09-23-2015 05:39 PM - edited 02-21-2020 08:28 PM
Dear everybody,
I have a problem accessing the internal network after connecting to the VPN using the IPSec protocol. When I check the Virtual-Template1 interface, it shows "status protocol down" after connecting to the VPN. I'm not sure whether this is related to not being able to access the internal network. Please help check my whole config and recommend what to modify or recheck. Thank you.
Interface IP-Address OK? Method Status Protocol
Virtual-Template1 XXX.XXX.XXx YES TFTP up down
===================================================================
my config
hidekeys
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
crypto isakmp keepalive 90 12
!
crypto isakmp client configuration group Test_VPN
key XXXX#@123
dns 123.234.12.22
domain testvpn.vpn
pool test_POOL
acl 102
max-users 3
crypto isakmp profile vpn-ike-profile-1
match identity group Test_VPN
client authentication list vpn-authen_1
isakmp authorization list vpn-group_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
!
!
!
!
!
!
!
interface FastEthernet0/0
description -= MetroEthernet
ip address XX.X.XX.zzz 255.255.255.0
ip access-group Inside_Access out
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
no ip mroute-cache
load-interval 30
speed auto
full-duplex
no cdp enable
!
interface FastEthernet0/1
description -= SWITCH CISCO =-
ip address ZZZ.ZZZ.ZZZZ.ZZZ 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect firewall in
ip virtual-reassembly
load-interval 30
speed auto
full-duplex
no cdp enable
arp timeout 1800
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0/0
ip virtual-reassembly
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
ip local pool test_POOL 192.168.100.200 192.168.100.210
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
ip http server
no ip http secure-server
!
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip nat inside source list 102 interface FastEthernet0/0 overload
!
ip access-list extended Inside_Access
permit ip XXXX.CCC.cCC.0 0.0.0.255 any
permit ip CCCC.CCCC.CCCC.0 0.0.0.255 any
permit ip CC.XXX.xxx.0 0.0.0.255 any
permit ip any any
permit ip XXXX.XXX.XXX.0 0.0.0.255 any
deny ip any any
ip access-list extended NAT
deny ip any any
!
no logging trap
access-list 101 remark [Deny NAT for VPN Clients]=-
access-list 101 deny ip XXX.XXX.XX.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 deny ip ZZ.Zz.ZZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 remark -=[Internet NAT Service]=-
access-list 101 permit ip ZZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZZ.ZZ.ZZ.0 0.0.0.255 any
access-list 101 permit ip ZZZ.ZZZ.X.0 0.0.0.255 any
access-list 102 remark ==[Cisco VPN Users]==
access-list 102 permit ip ZZ.ZZ.ZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 permit ip ZZ.ZZZ.ZZ.0 0.0.0.255 192.168.100.0 0.0.0.255
!
09-23-2015 10:22 PM
You did not bind the ISAKMP profile under the IPsec profile.
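A way to check a saved configuration for the condition this reply names, as an added example that is not part of the original thread: it reports any IPsec profile applied to a Virtual-Template that lacks a `set isakmp-profile` line for an ISAKMP profile pointing at that template. The function names and the sample text are constructed for illustration, and the parser assumes the indentation that `show running-config` prints.

```python
import re

# Constructed sample: the relevant stanzas of the posted config, indented as
# `show running-config` prints them (the forum paste lost its indentation).
SAMPLE = """\
crypto isakmp profile vpn-ike-profile-1
 match identity group Test_VPN
 virtual-template 1
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-1
!
interface Virtual-Template1 type tunnel
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
"""

def stanzas(config):
    """Map each top-level command to the list of indented sub-commands under it."""
    out, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue  # blank line or stanza separator
        if raw[0].isspace() and current is not None:
            out[current].append(raw.strip())
        else:
            current = raw.strip()
            out.setdefault(current, [])
    return out

def unbound_ipsec_profiles(config):
    """Return (ipsec_profile, vt_number, candidate_isakmp_profiles) per missing binding."""
    cfg, ike_by_vt, findings = stanzas(config), {}, []
    for header, body in cfg.items():  # ISAKMP profiles that name a virtual-template
        m = re.fullmatch(r"crypto isakmp profile (\S+)", header)
        for vt in re.findall(r"^virtual-template (\d+)$", "\n".join(body), re.M) if m else []:
            ike_by_vt.setdefault(vt, []).append(m.group(1))
    for header, body in cfg.items():  # IPsec profiles applied to those templates
        m = re.match(r"interface Virtual-Template(\d+)\b", header)
        for name in re.findall(r"^tunnel protection ipsec profile (\S+)$", "\n".join(body), re.M) if m else []:
            ipsec = cfg.get(f"crypto ipsec profile {name}", [])
            bound = {c.split()[-1] for c in ipsec if c.startswith("set isakmp-profile ")}
            wanted = ike_by_vt.get(m.group(1), [])
            if wanted and not bound & set(wanted):
                findings.append((name, m.group(1), wanted))
    return findings

if __name__ == "__main__":
    print(unbound_ipsec_profiles(SAMPLE))
```

An empty result only means the binding is present; it says nothing about why the interface protocol is down.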
10-12-2021 02:51 PM
Still showing down after binding.