
Unable to Ping LAN or Remote desktop to LAN PC after connected to VPN


achtungbaby (Technical User), Sep 6, 2009
I have a problem that I've been dealing with and wondering whether someone can shed light on it. I think that the problem has to do with routing but I can't seem to figure out how. I am able to connect to VPN but unable to ping the router.

Router 2800-->3750 switch
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M5.bin
boot system flash:c2800nm-adventerprisek9_ivs_li-mz.151-4.M5.bin
boot-end-marker


!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network VPNAPOLLO local
!
!
!
!
!
aaa session-id common
!
!
dot11 syslog
ip source-route
!
!
ip cef
!
ip dhcp excluded-address 192.168.10.1 192.168.10.60
ip dhcp excluded-address 192.168.20.1 192.168.20.60
ip dhcp excluded-address 192.168.30.1 192.168.30.25
ip dhcp excluded-address 192.168.40.1 192.168.40.25
!
ip dhcp pool Data
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.10.1 68.105.28.11
option 150 ip 192.168.10.1
option 66 ip 192.168.10.1
domain-name X.X.X.X.com
lease 7
!
ip dhcp pool Voice
network 192.168.20.0 255.255.255.0
default-router 192.168.20.1
option 150 ip 192.168.10.1
option 66 ip 192.168.10.1
dns-server 192.168.10.1 192.168.10.17
domain-name X.X.X.X.com
lease 7
!
ip dhcp pool Wireless
network 192.168.40.0 255.255.255.0
default-router 192.168.40.1
dns-server 192.168.10.1 68.105.28.11
option 150 ip 192.168.10.1
domain-name X.X.X.X.com
option 66 ip 192.168.10.1
lease 7
!
ip dhcp pool Media
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
dns-server 192.168.10.1 192.168.10.17
option 150 ip 192.168.10.1
domain-name X.X.X.X..com
option 66 ip 192.168.10.1
lease 7
!
!
ip domain list X.X.X.X

ip tcp synwait-time 10
ip ssh time-out 60
ip ssh version 2
!
class-map match-any Call-Control
match dscp cs3
match access-group 105
match access-group 100
class-map match-any Voice
match dscp ef
match protocol rtp audio
class-map match-any voice
match dscp ef
match protocol rtp audio
!
!
!
policy-map Incoming-Voice
class Voice
set ip dscp ef
class Call-Control
set ip dscp cs3
class voice
set ip dscp ef
policy-map Outgoing-Voice
class Voice
priority percent 30
set ip dscp ef
class Call-Control
bandwidth percent 2
set ip dscp cs3
fair-queue
class voice
priority percent 30
set ip dscp ef
class class-default
fair-queue
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp keepalive 15
crypto isakmp nat keepalive 30
!
!
crypto isakmp client configuration group APOLLO
key ciscovoice
dns 192.168.10.1
domain X.X.X.X.com
pool vpnclients
acl 188
!
!
crypto ipsec transform-set VPNAPOLLO esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set VPNAPOLLO
reverse-route
!
!
crypto map test client authentication list userauthen
crypto map test isakmp authorization list VPNAPOLLO
crypto map test client configuration address respond
crypto map test 20 ipsec-isakmp dynamic dynmap
!
!

interface Loopback0
ip address 10.10.10.1 255.255.255.255
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0
description ISP
ip address dhcp
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
ip policy route-map VPN-OUT
duplex auto
speed auto
no cdp enable
no mop enabled
crypto map test
max-reserved-bandwidth 100
service-policy input Incoming-Voice
service-policy output Outgoing-Voice
!
interface GigabitEthernet0/1
no ip address
ip access-group 100 in
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
duplex full
speed 1000
no cdp enable
no mop enabled
!
interface GigabitEthernet0/1.10
description $FW_INSIDE$
encapsulation dot1Q 10 native
ip address 192.168.10.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
h323-gateway voip interface
h323-gateway voip bind srcaddr 192.168.10.1
!
interface GigabitEthernet0/1.20
description $FW_INSIDE$
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
ip access-group 101 in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.30
description $FW_INSIDE$
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
ip access-group 103 in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.40
description $FW_INSIDE$
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
ip access-group 104 in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/1.60
description $FW_INSIDE$
encapsulation dot1Q 60
ip nat inside
ip virtual-reassembly in
shutdown
!
ip local pool vpnclients 192.168.60.2 192.168.60.10
ip default-gateway X.X.X.X
ip forward-protocol nd
ip http server
ip http secure-server
!
!
ip nat translation timeout never
ip nat pool Data 192.168.10.1 192.168.10.255 netmask 255.255.255.0
ip nat pool Voice 192.168.20.1 192.168.20.255 netmask 255.255.255.0
ip nat pool Media 192.168.30.1 192.168.30.255 netmask 255.255.255.0
ip nat pool Wireless 192.168.40.1 192.168.40.255 netmask 255.255.255.0
ip nat pool vpnclients 192.168.60.2 192.168.60.10 netmask 255.255.255.0
ip nat source list inside interface GigabitEthernet0/0 overload
ip nat inside source list 100 interface GigabitEthernet0/0 overload

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any
access-list 188 permit ip 192.168.60.0 0.0.0.255 any
!
route-map VPN-OUT permit 15
match ip address 188
set ip next-hop 10.10.10.1 10.10.10.2
!
-------------
APOLLOROUTER#sh crypto ipsec sa

interface: GigabitEthernet0/0
Crypto map tag: test, local addr X.X.X.X (ISP)

protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (192.168.60.3/255.255.255.255/0/0)
current_peer (PC WITH VPNCLIENT) port 9947
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 227, #pkts decrypt: 227, #pkts verify: 227
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0

local crypto endpt.: X.X.X.X (ISP), remote crypto endpt.: (PC WITH VPNCLIENT)
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/0
current outbound spi: 0xC4411E48(3292601928)
PFS (Y/N): N, DH group: none

inbound esp sas:
spi: 0x665DD999(1717426585)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2005, flow_id: NETGX:5, sibling_flags 80000046, crypto map: test
sa timing: remaining key lifetime (k/sec): (4408815/3222)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

inbound ah sas:

inbound pcp sas:

outbound esp sas:
spi: 0xC4411E48(3292601928)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2006, flow_id: NETGX:6, sibling_flags 80000046, crypto map: test
sa timing: remaining key lifetime (k/sec): (4408847/3222)
IV size: 16 bytes
replay detection support: Y
Status: ACTIVE

outbound ah sas:

outbound pcp sas:
-------------------------------------
ipconfig /all
Connection-specific DNS Suffix . : X.X.X.X
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::e1bc:5733:4f9:a503%15(Preferred)
IPv4 Address. . . . . . . . . . . : 192.168.60.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 301991322
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-18-36-14-F1-00-1C-23-40-06-D8

DNS Servers . . . . . . . . . . . : X.X.X.X
192.168.10.1
NetBIOS over Tcpip. . . . . . . . : Enabled

----------------------------

C:\>route print
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.50.1 192.168.50.30 25
(ISP)X.X.X.X 255.255.255.255 192.168.50.1 192.168.50.30 100
127.0.0.0 255.0.0.0 On-link 127.0.0.1 306
127.0.0.1 255.255.255.255 On-link 127.0.0.1 306
127.255.255.255 255.255.255.255 On-link 127.0.0.1 306
192.168.50.0 255.255.255.0 On-link 192.168.50.30 281
192.168.50.1 255.255.255.255 On-link 192.168.50.30 100
192.168.50.30 255.255.255.255 On-link 192.168.50.30 281
192.168.50.255 255.255.255.255 On-link 192.168.50.30 281
192.168.60.0 255.255.255.0 On-link 192.168.60.3 281
192.168.60.0 255.255.255.0 192.168.60.1 192.168.60.3 100
192.168.60.3 255.255.255.255 On-link 192.168.60.3 281
192.168.60.255 255.255.255.255 On-link 192.168.60.3 281
224.0.0.0 240.0.0.0 On-link 127.0.0.1 306
224.0.0.0 240.0.0.0 On-link 192.168.50.30 281
224.0.0.0 240.0.0.0 On-link 192.168.60.3 281
255.255.255.255 255.255.255.255 On-link 127.0.0.1 306
255.255.255.255 255.255.255.255 On-link 192.168.50.30 281
255.255.255.255 255.255.255.255 On-link 192.168.60.3 281

 
Start with your client's interface IP config - what is it getting?
What is your client's route table looking like?
What about the routing table on the router?
Is traffic back to the VPN client being NATd on the way out?
 
ip policy route-map VPN-OUT ---needs to be on the Lo int for PBR

You need to exclude VPN pool traffic from being NATted back out...

local (router) LAN: 192.168.10.0/24 (doesn't matter what it is if you use the "any" keyword in your deny ACE)

access-list 100 deny ip any 192.168.60.0 0.0.0.15 (or 0.0.0.255 if nothing else in the .60 subnet is being used)
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 100 permit ip 192.168.20.0 0.0.0.255 any
access-list 100 permit ip 192.168.30.0 0.0.0.255 any

or

ip access-list extended 100
1 deny ip any 192.168.60.0 0.0.0.15
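An added example (not from the thread) that models the point made in the reply above: IOS evaluates a numbered ACL top-down on first match, so the deny ACE has to sit before the permits, and the wildcard decides how much of the .60 subnet is exempted. It assumes the NAT list alone decides translation and uses ACL 100 as posted plus the suggested deny line; 192.168.10.17 (a DNS server in the posted DHCP pools) is the constructed LAN host.

```python
import ipaddress

def wildcard_to_network(addr, wild):
    """IOS 'address wildcard' -> ip_network.  Wildcard bits are inverted netmask
    bits: 0.0.0.255 -> /24, 0.0.0.15 -> /28, 0.0.0.0 -> /32 (contiguous only)."""
    w = int(ipaddress.IPv4Address(wild))
    mask = ~w & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous wildcard {wild} not supported")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def parse_ace(line):
    """Parse 'access-list <n> <permit|deny> ip <src> <dst>' ('any' or 'addr wildcard')."""
    tok = line.split()
    if tok[0] != "access-list" or tok[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    nets, i = [], 4
    for _ in range(2):
        if tok[i] == "any":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            i += 1
        else:
            nets.append(wildcard_to_network(tok[i], tok[i + 1]))
            i += 2
    return tok[2], nets[0], nets[1]

def nat_decision(acl_lines, src, dst):
    """First-match evaluation with IOS's implicit deny at the end.  For
    'ip nat inside source list 100 ... overload', permit means translate."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, snet, dnet in map(parse_ace, acl_lines):
        if s in snet and d in dnet:
            return action
    return "deny"

# ACL 100 exactly as posted, and the same list with the deny ACE from the reply.
ORIGINAL_ACL = [
    "access-list 100 permit ip 192.168.10.0 0.0.0.255 any",
    "access-list 100 permit ip 192.168.40.0 0.0.0.255 any",
    "access-list 100 permit ip 192.168.20.0 0.0.0.255 any",
    "access-list 100 permit ip 192.168.30.0 0.0.0.255 any",
]
FIXED_ACL = ["access-list 100 deny ip any 192.168.60.0 0.0.0.15"] + ORIGINAL_ACL

if __name__ == "__main__":
    # Constructed case: LAN host 192.168.10.17 replying to VPN client 192.168.60.3
    for name, acl in (("as posted", ORIGINAL_ACL), ("with deny ACE", FIXED_ACL)):
        print(name, "->", nat_decision(acl, "192.168.10.17", "192.168.60.3"))
```

With the posted list the reply to the client is translated; with the deny ACE it is not, while traffic to an Internet host or to a .60 address outside the /28 is still translated.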

 