
Cisco 851 VPN cannot ping secure subnet


  • Cisco 851 VPN cannot ping secure subnet


    I am trying to set up a Cisco 851 router using the Easy VPN server and the Cisco client.

    I am able to establish a VPN connection, but that is about it. Once I have a connection, I look at the status and it all looks good, but I cannot ping anything on the secured subnet.

    I don't know if it is a missing route or an ACL.

    Any suggestions?

    ! Posted running-config of an 851 acting as an Easy VPN server. Interface
    ! addresses, routes, DHCP/name-server/pool ranges and ACL operands were stripped
    ! before posting, so lines such as "ip address", "ip route" and
    ! "access-list 1 permit" have no arguments in this listing.
    hostname MSM-Guest
    no logging buffered
    ! "enable secret 5" is an MD5 hash and takes precedence over "enable password".
    ! "password 7" (here and on the username, con and vty lines below) is Cisco's
    ! reversible type-7 obfuscation, not a hash: anyone reading this post can recover
    ! those strings, so treat them as disclosed and rotate them; prefer the "secret"
    ! form wherever the image supports it.
    enable secret 5 $1$yPnW$nIaCiylXwmpZG4oZoGMfu1
    enable password 7 053B071D35424B1B2A
    ! AAA: local user database for login and exec authorization. The two sdm_* lists
    ! are referenced from the isakmp profile below (XAUTH and group authorization).
    aaa new-model
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    resource policy
    ip subnet-zero
    no ip dhcp use vrf connected
    ip dhcp excluded-address
    ip dhcp pool MSM-Guest-DHCP
       import all
    ip cef
    ! CBAC inspection rule, applied outbound on FastEthernet4 below. It tracks only
    ! tcp and udp, so ICMP replies are not tracked and are instead permitted
    ! explicitly in Internet-inbound-ACL.
    ip inspect name MYFW tcp
    ip inspect name MYFW udp
    ip domain name MSM-Guest
    ip name-server
    ip name-server
    ! Self-signed trustpoint and certificate, presumably auto-generated when
    ! "ip http secure-server" was enabled; "revocation-check none" is the normal
    ! setting for a self-signed cert. The hex blob usually ends with a "quit" line,
    ! which is missing from the paste.
    crypto pki trustpoint TP-self-signed-2169386341
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-2169386341
     revocation-check none
     rsakeypair TP-self-signed-2169386341
    crypto pki certificate chain TP-self-signed-2169386341
     certificate self-signed 01
      30820242 308201AB A0030201 02020101 300D0609 2A864886 F70D0101 04050030
      31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
      69666963 6174652D 32313639 33383633 3431301E 170D3037 30373033 32323435
      34305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
      4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31363933
      38363334 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
      8100BC0E 40374E2C 4C6BA75D 2733480D 00E69AB1 8AF13382 D02A79FE 9C4A6F26
      3C4E0693 5BA22DC5 21CD56C0 1EC748BB DFA6EC39 6882459A A6498EFC 88729431
      31A85FD9 D804021A 6BEEFD4E 74DC05A2 FBB6566B BA9EEA8B 2A92DDF9 BE2C3DCE
      D830BC9C 10BA57A4 66A9D206 BB1BA28A 14BFAE20 E846C78A 0F23081F B319728C
      2CF90203 010001A3 6A306830 0F060355 1D130101 FF040530 030101FF 30150603
      551D1104 0E300C82 0A4D534D 2D477565 73742E30 1F060355 1D230418 30168014
      AF4DBEE1 EBC2DA1F 8868EFEE 775132E9 1C518030 301D0603 551D0E04 160414AF
      4DBEE1EB C2DA1F88 68EFEE77 5132E91C 51803030 0D06092A 864886F7 0D010104
      05000381 81000B2F AD4DAB62 D7CDD238 8F57A0F8 AD1A0D75 F551630F 6E1BC227
      21CA4FB9 96641668 AF1C9762 F111CF86 01C2CAFA 917FF144 006745E6 6AC36E54
      FAF384C0 E9346309 FAA812C8 8026AEF6 6C2BFBA8 C04EF5B3 7DF75523 7EEA0F68
      07387899 FC3AD57C CFA9F596 59AAEA85 CC04C85A 3F65D4FB 22C85B23 5A4AE4E9
      08490611 A016
    ! Local admin account (privilege 15) with a type-7 password -- see note at top.
    username administrator privilege 15 password 7 11391817031C0E1E37
    ! IKE phase 1: 3DES, pre-shared key, DH group 2. NOTE(review): 3DES and group 2
    ! are legacy choices; AES and a larger DH group are preferable if the client
    ! software and this IOS image support them -- confirm before changing.
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    ! Easy VPN group "vpn": pre-shared key redacted, client addresses come from
    ! SDM_POOL_1, and "acl 100" is the split-tunnel list pushed to clients, so it
    ! needs to describe the protected inside subnet (see reply #2 below).
    crypto isakmp client configuration group vpn
     key ****************
     domain msm-guest
     pool SDM_POOL_1
     acl 100
    ! Binds the group to XAUTH/authorization lists and to Virtual-Template1.
    crypto isakmp profile sdm-ike-profile-1
       match identity group vpn
       client authentication list sdm_vpn_xauth_ml_1
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    ! Phase 2 transform set (3DES / SHA-1 -- same legacy caveat as phase 1) and
    ! the IPsec profile protecting Virtual-Template1.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec profile SDM_Profile1
     set transform-set ESP-3DES-SHA
     set isakmp-profile sdm-ike-profile-1
    ! Loopback0 lends its address to the unnumbered Virtual-Template1 below.
    interface Loopback0
     ip address
    ! FastEthernet0-3 carry no per-port configuration.
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    ! WAN port: restrictive inbound ACL, permit-all outbound ACL with CBAC
    ! inspection, NAT outside.
    interface FastEthernet4
     description $ETH-WAN$
     ip address
     ip access-group Internet-inbound-ACL in
     ip access-group Internet-outbound-ACL out
     ip inspect MYFW out
     ip nat outside
     ip virtual-reassembly
     ip tcp adjust-mss 1460
     duplex auto
     speed auto
     no cdp enable
    ! Per-client IPsec tunnel interface cloned from the isakmp profile's
    ! "virtual-template 1". Note it carries no "ip nat inside/outside" statement.
    interface Virtual-Template1 type tunnel
     ip unnumbered Loopback0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1
    ! Inside LAN (address redacted), NAT inside.
    interface Vlan1
     description Internal Network
     ip address
     ip nat inside
     ip virtual-reassembly
    ! Address pool handed to VPN clients (range redacted; presumably a dedicated
    ! range outside the Vlan1 subnet).
    ip local pool SDM_POOL_1
    ip classless
    ip route
    ! Management: plaintext HTTP is enabled alongside HTTPS. Internet-inbound-ACL
    ! below permits no tcp at all, so neither is reachable from the WAN, but
    ! "no ip http server" would still remove the cleartext path for inside/VPN users.
    ip http server
    ip http secure-server
    ! Overload NAT on FastEthernet4 for sources matching access-list 1 (operand
    ! redacted). Reply #3 replaces this with a "route-map nonat" so that traffic
    ! from the inside subnet to the VPN pool is excluded from translation.
    ip nat inside source list 1 interface FastEthernet4 overload
    ! WAN inbound filter (host operands redacted): IKE / NAT-T, ESP and AH to the
    ! router's own address, DNS replies from (presumably) the two name servers above,
    ! ICMP echo / echo-reply / traceroute, and GRE / ESP from anywhere. Return
    ! tcp/udp traffic is admitted by "ip inspect MYFW out", not by this list.
    ! No GRE tunnel is configured anywhere in this listing and ESP is already
    ! permitted to the router's own host, so "permit gre any any" and the trailing
    ! "permit esp any any" look broader than needed -- worth confirming.
    ip access-list extended Internet-inbound-ACL
     remark SDM_ACL Category=17
     permit udp any host eq non500-isakmp
     permit udp any host eq isakmp
     permit esp any host
     permit ahp any host
     permit udp host eq domain any
     permit udp host eq domain any
     permit icmp any any echo
     permit icmp any any echo-reply
     permit icmp any any traceroute
     permit gre any any
     permit esp any any
    ! No egress filtering.
    ip access-list extended Internet-outbound-ACL
     permit ip any any
    ! access-list 1: NAT inside source (operand redacted).
    ! access-list 100: split-tunnel list for group "vpn" (operand redacted); per
    ! reply #2 it should name the secured inside network, not the VPN network.
    access-list 1 permit
    access-list 100 remark SDM_ACL Category=4
    access-list 100 permit ip any
    banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
    ! With aaa new-model and the local default login list, console and vty logins
    ! use the local username database; the line passwords below are type 7 (see
    ! note at top). No "transport input" restriction is shown on vty 0 4 -- confirm
    ! whether telnet is meant to be reachable.
    line con 0
     password 7 122904050605091619
     no modem enable
    line aux 0
    line vty 0 4
     password 7 14271319180A2F3917
    scheduler max-task-time 5000

