Cisco SOHO 91 VPN, no traffic coming back through tunnel

Discussion in 'Network Routers' started by JayFromFarAway, May 12, 2007.

    Group,

    I set up a simple VPN on my Cisco SOHO 91 using info that I've found around
    the net and I'm having what seems to be an access list or maybe a NAT
    problem. I can connect with the Cisco 4.6 VPN Client and I see packets
    getting encrypted and decrypted, and the route listed in the client while
    I'm connected looks fine, 10.10.10.0 255.255.255.0, but I still can't ping
    anything on the LAN. Actually, I can ping but I'm not getting any packets
    to come back through the tunnel. I've debugged ICMP so I can see the
    responses being sent to the client but as I said, nothing comes back through
    the tunnel. My other suspicion is that it's a NAT issue and it's somehow
    not forwarding packets back through the tunnel. Anyway, I've included my
    config below, if you could take a look and give me some advice on how to fix
    it I'd appreciate it. By the way, I have an early version of the SOHO 91 so
    I really can't upgrade the IOS because it already has its maximum amount
    of memory at 32mb. I believe my version supports everything I'm trying to
    do since I can connect and secure the tunnel with no problem, so hopefully
    you all have an answer for me. I have to do all this manually because you
    can't run SDM on a SOHO 91, but I've compared my config to an SDM version
    and it looks pretty solid, but I'm sure I'm missing something. My version
    info follows, and then the current config. And by the way, any other advice
    about my config is welcomed...

    Thanks very much, Jay.

    Version info:

    ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
    ROM: SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT
    RELEASE SOFTWARE (fc1)

    CISCO SOHO91 (MPC857DSL) processor (revision 0x300) with 31130K/1638K bytes
    of memory.
    Processor board ID AMB08310BH3 (878404472), with hardware revision 0000
    CPU rev number 7
    Bridging software.
    2 Ethernet/IEEE 802.3 interface(s)
    128K bytes of non-volatile configuration memory.
    8192K bytes of processor board System flash (Read/Write)
    2048K bytes of processor board Web flash (Read/Write)

    Config:

    !
    version 12.3
    no service pad
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    !
    hostname MyCisco91
    !
    memory-size iomem 5
    no logging buffered
    enable secret 5 XXXXX
    enable password 7 XXXXX
    !
    username admin password 7 XXXXX
    !
    aaa new-model
    !
    !
    aaa authorization network hw-client-groupname local
    aaa session-id common
    ip subnet-zero
    ip domain name dsl-hawaiiantel.net
    ip name-server 4.2.2.4
    ip name-server 4.2.2.5
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.10.10.20 10.10.10.30
    !
    ip dhcp pool CLIENT
    import all
    network 10.10.10.0 255.255.255.0
    default-router 10.10.10.1
    dns-server 4.2.2.4 4.2.2.5
    domain-name dsl-hawaiiantel.net
    lease 0 2
    !
    ip cef
    ip inspect name myfw cuseeme timeout 3600
    ip inspect name myfw ftp timeout 3600
    ip inspect name myfw rcmd timeout 3600
    ip inspect name myfw realaudio timeout 3600
    ip inspect name myfw tftp timeout 30
    ip inspect name myfw udp timeout 15
    ip inspect name myfw tcp timeout 3600
    ip inspect name myfw h323 timeout 3600
    ip ssh port 2222 rotary 1
    !
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local dynpool
    !
    crypto isakmp client configuration group USERID1
    key 0 XXXXX
    dns 4.2.2.4 4.2.2.5
    domain dsl-hawaiiantel.net
    pool dynpool
    acl 199
    !
    crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
    !
    crypto dynamic-map dynmap 1
    set transform-set transform-1
    reverse-route
    !
    crypto map dynmap isakmp authorization list hw-client-groupname
    crypto map dynmap client configuration address respond
    crypto map dynmap 1 ipsec-isakmp dynamic dynmap
    !
    interface Ethernet0
    ip address 10.10.10.1 255.255.255.0
    ip nat inside
    no cdp enable
    hold-queue 32 in
    !
    interface Ethernet1
    ip address dhcp client-id Ethernet1
    ip access-group 111 in
    ip nat outside
    ip inspect myfw out
    duplex auto
    no cdp enable
    crypto map dynmap
    !
    ip local pool dynpool 10.10.10.20 10.10.10.30
    !
    ip nat inside source list 102 interface Ethernet1 overload
    !
    ip classless
    ip http server
    no ip http secure-server
    !
    access-list 102 permit ip 10.10.10.0 0.0.0.255 any
    !
    access-list 111 permit tcp any any eq pop3
    access-list 111 permit tcp any any eq smtp
    access-list 111 permit tcp any any eq ftp
    access-list 111 permit tcp any any eq www
    access-list 111 permit tcp any any eq telnet
    access-list 111 permit udp any any eq echo
    access-list 111 permit icmp any any administratively-prohibited
    access-list 111 permit icmp any any echo
    access-list 111 permit icmp any any echo-reply
    access-list 111 permit icmp any any packet-too-big
    access-list 111 permit icmp any any time-exceeded
    access-list 111 permit icmp any any traceroute
    access-list 111 permit icmp any any unreachable
    access-list 111 permit udp any eq bootps any eq bootpc
    access-list 111 permit udp any eq bootps any eq bootps
    access-list 111 permit udp any eq domain any
    access-list 111 permit esp any any
    access-list 111 permit udp any any eq isakmp
    access-list 111 permit udp any any eq non500-isakmp
    access-list 111 permit udp any any eq netbios-ns
    access-list 111 permit udp any any eq netbios-dgm
    access-list 111 permit gre any any
    access-list 111 permit tcp any any eq 22
    access-list 111 permit tcp any any eq 81
    access-list 111 permit tcp any any eq 139
    access-list 111 permit tcp any any eq 1723
    access-list 111 permit tcp any any eq 3389
    access-list 111 permit udp any any eq 8767
    access-list 111 permit udp any any eq 10000
    access-list 111 permit tcp any any eq 2222
    access-list 111 deny ip any any
    !
    access-list 199 permit ip 10.10.10.0 0.0.0.255 any
    !
    no cdp run
    !
    line con 0
    exec-timeout 120 0
    no modem enable
    stopbits 1
    line aux 0
    line vty 0 4
    exec-timeout 120 0
    rotary 1
    length 25
    !
    scheduler max-task-time 5000
    !
    end
     
    JayFromFarAway, May 12, 2007
    #1
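As an added example, not part of the thread: a small Python checker (a hypothetical helper written for this page, not Cisco tooling) that parses the NAT-related lines of the posted config. It reports that NAT list 102 permits 10.10.10.0/24 to any, which includes the VPN pool 10.10.10.20-30, so a LAN reply to a VPN client is translated to Ethernet1's address before the crypto map is consulted (inside-to-outside NAT runs before encryption on IOS), and it generates the deny entries that would exempt that traffic from translation.

```python
import ipaddress
import re

# Constructed excerpt of the config quoted in the post (hypothetical helper, not Cisco tooling).
SAMPLE_CONFIG = """\
ip local pool dynpool 10.10.10.20 10.10.10.30
ip nat inside source list 102 interface Ethernet1 overload
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
"""

def _addr_spec(tokens):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # Invert the IOS wildcard explicitly so a 0.0.0.0 wildcard becomes /32, not a /0 netmask.
    mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(tokens[1])))
    return ipaddress.ip_network(f"{tokens[0]}/{mask}", strict=False), tokens[2:]

def parse_ip_acl(config, number):
    """Ordered (action, src, dst) entries of numbered ACL `number` ('ip' entries only)."""
    entries = []
    for m in re.finditer(rf"^access-list {number} (permit|deny) ip (.+)$", config, re.M):
        src, rest = _addr_spec(m.group(2).split())
        dst, _ = _addr_spec(rest)
        entries.append((m.group(1), src, dst))
    return entries

def _pool_and_nat_list(config):
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)$", config, re.M)
    nat = re.search(r"^ip nat inside source list (\d+)\b", config, re.M)
    first, last = (ipaddress.ip_address(a) for a in pool.groups())
    return list(ipaddress.summarize_address_range(first, last)), nat.group(1)

def vpn_pool_nat_check(config):
    """First NAT-list entry whose destination overlaps the VPN pool, as (action, src, dst).
    'permit' means LAN replies to a VPN client get translated before the crypto map sees them."""
    pool_nets, acl = _pool_and_nat_list(config)
    for action, src, dst in parse_ip_acl(config, acl):
        if any(dst.overlaps(n) for n in pool_nets):
            return action, str(src), str(dst)
    return "no-match", None, None

def deny_lines_for_pool(config):
    """Deny entries (one per summarised pool block) to place ahead of the permit in the NAT ACL."""
    pool_nets, acl = _pool_and_nat_list(config)
    lan = next(s for a, s, _ in parse_ip_acl(config, acl) if a == "permit")
    return [f"access-list {acl} deny ip {lan.network_address} {lan.hostmask} "
            f"{n.network_address} {n.hostmask}" for n in pool_nets]
```

Feeding the same text with the generated deny lines inserted before the permit makes the check return "deny", which is what a NAT-exempt configuration looks like to this script.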
