Cisco 881 - Access Gateway from VPN session

Timothy Quinn
Level 1

Good Day,

I have configured my Cisco 881 and finally got past the "Cannot see my network" with IPSec VPN issue.

I have a usecase where I need to access the gateway from the VPN Session.

When I connect to the VPN using Cisco VPN Client 4.8x, I do not get back a Default Gateway on the VPN Adapter. When I try to ping my LAN Gateway IP (10.20.30.1) it does not respond and I cannot access it with any other tools.

I am pretty sure this is a very ACL issue and it makes sense to hide the gateway by default but the big question is how do I configure my router to see the Gateway and be able to access it from the VPN session?

Please see my cleaned configuration attached.

Network Info:

  • Internet Gateway to ISP: 192.168.68.1
  • DNS: 192.168.2.1
  • WAN Address for Cisco 881: 192.168.68.222
  • LAN Address on Cisco 881: 10.20.30.1
  • DHCP for LAN on Cisco 881: 10.20.30.10 - 10.20.30.50
  • DHCP for IPSec VPN: 10.20.40.10 - 10.20.40.50

Thanks in advance for your assistance!

Regards,

- JsD

Accepted Solution

Pls kindly mark this post as answered so others facing the same issue can follow the workaround provided based on your final configuration.

Great update and explanation btw. Thanks for that.


17 Replies

Timothy Quinn
Level 1

Update - I am actually having issues getting to physical hosts on Cisco 881 LAN too. This is a show stopper for me and now I am completely stuck.

Does anybody have any advice on how to get Easy VPN working on a Cisco 881???

Hi,

Please post the router config in this thread; it's not clear in Notepad.

Regards,

Mohamed

No problem. Here is the configuration from the attachment above:


Building configuration...

Current configuration : 8573 bytes
!
! Last configuration change at 20:08:52 PCTime Thu Dec 2 2010 by superuser
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpngate
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-15289216
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-15289216
revocation-check none
rsakeypair TP-self-signed-15289216
!
!
!
!
!
ip dhcp excluded-address 10.20.0.1 10.20.30.9
ip dhcp excluded-address 10.20.30.50 10.20.255.254
ip dhcp excluded-address 10.20.30.1 10.20.30.9
ip dhcp excluded-address 10.20.30.50 10.20.30.254
!
ip dhcp pool ccp-pool1
   import all
   network 10.20.30.0 255.255.255.0
   default-router 10.20.30.1
   dns-server 192.168.2.1
!
!
ip cef
no ip bootp server
ip domain name mynetwork.ca
ip name-server 192.168.2.1
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn XXXXXXXXXX
!
!
username XXXXX privilege 15 secret 5 XXXXXXXXXXXXXXXXXXXXXXX
username XXXXX secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group sjptest1
key XXXXXXXXXXXXXXXXXXXXXX
dns 192.168.2.1
pool SDM_POOL_1
acl 103
save-password
crypto isakmp profile ciscocp-ike-profile-1
   match identity group sjptest1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 10.30.99.99 255.255.255.0
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 192.168.68.222 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.20.30.1 255.255.0.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
ip local pool SDM_POOL_1 10.20.40.10 10.20.40.50
ip local pool SDM_POOL_2 10.1.1.10 10.1.1.20
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 1 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.68.1
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.20.30.0 0.0.0.255
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.20.30.0 0.0.0.255
access-list 2 permit 192.168.68.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq 22
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq 443
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq cmd
access-list 100 deny   tcp any host 192.168.68.222 eq telnet
access-list 100 deny   tcp any host 192.168.68.222 eq 22
access-list 100 deny   tcp any host 192.168.68.222 eq www
access-list 100 deny   tcp any host 192.168.68.222 eq 443
access-list 100 deny   tcp any host 192.168.68.222 eq cmd
access-list 100 deny   udp any host 192.168.68.222 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.20.30.0 0.0.0.255 any
access-list 101 permit ip 192.168.68.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq 22
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq 443
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq cmd
access-list 102 deny   tcp any host 10.20.30.1 eq telnet
access-list 102 deny   tcp any host 10.20.30.1 eq 22
access-list 102 deny   tcp any host 10.20.30.1 eq www
access-list 102 deny   tcp any host 10.20.30.1 eq 443
access-list 102 deny   tcp any host 10.20.30.1 eq cmd
access-list 102 deny   udp any host 10.20.30.1 eq snmp
access-list 102 permit ip any any
access-list 103 remark CCP_ACL Category=4
access-list 103 deny   ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
access-list 103 permit ip 10.20.30.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
!
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
bla bla bla
-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 101 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

Hi,

Please change ACL1 to the following ACL:

access-list 100 deny ip 10.20.30.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 deny ip 192.168.68.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 permit ip any any


ip nat inside source list 100 interface fastethernet4 overload

Let us know if this solves your problem,

Regards,

Mohamed

Is there a typo?

access-list 100 deny ip 10.20.20.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 deny ip 192.168.68.0 0.0.0.255 10.1.1.0 0.0.0.255

access-list 100 permit ip any any

Should that not be 10.20.30.0 ?

FYI - a support tech is on my Router right now so I will let him know of

the second deny rule to test it out...

- Tim

On Mon, Dec 6, 2010 at 3:41 PM, msobier123 <

Well, there are a number of errors in the configuration:

1) Split tunnel ACL 103 has been incorrectly configured. ACL 103 should really be assigned to your NAT policy.

In this case, I would create a new ACL (leaving ACL 103 as we can re-use this for your NAT policy):

access-list 150 permit ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255

crypto isakmp client configuration group sjptest1

     no acl 103

     acl 150

2) As advised earlier, NAT policy is incorrect. Currently you are assigning standard ACL 1 to your nat policy. You would need to configure extended ACL with deny statement for the traffic between your internal subnet to your ip pool subnet (ie: exactly what ACL 103 has defined).

ip nat inside source list 103 interface FastEthernet4 overload

no ip nat inside source list 1 interface FastEthernet4 overload

Hope that helps

I have updated my running config with the configurations as suggested.

I also added Mohamed's suggested ACE.

Still no luck though. On a fresh reboot of the router, I can ping the gateway and physically connected servers the first time I connect with the VPN Client. However, after I disconnect and reconnect the client, I cannot ping any more. The only way to be able to ping the router or server again is to restart the router.

Thanks for your attention to this.

Main Changes:

- Removed ACL 1

- Created ACL 150 and assigned it to tunnel

- Altered ACL 103 slightly and assigned it to NAT on FastEthernet 4

- Removed SDM_POOL_2 which was not in use

Here is my current running config:

!
! Last configuration change at 20:08:52 PCTime Thu Dec 2 2010 by superuser
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname vpngate
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 XXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
!
memory-size iomem 10
clock timezone PCTime -5
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-15289216
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-15289216
revocation-check none
rsakeypair TP-self-signed-15289216
!
!
!
!
!
ip dhcp excluded-address 10.20.0.1 10.20.30.9
ip dhcp excluded-address 10.20.30.50 10.20.255.254
ip dhcp excluded-address 10.20.30.1 10.20.30.9
ip dhcp excluded-address 10.20.30.50 10.20.30.254
!
ip dhcp pool ccp-pool1
   import all
   network 10.20.30.0 255.255.255.0
   default-router 10.20.30.1
   dns-server 192.168.2.1
!
!
ip cef
no ip bootp server
ip domain name mynetwork.ca
ip name-server 192.168.2.1
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid CISCO881-SEC-K9 sn XXXXXXXXXXXXXXXXXX
!
!
username sjpc1ad privilege 15 secret 5 XXXXXXXXXXXXXXXXXX
username tquinn secret 5 XXXXXXXXXXXXXXXXXX
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group sjptest1
key XXXXXXXXXXXXXXXXXX
dns 192.168.2.1
pool SDM_POOL_1
acl 150
save-password
crypto isakmp profile ciscocp-ike-profile-1
   match identity group sjptest1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
ip address 10.30.99.99 255.255.255.0
!
!
interface FastEthernet0
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address 192.168.68.222 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.20.30.1 255.255.0.0
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
!
ip local pool SDM_POOL_1 10.20.40.10 10.20.40.50
ip forward-protocol nd
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 103 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.68.1
!
logging trap debugging
access-list 2 remark Auto generated by SDM Management Access feature
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 10.20.30.0 0.0.0.255
access-list 2 permit 192.168.68.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq 22
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq 443
access-list 100 permit tcp 192.168.68.0 0.0.0.255 host 192.168.68.222 eq cmd
access-list 100 deny   tcp any host 192.168.68.222 eq telnet
access-list 100 deny   tcp any host 192.168.68.222 eq 22
access-list 100 deny   tcp any host 192.168.68.222 eq www
access-list 100 deny   tcp any host 192.168.68.222 eq 443
access-list 100 deny   tcp any host 192.168.68.222 eq cmd
access-list 100 deny   udp any host 192.168.68.222 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.20.30.0 0.0.0.255 any
access-list 101 permit ip 192.168.68.0 0.0.0.255 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq 22
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq 443
access-list 102 permit tcp 10.20.30.0 0.0.0.255 host 10.20.30.1 eq cmd
access-list 102 deny   tcp any host 10.20.30.1 eq telnet
access-list 102 deny   tcp any host 10.20.30.1 eq 22
access-list 102 deny   tcp any host 10.20.30.1 eq www
access-list 102 deny   tcp any host 10.20.30.1 eq 443
access-list 102 deny   tcp any host 10.20.30.1 eq cmd
access-list 102 deny   udp any host 10.20.30.1 eq snmp
access-list 102 permit ip any any
access-list 103 remark NAT ACL
access-list 103 deny   ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
access-list 103 deny   ip 192.168.68.0 0.0.0.255 10.20.40.0 0.0.0.255
access-list 103 permit ip 10.20.30.0 0.0.0.255 any
access-list 150 remark Split Tunnel
access-list 150 permit ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
no cdp run

!
!
!
!
!
control-plane
!
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
bla bla bla
-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 101 in
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

- Tim

Apart from ping, have you tested any other connectivity between the vpn client and the internal servers? Can you please test other protocols to see if it's problem with the tunnel or only problem with pings.

Also, when it's not working, can you please share the output of the following from the router (while the vpn is still connected and you try to access the internal network):

show cry isa sa

show cry ipsec sa

Thanks.

I did try arp and vnc. Both work with fresh reboot of Router and both also fail after re-connect of vpn client.

Please find attached the output logs for "show cry isa sa" and "show cry ipsec sa":


Late night fat finger ... sorry.

Attachments:

  • _console_isa_sa_good.txt <--  show cry isa sa with Fresh Router Restart
  • _console_ipsec_sa_good.txt <-- show cry ipsec sa with Fresh Router Restart
  • _console_isa_sa_bad.txt <--  show cry isa sa after VPN session disconnect / reconnect
  • _console_ipsec_sa_bad.txt <-- show cry ipsec sa after VPN session disconnect / reconnect

- Tim

Perfect, I think I found what the problem is.

Your internal subnet and your ip pool are configured in the same subnet:

Internal subnet:

interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.20.30.1 255.255.0.0

VPN Pool subnet:

ip local pool SDM_POOL_1 10.20.40.10 10.20.40.50

And since you didn't specify the mask, it will default to /8 for the 10.x.x.x major subnet.

So 10.20.30.0/16 and 10.20.40.0/8 overlap with each other.

I would suggest that you configure a totally unique VPN pool subnet: 172.16.40.0/24 for example.

Then:

1) Assign the new ACL to your VPN group configuration and remove the old pool.

2) Configure split tunnel ACL 150 to include the new pool:

access-list 150 permit ip 10.20.30.0 0.0.0.255 172.16.40.0 0.0.0.255

3) Lastly, configure the NAT ACL 103 to deny that traffic:

ip access-list extended 103

     5 deny ip 10.20.30.0 0.0.0.255 172.16.40.0 0.0.0.255

Hope this time it helps.
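An added checker, not from this thread or from Cisco, for the two mistakes discussed above: the NAT exemption ACE that the NAT policy needs (Jennifer's earlier reply) and the VPN pool sitting inside the LAN. It parses only the relevant IOS lines, tests the pool against the Vlan1 interface's configured mask (/16 here) rather than a classful default, and the two config excerpts are constructed from the posted running config.

```python
import ipaddress
import re

# Constructed excerpt of the second running config posted in this thread (only
# the lines the checker reads, and only Vlan1's address). FIXED applies the
# suggested changes: a /24 LAN mask and a pool outside it (172.16.40.0/24).
POSTED = """\
interface Vlan1
 ip address 10.20.30.1 255.255.0.0
ip local pool SDM_POOL_1 10.20.40.10 10.20.40.50
ip nat inside source list 103 interface FastEthernet4 overload
access-list 103 deny   ip 10.20.30.0 0.0.0.255 10.20.40.0 0.0.0.255
access-list 103 permit ip 10.20.30.0 0.0.0.255 any
"""
FIXED = POSTED.replace("255.255.0.0", "255.255.255.0").replace("10.20.40", "172.16.40")

ALL_ONES = int(ipaddress.IPv4Address("255.255.255.255"))

def wc_net(addr, wildcard):
    """Convert an IOS 'address wildcard' pair into an IPv4Network."""
    mask = ipaddress.IPv4Address(ALL_ONES ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def parse(config):
    """Extract the LAN interface, VPN pools, NAT ACL id and the 'ip' ACEs per ACL."""
    lan, pools, nat_acl, aces = None, {}, None, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"ip address (\S+) (\S+)$", line):
            lan = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
        elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
            pools[m[1]] = tuple(ipaddress.IPv4Address(ip) for ip in m.group(2, 3))
        elif m := re.match(r"ip nat inside source list (\S+)", line):
            nat_acl = m[1]
        elif m := re.match(r"access-list (\S+) (deny|permit)\s+ip (\S+) (\S+) (.+)", line):
            dst = m[5].split()
            dst_net = ipaddress.ip_network("0.0.0.0/0") if dst == ["any"] else wc_net(*dst)
            aces.setdefault(m[1], []).append((m[2], wc_net(m[3], m[4]), dst_net))
    return lan, pools, nat_acl, aces

def audit(config):
    """Return findings for the two mistakes discussed in the thread; [] means clean."""
    lan, pools, nat_acl, aces = parse(config)
    findings = []
    for name, (first, last) in pools.items():
        # 1) The pool must not fall inside the LAN interface's own network.
        if first in lan.network or last in lan.network:
            findings.append(f"pool {name} ({first}-{last}) overlaps LAN {lan.network}")
        # 2) The first NAT ACE matching LAN gateway -> pool must be a deny, or
        #    LAN-to-client traffic is translated out the WAN instead of the tunnel.
        for action, src, dst in aces.get(nat_acl, []):
            if lan.ip in src and first in dst:
                if action == "permit":
                    findings.append(f"NAT ACL {nat_acl} translates LAN->pool {name}; add a deny first")
                break
        else:
            findings.append(f"NAT ACL {nat_acl} has no ACE for LAN->pool {name}")
    return findings

if __name__ == "__main__":
    print("posted:", audit(POSTED) or "clean")
    print("fixed: ", audit(FIXED) or "clean")
```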

I updated my config to have it simplified and following your suggestions. No luck unfortunately. Same symptoms.

Network Info:

  • Internet Gateway to ISP: 192.168.68.1
  • DNS: 192.168.2.1
  • WAN Address for Cisco 881: 192.168.68.222
  • LAN Address on Cisco 881: 10.10.10.1 (10.10.10.0/24)
  • DHCP for LAN on Cisco 881: 10.10.10.10 - 10.10.10.50
  • DHCP for IPSec VPN: 172.16.10.10 - 172.16.10.20
  • new: I explicitly specified the SNM for the VPN policy as 255.255.255.0

Attachments:

  • __Cisco_Support_config_3_halijenn_20101207_0149_share.txt <~ Latest running Config
  • __Cisco_Support_config_compare_2-3.txt <~ UltraEdit diff from last config

Jennifer - Would you like some updated cry sa dumps based on the new config?

For brevity of this thread, I will only post config inline if requested.

- Tim

[Update] The issue was resolved by a Cisco Tech

The issue was related to using Virtual Templates for IPSec VPN. Lawrence from Cisco reverted my config back to using the old-fashioned way of doing IPSec VPNs and it worked perfectly.

I am normalizing his configuration and will post my final configuration shortly for closure.

- Tim

Great to hear and thanks for the update.
