07-23-2012 10:26 PM - edited 03-07-2019 07:56 AM
Hi,
I configured a dynamic VPN (Easy VPN) on a Cisco ISR, but the VPN clients cannot access any of the LAN devices. The VPN pool is 10.0.0.1 - 10.0.0.20 and the internal network address is 172.17.x.x. Please help me out.
see my configuration:
Router#sh run
Building configuration...
Current configuration : 12165 bytes
!
! NVRAM config last updated at 10:51:38 UTC Fri Jul 20 2012 by
version 15.1
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
enable secret xxxxxxxx.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN-USER-XAUTH local
aaa authorization exec default local
aaa authorization network VPN-GROUP local
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip name-server xxxx
ip name-server xxxx
ip name-server xxxx
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-
 revocation-check none
 rsakeypair TP-self-signed-2049522683
!
crypto pki trustpoint tti
 revocation-check crl
!
!
username xxx privilege 15 password xxxx
username xxxxx privilege 15 password xxxxx
username xxxxx password 0 xxxxxx
!
class-map type inspect http match-any HTTP-PORT-MISUSE
 match request port-misuse im
 match request port-misuse p2p
 match req-resp protocol-violation
 match request port-misuse tunneling
class-map type inspect match-all ICMP
 match access-group name INTERNET-ACL-IT
 match protocol icmp
class-map type inspect match-all SMTP
 match access-group name INTERNET-ACL-IT
 match protocol smtp
class-map type inspect match-all HTTP-ACCESS
 match protocol http
 match access-group name INTERNET-ACL-IT
class-map type inspect match-all UDP
 match access-group name INTERNET-ACL-IT
 match protocol udp
class-map type inspect match-all HTTPs-ACCESS
 match access-group name INTERNET-ACL-IT
 match protocol https
class-map type inspect match-all TCP
 match access-group name INTERNET-ACL-IT
 match protocol tcp
class-map type inspect match-any tsq-icmp
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all DNS
 match access-group name INTERNET-ACL-IT
 match protocol dns
class-map type inspect match-all VPN-ACCESS
 match access-group 121
class-map type inspect match-all tsq-invalid-src
 match access-group 100
class-map type inspect match-all tsq-icmp-access
 match class-map tsq-icmp
class-map type inspect match-all POP3
 match access-group name INTERNET-ACL-IT
 match protocol pop3
!
policy-map type inspect IN-TO-OUT-POLICY
 class type inspect HTTP-ACCESS
  inspect
 class type inspect HTTPs-ACCESS
  inspect
 class type inspect UDP
  inspect
 class type inspect TCP
  inspect
 class type inspect DNS
  inspect
 class type inspect SMTP
  inspect
 class type inspect POP3
  inspect
 class type inspect ICMP
  inspect
 class type inspect invalid-src
  drop log
 class class-default
  drop log
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect VPN-ACCESS
  inspect
 class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
 service-policy type inspect IN-TO-OUT-POLICY
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group xxxxx
 key 6 xxxxxxxx
 dns xxxxxxxx
 pool VPN-POOL-1
 include-local-lan
 max-users 20
 netmask 255.0.0.0
crypto isakmp profile VPN-IKE-PROFILE
   match identity group xxxxxxxx
   client authentication list VPN-USER-XAUTH
   isakmp authorization list VPN-GROUP
   client configuration address respond
   virtual-template 2
!
!
crypto ipsec transform-set TRANSFORM-SET esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-PROFILE-1
 set transform-set TRANSFORM-SET
 set isakmp-profile VPN-IKE-PROFILE
!
!
interface Embedded-Service-Engine0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
!
interface GigabitEthernet0/0
 description LAN INTERFACE
 ip address 172.17.0.71 255.255.0.0
 ip nat inside
 ip virtual-reassembly in
 zone-member security INSIDE
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description WAN-INTERNET-INTERFACE
 ip address xxxxxxxxx 255.255.252.0
 ip nat outside
 ip virtual-reassembly in
 zone-member security OUTSIDE
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 ip mask-reply
 ip directed-broadcast
 shutdown
 no fair-queue
 clock rate 2000000
!
interface Virtual-Template2 type tunnel
 ip unnumbered GigabitEthernet0/0
 zone-member security INSIDE
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE-1
!
ip local pool VPN-POOL-1 10.0.0.1 10.0.0.30
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx
ip route 192.168.1.0 255.255.255.0 172.17.x.x
ip route 192.168.4.0 255.255.255.0 172.17.x.x
!
ip access-list extended INTERNET-ACL-IT
 permit ip host 172.17.x.x any
 permit ip host 172.17.x.x any
 permit ip host 172.17.x.x any
 permit ip host 172.17.x.x any
 permit ip host 172.17.x.x any
!
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 privilege level 15
 transport input rlogin ssh
!
scheduler allocate 20000 1000
end
Regards,
Tony
07-25-2012 03:30 AM
Hi,
Try to add the below ACLs to your router instead of the existing ACL:
access-list 103 deny ip any 10.0.0.0 0.0.0.255
access-list 103 permit ip 172.17.0.0 0.0.255.255 any
access-list 103 permit ip 192.168.0.0 0.0.255.255 any
access-list 151 permit ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 151 permit ip 192.168.0.0 0.0.255.255 10.0.0.0 0.0.0.255
then match the ACL 151 under (crypto isakmp client configuration group xxxxx)
acl 151
Let me know if your problem is solved.
Regards
07-26-2012 11:21 PM
Hello Ali,
My problem got solved when I attached the interface Virtual-Template2 type tunnel to the OUTSIDE zone.
Anyway thank you for your reply.
Best Regards,
Tony
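Added here as a worked illustration of the fix Tony reports (it is not code from the thread or from Cisco): which zone-based-firewall policy sees the decrypted Easy VPN traffic is decided by the zone the virtual-template belongs to. The script evaluates a pool-address-to-LAN flow against a constructed excerpt of the posted config under the documented ZBF rules (same-zone traffic passes by default, an interface outside any zone cannot exchange traffic with a zone member, otherwise the zone-pair's policy classes are tried in order with their ACLs evaluated first-match), so the INSIDE placement, the OUTSIDE placement and a client address outside ACL 121 each yield a different verdict. Interface zone membership is supplied as a dict rather than parsed from the interface blocks, and only access-group match criteria are evaluated.

```python
import ipaddress
# Constructed excerpt of the posted config (ZBF pieces only) plus each interface's zone as posted and as fixed.
CONFIG = """\
class-map type inspect match-all VPN-ACCESS
 match access-group 121
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect VPN-ACCESS
  inspect
 class class-default
  drop
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
 service-policy type inspect OUT-TO-IN-POLICY
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
"""
ZONES_POSTED = {"GigabitEthernet0/0": "INSIDE", "GigabitEthernet0/1": "OUTSIDE", "Virtual-Template2": "INSIDE"}
ZONES_FIXED = {**ZONES_POSTED, "Virtual-Template2": "OUTSIDE"}   # the change Tony reported as the fix

def blocks(cfg):
    """IOS config -> {header line: [indented sub-lines]}, using the CLI's leading-space indentation."""
    out, hdr = {}, None
    for line in cfg.splitlines():
        if line.startswith(" "): out[hdr].append(line.strip())
        else: hdr, out[line] = line, []
    return out
def _net(tok):  # one ACL address spec (any | host A | A WILDCARD) -> (network, tokens used); contiguous wildcards only
    if tok[0] == "any": return ipaddress.ip_network("0.0.0.0/0"), 1
    if tok[0] == "host": return ipaddress.ip_network(tok[1]), 2
    return ipaddress.ip_network(f"{tok[0]}/{tok[1]}", strict=False), 2
def acl_permits(b, number, src, dst):
    """First-match evaluation of a numbered extended ACL ('ip' entries only), with the implicit deny at the end."""
    for t in (h.split() for h in b if h.startswith(f"access-list {number} ")):
        s, n = _net(t[4:]); d, _ = _net(t[4 + n:])
        if ipaddress.ip_address(src) in s and ipaddress.ip_address(dst) in d: return t[2] == "permit"
    return False
def zbf_verdict(cfg, zones, ingress, egress, src, dst):
    """ZBF verdict for a flow entering `ingress` and leaving `egress`. Only 'match access-group' criteria
    are evaluated; a match-all class with other criteria never matches here (fail closed)."""
    b, zi, ze = blocks(cfg), zones.get(ingress), zones.get(egress)
    if zi is None or ze is None: return "drop: a zone member and a non-member never exchange traffic"
    if zi == ze: return "pass: same zone, allowed by default"
    pair = next((h for h in b if h.startswith("zone-pair") and h.endswith(f"source {zi} destination {ze}")), None)
    if pair is None: return f"drop: no zone-pair {zi}->{ze}"
    pol, cls = b[pair][0].split()[-1], None             # 'service-policy type inspect NAME'
    for l in b[f"policy-map type inspect {pol}"]:       # sub-lines alternate 'class ...' and its action
        if l.startswith("class "): cls = l.split()[-1]; continue
        cm = next((h for h in b if h.startswith("class-map type inspect") and h.endswith(" " + cls)), None)
        if cls == "class-default" or (cm and b[cm] and (all if "match-all" in cm else any)(
                m.startswith("match access-group ") and acl_permits(b, m.split()[-1], src, dst) for m in b[cm])):
            return f"{l}: {pol}, class {cls}"
    return f"drop: {pol} matched no class"
```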