07-09-2012 11:16 AM - edited 03-04-2019 04:55 PM
I have a CISCO 2921 router with a 24 port switch module. Everything has been configured and working except the following, please help!!
VLAN1: 10.10.10.x, default network for Router GI 0/0, which has IP 10.10.10.1
VLAN2: 10.10.9.x subnet for development
Connection: router GI 0/0 is connected to SW port 17, my laptop is connected to SW port 16 with IP 10.10.9.22. VLAN setting for port 17 is: VLAN1; VLAN setting for port 16 is: VLAN2.
Issue I am having: From my laptop, I can ping 10.10.10.1, but I can't do http://10.10.10.1
What did I miss? Thanks.
07-09-2012 11:32 PM
Hi Bin,
You need to enable http server on your router by doing the below:
ip http server
ip http authentication local (you will need to create a username for access)
username (xxxxxx) secret (password)
You can also enable https by typing ip http secure-server
HTH.
Regards,
Terence
08-03-2012 10:48 PM
Hi, Terence,
I have everything you listed above. But I simply can't access https://10.10.10.1, therefore I can't run CISCO CP.
Help.
08-04-2012 04:48 AM
Then you have other configuration mistakes.
Note however, Cisco CP is pretty useless.
08-04-2012 04:16 PM
The original post establishes that there is IP connectivity from the laptop to the router address. If https access does not work then I must agree with Paolo that there is some other issue in the configuration. A good next step would be for the original poster to post the configuration of the router so that we can identify what is the other issue.
HTH
Rick
08-05-2012 07:33 AM
Hi Bin,
Does CCP prompt you for a username/password? Make sure you've got a username with privilege 15 configured.
username USERNAME privilege 15 secret PASSWORD
If this still doesn't work, kindly post your show run as Rick suggested and remove any sensitive info.
Sent from Cisco Technical Support iPhone App
08-05-2012 07:21 PM
Hi, everyone, thank you for taking time to respond to my post. Here is my config, please refer to the original post for connection INFO.
What I need help with:
1: be able to access and manage C2921 from the 10.0.9 network, or
2: once connected to VPN, be able to access and manage C2921.
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname C2921W
!
boot-start-marker
boot-end-marker
!
card type t1 0 0
logging buffered 51200 warnings
enable secret 4 SECRET
!
aaa new-model
aaa authentication login rtr-remote-list local
aaa authorization network rtr-remote-list local
aaa session-id common
!
clock timezone EST -5 0
clock summer-time EDT recurring
network-clock-participate wic 0
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.0.9.241 10.0.9.254
ip dhcp excluded-address 10.0.9.1 10.0.9.21
!
ip dhcp pool P-VLAN10
import all
network 10.0.9.0 255.255.255.0
default-router 10.0.9.254
dns-server 10.0.2.22
domain-name example.net
lease 10
!
ip domain name example.net
ip name-server 12.12.12.67
ip name-server 12.12.12.71
ip inspect log drop-pkt
ip inspect name CCP_HIGH appfw CCP_HIGH
ip inspect name CCP_HIGH icmp
ip inspect name CCP_HIGH dns
ip inspect name CCP_HIGH esmtp
ip inspect name CCP_HIGH https
ip inspect name CCP_HIGH imap reset
ip inspect name CCP_HIGH pop3 reset
ip inspect name CCP_HIGH sip
ip inspect name CCP_HIGH h323
ip inspect name CCP_HIGH tcp
ip inspect name CCP_HIGH udp
!
appfw policy-name CCP_HIGH
application im aol
service default action reset alarm
service text-chat action reset alarm
server deny name login.oscar.aol.com
server deny name toc.oscar.aol.com
server deny name oam-d09a.blue.aol.com
audit-trail on
application im msn
service default action reset alarm
service text-chat action reset alarm
server deny name messenger.hotmail.com
server deny name gateway.messenger.hotmail.com
server deny name webmessenger.msn.com
audit-trail on
application http
strict-http action reset alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action reset alarm
application im yahoo
service default action reset alarm
service text-chat action reset alarm
server deny name scs.msg.yahoo.com
server deny name scsa.msg.yahoo.com
server deny name scsb.msg.yahoo.com
server deny name scsc.msg.yahoo.com
server deny name scsd.msg.yahoo.com
server deny name cs16.msg.dcn.yahoo.com
server deny name cs19.msg.dcn.yahoo.com
server deny name cs42.msg.dcn.yahoo.com
server deny name cs53.msg.dcn.yahoo.com
server deny name cs54.msg.dcn.yahoo.com
server deny name ads1.vip.scd.yahoo.com
server deny name radio1.launch.vip.dal.yahoo.com
server deny name in1.msg.vip.re2.yahoo.com
server deny name data1.my.vip.sc5.yahoo.com
server deny name address1.pim.vip.mud.yahoo.com
server deny name edit.messenger.yahoo.com
server deny name messenger.yahoo.com
server deny name http.pager.yahoo.com
server deny name privacy.yahoo.com
server deny name csa.yahoo.com
server deny name csb.yahoo.com
server deny name csc.yahoo.com
audit-trail on
!
multilink bundle-name authenticated
!
parameter-map type inspect global
log dropped-packets enable
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-1375906681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1375906681
revocation-check none
rsakeypair TP-self-signed-1375906681
!
hw-module sm 1
!
username admin privilege 15 secret 4 PASSWORD
username rwadmin password 0 CLIENTKEY
!
redundancy
!
controller T1 0/0/0
fdl both
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/1
fdl both
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/2
fdl both
cablelength long 0db
channel-group 0 timeslots 1-24
!
controller T1 0/0/3
fdl both
cablelength long 0db
channel-group 0 timeslots 1-24
!
!
class-map match-any sdm_p2p_kazaa
match protocol fasttrack
match protocol kazaa2
class-map match-any sdm_p2p_edonkey
match protocol edonkey
class-map match-any sdm_p2p_gnutella
match protocol gnutella
class-map match-any sdm_p2p_bittorrent
match protocol bittorrent
!
!
policy-map sdmappfwp2p_CCP_HIGH
class sdm_p2p_edonkey
drop
class sdm_p2p_gnutella
drop
class sdm_p2p_kazaa
drop
class sdm_p2p_bittorrent
drop
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
crypto isakmp key ISAKMPKEY address 19.19.18.71 no-xauth
crypto isakmp key ISAKMPKEY address 29.29.28.68 no-xauth
crypto isakmp keepalive 10
!
crypto isakmp client configuration group rtr-remote-list
key CLIENTKEY
domain example.net
pool ippool
acl 102
!
crypto ipsec transform-set 3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set 3des-sha
reverse-route
!
crypto map outsidemap client authentication list rtr-remote-list
crypto map outsidemap isakmp authorization list rtr-remote-list
crypto map outsidemap client configuration address respond
crypto map outsidemap 1 ipsec-isakmp
set peer 19.19.18.71
set transform-set 3des-sha
match address outside_cryptomap
crypto map outsidemap 2 ipsec-isakmp
set peer 29.29.28.68
set security-association lifetime seconds 28800
set transform-set 3des-sha
match address outside_cryptomap_dil
crypto map outsidemap 10 ipsec-isakmp dynamic dynmap
!
interface Multilink1
ip address 12.12.13.94 255.255.255.252
ip nat outside
ip inspect CCP_HIGH out
ip virtual-reassembly in
ppp multilink
ppp multilink group 1
ppp multilink fragment disable
crypto map outsidemap
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
ip address 10.10.10.1 255.255.255.248
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/1
description $FW_OUTSIDE$
ip address 12.12.15.145 255.255.255.248
ip access-group 101 in
ip nat outside
ip inspect CCP_HIGH out
ip virtual-reassembly in
ip verify unicast reverse-path
duplex auto
speed auto
service-policy input sdmappfwp2p_CCP_HIGH
service-policy output sdmappfwp2p_CCP_HIGH
!
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
!
interface Serial0/0/0:0
description multilink 1 interface
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/1:0
description multilink 1 interface
no ip address
encapsulation ppp
ppp multilink
ppp multilink group 1
!
interface Serial0/0/2:0
no ip address
!
interface Serial0/0/3:0
no ip address
!
interface GigabitEthernet1/0
description $ETH-LAN$$SWDMADDR:192.168.1.245:80$$FW_INSIDE$
ip address 10.0.9.254 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet1/1
description Internal switch interface connected to EtherSwitch Service Module
no ip address
!
interface Vlan1
no ip address
!
ip local pool ippool 10.0.10.30 10.0.10.40
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list inside_nat0_outbound interface Multilink1 overload
ip route 0.0.0.0 0.0.0.0 12.12.13.93
!
ip access-list extended inside_nat0_outbound
deny ip 10.0.9.0 0.0.0.255 10.0.2.0 0.0.0.255
deny ip 10.0.9.0 0.0.0.255 10.0.6.0 0.0.0.255
deny ip 10.0.9.0 0.0.0.255 10.0.4.0 0.0.0.255
permit ip 10.0.9.0 0.0.0.255 any
deny ip 10.10.10.0 0.0.0.255 10.0.10.0 0.0.0.255
permit ip 10.0.10.0 0.0.0.255 any
permit ip any any
ip access-list extended outside_cryptomap
permit ip 10.0.9.0 0.0.0.255 10.0.2.0 0.0.0.255
permit ip 10.0.9.0 0.0.0.255 10.0.4.0 0.0.0.255
ip access-list extended outside_cryptomap_dil
permit ip 10.0.9.0 0.0.0.255 10.0.6.0 0.0.0.255
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 100 remark auto generated by CCP firewall configuration
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip 12.12.15.144 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by CCP firewall configuration
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 10.0.9.0 0.0.0.255 any
access-list 101 permit icmp any host 12.12.15.145 echo-reply
access-list 101 permit icmp any host 12.12.15.145 time-exceeded
access-list 101 permit icmp any host 12.12.15.145 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 permit ip 10.10.10.0 0.0.0.248 10.0.10.0 0.0.0.255
!
control-plane
!
line con 0
exec-timeout 0 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line 67
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
flowcontrol software
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end
08-05-2012 08:49 PM
Hi,
Could you add this and try accessing your router from the 10.0.9.0/24 subnet?
access-list 23 permit 10.0.9.0 0.0.0.255
Sent from Cisco Technical Support iPhone App
08-05-2012 09:24 PM
I believe that John has correctly identified the issue. To give some supporting detail about it, this line of the config is the key:
ip http access-class 23
This uses access-list 23 to control who can use the web interface to access the router. And access-list 23 only permits a small part of a subnet. Note that this looks like the access-list that is part of the standard initial configuration of an IOS router. And note that this access list is also controlling who can get remote access for the command line:
line vty 0 4
access-class 23 in
So if you add 10.0.9 as a permit in access-list 23 the http/https should work.
HTH
Rick
08-06-2012 09:00 AM
Thank you John / Richard. With this access-list, my first problem was resolved: that is to be able to access the router from 10.0.9 network.
My second problem is this: once I connect to the Router with CISCO VPN client, I got an IP address 10.0.10.30, with mask: 255.0.0.0. I am not able to access the router. What else do I need to do?
08-06-2012 10:34 AM
I am glad that our suggestion about modifying the access list has resolved the first problem. The solution to the second problem is quite similar. You need to modify access list 23 and add an entry that will include a permit for an address range that includes the VPN addresses.
Do you have access to the device that is providing the VPN and can you determine what range of addresses is in the VPN pool? That is the range that you need to permit in the access list.
HTH
Rick
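Rick's two answers above hinge on the same mechanism: `ip http access-class 23` and `access-class 23 in` on the vty lines both hand the source address of a management connection to standard ACL 23, which ends in an implicit deny. The following Python script is an added example written for this thread (it is not from the original posts or from Cisco): it parses standard-ACL lines in IOS syntax, evaluates a source address against them the way IOS does (first match wins, wildcard bits set to 1 are "don't care"), and reports which of the addresses that appear in the posted configuration would be allowed by the original list versus the amended one. The sample addresses (a 10.0.9.x host, a 10.10.10.x host, and 10.0.10.30 from `ip local pool ippool`) are constructed for illustration.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample inputs. The first is access-list 23 exactly as it appears in
# the posted configuration; the second adds the LAN entry John suggested and the
# VPN-pool entry Bin added later (standard-ACL syntax: no "ip" keyword).
ACL_23_ORIGINAL = "access-list 23 permit 10.10.10.0 0.0.0.7\n"
ACL_23_FIXED = (
    "access-list 23 permit 10.10.10.0 0.0.0.7\n"
    "access-list 23 permit 10.0.9.0 0.0.0.255\n"
    "access-list 23 permit 10.0.10.0 0.0.0.255\n"
)

# One standard ACE: "access-list N permit|deny {host A | any | A [wildcard]}".
ACE_RE = re.compile(
    r"^access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(?:host\s+(\S+)|(any)|(\S+)(?:\s+(\S+))?)\s*$"
)

Ace = Tuple[str, int, int]  # (action, network as int, wildcard as int)


def parse_standard_acl(text: str, number: int) -> List[Ace]:
    """Parse the entries of standard ACL `number`; raise ValueError on a malformed line."""
    entries: List[Ace] = []
    for raw in text.splitlines():
        tokens = raw.split()
        # Skip blank lines and lines belonging to other ACLs.
        if len(tokens) < 2 or tokens[0] != "access-list" or tokens[1] != str(number):
            continue
        m = ACE_RE.match(raw.strip())
        if not m:
            raise ValueError(f"not a valid standard ACE: {raw.strip()!r}")
        action, host, any_kw, net, wild = m.groups()[1:]
        if host:
            entries.append((action, int(ipaddress.IPv4Address(host)), 0))
        elif any_kw:
            entries.append((action, 0, 0xFFFFFFFF))
        else:
            # A bare address with no wildcard means a single host (wildcard 0.0.0.0).
            net_int = int(ipaddress.IPv4Address(net))
            wild_int = int(ipaddress.IPv4Address(wild)) if wild else 0
            entries.append((action, net_int, wild_int))
    return entries


def standard_acl_permits(entries: List[Ace], source_ip: str) -> bool:
    """First matching entry wins; no match falls through to the implicit deny."""
    src = int(ipaddress.IPv4Address(source_ip))
    for action, net, wild in entries:
        care = ~wild & 0xFFFFFFFF  # wildcard bit 1 = don't care, 0 = must match
        if (src & care) == (net & care):
            return action == "permit"
    return False


def wildcard_is_contiguous(wildcard: str) -> bool:
    """True when the wildcard is the inverse of a prefix mask (e.g. 0.0.0.7 for a /29)."""
    w = int(ipaddress.IPv4Address(wildcard))
    return (w + 1) & w == 0


def ace_is_valid(line: str) -> bool:
    """Whether the line is accepted as standard-ACE syntax by this parser."""
    try:
        parse_standard_acl(line, int(line.split()[1]))
        return True
    except (ValueError, IndexError):
        return False


def management_access_report(acl_text: str) -> Dict[str, bool]:
    """Evaluate ACL 23 for constructed source addresses taken from the subnets in the thread."""
    entries = parse_standard_acl(acl_text, 23)
    sources = {
        "LAN host on Gi1/0 (10.0.9.0/24)": "10.0.9.22",
        "host on Gi0/0 (10.10.10.0/29)": "10.10.10.5",
        "Easy VPN client from pool ippool": "10.0.10.30",
    }
    return {label: standard_acl_permits(entries, ip) for label, ip in sources.items()}


if __name__ == "__main__":
    for name, text in (("original", ACL_23_ORIGINAL), ("fixed", ACL_23_FIXED)):
        print(name, management_access_report(text))
    print("'permit ip' form accepted?", ace_is_valid("access-list 23 permit ip 10.0.9.0 0.0.0.255"))
    print("0.0.0.248 contiguous?", wildcard_is_contiguous("0.0.0.248"))
```

With the original list only the 10.10.10.x host is permitted, which is why ping (not subject to the access-class) succeeded while HTTPS and SSH from the 10.0.9.x laptop were refused; with the amended list all three sources pass. Because the same ACL is applied to both `ip http access-class` and the vty `access-class`, one report covers the web interface and the CLI. The `wildcard_is_contiguous` check is included as a practitioner's sanity test for hand-typed ACLs: the posted config's `access-list 102 permit ip 10.10.10.0 0.0.0.248 10.0.10.0 0.0.0.255` uses a wildcard of 0.0.0.248, which is not the inverse of a prefix mask (a /29 would be 0.0.0.7); that line is the split-tunnel ACL referenced by `acl 102` in the client configuration group, so it is worth reviewing when tracing the VPN-side problem.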
08-06-2012 10:38 AM
Rick, yes, the range is in the above config file that I posted earlier. I added access list 23 for 10.0.10, but no luck.
When I connect to VPN, my subnet mask should be 255.255.255.0, right? But it is 255.0.0.0. So I think something is not right.
I followed CISCO documentation and example to setup the VPN access.
08-06-2012 10:56 AM
Perhaps you can post the current version of access list 23? I am guessing that there is something about the way that you did the permit for 10.0.10.
I can see where you intend the mask for VPN to be 255.255.255.0. But I do not see anywhere that you specify this in the VPN config. Have I missed something?
HTH
Rick
08-06-2012 05:20 PM
Hi Bin,
Are you referring to Easy VPN server setup on the router? By the way, I've got your email but I will be responding here on this thread. This will help other folks keep track and assist in resolving your issue if I'm not available.
Please help rate useful posts. Thanks!
Sent from Cisco Technical Support iPhone App
08-06-2012 08:19 PM
John,
Yes, this is Easy VPN server setup on the router. Please refer to the router configuration above.
I added the following access list:
access-list 23 permit 10.0.10.0 0.0.0.255
But, no luck this time. The purpose of this exercise is that I can VPN in to the router, and then SSH to the router management interface.