11-11-2021 11:13 AM
Hey folks,
I've got my VPN setup I can make connections to the VPN, but I can't figure out the last steps required to allow the machines connected to my interface Virtual-Template1 to access my VLAN 3 here is my config as it stands:
Using 5367 out of 262136 bytes
!
! Last configuration change at 18:08:36 UTC Thu Nov 11 2021 by jlvb83
! NVRAM config last updated at 18:08:39 UTC Thu Nov 11 2021 by jlvb83
! NVRAM config last updated at 18:08:39 UTC Thu Nov 11 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
username jlvbvpn privilege 15 password 7 123D171E011F0D0A242A37293F382B00134453510518
!
redundancy
!
!
!
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
!
class-map type inspect match-all IPSEC_CM
match access-group name ISAKMP_IPSEC
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
class-map type inspect match-all DHCP_CM
match access-group name DHCP
!
!
policy-map type inspect OUT_SELF_PM
class type inspect IPSEC_CM
pass
class type inspect DHCP_CM
pass
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
ip local pool l2tp-pool 192.168.2.100 192.168.2.150
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 50.65.168.1
ip route 0.0.0.0 0.0.0.0 50.65.168.1 254
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
ip access-list extended DHCP
permit udp any any eq bootpc
ip access-list extended ISAKMP_IPSEC
permit esp any any
permit ahp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 1701
!
access-list 1 permit 192.168.1.0 0.0.0.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
transport input ssh
!
scheduler allocate 20000 1000
end
11-11-2021 12:39 PM
Hello,
as far as I recall, that is related to the Virtual Template not being part of the inside zone. Try and add the below to the loopback interface:
interface Loopback1
ip address 192.168.2.1 255.255.255.0
--> zone-member security inside
11-11-2021 12:51 PM
I have tried that I also added the:
ip nat inside
with no luck
11-11-2021 01:39 PM
Hello,
the NAT could be the problem. Try to make the changes marked in bold:
Using 5367 out of 262136 bytes
!
! Last configuration change at 18:08:36 UTC Thu Nov 11 2021 by jlvb83
! NVRAM config last updated at 18:08:39 UTC Thu Nov 11 2021 by jlvb83
! NVRAM config last updated at 18:08:39 UTC Thu Nov 11 2021 by jlvb83
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$rn7O$5kouMbw3c3zjSd64bALKa0
!
aaa new-model
!
aaa authentication ppp VPDN_AUTH local
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
vtp domain NULL
vtp mode transparent
username jlvb83 password 7 1321051B1818052425253B32392F1A14025151060A19
username jlvbvpn privilege 15 password 7 123D171E011F0D0A242A37293F382B00134453510518
!
redundancy
!
vlan 2
name CAMS
!
vlan 3
name MAIN
!
class-map type inspect match-all IPSEC_CM
match access-group name ISAKMP_IPSEC
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
class-map type inspect match-all DHCP_CM
match access-group name DHCP
!
policy-map type inspect OUT_SELF_PM
class type inspect IPSEC_CM
pass
class type inspect DHCP_CM
pass
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface Loopback1
ip address 192.168.2.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered Loopback1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
ip local pool l2tp-pool 192.168.2.100 192.168.2.150
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
--> ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 50.65.168.1
ip route 0.0.0.0 0.0.0.0 50.65.168.1 254
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
ip access-list extended DHCP
permit udp any any eq bootpc
ip access-list extended ISAKMP_IPSEC
permit esp any any
permit ahp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 1701
!
--> access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
--> access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 106D0817041313595C547E
transport input ssh
!
scheduler allocate 20000 1000
end
11-11-2021 03:47 PM
added still something stopping it I even tried
interface Virtual-Template1
ip unnumbered Gi0/1.1
peer default ip address pool l2tp-pool
ppp authentication ms-chap-v2 VPDN_AUTH
with no luck
11-21-2021 03:01 PM
Hey folks after some playing and testing what I have realized is i can ping VLAN adapters on my switches when using the VPN connection but can't seem to ping physical devices plugged int my switches and I'm not sure why this would be occurring.