  • #2
    Re: Cisco 851 VPN cannot ping secure subnet

    Your ACL 100 should match the secured network, not the VPN network. You may need a couple of deny statements in there as well, but try that first.


    • #3
      Re: Cisco 851 VPN cannot ping secure subnet

      Here are the changes to my final config that got it working. I also had to turn off the Windows Firewall on the machine I was trying to ping.

      ! Delta relative to the originally posted config (operands still redacted):
      ! access-list 1 keeps its NAT role; access-list 100 (the split-tunnel list for
      ! group "vpn") presumably now names the protected inside subnet, per reply #2.
      access-list 1 permit
      access-list 100 permit ip any
      ! access-list 120 drives NAT exemption: the deny entry (inside subnet -> VPN
      ! pool, presumably) is excluded from translation; the final permit keeps
      ! everything else NATed as before.
      access-list 120 deny   ip
      access-list 120 permit ip any
      ! Route-map form of the overload rule replaces the plain "list 1" form. The
      ! "match ip address 120" clause is a route-map sub-command that was pasted onto
      ! the same line here.
      route-map nonat permit 10 match ip address 120
      no ip nat inside source list 1 interface FastEthernet4 overload 
      ip nat inside source route-map nonat interface FastEthernet4 overload 
      ! Exec command (not config): flushes existing translations so the new rule
      ! applies to current flows. Capitalised "Clear" as typed in the post.
      Clear ip nat translation *
      I can go back and turn on the Windows Firewall and allow exceptions for internal IPs.