Re: Cisco 837 Easy VPN Server



Since I noticed you are using DSL, here is another tip if telnet or any
other tcp doesn't work anyway:

config t
int ethernet 0
!this could help for tcp connections if any firewalls are on the path since
you're using xDSL, but ping will have no use of it
ip tcp adjust-mss 1452

Also try with this in global config mode:
config t
! this will disable path mtu discovery for LAN side clients since it will
remove df bit in ipsec encrypted packets:
crypto ipsec df-bit clear

B.R.
Igor



"Igor Mamuzic" <no@xxxxxxx> wrote in message
news:dpbk45$32i$1@xxxxxxxxxxxxxxxxx
> post this whole sentence from debug output "before encryption..." and
> "after encryption...".
>
> How are you pinging? With "ordinary" ping (ping 192.168.10.1)? If so this
> is a 64-byte ping so I don't think that this is an MTU issue, but just in
> case use ping with the -f option... This will generate ping packets with
> the "don't fragment" bit turned on, so if this is an MTU issue you should get
> a "Packet needs to be fragmented but DF set" message if there are no
> firewalls on the path that block such messages... Remove all firewalls on
> the path (if any) including the firewall on your PC or VPN client so that we
> can isolate the problem most accurately...
>
> Can you establish any TCP connections, for example to telnet on
> 192.168.10.1? Before you try this telnet session, don't forget to enable
> vty access from your vpn pool address space!!! Add the following statement
> to the ACL 10:
> access-list 10 permit 192.168.99.0 0.0.0.255
>
> Also after establishing vpn connection, post:
> 'show cry isakmp sa'
> 'show cry ipsec sa'
>
> B.R.
> Igor
>
>
>
> <wxu3000@xxxxxxxxx> wrote in message
> news:1136217244.587377.86480@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Hi, Igor,
> I've removed the statement of "access-list 120 permit ip
> 192.168.99.0 0.0.0.255 any" from acl 120. But unfortunately same
> result. I could not ping 192.168.10.1.
>
> I did a "debug Crypto Engine Packet Details" on the router. When I
> ping 192.168.10.1 from my pc, I could see "before decryption, blah, blah
> blah." When I ping 192.168.99.83 from the router, I could see "before
> encryption, blah, blah", and then "after encryption blah, blah".
>
> Hope this helps.
>
> Weili
>
> Igor Mamuzic wrote:
>
>> Can you remove the following statement from your crypto acl 120:
>> access-list 120 permit ip 192.168.99.0 0.0.0.255 any
>>
>> In this crypto acl you should only match traffic destined from your
>> protected networks and in your case this is 192.168.10.0 /24 net, so your
>> crypto acl should contain only: 'access-list 120 permit ip 192.168.10.0
>> 0.0.0.255 any'
>>
>> Let me know if this helps...
>>
>> B.R.
>> Igor
>>
>>
>>
>>
>> <wxu3000@xxxxxxxxx> wrote in message
>> news:1136182006.008405.272720@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>> > 1. Tracert output from my PC:
>> >
>> > C:\Documents and Settings\Eric Xu>tracert 192.168.10.1
>> >
>> > Tracing route to 192.168.10.1 over a maximum of 30 hops
>> >
>> > 1 * * * Request timed out.
>> >
>> > 2. "sh ip route" from the router:
>> >
>> > 202.173.159.0/32 is subnetted, 1 subnets
>> > C 202.173.159.34 is directly connected, Dialer1
>> > 202.173.158.0/32 is subnetted, 1 subnets
>> > C 202.173.158.149 is directly connected, Dialer1
>> > C 192.168.10.0/24 is directly connected, Ethernet0
>> > 192.168.99.0/32 is subnetted, 1 subnets
>> > S 192.168.99.81 [1/0] via 61.140.190.148
>> > 10.0.0.0/32 is subnetted, 2 subnets
>> > S 10.1.28.2 [1/0] via 192.168.10.6
>> > S 10.1.28.13 [1/0] via 192.168.10.6
>> > S* 0.0.0.0/0 is directly connected, Dialer1
>> >
>
>
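The two tips at the top of the thread ("ip tcp adjust-mss 1452" and "crypto ipsec df-bit clear") both exist because a cleartext packet that fits the LAN grows once it is ESP-encapsulated and then has to cross a PPPoE link with a 1492-byte MTU. The following Python is an added example, not code from the thread or from Cisco: it models what a tunnel endpoint does with an oversized packet depending on the DF bit, whether the DF bit is cleared on the encrypted packet, and whether a firewall on the path swallows the "fragmentation needed" ICMP message (the black-hole case Igor asks Weili to rule out). The PPPoE MTU of 1492 and the rounded ESP tunnel overhead of 58 bytes are assumptions; adjust them for your own link and transform set.

```python
"""Added example (not from the thread): a small model of the MTU / DF-bit
behaviour behind the 'ip tcp adjust-mss' and 'crypto ipsec df-bit clear' tips."""
from dataclasses import dataclass

IPV4_HEADER = 20
TCP_HEADER = 20
ICMP_HEADER = 8
PPPOE_MTU = 1492          # assumed: Ethernet 1500 minus 8 bytes of PPPoE/PPP
ESP_TUNNEL_OVERHEAD = 58  # assumed, rounded: outer IP (20) + ESP header/IV/padding/ICV


def clamp_mss(path_mtu: int, tunnel_overhead: int = 0) -> int:
    """MSS at which a full-size segment still fits the link after encapsulation.
    With path_mtu=1492 and no tunnel overhead this is the 1452 used in the thread."""
    return path_mtu - tunnel_overhead - IPV4_HEADER - TCP_HEADER


def tcp_segment_len(mss: int) -> int:
    """Total IPv4 length of a TCP segment carrying `mss` bytes of payload."""
    return IPV4_HEADER + TCP_HEADER + mss


def icmp_echo_len(payload: int) -> int:
    """Total IPv4 length of an ICMP echo with `payload` data bytes."""
    return IPV4_HEADER + ICMP_HEADER + payload


@dataclass(frozen=True)
class Outcome:
    action: str          # "forwarded", "fragmented" or "dropped"
    icmp_needed: bool    # router had to send "fragmentation needed but DF set"
    black_hole: bool     # packet dropped and the sender never learned why


def forward(ip_len: int, df_set: bool, *, link_mtu: int = PPPOE_MTU,
            tunnel_overhead: int = ESP_TUNNEL_OVERHEAD,
            clear_df: bool = False, icmp_reaches_sender: bool = True) -> Outcome:
    """Decide what the tunnel endpoint does with one cleartext packet.

    clear_df models 'crypto ipsec df-bit clear': DF is not copied into the outer
    ESP header, so an oversized encrypted packet is fragmented instead of dropped.
    icmp_reaches_sender=False models a firewall on the path eating the
    'fragmentation needed' message, which turns a clean failure into a black hole.
    """
    wire_len = ip_len + tunnel_overhead
    if wire_len <= link_mtu:
        return Outcome("forwarded", False, False)
    if df_set and not clear_df:
        return Outcome("dropped", True, not icmp_reaches_sender)
    return Outcome("fragmented", False, False)


def scenario_table() -> dict:
    """Compare the cases the thread talks about; returned as a dict so it can be checked."""
    full_lan_segment = tcp_segment_len(1460)   # what a LAN host sends with no MSS clamping
    return {
        # 32-byte Windows ping: far below the MTU, MTU is not the problem here
        "default_ping": forward(icmp_echo_len(32), df_set=False).action,
        # 'ping -f' with a 1472-byte payload: 1500 bytes + ESP overhead, DF set
        "ping_f_large": forward(icmp_echo_len(1472), df_set=True).action,
        # full TCP segment, DF set, ICMP blocked by a firewall on the path
        "tcp_no_clamp_df_icmp_blocked": forward(full_lan_segment, True,
                                                icmp_reaches_sender=False).black_hole,
        # same segment, but DF cleared on the encrypted packet
        "tcp_no_clamp_df_cleared": forward(full_lan_segment, True, clear_df=True).action,
        # MSS clamped so that the encapsulated segment exactly fits the PPPoE link
        "tcp_clamped_for_tunnel": forward(
            tcp_segment_len(clamp_mss(PPPOE_MTU, ESP_TUNNEL_OVERHEAD)), True).action,
    }


if __name__ == "__main__":
    print("MSS for PPPoE only:", clamp_mss(PPPOE_MTU))
    print("MSS for PPPoE + ESP:", clamp_mss(PPPOE_MTU, ESP_TUNNEL_OVERHEAD))
    for name, result in scenario_table().items():
        print(f"{name}: {result}")
```

The model shows why a default 32-byte ping succeeds while large TCP transfers hang: the TCP segment only fails once the ESP overhead pushes it past the link MTU with DF set, and it fails silently only when the ICMP error is filtered. The thread's 1452 is the plain PPPoE value; passing the assumed tunnel overhead to `clamp_mss` gives the lower value needed for the segment to fit after encapsulation as well.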

