VPN - correct login but cannot ping server
16 years 7 months ago #25626
by netbaba
Admin of Wellage Community
www.wellage.net
VPN - correct login but cannot ping server was created by netbaba
My office has 192.168.1.0/24
My firewall has 192.168.1.x/192.168.2.x
My Cisco 857 has 192.168.2.x
IP of VPN 192.168.3.x/24
I use RADIUS on a server in the 192.168.1.0/24 network
The client is correctly authenticated and takes the IP 192.168.3.x but cannot ping a PC on the office's LAN, 192.168.1.101
I have enabled debug of IP packets and I can't see any ping from the VPN client to 192.168.1.101
I really can't understand
This is my configuration:
Current configuration : 3771 bytes
!
version 12.4
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
enable secret xxx
enable password xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication ppp default local group radius
aaa authorization exec default local
aaa authorization network default group radius local
aaa accounting network default start-stop group radius
!
aaa nas port extended
aaa session-id common
!
resource policy
!
no ip source-route
!
!
ip cef
ip name-server xxx
vpdn enable
!
vpdn-group TEST_VPN
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
!
username xxx
username xxx
!
!
!
!
!
interface Loopback1
ip address 192.168.3.1 255.255.255.0
!
interface ATM0
no ip address
ip nat outside
ip virtual-reassembly
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
bandwidth 1280
ip address xxx
ip nat outside
ip virtual-reassembly
no snmp trap link-status
pvc 8/35
encapsulation aal5snap
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool ippool
ppp encrypt mppe auto required
ppp authentication ms-chap-v2
ppp ipcp dns 192.168.1.101 192.168.1.102
!
interface Vlan1
ip address xxxxxx 255.255.255.248 secondary
ip address 192.168.2.2 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool ippool 192.168.3.2 192.168.3.10
ip route 0.0.0.0 0.0.0.0 ATM0.1
ip route 192.168.1.0 255.255.255.0 192.168.2.1
!
no ip http server
no ip http secure-server
ip nat inside source list 1 interface ATM0.1 overload
ip nat inside source list 2 interface ATM0.1 overload
ip nat inside source static tcp 192.168.1.102 22 xxx
ip nat inside source static tcp 192.168.1.102 25 xxx
ip nat inside source static tcp 192.168.1.102 80 xxx
ip nat inside source static tcp 192.168.1.102 443 xxx
ip nat inside source static tcp 192.168.1.102 993 xxx
ip nat inside source static tcp 192.168.1.102 995 xxx
ip nat inside source static tcp 192.168.1.101 80 xxx
ip nat inside source static tcp 192.168.1.101 3389 xxx
ip nat inside source static tcp 192.168.1.103 3389 xxx
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.2.0 0.0.0.255
no cdp run
no radius-server attribute nas-port
radius-server host 192.168.1.101 auth-port 1812 acct-port 1813
radius-server timeout 60
radius-server key xxx
!
control-plane
!
banner exec ^C
Benvenuto in Cisco 857
======================
^C
line con 0
password xxx
no modem enable
stopbits 1
line aux 0
line vty 0 4
password
!
scheduler max-task-time 5000
end
16 years 7 months ago #25627
by Chojin
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
Replied by Chojin on topic Re: VPN - correct login but cannot ping server
ping = ICMP... not IP.
If you debug IP you CANNOT see ICMP packages.
It seems IP traffic is working with your inter-vlan communication... ICMP isn't.
Hope this helps a bit.
16 years 7 months ago #25629
by netbaba
I'm sorry for the big mistake.
Also, IP doesn't work from the VPN client, because I can't see my website on the 192.168.1.101 server.
Which debug can I use to see ICMP packets?
Thanks
Admin of Wellage Community
www.wellage.net
Replied by netbaba on topic Re: VPN - correct login but cannot ping server
16 years 7 months ago #25631
by Chojin
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
Replied by Chojin on topic Re: VPN - correct login but cannot ping server
debug icmp
16 years 7 months ago #25636
by netbaba
My router (857) doesn't have debug icmp... or I can't find it...
Admin of Wellage Community
www.wellage.net
Replied by netbaba on topic Re: VPN - correct login but cannot ping server
16 years 7 months ago #25637
by Chojin
CCNA / CCNP / CCNA - Security / CCIP / Prince2 / Checkpoint CCSA
Replied by Chojin on topic Re: VPN - correct login but cannot ping server
I haven't got an 8xx series here to test it. Try debug ip icmp, for instance (or use the ? to see which options you have after debug).