11-11-2021 03:52 PM
I can only think that my problem might be that my vpn connection on my machine show's a default gateway of 0.0.0.0
11-22-2021 09:53 AM
After playing with it a bunch I removed
Interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
---->zone-member security inside
And found that my ping made it through so my firewall blocks the VPN connection from getting pings through not sure how to solve this any suggestions
11-22-2021 11:58 AM
Hello,
since that post has become quite long, in summary, what problem is left ? And what does the configuration look like now (sh run) ?
11-22-2021 01:18 PM
The problem that I'm seeing is that when I'm connected to the VPN I can't ping/connect to my host on Vlan3 unless I remove the zone membership on my Gi0/1.1 interface on this current config:
Current configuration : 5535 bytes
!
! Last configuration change at 18:15:20 UTC Mon Nov 22 2021 by #####
! NVRAM config last updated at 17:59:05 UTC Mon Nov 22 2021 by #####
! NVRAM config last updated at 17:59:05 UTC Mon Nov 22 2021 by #####
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 ##################
!
aaa new-model
!
!
aaa authentication ppp VPDN_AUTH local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool VPN-1
network 192.168.2.0 255.255.255.0
default-router 192.168.1.1
!
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
!
vtp domain NULL
vtp mode transparent
username #### password 7 ##################
username ##### privilege 15 password 7 ###############
username ########### privilege 15 password 7 ####################
!
redundancy
!
!
!
!
vlan 2
name CAMS
!
!
class-map type inspect match-all IPSEC_CM
match access-group name ISAKMP_IPSEC
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
class-map type inspect match-all DHCP_CM
match access-group name DHCP
!
!
policy-map type inspect OUT_SELF_PM
class type inspect IPSEC_CM
pass
class type inspect DHCP_CM
pass
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ############ address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1.1
peer default ip address dhcp-pool VPN-1
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 ########
ip route 0.0.0.0 0.0.0.0 ######### 254
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
ip access-list extended DHCP
permit udp any any eq bootpc
ip access-list extended ISAKMP_IPSEC
permit esp any any
permit ahp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 1701
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 #####################
transport input ssh
!
scheduler allocate 20000 1000
end
11-22-2021 01:46 PM
Hello,
try and configure the virtual template as 'ip nat inside':
interface Virtual-Template1
ip unnumbered GigabitEthernet0/1.1
--> ip nat inside
peer default ip address dhcp-pool VPN-1
ppp authentication ms-chap-v2 VPDN_AUTH
11-22-2021 01:57 PM
I had tried that already with no luck, I even tried adding the zone-member security inside with no luck
11-22-2021 02:31 PM
Hello,
make the changes marked in bold:
Current configuration : 5535 bytes
!
! Last configuration change at 18:15:20 UTC Mon Nov 22 2021 by #####
! NVRAM config last updated at 17:59:05 UTC Mon Nov 22 2021 by #####
! NVRAM config last updated at 17:59:05 UTC Mon Nov 22 2021 by #####
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service internal
!
hostname CISCO1921
!
boot-start-marker
boot-end-marker
!
enable secret 5 ##################
!
aaa new-model
!
aaa authentication ppp VPDN_AUTH local
!
aaa session-id common
!
no ipv6 cef
ip source-route
ip cef
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
ip dhcp excluded-address 10.10.20.1 10.10.20.10
ip dhcp excluded-address 192.168.2.1 192.168.2.10
!
ip dhcp pool CAMSNET
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 10.10.10.1
!
ip dhcp pool CLIENT_1
host 10.10.10.5 255.255.255.0
client-identifier 0100.1018.6f77.df
!
ip dhcp pool MAIN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 8.8.8.8
!
ip dhcp pool CLIENT_2
host 192.168.1.10 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool MGMT
network 10.10.20.0 255.255.255.0
default-router 10.10.20.1
!
ip dhcp pool CLIENT_3
host 10.10.20.6 255.255.255.0
client-identifier 017c.0ece.e732.a4
!
ip dhcp pool CLIENT_4
host 10.10.20.5 255.255.255.0
client-identifier 0164.9ef3.4de4.f6
!
ip dhcp pool VPN-1
network 192.168.2.0 255.255.255.0
--> default-router 192.168.2.1
!
ip domain name JLVB.CA
ip inspect WAAS flush-timeout 10
!
multilink bundle-name authenticated
!
