Hi all, I have been looking on many forums for an answer, but I cannot get it working. I have configured EasyVPN with CCP and also with the CLI. I had both working perfectly, except for the most important thing. I can connect with the Cisco VPN client to the router, but I'm not able to connect to or even ping a system inside the remote network. My laptop gets an IP address from the address pool of the router. I really hope someone can help me before my manager loses his patience :-)

Here is my config. (Before someone mentions it: I have to clean up my config a bit... I mean, look at the ACLs.)

Current configuration : 13939 bytes
!
! Last configuration change at 12:26:53 UTC Thu Jan 9 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 10240
logging console critical
enable secret 4 ********
!
aaa new-model
!
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
aaa session-id common
no process cpu extended history
!
crypto pki trustpoint TP-self-signed-********
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-********
 revocation-check none
 rsakeypair TP-self-signed-********
!
crypto pki certificate chain TP-self-signed-********
 certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303239 34303934 3438301E 170D3133 30343032 30353436
  31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30323934
  30393434 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100B9C3 F8E6BD43 3351D861 68398114 D31AACC1 CE16CDDA 7F0876BC 6E55EA3C
  5F258D90 20FC882D 42C90257 92DB9113 B461DD81 4080153F 6AE041AD E5BDDF7E
  7C21BD1B 35F05CCB F6D34A4D 6B04C309 F39D8426 865E2BFE 9E8051F2 6F411A49
  D71FBF0C 1AC85BEE 355563FB 2353D0C7 28D49071 840AF99B AF59D768 FCDCDF03
  94FF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 145ACD47 89D51095 70BE5400 595E826A 6A9E5E95 71301D06
  03551D0E 04160414 5ACD4789 D5109570 BE540059 5E826A6A 9E5E9571 300D0609
  2A864886 F70D0101 05050003 8181003B 1988FFCD 93112A99 707B7AD8 B56A08C0
  C274B974 B076AA19 BAFCC868 F118AE7D 4D8A55E2 42D8F9A9 9D617093 7EF6D459
  6BC0A990 BF5AF3E8 8E7F2787 41F4BFE2 65A1A3B0 D726033A 47A24D29 159ABF92
  16DBCF5C EC6602C2 E6137C0B C1FC7125 37E9CE49 82B45E18 FAB31A36 990BB3BC
  30D9EE8E 8B0A9F7C DC0B6C2B FA2740
  quit
no ip source-route
ip cef
!
no ip bootp server
ip name-server ********
ip name-server ********
no ipv6 cef
!
parameter-map type protocol-info yahoo-servers
 server name scs.msg.yahoo.com
 server name scsa.msg.yahoo.com
 server name scsb.msg.yahoo.com
 server name scsc.msg.yahoo.com
 server name scsd.msg.yahoo.com
 server name cs16.msg.dcn.yahoo.com
 server name cs19.msg.dcn.yahoo.com
 server name cs42.msg.dcn.yahoo.com
 server name cs53.msg.dcn.yahoo.com
 server name cs54.msg.dcn.yahoo.com
 server name ads1.vip.scd.yahoo.com
 server name radio1.launch.vip.dal.yahoo.com
 server name in1.msg.vip.re2.yahoo.com
 server name data1.my.vip.sc5.yahoo.com
 server name address1.pim.vip.mud.yahoo.com
 server name edit.messenger.yahoo.com
 server name messenger.yahoo.com
 server name http.pager.yahoo.com
 server name privacy.yahoo.com
 server name csa.yahoo.com
 server name csb.yahoo.com
 server name csc.yahoo.com
parameter-map type protocol-info msn-servers
 server name messenger.hotmail.com
 server name gateway.messenger.hotmail.com
 server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
 server name login.oscar.aol.com
 server name toc.oscar.aol.com
 server name oam-d09a.blue.aol.com
multilink bundle-name authenticated
!
license udi pid C3900-SPE100/K9 sn ********
!
username admin privilege 15 secret 4 ********
username guido privilege 15 secret 4 ********
!
redundancy
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect imap match-any ccp-app-imap
 match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
 match protocol edonkey signature
 match protocol gnutella signature
 match protocol kazaa2 signature
 match protocol fasttrack signature
 match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-2
 match access-group 102
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
class-map type inspect smtp match-any ccp-app-smtp
 match data-length gt 5000000
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
 match protocol ymsgr yahoo-servers
 match protocol msnmsgr msn-servers
 match protocol aol aol-servers
class-map type inspect match-all ccp-protocol-pop3
 match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol dns
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol tcp
 match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
 match invalid-command
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-imap
 match protocol imap
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
class-map type inspect match-all ccp-protocol-smtp
 match protocol smtp
class-map type inspect match-all ccp-protocol-http
 match protocol http
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
 match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-protocol-im
 match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
!
policy-map type inspect pop3 ccp-action-pop3
 class type inspect pop3 ccp-app-pop3
  log
  reset
policy-map type inspect smtp ccp-action-smtp
 class type inspect smtp ccp-app-smtp
  reset
policy-map type inspect ccp-pol-outToIn
 class type inspect ccp-protocol-http
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--1-2
  inspect
 class class-default
  drop log
policy-map type inspect imap ccp-action-imap
 class type inspect imap ccp-app-imap
  log
  reset
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-protocol-smtp
  inspect
  service-policy smtp ccp-action-smtp
 class type inspect ccp-protocol-imap
  inspect
  service-policy imap ccp-action-imap
 class type inspect ccp-protocol-pop3
  inspect
  service-policy pop3 ccp-action-pop3
 class type inspect ccp-protocol-p2p
  drop log
 class type inspect ccp-protocol-im
  drop log
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class class-default
  pass
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group jmgvpn
 key ****
 pool SDM_POOL_1
 include-local-lan
 max-users 10
 netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
 match identity group jmgvpn
 client authentication list ciscocp_vpn_xauth_ml_1
 isakmp authorization list ciscocp_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
interface Null0
 no ip unreachables
!
interface Embedded-Service-Engine0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
!
interface GigabitEthernet0/0
 description JMG$FW_INSIDE$
 ip address 10.0.14.*** 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 glbp 10 ip 10.0.14.***
 glbp 10 authentication text JMG
 glbp 10 forwarder preempt delay minimum 100
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/1
 description Cloud$ETH-LAN$$FW_INSIDE$
 ip address 10.3.15.*** 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled
!
interface GigabitEthernet0/2
 description Internet (Only in use on R01)$FW_OUTSIDE$$ETH-WAN$
 ip address 46.144.***.*** 255.255.255.240
 no ip redirects
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 duplex auto
 speed auto
 media-type rj45
 no mop enabled
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.10
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/2 overload
ip nat inside source list 11 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.0.14.*** 443 interface GigabitEthernet0/2 443
ip nat inside source static tcp 10.0.14.*** 80 interface GigabitEthernet0/2 80
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 permanent
ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/1 permanent
ip route 10.1.14.*** 255.255.255.0 10.0.14.*** permanent
!
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.3.15.24 0.0.0.3
access-list 1 permit 10.0.14.0 0.0.0.255
access-list 1 deny any
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.5.14.0 0.0.0.255
access-list 3 permit 10.0.14.0 0.0.0.255
access-list 5 remark CCP_ACL Category=2
access-list 5 permit 10.0.14.0 0.0.0.255
access-list 6 remark CCP_ACL Category=2
access-list 6 permit 10.0.14.0 0.0.0.255
access-list 7 remark CCP_ACL Category=2
access-list 7 permit 10.0.14.0 0.0.0.255
access-list 8 remark CCP_ACL Category=2
access-list 8 permit 10.0.14.0 0.0.0.255
access-list 9 remark CCP_ACL Category=2
access-list 9 permit 10.0.14.0 0.0.0.255
access-list 10 remark CCP_ACL Category=2
access-list 10 permit 10.0.14.0 0.0.0.255
access-list 11 remark CCP_ACL Category=2
access-list 11 permit 10.0.14.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.253.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.0.14.153
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.0.14.173
no cdp run
!
control-plane
!
banner login ^CCCPlease login. Or leave if you have no right to be here.^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 20000 1000
scheduler interval 500
!
end
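Editor's note, added here as a worked example and not part of the original post or its author's config. One thing that stands out in the config as posted: the zone-based firewall has `in-zone` and `out-zone`, but `interface Virtual-Template1` (and therefore every Virtual-Access interface the Easy VPN clients are cloned onto) is in no zone at all. In IOS ZBF, an interface that belongs to no zone cannot exchange traffic with an interface that belongs to a zone (only the `self` zone is exempt), so traffic from the 192.168.1.x client addresses arriving on the tunnel and destined for 10.0.14.0/24 on `in-zone` is dropped before routing or NAT ever matter. The fragment below shows one way to fix that without loosening the existing policy: a dedicated zone for the VPN tunnel, a stateful zone pair towards `in-zone`, and the zone membership on the template so the cloned interfaces inherit it. The names `vpn-zone`, `vpn-cls-traffic`, `vpn-to-in-policy`, `ccp-zp-vpn-in` and `ccp-zp-in-vpn` are assumptions chosen for this example; everything else is taken from the posted config.

```cisco
! Added example (assumed names), not from the original post.
! Goal: let Easy VPN clients on Virtual-Template1 reach hosts on in-zone.

! Traffic the VPN clients may initiate towards the LAN; keep it to what you need.
class-map type inspect match-any vpn-cls-traffic
 match protocol icmp
 match protocol tcp
 match protocol udp
!
policy-map type inspect vpn-to-in-policy
 class type inspect vpn-cls-traffic
  inspect
 class class-default
  drop log
!
! Dedicated zone for the IPsec tunnel interfaces.
zone security vpn-zone
!
! VPN clients -> LAN. "inspect" is stateful, so replies from the LAN
! are allowed back without a separate pass rule.
zone-pair security ccp-zp-vpn-in source vpn-zone destination in-zone
 service-policy type inspect vpn-to-in-policy
!
! LAN -> VPN clients. Only needed if LAN hosts must open sessions
! towards the clients (e.g. management of the laptop); omit otherwise.
zone-pair security ccp-zp-in-vpn source in-zone destination vpn-zone
 service-policy type inspect vpn-to-in-policy
!
! Zone membership on the template is inherited by each cloned
! Virtual-Access interface that a connecting client lands on.
interface Virtual-Template1 type tunnel
 zone-member security vpn-zone
```

The simpler alternative is `zone-member security in-zone` on `Virtual-Template1`, since ZBF permits traffic between two interfaces in the same zone by default; that works, but it makes the VPN clients indistinguishable from the LAN for policy purposes, which is why the example uses a separate zone. Two further points follow from the posted config and not from any assumption: the client group `jmgvpn` has no split-tunnel ACL, so clients send all traffic through the tunnel, and a `vpn-zone` to `out-zone` pair plus a NAT statement covering the 192.168.1.0 pool would be needed before they get Internet access through the router (ACLs 10 and 11 only match 10.0.14.0/24); and the vty lines reference `access-class 23 in` while no ACL 23 appears in the config, and an `access-class` that names a non-existent ACL restricts nothing. To check the fix, confirm the client session is up with `show crypto session`, that a host route for the client's pool address points at a Virtual-Access interface in `show ip route`, that the new pair appears in `show zone-pair security`, and that a ping from the client creates an entry in `show policy-map type inspect zone-pair ccp-zp-vpn-in sessions`.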