05-31-2014 06:04 AM - edited 02-21-2020 07:40 PM
Hello,
I have configured an IPsec VPN on my Cisco 3845. The problem I have is that I can successfully connect to the VPN from my mobile phone, I get a LAN IP, but I can't ping any other IP on the LAN.
Below is my configuration file!
Please NOTE: GigabitEthernet is my LAN (IP 192.168.1.1)
ATM0/0/0 is my WAN.
Thank you very much!
!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
parameter-map type urlfpolicy trend cprepdenyregex0
parameter-map type urlf-glob cpaddbnwlocparadeny0
pattern in.gr
!
password encryption aes
voice-card 0
!
username admin privilege 15 password 0 XXXXX
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN-NO-SPLIT
key 6 CF_fNATQbIhXTAea\Kg[fgd`KbQCcJL`bDUZ
dns 195.170.0.1 195.170.2.2
pool VPN-POOL-2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto dynamic-map DYN-MAP 10
set transform-set VPN
!
!
crypto map VPNMAP client authentication list VPN-USERS-AUTHENTICATION
crypto map VPNMAP isakmp authorization list VPN-USERS-AUTHORIZATION
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYN-MAP
!
crypto ctcp
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--7-1
match access-group 101
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--4-2
match access-group 101
match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
match access-group 101
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
match access-group 101
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
match access-group 101
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any pptp
match protocol pptp
match class-map SDM_GRE
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 101
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 101
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-2
match access-group 102
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
match protocol user-protocol--1
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-any pptp-in
match protocol pptp
match class-map SDM_GRE
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
match class-map pptp-in
match access-group name any2
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-all sdm-nat-user-protocol--9-1
match access-group 101
match protocol user-protocol--9
class-map type inspect match-any pptp_vpn
match protocol pptp
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-3
match class-map pptp_vpn
match access-group name pptp_vpn
class-map type inspect match-all sdm-nat-user-protocol--8-1
match access-group 101
match protocol user-protocol--8
class-map type inspect match-any AllPackets
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-2
match class-map AllPackets
match access-group name anyTCP
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
match access-group 105
class-map type urlfilter match-any cpaddbnwlocclassdeny0
match server-domain urlf-glob cpaddbnwlocparadeny0
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type urlfilter trend match-any cpcatdenyclass0
match url category Adult-Mature-Content
match url category Gambling
match url category Gay-Lesbian
class-map type inspect match-all sdm-nat-user-protocol--15-2
match access-group 101
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--14-3
match access-group 101
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--16-1
match access-group 101
match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--14-2
match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--17-1
match access-group 101
match protocol user-protocol--17
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--14-1
match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--15-1
match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--12-1
match access-group 101
match protocol user-protocol--12
class-map type inspect match-all sdm-nat-user-protocol--21-1
match access-group 101
match protocol user-protocol--21
class-map type inspect match-all sdm-nat-user-protocol--20-1
match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--13-1
match access-group 101
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--10-1
match access-group 101
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--20-2
match access-group 101
match protocol user-protocol--20
class-map type inspect match-all sdm-nat-user-protocol--11-1
match access-group 101
match protocol user-protocol--11
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
match access-group name admin
class-map type inspect match-all sdm-nat-user-protocol--18-1
match access-group 101
match protocol user-protocol--18
class-map type inspect match-all sdm-nat-user-protocol--19-1
match access-group 101
match protocol user-protocol--19
class-map type inspect match-any vpn-in
match protocol pptp
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ipsec
match protocol gdoi
match protocol ipsec-msft
match protocol isakmp
match protocol ssp
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-cls-ccp-permit-2
match class-map ipsec
match access-group name ipsec
class-map type inspect match-all ccp-cls-ccp-permit-1
match class-map pptp
match access-group name any
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all sdm-nat-x11-1
match access-group 101
match protocol x11
class-map type inspect match-any https
match protocol https
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all sdm-nat-ssh-1
match access-group 102
match protocol ssh
class-map type inspect match-all sdm-nat-vdolive-1
match access-group 101
match protocol vdolive
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-any dns
match protocol dns
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-ssh-1
inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-2
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-x11-1
inspect
class type inspect sdm-nat-vdolive-1
inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1
inspect
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-3
pass
class type inspect sdm-nat-user-protocol--4-2
inspect
class type inspect sdm-nat-user-protocol--5-1
inspect
class type inspect sdm-nat-user-protocol--6-1
inspect
class type inspect sdm-nat-user-protocol--7-1
inspect
class type inspect sdm-nat-user-protocol--8-1
inspect
class type inspect sdm-nat-user-protocol--9-1
inspect
class type inspect sdm-nat-user-protocol--10-1
inspect
class type inspect sdm-nat-user-protocol--11-1
inspect
class type inspect sdm-nat-user-protocol--12-1
inspect
class type inspect sdm-nat-user-protocol--13-1
inspect
class type inspect sdm-nat-user-protocol--14-3
inspect
class type inspect sdm-nat-user-protocol--15-2
inspect
class type inspect sdm-nat-user-protocol--16-1
inspect
class type inspect sdm-nat-user-protocol--17-1
inspect
class type inspect sdm-nat-user-protocol--18-1
inspect
class type inspect sdm-nat-user-protocol--19-1
inspect
class type inspect sdm-nat-http-2
inspect
class type inspect sdm-nat-user-protocol--20-2
inspect
class type inspect sdm-nat-user-protocol--21-1
inspect
class class-default
drop log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-cls-ccp-inspect-1
inspect
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_REMOTE_PT
pass
class type inspect ccp-cls-ccp-permit-2
pass
class type inspect vpn-in
pass
class class-default
drop
policy-map type inspect urlfilter tight
parameter type urlfpolicy trend cprepdenyregex0
class type urlfilter cpaddbnwlocclassdeny0
reset
log
class type urlfilter trend cpcatdenyclass0
reset
log
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class class-default
drop log
!
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
!
interface GigabitEthernet0/0
description $ETH-WAN$$FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip flow ingress
ip flow egress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
duplex auto
speed auto
media-type rj45
!
interface GigabitEthernet0/1
no ip address
shutdown
duplex auto
speed auto
media-type rj45
!
interface ATM0/0/0
no ip address
no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface Virtual-Template1
ip unnumbered GigabitEthernet0/0
ip mtu 1492
zone-member security ezvpn-zone
ip tcp adjust-mss 1360
load-interval 30
peer default ip address pool defaultpool
no keepalive
ppp mtu adaptive
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
ppp authorization auth
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname XXXX@otenet.gr
ppp chap password 0 k-XXXXX
ppp pap sent-username XXXXXotenet.gr password 0 XXXXX
crypto map VPNMAP
!
ip local pool VPN-POOL-2 192.168.1.110 192.168.1.115
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
ip http server
ip http access-class 3
ip http secure-server
!
!
ip nat inside source static tcp 192.168.1.6 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.6 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.6 6000 interface Dialer0 6000
ip nat inside source static tcp 192.168.1.6 7000 interface Dialer0 7000
ip nat inside source static tcp 192.168.1.6 8003 interface Dialer0 8003
ip nat inside source static tcp 192.168.1.6 8030 interface Dialer0 8030
ip nat inside source static tcp 192.168.1.6 8060 interface Dialer0 8060
ip nat inside source static tcp 192.168.1.6 81 interface Dialer0 81
ip nat inside source static tcp 192.168.1.6 8200 interface Dialer0 8200
ip nat inside source static tcp 192.168.1.6 8300 interface Dialer0 8300
ip nat inside source static tcp 192.168.1.6 8302 interface Dialer0 8302
ip nat inside source static tcp 192.168.1.6 8886 interface Dialer0 8886
ip nat inside source static tcp 192.168.1.6 4899 interface Dialer0 4899
ip nat inside source static udp 192.168.1.6 4899 interface Dialer0 4899
ip nat inside source static udp 192.168.1.6 8300 interface Dialer0 8300
ip nat inside source static udp 192.168.1.6 8200 interface Dialer0 8200
ip nat inside source static udp 192.168.1.6 8003 interface Dialer0 8003
ip nat inside source static udp 192.168.1.6 8060 interface Dialer0 8060
ip nat inside source static udp 192.168.1.6 80 interface Dialer0 80
ip nat inside source static udp 192.168.1.6 8030 interface Dialer0 8030
ip nat inside source static udp 192.168.1.6 81 interface Dialer0 81
ip nat inside source static udp 192.168.1.6 8302 interface Dialer0 8302
ip nat inside source static udp 192.168.1.6 8886 interface Dialer0 8886
ip nat inside source static tcp 192.168.1.2 80 interface Dialer0 60613
ip nat inside source static udp 192.168.1.6 7000 interface Dialer0 7000
ip nat inside source static udp 192.168.1.6 6000 interface Dialer0 6000
ip nat inside source static tcp 192.168.1.2 22 interface Dialer0 53533
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended NAT
deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended NAT-ACL
remark CCP_ACL Category=16
deny ip any host 192.168.1.110
deny ip any host 192.168.1.111
deny ip any host 192.168.1.112
deny ip any host 192.168.1.113
deny ip any host 192.168.1.114
deny ip any host 192.168.1.115
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
ip access-list extended admin
remark CCP_ACL Category=128
permit ip host 192.168.1.10 any
permit ip host 192.168.1.7 any
ip access-list extended any
remark CCP_ACL Category=128
permit ip any any
ip access-list extended any2
remark CCP_ACL Category=128
permit ip any any
ip access-list extended anyTCP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended ipsec
remark CCP_ACL Category=128
permit ip any any
ip access-list extended pptp_vpn
remark CCP_ACL Category=128
permit ip any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.6
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.2
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 103 deny tcp any host 192.168.1.1 eq telnet
access-list 103 deny tcp any host 192.168.1.1 eq 22
access-list 103 deny tcp any host 192.168.1.1 eq www
access-list 103 deny tcp any host 192.168.1.1 eq 443
access-list 103 deny tcp any host 192.168.1.1 eq cmd
access-list 103 deny udp any host 192.168.1.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host 79.129.45.176 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address NAT-ACL
!
!
!
control-plane
!
!
!
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
end
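Added example, not part of the post or of any Cisco tool: a small Python audit that reads an IOS running-config and answers three questions a reviewer would ask of the one above. Does the IPsec client pool sit inside the LAN interface's subnet, is every pool address exempted from the overload NAT by NAT-ACL, and what does the inspect policy on the out-zone to in-zone zone-pair do with traffic no class matched? The config excerpt is condensed from the post and the function names are this example's own.

```python
import ipaddress
import re

# Excerpt of the running-config posted above, condensed to the lines this audit
# reads (constructed from the post; indentation restored as "show run" prints it,
# because the parser uses it to find section boundaries).
CONFIG = """\
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
ip local pool VPN-POOL-2 192.168.1.110 192.168.1.115
ip access-list extended NAT-ACL
 deny ip any host 192.168.1.110
 deny ip any host 192.168.1.111
 deny ip any host 192.168.1.112
 deny ip any host 192.168.1.113
 deny ip any host 192.168.1.114
 deny ip any host 192.168.1.115
 permit ip 192.168.1.0 0.0.0.255 any
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class class-default
  drop log
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
"""

def section(cfg, header):
    """Stripped indented lines that follow an exact top-level header line."""
    lines = cfg.splitlines()
    body = []
    for line in lines[lines.index(header) + 1:]:  # ValueError if header is absent
        if not line.startswith(" "):
            break
        body.append(line.strip())
    return body

def local_pool(cfg, name):
    m = re.search(rf"^ip local pool {re.escape(name)} (\S+) (\S+)$", cfg, re.M)
    return ipaddress.ip_address(m.group(1)), ipaddress.ip_address(m.group(2))

def pool_in_lan(cfg, pool, ifname):
    """True when every pool address lies inside the interface's own subnet."""
    start, end = local_pool(cfg, pool)
    addr, mask = re.search(r"ip address (\S+) (\S+)", " ".join(section(cfg, f"interface {ifname}"))).groups()
    lan = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return start in lan and end in lan

def pool_hosts_not_nat_exempt(cfg, acl, pool):
    """Pool addresses with no 'deny ip any host' in the NAT ACL (replies to them would be NATed)."""
    start, end = local_pool(cfg, pool)
    acl_text = "\n".join(section(cfg, f"ip access-list extended {acl}"))
    exempt = {ipaddress.ip_address(h) for h in re.findall(r"deny ip any host (\S+)", acl_text)}
    return [str(ipaddress.ip_address(a)) for a in range(int(start), int(end) + 1) if ipaddress.ip_address(a) not in exempt]

def zone_pair_default_action(cfg, src, dst):
    """Action applied to src->dst traffic that matched no class; None when no zone-pair exists (ZBF then drops)."""
    pair = re.search(rf"^zone-pair security \S+ source {src} destination {dst}$", cfg, re.M)
    if not pair:
        return None
    pmap = section(cfg, pair.group(0))[0].split()[-1]   # policy-map name from service-policy line
    body = section(cfg, f"policy-map type inspect {pmap}")
    return body[body.index("class class-default") + 1]
```

Traffic decrypted on Dialer0 enters the zone-based firewall from out-zone, so the out-zone to in-zone pair's class-default action is the one to read when client-to-LAN packets go missing.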