Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   Cisco (http://www.velocityreviews.com/forums/f27-cisco.html)
-   -   VPN tunnel is up but cannot ping remote router (http://www.velocityreviews.com/forums/t806758-vpn-tunnel-is-up-but-cannot-ping-remote-router.html)

louisa 12-09-2011 03:48 AM

VPN tunnel is up but cannot ping remote router
 
Hello,
I have succesfully configured zone based firewall and VPN on my router using SDM.
My vpn tunnel is up but i cannot ping neither the remote router nor the LAN.

I have checked my firewall on the SDM and discovered that there is red mark on
class-map:sdm-access and
class-map:sdm-cls-vpnoutsidetoinside-1
I dont know if thats the problem but i need help to resolve this

My configuration files are pasted below

Thanks for your assistance



! Last configuration change at 07:47:47 UTC Sat Dec 3 2011 by admin
! NVRAM config last updated at 07:49:22 UTC Sat Dec 3 2011 by huof
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
no logging buffered
enable secret 5 $1$R49J$VcSixS5k0fEA.WAHYKgm70
!
aaa new-model
!
!
aaa authentication login default local enable
!
!
aaa session-id common
memory-size iomem 10
!
dot11 syslog
ip source-route
!
!
ip cef
!
!
no ip bootp server
no ip domain lookup
ip domain name UKMETALS.com
ip ips config location flash:/ retries 1
ip ips notify SDEE
ip ips name sdm_ips_rule
!
ip ips signature-category
category all
retired true
category ios_ips basic
retired false
!
login block-for 60 attempts 2 within 30
login on-failure log
!
no ipv6 cef
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
voice-card 0
no dspfarm
!
!
crypto pki trustpoint TP-self-signed-1356861678
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1356861678
revocation-check none
rsakeypair TP-self-signed-1356861678
!
!
!
!
username admin01 secret 5 $1$GDGV$73nID5h872U7./gtfFLws0
archive
log config
hidekeys
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 10
encr aes 256
hash md5
authentication pre-share
group 5
crypto isakmp key ukmetalsvpn55 address 10.20.20.1
!
!
crypto ipsec transform-set Assignment-Transform esp-aes 256 esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to10.20.20.1
set peer 10.20.20.1
set transform-set Assignment-Transform
match address 102
!
!
crypto key pubkey-chain rsa
named-key realm-cisco.pub
key-string
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
F3020301 0001
quit
!
!
ip ssh time-out 60
ip ssh authentication-retries 2
ip ssh version 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any sdm-cls-access
match class-map SDM_HTTPS
match class-map SDM_SSH
match class-map SDM_SHELL
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 103
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-access
match class-map sdm-cls-access
match access-group 101
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
pass
class class-default
drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
drop
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class type inspect sdm-access
class class-default
drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description $FW_INSIDE$
ip address 172.16.1.1 255.255.255.0
ip ips sdm_ips_rule in
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
no shutdown
!
interface Serial0/0/0
description $FW_OUTSIDE$
ip address 10.10.10.1 255.255.255.252
ip ips sdm_ips_rule in
ip virtual-reassembly
zone-member security out-zone
clock rate 64000
crypto map SDM_CMAP_1
no shutdown
!
interface Serial0/0/1
no ip address
shutdown
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Serial0/0/0
ip http server
ip http secure-server
!
!
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=1
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=1
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=1
permit tcp any any eq 22
!
logging trap critical
logging 172.16.1.3
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 10.10.10.0 0.0.0.3 any
access-list 101 remark SDM_ACL Category=128
access-list 101 permit ip host 172.16.3.3 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 103 remark SDM_ACL Category=128
access-list 103 permit ip host 10.20.20.1 any
access-list 104 remark SDM_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255


All times are GMT. The time now is 04:25 AM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.