Question : VPN is connected, but I can't transfer data
Hey guys, I need a little help with this. I'm making a VPN tunnel connection between a Linksys WRV54G and a Cisco 831. The connection is up; however, I can't ping (or make other connections) from it behind the Linksys. From the Cisco router itself I can ping any PC behind the Linksys, but behind the Cisco I can't ping anything behind the Linksys. Here is my config file; below are show crypto sessions and map. Thanks for all your help.
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname NetRouter
!
boot-start-marker
boot-end-marker
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.1 192.168.1.79
ip dhcp excluded-address 192.168.1.225 192.168.1.254
!
ip dhcp pool CLIENT
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 dns-server 64.**.**.** 216.**.**.**
 domain-name HumanConcepts
 lease 0 2
!
!
ip name-server 64.**.**.**
ip name-server 216.**.**.**
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip ips po max-events 100
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
 local name remote
!
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 1
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 authentication pre-share
!
crypto isakmp policy 4
 hash md5
crypto isakmp key ********** address 192.169.1.21
!
!
crypto ipsec transform-set rtpset3 esp-null esp-md5-hmac
crypto ipsec transform-set rtpset1 esp-des esp-md5-hmac
crypto ipsec transform-set rtpset2 esp-des esp-sha-hmac
crypto ipsec transform-set rtpset4 esp-null esp-sha-hmac
crypto ipsec transform-set rtpset5 esp-des
!
crypto dynamic-map clientmap 10
 set peer 192.169.1.21
 set transform-set rtpset1 rtpset2 rtpset3 rtpset4 rtpset5
 match address 101
 reverse-route
!
!
crypto map clientmap 10 ipsec-isakmp dynamic clientmap
!
!
!
interface Ethernet0
 description CRWS Generated text. Please do not delete this:192.168.1.1-255.255.255.0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 no cdp enable
 crypto map clientmap
 hold-queue 32 in
!
interface Ethernet1
 ip address 192.169.1.2 255.255.255.0
 ip nat outside
 ip inspect myfw out
 ip virtual-reassembly
 no ip mroute-cache
 duplex auto
 no cdp enable
 crypto map clientmap
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Virtual-Template1
 ip unnumbered Ethernet1
 peer default ip address pool incoming
 ppp encrypt mppe 40
 ppp authentication ms-chap-v2
!
interface Dialer1
 mtu 1492
 ip address negotiated
 ip access-group 103 in
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
!
ip local pool incoming 192.168.1.65 192.168.1.74
ip classless
ip route 0.0.0.0 0.0.0.0 192.169.1.1
ip http server
no ip http secure-server
ip nat inside source list 102 interface Ethernet1 overload
!
!
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 101 permit ip host 192.168.25.1 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip any any
access-list 108 permit ip 192.169.0.0 0.0.0.255 192.168.1.0 0.0.0.255
snmp-server community public RO
snmp-server enable traps tty
no cdp run
route-map MyMap permit 10
 match ip address 111
!
route-map nonat permit 10
 match ip address 103
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
end
Show crypto session:
Interface: Ethernet1
Session status: UP-ACTIVE
Peer: 192.169.1.21/500
  IKE SA: local 192.169.1.2/500 remote 192.169.1.21/500 Active
  IPSEC FLOW: permit ip 192.168.1.0/255.255.255.0 192.168.25.0/255.255.255.0
        Active SAs: 2, origin: dynamic crypto map

Crypto Map "clientmap" 10 ipsec-isakmp
        Dynamic map template tag: clientmap

Crypto Map "clientmap" 65536 ipsec-isakmp
        Peer = 192.169.1.21
        Extended IP access list
            access-list permit ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
            dynamic (created from dynamic map clientmap/10)
        Current peer: 192.169.1.21
        Security association lifetime: 4608000 kilobytes/3600 seconds
        PFS (Y/N): Y
        DH group: group2
        Transform sets={ rtpset1, }
        Reverse Route Injection Enabled
        Interfaces using crypto map clientmap:
                Ethernet0
                Ethernet1
Answer : VPN is connected, but I can't transfer data
Oops, you are using access-list 103 elsewhere. You'd better use a different one:
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 no match ip address 103
 match ip address 104
no ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source route-map nonat interface Ethernet1 overload
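
Why the session shows UP-ACTIVE yet LAN traffic never enters the tunnel, and why access-list 104 changes that, as an added example (not part of the original answer or the poster's config): on IOS, inside-to-outside NAT is applied before the crypto map's ACL is checked, so a source rewritten to the Ethernet1 address no longer matches access-list 101. The sketch treats route-map nonat as equivalent to the single ACL it matches, which is an assumption of the model.

```python
import ipaddress

# Constructed from the ACL lines quoted in the question and the answer.
ACLS = """
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 101 permit ip host 192.168.25.1 any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip 192.168.1.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
"""
NAT_GLOBAL = "192.169.1.2"   # Ethernet1 address used by "overload"

def _take(tokens):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    addr, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return (addr, wild), tokens[2:]

def parse(text):
    """Return {acl_number: [(action, src_spec, dst_spec), ...]} in config order."""
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue   # only extended "ip" entries are modelled
        src, rest = _take(t[4:])
        dst, _ = _take(rest)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def _hit(spec, ip):
    addr, wild = spec   # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(ip)) | wild) == (addr | wild)

def permits(acls, number, src, dst):
    """First matching entry wins; every ACL ends with an implicit deny."""
    for action, s, d in acls.get(number, []):
        if _hit(s, src) and _hit(d, dst):
            return action == "permit"
    return False

def tunnelled(acls, nat_acl, crypto_acl, src, dst):
    """True if the packet still matches the crypto ACL after outbound NAT."""
    if permits(acls, nat_acl, src, dst):
        src = NAT_GLOBAL   # source rewritten before the crypto map is checked
    return permits(acls, crypto_acl, src, dst)
```

With NAT driven by list 102, `tunnelled(parse(ACLS), "102", "101", ...)` is false for a 192.168.1.x host talking to 192.168.25.x; with list 104 it is true, while traffic to any other destination is still translated.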