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
accept-dialin
protocol l2tp
virtual-template 1
no l2tp tunnel authentication
!
crypto pki token default removal timeout 0
!
license udi pid CISCO1921/K9 sn FGL160720QS
!
vtp domain NULL
vtp mode transparent
username #### password 7 ##################
username ##### privilege 15 password 7 ###############
username ########### privilege 15 password 7 ####################
!
redundancy
!
vlan 2
name CAMS
!
class-map type inspect match-all IPSEC_CM
match access-group name ISAKMP_IPSEC
class-map type inspect match-any IN_OUT_CM
match access-group name IN_OUT_ACL
class-map type inspect match-all DHCP_CM
match access-group name DHCP
!
policy-map type inspect OUT_SELF_PM
class type inspect IPSEC_CM
pass
class type inspect DHCP_CM
pass
class class-default
drop log
policy-map type inspect IN_OUT_PM
class type inspect IN_OUT_CM
inspect
class class-default
drop log
policy-map type inspect OUT_IN_PM
class class-default
drop log
!
zone security outside
zone security inside
zone-pair security IN_OUT_ZP source inside destination outside
service-policy type inspect IN_OUT_PM
zone-pair security OUT_IN_ZP source outside destination inside
service-policy type inspect OUT_IN_PM
zone-pair security OUT_SELF_ZP source outside destination self
service-policy type inspect OUT_SELF_PM
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ############ address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set L2TP-Set2 esp-3des esp-sha-hmac
mode transport
!
crypto dynamic-map dyn-map 10
set nat demux
set transform-set L2TP-Set2
!
crypto map outside_map 65535 ipsec-isakmp dynamic dyn-map
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
--> interface Loopback0
description Gate for L2TP clients
ip address 192.168.2.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface GigabitEthernet0/0
ip address dhcp
ip nat outside
ip virtual-reassembly in
zone-member security outside
duplex auto
speed auto
crypto map outside_map
!
interface GigabitEthernet0/1
no ip address
ip nat inside
ip virtual-reassembly in
zone-member security inside
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
encapsulation dot1Q 3
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
zone-member security inside
!
interface GigabitEthernet0/1.2
encapsulation dot1Q 2
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/1.3
encapsulation dot1Q 99
ip address 10.10.20.1 255.255.255.0
!
interface FastEthernet0/0/0
no ip address
no mop enabled
!
interface FastEthernet0/0/1
no ip address
!
interface FastEthernet0/0/2
no ip address
!
interface FastEthernet0/0/3
no ip address
shutdown
!
interface Virtual-Template1
--> ip unnumbered Loopback0
ip nat inside
peer default ip address dhcp-pool VPN-1
ppp authentication ms-chap-v2 VPDN_AUTH
!
interface Vlan1
no ip address
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip nat inside source list NAT interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 ########
ip route 0.0.0.0 0.0.0.0 ######### 254
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/0 dhcp
!
ip access-list standard IN_OUT_ACL
permit 192.168.1.0 0.0.0.255
!
ip access-list extended DHCP
permit udp any any eq bootpc
ip access-list extended ISAKMP_IPSEC
permit esp any any
permit ahp any any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 1701
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
!
control-plane
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 #####################
transport input ssh
!
scheduler allocate 20000 1000
end
11-22-2021 03:03 PM
Still the same unfortunately, the only time I can ping the host is when I remove zone membership from Gi0/1.1
11-22-2021 03:07 PM
Hello,
what if you put the loopback and the virtual template in the inside zone as well ?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide