[nsp] Easy VPN problem

Roberto Bazan Sancho roberto.bazan at inycom.es
Wed Dec 17 13:28:01 EST 2003


Hello everybody.

I have a strange problem with an Easy VPN Server IOS configuration.

I have an 837 router configured for Internet access doing NAT; on this router I've configured Ez VPN Server.

This is my scenario:

   My Computer ------ INTERNET ----  837 Router with NAT and Ez VPN Server ----- 192.168.8.0 Network

From my computer, with Internet access and VPN client 4.0.3(A), I connect fine to the 837 Ez VPN Server, but my problem is the following:

When the tunnel is established and I ping 192.168.8.191, for example, it responds fine, but the next ping to any IP,

for example
ping 192.168.8.223 (Ethernet interface of the router)
or
ping 192.168.8.101 (a server)

does not respond.

Then I close the tunnel and reconnect; the tunnel is established fine, and I ping 192.168.8.223 and it responds fine.

Does anybody understand this?

This is my router configuration:

!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpncliente
 key cisco
 dns 192.168.4.102
 domain midominio
 pool poolprueba
 acl 197
!
!
crypto ipsec transform-set mipolitica esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set mipolitica
!
!
crypto map mapacliente client authentication list authUsuario
crypto map mapacliente isakmp authorization list authgrupo
crypto map mapacliente client configuration address respond
crypto map mapacliente 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 192.168.8.223 255.255.255.0
 ip nat inside
 ip tcp adjust-mss 1452
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/32
  pppoe-client dial-pool-number 1
 !
!
interface Dialer1
 mtu 1492
 ip address 20.20.20.20 255.255.255.0
 ip nat outside
 encapsulation ppp
 dialer pool 1
 ppp chap hostname x
 ppp chap password x
 crypto map mapacliente
!
ip local pool poolprueba 172.17.1.1 172.17.1.30
ip nat inside source list 101 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
!
access-list 101 deny   ip 172.17.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 197 permit ip 192.168.8.0 0.0.0.255 172.17.1.0 0.0.0.255
end

Thanks in advance
Roberto.
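
A check worth running against the configuration above, as an added example that is not part of the original post: it evaluates access-list 101 (the NAT overload list) and access-list 197 (the client group's tunnel list) first-match, for packets between the 192.168.8.0 LAN and the poolprueba range. The function names are this example's own, and 172.17.1.1 is simply the first address of the pool, assumed to be the one handed to the client.

```python
import ipaddress

# ACL lines copied verbatim from the configuration in the post.
CONFIG_ACLS = """\
access-list 101 deny   ip 172.17.1.0 0.0.0.255 any
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 197 permit ip 192.168.8.0 0.0.0.255 172.17.1.0 0.0.0.255
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' and return an IPv4Network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    # ipaddress accepts a Cisco wildcard (host mask) after the slash
    return ipaddress.ip_network(f"{first}/{tokens.pop(0)}", strict=False)

def parse_acls(text):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for 'ip' entries."""
    acls = {}
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[3] != "ip":
            continue
        rest = tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
    return acls

def first_match(entries, src, dst):
    """First-match evaluation, ending in the implicit deny every ACL has."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in entries:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def nat_vs_tunnel(src, dst):
    """Result of the NAT list (101) and the tunnel list (197) for one packet."""
    acls = parse_acls(CONFIG_ACLS)
    return {"nat_101": first_match(acls["101"], src, dst),
            "tunnel_197": first_match(acls["197"], src, dst)}

if __name__ == "__main__":
    # Constructed sample packets: LAN replies to the client, and the reverse.
    for src, dst in [("192.168.8.191", "172.17.1.1"), ("172.17.1.1", "192.168.8.101")]:
        print(f"{src} -> {dst}: {nat_vs_tunnel(src, dst)}")
```

The deny entry in list 101 matches on source 172.17.1.0/24, so replies from the LAN to the pool fall through to the permit entry and are eligible for the overload translation while also matching list 197. IOS applies inside-to-outside NAT before the crypto map check.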







