Easy VPN connects but no traffic

cg1network
Level 1

I have set up an Easy VPN server on a Cisco 887VA router for an iPad and iPhone to connect.

The VPN connects and the client gets an IP address; both sides are sending packets, but nothing is being received at either end.

Here is the config:

version 15.1
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname VDSL-Router
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_3 local
aaa authorization network ciscocp_vpn_group_ml_4 local
!
!
!
!
!
aaa session-id common
!
memory-size iomem 10
crypto pki token default removal timeout 0
!
!
ip source-route
!
!
!
!
!
ip cef
no ip bootp server
ip host ***********************************
ip host **********************************
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 208.67.222.222
no ipv6 cef
!
!
multilink bundle-name authenticated
vpdn enable
!
!
license udi pid CISCO887VA-M-K9 sn FCZ***********
license boot module c880-data level advipservices
!
!
username ****** privilege 15 secret **********************
!
!
!
!
controller VDSL 0
 operating mode vdsl2
!
ip tcp synwait-time 10
!
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map match-any hidata
 match access-group name hidata
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map match-any Hi-data
 match access-group name hidata
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any vpn
 match protocol isakmp
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map vpn
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map CCP-QoS-Policy-1
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map CCP-QoS-Policy-2
 class hidata
  bandwidth percent 75
 class class-default
  fair-queue
  random-detect
policy-map CCP-QoS-Policy-3
 class Hi-data
  priority percent 75
 class class-default
  fair-queue
policy-map sdm-qos-test-123
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
policy-map type inspect ccp-permit
 class type inspect ccp-cls-ccp-permit-1
  pass
 class class-default
  drop
policy-map type inspect ccp-pol-outToIn
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
 service-policy type inspect ccp-pol-outToIn
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in2 source ezvpn-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
!
crypto ctcp
!
crypto isakmp policy 1
 encr aes 256
 authentication pre-share
 group 2
!
crypto isakmp client configuration group Remote
 key test
 dns 8.8.8.8
 domain ***************
 pool SDM_POOL_1
 save-password
crypto isakmp profile ciscocp-ike-profile-1
   match identity group Remote
   client authentication list ciscocp_vpn_xauth_ml_3
   isakmp authorization list ciscocp_vpn_group_ml_4
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set iPhone esp-aes 256 esp-sha-hmac
no crypto ipsec nat-transparency udp-encapsulation
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set iPhone
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
 description $FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 zone-member security in-zone
!
interface Ethernet0
 description $ETH-WAN$
 no ip address
 ip flow ingress
 ip tcp adjust-mss 1412
 pppoe-client dial-pool-number 1
!
interface ATM0
 no ip address
 ip flow ingress
 shutdown
 no atm ilmi-keepalive
 pvc 0 0/38
 !
!
interface FastEthernet0
 no ip address
!
interface FastEthernet1
 no ip address
!
interface FastEthernet2
 no ip address
!
interface FastEthernet3
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 ip nat inside
 ip virtual-reassembly in
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description LAN$FW_INSIDE$
 ip address 10.0.0.10 255.0.0.0
 ip flow ingress
 ip nat inside
 ip virtual-reassembly in
 zone-member security in-zone
 ip tcp adjust-mss 1412
!
interface Dialer1
 description Dialer interface for VDSL$FW_OUTSIDE$
 mtu 1492
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nbar protocol-discovery
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 zone-member security out-zone
 encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap callin
 ppp chap hostname **********dsl.net
 ppp chap password 0 ***********
 ppp ipcp address accept
 no cdp enable
!
ip local pool SDM_POOL_1 192.168.10.1 192.168.10.250
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list nat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended hidata
 remark CCP_ACL Category=256
 permit ip 10.6.0.0 0.0.255.255 any
ip access-list extended nat
 remark CCP_ACL Category=18
 deny   ip 0.0.0.0 255.0.0.0 0.0.0.0 255.255.255.0
 permit ip 10.0.0.0 0.255.255.255 any
!
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 102 remark CCP_ACL Category=1
access-list 102 permit tcp any any eq 10000
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp any any eq 10000
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any any eq 10000
access-list 106 remark CCP_ACL Category=1
access-list 106 permit tcp any any eq 10000
access-list 107 remark CCP_ACL Category=1
access-list 107 permit tcp any any eq 10000
access-list 108 remark CCP_ACL Category=1
access-list 108 permit tcp any any eq 10000
access-list 109 remark CCP_ACL Category=1
access-list 109 permit tcp any any eq 10000
access-list 110 remark CCP_ACL Category=1
access-list 110 permit tcp any any eq 10000
!
!
!
!
!
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 transport input telnet
! 4000 1000
scheduler interval 500
ntp update-calendar
ntp server 129.6.15.28 source Dialer1
ntp server 129.6.15.29 prefer source Dialer1
end


nitin mohan
Level 1

I think the NAT exception is missing:

you need to deny the internal traffic before it gets NATted on the outside interface.
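To show concretely what the NAT exemption in the reply changes, here is an added Python evaluator for the router's "nat" ACL (example code, not from the poster, the reply or Cisco). It applies IOS wildcard-mask matching to constructed flows from a LAN host 10.0.0.50 to a VPN client 192.168.10.20 and to 8.8.8.8: the posted deny line's wildcards (255.0.0.0 and 255.255.255.0) only match addresses whose remaining octets are zero, so LAN-to-client traffic still reaches the permit and is translated, while a deny of 10.0.0.0/8 to the 192.168.10.0/24 pool placed before the permit exempts it.

```python
import ipaddress

# Constructed sample input: the router's "nat" ACL exactly as posted, and the
# same ACL with the exemption the reply describes, i.e. a deny for LAN
# (10.0.0.0/8) to the Easy VPN pool (192.168.10.0/24) placed before the permit.
ACL_AS_POSTED = """
deny   ip 0.0.0.0 255.0.0.0 0.0.0.0 255.255.255.0
permit ip 10.0.0.0 0.255.255.255 any
"""
ACL_WITH_EXEMPTION = """
deny   ip 10.0.0.0 0.255.255.255 192.168.10.0 0.0.0.255
permit ip 10.0.0.0 0.255.255.255 any
"""

def _parse_addr(tokens):
    """Consume one IOS address spec: 'any', 'host A' or 'A WILDCARD'."""
    if tokens[0] == "any":
        return 0, 0xFFFFFFFF, tokens[1:]
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, tokens[2:]
    base, wildcard = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    return base, wildcard, tokens[2:]

def parse_acl(text):
    """Turn IOS extended-ACL lines into (action, proto, src, swc, dst, dwc)."""
    entries = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if not tokens or tokens[0] == "remark":
            continue
        src, swc, rest = _parse_addr(tokens[2:])
        dst, dwc, _ = _parse_addr(rest)
        entries.append((tokens[0], tokens[1], src, swc, dst, dwc))
    return entries

def _matches(addr, base, wildcard):
    # IOS wildcard semantics: a 1 bit is "don't care", a 0 bit must equal base.
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0

def nat_decision(acl_text, src_ip, dst_ip):
    """'translate' if the flow hits a permit, 'exempt' on a deny or implicit deny."""
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    for action, proto, base_s, wc_s, base_d, wc_d in parse_acl(acl_text):
        if proto == "ip" and _matches(src, base_s, wc_s) \
                and _matches(dst, base_d, wc_d):
            return "translate" if action == "permit" else "exempt"
    return "exempt"  # every IOS ACL ends with an implicit deny
```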