01-09-2014 05:10 AM
Hi All,
I'm looking on many forums for an answer, but I cannot get it working.
I have configured EasyVPN with CCP and also with CLI. I had it both working perfect, except the most important thing.
I can connect with the Cisco VPN client to the router, but i'm not able to connect or even ping a system inside the remote network. My laptop gets an IP address from the address pool of the router.
I really hope someone can help me before my manager is losing his patience :-)
Here is my config. (before someone is mentioning it, i have to clean up my config a bit...I mean, look at the acl's )
Current configuration : 13939 bytes
!
! Last configuration change at 12:26:53 UTC Thu Jan 9 2014 by admin
version 15.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 10240
logging console critical
enable secret 4 ********
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
no process cpu extended history
!
!
crypto pki trustpoint TP-self-signed-********
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-********
revocation-check none
rsakeypair TP-self-signed-********
!
!
crypto pki certificate chain TP-self-signed-********
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303239 34303934 3438301E 170D3133 30343032 30353436
31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30323934
30393434 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B9C3 F8E6BD43 3351D861 68398114 D31AACC1 CE16CDDA 7F0876BC 6E55EA3C
5F258D90 20FC882D 42C90257 92DB9113 B461DD81 4080153F 6AE041AD E5BDDF7E
7C21BD1B 35F05CCB F6D34A4D 6B04C309 F39D8426 865E2BFE 9E8051F2 6F411A49
D71FBF0C 1AC85BEE 355563FB 2353D0C7 28D49071 840AF99B AF59D768 FCDCDF03
94FF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 145ACD47 89D51095 70BE5400 595E826A 6A9E5E95 71301D06
03551D0E 04160414 5ACD4789 D5109570 BE540059 5E826A6A 9E5E9571 300D0609
2A864886 F70D0101 05050003 8181003B 1988FFCD 93112A99 707B7AD8 B56A08C0
C274B974 B076AA19 BAFCC868 F118AE7D 4D8A55E2 42D8F9A9 9D617093 7EF6D459
6BC0A990 BF5AF3E8 8E7F2787 41F4BFE2 65A1A3B0 D726033A 47A24D29 159ABF92
16DBCF5C EC6602C2 E6137C0B C1FC7125 37E9CE49 82B45E18 FAB31A36 990BB3BC
30D9EE8E 8B0A9F7C DC0B6C2B FA2740
quit
no ip source-route
ip cef
!
!
!
!
!
!
no ip bootp server
ip name-server ********
ip name-server ********
no ipv6 cef
!
parameter-map type protocol-info yahoo-servers
server name scs.msg.yahoo.com
server name scsa.msg.yahoo.com
server name scsb.msg.yahoo.com
server name scsc.msg.yahoo.com
server name scsd.msg.yahoo.com
server name cs16.msg.dcn.yahoo.com
server name cs19.msg.dcn.yahoo.com
server name cs42.msg.dcn.yahoo.com
server name cs53.msg.dcn.yahoo.com
server name cs54.msg.dcn.yahoo.com
server name ads1.vip.scd.yahoo.com
server name radio1.launch.vip.dal.yahoo.com
server name in1.msg.vip.re2.yahoo.com
server name data1.my.vip.sc5.yahoo.com
server name address1.pim.vip.mud.yahoo.com
server name edit.messenger.yahoo.com
server name messenger.yahoo.com
server name http.pager.yahoo.com
server name privacy.yahoo.com
server name csa.yahoo.com
server name csb.yahoo.com
server name csc.yahoo.com
parameter-map type protocol-info msn-servers
server name messenger.hotmail.com
server name gateway.messenger.hotmail.com
server name webmessenger.msn.com
parameter-map type protocol-info aol-servers
server name login.oscar.aol.com
server name toc.oscar.aol.com
server name oam-d09a.blue.aol.com
multilink bundle-name authenticated
!
!
license udi pid C3900-SPE100/K9 sn ********
!
!
username admin privilege 15 secret 4 ********
username guido privilege 15 secret 4 ********
!
redundancy
!
!
!
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect imap match-any ccp-app-imap
match invalid-command
class-map type inspect match-any ccp-cls-protocol-p2p
match protocol edonkey signature
match protocol gnutella signature
match protocol kazaa2 signature
match protocol fasttrack signature
match protocol bittorrent signature
class-map type inspect match-all sdm-nat-http-1
match access-group 101
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 102
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 101
class-map type inspect smtp match-any ccp-app-smtp
match data-length gt 5000000
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-cls-protocol-im
match protocol ymsgr yahoo-servers
match protocol msnmsgr msn-servers
match protocol aol aol-servers
class-map type inspect match-all ccp-protocol-pop3
match protocol pop3
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type inspect match-any ccp-cls-insp-traffic
match protocol pptp
match protocol dns
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol tcp
match protocol udp
class-map type inspect pop3 match-any ccp-app-pop3
match invalid-command
class-map type inspect match-all SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-imap
match protocol imap
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all ccp-protocol-smtp
match protocol smtp
class-map type inspect match-all ccp-protocol-http
match protocol http
class-map type inspect match-any CCP_PPTP
match class-map SDM_GRE
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-all ccp-protocol-p2p
match class-map ccp-cls-protocol-p2p
class-map type inspect match-all ccp-protocol-im
match class-map ccp-cls-protocol-im
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
!
