
ip name-server 208.67.222.222
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name SDM_HIGH appfw SDM_HIGH
ip inspect name SDM_HIGH icmp
ip inspect name SDM_HIGH dns
ip inspect name SDM_HIGH tcp
ip inspect name SDM_HIGH udp
ip ips sdf location flash://128MB.sdf
ip ips notify SDEE
ip ips name sdm_ips_rule
!
appfw policy-name SDM_HIGH
application im aol
service default action reset
service text-chat action reset
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail off
application http
port-misuse im action reset alarm
application im yahoo
service default action reset
service text-chat action reset
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail off
!
!
!
username xxx secret 5 xxx

!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpn
key xxx
pool SDM_POOL_5
acl 104
crypto isakmp profile sdm-ike-profile-1
match identity group vpn
client authentication list sdm_vpn_xauth_ml_7
isakmp authorization list sdm_vpn_group_ml_8
client configuration address respond
virtual-template 8
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Loopback2
ip address 10.1.3.100 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface FastEthernet0
description Miami Deltacom WAN 4.5 Mbps
switchport mode trunk
!
interface FastEthernet1
description Miami Internal LAN
switchport trunk native vlan 2
switchport mode trunk
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template8 type tunnel
ip unnumbered Loopback2
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description WAN 4.5 Mbps$FW_OUTSIDE$
ip address 97.67.20.162 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect SDM_HIGH out
ip ips sdm_ips_rule in
ip virtual-reassembly
ip route-cache flow
!
interface Vlan2
description Internal LAN$FW_INSIDE$
ip address 10.1.1.50 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
ip local pool SDM_POOL_5 10.1.1.200 10.1.1.209
ip route 0.0.0.0 0.0.0.0 97.67.20.161
ip route 10.1.2.0 255.255.255.0 10.1.1.100
!
ip flow-top-talkers
top 100
sort-by packets
cache-timeout 1000
!
ip http server
ip http access-class 2
no ip http secure-server
ip nat pool Miami 10.1.1.51 10.1.1.59 netmask 255.255.255.0
ip nat inside source list 103 interface Vlan1 overload
ip nat inside source static tcp 10.1.1.1 23 interface Vlan1 23
ip nat inside source static tcp 10.1.1.10 8000 interface Vlan1 8000
ip nat inside source static tcp 10.1.1.10 8001 interface Vlan1 8001
ip nat inside source static tcp 10.1.1.1 8470 interface Vlan1 8470
ip nat inside source static tcp 10.1.1.1 8471 interface Vlan1 8471
ip nat inside source static tcp 10.1.1.1 8472 interface Vlan1 8472
ip nat inside source static tcp 10.1.1.1 8473 interface Vlan1 8473
ip nat inside source static tcp 10.1.1.1 8474 interface Vlan1 8474
ip nat inside source static tcp 10.1.1.1 8475 interface Vlan1 8475
ip nat inside source static tcp 10.1.1.1 8476 interface Vlan1 8476
ip nat inside source static tcp 10.1.1.1 8477 interface Vlan1 8477
ip nat inside source static tcp 10.1.1.1 8478 interface Vlan1 8478
ip nat inside source static tcp 10.1.1.1 8479 interface Vlan1 8479
ip nat inside source static tcp 10.1.1.1 449 interface Vlan1 449
!
logging trap debugging
logging 10.1.1.50
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any any eq non500-isakmp log
access-list 100 permit udp any any eq isakmp log
access-list 100 permit esp any any log
access-list 100 permit ahp any any log
access-list 100 deny ip 97.67.20.160 0.0.0.7 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 permit udp any any eq isakmp log
access-list 101 permit esp any any log
access-list 101 permit ahp any any log
access-list 101 remark Auto generated by SDM for NTP (123) 2.pool.ntp.org
access-list 101 permit udp host 38.99.80.156 eq ntp host 97.67.20.162 eq ntp log
access-list 101 remark Auto generated by SDM for NTP (123) 1.pool.ntp.org
access-list 101 permit udp host 138.23.180.126 eq ntp host 97.67.20.162 eq ntp log
access-list 101 remark Auto generated by SDM for NTP (123) 0.pool.ntp.org
access-list 101 permit udp host 128.2.1.20 eq ntp host 97.67.20.162 eq ntp log
access-list 101 permit tcp any host 97.67.20.162 eq telnet log
access-list 101 remark iSeries
access-list 101 permit tcp any host 97.67.20.162 eq 449 log
access-list 101 remark Video Camera
access-list 101 permit tcp any host 97.67.20.162 range 8000 8001 log
access-list 101 remark iSeries
access-list 101 permit tcp any host 97.67.20.162 range 8470 8479 log
access-list 101 permit udp host 208.67.220.220 eq domain host 97.67.20.162 log
access-list 101 permit udp host 208.67.222.222 eq domain host 97.67.20.162 log
access-list 101 deny ip 10.1.1.0 0.0.0.255 any log
access-list 101 permit icmp any host 97.67.20.162 echo-reply log
access-list 101 permit icmp any host 97.67.20.162 time-exceeded log
access-list 101 permit icmp any host 97.67.20.162 unreachable log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=2
access-list 103 permit ip 10.1.1.0 0.0.0.255 any log
access-list 103 permit ip 10.1.2.0 0.0.0.255 any log
access-list 103 permit ip 10.1.3.0 0.0.0.255 any log
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 10.1.1.0 0.0.0.255 any log
access-list 104 permit ip 10.1.2.0 0.0.0.255 any log
access-list 104 permit ip 10.1.3.0 0.0.0.255 any log

no cdp run
!
!
!
!
control-plane
!
banner login ^C Cisco Internet Router^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 102 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175055
ntp server 138.23.180.126 source Vlan1
ntp server 38.99.80.156 source Vlan1
ntp server 128.2.1.20 source Vlan1 prefer
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end

 
You have to exclude 10.1.1.200-10.1.1.209 from NAT...
no access-list 103
access-list 103 deny ip any 10.1.1.200 0.0.0.7
access-list 103 deny ip any host 10.1.1.208
access-list 103 deny ip any host 10.1.1.209
access-list 103 permit ip 10.1.1.0 0.0.0.255 any log
access-list 103 permit ip 10.1.2.0 0.0.0.255 any log
access-list 103 permit ip 10.1.3.0 0.0.0.255 any log

Burt
 
Thanks for the quick response and help, Burt.

I just tried that, Burt, and it didn't work. I am able to ping the router IP of 10.1.1.50 and the Loopback2 of 10.1.3.100, but I still can't ping any of my servers located in the 10.1.1.0 255.255.255.0 network.

These are the access-lists now.


access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.1.1.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit udp any any eq non500-isakmp log
access-list 100 permit udp any any eq isakmp log
access-list 100 permit esp any any log
access-list 100 permit ahp any any log
access-list 100 deny ip 97.67.20.160 0.0.0.7 any log
access-list 100 deny ip host 255.255.255.255 any log
access-list 100 deny ip 127.0.0.0 0.255.255.255 any log
access-list 100 permit ip any any log
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any any eq non500-isakmp log
access-list 101 permit udp any any eq isakmp log
access-list 101 permit esp any any log
access-list 101 permit ahp any any log
access-list 101 remark Auto generated by SDM for NTP (123) 2.pool.ntp.org
access-list 101 permit udp host 38.99.80.156 eq ntp host 97.67.20.162 eq ntp log
access-list 101 remark Auto generated by SDM for NTP (123) 1.pool.ntp.org
access-list 101 permit udp host 138.23.180.126 eq ntp host 97.67.20.162 eq ntp log
access-list 101 remark Auto generated by SDM for NTP (123) 0.pool.ntp.org
access-list 101 permit udp host 128.2.1.20 eq ntp host 97.67.20.162 eq ntp log
access-list 101 permit tcp any host 97.67.20.162 eq telnet log
access-list 101 remark iSeries
access-list 101 permit tcp any host 97.67.20.162 eq 449 log
access-list 101 remark Video Camera
access-list 101 permit tcp any host 97.67.20.162 range 8000 8001 log
access-list 101 remark iSeries
access-list 101 permit tcp any host 97.67.20.162 range 8470 8479 log
access-list 101 permit udp host 208.67.220.220 eq domain host 97.67.20.162 log
access-list 101 permit udp host 208.67.222.222 eq domain host 97.67.20.162 log
access-list 101 deny ip 10.1.1.0 0.0.0.255 any log
access-list 101 permit icmp any host 97.67.20.162 echo-reply log
access-list 101 permit icmp any host 97.67.20.162 time-exceeded log
access-list 101 permit icmp any host 97.67.20.162 unreachable log
access-list 101 deny ip 10.0.0.0 0.255.255.255 any log
access-list 101 deny ip 172.16.0.0 0.15.255.255 any log
access-list 101 deny ip 192.168.0.0 0.0.255.255 any log
access-list 101 deny ip 127.0.0.0 0.255.255.255 any log
access-list 101 deny ip host 255.255.255.255 any log
access-list 101 deny ip host 0.0.0.0 any log
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=18
access-list 103 deny ip any 10.1.1.200 0.0.0.7 log
access-list 103 deny ip any host 10.1.1.208 log
access-list 103 deny ip any host 10.1.1.209 log
access-list 103 permit ip 10.1.1.0 0.0.0.255 any log
access-list 103 permit ip 10.1.2.0 0.0.0.255 any log
access-list 103 permit ip 10.1.3.0 0.0.0.255 any log
 
The easiest way to eliminate ACLs is to remove them one by one from the interfaces. My guess would be that ACL 101 is stopping it, because ICMP is not allowed except from that one host. Remember, pings need two-way traffic, and once an ACL is built there is an implicit deny ip any any at the end. Do any of the other protocols specified work?

Burt
 
Thanks, Burt. I was looking around Tek-Tips and found a thread where someone was having the same issue. The problem, for whatever reason, is that my SDM_POOL_5 10.1.1.200 10.1.1.209 is in the same IP range/subnet as my local LAN on Vlan2. So I changed the pool to a different subnet of 10.1.99.1 10.1.99.20, removed the access-lists that you recommended, and it worked perfectly.

Again thank you so much for your help!
 
Actually, you can have the vpn pool in the same subnet as the LAN, as long as it doesn't get NATted. Glad it's working.

Burt
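As an added example (not code from the thread or from Cisco), a small Python check that reads a config like the one posted above and reports the two conditions this thread turns on: a VPN pool that overlaps a connected subnet whose interface has proxy ARP disabled (LAN hosts ARP for an on-link pool address that the router then never answers for), and pool addresses the NAT ACL would still translate without the exemption entries Burt describes. The NAT finding is reported only when the tunnel (Virtual-Template) interface is itself `ip nat outside`, because IOS NAT translates only between nat-inside and nat-outside interfaces; all function and variable names are the example's own, and the embedded config is a constructed excerpt.

```python
import ipaddress
import re
ORIGINAL = """! constructed excerpt modelled on the thread's config, not the full dump
interface Vlan2
 ip address 10.1.1.50 255.255.255.0
 no ip proxy-arp
!
ip local pool SDM_POOL_5 10.1.1.200 10.1.1.209
ip nat inside source list 103 interface Vlan1 overload
access-list 103 permit ip 10.1.1.0 0.0.0.255 any log
"""
def _field(tok):  # one ACE address field: 'any', 'host A' or 'A WILDCARD'
    n = 1 if tok[0] == "any" else 2
    net = "0.0.0.0/0" if n == 1 else tok[1] if tok[0] == "host" else f"{tok[0]}/{tok[1]}"
    return ipaddress.ip_network(net, strict=False), tok[n:]
def nat_action(aces, a):  # first ACE whose destination covers a; source treated as 'any'
    return next((act for act, tok in aces if a in _field(_field(tok)[1])[0]), "deny")
def parse(text):  # interface blocks (closed by '!'), pools, NAT ACL number, 'ip' ACEs
    ifaces, pools, acls, nat_acl, cur = {}, {}, {}, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface (\S+)", line):
            cur = ifaces[m[1]] = []
        elif line == "!":
            cur = None
        elif cur is not None:
            cur.append(line)
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            pools[m[1]] = (int(ipaddress.ip_address(m[2])), int(ipaddress.ip_address(m[3])))
        elif m := re.match(r"ip nat inside source list (\d+) ", line):
            nat_acl = m[1]
        elif m := re.match(r"access-list (\d+) (permit|deny) ip (.+?)(?: log)?$", line):
            acls.setdefault(m[1], []).append((m[2], m[3].split()))
    return ifaces, pools, acls, nat_acl
def check(text):  # why a VPN client can reach the router but not the LAN hosts
    ifaces, pools, acls, nat_acl = parse(text)
    # IOS NAT runs only inside->outside, so the NAT ACL affects VPN replies only if the tunnel is nat outside
    tunnel_nat = any("ip nat outside" in l for n, l in ifaces.items() if n.startswith("Virtual-"))
    findings = []
    for name, (lo, hi) in pools.items():
        addrs = [ipaddress.ip_address(i) for i in range(lo, hi + 1)]
        for ifname, lines in ifaces.items():  # LAN hosts ARP for on-link pool addresses
            m = re.search(r"^ip address (\S+) (\S+)$", "\n".join(lines), re.M)
            net = m and ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            if net and "no ip proxy-arp" in lines and any(a in net for a in addrs):
                findings.append(f"{name} overlaps {ifname} {net} but proxy-arp is off")
        natted = [str(a) for a in addrs if nat_action(acls.get(nat_acl, []), a) == "permit"]
        if tunnel_nat and natted:
            findings.append(f"{name} replies NATted by ACL {nat_acl}: {natted[0]}..{natted[-1]}")
    return findings
```

Running `check(ORIGINAL)` flags only the overlap with proxy ARP off; moving the pool to 10.1.99.0/24 (the poster's fix) or re-enabling proxy ARP on Vlan2 clears it.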
 