2478
Views
0
Helpful
4
Replies

Cisco 876 VPN Server setup

ZharkoAtkovski
Level 1

Hi Guys,

I have a problem with setting up my Cisco 876 router as a VPN server.

This is my layout:

Local Network -> Cisco876 -> Internet Cloud <- VPN Client (Windows VPN client or Cisco VPN client)

So my goal is to be able to reach the local network from the VPN Client machine.

When I try to connect to the router I get the following messages:

"Secure VPN Connection terminated locally by the Client.

Reason 412: The remote peer is no longer responding" - This is the message when I try to connect using the Cisco VPN Client

"Error 619: A connection to the remote computer could not be established, so the port for this connection was closed." - This is the message I get when I use the Windows VPN connection.

Here is my config (it's a bit of a mess):

Please bear in mind that I'm very new to Cisco, so step-by-step guidance would be very appreciated.

Building configuration...


Current configuration : 23375 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname CEI

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

logging console critical

enable secret 5 xxxxxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authentication login Zharko local

aaa authentication login USER local

aaa authentication ppp default local

aaa authorization exec default local

aaa authorization network default if-authenticated

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network hw-client-groupname local

aaa authorization network GROUP local

!

!

aaa session-id common

!

crypto pki trustpoint tti

revocation-check crl

rsakeypair tti

!

!

dot11 syslog

no ip cef

!

!

no ip dhcp use vrf connected

!

ip dhcp pool CEI

   network 192.168.100.0 255.255.255.0

   default-router 192.168.100.1

   dns-server 192.168.100.200 192.168.100.202 62.162.32.6 62.162.32.7

   lease infinite

!

!

ip name-server 192.168.100.200

ip name-server 192.168.100.202

ip name-server 62.162.32.6

ip name-server 62.162.32.7

ip port-map user-protocol--2 port tcp 50

ip port-map user-protocol--3 port tcp 1792

ip port-map user-protocol--1 port udp 5500

ip port-map user-protocol--6 port udp 51

ip port-map user-protocol--7 port tcp 5900

ip port-map user-protocol--5 port udp 50

ip port-map user-protocol--19 port tcp 8085

ip port-map user-protocol--18 port tcp 251

ip port-map user-protocol--13 port tcp 5678

ip port-map user-protocol--12 port tcp 99

ip port-map user-protocol--22 port tcp 8080

ip port-map user-protocol--10 port tcp 1701

ip port-map user-protocol--23 port udp 8080

ip port-map user-protocol--17 port tcp 212

ip port-map user-protocol--24 port tcp 3389

ip port-map user-protocol--16 port udp 499

ip port-map user-protocol--15 port tcp 1700

ip port-map user-protocol--14 port tcp 120

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

vpdn enable

!

vpdn-group 1

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 1

l2tp tunnel receive-window 256

!

vpdn-group PPTP

accept-dialin

  protocol pptp

  virtual-template 1

!

!

!

username zharko privilege 15 view root secret 5 xxxxxxxx

username vpn password 7 xxxxxxx

!

!

crypto isakmp policy 1

encr aes

authentication pre-share

group 2

lifetime 7200

crypto isakmp key Cisco address 0.0.0.0 0.0.0.0

crypto isakmp client configuration address-pool local EZVPN_POOL

!

crypto isakmp client configuration group EZVPN

key Cisco123

dns 4.2.2.2

wins 4.2.2.2

pool EZVPN_POOL

netmask 255.255.255.0

crypto isakmp profile EZVPN_PROFILE

   match identity group EZVPN

   client authentication list USER

   isakmp authorization list GROUP

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set EZVPN_SET esp-aes esp-sha-hmac

!

crypto ipsec profile EZVPN_PROFILE

set transform-set EZVPN_SET

set isakmp-profile EZVPN_PROFILE

!

!

archive

log config

  hidekeys

!

!

!

class-map type inspect match-all sdm-nat-user-protocol--5-7

match access-group 2056

match protocol user-protocol--5

class-map type inspect match-all sdm-nat-user-protocol--3-1

match access-group 124

match protocol user-protocol--3

class-map type inspect match-all sdm-nat-user-protocol--4-7

match access-group 2055

class-map type inspect match-all sdm-nat-http-1

match access-group 102

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--2-1

match access-group 116

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--7-7

match access-group 2060

match protocol user-protocol--7

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 120

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-http-2

match access-group 104

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--2-3

match access-group 142

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--6-7

match access-group 2059

match protocol user-protocol--6

class-map type inspect match-all sdm-nat-user-protocol--9-7

match access-group 2062

class-map type inspect match-all sdm-nat-user-protocol--8-7

match access-group 2061

class-map type inspect match-all sdm-nat-user-protocol--4-8

match access-group 2081

class-map type inspect match-all sdm-nat-user-protocol--5-8

match access-group 2082

match protocol user-protocol--5

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-all sdm-nat-http-9

match access-group 2067

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--3-8

match access-group 2080

class-map type inspect match-all sdm-nat-user-protocol--1-8

match access-group 2078

class-map type inspect match-all sdm-nat-pptp-8

match access-group 2077

match protocol pptp

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-insp-traffic

match class-map sdm-cls-insp-traffic

class-map type inspect match-all sdm-nat-isakmp-7

match access-group 2057

match protocol isakmp

class-map type inspect match-all sdm-nat-isakmp-8

match access-group 2083

match protocol isakmp

class-map type inspect match-all sdm-nat-pptp-1

match access-group 125

match protocol pptp

class-map type inspect match-any SDM-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-all sdm-nat-user-protocol--16-1

match access-group 141

match protocol user-protocol--16

class-map type inspect match-all sdm-nat-user-protocol--10-7

match access-group 2064

match protocol user-protocol--10

class-map type inspect match-all sdm-nat-user-protocol--15-2

match access-group 108

match protocol user-protocol--15

class-map type inspect match-all sdm-nat-user-protocol--11-7

match access-group 2065

class-map type inspect match-all sdm-nat-user-protocol--2-14

match access-group 2079

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--24-1

match access-group 114

match protocol user-protocol--24

class-map type inspect match-all sdm-nat-user-protocol--14-2

match access-group 107

match protocol user-protocol--14

class-map type inspect match-all sdm-nat-user-protocol--14-1

match access-group 139

match protocol user-protocol--14

class-map type inspect match-all sdm-nat-user-protocol--13-6

match access-group 2070

match protocol user-protocol--13

class-map type inspect match-all sdm-nat-user-protocol--24-2

match access-group 123

match protocol user-protocol--24

class-map type inspect match-all sdm-nat-user-protocol--15-1

match access-group 140

match protocol user-protocol--15

class-map type inspect match-all sdm-nat-user-protocol--12-6

match access-group 2068

match protocol user-protocol--12

class-map type inspect match-all sdm-nat-user-protocol--16-2

match access-group 115

match protocol user-protocol--16

class-map type inspect match-all sdm-nat-user-protocol--15-6

match access-group 2072

match protocol user-protocol--15

class-map type inspect match-all sdm-nat-user-protocol--22-2

match access-group 112

match protocol user-protocol--22

class-map type inspect match-all sdm-nat-user-protocol--21-1

match access-group 111

class-map type inspect match-all sdm-nat-user-protocol--13-1

match access-group 138

match protocol user-protocol--13

class-map type inspect match-all sdm-nat-user-protocol--14-6

match access-group 2071

match protocol user-protocol--14

class-map type inspect match-all sdm-nat-user-protocol--23-2

match access-group 122

match protocol user-protocol--23

class-map type inspect match-all sdm-nat-user-protocol--22-3

match access-group 121

match protocol user-protocol--22

class-map type inspect match-all sdm-nat-user-protocol--2-13

match access-group 2074

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--20-2

match access-group 2157

class-map type inspect match-all sdm-nat-user-protocol--23-1

match access-group 113

match protocol user-protocol--23

class-map type inspect match-all sdm-nat-user-protocol--13-2

match access-group 106

match protocol user-protocol--13

class-map type inspect match-all sdm-nat-user-protocol--11-1

match access-group 118

class-map type inspect match-all sdm-nat-user-protocol--16-6

match access-group 2073

match protocol user-protocol--16

class-map type inspect match-all sdm-nat-user-protocol--22-1

match access-group 2159

match protocol user-protocol--22

class-map type inspect match-all sdm-nat-user-protocol--21-2

match access-group 2158

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-nat-user-protocol--19-5

match access-group 2156

match protocol user-protocol--19

class-map type inspect match-all sdm-nat-user-protocol--19-2

match access-group 2076

match protocol user-protocol--19

class-map type inspect match-all sdm-nat-user-protocol--19-3

match access-group 119

match protocol user-protocol--19

class-map type inspect match-all sdm-nat-user-protocol--19-1

match access-group 110

match protocol user-protocol--19

class-map type inspect match-all sdm-nat-l2tp-7

match access-group 2058

match protocol l2tp

class-map type inspect match-all sdm-nat-l2tp-8

match access-group 2084

match protocol l2tp

class-map type inspect match-any SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-all sdm-nat-ipsec-msft-6

match access-group 2066

match protocol ipsec-msft

class-map type inspect match-all sdm-invalid-src

match access-group 100

class-map type inspect match-all sdm-icmp-access

match class-map sdm-cls-icmp-access

class-map type inspect match-any gre

description gre

match access-group 189

match protocol pptp

match protocol l2tp

match protocol gtpv0

match protocol gtpv1

match protocol gdoi

match protocol isakmp

match protocol ipsec-msft

match protocol ssp

class-map type inspect match-all sdm-nat-https-7

match access-group 2063

match protocol https

class-map type inspect match-all sdm-nat-dnsix-6

match access-group 2069

match protocol dnsix

class-map type inspect match-all sdm-protocol-http

match protocol http

class-map type inspect match-all sdm-nat-dnsix-1

match access-group 137

match protocol dnsix

class-map type inspect match-all sdm-nat-https-2

match access-group 103

match protocol https

class-map type inspect match-all sdm-nat-https-1

match access-group 101

match protocol https

class-map type inspect match-all sdm-nat-dnsix-2

match access-group 105

match protocol dnsix

class-map type inspect match-all sdm-nat-ftp-2

match access-group 117

match protocol ftp

class-map type inspect match-all sdm-nat-ftp-3

match access-group 2075

match protocol ftp

class-map type inspect match-all sdm-nat-ftp-1

match access-group 109

match protocol ftp

!

!

policy-map type inspect sdm-permit-icmpreply

class type inspect sdm-icmp-access

  inspect

class class-default

  pass

policy-map SDM-QoS-Policy-1

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-user-protocol--11-1

  inspect

class type inspect sdm-nat-dnsix-1

  inspect

class type inspect sdm-nat-user-protocol--13-1

  inspect

class type inspect sdm-nat-user-protocol--14-1

  inspect

class type inspect sdm-nat-user-protocol--15-1

  inspect

class type inspect sdm-nat-user-protocol--16-1

  inspect

class type inspect sdm-nat-user-protocol--2-3

  inspect

class type inspect sdm-nat-https-1

  inspect

class type inspect sdm-nat-http-1

  inspect

class type inspect sdm-nat-ftp-1

  inspect

class type inspect sdm-nat-user-protocol--19-1

  inspect

class type inspect sdm-nat-user-protocol--21-1

  inspect

class type inspect sdm-nat-user-protocol--22-2

  inspect

class type inspect sdm-nat-user-protocol--23-1

  inspect

class type inspect sdm-nat-user-protocol--24-1

  inspect

class type inspect sdm-nat-https-2

  inspect

class type inspect sdm-nat-http-2

  inspect

class type inspect sdm-nat-dnsix-2

  inspect

class type inspect sdm-nat-user-protocol--13-2

  inspect

class type inspect sdm-nat-user-protocol--14-2

  inspect

class type inspect sdm-nat-user-protocol--15-2

  inspect

class type inspect sdm-nat-user-protocol--16-2

  inspect

class type inspect sdm-nat-user-protocol--2-1

  inspect

class type inspect sdm-nat-ftp-2

  inspect

class type inspect sdm-nat-user-protocol--19-3

  inspect

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat-user-protocol--22-3

  inspect

class type inspect sdm-nat-user-protocol--23-2

  inspect

class type inspect sdm-nat-user-protocol--24-2

  inspect

class type inspect sdm-nat-user-protocol--3-1

  inspect

class type inspect sdm-nat-pptp-1

  inspect

class class-default

policy-map type inspect sdm-inspect

class type inspect sdm-invalid-src

  drop log

class type inspect sdm-insp-traffic

  inspect

class type inspect sdm-protocol-http

  inspect

class class-default

policy-map type inspect sdm-permit

class class-default

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class type inspect SDM-Voice-permit

  inspect

class class-default

  pass

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

!

!

!

interface Tunnel0

ip address 10.0.0.1 255.255.255.0

ip mtu 1476

zone-member security in-zone

keepalive 10 3

tunnel source 192.168.100.1

tunnel destination 192.168.100.208

tunnel path-mtu-discovery

!

interface BRI0

no ip address

encapsulation hdlc

ip route-cache flow

shutdown

!

interface ATM0

no ip address

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$

pvc 1/32

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Virtual-Template1 type tunnel

ip unnumbered Vlan1

ip nat inside

ip virtual-reassembly

no ip route-cache

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile EZVPN_PROFILE

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.100.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip route-cache flow

!

interface Dialer1

description $FW_OUTSIDE$

mtu 1492

ip address negotiated

ip nat outside

ip virtual-reassembly

zone-member security out-zone

encapsulation ppp

ip route-cache flow

dialer pool 1

ppp chap hostname xxxxxx

ppp chap password xxxxxx

ppp pap sent-username xxxxxx password 7 xxxxxx

!

interface Dialer21

no ip address

!

ip local pool EZVPN_POOL 10.0.0.10 10.0.0.20

ip local pool PPTP_POOL 10.1.1.5 10.1.1.10

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

!

!

ip http server

no ip http secure-server

ip nat inside source list 1 interface Dialer1 overload

ip nat inside source static tcp 192.168.100.202 443 interface Dialer1 443

ip nat inside source static tcp 192.168.100.208 80 interface Dialer1 80

ip nat inside source static tcp 192.168.100.1 90 interface Dialer1 98

ip nat inside source static tcp 192.168.100.1 5678 interface Dialer1 5678

ip nat inside source static tcp 192.168.100.1 120 interface Dialer1 130

ip nat inside source static tcp 192.168.100.1 1700 interface Dialer1 1702

ip nat inside source static udp 192.168.100.1 499 interface Dialer1 501

ip nat inside source static tcp 192.168.100.1 50 interface Dialer1 51

ip nat inside source static tcp 192.168.100.202 21 interface Dialer1 21

ip nat inside source static tcp 192.168.100.202 8085 interface Dialer1 8085

ip nat inside source static udp 192.168.100.19 5500 interface Dialer1 5500

ip nat inside source static tcp 192.168.100.208 8080 interface Dialer1 8080

ip nat inside source static udp 192.168.100.208 8080 interface Dialer1 8080

ip nat inside source static tcp 192.168.100.208 3389 interface Dialer1 3389

ip nat inside source static tcp 192.168.100.1 1792 interface Dialer1 1792

ip nat inside source static tcp 192.168.100.208 1723 interface Dialer1 1723

!

ip access-list extended SDM_AH

remark SDM_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark SDM_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark SDM_ACL Category=0

permit gre any any

ip access-list extended SDM_IP

remark SDM_ACL Category=1

permit ip any any

ip access-list extended gre

remark gre

remark SDM_ACL Category=64

permit gre any any

!

logging trap debugging

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 192.168.100.0 0.0.0.255

access-list 100 remark SDM_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark SDM_ACL Category=0

access-list 101 permit ip any host 192.168.100.202

access-list 102 remark SDM_ACL Category=0

access-list 102 permit ip any host 192.168.100.202

access-list 103 remark SDM_ACL Category=0

access-list 103 permit ip any host 192.168.100.202

access-list 104 remark SDM_ACL Category=0

access-list 104 permit ip any host 192.168.100.208

access-list 105 remark SDM_ACL Category=0

access-list 105 permit ip any host 192.168.100.1

access-list 106 remark SDM_ACL Category=0

access-list 106 permit ip any host 192.168.100.1

access-list 107 remark SDM_ACL Category=0

access-list 107 permit ip any host 192.168.100.1

access-list 108 remark SDM_ACL Category=0

access-list 108 permit ip any host 192.168.100.1

access-list 109 remark SDM_ACL Category=0

access-list 109 permit ip any host 192.168.100.202

access-list 110 permit tcp any host 192.168.100.208 eq 1723

access-list 110 permit gre any host 192.168.100.208

access-list 111 remark SDM_ACL Category=0

access-list 111 permit ip any host 192.168.100.19

access-list 112 remark SDM_ACL Category=0

access-list 112 permit ip any host 192.168.100.208

access-list 113 remark SDM_ACL Category=0

access-list 113 permit ip any host 192.168.100.208

access-list 114 remark SDM_ACL Category=0

access-list 114 permit ip any host 192.168.100.208

access-list 115 remark SDM_ACL Category=0

access-list 115 permit ip any host 192.168.100.1

access-list 116 remark SDM_ACL Category=0

access-list 116 permit ip any host 192.168.100.1

access-list 117 remark SDM_ACL Category=0

access-list 117 permit ip any host 192.168.100.202

access-list 118 remark SDM_ACL Category=0

access-list 118 permit ip any host 192.168.100.1

access-list 119 remark SDM_ACL Category=0

access-list 119 permit ip any host 192.168.100.202

access-list 120 remark SDM_ACL Category=0

access-list 120 permit ip any host 192.168.100.19

access-list 121 remark SDM_ACL Category=0

access-list 121 permit ip any host 192.168.100.208

access-list 122 remark SDM_ACL Category=0

access-list 122 permit ip any host 192.168.100.208

access-list 123 remark SDM_ACL Category=0

access-list 123 permit ip any host 192.168.100.208

access-list 124 remark SDM_ACL Category=0

access-list 124 permit ip any host 192.168.100.1

access-list 125 remark SDM_ACL Category=0

access-list 125 permit ip any host 192.168.100.208

access-list 137 remark SDM_ACL Category=0

access-list 137 permit ip any host 192.168.100.1

access-list 138 remark SDM_ACL Category=0

access-list 138 permit ip any host 192.168.100.1

access-list 139 remark SDM_ACL Category=0

access-list 139 permit ip any host 192.168.100.1

access-list 140 remark SDM_ACL Category=0

access-list 140 permit ip any host 192.168.100.1

access-list 141 remark SDM_ACL Category=0

access-list 141 permit ip any host 192.168.100.1

access-list 142 remark SDM_ACL Category=0

access-list 142 permit ip any host 192.168.100.1

access-list 189 remark permit PPTP passthrough

access-list 189 remark SDM_ACL Category=2

access-list 189 permit tcp any any eq 1723

access-list 189 permit gre any any

access-list 2055 remark SDM_ACL Category=0

access-list 2055 permit ip any host 192.168.100.202

access-list 2056 remark SDM_ACL Category=0

access-list 2056 permit ip any host 192.168.100.202

access-list 2057 remark SDM_ACL Category=0

access-list 2057 permit ip any host 192.168.100.202

access-list 2058 remark SDM_ACL Category=0

access-list 2058 permit ip any host 192.168.100.202

access-list 2059 remark SDM_ACL Category=0

access-list 2059 permit ip any host 192.168.100.202

access-list 2060 remark SDM_ACL Category=0

access-list 2060 permit ip any host 192.168.100.202

access-list 2061 remark SDM_ACL Category=0

access-list 2061 permit ip any host 192.168.100.202

access-list 2062 remark SDM_ACL Category=0

access-list 2062 permit ip any host 192.168.100.202

access-list 2063 remark SDM_ACL Category=0

access-list 2063 permit ip any host 192.168.100.202

access-list 2156 remark SDM_ACL Category=0

access-list 2156 permit ip any host 192.168.100.202

access-list 2157 remark SDM_ACL Category=0

access-list 2157 permit ip any host 192.168.100.19

access-list 2158 remark SDM_ACL Category=0

access-list 2158 permit ip any host 192.168.100.19

access-list 2159 remark SDM_ACL Category=0

access-list 2159 permit ip any host 192.168.100.208

!

!

!

!

control-plane

!

!

line con 0

password 7 xxxxxxx

no modem enable

line aux 0

line vty 0 4

password 7 xxxxxxx

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

Thanks in advance.

Zharko

4 Replies

praprama
Cisco Employee

Hi,

From a VPN configuration standpoint, everything looks fine. There are a couple of things I would like to bring to your notice otherwise:

1) The virtual template interface has the below configuration:

interface Virtual-Template1 type tunnel

ip unnumbered Vlan1

ip nat inside

ip virtual-reassembly

no ip route-cache

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

tunnel protection ipsec profile EZVPN_PROFILE

We should not have the "ip nat inside" on the above interface as that will cause communication issues when we connect to the VPN. Please remove that.

2) I see you have a zone-pair from outside to self zones as below:

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

policy-map type inspect sdm-permit

class class-default

As we see, there is nothing being allowed in the above policy-map and hence all requests from VPN clients will be dropped. Please try adding the below config and let's see how it goes.

ip access-list extended SDM_UDP_VPN

permit udp any any eq 4500

class-map type inspect match-any SDM_UDP_VPN

match access-group SDM_UDP_VPN

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match class-map SDM_UDP_VPN

policy-map type inspect sdm-permit

class SDM_EASY_VPN_SERVER_PT

inspect

This should allow the VPN connections to the router.

3) The virtual-template interface also needs to be part of a zone for traffic to be able to pass through it. I noticed you have an ezvpn-zone created but no interfaces assigned to it. I assume the purpose of creating it was to add the virtual-template interface to that zone. Please add the below commands as well to do that:

interface Virtual-Template1 type tunnel

zone-member security ezvpn-zone

Please implement the above and let me know how things go!

Thanks and Regards,

Prapanch
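The three problems this reply points out can be checked mechanically against a running-config. The following Python script is an added example, not code from the thread or from Cisco: it parses an IOS-style config excerpt (constructed here, modelled on the configuration posted above) and flags `ip nat inside` on a Virtual-Template interface, a zone-pair whose policy-map contains no class with `pass` or `inspect` (so everything on that pair is dropped), and a security zone that no interface is a member of. The `FIXED_CONFIG` variant applies the three corrections; using `pass` rather than `inspect` for the Easy VPN class in the self-zone policy is this example's assumption, since the `inspect` attempt shown later in the thread was rejected by IOS.

```python
# Lint a Cisco IOS running-config for the zone-based firewall problems the
# reply above points out. Added example, not code from the thread or from Cisco.

# Constructed excerpt modelled on the posted configuration, indented the way
# IOS prints child lines (one space per nesting level).
SAMPLE_CONFIG = """\
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-all sdm-icmp-access
 match protocol icmp
policy-map type inspect sdm-permit
 class class-default
policy-map type inspect sdm-permit-icmpreply
 class type inspect sdm-icmp-access
  inspect
 class class-default
  pass
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security sdm-zp-out-self source out-zone destination self
 service-policy type inspect sdm-permit
zone-pair security sdm-zp-self-out source self destination out-zone
 service-policy type inspect sdm-permit-icmpreply
interface Virtual-Template1 type tunnel
 ip nat inside
 tunnel protection ipsec profile EZVPN_PROFILE
interface Vlan1
 zone-member security in-zone
interface Dialer1
 zone-member security out-zone
end
"""

# Same excerpt with the three corrections applied (constructed). 'pass' for the
# Easy VPN class in the self-zone policy is this example's assumption; the
# 'inspect' attempt shown in the thread was rejected by IOS.
FIXED_CONFIG = (
    SAMPLE_CONFIG.replace(" ip nat inside\n", "")
    .replace(" tunnel protection ipsec profile EZVPN_PROFILE\n",
             " tunnel protection ipsec profile EZVPN_PROFILE\n"
             " zone-member security ezvpn-zone\n")
    .replace("policy-map type inspect sdm-permit\n class class-default\n",
             "policy-map type inspect sdm-permit\n"
             " class type inspect SDM_EASY_VPN_SERVER_PT\n  pass\n"
             " class class-default\n  drop\n")
)


def parse_blocks(text):
    """(header, child_lines) per block: an unindented line opens a block,
    indented lines belong to the block above it (indentation is kept)."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!") or raw.strip() == "end":
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw)
    return blocks


def policy_actions(children):
    """Map each class of a policy-map to its action: inspect, pass, drop or None."""
    actions, current = {}, None
    for line in children:
        depth, words = len(line) - len(line.lstrip(" ")), line.split()
        if depth == 1 and words[0] == "class":
            current = words[-1]  # 'class type inspect NAME' or 'class class-default'
            actions[current] = None
        elif depth >= 2 and current and words[0] in ("inspect", "pass", "drop"):
            actions[current] = words[0]
    return actions


def lint(text):
    """Return human-readable findings for the three mistakes from the thread."""
    policy_maps, zones, members, pairs, findings = {}, set(), set(), [], []
    for header, children in parse_blocks(text):
        words = header.split()
        if words[0] == "policy-map":
            policy_maps[words[-1]] = policy_actions(children)
        elif words[:2] == ["zone", "security"]:
            zones.add(words[2])
        elif words[:2] == ["zone-pair", "security"]:
            src, dst = words[words.index("source") + 1], words[words.index("destination") + 1]
            policy = next((c.split()[-1] for c in children if "service-policy" in c), None)
            pairs.append((words[2], src, dst, policy))
        elif words[0] == "interface":
            lines = [c.strip() for c in children]
            members |= {c.split()[-1] for c in lines if c.startswith("zone-member security ")}
            if words[1].startswith("Virtual-Template") and "ip nat inside" in lines:
                findings.append(f"{words[1]}: 'ip nat inside' on the Easy VPN virtual template breaks client traffic")
    for name, src, dst, policy in pairs:
        if not any(a in ("inspect", "pass") for a in policy_maps.get(policy, {}).values()):
            findings.append(f"zone-pair {name} ({src} -> {dst}): policy-map {policy} allows nothing, all traffic dropped")
    for zone in sorted(zones - members):
        findings.append(f"zone {zone}: no member interface, traffic can neither enter nor leave it")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg))
```

Run against the posted excerpt the script reports the three findings from the reply; against `FIXED_CONFIG` it reports none. Feed it the output of `show running-config` (which IOS prints with the same one-space indentation) to check a real box.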

Hi Prapanch

I tried adding the lines that you suggested but I came across these errors:

CEI(config-cmap)#match access-group SDM_UDP_VPN
% Invalid input detected at '^' marker.

CEI(config-pmap)#class SDM_EASY_VPN_SERVER_PT
CEI(config-pmap-c)#inspect
%Protocol isakmp configured in class-map SDM_EASY_VPN_SERVER_TRAFFIC cannot be configured for the self zone. Please remove the protocol and retry

I tested afterwards, and still couldn't connect getting this message:

The remote connection was not made because the attempted VPN tunnels failed. The VPN server might be unreachable. If this connection is attempting to use an L2TP/IPsec tunnel, the security parameters required for IPsec negotiation might not be configured properly.

Thanks
Zharko

Hi Zharko,

Could you post the current config? I want to see which changes have been accepted or rejected. Also, when trying to connect using the Cisco VPN client, please forward the outputs of "debug cry isa" and "debug crypto ipsec" from the router.

Also, please enable "ip inspect log drop-pkt" before connecting and then you should be able to see which packets are being dropped by the zone based firewall in the syslogs.

Thanks and Regards,

Prapanch

Hi Prapanch,

Here is my current config; I have made some of the changes you suggested:

Building configuration...

Current configuration : 23347 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname CEI

!

boot-start-marker

boot-end-marker

!

logging buffered 51200

logging console critical

enable secret 5 xxxxxxxx

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authentication login sdm_vpn_xauth_ml_2 local

aaa authentication ppp default local

aaa authorization exec default local

aaa authorization network default if-authenticated

aaa authorization network sdm_vpn_group_ml_1 local

aaa authorization network hw-client-groupname local

aaa authorization network sdm_vpn_group_ml_2 local

!

!

aaa session-id common

!

crypto pki trustpoint tti

revocation-check crl

rsakeypair tti

!

!

dot11 syslog

no ip cef

!

!

no ip dhcp use vrf connected

!

ip dhcp pool CEI

   network 192.168.100.0 255.255.255.0

   default-router 192.168.100.1

   dns-server 192.168.100.200 192.168.100.202 62.162.32.6 62.162.32.7

   lease infinite

!

!

ip name-server 192.168.100.200

ip name-server 192.168.100.202

ip name-server 62.162.32.6

ip name-server 62.162.32.7

ip port-map user-protocol--2 port tcp 50

ip port-map user-protocol--3 port tcp 1792

ip port-map user-protocol--1 port udp 5500

ip port-map user-protocol--6 port udp 51

ip port-map user-protocol--7 port tcp 5900

ip port-map user-protocol--5 port udp 50

ip port-map user-protocol--19 port tcp 8085

ip port-map user-protocol--18 port tcp 251

ip port-map user-protocol--13 port tcp 5678

ip port-map user-protocol--12 port tcp 99

ip port-map user-protocol--22 port tcp 8080

ip port-map user-protocol--10 port tcp 1701

ip port-map user-protocol--23 port udp 8080

ip port-map user-protocol--17 port tcp 212

ip port-map user-protocol--24 port tcp 3389

ip port-map user-protocol--16 port udp 499

ip port-map user-protocol--15 port tcp 1700

ip port-map user-protocol--14 port tcp 120

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

!

multilink bundle-name authenticated

vpdn enable

!

vpdn-group 1

! Default PPTP VPDN group

accept-dialin

  protocol pptp

  virtual-template 1

l2tp tunnel receive-window 256

!

vpdn-group PPTP

accept-dialin

  protocol pptp

  virtual-template 1

!

!

!

username zharko privilege 15 view root secret 5 xxxxxxxxxx

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group VPN_POOL

key 123456

dns 192.168.100.200 192.168.100.202

domain ceimk

pool SDM_POOL_1

max-users 5

netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

   match identity group VPN_POOL

   client authentication list sdm_vpn_xauth_ml_2

   isakmp authorization list sdm_vpn_group_ml_2

   client configuration address respond

   virtual-template 2

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile EZVPN

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!

!

archive

log config

  hidekeys

!

!

!

class-map type inspect match-all sdm-nat-user-protocol--5-7

match access-group 2056

match protocol user-protocol--5

class-map type inspect match-all sdm-nat-user-protocol--3-1

match access-group 124

match protocol user-protocol--3

class-map type inspect match-all sdm-nat-user-protocol--4-7

match access-group 2055

class-map type inspect match-all sdm-nat-http-1

match access-group 102

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--2-1

match access-group 116

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--7-7

match access-group 2060

match protocol user-protocol--7

class-map type inspect match-all sdm-nat-user-protocol--1-1

match access-group 120

match protocol user-protocol--1

class-map type inspect match-all sdm-nat-http-2

match access-group 104

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--2-3

match access-group 142

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--6-7

match access-group 2059

match protocol user-protocol--6

class-map type inspect match-all sdm-nat-user-protocol--9-7

match access-group 2062

class-map type inspect match-all sdm-nat-user-protocol--8-7

match access-group 2061

class-map type inspect match-all sdm-nat-user-protocol--4-8

match access-group 2081

class-map type inspect match-all sdm-nat-user-protocol--5-8

match access-group 2082

match protocol user-protocol--5

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-all sdm-nat-http-9

match access-group 2067

match protocol http

class-map type inspect match-all sdm-nat-user-protocol--3-8

match access-group 2080

class-map type inspect match-all sdm-nat-user-protocol--1-8

match access-group 2078

class-map type inspect match-all sdm-nat-pptp-8

match access-group 2077

match protocol pptp

class-map type inspect match-any sdm-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-insp-traffic

match class-map sdm-cls-insp-traffic

class-map type inspect match-all sdm-nat-isakmp-7

match access-group 2057

match protocol isakmp

class-map type inspect match-all sdm-nat-isakmp-8

match access-group 2083

match protocol isakmp

class-map type inspect match-all sdm-nat-pptp-1

match access-group 125

match protocol pptp

class-map type inspect match-any SDM-Voice-permit

match protocol h323

match protocol skinny

match protocol sip

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_UDP_VPN

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

match class-map SDM_UDP_VPN

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-all sdm-nat-user-protocol--16-1

match access-group 141

match protocol user-protocol--16

class-map type inspect match-all sdm-nat-user-protocol--10-7

match access-group 2064

match protocol user-protocol--10

class-map type inspect match-all sdm-nat-user-protocol--15-2

match access-group 108

match protocol user-protocol--15

class-map type inspect match-all sdm-nat-user-protocol--11-7

match access-group 2065

class-map type inspect match-all sdm-nat-user-protocol--2-14

match access-group 2079

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--24-1

match access-group 114

match protocol user-protocol--24

class-map type inspect match-all sdm-nat-user-protocol--14-2

match access-group 107

match protocol user-protocol--14

class-map type inspect match-all sdm-nat-user-protocol--14-1

match access-group 139

match protocol user-protocol--14

class-map type inspect match-all sdm-nat-user-protocol--13-6

match access-group 2070

match protocol user-protocol--13

class-map type inspect match-all sdm-nat-user-protocol--24-2

match access-group 123

match protocol user-protocol--24

class-map type inspect match-all sdm-nat-user-protocol--15-1

match access-group 140

match protocol user-protocol--15

class-map type inspect match-all sdm-nat-user-protocol--12-6

match access-group 2068

match protocol user-protocol--12

class-map type inspect match-all sdm-nat-user-protocol--16-2

match access-group 115

match protocol user-protocol--16

class-map type inspect match-all sdm-nat-user-protocol--15-6

match access-group 2072

match protocol user-protocol--15

class-map type inspect match-all sdm-nat-user-protocol--22-2

match access-group 112

match protocol user-protocol--22

class-map type inspect match-all sdm-nat-user-protocol--21-1

match access-group 111

class-map type inspect match-all sdm-nat-user-protocol--13-1

match access-group 138

match protocol user-protocol--13

class-map type inspect match-all sdm-nat-user-protocol--14-6

match access-group 2071

match protocol user-protocol--14

class-map type inspect match-all sdm-nat-user-protocol--23-2

match access-group 122

match protocol user-protocol--23

class-map type inspect match-all sdm-nat-user-protocol--22-3

match access-group 121

match protocol user-protocol--22

class-map type inspect match-all sdm-nat-user-protocol--2-13

match access-group 2074

match protocol user-protocol--2

class-map type inspect match-all sdm-nat-user-protocol--20-2

match access-group 2157

class-map type inspect match-all sdm-nat-user-protocol--23-1

match access-group 113

match protocol user-protocol--23

class-map type inspect match-all sdm-nat-user-protocol--13-2

match access-group 106

match protocol user-protocol--13

class-map type inspect match-all sdm-nat-user-protocol--11-1

match access-group 118

class-map type inspect match-all sdm-nat-user-protocol--16-6

match access-group 2073

match protocol user-protocol--16

class-map type inspect match-all sdm-nat-user-protocol--22-1

match access-group 2159

match protocol user-protocol--22

class-map type inspect match-all sdm-nat-user-protocol--21-2

match access-group 2158

class-map type inspect match-any sdm-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all sdm-nat-user-protocol--19-5

match access-group 2156

match protocol user-protocol--19

class-map type inspect match-all sdm-nat-user-protocol--19-2

match access-group 2076

match protocol user-protocol--19

class-map type inspect match-all sdm-nat-user-protocol--19-3

match access-group 119

match protocol user-protocol--19

class-map type inspect match-all sdm-nat-user-protocol--19-1

match access-group 110

match protocol user-protocol--19

class-map type inspect match-all sdm-nat-l2tp-7

match access-group 2058

match protocol l2tp

class-map type inspect match-all sdm-nat-l2tp-8

match access-group 2084

match protocol l2tp

class-map type inspect match-any SDM_GRE

match access-group name SDM_GRE

class-map type inspect match-all sdm-nat-ipsec-msft-6

match access-group 2066

match protocol ipsec-msft

class-map type inspect match-all sdm-invalid-src

match access-group 100

class-map type inspect match-all sdm-icmp-access

match class-map sdm-cls-icmp-access

class-map type inspect match-any gre

description gre

match access-group 189

match protocol pptp

match protocol l2tp

match protocol gtpv0

match protocol gtpv1

match protocol gdoi

match protocol isakmp

match protocol ipsec-msft

match protocol ssp

class-map type inspect match-all sdm-nat-https-7

match access-group 2063

match protocol https

class-map type inspect match-all sdm-nat-dnsix-6

match access-group 2069

match protocol dnsix

class-map type inspect match-all sdm-protocol-http

match protocol http

class-map type inspect match-all sdm-nat-dnsix-1

match access-group 137

match protocol dnsix

class-map type inspect match-all sdm-nat-https-2

match access-group 103

match protocol https

class-map type inspect match-all sdm-nat-https-1

match access-group 101

match protocol https

class-map type inspect match-all sdm-nat-dnsix-2

match access-group 105

match protocol dnsix

class-map type inspect match-all sdm-nat-ftp-2

match access-group 117

match protocol ftp

class-map type inspect match-all sdm-nat-ftp-3

match access-group 2075

match protocol ftp

class-map type inspect match-all sdm-nat-ftp-1

match access-group 109

match protocol ftp

!

!

policy-map type inspect sdm-permit-icmpreply

class type inspect sdm-icmp-access

  inspect

class class-default

  pass

policy-map SDM-QoS-Policy-1

policy-map type inspect sdm-pol-NATOutsideToInside-1

class type inspect sdm-nat-user-protocol--11-1

  inspect

class type inspect sdm-nat-dnsix-1

  inspect

class type inspect sdm-nat-user-protocol--13-1

  inspect

class type inspect sdm-nat-user-protocol--14-1

  inspect

class type inspect sdm-nat-user-protocol--15-1

  inspect

class type inspect sdm-nat-user-protocol--16-1

  inspect

class type inspect sdm-nat-user-protocol--2-3

  inspect

class type inspect sdm-nat-https-1

  inspect

class type inspect sdm-nat-http-1

  inspect

class type inspect sdm-nat-ftp-1

  inspect

class type inspect sdm-nat-user-protocol--19-1

  inspect

class type inspect sdm-nat-user-protocol--21-1

  inspect

class type inspect sdm-nat-user-protocol--22-2

  inspect

class type inspect sdm-nat-user-protocol--23-1

  inspect

class type inspect sdm-nat-user-protocol--24-1

  inspect

class type inspect sdm-nat-https-2

  inspect

class type inspect sdm-nat-http-2

  inspect

class type inspect sdm-nat-dnsix-2

  inspect

class type inspect sdm-nat-user-protocol--13-2

  inspect

class type inspect sdm-nat-user-protocol--14-2

  inspect

class type inspect sdm-nat-user-protocol--15-2

  inspect

class type inspect sdm-nat-user-protocol--16-2

  inspect

class type inspect sdm-nat-user-protocol--2-1

  inspect

class type inspect sdm-nat-ftp-2

  inspect

class type inspect sdm-nat-user-protocol--19-3

  inspect

class type inspect sdm-nat-user-protocol--1-1

  inspect

class type inspect sdm-nat-user-protocol--22-3

  inspect

class type inspect sdm-nat-user-protocol--23-2

  inspect

class type inspect sdm-nat-user-protocol--24-2

  inspect

class type inspect sdm-nat-user-protocol--3-1

  inspect

class type inspect sdm-nat-pptp-1

  inspect

class class-default

policy-map type inspect sdm-inspect

class type inspect sdm-invalid-src

  drop log

class type inspect sdm-insp-traffic

  inspect

class type inspect sdm-protocol-http

  inspect

class class-default

policy-map type inspect sdm-permit

class type inspect SDM_EASY_VPN_SERVER_PT

class class-default

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class type inspect SDM-Voice-permit

  inspect

class class-default

  pass

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security sdm-zp-self-out source self destination out-zone

service-policy type inspect sdm-permit-icmpreply

zone-pair security sdm-zp-out-self source out-zone destination self

service-policy type inspect sdm-permit

zone-pair security sdm-zp-in-out source in-zone destination out-zone

service-policy type inspect sdm-inspect

zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-NATOutsideToInside-1

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

!

!

!

interface BRI0

no ip address

encapsulation hdlc

ip route-cache flow

shutdown

!

interface ATM0

no ip address

ip route-cache flow

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$

pvc 1/32

  pppoe-client dial-pool-number 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Virtual-Template1 type tunnel

no ip address

zone-member security ezvpn-zone

no ip route-cache

tunnel mode ipsec ipv4

tunnel path-mtu-discovery

!

interface Virtual-Template2 type tunnel

ip unnumbered Vlan1

zone-member security ezvpn-zone

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.100.1 255.255.255.0

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip route-cache flow

!

interface Dialer1

description $FW_OUTSIDE$

mtu 1492

ip address negotiated

ip nat outside

ip virtual-reassembly

zone-member security out-zone

encapsulation ppp

ip route-cache flow

dialer pool 1

ppp chap hostname xxxxxxxx

ppp chap password 7 075E731F1A5C4F

ppp pap sent-username xxxxxxxx password 7 xxxxxxxxx

!

interface Dialer21

no ip address

!

ip local pool SDM_POOL_1 10.0.0.5 10.0.0.10

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer1

!

!

ip http server

no ip http secure-server

ip nat inside source list 1 interface Dialer1 overload

ip nat inside source static tcp 192.168.100.202 443 interface Dialer1 443

ip nat inside source static tcp 192.168.100.208 80 interface Dialer1 80

ip nat inside source static tcp 192.168.100.1 90 interface Dialer1 98

ip nat inside source static tcp 192.168.100.1 5678 interface Dialer1 5678

ip nat inside source static tcp 192.168.100.1 120 interface Dialer1 130

ip nat inside source static tcp 192.168.100.1 1700 interface Dialer1 1702

ip nat inside source static udp 192.168.100.1 499 interface Dialer1 501

ip nat inside source static tcp 192.168.100.1 50 interface Dialer1 51

ip nat inside source static tcp 192.168.100.202 21 interface Dialer1 21

ip nat inside source static tcp 192.168.100.202 8085 interface Dialer1 8085

ip nat inside source static udp 192.168.100.19 5500 interface Dialer1 5500

ip nat inside source static tcp 192.168.100.208 8080 interface Dialer1 8080

ip nat inside source static udp 192.168.100.208 8080 interface Dialer1 8080

ip nat inside source static tcp 192.168.100.208 3389 interface Dialer1 3389

ip nat inside source static tcp 192.168.100.1 1792 interface Dialer1 1792

ip nat inside source static tcp 192.168.100.208 1723 interface Dialer1 1723

!

ip access-list extended SDM_AH

remark SDM_ACL Category=1

permit ahp any any

ip access-list extended SDM_ESP

remark SDM_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark SDM_ACL Category=0

permit gre any any

ip access-list extended SDM_IP

remark SDM_ACL Category=1

permit ip any any

ip access-list extended SDM_UDP_VPN

permit udp any any eq non500-isakmp

ip access-list extended gre

remark gre

remark SDM_ACL Category=64

permit gre any any

!

logging trap debugging

access-list 1 remark SDM_ACL Category=16

access-list 1 permit 192.168.100.0 0.0.0.255

access-list 100 remark SDM_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark SDM_ACL Category=0

access-list 101 permit ip any host 192.168.100.202

access-list 102 remark SDM_ACL Category=0

access-list 102 permit ip any host 192.168.100.202

access-list 103 remark SDM_ACL Category=0

access-list 103 permit ip any host 192.168.100.202

access-list 104 remark SDM_ACL Category=0

access-list 104 permit ip any host 192.168.100.208

access-list 105 remark SDM_ACL Category=0

access-list 105 permit ip any host 192.168.100.1

access-list 106 remark SDM_ACL Category=0

access-list 106 permit ip any host 192.168.100.1

access-list 107 remark SDM_ACL Category=0

access-list 107 permit ip any host 192.168.100.1

access-list 108 remark SDM_ACL Category=0

access-list 108 permit ip any host 192.168.100.1

access-list 109 remark SDM_ACL Category=0

access-list 109 permit ip any host 192.168.100.202

access-list 110 permit tcp any host 192.168.100.208 eq 1723

access-list 110 permit gre any host 192.168.100.208

access-list 111 remark SDM_ACL Category=0

access-list 111 permit ip any host 192.168.100.19

access-list 112 remark SDM_ACL Category=0

access-list 112 permit ip any host 192.168.100.208

access-list 113 remark SDM_ACL Category=0

access-list 113 permit ip any host 192.168.100.208

access-list 114 remark SDM_ACL Category=0

access-list 114 permit ip any host 192.168.100.208

access-list 115 remark SDM_ACL Category=0

access-list 115 permit ip any host 192.168.100.1

access-list 116 remark SDM_ACL Category=0

access-list 116 permit ip any host 192.168.100.1

access-list 117 remark SDM_ACL Category=0

access-list 117 permit ip any host 192.168.100.202

access-list 118 remark SDM_ACL Category=0

access-list 118 permit ip any host 192.168.100.1

access-list 119 remark SDM_ACL Category=0

access-list 119 permit ip any host 192.168.100.202

access-list 120 remark SDM_ACL Category=0

access-list 120 permit ip any host 192.168.100.19

access-list 121 remark SDM_ACL Category=0

access-list 121 permit ip any host 192.168.100.208

access-list 122 remark SDM_ACL Category=0

access-list 122 permit ip any host 192.168.100.208

access-list 123 remark SDM_ACL Category=0

access-list 123 permit ip any host 192.168.100.208

access-list 124 remark SDM_ACL Category=0

access-list 124 permit ip any host 192.168.100.1

access-list 125 remark SDM_ACL Category=0

access-list 125 permit ip any host 192.168.100.208

access-list 137 remark SDM_ACL Category=0

access-list 137 permit ip any host 192.168.100.1

access-list 138 remark SDM_ACL Category=0

access-list 138 permit ip any host 192.168.100.1

access-list 139 remark SDM_ACL Category=0

access-list 139 permit ip any host 192.168.100.1

access-list 140 remark SDM_ACL Category=0

access-list 140 permit ip any host 192.168.100.1

access-list 141 remark SDM_ACL Category=0

access-list 141 permit ip any host 192.168.100.1

access-list 142 remark SDM_ACL Category=0

access-list 142 permit ip any host 192.168.100.1

access-list 189 remark permit PPTP passthrough

access-list 189 remark SDM_ACL Category=2

access-list 189 permit tcp any any eq 1723

access-list 189 permit gre any any

access-list 2055 remark SDM_ACL Category=0

access-list 2055 permit ip any host 192.168.100.202

access-list 2056 remark SDM_ACL Category=0

access-list 2056 permit ip any host 192.168.100.202

access-list 2057 remark SDM_ACL Category=0

access-list 2057 permit ip any host 192.168.100.202

access-list 2058 remark SDM_ACL Category=0

access-list 2058 permit ip any host 192.168.100.202

access-list 2059 remark SDM_ACL Category=0

access-list 2059 permit ip any host 192.168.100.202

access-list 2060 remark SDM_ACL Category=0

access-list 2060 permit ip any host 192.168.100.202

access-list 2061 remark SDM_ACL Category=0

access-list 2061 permit ip any host 192.168.100.202

access-list 2062 remark SDM_ACL Category=0

access-list 2062 permit ip any host 192.168.100.202

access-list 2063 remark SDM_ACL Category=0

access-list 2063 permit ip any host 192.168.100.202

access-list 2156 remark SDM_ACL Category=0

access-list 2156 permit ip any host 192.168.100.202

access-list 2157 remark SDM_ACL Category=0

access-list 2157 permit ip any host 192.168.100.19

access-list 2158 remark SDM_ACL Category=0

access-list 2158 permit ip any host 192.168.100.19

access-list 2159 remark SDM_ACL Category=0

access-list 2159 permit ip any host 192.168.100.208

!

!

!

!

control-plane

!

!

line con 0

password 7 xxxxxxx

no modem enable

line aux 0

line vty 0 4

password 7 xxxxxxxxx

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

!

webvpn context Default_context

ssl authenticate verify all

!

no inservice

!

end

The errors that I'm getting from the router are the following:

IKEv2 version 2 detected, Dropping packet!

and

Processing of Aggressive mode failed with peer at [my local ip address]

Would this whole thing work if I just disabled the firewall? And if it would, then please give me the procedure on how to do that.

Thanks,

Zharko
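As an added example (not from the post and not a Cisco tool), a small Python checker for the kind of dangling cross-reference an SDM-generated config like the one above accumulates: AAA list names, ISAKMP and IPsec profiles, virtual-templates, address pools and numbered ACLs that are referenced but never defined. The excerpt it scans is constructed to mirror the posted config's shape, and the set of reference kinds it knows about is my own selection, not an exhaustive model of IOS syntax; running it over the full running-config shows whether names such as the sdm_vpn_xauth_ml_2 list in the posted isakmp profile, or the access lists numbered 2064 and higher that several posted class-maps match, are actually defined.

```python
import re
from collections import defaultdict

# (regex, kind, is_definition). Definitions sit at column 0; references may be
# indented (the forum paste also stripped some of the original indentation).
RULES = [(re.compile(p), k, d) for p, k, d in [
    (r"^aaa authentication login (\S+)", "auth-list", True),
    (r"^\s*client authentication list (\S+)", "auth-list", False),
    (r"^aaa authorization network (\S+)", "authz-list", True),
    (r"^\s*isakmp authorization list (\S+)", "authz-list", False),
    (r"^crypto isakmp profile (\S+)", "isakmp-profile", True),
    (r"^\s*set isakmp-profile (\S+)", "isakmp-profile", False),
    (r"^crypto isakmp client configuration group (\S+)", "client-group", True),
    (r"^\s*match identity group (\S+)", "client-group", False),
    (r"^crypto ipsec transform-set (\S+)", "transform-set", True),
    (r"^\s*set transform-set (\S+)", "transform-set", False),
    (r"^crypto ipsec profile (\S+)", "ipsec-profile", True),
    (r"^\s*tunnel protection ipsec profile (\S+)", "ipsec-profile", False),
    (r"^interface Virtual-Template(\d+)", "virtual-template", True),
    (r"^\s*virtual-template (\d+)", "virtual-template", False),
    (r"^ip local pool (\S+)", "pool", True),
    (r"^\s*pool (\S+)", "pool", False),
    (r"^access-list (\d+) ", "acl", True),
    (r"^\s*match access-group (\d+)", "acl", False),
]]


def find_dangling(config_text):
    """Return sorted (kind, name, line) for each reference lacking a definition."""
    defined, refs = defaultdict(set), []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        for pat, kind, is_def in RULES:
            m = pat.match(line)
            if m and is_def:
                defined[kind].add(m.group(1))
            elif m:
                refs.append((kind, m.group(1), lineno))
    # Definitions may appear after their references, so resolve only at the end.
    return sorted(r for r in refs if r[1] not in defined[r[0]])


# Constructed excerpt shaped like the posted config (not the full posted config).
SAMPLE_CONFIG = """\
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
crypto isakmp profile sdm-ike-profile-1
   match identity group VPN_POOL
   client authentication list sdm_vpn_xauth_ml_2
   isakmp authorization list sdm_vpn_group_ml_2
   virtual-template 2
crypto isakmp client configuration group VPN_POOL
 pool SDM_POOL_1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
class-map type inspect match-all sdm-nat-user-protocol--4-8
 match access-group 2081
interface Virtual-Template2 type tunnel
 tunnel protection ipsec profile SDM_Profile1
ip local pool SDM_POOL_1 10.0.0.5 10.0.0.10
access-list 2055 permit ip any host 192.168.100.202
"""

if __name__ == "__main__":
    for kind, name, lineno in find_dangling(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind} '{name}' referenced but never defined")
```

Feed it the output of `show running-config` saved to a file and every unresolved name prints with the line that references it.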