Problem: Cannot ping once connected on 1841 VPN from remote client?

Hi all, I know I'm missing something simple here.

Currently I can connect using Cisco Client to Cisco 1841 Server - I can telnet into the 1841 once on VPN but cannot ping/trace/telnet out to 10.11.12.13

Layout-wise I have a Soho 97 (10.11.12.13) connected to 0/0 on 1841 (10.11.12.14) with 0/1 (10.11.121.15) connecting to internal LAN switch.

Config below: THANKS for any replies...

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group LAPD
 key **********
 pool SDM_POOL_1
 include-local-lan
 max-users 4
 max-logins 4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description OUTSIDE INTERFACE 10.11.12.14
 ip address 10.11.12.14 255.255.255.0
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description INSIDE INTERFACE 10.11.121.15
 ip address 10.11.121.15 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip local pool SDM_POOL_1 10.11.12.2 10.11.12.12
ip route 0.0.0.0 0.0.0.0 10.11.12.13 permanent
!
no ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
logging trap debugging
logging 10.11.12.1
access-list 1 remark ======== HTTPS ACCESS ========
access-list 1 permit 10.11.12.0 0.0.0.255
access-list 1 permit 10.11.121.0 0.0.0.255
access-list 1 deny any
access-list 100 remark ======== INSIDE INTERFACE ACL =========
access-list 100 deny ip any host 10.11.12.2
access-list 100 deny ip any host 10.11.12.3
access-list 100 deny ip any host 10.11.12.4
access-list 100 deny ip any host 10.11.12.5
access-list 100 deny ip any host 10.11.12.6
access-list 100 deny ip any host 10.11.12.7
access-list 100 deny ip any host 10.11.12.8
access-list 100 deny ip any host 10.11.12.9
access-list 100 deny ip any host 10.11.12.10
access-list 100 deny ip any host 10.11.12.11
access-list 100 deny ip any host 10.11.12.12
access-list 100 deny ip 10.11.12.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark ======== OUTSIDE INTERFACE ACL ========
access-list 101 permit ip host 10.11.12.2 any
access-list 101 permit ip host 10.11.12.3 any
access-list 101 permit ip host 10.11.12.4 any
access-list 101 permit ip host 10.11.12.5 any
access-list 101 permit ip host 10.11.12.6 any
access-list 101 permit ip host 10.11.12.7 any
access-list 101 permit ip host 10.11.12.8 any
access-list 101 permit ip host 10.11.12.9 any
access-list 101 permit ip host 10.11.12.10 any
access-list 101 permit ip host 10.11.12.11 any
access-list 101 permit ip host 10.11.12.12 any
access-list 101 permit esp any host 10.11.12.14
access-list 101 permit ahp any host 10.11.12.14
access-list 101 permit udp any host 10.11.12.14 eq non500-isakmp
access-list 101 permit udp any host 10.11.12.14 eq isakmp
access-list 101 permit icmp any host 10.11.12.14 echo-reply
access-list 101 permit icmp any host 10.11.12.14 time-exceeded
access-list 101 permit icmp any host 10.11.12.14 unreachable
access-list 101 deny ip 10.11.121.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark ======== TELNET ACCESS ACL ========
access-list 102 permit ip 10.11.12.0 0.0.0.255 any
access-list 102 permit ip 10.11.121.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 access-class 102 in
 transport input telnet ssh
line vty 5 15
 access-class 102 in
 transport input telnet ssh
!
scheduler allocate 4000 1000
end

StevenY

I've noticed the client gets the same gateway address as its own IP address from the pool....?

Any ideas?

StevenY
