Problem with Easy VPN Server

I made a tunnel between an Easy VPN Server on a Cisco 831 and Cisco VPN Client 4.0.1 on a computer. The tunnel is established. I can ping the router's private interface 10.10.0.1 from the client, but I can't ping hosts in the private network. When I do 'debug ip' the output is:

IP: s=10.10.0.252 (Ethernet1), d=10.10.0.10 (Ethernet0), g=10.10.0.10, len 48, forward TCP src=1082, dst=6670, seq=2178354019, ack=0, win=65535 SYN
IP: s=10.10.0.252 (Ethernet1), d=10.10.0.10 (Ethernet0), g=10.10.0.10, len 60, forward ICMP type=8, code=0

10.10.0.10 is a computer in the private network.

10.10.0.252 is the Cisco VPN Client.

What does 'g=10.10.0.10' mean? Is this a gateway?

When I use the SDM 2.1.1 wizard to make an Easy VPN Server on the router, it tells me that it can't make an Easy VPN Server on interface Ethernet1 because there is a GRE tunnel. Why can't I have an Easy VPN Server and a GRE tunnel on the same interface? Maybe SDM is lying to me?

I have GRE and IPSec tunnels on my router on public interface Ethernet1.

And this is my config:

aaa new-model
!
aaa authorization network groupad local
aaa session-id common
no ip source-route
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 30
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address 111.111.111.111
crypto isakmp key ********* address 222.222.222.222
crypto isakmp key ********* address 333.333.333.333
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group groupad
 key *********
 pool dynpool
!
crypto ipsec security-association lifetime kilobytes 46080000
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-md5-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_2 esp-3des esp-sha-hmac
crypto ipsec transform-set mca esp-3des esp-md5-hmac
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_CMAP_1 4
 set transform-set transform-1
 reverse-route
!
!
crypto map SDM_CMAP_1 isakmp authorization list groupad
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 1 ipsec-isakmp
 set peer 111.111.111.111
 set transform-set SDM_TRANSFORMSET_1
 set pfs group1
 match address 110
crypto map SDM_CMAP_1 2 ipsec-isakmp
 set peer 222.222.222.222
 set transform-set SDM_TRANSFORMSET_2
 set pfs group2
 match address 103
crypto map SDM_CMAP_1 3 ipsec-isakmp
 set peer 333.333.333.333
 set transform-set mca
 set pfs group1
 match address mca
crypto map SDM_CMAP_1 4 ipsec-isakmp dynamic SDM_CMAP_1
!
crypto map dynmap isakmp authorization list groupad
crypto map dynmap client configuration address respond
!
interface Tunnel0
 ip address 10.0.251.2 255.255.255.0
 ip access-group sdm_tunnel0_in in
 ip inspect f_kon out
 tunnel source Ethernet1
 tunnel destination 444.444.444.444
!
interface Tunnel1
 ip address 10.209.253.50 255.255.255.252
 ip access-group sdm_tunnel0_in in
 ip access-group fr_fout out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect firewall_falck out
 ip route-cache flow
 tunnel source Ethernet1
 tunnel destination 555.555.555.555
!
interface Ethernet0
 ip address 10.10.0.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no cdp enable
!
interface Ethernet1
 ip address 666.666.666.666 255.255.255.252
 ip access-group fr-internet in
 ip access-group fr_out out
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect firewall out
 ip route-cache flow
 duplex auto
 no cdp enable
 crypto map SDM_CMAP_1
!
ip local pool dynpool 10.10.0.250 10.10.0.254
ip classless
ip route 0.0.0.0 0.0.0.0 888.888.888.889
ip route 10.0.0.0 255.255.255.0 Tunnel0
ip route 10.0.251.0 255.255.255.0 Tunnel0
ip route 10.209.0.0 255.255.0.0 Tunnel1
ip route 999.999.999.999 255.255.255.224 Tunnel1
ip nat pool net-2 666.666.666.666 666.666.666.666 netmask 255.255.255.252
ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
!
ip access-list extended mca
 permit icmp 10.10.0.0 0.0.0.255 host 192.168.13.5
 permit icmp 10.10.0.0 0.0.0.255 host 192.168.12.7
ip access-list extended fr-internet
 permit udp host 222.222.222.222 host 666.666.666.666 eq non500-isakmp
 permit udp host 222.222.222.222 host 666.666.666.666 eq isakmp
 permit ahp host 222.222.222.222 host 666.666.666.666
 permit esp host 222.222.222.222 host 666.666.666.666
 permit ip host 192.168.1.5 10.10.0.0 0.0.0.255 log
 permit gre host 444.444.444.444 host 666.666.666.666
 permit gre host 555.555.555.555 host 666.666.666.666
 permit udp host 111.111.111.111 host 666.666.666.666 eq non500-isakmp
 permit ahp host 111.111.111.111 host 666.666.666.666
 permit esp host 111.111.111.111 host 666.666.666.666
 permit udp host 111.111.111.111 host 666.666.666.666 eq isakmp
 permit ip host 333.333.333.333 any
 permit ip host 192.168.13.5 any
 permit ip host 192.168.12.7 any
 permit ahp host 333.333.333.333 any
 permit esp host 333.333.333.333 any
 permit udp host 333.333.333.333 eq non500-isakmp any
 permit udp host 333.333.333.333 eq isakmp any
 permit ip any any log
ip access-list extended fr_fout
 permit tcp 10.10.0.0 0.0.0.255 10.209.0.0 0.0.255.255 eq 6066
 deny ip any any log
ip access-list extended fr_out
 permit ip any any
ip access-list extended sdm_tunnel0_in
 deny ip any any
!
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 192.168.13.5 log
access-list 100 deny tcp 10.10.0.0 0.0.0.255 host 192.168.1.5 eq 5900
access-list 100 deny tcp 10.10.0.0 0.0.0.255 host 192.168.1.5 eq 139
access-list 100 deny icmp 10.10.0.0 0.0.0.255 host 192.168.1.5
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 192.168.1.1
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 192.168.1.111
access-list 100 deny ip any 10.0.251.0 0.0.0.255
access-list 100 deny tcp 10.10.0.0 0.0.0.255 host 192.168.13.5 eq 5631 log
access-list 100 deny udp 10.10.0.0 0.0.0.255 host 192.168.13.5 eq 5632 log
access-list 100 deny icmp 10.10.0.0 0.0.0.255 host 192.168.13.5 log
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 192.168.12.7
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 10.10.0.250 log
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 10.10.0.251 log
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 10.10.0.252 log
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 10.10.0.253 log
access-list 100 deny ip 10.10.0.0 0.0.0.255 host 10.10.0.254 log
access-list 100 permit ip 10.10.0.0 0.0.0.255 any
access-list 103 permit ip host 666.666.666.666 host 444.444.444.444
access-list 103 permit gre host 666.666.666.666 host 444.444.444.444
access-list 103 permit esp host 666.666.666.666 host 444.444.444.444
access-list 104 permit ip host 444.444.444.444 any
access-list 104 permit ip host 222.222.222.222 any
access-list 104 permit ip host 80.241.133.83 any
access-list 110 permit ip 10.10.0.0 0.0.0.255 host 192.168.1.5 log
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 100

Thanks for the help, Piotr Pytel
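An added check, not part of the post above, for one thing visible in this config: the Easy VPN pool 10.10.0.250-10.10.0.254 sits inside the Ethernet0 subnet 10.10.0.0/24 while that interface has no ip proxy-arp, so a LAN host ARPs for the client address on the wire and the router, which owns the route to the client, never answers; the forward packet in the debug is delivered, but the reply has no way back. The script parses an IOS config for this combination; the function names are mine and the config excerpt is constructed from the post with a placeholder public address.

```python
import ipaddress
import re

# Constructed excerpt of the poster's config; 192.0.2.2 stands in for the masked public address.
SAMPLE_CONFIG = """
interface Ethernet0
 ip address 10.10.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
!
interface Ethernet1
 ip address 192.0.2.2 255.255.255.252
 ip nat outside
!
ip local pool dynpool 10.10.0.250 10.10.0.254
"""

def parse_interfaces(config):
    """Return {name: {"network": IPv4Network or None, "proxy_arp": bool}} (proxy ARP is on by default)."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # any top-level command ends the current interface block
            m = re.match(r"interface (\S+)", line)
            cur = ifaces.setdefault(m.group(1), {"network": None, "proxy_arp": True}) if m else None
        elif cur is not None:
            cmd = line.strip()
            m = re.match(r"ip address (\S+) (\S+)$", cmd)
            if m:  # ipaddress accepts the dotted mask that IOS prints after the address
                cur["network"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
            elif cmd == "no ip proxy-arp":
                cur["proxy_arp"] = False
    return ifaces

def parse_pools(config):
    """Return {pool_name: (first_address, last_address)} from 'ip local pool' lines."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)), ipaddress.IPv4Address(m.group(3)))
    return pools

def pool_findings(config):
    """List (pool, interface, subnet, proxy_arp) for each pool inside an interface subnet; False is the bad case."""
    ifaces, findings = parse_interfaces(config), []
    for pool, (lo, hi) in parse_pools(config).items():
        for name, info in ifaces.items():
            net = info["network"]
            if net is not None and (lo in net or hi in net):
                findings.append((pool, name, str(net), info["proxy_arp"]))
    return findings
```

A pool drawn from a separate subnet (reachable through the reverse-route host routes) produces no finding, which is the alternative to re-enabling proxy ARP on Ethernet0.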


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.