Cisco 1811 K9- VPN clients can connect, but can't connect or ping to computers

I have an 1811 that I use as a firewall. Last Friday I configured a site to site VPN for a vendor to do offsite backups. Ever since then, remote users have reported that they successfully connect their VPN clients, but all traffic (email, remote desktop) is denied. Any ideas?

Pappy

On Jan 30, 3:30 pm, Pappy wrote:

Here is the config:

!This is the running config of the router: 172.25.2.2
!----------------------------------------------------------------------------
!version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
logging buffered 4096 debugging
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 group radius local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone IDLW -12
!
!
ip cef
!
!
ip domain name
ip name-server 205.152.132.23
ip name-server 205.152.37.23
ip inspect log drop-pkt
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name SDM_LOW https
ip ips sdf location flash://128MB.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
!
crypto pki trustpoint TP-self-signed-1675073411
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1675073411
 revocation-check none
 rsakeypair TP-self-signed-1675073411
!
!
crypto pki certificate chain TP-self-signed-1675073411
 certificate self-signed 01
  3082024E 308201B7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363735 30373334 3131301E 170D3038 30353133 31323230
  35365A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36373530
  37333431 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100E912 A1301C77 6B8EDD60 B00051A5 2F61DE43 10159F74 6215BFD1 F810F8E1
  C467E7AB A8CAC680 E298DDB1 829BD994 D417589C E8AEFF93 7D1FE2C4 B9204F9C
  842094EB 1F98D950 22B74860 5DCCC8EF 4F0C4F4A 98C59F11 9178718C 6125E117
  DA2BBF30 4C051386 03AE9275 17A563D5 F983575F FDECDFEE 39C43369 B2F0A27C
  2FA70203 010001A3 76307430 0F060355 1D130101 FF040530 030101FF 30210603
  551D1104 1A301882 16666973 68667279 31383131 2E747366 662E6C6F 63616C30
  1F060355 1D230418 30168014 D4A5D4B9 E8754DB9 44374330 2E982A58 8D304B94
  301D0603 551D0E04 160414D4 A5D4B9E8 754DB944 3743302E 982A588D 304B9430
  0D06092A 864886F7 0D010104 05000381 8100C5CD 62640EB3 8FB80C86 2C3FC85A
  EDC1FD62 821881D2 0F2DB398 0F9D0F46 A86838C0 9A5AFC6C DB54E0AB C24676DE
  50AFFA95 01DDE848 B69C5FF2 C4DA5B4C 58391ECE 3A342D2B 6799B66D 9CCBA31C
  99C19267 3A1047C4 52A41CA6 31B67C06 8844346E 09142955 FE695D03 9C3E7A27
  107EE3DE 20034EFF BF4108DC EACAAB6E 4FC3
  quit
username verma privilege 15 secret 5 $1$UCg9$cP4FVv8HMZ3UFC3woujSV/
!
!
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key f15hfry2v3rm@vpn address 66.55.21.162
crypto isakmp key srdBZ%sao78 address 67.78.238.2
!
crypto isakmp client configuration group RemEmp
 key fishfryemp
 dns 172.25.2.10 172.25.2.11
 domain tsff.local
 pool SDM_POOL_1
 acl 103
crypto isakmp client configuration group verma
 key =420369910002i$v
 dns 172.25.2.10 172.25.2.11
 domain tsff.local
 pool SDM_POOL_1
 acl 103
crypto isakmp client configuration group SupRem
 key letmein
 dns 172.25.2.10 172.25.2.11
 domain tsff.local
 pool SDM_POOL_1
 acl 103
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes 256 esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
 qos pre-classify
!
!
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to66.55.21.162
 set peer 66.55.21.162
 set transform-set ESP-AES-256-SHA
 match address 114
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to67.78.238.2
 set peer 67.78.238.2
 set transform-set ESP-AES-256-SHA
 match address 125
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0
 description Bellsouth Internet Service$FW_OUTSIDE$$ETH-WAN$
 ip address 12.237.113.130 255.255.255.240
 ip access-group 103 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect SDM_LOW out
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet1
 description Cox Internet Service$FW_OUTSIDE$$ETH-WAN$
 ip address 70.164.48.74 255.255.255.240
 ip verify unicast reverse-path
 ip nat outside
 ip ips sdm_ips_rule in
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
 switchport mode trunk
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$FW_INSIDE$
 ip address 172.25.2.2 255.255.254.0
 ip access-group 100 in
 ip helper-address 172.25.2.10
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Vlan10
 description $FW_INSIDE$
 ip address 172.25.4.1 255.255.255.0
 ip access-group 102 in
 ip helper-address 172.25.2.10
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Async1
 no ip address
 encapsulation slip
!
ip local pool SDM_POOL_1 192.168.2.1 192.168.2.254
ip route 0.0.0.0 0.0.0.0 12.237.113.129
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat translation timeout 300
ip nat translation tcp-timeout 300
ip nat translation icmp-timeout 5
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source static tcp 172.25.2.13 80 interface FastEthernet0 80
ip nat inside source static tcp 172.25.2.13 25 interface FastEthernet0 25
ip nat inside source static tcp 172.25.2.13 443 interface FastEthernet0 443
ip nat outside source static tcp 12.237.113.130 3000 172.25.2.220 3000 extendable
ip nat outside source static tcp 12.237.113.130 7000 172.25.2.220 7000 extendable
ip nat outside source static tcp 12.237.113.130 7021 172.25.2.220 7021 extendable
ip nat outside source static tcp 12.237.113.130 8000 172.25.2.220 8000 extendable
ip nat outside source static tcp 12.237.113.130 8001 172.25.2.220 8001 extendable
ip nat outside source static tcp 12.237.113.130 8002 172.25.2.220 8002 extendable
ip nat outside source static tcp 12.237.113.130 8003 172.25.2.220 8003 extendable
ip nat outside source static udp 12.237.113.130 8875 172.25.2.220 8875 extendable
ip nat outside source static tcp 12.237.113.130 9000 172.25.2.220 9000 extendable
ip nat outside source static tcp 12.237.113.130 9001 172.25.2.220 9001 extendable
!
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 12.237.113.128 0.0.0.15 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=16
access-list 101 permit ip 172.25.2.0 0.0.1.255 any
access-list 102 deny ip 12.237.113.128 0.0.0.15 any
access-list 102 remark auto generated by SDM firewall
access-list 102 remark SDM_ACL Category=1
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark auto generated by SDM firewall configuration
access-list 103 remark SDM_ACL Category=5
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.25.25.0 0.0.0.255 172.25.2.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 host 67.78.238.2
access-list 103 permit ip 192.168.2.0 0.0.0.255 10.4.1.0 0.0.0.255
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.4.1.0 0.0.0.255 172.25.2.0 0.0.1.255
access-list 103 permit udp host 67.78.238.2 host 12.237.113.130 eq non500-isakmp
access-list 103 permit udp host 67.78.238.2 host 12.237.113.130 eq isakmp
access-list 103 permit esp host 67.78.238.2 host 12.237.113.130
access-list 103 permit ahp host 67.78.238.2 host 12.237.113.130
access-list 103 remark Auto generated by SDM for NTP (123) 64.236.96.53
access-list 103 permit udp host 64.236.96.53 eq ntp host 12.237.113.130 eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 64.90.182.55
access-list 103 permit udp host 64.90.182.55 eq ntp host 12.237.113.130 eq ntp
access-list 103 permit ahp host 66.55.21.162 host 12.237.113.130
access-list 103 permit ahp any host 12.237.113.130
access-list 103 permit esp host 66.55.21.162 host 12.237.113.130
access-list 103 permit esp any host 12.237.113.130
access-list 103 permit udp host 66.55.21.162 host 12.237.113.130 eq isakmp
access-list 103 permit udp any host 12.237.113.130 eq isakmp
access-list 103 permit udp host 66.55.21.162 host 12.237.113.130 eq non500-isakmp
access-list 103 permit udp any host 12.237.113.130 eq non500-isakmp
access-list 103 remark Auto generated by SDM for NTP (123) 64.236.96.53
access-list 103 permit udp host 64.236.96.53 eq ntp host 12.237.113.129 eq ntp
access-list 103 remark Auto generated by SDM for NTP (123) 64.90.182.55
access-list 103 permit udp host 64.90.182.55 eq ntp host 12.237.113.129 eq ntp
access-list 103 permit ahp host 66.55.21.162 host 12.237.113.129
access-list 103 permit ahp any host 12.237.113.129
access-list 103 permit esp host 66.55.21.162 host 12.237.113.129
access-list 103 permit esp any host 12.237.113.129
access-list 103 permit udp host 66.55.21.162 host 12.237.113.129 eq isakmp
access-list 103 permit udp any host 12.237.113.129 eq isakmp
access-list 103 permit udp host 66.55.21.162 host 12.237.113.129 eq non500-isakmp
access-list 103 permit udp any host 12.237.113.129 eq non500-isakmp
access-list 103 permit udp any host 12.237.113.130 eq 8875
access-list 103 permit tcp any host 12.237.113.130 eq 7021
access-list 103 permit tcp any host 12.237.113.130 eq 3000
access-list 103 permit tcp any host 12.237.113.130 eq 9001
access-list 103 permit tcp any host 12.237.113.130 eq 9000
access-list 103 permit tcp any host 12.237.113.130 eq 8003
access-list 103 permit tcp any host 12.237.113.130 eq 8002
access-list 103 permit tcp any host 12.237.113.130 eq 8001
access-list 103 permit tcp any host 12.237.113.130 eq 8000
access-list 103 permit tcp any host 12.237.113.130 eq 7000
access-list 103 permit ip 192.168.2.0 0.0.0.255 host 66.55.21.162
access-list 103 permit ip 192.168.2.0 0.0.0.255 172.25.25.0 0.0.0.255
access-list 103 permit tcp any host 12.237.113.130 eq 443
access-list 103 permit tcp any host 12.237.113.130 eq www
access-list 103 permit tcp any host 12.237.113.130 eq smtp
access-list 103 permit tcp any host 12.237.113.130 eq 5631
access-list 103 permit tcp any host 12.237.113.130 eq 5632
access-list 103 permit tcp any host 12.237.113.130 eq 3550
access-list 103 permit tcp any host 12.237.113.130 eq 4550
access-list 103 permit tcp any host 12.237.113.130 eq 5550
access-list 103 permit tcp any host 12.237.113.130 eq 6550
access-list 103 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 66.55.21.160 0.0.0.15
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 host 64.90.182.55
access-list 103 permit ip 192.168.2.0 0.0.0.255 host 64.236.96.53
access-list 103 remark Auto generated by SDM for NTP (123) 64.90.182.55
access-list 103 deny ip 172.25.4.0 0.0.0.255 any
access-list 103 deny ip 172.25.2.0 0.0.1.255 any
access-list 103 permit icmp any host 12.237.113.130 echo-reply
access-list 103 permit icmp any host 12.237.113.130 time-exceeded
access-list 103 permit icmp any host 12.237.113.130 unreachable
access-list 103 permit tcp 66.55.21.160 0.0.0.15 host 12.237.113.130 eq 443
access-list 103 permit tcp 66.55.21.160 0.0.0.15 host 12.237.113.130 eq 22
access-list 103 permit tcp 66.55.21.160 0.0.0.15 host 12.237.113.130 eq cmd
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 127.0.0.0 0.255.255.255 any
access-list 103 deny ip host 255.255.255.255 any
access-list 103 deny ip host 0.0.0.0 any
access-list 103 deny ip any any log
access-list 104 remark SDM_ACL Category=18
access-list 104 remark IPSec Rule
access-list 104 deny ip 172.25.2.0 0.0.0.255 172.25.25.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny ip 172.25.2.0 0.0.1.255 10.4.1.0 0.0.0.255
access-list 104 deny ip 172.25.2.0 0.0.1.255 172.25.4.0 0.0.0.255
access-list 104 deny ip 66.55.21.160 0.0.0.15 192.168.2.0 0.0.0.255
access-list 104 deny ip host 64.90.182.55 192.168.2.0 0.0.0.255
access-list 104 deny ip host 64.236.96.53 192.168.2.0 0.0.0.255
access-list 104 deny ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 deny ip any 192.168.2.0 0.0.0.255
access-list 104 deny ip host 172.25.2.220 any
access-list 104 permit ip 172.25.2.0 0.0.1.255 any
access-list 104 permit ip 172.25.4.0 0.0.0.255 any
access-list 105 permit ip 172.25.2.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=2
access-list 106 deny ip host 172.25.2.13 192.168.2.0 0.0.0.255
access-list 106 permit ip host 172.25.2.13 any
access-list 106 permit ip host 192.168.1.2 any
access-list 106 deny ip host 192.168.1.2 192.168.2.0 0.0.0.255
access-list 106 deny ip host 192.168.1.2 192.168.3.0 0.0.0.255
access-list 107 remark SDM_ACL Category=2
access-list 107 permit ip host 192.168.1.3 any
access-list 107 deny ip host 192.168.1.3 192.168.2.0 0.0.0.255
access-list 107 deny ip host 192.168.1.3 192.168.3.0 0.0.0.255
access-list 108 remark SDM_ACL Category=2
access-list 108 permit ip host 192.168.1.109 any
access-list 108 deny ip host 192.168.1.109 192.168.2.0 0.0.0.255
access-list 108 deny ip host 192.168.1.109 192.168.3.0 0.0.0.255
access-list 109 remark SDM_ACL Category=2
access-list 109 permit ip host 192.168.1.129 any
access-list 109 deny ip host 192.168.1.129 192.168.2.0 0.0.0.255
access-list 109 deny ip host 192.168.1.129 192.168.3.0 0.0.0.255
access-list 110 remark SDM_ACL Category=2
access-list 110 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 110 permit ip host 172.25.2.220 any
access-list 111 remark SDM_ACL Category=2
access-list 111 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 111 permit ip host 172.25.2.220 any
access-list 112 remark SDM_ACL Category=2
access-list 112 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 112 permit ip host 172.25.2.220 any
access-list 113 remark SDM_ACL Category=2
access-list 113 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 113 permit ip host 172.25.2.220 any
access-list 114 remark SDM_ACL Category=4
access-list 114 remark IPSec Rule
access-list 114 permit ip 172.25.2.0 0.0.0.255 172.25.25.0 0.0.0.255
access-list 115 remark SDM_ACL Category=2
access-list 115 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 115 permit ip host 172.25.2.220 any
access-list 116 remark SDM_ACL Category=2
access-list 116 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 116 permit ip host 172.25.2.220 any
access-list 117 remark SDM_ACL Category=2
access-list 117 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 117 permit ip host 172.25.2.220 any
access-list 118 remark SDM_ACL Category=2
access-list 118 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 118 permit ip host 172.25.2.220 any
access-list 119 remark SDM_ACL Category=2
access-list 119 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 119 permit ip host 172.25.2.220 any
access-list 120 remark SDM_ACL Category=2
access-list 120 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 120 permit ip host 172.25.2.220 any
access-list 121 remark SDM_ACL Category=2
access-list 121 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 121 permit ip host 172.25.2.220 any
access-list 122 remark SDM_ACL Category=2
access-list 122 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 122 permit ip host 172.25.2.220 any
access-list 123 remark SDM_ACL Category=2
access-list 123 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 123 permit ip host 172.25.2.220 any
access-list 124 remark SDM_ACL Category=2
access-list 124 deny ip host 172.25.2.220 192.168.2.0 0.0.0.255
access-list 124 permit ip host 172.25.2.220 any
access-list 125 remark SDM_ACL Category=4
access-list 125 remark IPSec Rule
access-list 125 permit ip 172.25.2.0 0.0.1.255 10.4.1.0 0.0.0.255
!
!
!
route-map SDM_RMAP_15 permit 1
 match ip address 119
!
route-map SDM_RMAP_14 permit 1
 match ip address 118
!
route-map SDM_RMAP_17 permit 1
 match ip address 121
!
route-map SDM_RMAP_16 permit 1
 match ip address 120
!
route-map SDM_RMAP_11 permit 1
 match ip address 115
!
route-map SDM_RMAP_10 permit 1
 match ip address 113
!
route-map SDM_RMAP_13 permit 1
 match ip address 117
!
route-map SDM_RMAP_20 permit 1
 match ip address 124
!
route-map SDM_RMAP_12 permit 1
 match ip address 116
!
route-map SDM_RMAP_19 permit 1
 match ip address 123
!
route-map SDM_RMAP_18 permit 1
 match ip address 122
!
route-map SDM_RMAP_4 permit 1
 match ip address 107
!
route-map SDM_RMAP_5 permit 1
 match ip address 108
!
route-map SDM_RMAP_6 permit 1
 match ip address 109
!
route-map SDM_RMAP_7 permit 1
 match ip address 110
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
 match interface FastEthernet0
!
route-map SDM_RMAP_2 permit 1
 match ip address 105
 match interface FastEthernet1
!
route-map SDM_RMAP_3 permit 1
 match ip address 106
!
route-map SDM_RMAP_8 permit 1
 match ip address 111
!
route-map SDM_RMAP_9 permit 1
 match ip address 112
!
!
!
radius-server host 192.168.1.11 auth-port 1645 acct-port 1646 key v $i19963024=
radius-server host 192.168.1.10 auth-port 1645 acct-port 1646 key v $i20003024=
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Warning: Unauthorized access to this device will not be tolerated. Leave now while there is still time...
-----------------------------------------------------------------------
^C
!
line con 0
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
line vty 0 4
 access-class 23 in
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 transport input telnet ssh
!
ntp clock-period 17180130
ntp server 64.90.182.55
ntp server 64.236.96.53
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end

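Added example, not part of the post above. All three `crypto isakmp client configuration group` entries point `acl 103` at the same access list that is applied inbound on FastEthernet0, so two questions are worth answering with the list itself: what does it do to a given packet, and what would it hand a client as a split-tunnel list. The Python below is a first-match evaluator for the IOS numbered-ACL syntax the config uses, run over an excerpt of ACL 103 copied from the post in its original order (the port-forward, NTP and duplicate .129 entries are left out). The packets fed to it are constructed. Two points about IOS behaviour are my assumptions, marked in the comments and not confirmed by the post: that the split-tunnel list pushed to a client is the source side of each permit entry in the group's `acl`, and that on a 12.4 image decrypted packets are not re-checked against the interface ACL (the 12.3(8)T crypto access-check change), so the `192.168.2.0 0.0.0.255` entries only matter for cleartext packets arriving on the outside. Check both on the router with `show ip access-lists 103` and `show crypto ipsec sa`.

```python
"""First-match evaluation of the inbound ACL 103 posted above, plus the same
list read the way a client configuration group reads its `acl`.

Added example, not from the original post.  ACL_103_EXCERPT is copied from
the post in its original order (some unrelated entries omitted); the packets
in main() are constructed.  IOS behaviour noted in comments is an assumption.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set

# IOS keyword ports used in this ACL; numeric ports pass through unchanged.
NAMED_PORTS = {"ntp": 123, "isakmp": 500, "non500-isakmp": 4500,
               "www": 80, "smtp": 25, "cmd": 514}

ACL_103_EXCERPT = """
access-list 103 remark IPSec Rule
access-list 103 permit ip 172.25.25.0 0.0.0.255 172.25.2.0 0.0.0.255
access-list 103 permit ip 10.4.1.0 0.0.0.255 172.25.2.0 0.0.1.255
access-list 103 permit udp host 67.78.238.2 host 12.237.113.130 eq non500-isakmp
access-list 103 permit esp any host 12.237.113.130
access-list 103 permit udp any host 12.237.113.130 eq isakmp
access-list 103 permit udp any host 12.237.113.130 eq non500-isakmp
access-list 103 permit tcp any host 12.237.113.130 eq 443
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 deny ip 172.25.4.0 0.0.0.255 any
access-list 103 deny ip 172.25.2.0 0.0.1.255 any
access-list 103 permit icmp any host 12.237.113.130 echo-reply
access-list 103 deny ip 10.0.0.0 0.255.255.255 any
access-list 103 deny ip 172.16.0.0 0.15.255.255 any
access-list 103 deny ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip any any log
""".strip().splitlines()


@dataclass
class Ace:
    action: str                     # "permit" or "deny"
    proto: str                      # ip, tcp, udp, esp, ahp, icmp
    src: ipaddress.IPv4Network
    sport: Optional[int]
    dst: ipaddress.IPv4Network
    dport: Optional[int]
    text: str                       # the original line, for reporting


def _wildcard_net(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard (0.0.1.255) to network (172.25.2.0/23): the mask is the bitwise NOT."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_addr(tokens):
    """Consume one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return _wildcard_net(tokens[0], tokens[1]), tokens[2:]


def _take_port(tokens):
    """Consume an optional `eq PORT`; range/gt/lt are not used in this ACL."""
    if tokens and tokens[0] == "eq":
        port = tokens[1]
        return (NAMED_PORTS[port] if port in NAMED_PORTS else int(port)), tokens[2:]
    return None, tokens


def parse_acl(lines: List[str], number: int) -> List[Ace]:
    aces = []
    for line in lines:
        t = line.split()
        if len(t) < 4 or t[:2] != ["access-list", str(number)] or t[2] == "remark":
            continue
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _take_addr(rest)
        sport, rest = _take_port(rest)
        dst, rest = _take_addr(rest)
        dport, rest = _take_port(rest)   # ICMP type names and `log` stay in rest, ignored
        aces.append(Ace(action, proto, src, sport, dst, dport, line))
    return aces


ACES = parse_acl(ACL_103_EXCERPT, 103)


def first_match(aces, proto, src, dst, dport=None, sport=None) -> Optional[Ace]:
    """Return the first entry that matches the packet, or None for the implicit deny."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.sport is not None and ace.sport != sport:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace
    return None


def evaluate(proto, src, dst, dport=None, sport=None) -> str:
    ace = first_match(ACES, proto, src, dst, dport, sport)
    return ace.action if ace else "deny"


def split_tunnel_networks(aces) -> Set[str]:
    """Assumption: IOS pushes the *source* of each permit entry of the group's `acl`
    as the client's list of networks to tunnel.  Reusing an interface ACL here
    turns every `permit ... any ...` source into 0.0.0.0/0."""
    return {str(a.src) for a in aces if a.action == "permit"}


if __name__ == "__main__":
    packets = [  # constructed, as they would arrive in cleartext on FastEthernet0
        ("tcp", "192.168.2.5", "172.25.2.10", 3389),     # VPN-pool address, RDP to the LAN
        ("ip", "10.4.1.7", "172.25.3.40", None),         # vendor site-to-site traffic
        ("ip", "172.25.2.99", "172.25.2.10", None),      # spoofed inside source
        ("tcp", "203.0.113.9", "12.237.113.130", 3389),  # Internet RDP probe
    ]
    for proto, src, dst, dport in packets:
        hit = first_match(ACES, proto, src, dst, dport)
        print(f"{proto} {src} -> {dst}:{dport}: {hit.text if hit else 'implicit deny'}")
    print("as a split-tunnel list:", sorted(split_tunnel_networks(ACES)))
```

Two things fall out of running it. First, `permit ip 192.168.2.0 0.0.0.255 any` sits above `deny ip 192.168.0.0 0.0.255.255 any`, so the RFC 1918 anti-spoofing deny never sees that /24: a cleartext packet from the Internet with a pool source is accepted by the ACL and is only stopped if uRPF on FastEthernet0 rejects it. Second, read as a split-tunnel list, the permit sources of ACL 103 contain 0.0.0.0/0 (from every `any` source) but neither 172.25.2.0/23 nor 172.25.4.0/24, which is not the shape of a deliberate split-tunnel policy; the usual form is a separate ACL whose permit sources are just the inside networks behind the router.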

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.