Question

No answer for my VPN problem from Cisco Forums yet...

By jay.lewis
Hi All,

I've posted a specific VPN problem in the Cisco Forums a couple of times now and haven't even received one suggestion yet... Maybe I can get some help here at TechRepublic instead :-).

I have a Cisco SOHO 91 running NAT and have a dynamic address on the outside interface from my DSL provider. I have configured IPsec VPN and can connect with no issues, but the problem is that I can ping into the tunnel from the client, but the responses don't come back through the tunnel. I have tried every variation of an access list, a route-map, a NAT pool, basically everything shown in all the Cisco configuration guides, but I still can't ping back and forth through the tunnel. My version info and my config follow; if anyone has any suggestions I'd really appreciate it - keep in mind that I need the overloading for my inside web server and other features, but I'm open to any suggestions you might have... Thanks in advance, Jay.

IOS (tm) SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(1.6)T
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2004 by cisco Systems, Inc.
Compiled Thu 04-Mar-04 01:24 by ealyon
Image text-base: 0x800131E8, data-base: 0x80A40300

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MyCisco91
!
memory-size iomem 5
no logging buffered
enable secret 5 XXXXX
enable password 7 XXXXX
!
username admin password 7 XXXXX
!
aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa session-id common
ip subnet-zero
ip domain name dsl-hawaiiantel.net
ip name-server x.x.x.x
ip name-server x.x.x.x
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server x.x.x.x x.x.x.x
   domain-name dsl-hawaiiantel.net
   lease 0 2
!
!
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip ssh port 8080 rotary 1
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group USERID1
 key 0 XXXXX
 dns 10.10.10.1 x.x.x.x x.x.x.x
 domain dsl-hawaiiantel.net
 pool dynpool
 acl 199
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip directed-broadcast
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
 crypto map dynmap
!
ip local pool dynpool 10.10.1.1 10.10.1.3
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static tcp 10.10.10.1 8080 interface Ethernet1 8080
ip nat inside source static tcp 10.10.10.2 21 interface Ethernet1 21
ip nat inside source static tcp 10.10.10.2 22 interface Ethernet1 22
ip nat inside source static tcp 10.10.10.2 80 interface Ethernet1 80
ip nat inside source static tcp 10.10.10.2 3389 interface Ethernet1 3389
ip nat inside source static tcp 10.10.10.7 25 interface Ethernet1 25
ip nat inside source static tcp 10.10.10.7 81 interface Ethernet1 81
ip nat inside source static tcp 10.10.10.7 110 interface Ethernet1 110
ip nat inside source static udp 10.10.10.7 8767 interface Ethernet1 8767
ip nat inside source static udp 10.10.10.255 7 interface Ethernet1 7
ip classless
ip http server
no ip http secure-server
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq telnet
access-list 111 permit udp any any eq echo
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 81
access-list 111 permit tcp any any eq 139
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 3389
access-list 111 permit tcp any any eq 8080
access-list 111 permit udp any any eq 8767
access-list 111 permit udp any any eq 10000
access-list 111 deny ip any any
access-list 199 deny ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 rotary 1
 length 25
!
scheduler max-task-time 5000
!
end

All Answers

Response

by jecker In reply to No answer for my VPN prob ...

In your ACL 102 you need a deny statement before your permit statement that denies traffic from your LAN to your VPN pool. This way, when the traffic hits your inside interface it will not get NATted, and then it will go through your VPN tunnel.
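The fix jecker describes, written out as an added example against the addresses in Jay's posted config (this is not configuration from the thread itself); it assumes the VPN pool stays at 10.10.1.1-10.10.1.3 and that the Ethernet1 overload NAT statement is left unchanged:

```cisco
! Before (as posted): the only entry in the NAT list is a blanket permit,
! so a reply from 10.10.10.x to a VPN client at 10.10.1.x is translated to
! the Ethernet1 address and no longer matches the IPsec SA for the tunnel.
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list 102 interface Ethernet1 overload
!
! After: numbered ACLs are first-match and IOS applies inside-to-outside NAT
! before it checks the crypto map, so the deny has to sit above the permit.
! New lines are appended to an existing numbered ACL, hence the removal first.
configure terminal
 no access-list 102
 access-list 102 remark keep LAN-to-VPN-pool traffic untranslated
 access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.10.1.0 0.0.0.255
 access-list 102 permit ip 10.10.10.0 0.0.0.255 any
end
! The NAT statement itself is unchanged and keeps referencing list 102.
!
! Drop translations created under the old list, then verify: a ping from a
! connected client should bump the pkts encaps/decaps counters in the SA
! and create no translation entry whose destination is 10.10.1.x.
clear ip nat translation *
show crypto ipsec sa
show ip nat translations
```

The reverse-route line already in the dynamic map injects the host routes for the pool, so no extra static route is needed once the traffic stops being translated.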


Thanks...

by jay.lewis In reply to Response

Thanks jecker,

I actually took care of that after I posted this - and I ended up getting the entire thing working... I had fiddled with it for about 2 weeks, then I decided to erase all the crypto commands and re-enter them, and it started working on its own - I think the crypto map was corrupted; I've read about that before but didn't try re-entering everything for nearly 2 weeks like a dumbdumb :-)

Thanks again,
Jay.
