VPN users cannot ping

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • VPN users cannot ping

    Hi,

    Small config with local VPN login for a remote user. It connects fine, but the user cannot ping the internal servers. I have replaced the confidential info with xxxxxxx

    and my public IP with 123.123.123.123
    internal LAN is 10.88.53.x

    Thanks for your help


    !
    ! Last configuration change at 08:16:11 EDT Mon Sep 17 2012 by admin
    ! NVRAM config last updated at 07:14:32 EDT Mon Sep 17 2012 by admin
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname xxxxxx
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login VPN_CLIENT_LOGIN local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network VPN_CLIENT_GROUP local
    !
    !
    aaa session-id common
    clock timezone EST -5
    clock summer-time EDT recurring
    dot11 syslog
    ip cef
    !
    !
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.88.53.1
    ip dhcp excluded-address 10.88.53.2 10.88.53.49
    ip dhcp excluded-address 10.88.53.68
    ip dhcp excluded-address 10.88.53.102
    ip dhcp excluded-address 10.88.53.105
    ip dhcp excluded-address 10.88.53.53
    ip dhcp excluded-address 10.88.53.108
    !
    ip dhcp pool UK_LAN
    network 10.88.53.0 255.255.255.0
    domain-name xxxxxxxxx
    default-router 10.88.53.1
    dns-server 10.88.53.102 109.231.227.154
    lease 8
    !
    !
    no ip domain lookup
    ip domain name xxxxxxxxxxx
    ip name-server 10.88.53.102
    login on-failure log
    login on-success log
    !
    multilink bundle-name authenticated
    crypto pki token default removal timeout 0
    !
    crypto pki trustpoint TP-self-signed-825856865
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-825856865
    revocation-check none
    rsakeypair TP-self-signed-825856865
    !
    !
    crypto pki certificate chain TP-self-signed-825856865
    certificate self-signed 01
    xxxxxx
    quit
    !
    !
    username xxxxxx
    username xxxxx
    username xxxxx
    username xxxxxx
    username xxxxxx

    archive
    log config
    hidekeys
    !
    !
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    !
    crypto isakmp client configuration group VPN_CLIENTS
    key xxxxxxxxx
    dns 10.88.53.102
    pool VPN_CLIENT_POOL
    acl 110
    !
    !
    crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map EXT_DYNAMIC_MAP 10
    set transform-set TRANS_3DES_SHA
    !
    !
    crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
    crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
    crypto map EXT_MAP client configuration address respond
    crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
    !
    !
    !
    ip ftp username xxxxx
    ip ftp password xxxxxxx
    ip ssh source-interface FastEthernet0/1
    ip ssh logging events
    ip ssh version 2
    !
    !
    !
    interface FastEthernet0/0
    ip address 10.88.53.1 255.255.255.0
    ip access-group OUTBOUND_FILTER in
    no ip redirects
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description To Internet
    ip address 123.123.123. 255.255.255.252
    ip access-group INBOUND_FILTER in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    crypto map EXT_MAP
    !
    ip local pool VPN_CLIENT_POOL 192.168.240.20 192.168.240.50
    no ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 123.123.123.123
    !
    !
    no ip http server
    ip http secure-server
    ip nat inside source list 101 interface FastEthernet0/1 overload
    !
    ip access-list standard SNMP-ACL
    permit 10.75.139.90
    deny any log
    ip access-list standard SSH-ACL
    permit xxxxxxxxxx
    permit xxxxxxxxxxx
    permit xxxxxxxxxxx
    !
    ip access-list extended INBOUND_FILTER
    permit udp any eq domain any
    permit tcp any eq domain any
    permit tcp any eq www any
    permit tcp any eq 563 any
    permit udp any eq 563 any
    permit tcp any eq 443 any
    permit udp any eq 443 any
    permit tcp any any eq 1723
    permit tcp any eq ftp any
    permit gre any any
    permit tcp any eq 3389 any
    permit tcp any eq ftp-data any
    permit tcp any any range 1023 65535
    permit icmp any any
    permit tcp any eq 1723 any
    permit tcp any eq smtp any
    permit tcp any eq pop3 any
    permit tcp any host 41.164.139.46
    permit tcp host xx.xx.xxx.50 host 123.123.123.123 eq 22
    permit udp any host 123.123.123.123 eq isakmp
    permit udp any host 123.123.123.123 eq non500-isakmp
    permit esp any host 123.123.123.123
    permit ahp any host 123.123.123.123

    ip access-list extended OUTBOUND_FILTER
    deny tcp 10.88.53.0 0.0.0.255 any eq smtp
    permit ip any any
    permit icmp any any
    !
    access-list 101 permit ip 10.88.53.0 0.0.0.255 any
    access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
    access-list 101 deny ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
    access-list 110 permit ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
    access-list 110 permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    banner login 
    ******************************************************************
    * WARNING *

    IF YOU ARE NOT AUTHORISED TO ACCESS THIS SYSTEM EXIT IMMEDIATELY

    Unauthorised users are subject to criminal and civil penalties
    as well as company initiated disciplinary proceedings.
    By entry into this system you acknowledge that you are
    authorised to access it and have the level of privilege at which
    you subsequently operate on this system. You consent by entry
    into this system to the monitoring of your activities.
    ******************************************************************
    
    !
    line con 0
    exec-timeout 30 0
    logging synchronous
    line aux 0
    line vty 0 4
    exec-timeout 30 0
    logging synchronous
    transport input ssh
    !
    scheduler allocate 20000 1000
    ntp clock-period 17178065
    ntp server 158.121.104.4
    ntp server 128.59.35.142
    ntp server 209.81.9.7
    end

  • #2
    Re: VPN users cannot ping

    Can the remote client reach servers over the VPN with non-ICMP traffic? i.e. TCP etc.

    Do you see traffic on the remote client being encapsulated and sent through the tunnel?
    CCNA, CCNA-Security, CCNP
    CCIE Security (In Progress)



    • #3
      Re: VPN users cannot ping

      Thanks for the quick response

      when I send ping

      The statistics on the VPN client show bytes received and sent. Likewise, they also show packets being encrypted and decrypted.

      Are my access control lists correct? Are the VPN clients using 110?

      Thanks, much appreciated



      • #4
        Re: VPN users cannot ping

        access-list 110 permit ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
        access-list 110 permit ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255

        This says anything in 10.88.0.0/16 going to 192.168.240.0/24 is sent through the tunnel. On the Cisco VPN client software there is a routing tab. This will tell you what is being encrypted and sent across the tunnel from the client side. You should see 10.88.0.0 in that column. In reality the first line of access-list 110 covers everything in the 10.88.0.0 subnet, so you don't really need the second entry.

        Can you send non icmp traffic to the remote side from the client?

        The software firewall on the end hosts may also be blocking icmp messages. (Windows Firewall etc...)
        CCNA, CCNA-Security, CCNP
        CCIE Security (In Progress)



        • #5
          Re: VPN users cannot ping

          So on the VPN client, the Router details say:

          10.88.0.0 255.255.0.0
          10.88.53.0 255.255.255.0

          What should the access list be to allow all traffic? No traffic returns, just tried HTTP as well.

          A traceroute is sending the traffic down the tunnel.

          Thanks!



          • #6
            Re: VPN users cannot ping

            This may be your issue:


            access-list 101 permit ip 10.88.53.0 0.0.0.255 any
            access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
            access-list 101 deny ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255

            Move your deny statements to the top of the ACL. I believe the return traffic from 10.88.53.0 is being NATted as it's matching the permit first.

            Change to:

            access-list 101 deny ip 10.88.0.0 0.0.255.255 192.168.240.0 0.0.0.255
            access-list 101 deny ip 10.88.53.0 0.0.0.255 192.168.240.0 0.0.0.255
            access-list 101 permit ip 10.88.53.0 0.0.0.255 any
            CCNA, CCNA-Security, CCNP
            CCIE Security (In Progress)

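The first-match behaviour that posts #4 and #6 both rely on, shown as an added example that is not part of this thread (Python written for this page, not the poster's config or any Cisco code): a small model of how IOS walks an IP ACL top to bottom with an implicit deny at the end, applied to access-list 101 as posted versus reordered, plus a check for entries that an earlier entry already covers. The ACL contents are copied from the thread; 10.88.53.102 is the internal DNS server from the config, 192.168.240.25 is a constructed address inside VPN_CLIENT_POOL, and 198.51.100.10 is a constructed internet host. Only source/destination IP matching is modelled, which is all a "permit ip" entry looks at.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not from the thread: IOS evaluates an ACL top to bottom,
# the first matching entry wins, and an implicit deny sits at the end.


@dataclass(frozen=True)
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any" or "network wildcard", e.g. "10.88.53.0 0.0.0.255"
    dst: str


def _parse(spec: str) -> Tuple[int, int]:
    """'network wildcard' -> (network, wildcard) as 32-bit ints."""
    net, wild = spec.split()
    return int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wild))


def _matches(addr: str, spec: str) -> bool:
    """IOS wildcard match: a 1 bit in the wildcard means 'don't care'."""
    if spec == "any":
        return True
    net, wild = _parse(spec)
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    n_out, w_out = _parse(outer)
    n_in, w_in = _parse(inner)
    care = ~w_out & 0xFFFFFFFF
    # every bit the outer entry pins down must be pinned to the same value by inner
    return (w_in & care) == 0 and (n_out & care) == (n_in & care)


def evaluate(acl: List[Ace], src: str, dst: str) -> Tuple[str, Optional[int]]:
    """Return (action, index of the ACE that matched); ('deny', None) is the implicit deny."""
    for i, ace in enumerate(acl):
        if _matches(src, ace.src) and _matches(dst, ace.dst):
            return ace.action, i
    return "deny", None


def is_natted(nat_acl: List[Ace], src: str, dst: str) -> bool:
    """For `ip nat inside source list <acl>`, a permit means the packet gets translated."""
    return evaluate(nat_acl, src, dst)[0] == "permit"


def shadowed(acl: List[Ace]) -> List[int]:
    """Indexes of ACEs that can never be hit because an earlier ACE covers them entirely."""
    out = []
    for i, ace in enumerate(acl):
        if any(_covers(e.src, ace.src) and _covers(e.dst, ace.dst) for e in acl[:i]):
            out.append(i)
    return out


# access-list 101 exactly as in the posted config (the NAT source list)
ACL_101_ORIGINAL = [
    Ace("permit", "10.88.53.0 0.0.0.255", "any"),
    Ace("deny", "10.88.0.0 0.0.255.255", "192.168.240.0 0.0.0.255"),
    Ace("deny", "10.88.53.0 0.0.0.255", "192.168.240.0 0.0.0.255"),
]
# access-list 101 as reordered in post #6: deny statements first
ACL_101_FIXED = [ACL_101_ORIGINAL[1], ACL_101_ORIGINAL[2], ACL_101_ORIGINAL[0]]
# access-list 110: the split-tunnel list pushed to VPN clients
ACL_110 = [
    Ace("permit", "10.88.0.0 0.0.255.255", "192.168.240.0 0.0.0.255"),
    Ace("permit", "10.88.53.0 0.0.0.255", "192.168.240.0 0.0.0.255"),
]

# Sample reply packet: the internal DNS server (from the config) answering a VPN
# client; the client and internet addresses are constructed for this example.
LAN_SERVER, VPN_CLIENT, INTERNET_HOST = "10.88.53.102", "192.168.240.25", "198.51.100.10"

if __name__ == "__main__":
    print("original 101, server -> VPN client translated:", is_natted(ACL_101_ORIGINAL, LAN_SERVER, VPN_CLIENT))
    print("fixed 101,    server -> VPN client translated:", is_natted(ACL_101_FIXED, LAN_SERVER, VPN_CLIENT))
    print("fixed 101,    server -> internet translated:  ", is_natted(ACL_101_FIXED, LAN_SERVER, INTERNET_HOST))
    print("entries in 110 that are never reached:", shadowed(ACL_110))
    print("entries in fixed 101 that are never reached:", shadowed(ACL_101_FIXED))
```

With the posted ordering the server-to-client reply hits the permit on the first line, so the router translates it instead of handing it to the crypto map, which is the symptom post #6 describes; with the denies on top the same reply is left untranslated while internet-bound traffic from the LAN is still translated. `shadowed()` also confirms post #4's remark that the second line of access-list 110 is redundant, and shows the same for the second deny in the reordered access-list 101.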


            • #7
              Re: VPN users cannot ping

              Excellent that did it. Thanks!!!

              Thank you for the fast response!



              • #8
                Re: VPN users cannot ping

                Glad I could help.
                CCNA, CCNA-Security, CCNP
                CCIE Security (In Progress)
