10-07-2010 05:47 AM
Hi Guys,
I have a problem with setting up my cisco 876 router as a vpn server.
This is my layout:
Local Network -> Cisco876 -> Internet Cloud <- VPN Client (Windows vpn client or Cisco VPN client)
So my goal is to be able to reach the local network from the VPN Client machine.
When I try to connect to the router I get the following messages:
"Secure VPN Connection terminated locally by the Client.
Reason 412: The remote peer is no longer responding" - This is the message when I try to connect using Cisco VPN Client
"Error 619: A connection to the remote computer could not be established, so the port for this connection was closed." - This is the message I get when I use a Windows vpn connection.
Here is my config (it's a bit of a mess):
Please bear in mind that I'm very new to Cisco, so step-by-step guidance would be very much appreciated.
Building configuration...
Current configuration : 23375 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CEI
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login Zharko local
aaa authentication login USER local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network hw-client-groupname local
aaa authorization network GROUP local
!
!
aaa session-id common
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
dot11 syslog
no ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool CEI
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 192.168.100.200 192.168.100.202 62.162.32.6 62.162.32.7
lease infinite
!
!
ip name-server 192.168.100.200
ip name-server 192.168.100.202
ip name-server 62.162.32.6
ip name-server 62.162.32.7
ip port-map user-protocol--2 port tcp 50
ip port-map user-protocol--3 port tcp 1792
ip port-map user-protocol--1 port udp 5500
ip port-map user-protocol--6 port udp 51
ip port-map user-protocol--7 port tcp 5900
ip port-map user-protocol--5 port udp 50
ip port-map user-protocol--19 port tcp 8085
ip port-map user-protocol--18 port tcp 251
ip port-map user-protocol--13 port tcp 5678
ip port-map user-protocol--12 port tcp 99
ip port-map user-protocol--22 port tcp 8080
ip port-map user-protocol--10 port tcp 1701
ip port-map user-protocol--23 port udp 8080
ip port-map user-protocol--17 port tcp 212
ip port-map user-protocol--24 port tcp 3389
ip port-map user-protocol--16 port udp 499
ip port-map user-protocol--15 port tcp 1700
ip port-map user-protocol--14 port tcp 120
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel receive-window 256
!
vpdn-group PPTP
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username zharko privilege 15 view root secret 5 xxxxxxxx
username vpn password 7 xxxxxxx
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 7200
crypto isakmp key Cisco address 0.0.0.0 0.0.0.0
crypto isakmp client configuration address-pool local EZVPN_POOL
!
crypto isakmp client configuration group EZVPN
key Cisco123
dns 4.2.2.2
wins 4.2.2.2
pool EZVPN_POOL
netmask 255.255.255.0
crypto isakmp profile EZVPN_PROFILE
match identity group EZVPN
client authentication list USER
isakmp authorization list GROUP
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac
!
crypto ipsec profile EZVPN_PROFILE
set transform-set EZVPN_SET
set isakmp-profile EZVPN_PROFILE
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--5-7
match access-group 2056
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 124
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--4-7
match access-group 2055
class-map type inspect match-all sdm-nat-http-1
match access-group 102
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 116
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--7-7
match access-group 2060
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 120
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-http-2
match access-group 104
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-3
match access-group 142
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--6-7
match access-group 2059
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--9-7
match access-group 2062
class-map type inspect match-all sdm-nat-user-protocol--8-7
match access-group 2061
class-map type inspect match-all sdm-nat-user-protocol--4-8
match access-group 2081
class-map type inspect match-all sdm-nat-user-protocol--5-8
match access-group 2082
match protocol user-protocol--5
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-all sdm-nat-http-9
match access-group 2067
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--3-8
match access-group 2080
class-map type inspect match-all sdm-nat-user-protocol--1-8
match access-group 2078
class-map type inspect match-all sdm-nat-pptp-8
match access-group 2077
match protocol pptp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-nat-isakmp-7
match access-group 2057
match protocol isakmp
class-map type inspect match-all sdm-nat-isakmp-8
match access-group 2083
match protocol isakmp
class-map type inspect match-all sdm-nat-pptp-1
match access-group 125
match protocol pptp
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-nat-user-protocol--16-1
match access-group 141
match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--10-7
match access-group 2064
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--15-2
match access-group 108
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--11-7
match access-group 2065
class-map type inspect match-all sdm-nat-user-protocol--2-14
match access-group 2079
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--24-1
match access-group 114
match protocol user-protocol--24
class-map type inspect match-all sdm-nat-user-protocol--14-2
match access-group 107
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--14-1
match access-group 139
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--13-6
match access-group 2070
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--24-2
match access-group 123
match protocol user-protocol--24
class-map type inspect match-all sdm-nat-user-protocol--15-1
match access-group 140
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--12-6
match access-group 2068
match protocol user-protocol--12
class-map type inspect match-all sdm-nat-user-protocol--16-2
match access-group 115
match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--15-6
match access-group 2072
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--22-2
match access-group 112
match protocol user-protocol--22
class-map type inspect match-all sdm-nat-user-protocol--21-1
match access-group 111
class-map type inspect match-all sdm-nat-user-protocol--13-1
match access-group 138
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--14-6
match access-group 2071
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--23-2
match access-group 122
match protocol user-protocol--23
class-map type inspect match-all sdm-nat-user-protocol--22-3
match access-group 121
match protocol user-protocol--22
class-map type inspect match-all sdm-nat-user-protocol--2-13
match access-group 2074
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--20-2
match access-group 2157
class-map type inspect match-all sdm-nat-user-protocol--23-1
match access-group 113
match protocol user-protocol--23
class-map type inspect match-all sdm-nat-user-protocol--13-2
match access-group 106
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--11-1
match access-group 118
class-map type inspect match-all sdm-nat-user-protocol--16-6
match access-group 2073
match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--22-1
match access-group 2159
match protocol user-protocol--22
class-map type inspect match-all sdm-nat-user-protocol--21-2
match access-group 2158
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--19-5
match access-group 2156
match protocol user-protocol--19
class-map type inspect match-all sdm-nat-user-protocol--19-2
match access-group 2076
match protocol user-protocol--19
class-map type inspect match-all sdm-nat-user-protocol--19-3
match access-group 119
match protocol user-protocol--19
class-map type inspect match-all sdm-nat-user-protocol--19-1
match access-group 110
match protocol user-protocol--19
class-map type inspect match-all sdm-nat-l2tp-7
match access-group 2058
match protocol l2tp
class-map type inspect match-all sdm-nat-l2tp-8
match access-group 2084
match protocol l2tp
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-all sdm-nat-ipsec-msft-6
match access-group 2066
match protocol ipsec-msft
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-any gre
description gre
match access-group 189
match protocol pptp
match protocol l2tp
match protocol gtpv0
match protocol gtpv1
match protocol gdoi
match protocol isakmp
match protocol ipsec-msft
match protocol ssp
class-map type inspect match-all sdm-nat-https-7
match access-group 2063
match protocol https
class-map type inspect match-all sdm-nat-dnsix-6
match access-group 2069
match protocol dnsix
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-dnsix-1
match access-group 137
match protocol dnsix
class-map type inspect match-all sdm-nat-https-2
match access-group 103
match protocol https
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all sdm-nat-dnsix-2
match access-group 105
match protocol dnsix
class-map type inspect match-all sdm-nat-ftp-2
match access-group 117
match protocol ftp
class-map type inspect match-all sdm-nat-ftp-3
match access-group 2075
match protocol ftp
class-map type inspect match-all sdm-nat-ftp-1
match access-group 109
match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map SDM-QoS-Policy-1
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--11-1
inspect
class type inspect sdm-nat-dnsix-1
inspect
class type inspect sdm-nat-user-protocol--13-1
inspect
class type inspect sdm-nat-user-protocol--14-1
inspect
class type inspect sdm-nat-user-protocol--15-1
inspect
class type inspect sdm-nat-user-protocol--16-1
inspect
class type inspect sdm-nat-user-protocol--2-3
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-ftp-1
inspect
class type inspect sdm-nat-user-protocol--19-1
inspect
class type inspect sdm-nat-user-protocol--21-1
inspect
class type inspect sdm-nat-user-protocol--22-2
inspect
class type inspect sdm-nat-user-protocol--23-1
inspect
class type inspect sdm-nat-user-protocol--24-1
inspect
class type inspect sdm-nat-https-2
inspect
class type inspect sdm-nat-http-2
inspect
class type inspect sdm-nat-dnsix-2
inspect
class type inspect sdm-nat-user-protocol--13-2
inspect
class type inspect sdm-nat-user-protocol--14-2
inspect
class type inspect sdm-nat-user-protocol--15-2
inspect
class type inspect sdm-nat-user-protocol--16-2
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-ftp-2
inspect
class type inspect sdm-nat-user-protocol--19-3
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--22-3
inspect
class type inspect sdm-nat-user-protocol--23-2
inspect
class type inspect sdm-nat-user-protocol--24-2
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-pptp-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect SDM-Voice-permit
inspect
class class-default
pass
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface Tunnel0
ip address 10.0.0.1 255.255.255.0
ip mtu 1476
zone-member security in-zone
keepalive 10 3
tunnel source 192.168.100.1
tunnel destination 192.168.100.208
tunnel path-mtu-discovery
!
interface BRI0
no ip address
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 1/32
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly
no ip route-cache
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile EZVPN_PROFILE
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
!
interface Dialer1
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
dialer pool 1
ppp chap hostname xxxxxx
ppp chap password xxxxxx
ppp pap sent-username xxxxxx password 7 xxxxxx
!
interface Dialer21
no ip address
!
ip local pool EZVPN_POOL 10.0.0.10 10.0.0.20
ip local pool PPTP_POOL 10.1.1.5 10.1.1.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.202 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.208 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.1 90 interface Dialer1 98
ip nat inside source static tcp 192.168.100.1 5678 interface Dialer1 5678
ip nat inside source static tcp 192.168.100.1 120 interface Dialer1 130
ip nat inside source static tcp 192.168.100.1 1700 interface Dialer1 1702
ip nat inside source static udp 192.168.100.1 499 interface Dialer1 501
ip nat inside source static tcp 192.168.100.1 50 interface Dialer1 51
ip nat inside source static tcp 192.168.100.202 21 interface Dialer1 21
ip nat inside source static tcp 192.168.100.202 8085 interface Dialer1 8085
ip nat inside source static udp 192.168.100.19 5500 interface Dialer1 5500
ip nat inside source static tcp 192.168.100.208 8080 interface Dialer1 8080
ip nat inside source static udp 192.168.100.208 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.100.208 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.100.1 1792 interface Dialer1 1792
ip nat inside source static tcp 192.168.100.208 1723 interface Dialer1 1723
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark SDM_ACL Category=0
permit gre any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended gre
remark gre
remark SDM_ACL Category=64
permit gre any any
!
logging trap debugging
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.100.202
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.100.202
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.100.202
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.100.208
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.100.1
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.100.1
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.100.1
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.100.1
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 192.168.100.202
access-list 110 permit tcp any host 192.168.100.208 eq 1723
access-list 110 permit gre any host 192.168.100.208
access-list 111 remark SDM_ACL Category=0
access-list 111 permit ip any host 192.168.100.19
access-list 112 remark SDM_ACL Category=0
access-list 112 permit ip any host 192.168.100.208
access-list 113 remark SDM_ACL Category=0
access-list 113 permit ip any host 192.168.100.208
access-list 114 remark SDM_ACL Category=0
access-list 114 permit ip any host 192.168.100.208
access-list 115 remark SDM_ACL Category=0
access-list 115 permit ip any host 192.168.100.1
access-list 116 remark SDM_ACL Category=0
access-list 116 permit ip any host 192.168.100.1
access-list 117 remark SDM_ACL Category=0
access-list 117 permit ip any host 192.168.100.202
access-list 118 remark SDM_ACL Category=0
access-list 118 permit ip any host 192.168.100.1
access-list 119 remark SDM_ACL Category=0
access-list 119 permit ip any host 192.168.100.202
access-list 120 remark SDM_ACL Category=0
access-list 120 permit ip any host 192.168.100.19
access-list 121 remark SDM_ACL Category=0
access-list 121 permit ip any host 192.168.100.208
access-list 122 remark SDM_ACL Category=0
access-list 122 permit ip any host 192.168.100.208
access-list 123 remark SDM_ACL Category=0
access-list 123 permit ip any host 192.168.100.208
access-list 124 remark SDM_ACL Category=0
access-list 124 permit ip any host 192.168.100.1
access-list 125 remark SDM_ACL Category=0
access-list 125 permit ip any host 192.168.100.208
access-list 137 remark SDM_ACL Category=0
access-list 137 permit ip any host 192.168.100.1
access-list 138 remark SDM_ACL Category=0
access-list 138 permit ip any host 192.168.100.1
access-list 139 remark SDM_ACL Category=0
access-list 139 permit ip any host 192.168.100.1
access-list 140 remark SDM_ACL Category=0
access-list 140 permit ip any host 192.168.100.1
access-list 141 remark SDM_ACL Category=0
access-list 141 permit ip any host 192.168.100.1
access-list 142 remark SDM_ACL Category=0
access-list 142 permit ip any host 192.168.100.1
access-list 189 remark permit PPTP passthrough
access-list 189 remark SDM_ACL Category=2
access-list 189 permit tcp any any eq 1723
access-list 189 permit gre any any
access-list 2055 remark SDM_ACL Category=0
access-list 2055 permit ip any host 192.168.100.202
access-list 2056 remark SDM_ACL Category=0
access-list 2056 permit ip any host 192.168.100.202
access-list 2057 remark SDM_ACL Category=0
access-list 2057 permit ip any host 192.168.100.202
access-list 2058 remark SDM_ACL Category=0
access-list 2058 permit ip any host 192.168.100.202
access-list 2059 remark SDM_ACL Category=0
access-list 2059 permit ip any host 192.168.100.202
access-list 2060 remark SDM_ACL Category=0
access-list 2060 permit ip any host 192.168.100.202
access-list 2061 remark SDM_ACL Category=0
access-list 2061 permit ip any host 192.168.100.202
access-list 2062 remark SDM_ACL Category=0
access-list 2062 permit ip any host 192.168.100.202
access-list 2063 remark SDM_ACL Category=0
access-list 2063 permit ip any host 192.168.100.202
access-list 2156 remark SDM_ACL Category=0
access-list 2156 permit ip any host 192.168.100.202
access-list 2157 remark SDM_ACL Category=0
access-list 2157 permit ip any host 192.168.100.19
access-list 2158 remark SDM_ACL Category=0
access-list 2158 permit ip any host 192.168.100.19
access-list 2159 remark SDM_ACL Category=0
access-list 2159 permit ip any host 192.168.100.208
!
!
!
!
control-plane
!
!
line con 0
password 7 xxxxxxx
no modem enable
line aux 0
line vty 0 4
password 7 xxxxxxx
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
Thanks in advance.
Zharko
10-07-2010 08:28 AM
Hi,
From a VPN configuration standpoint, everything looks fine. There are a couple of things I would like to bring to your notice otherwise:
1) The virtual-template interface has the below configuration:
interface Virtual-Template1 type tunnel
ip unnumbered Vlan1
ip nat inside
ip virtual-reassembly
no ip route-cache
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
tunnel protection ipsec profile EZVPN_PROFILE
We should not have the "ip nat inside" on the above interface as that will cause communication issues when we connect to the VPN. Please remove that.
2) I see you have a zone-pair from outside to self zones as below:
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
policy-map type inspect sdm-permit
class class-default
As we see, there is nothing being allowed in the above policy-map and hence all requests from VPN clients will be dropped. Please try adding the below config and let's see how it goes.
ip access-list extended SDM_UDP_VPN
permit udp any any eq 4500
class-map type inspect match-any SDM_UDP_VPN
match access-group SDM_UDP_VPN
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match class-map SDM_UDP_VPN
policy-map type inspect sdm-permit
class SDM_EASY_VPN_SERVER_PT
inspect
This should allow the VPN connections to the router.
3) The virtual-template interface also needs to be part of a zone for traffic to be able to pass through it. I noticed you have an ezvpn-zone created but no interfaces assigned to it. I assume the purpose of creating it was to add the virtual-template interface to that zone. Please add the below commands as well to do that:
interface Virtual-Template1 type tunnel
zone-member security ezvpn-zone
Please implement the above and let me know how things go!
Thanks and Regards,
Prapanch
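The three points in the reply above (no `ip nat inside` on the virtual-template, the out-zone to self policy must actually admit the IKE/NAT-T/ESP traffic a remote IPsec client sends, and the virtual-template must be a zone member) can be checked mechanically against a running-config. The script below is an added example, not code from either poster or from Cisco. It assumes a small keyword-driven parser (so it copes with the indentation-less config as it was pasted into the thread), resolves nested `match class-map` and `match access-group name` references the way the SDM-generated classes are built, and treats the reply's correction as a delta applied on top of the posted excerpt. Two assumptions about the correction: the added class uses `match access-group name SDM_UDP_VPN` (the form the rest of the posted config uses, e.g. for `SDM_ESP`) and the policy-map line is written as `class type inspect SDM_EASY_VPN_SERVER_PT`. Both sample configs are constructed excerpts of the relevant blocks only.

```python
"""Audit an IOS config for the Easy VPN / zone-based-firewall issues raised in the thread (added
example, not the posters' code). Blocks are inferred from keywords, so the flattened text as posted works."""
BLOCK_STARTS = ("interface ", "policy-map ", "class-map ", "zone-pair ", "zone security ", "crypto ",
                "ip access-list ", "ip nat inside source", "ip route ", "access-list ", "line ", "end")

def parse_blocks(config: str) -> dict:
    """Header line -> child lines. Re-entering a block appends and 'no <cmd>' removes, as in IOS."""
    blocks, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            current = None
        elif line.startswith(BLOCK_STARTS):
            current = line
            blocks.setdefault(line, [])
        elif current is not None:
            if line.startswith("no ") and line[3:] in blocks[current]:
                blocks[current].remove(line[3:])
            else:
                blocks[current].append(line)
    return blocks

def _children(blocks: dict, prefix: str, name: str) -> list:
    """Children of the block whose header starts with prefix and whose last word is name."""
    return next((c for h, c in blocks.items() if h.startswith(prefix) and h.split()[-1] == name), [])

def vpn_protocols(blocks: dict, cls: str) -> set:
    """VPN protocols a (nested) inspect class-map can match. Nested maps are unioned and match-all
    semantics ignored, so this can only over-report what the firewall really admits."""
    found = set()
    for line in _children(blocks, "class-map ", cls):
        if line == "match protocol isakmp":
            found.add("isakmp")
        elif line == "match protocol ipsec-msft":  # IOS's name for IPsec NAT-T (UDP/4500)
            found.add("nat-t")
        elif line.startswith("match class-map "):
            found |= vpn_protocols(blocks, line.split()[-1])
        elif line.startswith("match access-group name "):
            for ace in _children(blocks, "ip access-list ", line.split()[-1]):
                if ace.startswith("permit esp"):
                    found.add("esp")
                elif ace.startswith("permit udp") and ace.endswith("eq 4500"):
                    found.add("nat-t")
    return found

def audit(config: str) -> list:
    blocks, findings = parse_blocks(config), []
    for header, children in blocks.items():
        # out-zone -> self: unless IKE, NAT-T and ESP are admitted, the client never gets a reply.
        if header.startswith("zone-pair ") and header.endswith(" destination self"):
            policy = next((c.split()[-1] for c in children if c.startswith("service-policy ")), "")
            allowed, cur = [], None  # classes whose action is inspect/pass; '*' = class-default passes
            for line in _children(blocks, "policy-map ", policy):
                if line.startswith("class "):
                    cur = line.split()[-1]
                elif line in ("inspect", "pass") and cur:
                    allowed.append("*" if cur == "class-default" else cur)
            seen = set().union(*(vpn_protocols(blocks, c) for c in allowed if c != "*"))
            missing = set() if "*" in allowed else {"isakmp", "nat-t", "esp"} - seen
            if missing:
                findings.append(f"{header}: policy '{policy}' does not admit {sorted(missing)}")
        # The VPN virtual-template must belong to a zone, and must not be 'ip nat inside'.
        elif header.startswith("interface Virtual-Template"):
            name = header.split()[1]
            if not any(c.startswith("zone-member security") for c in children):
                findings.append(f"{name}: not a member of any security zone")
            if "ip nat inside" in children:
                findings.append(f"{name}: 'ip nat inside' configured on the VPN virtual-template")
    return findings

# Constructed excerpts: the relevant blocks of the config as first posted, then the reply's
# correction written with 'match access-group name', the form the rest of that config uses.
SAMPLE_CONFIG = """class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
policy-map type inspect sdm-permit
class class-default
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
interface Virtual-Template1 type tunnel
ip nat inside
ip access-list extended SDM_ESP
permit esp any any
"""
FIX = """ip access-list extended SDM_UDP_VPN
permit udp any any eq 4500
class-map type inspect match-any SDM_UDP_VPN
match access-group name SDM_UDP_VPN
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match class-map SDM_UDP_VPN
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
inspect
interface Virtual-Template1 type tunnel
no ip nat inside
zone-member security ezvpn-zone"""
```

Running `audit(SAMPLE_CONFIG)` reports all three problems from the reply; `audit(SAMPLE_CONFIG + FIX)` reports none, because the re-entered `sdm-permit` policy-map now inspects `SDM_EASY_VPN_SERVER_PT`, which resolves down to ISAKMP, NAT-T and ESP, and the virtual-template has lost `ip nat inside` and gained a zone. The parser is deliberately small: it knows nothing about match-all versus match-any, so a class-map that could never match in practice is still counted as admitting traffic; use the `ip inspect log drop-pkt` syslogs suggested later in the thread to confirm what the firewall actually drops.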
10-07-2010 09:07 AM
10-07-2010 09:40 AM
Hi Zharko,
Could you post the current config? Want to see what changes have been accepted/rejected. Also, when trying to connect using the Cisco VPN client, please forward the outputs of "debug cry isa" and "debug crypto ipsec" from the router.
Also, please enable "ip inspect log drop-pkt" before connecting and then you should be able to see which packets are being dropped by the zone based firewall in the syslogs.
Thanks and Regards,
Prapanch
10-08-2010 01:51 AM
Hi Prapanch,
Here is my current config; I have made some of the changes you suggested:
Building configuration...
Current configuration : 23347 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname CEI
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 xxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network default if-authenticated
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network hw-client-groupname local
aaa authorization network sdm_vpn_group_ml_2 local
!
!
aaa session-id common
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
dot11 syslog
no ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool CEI
network 192.168.100.0 255.255.255.0
default-router 192.168.100.1
dns-server 192.168.100.200 192.168.100.202 62.162.32.6 62.162.32.7
lease infinite
!
!
ip name-server 192.168.100.200
ip name-server 192.168.100.202
ip name-server 62.162.32.6
ip name-server 62.162.32.7
ip port-map user-protocol--2 port tcp 50
ip port-map user-protocol--3 port tcp 1792
ip port-map user-protocol--1 port udp 5500
ip port-map user-protocol--6 port udp 51
ip port-map user-protocol--7 port tcp 5900
ip port-map user-protocol--5 port udp 50
ip port-map user-protocol--19 port tcp 8085
ip port-map user-protocol--18 port tcp 251
ip port-map user-protocol--13 port tcp 5678
ip port-map user-protocol--12 port tcp 99
ip port-map user-protocol--22 port tcp 8080
ip port-map user-protocol--10 port tcp 1701
ip port-map user-protocol--23 port udp 8080
ip port-map user-protocol--17 port tcp 212
ip port-map user-protocol--24 port tcp 3389
ip port-map user-protocol--16 port udp 499
ip port-map user-protocol--15 port tcp 1700
ip port-map user-protocol--14 port tcp 120
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
l2tp tunnel receive-window 256
!
vpdn-group PPTP
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username zharko privilege 15 view root secret 5 xxxxxxxxxx
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_POOL
key 123456
dns 192.168.100.200 192.168.100.202
domain ceimk
pool SDM_POOL_1
max-users 5
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group VPN_POOL
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile EZVPN
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile sdm-ike-profile-1
!
!
archive
log config
hidekeys
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--5-7
match access-group 2056
match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--3-1
match access-group 124
match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--4-7
match access-group 2055
class-map type inspect match-all sdm-nat-http-1
match access-group 102
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
match access-group 116
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--7-7
match access-group 2060
match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 120
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-http-2
match access-group 104
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-3
match access-group 142
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--6-7
match access-group 2059
match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--9-7
match access-group 2062
class-map type inspect match-all sdm-nat-user-protocol--8-7
match access-group 2061
class-map type inspect match-all sdm-nat-user-protocol--4-8
match access-group 2081
class-map type inspect match-all sdm-nat-user-protocol--5-8
match access-group 2082
match protocol user-protocol--5
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-all sdm-nat-http-9
match access-group 2067
match protocol http
class-map type inspect match-all sdm-nat-user-protocol--3-8
match access-group 2080
class-map type inspect match-all sdm-nat-user-protocol--1-8
match access-group 2078
class-map type inspect match-all sdm-nat-pptp-8
match access-group 2077
match protocol pptp
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-all sdm-nat-isakmp-7
match access-group 2057
match protocol isakmp
class-map type inspect match-all sdm-nat-isakmp-8
match access-group 2083
match protocol isakmp
class-map type inspect match-all sdm-nat-pptp-1
match access-group 125
match protocol pptp
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_UDP_VPN
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match class-map SDM_UDP_VPN
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-nat-user-protocol--16-1
match access-group 141
match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--10-7
match access-group 2064
match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--15-2
match access-group 108
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--11-7
match access-group 2065
class-map type inspect match-all sdm-nat-user-protocol--2-14
match access-group 2079
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--24-1
match access-group 114
match protocol user-protocol--24
class-map type inspect match-all sdm-nat-user-protocol--14-2
match access-group 107
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--14-1
match access-group 139
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--13-6
match access-group 2070
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--24-2
match access-group 123
match protocol user-protocol--24
class-map type inspect match-all sdm-nat-user-protocol--15-1
match access-group 140
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--12-6
match access-group 2068
match protocol user-protocol--12
class-map type inspect match-all sdm-nat-user-protocol--16-2
match access-group 115
match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--15-6
match access-group 2072
match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--22-2
match access-group 112
match protocol user-protocol--22
class-map type inspect match-all sdm-nat-user-protocol--21-1
match access-group 111
class-map type inspect match-all sdm-nat-user-protocol--13-1
match access-group 138
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--14-6
match access-group 2071
match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--23-2
match access-group 122
match protocol user-protocol--23
class-map type inspect match-all sdm-nat-user-protocol--22-3
match access-group 121
match protocol user-protocol--22
class-map type inspect match-all sdm-nat-user-protocol--2-13
match access-group 2074
match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--20-2
match access-group 2157
class-map type inspect match-all sdm-nat-user-protocol--23-1
match access-group 113
match protocol user-protocol--23
class-map type inspect match-all sdm-nat-user-protocol--13-2
match access-group 106
match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--11-1
match access-group 118
class-map type inspect match-all sdm-nat-user-protocol--16-6
match access-group 2073
match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--22-1
match access-group 2159
match protocol user-protocol--22
class-map type inspect match-all sdm-nat-user-protocol--21-2
match access-group 2158
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--19-5
match access-group 2156
match protocol user-protocol--19
class-map type inspect match-all sdm-nat-user-protocol--19-2
match access-group 2076
match protocol user-protocol--19
class-map type inspect match-all sdm-nat-user-protocol--19-3
match access-group 119
match protocol user-protocol--19
class-map type inspect match-all sdm-nat-user-protocol--19-1
match access-group 110
match protocol user-protocol--19
class-map type inspect match-all sdm-nat-l2tp-7
match access-group 2058
match protocol l2tp
class-map type inspect match-all sdm-nat-l2tp-8
match access-group 2084
match protocol l2tp
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-all sdm-nat-ipsec-msft-6
match access-group 2066
match protocol ipsec-msft
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-any gre
description gre
match access-group 189
match protocol pptp
match protocol l2tp
match protocol gtpv0
match protocol gtpv1
match protocol gdoi
match protocol isakmp
match protocol ipsec-msft
match protocol ssp
class-map type inspect match-all sdm-nat-https-7
match access-group 2063
match protocol https
class-map type inspect match-all sdm-nat-dnsix-6
match access-group 2069
match protocol dnsix
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-dnsix-1
match access-group 137
match protocol dnsix
class-map type inspect match-all sdm-nat-https-2
match access-group 103
match protocol https
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
class-map type inspect match-all sdm-nat-dnsix-2
match access-group 105
match protocol dnsix
class-map type inspect match-all sdm-nat-ftp-2
match access-group 117
match protocol ftp
class-map type inspect match-all sdm-nat-ftp-3
match access-group 2075
match protocol ftp
class-map type inspect match-all sdm-nat-ftp-1
match access-group 109
match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
inspect
class class-default
pass
policy-map SDM-QoS-Policy-1
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--11-1
inspect
class type inspect sdm-nat-dnsix-1
inspect
class type inspect sdm-nat-user-protocol--13-1
inspect
class type inspect sdm-nat-user-protocol--14-1
inspect
class type inspect sdm-nat-user-protocol--15-1
inspect
class type inspect sdm-nat-user-protocol--16-1
inspect
class type inspect sdm-nat-user-protocol--2-3
inspect
class type inspect sdm-nat-https-1
inspect
class type inspect sdm-nat-http-1
inspect
class type inspect sdm-nat-ftp-1
inspect
class type inspect sdm-nat-user-protocol--19-1
inspect
class type inspect sdm-nat-user-protocol--21-1
inspect
class type inspect sdm-nat-user-protocol--22-2
inspect
class type inspect sdm-nat-user-protocol--23-1
inspect
class type inspect sdm-nat-user-protocol--24-1
inspect
class type inspect sdm-nat-https-2
inspect
class type inspect sdm-nat-http-2
inspect
class type inspect sdm-nat-dnsix-2
inspect
class type inspect sdm-nat-user-protocol--13-2
inspect
class type inspect sdm-nat-user-protocol--14-2
inspect
class type inspect sdm-nat-user-protocol--15-2
inspect
class type inspect sdm-nat-user-protocol--16-2
inspect
class type inspect sdm-nat-user-protocol--2-1
inspect
class type inspect sdm-nat-ftp-2
inspect
class type inspect sdm-nat-user-protocol--19-3
inspect
class type inspect sdm-nat-user-protocol--1-1
inspect
class type inspect sdm-nat-user-protocol--22-3
inspect
class type inspect sdm-nat-user-protocol--23-2
inspect
class type inspect sdm-nat-user-protocol--24-2
inspect
class type inspect sdm-nat-user-protocol--3-1
inspect
class type inspect sdm-nat-pptp-1
inspect
class class-default
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
drop log
class type inspect sdm-insp-traffic
inspect
class type inspect sdm-protocol-http
inspect
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
class class-default
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
pass
class type inspect SDM-Voice-permit
inspect
class class-default
pass
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
!
!
!
interface BRI0
no ip address
encapsulation hdlc
ip route-cache flow
shutdown
!
interface ATM0
no ip address
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$
pvc 1/32
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
no ip address
zone-member security ezvpn-zone
no ip route-cache
tunnel mode ipsec ipv4
tunnel path-mtu-discovery
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.100.1 255.255.255.0
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip route-cache flow
!
interface Dialer1
description $FW_OUTSIDE$
mtu 1492
ip address negotiated
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
ip route-cache flow
dialer pool 1
ppp chap hostname xxxxxxxx
ppp chap password 7 075E731F1A5C4F
ppp pap sent-username xxxxxxxx password 7 xxxxxxxxx
!
interface Dialer21
no ip address
!
ip local pool SDM_POOL_1 10.0.0.5 10.0.0.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
no ip http secure-server
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.100.202 443 interface Dialer1 443
ip nat inside source static tcp 192.168.100.208 80 interface Dialer1 80
ip nat inside source static tcp 192.168.100.1 90 interface Dialer1 98
ip nat inside source static tcp 192.168.100.1 5678 interface Dialer1 5678
ip nat inside source static tcp 192.168.100.1 120 interface Dialer1 130
ip nat inside source static tcp 192.168.100.1 1700 interface Dialer1 1702
ip nat inside source static udp 192.168.100.1 499 interface Dialer1 501
ip nat inside source static tcp 192.168.100.1 50 interface Dialer1 51
ip nat inside source static tcp 192.168.100.202 21 interface Dialer1 21
ip nat inside source static tcp 192.168.100.202 8085 interface Dialer1 8085
ip nat inside source static udp 192.168.100.19 5500 interface Dialer1 5500
ip nat inside source static tcp 192.168.100.208 8080 interface Dialer1 8080
ip nat inside source static udp 192.168.100.208 8080 interface Dialer1 8080
ip nat inside source static tcp 192.168.100.208 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.100.1 1792 interface Dialer1 1792
ip nat inside source static tcp 192.168.100.208 1723 interface Dialer1 1723
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark SDM_ACL Category=0
permit gre any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
ip access-list extended SDM_UDP_VPN
permit udp any any eq non500-isakmp
ip access-list extended gre
remark gre
remark SDM_ACL Category=64
permit gre any any
!
logging trap debugging
access-list 1 remark SDM_ACL Category=16
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark SDM_ACL Category=0
access-list 101 permit ip any host 192.168.100.202
access-list 102 remark SDM_ACL Category=0
access-list 102 permit ip any host 192.168.100.202
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 192.168.100.202
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 192.168.100.208
access-list 105 remark SDM_ACL Category=0
access-list 105 permit ip any host 192.168.100.1
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 192.168.100.1
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 192.168.100.1
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 192.168.100.1
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 192.168.100.202
access-list 110 permit tcp any host 192.168.100.208 eq 1723
access-list 110 permit gre any host 192.168.100.208
access-list 111 remark SDM_ACL Category=0
access-list 111 permit ip any host 192.168.100.19
access-list 112 remark SDM_ACL Category=0
access-list 112 permit ip any host 192.168.100.208
access-list 113 remark SDM_ACL Category=0
access-list 113 permit ip any host 192.168.100.208
access-list 114 remark SDM_ACL Category=0
access-list 114 permit ip any host 192.168.100.208
access-list 115 remark SDM_ACL Category=0
access-list 115 permit ip any host 192.168.100.1
access-list 116 remark SDM_ACL Category=0
access-list 116 permit ip any host 192.168.100.1
access-list 117 remark SDM_ACL Category=0
access-list 117 permit ip any host 192.168.100.202
access-list 118 remark SDM_ACL Category=0
access-list 118 permit ip any host 192.168.100.1
access-list 119 remark SDM_ACL Category=0
access-list 119 permit ip any host 192.168.100.202
access-list 120 remark SDM_ACL Category=0
access-list 120 permit ip any host 192.168.100.19
access-list 121 remark SDM_ACL Category=0
access-list 121 permit ip any host 192.168.100.208
access-list 122 remark SDM_ACL Category=0
access-list 122 permit ip any host 192.168.100.208
access-list 123 remark SDM_ACL Category=0
access-list 123 permit ip any host 192.168.100.208
access-list 124 remark SDM_ACL Category=0
access-list 124 permit ip any host 192.168.100.1
access-list 125 remark SDM_ACL Category=0
access-list 125 permit ip any host 192.168.100.208
access-list 137 remark SDM_ACL Category=0
access-list 137 permit ip any host 192.168.100.1
access-list 138 remark SDM_ACL Category=0
access-list 138 permit ip any host 192.168.100.1
access-list 139 remark SDM_ACL Category=0
access-list 139 permit ip any host 192.168.100.1
access-list 140 remark SDM_ACL Category=0
access-list 140 permit ip any host 192.168.100.1
access-list 141 remark SDM_ACL Category=0
access-list 141 permit ip any host 192.168.100.1
access-list 142 remark SDM_ACL Category=0
access-list 142 permit ip any host 192.168.100.1
access-list 189 remark permit PPTP passthrough
access-list 189 remark SDM_ACL Category=2
access-list 189 permit tcp any any eq 1723
access-list 189 permit gre any any
access-list 2055 remark SDM_ACL Category=0
access-list 2055 permit ip any host 192.168.100.202
access-list 2056 remark SDM_ACL Category=0
access-list 2056 permit ip any host 192.168.100.202
access-list 2057 remark SDM_ACL Category=0
access-list 2057 permit ip any host 192.168.100.202
access-list 2058 remark SDM_ACL Category=0
access-list 2058 permit ip any host 192.168.100.202
access-list 2059 remark SDM_ACL Category=0
access-list 2059 permit ip any host 192.168.100.202
access-list 2060 remark SDM_ACL Category=0
access-list 2060 permit ip any host 192.168.100.202
access-list 2061 remark SDM_ACL Category=0
access-list 2061 permit ip any host 192.168.100.202
access-list 2062 remark SDM_ACL Category=0
access-list 2062 permit ip any host 192.168.100.202
access-list 2063 remark SDM_ACL Category=0
access-list 2063 permit ip any host 192.168.100.202
access-list 2156 remark SDM_ACL Category=0
access-list 2156 permit ip any host 192.168.100.202
access-list 2157 remark SDM_ACL Category=0
access-list 2157 permit ip any host 192.168.100.19
access-list 2158 remark SDM_ACL Category=0
access-list 2158 permit ip any host 192.168.100.19
access-list 2159 remark SDM_ACL Category=0
access-list 2159 permit ip any host 192.168.100.208
!
!
!
!
control-plane
!
!
line con 0
password 7 xxxxxxx
no modem enable
line aux 0
line vty 0 4
password 7 xxxxxxxxx
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end
The errors that I'm getting from the router are the following:
IKEv2 version 2 detected, Dropping packet!
and
Processing of Aggressive mode failed with peer at [my local ip address]
Would this whole thing work if I just disable the firewall? And if it would, then please give me the procedure on how to do that.
Thanks,
Zharko
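Added example, not part of the thread and not the poster's or Cisco's code: a small Python check that parses the zone-based-firewall part of the dump above and reports what governs traffic from out-zone to the router itself, which is the path the VPN client's IKE (UDP 500), NAT-T (UDP 4500), ESP and AH packets have to take before the crypto engine sees them. In the dump as posted, the class SDM_EASY_VPN_SERVER_PT under policy-map sdm-permit shows no action line, and class-map SDM_UDP_VPN has no match line even though the SDM_UDP_VPN ACL (udp any any eq non500-isakmp) is defined further down. Both may be copy artifacts: the SDM Easy VPN wizard normally puts `pass` under that class and `match access-group name SDM_UDP_VPN` in that class-map, and the IKE messages quoted in the post show that IKE packets do reach the router. The check assumes the forum-flattened layout (no indentation) and that each class in a type-inspect policy-map is followed directly by its action line; it runs offline on a condensed, constructed copy of the posted stanzas.

```python
"""Static check of a Cisco IOS zone-based firewall (ZBF) fragment.  Added example for
the config posted above, not the poster's or Cisco's code.  Assumes the dump is
flattened as the forum shows it (no indentation) and that each class in a type-inspect
policy-map is followed by its action line (inspect / pass / drop / police)."""
import re

# Constructed sample: stanzas copied from the posted config, condensed to the VPN path.
SAMPLE_CONFIG = """\
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_UDP_VPN
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
match class-map SDM_UDP_VPN
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-nat-https-1
match access-group 101
match protocol https
!
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-https-1
inspect
class class-default
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
class class-default
!
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
"""
CLASS_MAP_RE = re.compile(r"^class-map type inspect (match-any|match-all) (\S+)$")
POLICY_MAP_RE = re.compile(r"^policy-map type inspect (\S+)$")
ZONE_PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
CLASS_REF_RE = re.compile(r"^class (?:type inspect )?(\S+)$")
ACTIONS = ("inspect", "pass", "drop", "police", "urlfilter")

def parse_zbf(text):
    """Return (class_maps, policy_maps, zone_pairs) parsed from a flattened IOS config."""
    class_maps, policy_maps, zone_pairs = {}, {}, {}
    ctx = cur = None                      # ctx = ("cm"|"pm"|"zp", stanza name)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!" or line.startswith("description "):
            continue
        if m := CLASS_MAP_RE.match(line):
            class_maps[m[2]] = {"mode": m[1], "matches": []}
            ctx = ("cm", m[2])
        elif m := POLICY_MAP_RE.match(line):
            policy_maps[m[1]] = {}            # class name -> action line, None if absent
            ctx, cur = ("pm", m[1]), None
        elif m := ZONE_PAIR_RE.match(line):
            zone_pairs[m[1]] = {"source": m[2], "destination": m[3], "policy": None}
            ctx = ("zp", m[1])
        elif ctx is None:
            continue
        elif ctx[0] == "cm" and line.startswith("match "):
            class_maps[ctx[1]]["matches"].append(line[6:])
        elif ctx[0] == "pm" and (m := CLASS_REF_RE.match(line)):
            cur = m[1]
            policy_maps[ctx[1]][cur] = None
        elif ctx[0] == "pm" and cur and line.split()[0] in ACTIONS:
            policy_maps[ctx[1]][cur] = line
        elif ctx[0] == "zp" and line.startswith("service-policy type inspect "):
            zone_pairs[ctx[1]]["policy"] = line.split()[-1]
        else:
            ctx = None                        # any other line closes the stanza
    return class_maps, policy_maps, zone_pairs

def classes_without_action(policy_maps):
    """Classes in type-inspect policy-maps with no inspect/pass/drop line in the dump."""
    return sorted((pm, c) for pm, cl in policy_maps.items() for c, a in cl.items() if a is None)

def empty_class_maps(class_maps):
    """Class-maps with no match line at all; they can never match traffic."""
    return sorted(n for n, cm in class_maps.items() if not cm["matches"])

def leaf_matches(class_maps, name, seen=()):
    """Expand nested 'match class-map X' references down to concrete match lines."""
    if name in seen or name not in class_maps:
        return set()
    leaves = set()
    for m in class_maps[name]["matches"]:
        sub = m.split()
        leaves |= (leaf_matches(class_maps, sub[1], seen + (name,))
                   if sub[0] == "class-map" else {m})
    return leaves

def to_self_matches(class_maps, policy_maps, zone_pairs, source="out-zone"):
    """Map each concrete match line governing source -> self traffic to its action."""
    governing = {}
    for zp in zone_pairs.values():
        if zp["source"] == source and zp["destination"] == "self":
            for cls, action in policy_maps.get(zp["policy"], {}).items():
                for leaf in leaf_matches(class_maps, cls):
                    governing[leaf] = action
    return governing
```

To run it against the whole dump, replace SAMPLE_CONFIG with the text of `show running-config`; `to_self_matches` then lists the IKE, NAT-T, ESP and AH match lines together with the action each one carries, and `classes_without_action` and `empty_class_maps` flag the two gaps visible in the post. On the router itself, `show policy-map type inspect zone-pair sdm-zp-out-self` shows the actions actually in effect, which settles whether the missing `pass` is real or was lost in the copy.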