Hi All,

I'm looking on many forums for an answer, but I cannot get it working.

I have configured EasyVPN with CCP and also with CLI. I had it both working perfect, except the most important thing.

I can connect with the Cisco VPN client to the router, but i'm not able to connect or even ping a system inside the remote network. My laptop gets an IP address from the address pool of the router.

I really hope someone can help me before my manager is losing his patience :-)

Here is my config. (before someone is mentioning it, i have to clean up my config a bit...I mean, look at the acl's )

Current configuration : 13939 bytes

!

! Last configuration change at 12:26:53 UTC Thu Jan 9 2014 by admin

version 15.2

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname Router

!

boot-start-marker

boot-end-marker

!

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 10240

logging console critical

enable secret 4 ********

!

aaa new-model

!

!

aaa authentication login local_authen local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec local_author local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

!

!

!

!

aaa session-id common

no process cpu extended history

!

!

crypto pki trustpoint TP-self-signed-********

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-********

revocation-check none

rsakeypair TP-self-signed-********

!

!

crypto pki certificate chain TP-self-signed-********

certificate self-signed 01

  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030

  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274

  69666963 6174652D 33303239 34303934 3438301E 170D3133 30343032 30353436

  31345A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649

  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30323934

  30393434 3830819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281

  8100B9C3 F8E6BD43 3351D861 68398114 D31AACC1 CE16CDDA 7F0876BC 6E55EA3C

  5F258D90 20FC882D 42C90257 92DB9113 B461DD81 4080153F 6AE041AD E5BDDF7E

  7C21BD1B 35F05CCB F6D34A4D 6B04C309 F39D8426 865E2BFE 9E8051F2 6F411A49

  D71FBF0C 1AC85BEE 355563FB 2353D0C7 28D49071 840AF99B AF59D768 FCDCDF03

  94FF0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603

  551D2304 18301680 145ACD47 89D51095 70BE5400 595E826A 6A9E5E95 71301D06

  03551D0E 04160414 5ACD4789 D5109570 BE540059 5E826A6A 9E5E9571 300D0609

  2A864886 F70D0101 05050003 8181003B 1988FFCD 93112A99 707B7AD8 B56A08C0

  C274B974 B076AA19 BAFCC868 F118AE7D 4D8A55E2 42D8F9A9 9D617093 7EF6D459

  6BC0A990 BF5AF3E8 8E7F2787 41F4BFE2 65A1A3B0 D726033A 47A24D29 159ABF92

  16DBCF5C EC6602C2 E6137C0B C1FC7125 37E9CE49 82B45E18 FAB31A36 990BB3BC

  30D9EE8E 8B0A9F7C DC0B6C2B FA2740

            quit

no ip source-route

ip cef

!

!

!

!

!

!

no ip bootp server

ip name-server ********

ip name-server ********

no ipv6 cef

!

parameter-map type protocol-info yahoo-servers

server name scs.msg.yahoo.com

server name scsa.msg.yahoo.com

server name scsb.msg.yahoo.com

server name scsc.msg.yahoo.com

server name scsd.msg.yahoo.com

server name cs16.msg.dcn.yahoo.com

server name cs19.msg.dcn.yahoo.com

server name cs42.msg.dcn.yahoo.com

server name cs53.msg.dcn.yahoo.com

server name cs54.msg.dcn.yahoo.com

server name ads1.vip.scd.yahoo.com

server name radio1.launch.vip.dal.yahoo.com

server name in1.msg.vip.re2.yahoo.com

server name data1.my.vip.sc5.yahoo.com

server name address1.pim.vip.mud.yahoo.com

server name edit.messenger.yahoo.com

server name messenger.yahoo.com

server name http.pager.yahoo.com

server name privacy.yahoo.com

server name csa.yahoo.com

server name csb.yahoo.com

server name csc.yahoo.com

parameter-map type protocol-info msn-servers

server name messenger.hotmail.com

server name gateway.messenger.hotmail.com

server name webmessenger.msn.com

parameter-map type protocol-info aol-servers

server name login.oscar.aol.com

server name toc.oscar.aol.com

server name oam-d09a.blue.aol.com

multilink bundle-name authenticated

!

!

license udi pid C3900-SPE100/K9 sn ********

!

!

username admin privilege 15 secret 4 ********

username guido privilege 15 secret 4 ********

!

redundancy

!

!

!

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect imap match-any ccp-app-imap

match invalid-command

class-map type inspect match-any ccp-cls-protocol-p2p

match protocol edonkey signature

match protocol gnutella signature

match protocol kazaa2 signature

match protocol fasttrack signature

match protocol bittorrent signature

class-map type inspect match-all sdm-nat-http-1

match access-group 101

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--1-2

match access-group 102

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 101

class-map type inspect smtp match-any ccp-app-smtp

match data-length gt 5000000

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-h323nxg-inspect

match protocol h323-nxg

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-cls-protocol-im

match protocol ymsgr yahoo-servers

match protocol msnmsgr msn-servers

match protocol aol aol-servers

class-map type inspect match-all ccp-protocol-pop3

match protocol pop3

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any ccp-h323annexe-inspect

match protocol h323-annexe

class-map type inspect match-any ccp-cls-insp-traffic

match protocol pptp

match protocol dns

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol tcp

match protocol udp

class-map type inspect pop3 match-any ccp-app-pop3

match invalid-command

class-map type inspect match-all SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-imap

match protocol imap

class-map type inspect match-all sdm-nat-https-1

match access-group 101

match protocol https

class-map type inspect match-all ccp-protocol-smtp

match protocol smtp

class-map type inspect match-all ccp-protocol-http

match protocol http

class-map type inspect match-any CCP_PPTP

match class-map SDM_GRE

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-all ccp-protocol-p2p

match class-map ccp-cls-protocol-p2p

class-map type inspect match-all ccp-protocol-im

match class-map ccp-cls-protocol-im

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

!

