Problem Connecting SR520 and UC520...and VPN using Cisco AnyConnect...!

nethumcisco
Level 1

Hi,

I have 2 problems:

When I'm connected to the SR520 (using VLAN 75), I can't access my UC520 VLANs, whichever VLAN it is, 1 or 100. However, when I disable the firewall in the SR520, I don't have any problem. Can you help me check what configuration is blocking the access? The UC520 doesn't have any problem, and the firewall is disabled in it. The problem is only in the SR520, because it is in this equipment where I disable the firewall. The configuration is at the end:

And the other problem is when I try to connect to the VPN. First, when the firewall is up, I can never connect; I have to disable it. When I disable the firewall, using the EZ VPN Client I can connect successfully on a Windows 32-bit laptop. However, when I try to connect using the Cisco AnyConnect VPN Client on a laptop with Windows 64-bit, I receive the following message:

VPN >> connect xxx.xxx.xxx.xxx (public ip address of the SR520)

Warning: The following Certificate received from the Server could not be verified:
Name: IOS-Self-Signed-Certificate-3133312779

Fingerprint: CF10DCBC8BC79B07247D38347025D141BD10ED8B

accept? [y/n]: y

>> warning: Unable to process response from xxx.xxx.xxx.xxx

>> state: Disconnected

Can you help me check the configuration?

Greetings...!

Current configuration : 12177 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname SR520
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 $1$pUwH$.VWJ15mt5/0k.0tXQNtGi.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login Foxtrot_sdm_easyvpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network Foxtrot_sdm_easyvpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3133312779
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3133312779
revocation-check none
rsakeypair TP-self-signed-3133312779
!
!
crypto pki certificate chain TP-self-signed-3133312779
certificate self-signed 01
        quit
dot11 syslog
!
dot11 ssid NetHumans
   vlan 75
   authentication open
!
ip source-route
!
!
ip dhcp excluded-address 192.168.75.1 192.168.75.10
!
ip dhcp pool inside
   network 192.168.75.0 255.255.255.0
   default-router 192.168.75.1
   dns-server 192.168.75.1
!
!
ip cef
ip inspect log drop-pkt
!
no ipv6 cef
multilink bundle-name authenticated

parameter-map type inspect z1-z2-pmap
audit-trail on
!
!
username cisco privilege 15 secret 5 $1$pOzo$paREgWgFYZgGTjvXV3o/n.
username falcon secret 5 $1$.Soe$VeAAAAAAAAAAAAAAAAAAA/
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group EZVPN_GROUP_1
key AAAAAAAAAATYF465
dns 192.168.135.10 192.168.75.1
pool SDM_POOL_1
acl 104
max-users 10
crypto isakmp profile sdm-ike-profile-1
   match identity group EZVPN_GROUP_1
   client authentication list Foxtrot_sdm_easyvpn_xauth_ml_1
   isakmp authorization list Foxtrot_sdm_easyvpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
  hidekeys
!
!
!
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any CMAP_non500isakmp
match access-group 106
class-map type inspect match-any SDM-Voice-permit
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any CMAP_isakmp
match access-group 105
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match class-map SDM_AH
match class-map SDM_ESP
match class-map CMAP_isakmp
match class-map CMAP_non500isakmp
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-h323-1
match access-group 103
match protocol h323
class-map type inspect match-all SDM-inspect-staticnat-in
match access-group name staticnat
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all dhcp_out_self
match access-group name dhcp-resp-permit
class-map type inspect match-all dhcp_self_out
match access-group name dhcp-req-permit
class-map type inspect match-all sdm-nat-sip-2
match access-group 102
match protocol sip
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-sip-1
match access-group 101
match protocol sip
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect dhcp_self_out
  pass
class type inspect sdm-cls-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-inspect
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-cls-insp-traffic
  inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-protocol-http
  inspect z1-z2-pmap
class class-default
  pass
policy-map type inspect sdm-inspect-voip-in
class type inspect SDM-inspect-staticnat-in
  pass
class type inspect SDM-Voice-permit
  pass
class type inspect sdm-nat-sip-1
  inspect
class type inspect sdm-nat-sip-2
  inspect
class type inspect sdm-nat-h323-1
  inspect
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class type inspect dhcp_out_self
  pass
class class-default
  drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-in source out-zone destination in-zone
service-policy type inspect sdm-inspect-voip-in
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
bridge irb
!
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 8/81
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
switchport trunk native vlan 75
switchport mode trunk
macro description cisco-switch
!
interface FastEthernet1
switchport access vlan 50
!
interface FastEthernet2
switchport access vlan 75
!
interface FastEthernet3
switchport access vlan 75
!
interface Virtual-Template1 type tunnel
ip unnumbered BVI75
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 75 key 1 size 128bit 7 3DBD35B65AAAAAA291F2BB29181A transmit-key
encryption vlan 75 mode wep mandatory
!
ssid NetHumans
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
!
interface Dot11Radio0.75
encapsulation dot1Q 75 native
bridge-group 75
bridge-group 75 subscriber-loop-control
bridge-group 75 spanning-disabled
bridge-group 75 block-unknown-source
no bridge-group 75 source-learning
no bridge-group 75 unicast-flooding
!
interface Vlan1
no ip address
bridge-group 1
!
interface Vlan75
no ip address
bridge-group 75
bridge-group 75 spanning-disabled
!
interface Vlan100
no ip address
bridge-group 100
!
interface Vlan50
no ip address
bridge-group 50
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname internetuser
ppp chap password 7 AAAAAAAABBC0C0517
ppp pap sent-username internetuser password 7 AAAAAAAABBC0C0517
ppp ipcp dns request
!
interface BVI75
description $FW_INSIDE$
ip address 192.168.75.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface BVI1
no ip address
!
interface BVI100
no ip address
!
interface BVI50
description $FW_INSIDE$
ip address 192.168.50.1 255.255.255.0
zone-member security in-zone
!
ip local pool SDM_POOL_1 192.168.135.221 192.168.135.230
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 192.168.75.2
ip route 10.1.10.0 255.255.255.0 192.168.75.2
ip route 192.168.50.0 255.255.255.0 BVI50
ip route 192.168.135.0 255.255.255.0 192.168.75.2
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.75.2 5060 interface Dialer1 5060
ip nat inside source static udp 192.168.75.2 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.75.2 1720 interface Dialer1 1720
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended dhcp-req-permit
remark SDM_ACL Category=1
permit udp any eq bootpc any eq bootps
ip access-list extended dhcp-resp-permit
remark SDM_ACL Category=1
permit udp any eq bootps any eq bootpc
ip access-list extended staticnat
remark SDM_ACL Category=1
permit tcp any any eq 5060
permit udp any any eq 5060
permit tcp any any eq 1720
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.75.0 0.0.0.255
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 1 permit 10.1.10.0 0.0.0.255
access-list 1 permit 192.168.135.0 0.0.0.255    /* I Changed because my data network address in the UC520 is 192.168.135.0 */
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.75.2
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.75.2
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.75.2
access-list 104 remark SDM_ACL Category=4
access-list 104 permit ip 192.168.135.0 0.0.0.255 any
access-list 104 permit ip 192.168.75.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=1
access-list 105 permit udp any any eq isakmp
access-list 106 remark SDM_ACL Category=1
access-list 106 permit udp any any eq non500-isakmp
dialer-list 1 protocol ip permit
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 50 protocol ieee
bridge 50 route ip
bridge 75 route ip
bridge 100 protocol ieee
bridge 100 route ip
banner login ^CSR520 Base Config - MFG 1.0 ^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
end
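An added example, not part of the original post or the SDM-generated config: a small Python checker that parses the zone-based firewall (ZBF) lines of an IOS running-config like the one above and reports what each zone-to-zone direction gets. It uses a constructed excerpt of the SR520 config in which some zone-pairs are deliberately omitted so the dropped case is visible; the only assumptions are the standard ZBF defaults (same zone permitted, different zones without a zone-pair dropped, the router's own `self` zone permitted unless a zone-pair restricts it).

```python
import re

# Constructed excerpt modelled on the SR520 config in the post; the out-zone ->
# in-zone and ezvpn-zone <-> out-zone zone-pairs are left out to show the gaps.
SAMPLE_CONFIG = """\
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-in-out source in-zone destination out-zone
 service-policy type inspect sdm-inspect
interface Virtual-Template1 type tunnel
 zone-member security ezvpn-zone
interface Dialer1
 zone-member security out-zone
interface BVI75
 zone-member security in-zone
"""

def parse_zbf(config):
    """Return (zones, {(src, dst): policy}, {interface: zone})."""
    zones, pairs, members, pair, iface = set(), {}, {}, None, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"zone security (\S+)", line):
            zones.add(m.group(1))
        elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
            pair = (m.group(1), m.group(2))
            pairs[pair] = None  # policy is filled in by the following line
        elif (m := re.match(r"service-policy type inspect (\S+)", line)) and pair:
            pairs[pair] = m.group(1)
        elif m := re.match(r"interface (\S+)", line):
            iface, pair = m.group(1), None
        elif (m := re.match(r"zone-member security (\S+)", line)) and iface:
            members[iface] = m.group(1)
    return zones, pairs, members

def classify(src_zone, dst_zone, pairs):
    """ZBF verdict for traffic from src_zone to dst_zone ('self' is the router)."""
    if src_zone == dst_zone:
        return "same zone: permitted"
    if policy := pairs.get((src_zone, dst_zone)):
        return f"zone-pair policy {policy}"
    if "self" in (src_zone, dst_zone):
        return "no zone-pair: self traffic permitted by default"
    return "no zone-pair: dropped"

def missing_pairs(zones, pairs):
    """Inter-zone directions with no zone-pair, i.e. what ZBF silently drops."""
    return sorted((s, d) for s in zones for d in zones if s != d and (s, d) not in pairs)
```

Feed it the full running-config and `missing_pairs` lists every direction the firewall drops for lack of a zone-pair, which is the first thing to compare against the path a blocked client actually takes (ingress interface zone to egress interface zone via `classify`).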