Cisco SOHO 91 VPN, no traffic coming back through tunnel

Group, not sure if this is the right group to post config questions in, but it's the only Cisco group on my news server with any traffic in it...

Anyway, I set up a simple VPN on my Cisco SOHO 91 using info that I've found around the net, and I'm having what seems to be an access-list or maybe a NAT problem. I can connect with the Cisco 4.6 VPN Client and I see packets getting encrypted and decrypted, and the route listed in the client while I'm connected looks fine, 10.10.10.0 255.255.255.0, but I still can't ping anything on the LAN. Actually, I can ping, but I'm not getting any packets to come back through the tunnel. I've debugged ICMP so I can see the responses being sent to the client, but as I said, nothing comes back through the tunnel. My other suspicion is that it's a NAT issue and it's somehow not forwarding packets back through the tunnel.

Anyway, I've included my config below; if you could take a look and give me some advice on how to fix it, I'd appreciate it. By the way, I have an early version of the SOHO 91, so I really can't upgrade the IOS because it already has its maximum amount of memory at 32 MB. I believe my version supports everything I'm trying to do, since I can connect and secure the tunnel with no problem, so hopefully you all have an answer for me. I have to do all this manually because you can't run SDM on a SOHO 91, but I've compared my config to an SDM version and it looks pretty solid, but I'm sure I'm missing something. My version info follows, and then the current config. And by the way, any other advice about my config is welcome...

Thanks very much, Jay.

Version info:

ROM: System Bootstrap, Version 12.2(8r)YN, RELEASE SOFTWARE (fc1)
ROM: SOHO91 Software (SOHO91-K9OY6-M), Version 12.3(2)XC2, EARLY DEPLOYMENT RELEASE SOFTWARE (fc1)

CISCO SOHO91 (MPC857DSL) processor (revision 0x300) with 31130K/1638K bytes of memory.
Processor board ID AMB08310BH3 (878404472), with hardware revision 0000
CPU rev number 7
Bridging software.

2 Ethernet/IEEE 802.3 interface(s)
128K bytes of non-volatile configuration memory.
8192K bytes of processor board System flash (Read/Write)
2048K bytes of processor board Web flash (Read/Write)

Config:

!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname MyCisco91
!
memory-size iomem 5
no logging buffered
enable secret 5 XXXXX
enable password 7 XXXXX
!
username admin password 7 XXXXX
!
aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa session-id common
ip subnet-zero
ip domain name dsl-hawaiiantel.net
ip name-server 4.2.2.4
ip name-server 4.2.2.5
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.20 10.10.10.30
!
ip dhcp pool CLIENT
   import all
   network 10.10.10.0 255.255.255.0
   default-router 10.10.10.1
   dns-server 4.2.2.4 4.2.2.5
   domain-name dsl-hawaiiantel.net
   lease 0 2
!
ip cef
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip ssh port 2222 rotary 1
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group USERID1
 key 0 XXXXX
 dns 4.2.2.4 4.2.2.5
 domain dsl-hawaiiantel.net
 pool dynpool
 acl 199
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
crypto map dynmap isakmp authorization list hw-client-groupname
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no cdp enable
 hold-queue 32 in
!
interface Ethernet1
 ip address dhcp client-id Ethernet1
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 duplex auto
 no cdp enable
 crypto map dynmap
!
ip local pool dynpool 10.10.10.20 10.10.10.30
!
ip nat inside source list 102 interface Ethernet1 overload
!
ip classless
ip http server
no ip http secure-server
!
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
!
access-list 111 permit tcp any any eq pop3
access-list 111 permit tcp any any eq smtp
access-list 111 permit tcp any any eq ftp
access-list 111 permit tcp any any eq www
access-list 111 permit tcp any any eq telnet
access-list 111 permit udp any any eq echo
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq non500-isakmp
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit tcp any any eq 22
access-list 111 permit tcp any any eq 81
access-list 111 permit tcp any any eq 139
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 3389
access-list 111 permit udp any any eq 8767
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 2222
access-list 111 deny ip any any
!
access-list 199 permit ip 10.10.10.0 0.0.0.255 any
!
no cdp run
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 120 0
 rotary 1
 length 25
!
scheduler max-task-time 5000
!
end

Reply to
JayFromFarAway
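Added example, not part of the thread and not Cisco code: it models the IOS order of operations that the symptoms above point at. On IOS, traffic going from a NAT-inside to a NAT-outside interface is translated before the crypto map is consulted. The posted ACL 102 permits every 10.10.10.0/24 source to any destination, and the pool address of a connected client (10.10.10.20 to .30, reachable via Ethernet1 through the reverse-route /32) is "any", so a LAN host's echo reply to the client gets its source rewritten to the Ethernet1 address, no longer matches the client's IPsec SA, and leaves in the clear instead of through the tunnel. The script below parses the posted ACL 102 and a corrected one with a NAT exemption in front of it, and walks one reply through NAT and then the SA check. Addresses other than those in the config are constructed: 10.10.10.5 is a hypothetical LAN host, 203.0.113.10 a placeholder for the router's DHCP-assigned public address, and the wildcard 10.10.10.16 0.0.0.15 (.16 to .31) is an assumed superset of the pool.

```python
"""Why a LAN host's reply to a VPN client can be swallowed by NAT on IOS.

Added example, not part of the original post or of Cisco's code. It models
the IOS order of operations for inside-to-outside traffic, where NAT runs
before the crypto map is consulted, and evaluates the posted NAT access-list
102 against a corrected one. Addresses are constructed: 10.10.10.5 stands in
for a LAN host, 10.10.10.20 is the first address of the posted dynpool, and
203.0.113.10 is a placeholder for Ethernet1's DHCP-assigned address.
"""
import ipaddress

ROUTER_OUTSIDE = "203.0.113.10"   # placeholder for Ethernet1's public address
CLIENT_POOL_ADDR = "10.10.10.20"  # from 'ip local pool dynpool 10.10.10.20 10.10.10.30'
LAN_HOST = "10.10.10.5"           # constructed LAN host replying to the client's ping
INTERNET_HOST = "4.2.2.4"         # the configured name-server, used as an Internet destination

# NAT ACL as posted: every 10.10.10.0/24 source is translated, wherever it is going.
ORIGINAL_NAT_ACL = [
    "access-list 102 permit ip 10.10.10.0 0.0.0.255 any",
]
# Corrected: exempt LAN->pool traffic before the catch-all permit. First match wins,
# so the deny must come first. 10.10.10.16 0.0.0.15 covers .16-.31, a superset of
# the pool .20-.30 (assumption: nothing else that needs NAT lives in that range).
FIXED_NAT_ACL = [
    "access-list 102 deny   ip 10.10.10.0 0.0.0.255 10.10.10.16 0.0.0.15",
    "access-list 102 permit ip 10.10.10.0 0.0.0.255 any",
]


def wild_match(addr, base, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


def _take_addr(toks):
    """Consume one address spec: 'any', 'host A', or 'A WILDCARD'."""
    if toks[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), toks[1:]
    if toks[0] == "host":
        return (toks[1], "0.0.0.0"), toks[2:]
    return (toks[0], toks[1]), toks[2:]


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' entries (protocol 'ip' only,
    which is all that ACLs 102 and 199 in the post use)."""
    aces = []
    for line in lines:
        toks = line.split()
        if len(toks) < 6 or toks[0] != "access-list" or toks[3] != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, rest = _take_addr(toks[4:])
        dst, rest = _take_addr(rest)
        if rest:
            raise ValueError(f"trailing tokens in: {line}")
        aces.append((toks[2], src, dst))
    return aces


def acl_permits(aces, src, dst):
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, (sb, sw), (db, dw) in aces:
        if wild_match(src, sb, sw) and wild_match(dst, db, dw):
            return action == "permit"
    return False


def inside_to_outside(nat_aces, src, dst):
    """Path of a packet the routing table sends out Ethernet1. 'reverse-route' in
    the dynamic map installs a /32 for the client's pool address via the outside
    interface, so a LAN reply to the client takes this path too.
      1. NAT inside->outside: if ACL 102 permits (src, dst), src becomes the
         outside address (the 'interface Ethernet1 overload' translation).
      2. Crypto map: the client's SA selects 10.10.10.0/24 <-> pool-address/32 and
         is matched against the *post-NAT* packet; a miss is forwarded in the clear.
    Returns (source address after NAT, whether the packet entered the tunnel)."""
    post_src = ROUTER_OUTSIDE if acl_permits(nat_aces, src, dst) else src
    in_tunnel = (wild_match(post_src, "10.10.10.0", "0.0.0.255")
                 and wild_match(dst, CLIENT_POOL_ADDR, "0.0.0.0"))
    return post_src, in_tunnel


def lan_reply_to_client(nat_lines):
    """The echo reply from the LAN host to the VPN client, under a given ACL 102."""
    return inside_to_outside(parse_acl(nat_lines), LAN_HOST, CLIENT_POOL_ADDR)


def lan_to_internet(nat_lines):
    """Ordinary Internet-bound LAN traffic must still be translated and not encrypted."""
    return inside_to_outside(parse_acl(nat_lines), LAN_HOST, INTERNET_HOST)


if __name__ == "__main__":
    for name, acl in (("posted", ORIGINAL_NAT_ACL), ("fixed", FIXED_NAT_ACL)):
        print(name, "reply to client:", lan_reply_to_client(acl),
              "| to Internet:", lan_to_internet(acl))
```

To confirm this on the router itself rather than in a model: with the client connected, `show ip route` should list the client's pool address as a /32 pointing out Ethernet1 (the reverse-route entry); pinging the client from a LAN host while watching `show ip nat translations` will show the LAN host's address being translated for that destination if NAT is eating the reply, and the encaps counter in `show crypto ipsec sa` will stay flat while decaps climbs. The deny line is the usual cure; putting the pool in a subnet of its own instead of inside the LAN's 10.10.10.0/24 (with a matching deny in ACL 102) is the cleaner layout, since an overlapping pool also depends on the router proxy-ARPing for pool addresses on Ethernet0.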

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.