VPN tunnel is up but cannot ping remote router

Discussion in 'Cisco' started by louisa, Dec 9, 2011.

    Hello,
    I have successfully configured zone-based firewall and VPN on my router using SDM.
    My VPN tunnel is up but I cannot ping either the remote router or the LAN.

    I have checked my firewall on the SDM and discovered that there is a red mark on
    class-map: sdm-access and
    class-map: sdm-cls-vpnoutsidetoinside-1
    I don't know if that's the problem, but I need help to resolve this.

    My configuration files are pasted below

    Thanks for your assistance



    ! Last configuration change at 07:47:47 UTC Sat Dec 3 2011 by admin
    ! NVRAM config last updated at 07:49:22 UTC Sat Dec 3 2011 by huof
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    !
    hostname R1
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    no logging buffered
    enable secret 5 $1$R49J$VcSixS5k0fEA.WAHYKgm70
    !
    aaa new-model
    !
    !
    aaa authentication login default local enable
    !
    !
    aaa session-id common
    memory-size iomem 10
    !
    dot11 syslog
    ip source-route
    !
    !
    ip cef
    !
    !
    no ip bootp server
    no ip domain lookup
    ip domain name UKMETALS.com
    ip ips config location flash:/ retries 1
    ip ips notify SDEE
    ip ips name sdm_ips_rule
    !
    ip ips signature-category
    category all
    retired true
    category ios_ips basic
    retired false
    !
    login block-for 60 attempts 2 within 30
    login on-failure log
    !
    no ipv6 cef
    multilink bundle-name authenticated
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    voice-card 0
    no dspfarm
    !
    !
    crypto pki trustpoint TP-self-signed-1356861678
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1356861678
    revocation-check none
    rsakeypair TP-self-signed-1356861678
    !
    !
    !
    !
    username admin01 secret 5 $1$GDGV$73nID5h872U7./gtfFLws0
    archive
    log config
    hidekeys
    !
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 10
    encr aes 256
    hash md5
    authentication pre-share
    group 5
    crypto isakmp key ukmetalsvpn55 address 10.20.20.1
    !
    !
    crypto ipsec transform-set Assignment-Transform esp-aes 256 esp-sha-hmac
    !
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to10.20.20.1
    set peer 10.20.20.1
    set transform-set Assignment-Transform
    match address 102
    !
    !
    crypto key pubkey-chain rsa
    named-key realm-cisco.pub
    key-string
    30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
    00C19E93 A8AF124A D6CC7A24 5097A975 206BE3A2 06FBA13F 6F12CB5B 4E441F16
    17E630D5 C02AC252 912BE27F 37FDD9C8 11FC7AF7 DCDD81D9 43CDABC3 6007D128
    B199ABCB D34ED0F9 085FADC1 359C189E F30AF10A C0EFB624 7E0764BF 3E53053E
    5B2146A9 D7A5EDE3 0298AF03 DED7A5B8 9479039D 20F30663 9AC64B93 C0112A35
    FE3F0C87 89BCB7BB 994AE74C FA9E481D F65875D6 85EAF974 6D9CC8E3 F0B08B85
    50437722 FFBE85B9 5E4189FF CC189CB9 69C46F9C A84DFBA5 7A0AF99E AD768C36
    006CF498 079F88F8 A3B3FB1F 9FB7B3CB 5539E1D1 9693CCBB 551F78D2 892356AE
    2F56D826 8918EF3C 80CA4F4D 87BFCA3B BFF668E9 689782A5 CF31CB6E B4B094D3
    F3020301 0001
    quit
    !
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    !
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
    match access-group 104
    class-map type inspect match-any SDM_HTTPS
    match access-group name SDM_HTTPS
    class-map type inspect match-any SDM_SSH
    match access-group name SDM_SSH
    class-map type inspect match-any SDM_SHELL
    match access-group name SDM_SHELL
    class-map type inspect match-any sdm-cls-access
    match class-map SDM_HTTPS
    match class-map SDM_SSH
    match class-map SDM_SHELL
    class-map type inspect match-any SDM_AH
    match access-group name SDM_AH
    class-map type inspect match-any sdm-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all sdm-insp-traffic
    match class-map sdm-cls-insp-traffic
    class-map type inspect match-any SDM_ESP
    match access-group name SDM_ESP
    class-map type inspect match-any SDM_VPN_TRAFFIC
    match protocol isakmp
    match protocol ipsec-msft
    match class-map SDM_AH
    match class-map SDM_ESP
    class-map type inspect match-all SDM_VPN_PT
    match access-group 103
    match class-map SDM_VPN_TRAFFIC
    class-map type inspect match-any sdm-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all sdm-access
    match class-map sdm-cls-access
    match access-group 101
    class-map type inspect match-all sdm-icmp-access
    match class-map sdm-cls-icmp-access
    class-map type inspect match-all sdm-invalid-src
    match access-group 100
    class-map type inspect match-all sdm-protocol-http
    match protocol http
    !
    !
    policy-map type inspect sdm-permit-icmpreply
    class type inspect sdm-icmp-access
    inspect
    class class-default
    pass
    policy-map type inspect sdm-pol-VPNOutsideToInside-1
    class type inspect sdm-cls-VPNOutsideToInside-1
    pass
    class class-default
    drop
    policy-map type inspect sdm-inspect
    class type inspect sdm-invalid-src
    drop log
    class type inspect sdm-insp-traffic
    inspect
    class type inspect sdm-protocol-http
    inspect
    class class-default
    drop
    policy-map type inspect sdm-permit
    class type inspect SDM_VPN_PT
    pass
    class type inspect sdm-access
    class class-default
    drop
    !
    zone security out-zone
    zone security in-zone
    zone-pair security sdm-zp-self-out source self destination out-zone
    service-policy type inspect sdm-permit-icmpreply
    zone-pair security sdm-zp-out-self source out-zone destination self
    service-policy type inspect sdm-permit
    zone-pair security sdm-zp-in-out source in-zone destination out-zone
    service-policy type inspect sdm-inspect
    zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-VPNOutsideToInside-1
    !
    !
    !
    !
    interface FastEthernet0/0
    no ip address
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet0/1
    description $FW_INSIDE$
    ip address 172.16.1.1 255.255.255.0
    ip ips sdm_ips_rule in
    ip virtual-reassembly
    zone-member security in-zone
    duplex auto
    speed auto
    no shutdown
    !
    interface Serial0/0/0
    description $FW_OUTSIDE$
    ip address 10.10.10.1 255.255.255.252
    ip ips sdm_ips_rule in
    ip virtual-reassembly
    zone-member security out-zone
    clock rate 64000
    crypto map SDM_CMAP_1
    no shutdown
    !
    interface Serial0/0/1
    no ip address
    shutdown
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Serial0/0/0
    ip http server
    ip http secure-server
    !
    !
    !
    ip access-list extended SDM_AH
    remark SDM_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_ESP
    remark SDM_ACL Category=1
    permit esp any any
    ip access-list extended SDM_HTTPS
    remark SDM_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended SDM_SHELL
    remark SDM_ACL Category=1
    permit tcp any any eq cmd
    ip access-list extended SDM_SSH
    remark SDM_ACL Category=1
    permit tcp any any eq 22
    !
    logging trap critical
    logging 172.16.1.3
    access-list 100 remark SDM_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip 10.10.10.0 0.0.0.3 any
    access-list 101 remark SDM_ACL Category=128
    access-list 101 permit ip host 172.16.3.3 any
    access-list 102 remark SDM_ACL Category=4
    access-list 102 remark IPSec Rule
    access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
    access-list 103 remark SDM_ACL Category=128
    access-list 103 permit ip host 10.20.20.1 any
    access-list 104 remark SDM_ACL Category=0
    access-list 104 remark IPSec Rule
    access-list 104 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
     
    louisa, Dec 9, 2011
    #1
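Added example, not part of louisa's post and not SDM or IOS code: a small offline lint that reads the zone-based-firewall and IPsec parts of the configuration pasted above and reports two things a reviewer checks first on a "tunnel up, no traffic" case. First, every class under a `policy-map type inspect` that carries no `inspect`, `pass` or `drop` line; ZBF applies its default action, drop, to such a class, and in the posted `sdm-permit` policy the `sdm-access` class is exactly that. Second, whether the ACL behind the crypto map (`match address 102`) and the ACL behind the out-zone to in-zone VPN zone-pair (access-group 104) are mirror images of each other, which they are here. The embedded config is a constructed excerpt of the post, copied without the indentation the forum stripped; the function names, the `ACTION_KEYWORDS` set and the `BLOCK_END` pattern are this example's own assumptions.

```python
"""Added example, not part of louisa's post: an offline lint for the
zone-based-firewall (ZBF) and IPsec parts of the IOS config pasted above."""
import re

# Constructed excerpt of the posted running-config, without the indentation
# the forum stripped. Only the lines the two checks need are kept.
CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
match address 102
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 104
class-map type inspect match-all sdm-access
match access-group 101
!
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
pass
class class-default
drop
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
pass
class type inspect sdm-access
class class-default
drop
!
access-list 102 permit ip 172.16.1.0 0.0.0.255 172.16.3.0 0.0.0.255
access-list 104 permit ip 172.16.3.0 0.0.0.255 172.16.1.0 0.0.0.255
"""

# First word of the action lines IOS accepts under a class in an inspect policy (assumed set).
ACTION_KEYWORDS = {"inspect", "pass", "drop", "police", "service-policy"}
# Lines that end the current block when the config carries no indentation (assumed).
BLOCK_END = re.compile(r"^(!|class-map |policy-map |zone |interface |access-list |ip |crypto )")


def parse_inspect_policies(config):
    """Return {policy_map: {class_name: [action lines]}} for every inspect policy-map."""
    policies, current, cls = {}, None, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"policy-map type inspect (\S+)$", line)
        if m:
            current, cls = policies.setdefault(m.group(1), {}), None
            continue
        if current is None:
            continue
        if BLOCK_END.match(line):
            current, cls = None, None
            continue
        m = re.match(r"class (?:type inspect )?(\S+)$", line)
        if m:
            cls = m.group(1)
            current[cls] = []
        elif cls is not None and line:
            current[cls].append(line)
    return policies


def classes_without_action(policies):
    """Classes with no action line; ZBF's default for such a class is drop."""
    return [(pol, cls) for pol, classes in policies.items()
            for cls, actions in classes.items()
            if not any(a.split()[0] in ACTION_KEYWORDS for a in actions)]


def block_value(config, block_start, key):
    """Last word of the first `key ...` line inside the block beginning with `block_start`."""
    inside = False
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith(block_start):
            inside = True
        elif BLOCK_END.match(line):
            inside = False
        if inside and line.startswith(key):
            return line.split()[-1]
    return None


def acl_entries(config, number):
    """(src, src-wildcard, dst, dst-wildcard) of each `permit ip` line of a numbered ACL."""
    pat = re.compile(rf"access-list {number} permit ip (\S+) (\S+) (\S+) (\S+)$")
    return {m.groups() for m in map(pat.match, map(str.strip, config.splitlines())) if m}


def is_mirror(config, acl_a, acl_b):
    """True when acl_b is acl_a with source and destination swapped on every entry."""
    a = acl_entries(config, acl_a)
    b = {(d, dw, s, sw) for (s, sw, d, dw) in acl_entries(config, acl_b)}
    return bool(a) and a == b


def lint(config):
    """Human-readable findings for the two checks."""
    findings = [f"policy-map {pol}: class {cls} has no action, ZBF drops it by default"
                for pol, cls in classes_without_action(parse_inspect_policies(config))]
    crypto_acl = block_value(config, "crypto map SDM_CMAP_1 ", "match address ")
    vpn_acl = block_value(config, "class-map type inspect match-all sdm-cls-VPNOutsideToInside-1",
                          "match access-group ")
    if not (crypto_acl and vpn_acl and is_mirror(config, crypto_acl, vpn_acl)):
        findings.append(f"VPN zone-pair ACL {vpn_acl} is not the mirror of crypto ACL {crypto_acl}")
    return findings
```

Run `lint(CONFIG)` against the excerpt and the only finding is the action-less `sdm-access` class in `sdm-permit`; the crypto ACL and the zone-pair ACL check out as mirrors. The lint is structural only: it says nothing about the strength of the ISAKMP policies in the post (`encr 3des`, `hash md5`) or about the pre-shared key sitting in the configuration, which a reviewer would raise separately.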
