10-01-2014 06:18 AM - edited 03-04-2019 11:52 PM
using the Cisco VPN Client dialer. Able to connect to the VPN but unable to access network resources. Suspect I do not have the necessary ACL. Any help is greatly appreciated!
Building configuration...
WLAN_AP_SM: Config command is not supported
Current configuration : 7822 bytes
version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service internal
service sequence-numbers
!
hostname XXXX
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
security authentication failure rate 3 log
security passwords min-length 10
logging buffered 16384
logging console critical
enable secret 5 $1$fW7P$R7uRO0HR/qfTKfWLJRzuX/
enable password 7 0960472E31311953050B22677871
!
aaa new-model
!
!
aaa authentication login local_authen local-case
aaa authentication login rtr-remote local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization console
aaa authorization exec local_author local
aaa authorization network rtr-remote local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2189269114
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-2189269114
 revocation-check none
 rsakeypair TP-self-signed-2189269114
!
!
crypto pki certificate chain TP-self-signed-2189269114
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 32313839 32363931 3134301E 170D3134 30393137 31353237
  33335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D32 31383932
  36393131 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B288 C7F43947 F348BEAC C77DC9EA C4E65AD0 7DBC3F44 66BC9A6B 244054CC
  4C5C59F3 253CE4DA 644B7C08 68B6D59A B3382174 D7861A76 7E416D12 8E778E54
  137CEEAD E213B888 E7F6DBA5 6F4344F1 535277B6 59002D04 566FE7F9 AFB70717
  B4F6CA45 06CB23A7 50EF4D5B 80384EE0 3DE44A1F 614C4380 151C8EC7 5CBD2FAE
  8D0D0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 148CCBE1 B0D4D10C 40D1F60B 1FD097FF B5FDEBAE 60301D06
  03551D0E 04160414 8CCBE1B0 D4D10C40 D1F60B1F D097FFB5 FDEBAE60 300D0609
  2A864886 F70D0101 05050003 81810038 6767E94E E2F1C3A9 730ACD07 24F5CB36
  D6DE02B3 B0E27992 5970A7F2 AFC581ED 6716C21B 675EDF73 2FA25FE7 8EC70C66
  6FB1B85C 63727F86 1FFC3C33 A52B0DEE 55D5099B 62A7B70F 5AAF7A29 23A9EABB
  ED53CBD3 C0E11077 09308D4C 8D88CAC8 F5727A29 BCF73D31 A70CEDC7 4809D468
  D13A3563 FA74AD99 358C36D9 6736F8
  quit
no ip source-route
ip dhcp excluded-address 192.168.0.1 192.168.0.99
ip dhcp excluded-address 192.168.0.150 192.168.0.254
!
ip dhcp pool Local_DHCP
 import all
 network 192.168.0.0 255.255.255.0
 domain-name ecsinternal.com
 dns-server 8.8.8.8 100.100.1.1
 default-router 192.168.0.30
 lease 7
!
!
no ip bootp server
ip domain name ecs.com
ip inspect WAAS flush-timeout 10
ip cef
login block-for 30 attempts 3 within 30
login delay 4
login quiet-mode access-class 2
login on-failure log every 3
no ipv6 cef
!
!
multilink bundle-name authenticated
!
chat-script lte "" "AT!CALL" TIMEOUT 20 "OK"
!
!
license udi pid C819G-4G-V-K9 sn FTX183780X5
!
!
username wcperkins privilege 15 secret 5 $1$t.LO$Oud1W2yJqVPdUSlcz5gM/.
username ecsvpn password 7 050E350C75795E1D580812
username champnet privilege 15 secret 5 $1$tjeE$UZejKpoxmHaPtlL3XoEFM/
!
!
controller Cellular 0
!
ip tcp synwait-time 10
ip ssh maxstartups 4
ip ssh time-out 30
ip ssh authentication-retries 2
ip ssh logging events
ip ssh version 2
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ecsvpn
 key XXXXX
 dns 100.100.1.1
 pool dynpool
 acl 102
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
 match identity group ecsvpn
 client authentication list ciscocp_vpn_xauth_ml_2
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 2
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set vpn1
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto dynamic-map dynmap 1
 set transform-set vpn1
 reverse-route
!
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
!
interface Cellular0
 ip address negotiated
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 load-interval 30
 dialer in-band
 dialer idle-timeout 0
 dialer enable-timeout 6
 dialer string lte
 dialer string ltescript
 dialer watch-group 1
 async mode interactive
 crypto map static-map
!
interface FastEthernet0
 no ip address
 shutdown
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
 shutdown
!
interface FastEthernet3
 no ip address
 shutdown
!
interface GigabitEthernet0
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface Serial0
 no ip address
 shutdown
 clock rate 2000000
!
interface Virtual-Template1
 ip unnumbered Cellular0
!
interface Virtual-Template2 type tunnel
 ip unnumbered Cellular0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 ip address 192.168.0.30 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1400
 ip policy route-map clear-df
!
ip local pool dynpool 192.168.199.100 192.168.199.149
ip forward-protocol nd
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http max-connections 10
ip http timeout-policy idle 5 life 86400 requests 10000
!
!
ip nat inside source list 100 interface Cellular0 overload
ip route 0.0.0.0 0.0.0.0 Cellular0
!
!
dialer watch-list 1 ip 1.2.3.4 0.0.0.0
dialer watch-list 1 delay route-check initial 60
dialer watch-list 1 delay connect 1
!
route-map clear-df permit 10
 set ip df 0
!
access-list 100 permit ip any any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 102 permit ip 192.168.199.0 0.0.0.255 any
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
line con 0
 script dialer ltescript
 no modem enable
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 stopbits 1
line 3
 script dialer lte
 no exec
 rxspeed 100000000
 txspeed 50000000
line vty 0 4
 access-class 1 in
 exec-timeout 5 30
 timeout login response 20
 logout-warning 30
 absolute-timeout 60
 authorization exec local_author
 login authentication local_authen
 transport input ssh
 transport output ssh
!
scheduler allocate 20000 1000
!
!
webvpn gateway gateway_1
 ip address X.X.X.X port 443
 ssl trustpoint TP-self-signed-2189269114
 inservice
!
webvpn context ecsvpn
 secondary-color white
 title-color #669999
 text-color black
 virtual-template 1
 aaa authentication list ciscocp_vpn_xauth_ml_1
 gateway gateway_1 domain ecsvpn
 !
 ssl authenticate verify all
 inservice
 !
 policy group policy_1
   functions svc-enabled
   svc address-pool "dynpool" netmask 255.255.255.255
   svc default-domain "XXXX"
   svc keep-client-installed
   svc dns-server primary 8.8.8.8
 default-group-policy policy_1
!
end
10-01-2014 08:21 AM
Are you trying to access them via IP, Hostname or Both? What is the result of a ping?
10-01-2014 08:40 AM
Pings fail. Have also tried to access HTTP on the interface VLAN1. Thanks!
10-01-2014 09:00 AM
If you view the status of your vpn client connection, select route details and check secure routes. What do you see in there?
10-01-2014 09:03 AM
Also - you're applying ip any any to your NAT statement. Need to add some exceptions. Try adding:
access-list 100 deny ip any 192.168.0.0 0.0.255.255
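The last reply points at the NAT rule. With `access-list 100 permit ip any any` feeding `ip nat inside source list 100 interface Cellular0 overload`, a LAN host's reply to a VPN client in 192.168.199.x is translated to the Cellular0 address before the crypto map sees it, so it no longer matches the client's tunnel selectors and never returns through the tunnel. The script below is an added example, not part of the original thread or any Cisco code: it models how IOS evaluates a numbered wildcard ACL for that NAT rule (first match wins, implicit deny at the end, permit means "translate") and checks three variants: the ACL as posted, the same ACL with the suggested deny line above the catch-all permit, and the two lines in the wrong order. The LAN host 192.168.0.50 is constructed; 192.168.199.100 (first address of `ip local pool dynpool`) and 8.8.8.8 (the DNS server the config hands out) come from the posted configuration.

```python
# Added example (not from the original post): model Cisco IOS first-match
# evaluation of the numbered ACL that drives "ip nat inside source list 100".
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source and destination specs."""
    action: str   # "permit" or "deny"
    src: str      # "any" or "<address> <wildcard>"
    dst: str


def _take_spec(toks: List[str], i: int) -> Tuple[str, int]:
    """Consume one address spec (any | host A | A WILDCARD) starting at toks[i]."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return f"{toks[i + 1]} 0.0.0.0", i + 2
    return f"{toks[i]} {toks[i + 1]}", i + 2


def parse_ace(line: str) -> Ace:
    """Parse 'access-list N {permit|deny} ip SRC DST' (IP-only entries, no ports)."""
    toks = line.split()
    if len(toks) < 6 or toks[0] != "access-list" or toks[3] != "ip":
        raise ValueError(f"unsupported ACE: {line}")
    action = toks[2]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in: {line}")
    src, i = _take_spec(toks, 4)
    dst, _ = _take_spec(toks, i)
    return Ace(action, src, dst)


def wildcard_match(spec: str, addr: str) -> bool:
    """IOS wildcard semantics: a 0 bit must match, a 1 bit is ignored."""
    if spec == "any":
        return True
    base, wild = spec.split()
    care = ~int(ipaddress.IPv4Address(wild)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care
    )


def nat_translates(acl_lines: List[str], src: str, dst: str) -> bool:
    """First matching ACE wins; an unmatched flow hits the implicit deny.

    For 'ip nat inside source list', permit means "translate this flow" and
    deny (explicit or implicit) means "leave it untranslated".
    """
    for ace in map(parse_ace, acl_lines):
        if wildcard_match(ace.src, src) and wildcard_match(ace.dst, dst):
            return ace.action == "permit"
    return False


# ACL 100 exactly as in the posted configuration: every inside->outside flow is translated.
ACL_ORIGINAL = ["access-list 100 permit ip any any"]

# The exemption suggested in the thread, placed above the catch-all permit.
ACL_FIXED = [
    "access-list 100 deny ip any 192.168.0.0 0.0.255.255",
    "access-list 100 permit ip any any",
]

# Same two lines in the wrong order: the permit matches first, so the deny is dead.
ACL_MISORDERED = list(reversed(ACL_FIXED))

LAN_HOST = "192.168.0.50"       # constructed host on Vlan1 (192.168.0.0/24)
VPN_CLIENT = "192.168.199.100"  # first address of "ip local pool dynpool"
INTERNET_HOST = "8.8.8.8"       # DNS server the posted config already hands out


def summary() -> Dict[str, bool]:
    """Whether LAN->VPN-client and LAN->Internet flows get translated under each ACL."""
    return {
        "original_lan_to_vpn": nat_translates(ACL_ORIGINAL, LAN_HOST, VPN_CLIENT),
        "fixed_lan_to_vpn": nat_translates(ACL_FIXED, LAN_HOST, VPN_CLIENT),
        "fixed_lan_to_internet": nat_translates(ACL_FIXED, LAN_HOST, INTERNET_HOST),
        "misordered_lan_to_vpn": nat_translates(ACL_MISORDERED, LAN_HOST, VPN_CLIENT),
    }


if __name__ == "__main__":
    for name, translated in summary().items():
        print(f"{name}: {'translated' if translated else 'not translated'}")
```

The misordered variant is the practical caveat: on a numbered ACL, lines are appended, so the deny has to end up above `permit ip any any` (remove and re-enter the list, or edit it with sequence numbers under `ip access-list extended 100`). After the change, existing translations for the VPN pool still sit in the NAT table until they age out or are cleared with `clear ip nat translation *`.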