ajtsystems
Hi,
I have a router which is configured for site to site VPNs in the usual method. I have set up a Cisco client to allow remote users to connect in to the router and am using the Cisco VPN client. The Cisco client is connecting and authenticating but I am not getting any communications between the client and the local router's subnet. Here is my config; if anyone knows what might be the problem please let me know.
As I see it it's either an ACL or a NAT issue but I can't pinpoint the issue.
The address I am dishing out is different from the subnet of the router...
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname test
!
boot-start-marker
boot-end-marker
!
enable secret test
enable password test
!
aaa new-model
!
!
aaa authorization network groupauthor local
!
!
aaa session-id common
!
!
dot11 syslog
!
!
ip cef
ip inspect name police cuseeme
ip inspect name police fragment maximum 256 timeout 1
ip inspect name police ftp
ip inspect name police h323
ip inspect name police http
ip inspect name police icmp
ip inspect name police rcmd
ip inspect name police realaudio
ip inspect name police rtsp
ip inspect name police smtp
ip inspect name police sqlnet
ip inspect name police streamworks
ip inspect name police tcp
ip inspect name police tftp
ip inspect name police udp
ip inspect name police vdolive
ip domain name tandata.co.uk
!
!
!
username rti password 0 test
username cisco password 0 test
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key altohousedsvr1a address 111.111.111.111 no-xauth
crypto isakmp key ipswich2tandata address 111.111.111.111 no-xauth
crypto isakmp key password address 111.111.111.111 no-xauth
crypto isakmp key acis_SUF1583 address 111.111.111.111 no-xauth
!
crypto isakmp client configuration group 3000client
key cisco123
dns 14.1.1.10
wins 14.1.1.20
domain cisco.com
pool ippool
!
!
crypto ipsec transform-set transet1 esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set transet1
!
!
crypto map vpnmap client authentication list userauthen
crypto map vpnmap isakmp authorization list groupauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap 12 ipsec-isakmp
set peer 111.111.111.111
set transform-set transet1
match address 197
crypto map vpnmap 13 ipsec-isakmp
set peer 111.111.111.111
set transform-set transet1
match address 196
crypto map vpnmap 14 ipsec-isakmp
set peer 111.111.111.111
set transform-set transet1
match address 199
crypto map vpnmap 15 ipsec-isakmp
set peer 111.111.111.111
set transform-set transet1
match address 194
!
archive
log config
hidekeys
!
!
ip ssh source-interface ATM0
!
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
ip address 111.111.111.111 255.255.255.0
ip inspect police in
ip nat inside
ip virtual-reassembly
hold-queue 100 out
!
interface Dialer1
description Connection to Altohiway (SDSL)
ip address negotiated
ip access-group incoming-outside in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer idle-timeout 0
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname test
ppp chap password 0 test
crypto map vpnmap
!
ip local pool ippool 111.111.111.111 111.111.111.111
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
!
ip access-list extended incoming-outside
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit icmp any any
permit ip 10.0.0.0 0.0.0.255 111.111.111.111 0.0.0.255
permit ip 111.111.111.111 0.0.0.255 111.111.111.111 0.0.0.255
permit tcp any any eq 22
permit tcp any host 111.111.111.111 eq 22
permit ip 192.168.10.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 10.2.1.0 0.0.0.255 192.168.200.0 0.0.0.255
!
access-list 100 deny ip 192.168.200.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 194 permit ip 192.168.200.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 196 permit ip 192.168.200.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 197 permit ip 192.168.200.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 197 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
!
line con 0
exec-timeout 120 0
password test
no modem enable
transport output all
stopbits 1
line aux 0
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end
Thanks
James
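The two things worth checking first on a router that does NAT overload and IPsec on the same outside interface are the NAT access list and its relationship to the crypto traffic. On Cisco IOS, inside-to-outside NAT is applied before the crypto map, so any traffic that should ride a tunnel (the site-to-site crypto ACL networks and the remote-access client pool) must be excluded from the NAT ACL with deny entries, and the NAT ACL must still end with a permit for the traffic that really should be translated. The script below is an added example, not part of the original post or any Cisco tool: it parses the relevant lines of the posted config (reproduced here as a constructed excerpt with the same anonymised 111.111.111.111 addresses), converts wildcard masks to prefixes, and reports which crypto-ACL flows and which client-pool addresses lack a matching deny in the NAT list, and whether the NAT list contains any permit at all. The function and variable names are my own.

```python
"""Check NAT exemption against crypto ACLs and the VPN client pool.

Constructed example (not from the original post): SAMPLE_CONFIG is an
excerpt of the posted running-config with the same anonymised addresses.
"""
import ipaddress
from collections import defaultdict

SAMPLE_CONFIG = """
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap 12 ipsec-isakmp
 match address 197
crypto map vpnmap 13 ipsec-isakmp
 match address 196
crypto map vpnmap 14 ipsec-isakmp
 match address 199
crypto map vpnmap 15 ipsec-isakmp
 match address 194
ip local pool ippool 111.111.111.111 111.111.111.111
ip nat inside source list 100 interface Dialer1 overload
access-list 100 deny ip 192.168.200.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 deny ip 192.168.200.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 194 permit ip 192.168.200.0 0.0.0.255 10.2.1.0 0.0.0.255
access-list 196 permit ip 192.168.200.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 197 permit ip 192.168.200.0 0.0.0.255 192.168.44.0 0.0.0.255
access-list 197 permit ip 192.168.200.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 199 permit ip 192.168.200.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


def parse_prefix(tokens):
    """Consume one ACL address spec: 'any', 'host A', or 'A WILDCARD'."""
    keyword = tokens.pop(0)
    if keyword == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if keyword == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # IOS wildcard bits are the inverse of the subnet mask.
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{keyword}/{netmask}", strict=False)


def parse_config(text):
    """Collect numbered ACL entries, crypto-map ACL refs, pools and the NAT ACL."""
    acls = defaultdict(list)   # ACL number -> [(action, src_net, dst_net)]
    crypto_acls = set()        # ACL numbers referenced by 'match address'
    pools = []                 # client pool as a list of IPv4Network
    nat_acl = None
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if line.startswith("access-list ") and tokens[3] == "ip":
            rest = tokens[4:]
            src, dst = parse_prefix(rest), parse_prefix(rest)
            acls[tokens[1]].append((tokens[2], src, dst))
        elif line.startswith("match address "):
            crypto_acls.add(tokens[2])
        elif line.startswith("ip local pool "):
            first, last = ipaddress.IPv4Address(tokens[4]), ipaddress.IPv4Address(tokens[5])
            pools.extend(ipaddress.summarize_address_range(first, last))
        elif line.startswith("ip nat inside source list "):
            nat_acl = tokens[5]
    return acls, crypto_acls, pools, nat_acl


def check_nat_exemption(text):
    """Report crypto flows and pool addresses that the NAT ACL does not deny."""
    acls, crypto_acls, pools, nat_acl = parse_config(text)
    nat_entries = acls.get(nat_acl, [])
    denies = [(s, d) for action, s, d in nat_entries if action == "deny"]

    def exempt(src, dst):
        return any(src.subnet_of(ds) and dst.subnet_of(dd) for ds, dd in denies)

    not_exempt = []
    for number in sorted(crypto_acls):
        for action, src, dst in acls.get(number, []):
            if action == "permit" and not exempt(src, dst):
                not_exempt.append(f"acl {number}: {src} -> {dst}")
    # Replies from the LAN to a VPN client must reach the crypto map untranslated,
    # so every pool address needs a deny whose destination covers it.
    pool_not_exempt = [str(p) for p in pools
                       if not any(p.subnet_of(dd) for _, dd in denies)]
    return {
        "nat_acl": nat_acl,
        # An ACL with only deny lines matches nothing, so NAT translates nothing.
        "nat_acl_has_permit": any(a == "permit" for a, _, _ in nat_entries),
        "crypto_traffic_not_exempt": not_exempt,
        "client_pool_not_exempt": pool_not_exempt,
    }


if __name__ == "__main__":
    for key, value in check_nat_exemption(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the check finds every site-to-site crypto flow already denied in ACL 100, but no deny covering the client pool and no permit entry anywhere in ACL 100. Both are worth confirming on the real box with `show access-lists 100` and `show ip nat translations` before looking elsewhere; the same script works on a full `show running-config` capture, since it ignores every line it does not recognise.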