Problem: Cannot ping once connected on 1841 VPN from remote client?

Discussion in 'Cisco' started by StevenY, May 28, 2006.

  1. StevenY

    StevenY Guest

    Hi all,
    I know I am missing something simple here.

    Currently I can connect using Cisco Client to Cisco 1841 Server - I can
    telnet into the 1841 once on VPN but cannot ping/trace/telnet out to
    10.11.12.13

    Layout-wise I have a SOHO 97 (10.11.12.13) connected to 0/0 on the 1841
    (10.11.12.14), with 0/1 (10.11.121.15) connecting to the internal LAN switch.

    Config below: THANKS for any replies...

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    crypto isakmp policy 3
    encr 3des
    group 2
    !
    crypto isakmp client configuration group LAPD
    key **********
    pool SDM_POOL_1
    include-local-lan
    max-users 4
    max-logins 4
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
    set transform-set ESP-3DES-SHA
    reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    interface Null0
    no ip unreachables
    !
    interface FastEthernet0/0
    description OUTSIDE INTERFACE 10.11.12.14
    ip address 10.11.12.14 255.255.255.0
    ip access-group 101 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip inspect DEFAULT100 out
    ip nat outside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    crypto map SDM_CMAP_1
    !
    interface FastEthernet0/1
    description INSIDE INTERFACE 10.11.121.15
    ip address 10.11.121.15 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    no mop enabled
    !
    ip local pool SDM_POOL_1 10.11.12.2 10.11.12.12
    ip route 0.0.0.0 0.0.0.0 10.11.12.13 permanent
    !
    no ip http server
    ip http access-class 1
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 600 life 86400 requests 10000
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
    !
    logging trap debugging
    logging 10.11.12.1
    access-list 1 remark ======== HTTPS ACCESS ========
    access-list 1 permit 10.11.12.0 0.0.0.255
    access-list 1 permit 10.11.121.0 0.0.0.255
    access-list 1 deny any
    access-list 100 remark ======== INSIDE INTERFACE ACL =========
    access-list 100 deny ip any host 10.11.12.2
    access-list 100 deny ip any host 10.11.12.3
    access-list 100 deny ip any host 10.11.12.4
    access-list 100 deny ip any host 10.11.12.5
    access-list 100 deny ip any host 10.11.12.6
    access-list 100 deny ip any host 10.11.12.7
    access-list 100 deny ip any host 10.11.12.8
    access-list 100 deny ip any host 10.11.12.9
    access-list 100 deny ip any host 10.11.12.10
    access-list 100 deny ip any host 10.11.12.11
    access-list 100 deny ip any host 10.11.12.12
    access-list 100 deny ip 10.11.12.0 0.0.0.255 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark ======== OUTSIDE INTERFACE ACL ========
    access-list 101 permit ip host 10.11.12.2 any
    access-list 101 permit ip host 10.11.12.3 any
    access-list 101 permit ip host 10.11.12.4 any
    access-list 101 permit ip host 10.11.12.5 any
    access-list 101 permit ip host 10.11.12.6 any
    access-list 101 permit ip host 10.11.12.7 any
    access-list 101 permit ip host 10.11.12.8 any
    access-list 101 permit ip host 10.11.12.9 any
    access-list 101 permit ip host 10.11.12.10 any
    access-list 101 permit ip host 10.11.12.11 any
    access-list 101 permit ip host 10.11.12.12 any
    access-list 101 permit esp any host 10.11.12.14
    access-list 101 permit ahp any host 10.11.12.14
    access-list 101 permit udp any host 10.11.12.14 eq non500-isakmp
    access-list 101 permit udp any host 10.11.12.14 eq isakmp
    access-list 101 permit icmp any host 10.11.12.14 echo-reply
    access-list 101 permit icmp any host 10.11.12.14 time-exceeded
    access-list 101 permit icmp any host 10.11.12.14 unreachable
    access-list 101 deny ip 10.11.121.0 0.0.0.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any log
    access-list 102 remark ======== TELNET ACCESS ACL ========
    access-list 102 permit ip 10.11.12.0 0.0.0.255 any
    access-list 102 permit ip 10.11.121.0 0.0.0.255 any
    access-list 102 deny ip any any
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 100
    !
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    access-class 102 in
    transport input telnet ssh
    line vty 5 15
    access-class 102 in
    transport input telnet ssh
    !
    scheduler allocate 4000 1000
    end
     
    StevenY, May 28, 2006
    #1
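One check worth running on a config like this, as an added example that is not from the thread or from Cisco: parse the interface addresses and the local pool, flag a pool range that falls inside a directly connected subnet (here SDM_POOL_1 10.11.12.2-10.11.12.12 sits inside FastEthernet0/0's 10.11.12.0/24), and note when proxy-arp is off on that interface, since the router will not answer ARP for pool addresses that share a segment with it. The CONFIG string is a constructed excerpt of the posted config, reduced to the stanzas the check reads.

```python
import ipaddress
import re

# Constructed excerpt of the config posted in the thread: only the stanzas the check needs.
CONFIG = """
interface FastEthernet0/0
 ip address 10.11.12.14 255.255.255.0
 no ip proxy-arp
!
interface FastEthernet0/1
 ip address 10.11.121.15 255.255.255.0
 no ip proxy-arp
!
ip local pool SDM_POOL_1 10.11.12.2 10.11.12.12
"""

def parse_interfaces(cfg):
    """Map interface name -> {'net': IPv4Network or None, 'proxy_arp': bool}."""
    ifaces, cur = {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"interface (\S+)$", line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"net": None, "proxy_arp": True}  # IOS default: proxy-arp on
        elif line == "!":  # end of the interface stanza
            cur = None
        elif cur and line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            ifaces[cur]["net"] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        elif cur and line == "no ip proxy-arp":
            ifaces[cur]["proxy_arp"] = False
    return ifaces

def parse_pools(cfg):
    """Map pool name -> (first address, last address) from 'ip local pool' lines."""
    return {m.group(1): (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
            for m in re.finditer(r"^\s*ip local pool (\S+) (\S+) (\S+)", cfg, re.M)}

def audit(cfg):
    """Flag pools that sit inside a connected subnet and note proxy-arp state there."""
    findings, ifaces = [], parse_interfaces(cfg)
    for pool, (lo, hi) in parse_pools(cfg).items():
        for name, info in ifaces.items():
            net = info["net"]
            if net is not None and (lo in net or hi in net):
                findings.append(f"{pool} {lo}-{hi} overlaps {name} subnet {net}")
                if not info["proxy_arp"]:
                    findings.append(f"{name}: no ip proxy-arp, router will not answer ARP for pool hosts on {net}")
    return findings
```

Run `audit(CONFIG)` to get the findings as a list of strings; an empty list means no pool shares a subnet with any interface.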

  2. StevenY

    StevenY Guest

    I've noticed the client gets the same gateway address as its own IP address
    from the pool...?

    Any ideas?
     
    StevenY, Jun 1, 2006
    #2