policy-map type inspect pop3 ccp-action-pop3

class type inspect pop3 ccp-app-pop3

  log

  reset

policy-map type inspect smtp ccp-action-smtp

class type inspect smtp ccp-app-smtp

  reset

policy-map type inspect ccp-pol-outToIn

class type inspect ccp-protocol-http

  inspect

class type inspect CCP_PPTP

  pass

class type inspect sdm-nat-http-1

  inspect

class type inspect sdm-nat-https-1

  inspect

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat-user-protocol--1-2

  inspect

class class-default

  drop log

policy-map type inspect imap ccp-action-imap

class type inspect imap ccp-app-imap

  log

  reset

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-protocol-smtp

  inspect

  service-policy smtp ccp-action-smtp

class type inspect ccp-protocol-imap

  inspect

  service-policy imap ccp-action-imap

class type inspect ccp-protocol-pop3

  inspect

  service-policy pop3 ccp-action-pop3

class type inspect ccp-protocol-p2p

  drop log

class type inspect ccp-protocol-im

  drop log

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-sip-inspect

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h323annexe-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class type inspect ccp-h323nxg-inspect

  inspect

class type inspect ccp-skinny-inspect

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class class-default

  pass

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

!

zone security in-zone

zone security out-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security ccp-zp-out-zone-To-in-zone source out-zone destination in-zone

service-policy type inspect ccp-pol-outToIn

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group jmgvpn

key ****

pool SDM_POOL_1

include-local-lan

max-users 10

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group jmgvpn

   client authentication list ciscocp_vpn_xauth_ml_1

   isakmp authorization list ciscocp_vpn_group_ml_1

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

mode tunnel

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

!

interface Null0

no ip unreachables

!

interface Embedded-Service-Engine0/0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

!

interface GigabitEthernet0/0

description JMG$FW_INSIDE$

ip address 10.0.14.*** 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly in

zone-member security in-zone

glbp 10 ip 10.0.14.***

glbp 10 authentication text JMG

glbp 10 forwarder preempt delay minimum 100

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/1

description Cloud$ETH-LAN$$FW_INSIDE$

ip address 10.3.15.*** 255.255.255.252

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

zone-member security in-zone

duplex auto

speed auto

no mop enabled

!

interface GigabitEthernet0/2

description Internet (Only in use on R01)$FW_OUTSIDE$$ETH-WAN$

ip address 46.144.***.*** 255.255.255.240

no ip redirects

no ip proxy-arp

ip verify unicast reverse-path

ip flow ingress

ip flow egress

ip nat outside

ip virtual-reassembly in

zone-member security out-zone

duplex auto

speed auto

media-type rj45

no mop enabled

!

interface Virtual-Template1 type tunnel

ip unnumbered GigabitEthernet0/0

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

ip local pool SDM_POOL_1 192.168.1.1 192.168.1.10

ip forward-protocol nd

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 10 interface GigabitEthernet0/2 overload

ip nat inside source list 11 interface GigabitEthernet0/2 overload

ip nat inside source static tcp 10.0.14.*** 443 interface GigabitEthernet0/2 443

ip nat inside source static tcp 10.0.14.*** 80 interface GigabitEthernet0/2 80

ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/2 permanent

ip route 10.0.0.0 255.0.0.0 GigabitEthernet0/1 permanent

ip route 10.1.14.*** 255.255.255.0 10.0.14.*** permanent

!

ip access-list extended SDM_GRE

remark CCP_ACL Category=1

permit gre any any

!

logging trap debugging

access-list 1 remark HTTP Access-class list

access-list 1 remark CCP_ACL Category=1

access-list 1 permit 10.3.15.24 0.0.0.3

access-list 1 permit 10.0.14.0 0.0.0.255

access-list 1 deny   any

access-list 3 remark CCP_ACL Category=2

access-list 3 permit 10.5.14.0 0.0.0.255

access-list 3 permit 10.0.14.0 0.0.0.255

access-list 5 remark CCP_ACL Category=2

access-list 5 permit 10.0.14.0 0.0.0.255

access-list 6 remark CCP_ACL Category=2

access-list 6 permit 10.0.14.0 0.0.0.255

access-list 7 remark CCP_ACL Category=2

access-list 7 permit 10.0.14.0 0.0.0.255

access-list 8 remark CCP_ACL Category=2

access-list 8 permit 10.0.14.0 0.0.0.255

access-list 9 remark CCP_ACL Category=2

access-list 9 permit 10.0.14.0 0.0.0.255

access-list 10 remark CCP_ACL Category=2

access-list 10 permit 10.0.14.0 0.0.0.255

access-list 11 remark CCP_ACL Category=2

access-list 11 permit 10.0.14.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip 192.168.253.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=0

access-list 101 permit ip any host 10.0.14.153

access-list 102 remark CCP_ACL Category=0

access-list 102 permit ip any host 10.0.14.173

no cdp run

!

!

!

!

!

control-plane

!

!

banner login ^CCCPlease login. Or leave if you have no right to be here.^C

!

line con 0

login authentication local_authen

transport output telnet

line aux 0

login authentication local_authen

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

transport output pad telnet rlogin lapb-ta mop udptn v120 ssh

stopbits 1

line vty 0 4

access-class 23 in

authorization exec local_author

login authentication local_authen

transport input telnet ssh

line vty 5 15

access-class 23 in

authorization exec local_author

login authentication local_authen

transport input telnet ssh

!

scheduler allocate 20000 1000

scheduler interval 500

!

end