VPN

Hamid Amir
Level 1

Question

I have a Cisco 877 router which connects my network to the Internet using an ADSL line, static IP address and NAT; the IOS version is 15.

Everything is working ok, but I'd like to configure this router to be a VPN server, to be able to connect to the network from the outside.

Letting single remote computers access the internal network.

I can connect to my VPN from home using the router IP as the server name in the VPN client (is this right?), but I cannot from the outside using the public Internet.

And, finally: how do I set this up?

My config:


Current configuration : 5563 bytes
!
! Last configuration change at 15:16:15 UTC Mon Aug 28 2017 by me
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
--More--
*Aug 28 15:18:19.652: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Aug 28 15:18:19.660: %LINK-3-UPDOWN: Interface Virtual-Access3, changed sta
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
!
!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
!
vtp domain SKYBB
vtp mode transparent
username me privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username she secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENTvpn
key firewallvpn
dns 10.0.0.10
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENTvpn
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile VPN-Profile-1-ike-profile-1
!
!
!
!
!
!
!
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 8059afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 8059afb35580@skydsl password 0 efrtyuie
ppp ipcp dns request
no cdp enable
!
ip local pool VPN-Pool 192.168.0.20 192.168.0.25
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
permit ip any any
ip access-list extended vpn_resources
permit ip 192.168.0.0 0.0.0.255 any
!
no cdp run
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0

 

 
49 Replies

Francesco Molino
VIP Alumni

Hi

 

Based on your config, the following profile is the right one: vpn-ike-profile-1

 

I want to understand why you are configuring your ipsec profile to point to the isakmp profile VPN-Profile-1-ike-profile-1, which is not the correct one. I mean, on this profile VPN-Profile-1-ike-profile-1 you refer to some identities that don't exist, and the client authentication is missing.

 

I would be interested to see how you can connect from home.

 

Let's correct the profile with those commands:

crypto ipsec profile VPN-Profile-1
no set isakmp-profile VPN-Profile-1-ike-profile-1
set isakmp-profile vpn-ike-profile-1

 

And give it a try.

 

I'll review it when I'm back home from a laptop to be sure I didn't miss something in your config.

If you can do that test before it would be great.

 

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

I did the change you suggested but still I cannot connect from outside.

I get the error message "Vpn server do not respond".

Please see below.

Can you help?

Cisco CCP:

Router#sh ip int brief
Interface IP-Address OK? Method Status Protocol
ATM0 unassigned YES NVRAM up up
Dialer0 94.10.200.233 YES IPCP up up
Ethernet0 unassigned YES NVRAM administratively down down
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset up up
FastEthernet3 unassigned YES unset down down
NVI0 unassigned YES unset administratively down down
Virtual-Access1 unassigned YES unset up up
Virtual-Access2 unassigned YES unset up up
Virtual-Access3 94.10.200.233 YES unset up up
Virtual-Access4 94.10.200.233 YES unset up up
Virtual-Template2 94.10.200.233 YES unset up down
Vlan1 192.168.1.1 YES NVRAM up up

VPN Troubleshooting Report Details



Router Details

Attribute: Value
Router Model: C887VA-K9
Image Name: c800-universalk9-mz.SPA.153-3.M3.bin
IOS Version: 15.3(3)M3
Hostname: Router



Test Activity Summary

Activity: Status
Checking Easy VPN Server configuration... Successful
Checking dependent components... Successful
Checking Firewall... Successful



Test Activity Details

Activity: Status
Checking Easy VPN Server configuration... Successful
    Interface :Virtual-Template2 
    Tunnel Mode:ipsec ipv4 
    Interface physical status :Up 
    Interface IP address Type :Dialer0 
    Interface :Dialer0 
    Interface physical status :Up 
    Line protocol status :Up 
    Interface IP address Type :Easy IP 
    Checking IPSec Profile:VPN-Profile-1 
    ISAKMP Profile Association:Configured 
    Transform set :Configured 
    Checking IKE Profile:vpn-ike-profile-1 
    Group Match Identity:Configured 
    Authorization Policy:Configured 
Checking dependent components... Successful
    Checking IKE 
    IKE Policies : Configured 
    Policies with pre shared key authentication method : Configured 
    IKE configuration status : Valid 
    Checking AAA 
    AAA status : Enabled 
    AAA authorization : Not configured 
    AAA authentication : Not configured 
    Checking Local Group Policies 
    Global address pool : Not configured 
    Group Name : CCLIENT-VPN 
    Key : Configured 
    Local address Pool : Configured 
Checking Firewall... Successful



Troubleshooting Results

Failure Reason(s) | Recommended Action(s)

 

OK. You can access HTTPS on your public IP, but I think it's an authentication error. Can you do: aaa authorization network CCLIENTvpn local

And test it please ?

Thanks
Francesco

Hi Francesco Molino

Did not work.

I have Virtual-Template2 protocol down.

Any other suggestion please?

 

Hello,

on a side note, try and add the below in global configuration mode:

webvpn sslvpn-vif nat inside

Is your purpose to also have the remote users access resources in the local (192.168.1.0/24) network?

Hi George

Yes, I want the remote users to access resources in the local (192.168.1.0/24) network. I did apply your configuration but I get the message below.

 

% IP NAT configuration is applied to contexts without Vt.
% But please use virtual-template to configure this feature.

 

Kind Regards

 

Hamid

 

Hello,

I have made a few adjustments (marked in bold) to your original configuration, see if you get this to work.

For simplicity, the VPN pool uses addresses from your local LAN, which are subsequently excluded from NAT.

 

Current configuration : 5563 bytes
!
! Last configuration change at 15:16:15 UTC Mon Aug 28 2017 by me
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
vtp domain SKYBB
vtp mode transparent
username me privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username she secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
controller VDSL 0
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENTvpn
key firewallvpn
dns 10.0.0.10
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENTvpn
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile VPN-Profile-1-ike-profile-1
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 8059afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 8059afb35580@skydsl password 0 efrtyuie
ppp ipcp dns request
no cdp enable
!
ip local pool VPN-Pool 192.168.1.200 192.168.1.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.201
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.202
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.203
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.204
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.205
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.206
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.207
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.208
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.209
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.210
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn_resources
permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0

Hi George

 

I did apply your configuration but still doesn't work.

 

Kind Regards

Hamid

I'm sorry but did you do the change I suggested:
crypto ipsec profile VPN-Profile-1
no set isakmp-profile VPN-Profile-1-ike-profile-1
set isakmp-profile vpn-ike-profile-1

Can you send the config you have right now please?

Except that, I don't see any misconfiguration. There was one on the virtual-template that, thanks to Georg, has been corrected.

Thanks
Francesco

Hi Francesco

 

Yes, I did the change you and George suggested.

Below is exactly the configuration at the moment.

Kind Regards

Hamid

Router#conf t
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#crypto isakmp profile vpn-ike-profile-1
Router(conf-isa-prof)#
Router(conf-isa-prof)# no match identity group CCLIENTvpn
Router(conf-isa-prof)#end
Router#
*Aug 31 06:12:45.193: %SYS-5-CONFIG_I: Configured from console by faieza on console
Router#wr
Building configuration...
[OK]
Router#sh run
Building configuration...

Current configuration : 6324 bytes
!
! Last configuration change at 06:12:45 UTC Thu Aug 31 2017 by faieza
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
aaa authorization network CCLIENT-VPN local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
!
crypto pki certificate chain TP-self-signed-4137654229
certificate self-signed 01
quit
!
!
!
!


!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
!
vtp domain SKYBB
vtp mode transparent
username faieza privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username admin secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENT-VPN
key firewall.cx
dns 10.0.0.10
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile vpn-ike-profile-1
!
!
!
!
!
!
!
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 8050afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 8050afb35580@skydsl password 0 ef59851e
ppp ipcp dns request
no cdp enable
!
ip local pool VPN-Pool 192.168.0.20 192.168.0.25
ip local pool VPN-Pool 192.168.1.200 192.168.1.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
permit ip any any
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.201
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.202
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.203
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.204
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.205
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.206
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.207
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.208
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.209
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.210
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn_resources
permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
!
webvpn sslvpn-vif nat inside
end

 

Hello,

a few things are still incorrect (marked in bold):

Current configuration : 6324 bytes
!
! Last configuration change at 06:12:45 UTC Thu Aug 31 2017 by faieza
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
aaa new-model
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
aaa authorization network CCLIENT-VPN local
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
crypto pki certificate chain TP-self-signed-4137654229
certificate self-signed 01
quit
!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.210
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
vtp domain SKYBB
vtp mode transparent
username faieza privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username admin secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
controller VDSL 0
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENT-VPN
key firewall.cx
dns 10.0.0.10
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile vpn-ike-profile-1
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 8050afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 8050afb35580@skydsl password 0 ef59851e
ppp ipcp dns request
no cdp enable
!
--> no ip local pool VPN-Pool 192.168.0.20 192.168.0.25
ip local pool VPN-Pool 192.168.1.200 192.168.1.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
permit ip any any
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.201
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.202
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.203
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.204
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.205
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.206
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.207
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.208
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.209
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.210
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn_resources
--> no permit ip 192.168.0.0 0.0.0.255 any
permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
--> no webvpn sslvpn-vif nat inside

Hi George

 

Sorry about that; I couldn't see the bold text in Outlook.

Still not working.

Below is the updated configuration as you suggested.

Kind Regards

Hamid


Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip access-list extended vpn_resources
Router(config-ext-nacl)#no permit ip 192.168.0.0 0.0.0.255 any
Router(config-ext-nacl)#end
Router#
*Aug 31 15:41:41.265: %SYS-5-CONFIG_I: Configured from console by faieza on console
wr
Building configuration...
[OK]
Router#sh run
Building configuration...

Current configuration : 6260 bytes
!
! Last configuration change at 15:41:41 UTC Thu Aug 31 2017 by faieza
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
aaa authorization network CCLIENT-VPN local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
!
crypto pki certificate chain TP-self-signed-4137654229
certificate self-signed 01

!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.210
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!

multilink bundle-name authenticated
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
!
vtp domain SKYBB
vtp mode transparent
username faieza privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username admin secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
controller VDSL 0
!

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENT-VPN
key firewall.cx
dns 10.0.0.10
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile vpn-ike-profile-1
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 8050afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 8050afb35580@skydsl password 0 ef57b51e
ppp ipcp dns request
no cdp enable
!
ip local pool VPN-Pool 192.168.1.200 192.168.1.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
permit ip any any
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.201
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.202
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.203
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.204
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.205
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.206
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.207
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.208
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.209
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.210
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn_resources
permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
!
control-plane
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
end

 

Hello,

there is still a mistake in your access list. Remove 'permit ip any any' as the first line, as this line renders the access list basically useless:

ip access-list extended any
--> no permit ip any any
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.201
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.202
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.203
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.204
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.205
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.206
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.207
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.208
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.209
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.210
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn_resources
permit ip 192.168.1.0 0.0.0.255 any
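As an added illustration (not code from this thread or from Cisco IOS), a small Python model of the first-match evaluation IOS applies to an extended access list, run over the NAT ACL quoted above. It shows why the leading 'permit ip any any' defeats the deny entries that are meant to keep LAN-to-VPN-pool traffic out of NAT (the "subsequently excluded from NAT" point from the earlier reply), and includes a shadowed-entry check that flags that mistake. The ACL text and sample flows are constructed from the lines quoted in the thread; 203.0.113.10 stands in for an arbitrary Internet host.

```python
"""First-match evaluation of a Cisco IOS extended access list, applied to the
NAT ACL from this thread. Added example; not code from the thread or from Cisco
IOS. The ACL text and the sample flows are constructed from the lines quoted
above; 203.0.113.10 stands in for an arbitrary Internet host."""
import ipaddress
from dataclasses import dataclass

# The eleven deny entries George added so that LAN-to-VPN-pool traffic
# (pool 192.168.1.200-210) is not translated by 'ip nat inside source list any'.
_DENY_POOL = "\n".join(
    f" deny ip 192.168.1.0 0.0.0.255 host 192.168.1.{h}" for h in range(200, 211))

# ACL 'any' as Hamid had it: 'permit ip any any' left in as the first entry.
ACL_BROKEN = ("ip access-list extended any\n permit ip any any\n"
              + _DENY_POOL + "\n permit ip 192.168.1.0 0.0.0.255 any\n")
# ACL 'any' after removing that first entry, as George asked.
ACL_FIXED = ("ip access-list extended any\n"
             + _DENY_POOL + "\n permit ip 192.168.1.0 0.0.0.255 any\n")


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    text: str                        # original line, for reporting


def _wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Cisco wildcard mask (1 bits = don't care) to a network; contiguous masks only."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if wc != (1 << wc.bit_length()) - 1:
        raise ValueError(f"non-contiguous wildcard {wildcard} not modelled")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _parse_match(tokens, i):
    """Parse one address spec ('any', 'host A.B.C.D' or 'A.B.C.D WILDCARD')."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return _wildcard_to_network(tokens[i], tokens[i + 1]), i + 2


def parse_acl(text: str):
    """Parse 'permit ip ...' / 'deny ip ...' entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        if tokens[1] != "ip":
            raise ValueError(f"only 'ip' entries are modelled: {line.strip()}")
        src, i = _parse_match(tokens, 2)
        dst, _ = _parse_match(tokens, i)
        entries.append(AclEntry(tokens[0], src, dst, line.strip()))
    return entries


def evaluate(entries, src_ip: str, dst_ip: str):
    """First matching entry wins, as on IOS; the implicit 'deny ip any any'
    applies when nothing matches. Returns (action, entry text)."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for e in entries:
        if s in e.src and d in e.dst:
            return e.action, e.text
    return "deny", "implicit deny ip any any"


def shadowed_entries(entries):
    """Entries that can never match because an earlier entry already covers
    both their source and destination ranges. A leading 'permit ip any any'
    shadows every entry after it, which is the mistake pointed out above."""
    shadowed = []
    for i, e in enumerate(entries):
        if any(e.src.subnet_of(p.src) and e.dst.subnet_of(p.dst) for p in entries[:i]):
            shadowed.append(e.text)
    return shadowed


if __name__ == "__main__":
    for name, text in (("broken", ACL_BROKEN), ("fixed", ACL_FIXED)):
        acl = parse_acl(text)
        print(f"{name}: LAN 192.168.1.50 -> VPN client 192.168.1.205:",
              evaluate(acl, "192.168.1.50", "192.168.1.205"))
        print(f"{name}: LAN 192.168.1.50 -> Internet 203.0.113.10:",
              evaluate(acl, "192.168.1.50", "203.0.113.10"))
        print(f"{name}: {len(shadowed_entries(acl))} entries can never match")
```

With the broken ACL every LAN-to-pool flow hits 'permit ip any any' and is translated; with the fixed ACL the same flow hits a deny entry (left untranslated) while LAN-to-Internet flows still reach the final permit.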

Hi George

I updated my configuration but still I cannot connect from outside.

kind Regards 

Hamid

ip access-list extended any
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.201
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.202
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.203
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.204
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.205
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.206
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.207
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.208
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.209
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.210
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn_resources
permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
!
!
!
!
control-plane
