Current Position:Home > Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

Update:10-11Source: network consolidation
Advertisement
Hii frnds,
here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
Below is the out put from the router
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
  include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1   172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
      10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C        10.2.2.2/32 is directly connected, Loopback0
C        10.10.7.0/24 is directly connected, FastEthernet0/1
L        10.10.7.1/32 is directly connected, FastEthernet0/1
C        10.10.8.0/22 is directly connected, FastEthernet0/1
L        10.10.10.1/32 is directly connected, FastEthernet0/1
      117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
      172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C        172.16.0.0/22 is directly connected, FastEthernet0/1
L        172.16.0.1/32 is directly connected, FastEthernet0/1
      172.18.0.0/32 is subnetted, 1 subnets
S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
      192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.10.0/24 is directly connected, FastEthernet0/1
L        192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1 #sh crypto ipsec sa
interface: FastEthernet0/0
    Crypto map tag: giet-vpn, local addr 117.239.xx.xx
   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
   current_peer 49.206.59.86 port 50083
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
    #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0
     local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
     current outbound spi: 0x550E70F9(1427009785)
     PFS (Y/N): N, DH group: none
     inbound esp sas:
      spi: 0x5668C75(90606709)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550169/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     inbound ah sas:
     inbound pcp sas:
     outbound esp sas:
      spi: 0x550E70F9(1427009785)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel UDP-Encaps, }
        conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
        sa timing: remaining key lifetime (k/sec): (4550170/3437)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE
     outbound ah sas:
     outbound pcp sas:

The Best Answer

Advertisement
hi  Maximilian Schojohann..
First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
so plz give me an alternate solution ....thanks in advance....