07-09-2012 02:52 AM
Hi,
I have configured an Easy VPN server on a Cisco 1905 ISR using CCP. The router was already configured with a zone-based firewall. With the VPN client I can reach only up to the internal interface of the router but can't access the LAN of my company. Do I need to change any configuration in the ZBF, since it is configured as 'deny any' from outside to inside? If so, what protocols do I need to match? Also, is there any NAT exemption for the VPN clients? Please help me out! Thanks in advance.
Please see my full configuration:
Router#sh run
Building configuration...
Current configuration : 8150 bytes
!
! Last configuration change at 05:40:32 UTC Wed Jul 4 2012 by
! NVRAM config last updated at 06:04:00 UTC Tue Jul 3 2012 by
! NVRAM config last updated at 06:04:00 UTC Tue Jul 3 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
ip name-server xxxxxxxxx
ip name-server yyyyyyyyy
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local TSQ-URL-FILTER
alert off
block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
pattern facebook.com
pattern *.facebook.com
parameter-map type urlf-glob YOUTUBE
pattern youtube.com
pattern *.youtube.com
parameter-map type urlf-glob CRICKET
pattern espncricinfo.com
pattern *.espncricinfo.com
parameter-map type urlf-glob CRICKET1
pattern webcric.com
pattern *.webcric.com
parameter-map type urlf-glob YAHOO
pattern *.yahoo.com
pattern yahoo.com
parameter-map type urlf-glob PERMITTEDSITES
pattern *
parameter-map type urlf-glob HOTMAIL
pattern hotmail.com
pattern *.hotmail.com
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2049533683
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2049533683
revocation-check none
rsakeypair TP-self-signed-2049533683
!
crypto pki trustpoint tti
revocation-check crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4966226213
certificate self-signed 01
3082022B 30820194 A0030201 02111101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43647274
69666963 6174652D 32303439 35323236 3833301E 170D3132 30363232 30363332
quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn xxxxxx
license boot module c1900 technology-package datak9
username xxxxxxx privilege 15 password 0 xxxxx
!
redundancy
!
!
!
!
!
class-map type inspect match-any tsq-inspection-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
match server-domain urlf-glob FACEBOOK
match server-domain urlf-glob YOUTUBE
match server-domain urlf-glob CRICKET
match server-domain urlf-glob CRICKET1
match server-domain urlf-glob HOTMAIL
class-map type urlfilter match-any PERMITTEDSITES
match server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
match class-map tsq-inspection-traffic
class-map type inspect match-all tsq-http
match protocol http
class-map type inspect match-any tsq-icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all tsq-invalid-src
match access-group 100
class-map type inspect match-all tsq-icmp-access
match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
log
reset
class type urlfilter PERMITTEDSITES
allow
log
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect tsq-icmp-access
inspect
class class-default
pass
policy-map type inspect IN-TO-OUT-POLICY
class type inspect tsq-invalid-src
drop log
class type inspect tsq-http
inspect
service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
inspect
class class-default
drop
policy-map type inspect OUT-TO-IN-POLICY
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
!
crypto ctcp port 10000
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp client configuration group vpntunnel
key xxxxxxx
pool SDM_POOL_1
include-local-lan
max-users 10
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpntunnel
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set TSQ-TRANSFORM esp-des esp-md5-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set TSQ-TRANSFORM
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE-FW-INSIDE
ip address 172.17.0.71 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERNET-FW-OUTSIDE
ip address xxxxxx yyyyyyy
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 172.17.0.11 172.17.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 yyyyyyyyy
ip route 192.168.1.0 255.255.255.0 172.17.0.6
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip yyyyyy yyyyyy any
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input rlogin ssh
!
scheduler allocate 20000 1000
end
07-09-2012 05:56 AM
A few things to modify:
1) The IP pool needs to be a unique subnet; it can't be the same subnet as your internal subnet.
2) Your NAT ACL 1 needs to be changed to an extended ACL so you can configure NAT exemption, so if your pool is reconfigured to be 10.10.10.0/24:
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source list 120 interface GigabitEthernet0/1 overload
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
3) The OUT to IN policy needs to include the VPN traffic:
access-list 121 permit ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255
class-map type inspect match-all vpn-access
match access-group 121
policy-map type inspect OUT-TO-IN-POLICY
class type inspect vpn-access
inspect
07-09-2012 09:32 PM
Hi Jennifer,
Thank you for your reply. I will let you know once I am done with the configuration.
Regards,
Tony
07-10-2012 06:45 AM
Hi Jennifer,
I have followed your suggestion and made the appropriate changes in my router configuration, but I am still facing the same problem. The tunnel is up but I can't ping any LAN devices. Could you please verify my complete configuration and give me a solution?
Router#sh run
Building configuration...
Current configuration : 8254 bytes
!
! Last configuration change at 12:45:16 UTC Tue Jul 10 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip name-server xxxxx
ip name-server xxxxx
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local TSQ-URL-FILTER
alert off
block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
pattern facebook.com
pattern *.facebook.com
parameter-map type urlf-glob YOUTUBE
pattern youtube.com
pattern *.youtube.com
parameter-map type urlf-glob CRICKET
pattern espncricinfo.com
pattern *.espncricinfo.com
parameter-map type urlf-glob CRICKET1
pattern webcric.com
pattern *.webcric.com
parameter-map type urlf-glob YAHOO
pattern *.yahoo.com
pattern yahoo.com
parameter-map type urlf-glob PERMITTEDSITES
pattern *
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2049683
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2049683
revocation-check none
rsakeypair TP-self-signed-2049683
!
crypto pki trustpoint tti
revocation-check crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2049522683
certificate self-signed 01
69D536DB 8306807D 35BC48C3 93A0C325 371F2C29 4FC5C66F 48B1400E 7DA4AFE7
9677F459 55DBD211 13F91FEE 8DFC9BB1 B1028F43 ACF7BD8A 1ACDA99B AA98A803
2E3F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14116334 EDBA37DF 0AF438D3 CDC3A13F 9BB5E485 90301D06
quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9
license boot module c1900 technology-package datak9
!
!
username xxxx privilege 15 password 0 xxx
username xxx privilege 10 password 0 xxxx
!
redundancy
!
!
!
!
!
class-map type inspect match-any tsq-inspection-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
match server-domain urlf-glob FACEBOOK
match server-domain urlf-glob YOUTUBE
match server-domain urlf-glob CRICKET
match server-domain urlf-glob CRICKET1
class-map type urlfilter match-any PERMITTEDSITES
match server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
match class-map tsq-inspection-traffic
class-map type inspect match-all vpn-access
match access-group 121
class-map type inspect match-all tsq-http
match protocol http
class-map type inspect match-any tsq-icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all tsq-invalid-src
match access-group 100
class-map type inspect match-all tsq-icmp-access
match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
log
reset
class type urlfilter PERMITTEDSITES
allow
log
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect tsq-icmp-access
inspect
class class-default
pass
policy-map type inspect IN-TO-OUT-POLICY
class type inspect tsq-invalid-src
drop log
class type inspect tsq-http
inspect
service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
inspect
class class-default
drop
policy-map type inspect OUT-TO-IN-POLICY
class type inspect vpn-access
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpntunnel
key xxxxxxxxxx
pool SDM_POOL_1
include-local-lan
max-users 20
netmask 255.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group vpntunnel
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE-FW-INSIDE
ip address 172.17.0.71 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERFACE-FW-OUTSIDE
ip address xxxxxxx yyyyyyy
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 yyyyyyyy
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxxxxx yyyyyy any
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input rlogin ssh
!
scheduler allocate 20000 1000
end
Please see the client statistics:
Regards,
Tony
07-10-2012 06:52 AM
Please add the following:
zone security VPN
interface Virtual-Template1 type tunnel
zone-member security VPN
policy-map type inspect VPN-TO-IN-POLICY
class type inspect vpn-access
inspect
zone-pair security VPN-TO-IN source VPN destination INSIDE
service-policy type inspect VPN-TO-IN-POLICY
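The following is an added worked example, not part of any post in this thread: the Easy VPN and zone-based firewall changes suggested in the answers above, pulled together into one applicable fragment using the numbers already in the thread (10.0.0.0/24 client pool, 172.17.0.0/16 LAN, ACLs 120 and 121, zones INSIDE, OUTSIDE and VPN). The verification commands at the end are standard IOS show commands; the pool size, ACL numbers and policy names are the thread's, everything else is assumed to sit on top of the CCP-generated VPN configuration.

```cisco
! Added example (editor's consolidation of the advice above, not taken from
! the poster's running config). Assumes the CCP-generated Easy VPN server
! (isakmp profile, ipsec profile, Virtual-Template1) is already in place.

! 1) Client pool on a subnet that does not overlap the 172.17.0.0/16 LAN
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20

! 2) NAT exemption: LAN -> VPN pool is left untranslated so replies reach
!    the clients through the tunnel; everything else from the LAN is PATed
!    out GigabitEthernet0/1. Remove the standard-ACL NAT rule first.
no ip nat inside source list 1 interface GigabitEthernet0/1 overload
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source list 120 interface GigabitEthernet0/1 overload

! 3) Firewall: the tunnel interface gets its own zone, and only pool -> LAN
!    traffic is inspected; the inspect state table then admits the replies,
!    so no reverse zone-pair is needed for LAN -> pool return traffic.
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
class-map type inspect match-all vpn-access
 match access-group 121
policy-map type inspect VPN-TO-IN-POLICY
 class type inspect vpn-access
  inspect
 class class-default
  drop
zone security VPN
zone-pair security VPN-TO-IN source VPN destination INSIDE
 service-policy type inspect VPN-TO-IN-POLICY
interface Virtual-Template1 type tunnel
 zone-member security VPN

! 4) Checks once a client has connected: IKE/IPsec up, packets counted in
!    both directions, the zone-pair present, sessions being inspected, and
!    no NAT translation created for LAN -> 10.0.0.0/24 traffic.
show crypto session detail
show crypto ipsec sa | include pkts|ident
show zone-pair security
show policy-map type inspect zone-pair VPN-TO-IN sessions
show ip nat translations | include 10.0.0.
```

Two caveats a practitioner would want alongside this. First, the ZBF default between two zones with no zone-pair is drop, so with Virtual-Template1 in its own VPN zone, LAN hosts cannot initiate connections to VPN clients and clients cannot reach the Internet through the tunnel unless an IN-TO-VPN or VPN-TO-OUT zone-pair (and, for the latter, a NAT rule covering 10.0.0.0/24) is added; the poster's eventual fix of placing Virtual-Template1 in INSIDE sidesteps all of this because traffic between interfaces of the same zone is not inspected, which also means VPN clients get exactly the same access as LAN hosts. Second, the first posted configuration carried a transform set of esp-des esp-md5-hmac and a bare `crypto isakmp policy 2`, which IOS fills in with its DES and RSA-signature defaults; the later configurations replaced these with 3DES/SHA-1, and any new deployment should go further (AES, SHA-2, a larger DH group) than either.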
07-10-2012 10:08 PM
Hello Jennifer,
Still the same problem persists. The tunnel is up and I can reach up to the LAN interface of my router. After that there is no reply! As you said, I have created the VPN zone and done the configuration. And one more thing: do I need to put any route for the VPN traffic? When I check ipconfig on the client machine, the IP address and default gateway seem to be the same. Expecting your continued support.
Please see the latest config:
Router#sh run
Building configuration...
Current configuration : 8514 bytes
!
! Last configuration change at 04:24:50 UTC Wed Jul 11 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip name-server xxxxxxx
ip name-server xxxxxxx
!
multilink bundle-name authenticated
!
parameter-map type urlfpolicy local TSQ-URL-FILTER
alert off
block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
pattern facebook.com
pattern *.facebook.com
parameter-map type urlf-glob YOUTUBE
pattern youtube.com
pattern *.youtube.com
parameter-map type urlf-glob CRICKET
pattern espncricinfo.com
pattern *.espncricinfo.com
parameter-map type urlf-glob CRICKET1
pattern webcric.com
pattern *.webcric.com
parameter-map type urlf-glob YAHOO
pattern *.yahoo.com
pattern yahoo.com
parameter-map type urlf-glob PERMITTEDSITES
pattern *
10798E30 68DF5F12 6639732D 37144D4A 1F9AB983 F543B4AB BEF54B04 2636038A
61B34F36 B0B59BFE 5EF35701 FDB0B8CB 99315C74 8B2D930E DBF1012F F46B083A
2C8F75C9 06DB66DE 225BCD7E B1982CA8 13821856 11FC0397 C7A73397 76DF5B10
EC2C4377 7A2F4413 C8A8718B 2CD720
quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn
license boot module c1900 technology-package datak9
!
!
username xxxxxxxxxxx privilege 15 password 0 xxxxxxxxxxxxxx
username xxxxxxxxx privilege 10 password 0 xxxxxxxxx
!
redundancy
!
!
!
!
!
class-map type inspect match-any tsq-inspection-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
match server-domain urlf-glob FACEBOOK
match server-domain urlf-glob YOUTUBE
match server-domain urlf-glob CRICKET
match server-domain urlf-glob CRICKET1
class-map type urlfilter match-any PERMITTEDSITES
match server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
match class-map tsq-inspection-traffic
class-map type inspect match-all vpn-access
match access-group 121
class-map type inspect match-all tsq-http
match protocol http
class-map type inspect match-any tsq-icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all tsq-invalid-src
match access-group 100
class-map type inspect match-all tsq-icmp-access
match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
log
reset
class type urlfilter PERMITTEDSITES
allow
log
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect tsq-icmp-access
inspect
class class-default
pass
policy-map type inspect VPN-TO-IN-POLICY
class type inspect vpn-access
inspect
class class-default
drop
policy-map type inspect IN-TO-OUT-POLICY
class type inspect tsq-invalid-src
drop log
class type inspect tsq-http
inspect
service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
inspect
class class-default
drop
policy-map type inspect OUT-TO-IN-POLICY
class type inspect vpn-access
inspect
class class-default
drop
!
zone security INSIDE
zone security OUTSIDE
zone security VPN
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
zone-pair security VPN-TO-IN source VPN destination INSIDE
service-policy type inspect VPN-TO-IN-POLICY
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpntunnel
key xxxxxxxxxxxxxxxx
pool SDM_POOL_1
include-local-lan
max-users 20
netmask 255.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group tsqvpntunnel
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE-FW-INSIDE
ip address 172.17.0.71 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERFACE-FW-OUTSIDE
ip address xxxxxxx yyyyyyy
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
zone-member security VPN
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx {INTERNET ROUTE}
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxxxxx xxxxxx any
access-list 120 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input rlogin ssh
!
scheduler allocate 20000 1000
end
07-11-2012 07:08 AM
No, you don't have to add any route.
If you remove all the zones from the interfaces (for testing purposes only), does the VPN work?
I just want to see where exactly the problem is, and the easiest way is to rule out the ZBFW first.
07-12-2012 10:31 AM
Hello Jennifer,
The moment I disabled the ZBF the VPN started working, i.e. I can enter the LAN of my company. But since we need the ZBF, I enabled it again, removed the VPN zone and added the Virtual-Template interface to the INSIDE zone like this:
interface Virtual-Template1 type tunnel
zone-member security INSIDE
and I am very happy to say that it worked, i.e. I can access the LAN of my company.
Please see the zones:
Router#sh zone security
zone self
Description: System defined zone
zone INSIDE
Member Interfaces:
GigabitEthernet0/0
Virtual-Template1
zone OUTSIDE
Member Interfaces:
GigabitEthernet0/1
Thank you very much for your help Jennifer.
Best Regards,
Tony
07-12-2012 03:18 PM
Thanks for the update.
It's strange that it works when you changed it back to inside, as we did originally have the "inside" zone for the virtual template.
Maybe removing and reapplying makes the difference.