Hi,

i'm just a beginner in cisco ios, and i've just configured a 867 for wan access via adsl. Now i'm trying to connect to the 867 via a ipsec vpn with a remote client (i.e. a macbook) , and it works ok. But when connected, i can't ping devices nor connect to any remote resource.

The problem - i think - relies on how i configured the ACL rules, but can't understand where i did mistake...

I'm posting below my config:

version 15.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxx
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging exception 100000
logging count
logging userinfo
logging queue-limit 10000
logging buffered 150000 notifications
logging console critical
enable secret 4 xxxx
enable password 7 xxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
!         
!         
!         
!         
!         
aaa session-id common
wan mode dsl
clock timezone MET 1 0
clock summer-time MEDT recurring last Sun Mar 2:00 last Sun Oct 3:00
no ip source-route
no ip gratuitous-arps
ip icmp rate-limit unreachable 1000
!         
!         
!         
ip dhcp excluded-address 192.168.1.1 192.168.1.10
ip dhcp excluded-address 192.168.1.90 192.168.1.209
ip dhcp excluded-address 192.168.1.211 192.168.1.254
!         
ip dhcp pool pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.254
dns-server 208.67.222.222 4.4.4.4 208.67.220.220 8.8.8.8
domain-name xyz.local
!         
ip dhcp pool static
host 192.168.1.210 255.255.255.0
client-identifier 01c4.xxxx.xxxx.e0
default-router 192.168.1.254
dns-server 208.67.222.222 4.4.4.4 208.67.220.220 8.8.8.8
domain-name xyz.local
!         
!         
!         
ip inspect log drop-pkt
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 300
ip inspect hashtable-size 2048
ip inspect tcp synwait-time 20
ip inspect tcp max-incomplete host 300 block-time 60
ip inspect name IDS tcp
ip inspect name IDS udp
ip inspect name IDS ftp
no ip domain lookup
ip domain name xyz.local
ip name-server 4.4.4.4
ip name-server 8.8.8.8
ip ddns update method dyndns
HTTP     
  add http://xxxxxx@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 1 0 0 0
!         
ip cef   
login block-for 60 attempts 3 within 30
no ipv6 cef
!         
parameter-map type inspect global
log dropped-packets enable
max-incomplete low 18000
max-incomplete high 20000
!         
!         
!         
!         
!         
!         
!         
!         
!         
crypto pki trustpoint TP-self-signed-230161162
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-230161162
revocation-check none
rsakeypair TP-self-signed-230161162
!         
!         
crypto pki certificate chain TP-self-signed-230161162
certificate self-signed 01
  30820D29 30820192 A0030201 02020001 300X0609 2A864886 F70D0101 05070030 
  9BBC8790 8B6E9CD5 C84J3ACA 3D
        quit
!         
!         
archive   
log config
  hidekeys
username xxx privilege 15 password 7 xxx
username xxxx secret 5 xxx
!         
!         
controller VDSL 0
!         
ip tcp selective-ack
ip tcp window-size 2144
ip tcp synwait-time 10
!         
!         
!         
!         
!         
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2 
!         
crypto isakmp client configuration group CCLIENT-VPN
key xxxxx
dns 4.4.4.4
domain xyz.local
pool VPN-Pool
acl 120 
max-users 1
crypto isakmp profile vpn-ike-profile-1
   match identity group CCLIENT-VPN
   client authentication list vpn_xauth_ml_1
   isakmp authorization list vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!         
!         
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!         
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!         
!         
!         
!         
!         
!         
!         
interface Null0
no ip unreachables
!         
interface ATM0
description LINEA ADSL
no ip address
ip access-group 131 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no ip route-cache
no atm ilmi-keepalive
pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!       
!         
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
shutdown
!         
interface FastEthernet0
no ip address
!         
interface FastEthernet1
no ip address
!         
interface FastEthernet2
no ip address
!         
interface FastEthernet3
no ip address
!         
interface GigabitEthernet0
no ip address
!         
interface GigabitEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
!         
interface Virtual-Template1
description TUNNEL IPSEC VPN
