
Cisco 851 VPN cannot ping secure subnet


  • Cisco 851 VPN cannot ping secure subnet

    Hello

    I am trying to set up a Cisco 851 router using the Easy VPN server and the Cisco VPN client.

    I am able to establish a VPN connection, but that is about it. Once I have a connection, I look at the status and it all looks good, but I cannot ping anything on the secured subnet.

    I don't know if it is a missing route or an ACL issue.

    Any suggestions?



    Code:
    ! Cisco 851 Easy VPN server configuration as posted (SDM-generated names).
    ! NOTE(review): every credential in this listing (enable secret, type 7
    ! passwords, line passwords) was pasted to a public forum; type 7 strings are
    ! reversibly encoded, not hashed, so all of them should be treated as disclosed.
    hostname MSM-Guest
    !
    boot-start-marker
    boot-end-marker
    !
    ! No local log buffer: there is nothing to review on the box after a failed
    ! client session; "show crypto" output is the only evidence left.
    no logging buffered
    ! Both forms are set; when an enable secret exists it is the one checked,
    ! the type 7 enable password is dead weight that still leaks a credential.
    enable secret 5 $1$yPnW$nIaCiylXwmpZG4oZoGMfu1
    enable password 7 053B071D35424B1B2A
    !
    ! All AAA lists resolve to the local user database (the single
    ! "administrator" account below): XAUTH users via sdm_vpn_xauth_ml_1,
    ! group attributes via sdm_vpn_group_ml_1.
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    aaa session-id common
    !
    resource policy
    !
    ip subnet-zero
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.50
    !
    ! LAN hosts get 192.168.1.1 (Vlan1) as default router, so their replies to
    ! the VPN pool (192.168.2.0/24, see SDM_POOL_1) are routed through this box.
    ip dhcp pool MSM-Guest-DHCP
       import all
       network 192.168.1.0 255.255.255.0
       dns-server 216.220.230.24 216.220.230.25
       default-router 192.168.1.1
    !
    !
    ip cef
    ! CBAC inspection; it is only attached to FastEthernet4 (ip inspect MYFW out),
    ! the tunnel template below carries no inspection.
    ip inspect name MYFW tcp
    ip inspect name MYFW udp
    ip domain name MSM-Guest
    ip name-server 216.220.230.24
    ip name-server 216.220.230.25
    !
    !
    ! Self-signed certificate; presumably serves ip http secure-server only.
    ! IKE below uses pre-shared keys, so this trustpoint plays no part in the VPN.
    crypto pki trustpoint TP-self-signed-2169386341
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2169386341
     revocation-check none
     rsakeypair TP-self-signed-2169386341
    !
    !
    crypto pki certificate chain TP-self-signed-2169386341
     certificate self-signed 01
      30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32313639 33383633 3431301E 170D3037 30373033 32323435
      34305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31363933
      38363334 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100BC0E 40374E2C 4C6BA75D 2733480D 00E69AB1 8AF13382 D02A79FE 9C4A6F26
      3C4E0693 5BA22DC5 21CD56C0 1EC748BB DFA6EC39 6882459A A6498EFC 88729431
      31A85FD9 D804021A 6BEEFD4E 74DC05A2 FBB6566B BA9EEA8B 2A92DDF9 BE2C3DCE
      D830BC9C 10BA57A4 66A9D206 BB1BA28A 14BFAE20 E846C78A 0F23081F B319728C
      2CF90203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
      551D1104 0E300C82 0A4D534D 2D477565 73742E30 1F060355 1D230418 30168014
      AF4DBEE1 EBC2DA1F 8868EFEE 775132E9 1C518030 301D0603 551D0E04 160414AF
      4DBEE1EB C2DA1F88 68EFEE77 5132E91C 51803030 0D06092A 864886F7 0D010104
      05000381 81000B2F AD4DAB62 D7CDD238 8F57A0F8 AD1A0D75 F551630F 6E1BC227
      21CA4FB9 96641668 AF1C9762 F111CF86 01C2CAFA 917FF144 006745E6 6AC36E54
      FAF384C0 E9346309 FAA812C8 8026AEF6 6C2BFBA8 C04EF5B3 7DF75523 7EEA0F68
      07387899 FC3AD57C CFA9F596 59AAEA85 CC04C85A 3F65D4FB 22C85B23 5A4AE4E9
      08490611 A016
      quit
    ! Privilege-15 account with a type 7 (reversible) password; this is also the
    ! XAUTH login for every VPN user. "username ... secret" would store a hash.
    username administrator privilege 15 password 7 11391817031C0E1E37
    !
    !
    !
    ! IKE phase 1: 3DES, DH group 2, pre-shared key. Weak by current standards;
    ! kept here as posted.
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    !
    ! Mode-config attributes pushed to clients. "acl 100" is the split-tunnel
    ! list: the client only sends traffic matching access-list 100 into the
    ! tunnel, so it must name the secured LAN (192.168.1.0/24), not the pool.
    crypto isakmp client configuration group vpn
     key ****************
     dns 192.168.1.1
     wins 192.168.1.1
     domain msm-guest
     pool SDM_POOL_1
     acl 100
     netmask 255.255.255.0
    ! Each client that matches group "vpn" gets a Virtual-Access interface cloned
    ! from Virtual-Template1.
    crypto isakmp profile sdm-ike-profile-1
       match identity group vpn
       client authentication list sdm_vpn_xauth_ml_1
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto ipsec profile SDM_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile sdm-ike-profile-1
    !
    !
    !
    !
    ! 10.0.0.1 is only the address Virtual-Template1 borrows (ip unnumbered);
    ! it is not part of the secured subnet.
    interface Loopback0
     ip address 10.0.0.1 255.255.255.0
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    ! WAN: inbound/outbound ACLs, CBAC outbound, NAT outside.
    interface FastEthernet4
     description $ETH-WAN$
     ip address 216.220.228.125 255.255.255.224
     ip access-group Internet-inbound-ACL in
     ip access-group Internet-outbound-ACL out
     ip inspect MYFW out
     ip nat outside
     ip virtual-reassembly
     ip tcp adjust-mss 1460
     duplex auto
     speed auto
     no cdp enable
    !
    ! NOTE(review): the tunnel template has no ip access-group and no ip inspect,
    ! so decrypted client traffic enters the LAN unfiltered - confirm intended.
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1
    !
    ! Secured subnet; NAT inside.
    interface Vlan1
     description Internal Network
     ip address 192.168.1.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly
    !
    ! Client addresses 192.168.2.1-10: a different subnet from the LAN, so a host
    ! firewall scoped to the local subnet would silently drop pings from clients.
    ip local pool SDM_POOL_1 192.168.2.1 192.168.2.10
    ip classless
    ip route 0.0.0.0 0.0.0.0 216.220.228.97
    !
    ! Cleartext and TLS management both enabled. As far as the inbound WAN ACL
    ! shows, neither tcp/80 nor tcp/443 is permitted from the Internet, so they
    ! should only be reachable from the LAN or the tunnel - confirm.
    ip http server
    ip http secure-server
    ! NOTE(review): access-list 1 matches every 192.168.1.0/24 source with no
    ! exception for the VPN pool. If replies toward 192.168.2.0/24 are translated
    ! here, clients never see them; check with "show ip nat translations". A
    ! route-map that denies 192.168.1.0/24 -> 192.168.2.0/24 from NAT is the
    ! usual fix.
    ip nat inside source list 1 interface FastEthernet4 overload
    !
    ! Internet-facing filter. The host-specific esp entry is made redundant by
    ! "permit esp any any"; "permit gre any any" and the icmp entries are broader
    ! than an IPsec/NAT-T server needs. The two domain entries admit replies from
    ! the configured resolvers only.
    ip access-list extended Internet-inbound-ACL
     remark SDM_ACL Category=17
     permit udp any host 216.220.228.125 eq non500-isakmp
     permit udp any host 216.220.228.125 eq isakmp
     permit esp any host 216.220.228.125
     permit ahp any host 216.220.228.125
     permit udp host 216.220.230.25 eq domain any
     permit udp host 216.220.230.24 eq domain any
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any traceroute
     permit gre any any
     permit esp any any
    ip access-list extended Internet-outbound-ACL
     permit ip any any
    !
    ! access-list 1: NAT source list. access-list 100: split-tunnel list pushed to
    ! clients via "acl 100" in group vpn; it already names the secured LAN.
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit ip 192.168.1.0 0.0.0.255 any
    !
    control-plane
    !
    banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    ! Type 7 line passwords. Under aaa new-model the vty login is governed by the
    ! "default" login list (local users), not by these line passwords.
    line con 0
     password 7 122904050605091619
     no modem enable
    line aux 0
    line vty 0 4
     password 7 14271319180A2F3917
    !
    scheduler max-task-time 5000
    end