policy-map type inspect pop3 ccp-action-pop3
class type inspect pop3 ccp-app-pop3
log
reset
policy-map type inspect smtp ccp-action-smtp
class type inspect smtp ccp-app-smtp
reset
policy-map type inspect ccp-pol-outToIn
class type inspect ccp-protocol-http
inspect
class type inspect CCP_PPTP
pass
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--1-2
inspect
class class-default
drop log
policy-map type inspect imap ccp-action-imap
class type inspect imap ccp-app-imap
log
reset
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-protocol-smtp
inspect
service-policy smtp ccp-action-smtp
class type inspect ccp-protocol-imap
inspect
service-policy imap ccp-action-imap
class type inspect ccp-protocol-pop3
inspect
service-policy pop3 ccp-action-pop3
class type inspect ccp-protocol-p2p
drop log
class type inspect ccp-protocol-im
drop log
class type inspect ccp-insp-traffic
inspect
class type inspect ccp-sip-inspect
inspect
class type inspect ccp-h323-inspect
inspect
class type inspect ccp-h323annexe-inspect
inspect
class type inspect ccp-h225ras-inspect
inspect
class type inspect ccp-h323nxg-inspect
inspect
class type inspect ccp-skinny-inspect
inspect
class class-default
drop
policy-map type inspect ccp-permit
class class-default
pass
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
inspect
class class-default
pass
!
zone security in-zone
zone security out-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone
service-policy type inspect ccp-pol-outToIn
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group jmgvpn
key ****
pool SDM_POOL_1
include-local-lan
max-users 10
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group jmgvpn
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Embedded-Service-Engine0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
!
interface GigabitEthernet0/0
description JMG$FW_INSIDE$
ip address 10.0.14.*** 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
glbp 10 ip 10.0.14.***
glbp 10 authentication text JMG
glbp 10 forwarder preempt delay minimum 100
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/1
description Cloud$ETH-LAN$$FW_INSIDE$
ip address 10.3.15.*** 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
zone-member security in-zone
duplex auto
speed auto
no mop enabled
!
interface GigabitEthernet0/2
description Internet (Only in use on R01)$FW_OUTSIDE$$ETH-WAN$
ip address 46.144.***.*** 255.255.255.240
no ip redirects
no ip proxy-arp
ip verify unicast reverse-path
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
media-type rj45
no mop enabled
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.10
ip forward-protocol nd
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 10 interface GigabitEthernet0/2 overload
ip nat inside source list 11 interface GigabitEthernet0/2 overload
ip nat inside source static tcp 10.0.14.*** 443 interface GigabitEthernet0/2 443
ip nat inside source static tcp 10.0.14.*** 80 interface GigabitEthernet0/2 80
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 permanent
ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/1 permanent
ip route 10.1.14.*** 255.255.255.0 10.0.14.*** permanent
!
ip access-list extended SDM_GRE
remark CCP_ACL Category=1
permit gre any any
!
logging trap debugging
access-list 1 remark HTTP Access-class list
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 10.3.15.24 0.0.0.3
access-list 1 permit 10.0.14.0 0.0.0.255
access-list 1 deny any
access-list 3 remark CCP_ACL Category=2
access-list 3 permit 10.5.14.0 0.0.0.255
access-list 3 permit 10.0.14.0 0.0.0.255
access-list 5 remark CCP_ACL Category=2
access-list 5 permit 10.0.14.0 0.0.0.255
access-list 6 remark CCP_ACL Category=2
access-list 6 permit 10.0.14.0 0.0.0.255
access-list 7 remark CCP_ACL Category=2
access-list 7 permit 10.0.14.0 0.0.0.255
access-list 8 remark CCP_ACL Category=2
access-list 8 permit 10.0.14.0 0.0.0.255
access-list 9 remark CCP_ACL Category=2
access-list 9 permit 10.0.14.0 0.0.0.255
access-list 10 remark CCP_ACL Category=2
access-list 10 permit 10.0.14.0 0.0.0.255
access-list 11 remark CCP_ACL Category=2
access-list 11 permit 10.0.14.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 192.168.253.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 10.0.14.153
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 10.0.14.173
no cdp run
!
!
!
!
!
control-plane
!
!
banner login ^CCCPlease login. Or leave if you have no right to be here.^C
!
line con 0
login authentication local_authen
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
line vty 5 15
access-class 23 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler allocate 20000 1000
scheduler interval 500
!
end
01-09-2014 09:44 AM
Remove the ip nat outside command for a moment during a permitted downtime.
I have a feeling you should do some NAT excemption for the VPN traffic (deny vpn traffic for nat policies).
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide