Easy vpn

cemil.heyderov
Level 1

Hi dear. I configured Easy VPN on a Cisco 2911 router (this router supports Zone-Based Firewall). I can connect, and the client gets an IP address from the VPN pool, but the VPN client cannot reach the local network. Pings don't reach any host. Please help me.

!
version 15.0
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname XXXXXX
!
boot-start-marker
boot-end-marker
!
logging buffered 52000
enable secret 5 XXXXXXXXXXXXXXXXXXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip domain name TEST.local
ip name-server xxxxx
ip name-server xxxxx
!
multilink bundle-name authenticated
!
crypto pki trustpoint TP-self-signed-4116208376
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4116208376
revocation-check none
rsakeypair TP-self-signed-4116208376
!
!
crypto pki certificate chain TP-self-signed-4116208376
certificate self-signed 01
30820248 308201B1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313136 32303833 3736301E 170D3138 30323238 31333537
30385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31313632
30383337 3630819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81009919 38AE578D 380571D1 67CCA453 D3EFE845 101F70D6 EFEA993E 6F29EACA
6064AD0D 57137272 CF02F9E1 6D38E129 929377BC 8F5B34E3 5DF0C36C 5B27C135
03006510 32F5D84C CB807CB4 10867F20 45613449 22CB94C7 713102E9 F21D99B1
93BE7CA7 36C595DD 8C39E9F8 FC77206C 2A546F10 B0A539A0 02313619 146D71DF
37470203 010001A3 70306E30 0F060355 1D130101 FF040530 030101FF 301B0603
551D1104 14301282 104E4F43 2D42412D 524F2E6E 6F632E61 7A301F06 03551D23
04183016 80148268 B82C069E EA74495D AE3EA90D 798A5978 D148301D 0603551D
0E041604 148268B8 2C069EEA 74495DAE 3EA90D79 8A5978D1 48300D06 092A8648
86F70D01 01040500 03818100 5579F0CB D0B1200A 38E20C39 296C1FA7 57123620
BA92DC90 5DFF05A1 5AEE44D6 E3B04BE8 B1896AA4 F7703C49 51E35CB8 0E95B20F
6FEBBF76 D3D0D3EE 7017E5CF A8B84DD5 80AED74B 8F409293 BBCFD17F 8ABC11AD
E3D8F24A 123C0E2D 6A0760E5 99ACF70E 7028B084 7CD7FB2F 7B5EB459 52F8859F
181E9827 2CE5A61A E9EB9470
quit
!
username xxxxxxx privilege 15 secret 5 $yyyyyyyyyyyyyyyyyy/
!
redundancy
!
!
ip ssh time-out 30
!
class-map type inspect match-any SMTP,HTTPS,DNS
match protocol smtp
match protocol https
match protocol dns
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-all sdm-nat--1
match access-group 101
match class-map SMTP,HTTPS,DNS
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat--1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
pass
class class-default
drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group RA-VPN-GROUP
key xxxxxx
dns xxxxxx
wins xxxxxx
domain xxxxx
pool VPN-POOL
acl 102
crypto isakmp profile ciscocp-ike-profile-1
match identity group RA-VPN-GROUP
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
interface GigabitEthernet0/0
ip address xxxxxxx 255.255.255.224
no ip redirects
no ip proxy-arp
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
!
!
interface GigabitEthernet0/1
description $ETH-LAN$$FW_INSIDE$
ip address xxxxxxxxxx xxxxxxxxxxxx
no ip redirects
no ip proxy-arp
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip policy route-map camera
duplex auto
speed auto
!
!
interface GigabitEthernet0/2
ip address xxxxxx xxxxxx
zone-member security in-zone
duplex auto
speed auto
!
!
interface FastEthernet0/0/0
ip address xxxxxxx 255.255.255.0
zone-member security in-zone
ip policy route-map camera
duplex auto
speed auto
!
!
interface FastEthernet0/0/1
no ip address
shutdown
duplex auto
speed auto
!
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool VPN-POOL 172.20.20.20 172.20.20.30
no ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source static 10.10.0.9 xxxxxxxxxx
ip route 0.0.0.0 0.0.0.0 xxxxxxx permanent
ip route xxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxxx 255.255.252.0 GigabitEthernet0/2
ip route xxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxxx 255.255.255.0 GigabitEthernet0/2
ip route xxxx 255.255.255.0 GigabitEthernet0/2
!
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
!
no logging trap
access-list 100 permit ip host 255.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.10.0.9
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip xxxxx 0.0.0.255 any
access-list 102 permit ip xxxxx 0.0.0.255 any
access-list 102 permit ip xxxx 0.0.0.255 any
access-list 102 permit ip xxxx 0.0.0.255 any
access-list 110 deny ip any xxxxxx 0.0.0.255
access-list 110 deny ip any xxxxxx 0.0.0.255
access-list 110 deny ip any xxxxxxx 0.0.0.255
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip host xxxxx any
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip any xxxxx 0.0.0.255
access-list 110 deny ip any xxxxxx 0.0.0.255
access-list 110 deny ip any xxxxxx 0.0.3.255
access-list 110 permit ip any any
!
!
!
!
route-map camera permit 10
match ip address 110
set ip next-hop xxxxxx
!
!
!
control-plane
!
!
!
line con 0
password xxxxxxxx
line aux 0
line vty 0 4
password xxxxxxxxx
transport preferred ssh
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end

1 Accepted Solution

10 Replies

Hello,

Try and change the policy for the class type below from 'pass' to 'inspect':

policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  inspect
 class class-default
  drop

Also, make sure that your access-list 102 matches the traffic from the inside to any. I cannot see your internal IP addressing, but the ACL for the pool needs to allow access from the inside; so whatever is xxxxxxxxxx xxxxxxxxxxxx needs to match:

interface GigabitEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address xxxxxxxxxx xxxxxxxxxxxx
!

acl 102 permit ip xxxxxxxxxx xxxxxxxxxxxx any

Thank you, dear. I changed pass to inspect, and the ACL is as you say, but the VPN client still doesn't reach the local network.

[attachments: Route details.jpg, Tunnel Details.jpg]

Where are you, dear friends? Help please, I need your help.

Hello,

Post the full running config again with the changes you have implemented...

Friends

I checked: after connecting the VPN I can ping 10.10.0.9 (a host on my local network, the Exchange server) and 10.10.0.254 (the router LAN interface) from my VPN client, but only these. Other hosts I cannot ping.

Dear friends, I could resolve the first part of the problem. Now I can reach my local network from the VPN client. The problem was the access list used by the route map. The second part of the problem is that the VPN client cannot reach the networks connected to the router (the one I connect the VPN to).
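The poster found that the route map's access list was the first cause. The running config above carries `ip policy route-map camera` on the LAN interfaces, with `route-map camera` matching access-list 110, whose entries deny the site's own subnets and end in `permit ip any any`. Any LAN reply whose destination is not in one of the deny lines, including a reply to a VPN client in 172.20.20.0/24, is policy-routed to the camera next hop instead of back through the tunnel. The following is an added example, not code from the thread or from Cisco: it models IOS first-match ACL evaluation with wildcard masks and the route-map's permit-then-set-next-hop behaviour. The subnets in the sample ACL and the camera next hop are constructed stand-ins for the page's redacted values, the `deny ip host ... any` line is assumed to be the 10.10.0.9 Exchange server, and the "fix" (a deny entry exempting the VPN pool) is an assumption about what the poster changed, since the thread does not show it.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action plus IOS-style source/destination specs
    ("any", "host A.B.C.D", or "A.B.C.D WILDCARD")."""
    action: str
    src: str
    dst: str


def _matches(addr: ipaddress.IPv4Address, spec: str) -> bool:
    # IOS wildcard semantics: a 1 bit in the wildcard means "don't care".
    if spec == "any":
        return True
    if spec.startswith("host "):
        return addr == ipaddress.IPv4Address(spec.split()[1])
    base, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(addr) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_action(acl, src: str, dst: str) -> str:
    """First-match evaluation, ending in the implicit deny every IOS ACL has."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for ace in acl:
        if _matches(s, ace.src) and _matches(d, ace.dst):
            return ace.action
    return "deny"


def pbr_next_hop(acl, src: str, dst: str, policy_next_hop: str):
    """Model of 'ip policy route-map camera' on a LAN interface with
    'route-map camera permit 10 / match ip address <acl> / set ip next-hop X':
    a packet the ACL permits is forced to X; a packet the ACL denies falls
    through to the normal routing table (returned here as None)."""
    return policy_next_hop if acl_action(acl, src, dst) == "permit" else None


# Constructed stand-in for the thread's redacted access-list 110: deny entries
# for the site's own subnets, then 'permit ip any any'. The 'deny ip host ... any'
# line is ASSUMED to be the Exchange server 10.10.0.9 (the page redacts it).
ACL_110 = [
    Ace("deny", "any", "10.10.0.0 0.0.0.255"),
    Ace("deny", "any", "10.10.2.0 0.0.0.255"),
    Ace("deny", "any", "10.1.0.0 0.0.0.255"),
    Ace("deny", "host 10.10.0.9", "any"),
    Ace("permit", "any", "any"),
]

# Hypothetical fix: exempt the VPN pool from policy routing; nothing else changes.
ACL_110_FIXED = [Ace("deny", "any", "172.20.20.0 0.0.0.255")] + ACL_110

CAMERA_NEXT_HOP = "198.51.100.1"  # placeholder for the redacted 'set ip next-hop'

if __name__ == "__main__":
    # A LAN host behind a policy-routed interface answering a VPN client.
    for label, acl in (("before fix", ACL_110), ("after fix", ACL_110_FIXED)):
        nh = pbr_next_hop(acl, "10.10.2.15", "172.20.20.25", CAMERA_NEXT_HOP)
        print(f"{label}: reply 10.10.2.15 -> 172.20.20.25 goes to {nh or 'normal routing'}")
```

Run as-is, the script shows the reply to the VPN client being sent to the camera next hop before the fix and to normal routing (the Virtual-Access tunnel) after it. It also explains the poster's earlier observation that 10.10.0.9 was reachable while other hosts were not: under the assumption above, that host's traffic is denied by the ACL and so was never policy-routed.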

Hello,

--> vpn client cannot reach networks which connect router

Which networks can you NOT reach? Indicate the subnets you cannot reach from your VPN client...

The router I connect the VPN to has 2 local interfaces, 10.10.0.0/24 and 10.10.2.0/24, which the VPN client can reach. But it cannot reach 10.1.0.0/24; this subnet is connected to another router. The VPN client can reach 192.168.153.1 but cannot reach 192.168.153.2.

[attachment: topology.jpg]

Hello,

Does the router with IP address 192.168.153.2 have a route back to the IP addresses of the VPN clients (172.20.20.20-172.20.20.30)?

Try and add a static route on the router with IP address 192.168.153.2:

ip route 172.20.20.0 255.255.255.0 192.168.153.1

(make sure the subnet mask for your VPN clients matches, I cannot see what mask you are actually using)...

Dear, thanks. All problems have been resolved.