  • #2
    Re: Cisco 851 VPN cannot ping secure subnet

    Your ACL 100 should match the secured network, not the VPN network. You may need a couple of deny statements in there as well, but try that first.



    • #3
      Re: Cisco 851 VPN cannot ping secure subnet

      Here are the changes to my final config that got it working. I also had to turn off the Windows firewall on the machine I was trying to ping.

      Code:
      ! NAT exemption for VPN traffic. access-list 120 denies LAN -> VPN pool
      ! (192.168.1.0/24 -> 192.168.2.0/24) so that traffic is not translated on
      ! its way back to the clients; everything else from the LAN is still NATed.
      access-list 1 permit 192.168.1.0 0.0.0.255
      access-list 100 permit ip 192.168.1.0 0.0.0.255 any
      access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
      access-list 120 permit ip 192.168.1.0 0.0.0.255 any
      ! NOTE(review): as pasted this is two config lines run together:
      ! "route-map nonat permit 10" followed by "match ip address 120".
      route-map nonat permit 10 match ip address 120
      
      ! Replace the list-based NAT rule with the route-map based one.
      no ip nat inside source list 1 interface FastEthernet4 overload 
      
      ip nat inside source route-map nonat interface FastEthernet4 overload 
      
      ! Exec-mode command (not configuration): drops the existing translation
      ! entries so the new rule applies to already-seen flows.
      Clear ip nat translation *
      I can go back and turn on the Windows firewall and add exceptions for the internal IPs.

