EasyVPN - Is it really?

lukaszpekalski
Level 1

Recently I have purchased my first Cisco ISR2 2911 with two WAN ports.

Both of them are used through Policy Based Routing. Traffic filtering is done by Trend-Micro Content Based Security.

Only Remote Access VPN is needed to finish off the configuration.

SmartNet Engineer has been trying to configure it for a month now. For a moment I even had to disconnect one of the links to prove to him that one of my ISPs is not maliciously filtering the traffic.

He tried a very basic configuration with local DHCP pool and VPN configuration on a physical interface, but it would not connect further than the ISR.

So I have returned to original configuration with EasyVPN Virtual-Template interface and internal Microsoft DHCP so I can manage the pool centrally (see config below).

Cisco VPN client gets its IP from the server but the Default Gateway IP is exactly the same; I don't think it is ok.

Currently I can PING internal interface of the ISR from the VPN but not any inside network hosts.

Could you help please, because I have lost my hope in the SmartNet.


service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname c2911
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-1.T.bin
boot-end-marker
!
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone London 0 0
clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00
!
no ipv6 cef
no ip source-route
!
!
!
!
!
ip domain name firma.com
ip host trps.trendmicro.com 216.104.8.100
ip name-server 10.57.124.42
ip port-map user-protocol--1 port tcp 3389
ip inspect tcp reassembly queue length 64
ip cef
!
multilink bundle-name authenticated
!

parameter-map type urlfpolicy trend cptrendparacatdeny0
allow-mode on
block-page message "The website you have accessed is blocked as per corporate policy"
parameter-map type regex ccp-regex-nonascii
pattern [^\x00-\x80]

parameter-map type urlf-glob cplocclassurlfgloburlblock0
pattern *.facebook.com

parameter-map type urlf-glob cpaddbnwlocparapermit3
pattern email.btconnect.com
pattern *.email.btconnect.com
pattern *.linkedin.com


parameter-map type trend-global global-param-map
cache-entry-lifetime 48
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint Equifax_Secure_CA
revocation-check none
!
crypto pki trustpoint NetworkSolutions_CA
revocation-check none
!
crypto pki trustpoint trps1_server
revocation-check none
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint TP-self-signed-2793878619
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2793878619
revocation-check none
!
!
crypto pki certificate chain Equifax_Secure_CA
certificate ca 35CF
  0D010105
....
  2AA72349
   quit
crypto pki certificate chain NetworkSolutions_CA
certificate ca 10EA
  308204A6
....
  9505FB0A
 
   quit
crypto pki certificate chain trps1_server
certificate ca 00
  30820208
....
  882BFEC3
   quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain TP-self-signed-2619
certificate self-signed 01
  3082022B ...
  D1DC12
   quit
license udi pid CISCO2911/K9 sn XXXXXXXX
!
!
username xxxx privilege 15 secret 5 xxxx
!
redundancy
!
!
!
!
!
!
track 10 ip sla 1 reachability
delay down 15 up 15
!
track 20 ip sla 2 reachability
delay down 15 up 15
!
class-map type inspect match-all sdm-nat-user-protocol--1-2
match access-group 103
match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--1-1
match access-group 104
match protocol http
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
match protocol skinny
class-map type inspect match-any ccp-cls-insp-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type urlfilter match-any cpaddbnwlocclasspermit3
match  server-domain urlf-glob cpaddbnwlocparapermit3
class-map type inspect match-any ccp-h323nxg-inspect
match protocol h323-nxg
class-map type urlfilter match-any cplocclassurlblock0
match  server-domain urlf-glob cplocclassurlfgloburlblock0
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any ccp-h225ras-inspect
match protocol h225ras
class-map type urlfilter trend match-any cptrendclasscatdeny0
match  url category Adult-Mature-Content
match  url category Gambling
match  url category Marijuana
match  url category Nudity
match  url category Pornography
match  url category Violence-hate-racism
match  url category Alcohol-Tobacco
match  url category Chat-Instant-Messaging
match  url category Cult-Occult
match  url category For-Kids
match  url category Games
match  url category Gay-Lesbian
match  url category Illegal-Drugs
match  url category Sex-education
match  url category Weapons
match  url category Illegal-Questionable
match  url category Intimate-apparel-swimsuit
match  url category Peer-to-Peer
match  url category Personals-Dating
match  url category Proxy-Avoidance
match  url category Social-Networking
match  url category Spam
match  url category Tasteless
class-map type inspect match-any ccp-h323annexe-inspect
match protocol h323-annexe
class-map type urlfilter trend match-any cptrendclassrepdeny0
match  url reputation ADWARE
match  url reputation DIALER
match  url reputation DISEASE-VECTOR
match  url reputation HACKING
match  url reputation PASSWORD-CRACKING-APPLICATIONS
match  url reputation PHISHING
match  url reputation POTENTIALLY-MALICIOUS-SOFTWARE
match  url reputation SPYWARE
match  url reputation VIRUS-ACCOMPLICE
class-map type inspect match-any ccp-h323-inspect
match protocol h323
class-map type inspect match-all ccp-invalid-src
match access-group 102
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
match protocol sip
class-map type inspect match-all ccp-protocol-http
match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
class type inspect ccp-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-user-protocol--1-1
  inspect
class type inspect sdm-nat-user-protocol--1-2
  inspect
class class-default
  drop
policy-map type inspect urlfilter cppolicymap-1
parameter type urlfpolicy trend cptrendparacatdeny0
class type urlfilter cpaddbnwlocclasspermit3
  allow
  log
class type urlfilter cplocclassurlblock0
  reset
  log
class type urlfilter trend cptrendclasscatdeny0
  reset
  log
class type urlfilter trend cptrendclassrepdeny0
  reset
  log
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
  drop log
class type inspect ccp-protocol-http
  inspect
  service-policy urlfilter cppolicymap-1
class type inspect ccp-insp-traffic
  inspect
class type inspect ccp-sip-inspect
  inspect
class type inspect ccp-h323-inspect
  inspect
class type inspect ccp-h323annexe-inspect
  inspect
class type inspect ccp-h225ras-inspect
  inspect
class type inspect ccp-h323nxg-inspect
  inspect
class type inspect ccp-skinny-inspect
  inspect
class class-default
  drop
policy-map type inspect ccp-permit
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class class-default
  drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
!
crypto logging ezvpn
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group GROUPPOLICY1
key xxxxxxx
dns 10.57.124.42 10.57.124.159
domain firma.com
dhcp server 10.57.124.159
crypto isakmp profile ciscocp-ike-profile-1
   match identity group GROUPPOLICY1
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 28800
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description *** LAN INTERFACE ***$FW_INSIDE$
ip address 10.57.124.254 255.255.254.0
ip nat inside
ip virtual-reassembly in
zone-member security in-zone
ip policy route-map PBR
duplex auto
speed auto
!
interface GigabitEthernet0/1
description *** LINK TO BT ***$FW_OUTSIDE$$ETH-WAN$
ip address 1.1.1.210 255.255.255.240
ip nbar protocol-discovery
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface GigabitEthernet0/2
description *** LINK TO BE ***$FW_OUTSIDE$$ETH-WAN$
ip address 2.2.2.154 255.255.252.0
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
zone-member security out-zone
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/2
zone-member security ezvpn-zone
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip forward-protocol nd
!
ip http server
ip http secure-server
ip flow-top-talkers
top 4
sort-by bytes
cache-timeout 600000
!
ip dns server
ip nat inside source static tcp 10.57.124.92 3389 interface GigabitEthernet0/1 3389
ip nat inside source static tcp 10.57.124.48 80 interface GigabitEthernet0/1 80
ip nat inside source route-map ISP1 interface GigabitEthernet0/1 overload
ip nat inside source route-map ISP2 interface GigabitEthernet0/2 overload
ip route 0.0.0.0 0.0.0.0 1.1.1.209 track 10
ip route 0.0.0.0 0.0.0.0 2.2.2.1 track 20
ip route 216.104.8.100 255.255.255.255 2.2.2.1
!
ip access-list extended NATTRANSLATE
remark DO NOT NAT VPN
deny   ip 10.57.124.0 0.0.1.255 10.57.124.0 0.0.1.255
permit ip 10.57.124.0 0.0.1.255 any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark CCP_ACL Category=1
permit ip any any
!
ip sla 1
icmp-echo 1.1.1.209
frequency 5
ip sla schedule 1 life forever start-time now
ip sla 2
icmp-echo 2.2.2.1
frequency 5
ip sla schedule 2 life forever start-time now
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.57.124.0 0.0.1.255
access-list 10 permit 10.57.124.0 0.0.1.255
access-list 100 deny   ip 10.57.124.0 0.0.1.255 213.123.26.0 0.0.1.255
access-list 100 deny   ip 10.57.124.0 0.0.1.255 host 194.72.6.57
access-list 100 deny   ip 10.57.124.0 0.0.1.255 host 194.73.82.242
access-list 100 deny   ip host 10.57.124.48 any
access-list 100 deny   ip host 10.57.124.92 any
access-list 100 permit ip any any
access-list 101 permit ip any any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip 2.2.2.0 0.0.3.255 any
access-list 102 permit ip 1.1.1.208 0.0.0.15 any
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip host a.a.a.140 host 10.57.124.92
access-list 103 permit ip host b.b.b.114.248 host 10.57.124.92
access-list 103 permit ip host c.c.c.202 host 10.57.124.92
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 10.57.124.48
!
!
!
!
route-map PBR permit 10
match ip address 100
set ip next-hop verify-availability 2.2.2.1 1 track 20
!
route-map PBR permit 30
match ip address 101
set ip next-hop verify-availability 1.1.1.209 2 track 10
!
route-map ISP2 permit 10
match ip address NATTRANSLATE
match interface GigabitEthernet0/2
!
route-map ISP1 permit 10
match ip address NATTRANSLATE
match interface GigabitEthernet0/1
!
!
!
!
!
control-plane
!
!
banner login ^CCThis system is the property of company ...
-----------------------------------------------------------------------

^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
password 7 xxxxx
logging synchronous
transport input all
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 0.europe.pool.ntp.org source GigabitEthernet0/2
ntp server uk.pool.ntp.org prefer source GigabitEthernet0/2
end


lukaszpekalski
Level 1

Problem fixed.

VPN traffic has to be removed from both access lists 100 and 101 so it is not directed to a physical interface. 101 had an 'allow any' statement and in consequence, even though there was an injected route for EasyVPN clients, it would not be chosen over Policy Based Routing.
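The root cause above is the evaluation order: "ip policy route-map PBR" on the LAN interface is consulted before the routing table, so a sequence whose ACL permits the return traffic wins over the injected EasyVPN client route. The model below is an added example, not code from the thread or from Cisco; addresses follow the posted config, and the VPN client pool 10.57.125.0/24 is an assumed placeholder because the thread never states it.

```python
import ipaddress

# Added model (not from the thread) of how IOS applies "ip policy route-map PBR"
# on Gi0/0: policy routing is evaluated before the routing table, so a
# route-map sequence whose ACL permits the packet wins over any injected
# host route for an EasyVPN client. Addresses follow the posted config; the
# VPN client pool 10.57.125.0/24 is an ASSUMED placeholder (not in the thread).
ANY = ipaddress.ip_network("0.0.0.0/0")
LAN = ipaddress.ip_network("10.57.124.0/23")
VPN_POOL = ipaddress.ip_network("10.57.125.0/24")  # assumption
ISP1_GW, ISP2_GW = "1.1.1.209", "2.2.2.1"

def acl_permits(acl, src, dst):
    """First-match ACL evaluation: True only on a 'permit' hit; a 'deny' hit
    or the implicit deny at the end returns False."""
    for action, s, d in acl:
        if src in s and dst in d:
            return action == "permit"
    return False

def pbr_next_hop(route_map, src, dst):
    """Return the next hop set by the first route-map sequence whose match ACL
    permits the packet, or None when no sequence matches (IOS then falls back
    to the normal routing table, which holds the injected route to the VPN client)."""
    for acl, next_hop in route_map:
        if acl_permits(acl, src, dst):
            return next_hop
    return None

# ACL 100 and 101 as posted (relevant entries only) and route-map PBR seq 10 / 30.
ACL100 = [("deny", ipaddress.ip_network("10.57.124.48/32"), ANY),
          ("permit", ANY, ANY)]
ACL101 = [("permit", ANY, ANY)]
PBR_AS_POSTED = [(ACL100, ISP2_GW), (ACL101, ISP1_GW)]

# The fix described in the reply: exclude LAN-to-VPN-pool traffic from both
# ACLs so neither sequence matches it and the injected route is used instead.
EXCLUDE_VPN = [("deny", LAN, VPN_POOL)]
PBR_FIXED = [(EXCLUDE_VPN + ACL100, ISP2_GW), (EXCLUDE_VPN + ACL101, ISP1_GW)]

def where_does_it_go(route_map, src, dst):
    hop = pbr_next_hop(route_map, ipaddress.ip_address(src), ipaddress.ip_address(dst))
    return hop if hop is not None else "routing-table"

if __name__ == "__main__":
    for name, rm in (("as posted", PBR_AS_POSTED), ("fixed", PBR_FIXED)):
        print(name, "LAN->VPN client:", where_does_it_go(rm, "10.57.124.10", "10.57.125.7"))
        print(name, "LAN->Internet:  ", where_does_it_go(rm, "10.57.124.10", "203.0.113.5"))
```

With the posted ACLs the reply to a VPN client is policy-routed to 2.2.2.1 and never reaches the Virtual-Access interface; with the deny entries in place it falls through to the routing table while ordinary Internet traffic keeps its ISP next hop.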