no ip address
!         
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!         
interface Vlan1
description CONNESSIONE LAN
ip address 192.168.1.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip accounting output-packets
ip flow ingress
ip nat inside
ip virtual-reassembly in
!         
interface Dialer0
description INTERNET ACCESS DIALER
ip ddns update hostname xxxx
ip ddns update dyndns
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
no ip virtual-reassembly in
encapsulation ppp
dialer pool 1
ppp authentication pap chap callin
ppp chap hostname xxxx
ppp chap password 7 0508030328431B5D
ppp pap sent-username xxxx password 7 15110E000X259E71
no cdp enable
!         
ip local pool VPN-Pool 192.168.1.211
ip forward-protocol nd
no ip http server
ip http authentication local
ip http secure-server
!         
!         
ip nat inside source list 100 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.200 4661 interface Dialer0 4661
ip nat inside source static tcp 192.168.1.200 4662 interface Dialer0 4662
ip nat inside source static udp 192.168.1.200 4672 interface Dialer0 4672
ip nat inside source static udp 192.168.1.200 4665 interface Dialer0 4665
ip nat inside source static tcp 192.168.1.200 22 interface Dialer0 2233
ip route 0.0.0.0 0.0.0.0 Dialer0
!         
!         
logging trap debugging
no cdp run
!         
access-list 100 remark *** ACL PER PAT E NAT0 ***
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 remark *** Deny NAT per VPN Clients ***
access-list 100 deny   ip 192.168.1.0 0.0.0.255 host 192.168.1.211
access-list 120 remark *** Cisco VPN SPLIT TUNNEL***
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 120 permit ip any host 192.168.1.211
access-list 131 remark *** ACL ANTI-SPOOFING ***
access-list 131 deny   ip host 0.0.0.0 any log
access-list 131 deny   ip 127.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 192.0.2.0 0.0.0.255 any log
access-list 131 deny   ip 224.0.0.0 31.255.255.255 any log
access-list 131 deny   ip 10.0.0.0 0.255.255.255 any log
access-list 131 deny   ip 172.16.0.0 0.15.255.255 any log
access-list 131 deny   ip 192.168.0.0 0.0.255.255 any log
access-list 131 remark *** ACL PER CONTROLLARE TRAFFICO ICMP ***
access-list 131 permit icmp any any echo
access-list 131 permit icmp any any echo-reply
access-list 131 permit icmp any any time-exceeded
access-list 131 permit icmp any any unreachable
access-list 131 permit icmp any any administratively-prohibited
access-list 131 permit icmp any any packet-too-big
access-list 131 permit icmp any any traceroute
access-list 131 deny   icmp any any
access-list 131 remark *** ACL VIRUS E ATTACCHI ***
access-list 131 deny   tcp any any eq 135
access-list 131 deny   udp any any eq 135
access-list 131 deny   udp any any eq netbios-ns
access-list 131 deny   udp any any eq netbios-dgm
access-list 131 deny   tcp any any eq 139
access-list 131 deny   udp any any eq netbios-ss
access-list 131 deny   tcp any any eq 445
access-list 131 deny   tcp any any eq 593
access-list 131 deny   tcp any any eq 2049
access-list 131 deny   udp any any eq 2049
access-list 131 deny   tcp any any eq 2000
access-list 131 deny   tcp any any range 6000 6010
access-list 131 deny   udp any any eq 1433
access-list 131 deny   udp any any eq 1434
access-list 131 deny   udp any any eq 5554
access-list 131 deny   udp any any eq 9996
access-list 131 deny   udp any any eq 113
access-list 131 deny   udp any any eq 3067
access-list 131 remark *** ACL PORTE EM ***
access-list 131 permit tcp any any eq 4661
access-list 131 permit tcp any any eq 4662
access-list 131 permit udp any any eq 4672
access-list 131 permit udp any any eq 4665
access-list 131 remark *** ACL ACCESSI NON AUTORIZZATI ***
access-list 131 deny   ip any any log
access-list 131 permit tcp any any eq 2233
!         
!         
!         
banner motd ^CC
****************************************************************
----------------------------------------------------------------
* ***      //////////  \\\\\\\\\\      ***   *
----------------------------------------------------------------
* *       
****************************************************************
^C       
!         
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
transport input telnet ssh
transport output telnet ssh
!         
scheduler max-task-time 5000
scheduler allocate 20000 1000
sntp server 193.204.114.232
sntp server 193.204.114.233
sntp server 193.204.114.105
!         
end