833 Views, 0 Helpful, 0 Replies

IPSec VPN Problem Cisco 3845!

webmaster32
Level 1

Hello,

I have configured an IPSec VPN on my Cisco 3845. The problem I have is that I can successfully connect to the VPN from my mobile phone and I get a LAN IP, but I can't ping any other IP on the LAN.


Below is my configuration file!

Please NOTE: GigabitEthernet is my LAN (IP 192.168.1.1).

ATM0/0/0 is my WAN.

Thank you very much!



!
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!

parameter-map type urlfpolicy trend cprepdenyregex0
parameter-map type urlf-glob cpaddbnwlocparadeny0
 pattern in.gr

!
password encryption aes
voice-card 0
!
username admin privilege 15 password 0 XXXXX
!
!
crypto isakmp policy 1
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN-NO-SPLIT
 key 6 CF_fNATQbIhXTAea\Kg[fgd`KbQCcJL`bDUZ
 dns 195.170.0.1 195.170.2.2
 pool VPN-POOL-2
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
crypto ipsec transform-set VPN esp-aes esp-sha-hmac
!
crypto dynamic-map DYN-MAP 10
 set transform-set VPN
!
!
crypto map VPNMAP client authentication list VPN-USERS-AUTHENTICATION
crypto map VPNMAP isakmp authorization list VPN-USERS-AUTHORIZATION
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic DYN-MAP
!
crypto ctcp
archive
 log config
  hidekeys
!
!
!
class-map type inspect match-all sdm-nat-user-protocol--7-1
 match access-group 101
 match protocol user-protocol--7
class-map type inspect match-all sdm-nat-user-protocol--4-2
 match access-group 101
 match protocol user-protocol--4
class-map type inspect match-all sdm-nat-user-protocol--6-1
 match access-group 101
 match protocol user-protocol--6
class-map type inspect match-all sdm-nat-user-protocol--5-1
 match access-group 101
 match protocol user-protocol--5
class-map type inspect match-all sdm-nat-user-protocol--4-1
 match access-group 101
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any pptp
 match protocol pptp
 match class-map SDM_GRE
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 101
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-http-1
 match access-group 101
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 101
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-http-2
 match access-group 102
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 101
 match protocol user-protocol--1
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any pptp-in
 match protocol pptp
 match class-map SDM_GRE
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map pptp-in
 match access-group name any2
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-all sdm-nat-user-protocol--9-1
 match access-group 101
 match protocol user-protocol--9
class-map type inspect match-any pptp_vpn
 match protocol pptp
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-3
 match class-map pptp_vpn
 match access-group name pptp_vpn
class-map type inspect match-all sdm-nat-user-protocol--8-1
 match access-group 101
 match protocol user-protocol--8
class-map type inspect match-any AllPackets
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-cls-sdm-pol-NATOutsideToInside-1-2
 match class-map AllPackets
 match access-group name anyTCP
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
 match protocol user-ezvpn-remote
class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT
 match class-map SDM_EASY_VPN_REMOTE_TRAFFIC
 match access-group 105
class-map type urlfilter match-any cpaddbnwlocclassdeny0
 match  server-domain urlf-glob cpaddbnwlocparadeny0
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type urlfilter trend match-any cpcatdenyclass0
 match  url category Adult-Mature-Content
 match  url category Gambling
 match  url category Gay-Lesbian
class-map type inspect match-all sdm-nat-user-protocol--15-2
 match access-group 101
 match protocol user-protocol--15
class-map type inspect match-all sdm-nat-user-protocol--14-3
 match access-group 101
 match protocol user-protocol--14
class-map type inspect match-all sdm-nat-user-protocol--16-1
 match access-group 101
 match protocol user-protocol--16
class-map type inspect match-all sdm-nat-user-protocol--14-2
 match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--17-1
 match access-group 101
 match protocol user-protocol--17
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-nat-user-protocol--14-1
 match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--15-1
 match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--12-1
 match access-group 101
 match protocol user-protocol--12
class-map type inspect match-all sdm-nat-user-protocol--21-1
 match access-group 101
 match protocol user-protocol--21
class-map type inspect match-all sdm-nat-user-protocol--20-1
 match access-group 101
class-map type inspect match-all sdm-nat-user-protocol--13-1
 match access-group 101
 match protocol user-protocol--13
class-map type inspect match-all sdm-nat-user-protocol--10-1
 match access-group 101
 match protocol user-protocol--10
class-map type inspect match-all sdm-nat-user-protocol--20-2
 match access-group 101
 match protocol user-protocol--20
class-map type inspect match-all sdm-nat-user-protocol--11-1
 match access-group 101
 match protocol user-protocol--11
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-all ccp-cls-ccp-inspect-1
 match access-group name admin
class-map type inspect match-all sdm-nat-user-protocol--18-1
 match access-group 101
 match protocol user-protocol--18
class-map type inspect match-all sdm-nat-user-protocol--19-1
 match access-group 101
 match protocol user-protocol--19
class-map type inspect match-any vpn-in
 match protocol pptp
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-any ipsec
 match protocol gdoi
 match protocol ipsec-msft
 match protocol isakmp
 match protocol ssp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-cls-ccp-permit-2
 match class-map ipsec
 match access-group name ipsec
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map pptp
 match access-group name any
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all sdm-nat-x11-1
 match access-group 101
 match protocol x11
class-map type inspect match-any https
 match protocol https
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-ssh-1
 match access-group 102
 match protocol ssh
class-map type inspect match-all sdm-nat-vdolive-1
 match access-group 101
 match protocol vdolive
class-map type inspect match-all sdm-nat-https-1
 match access-group 101
 match protocol https
class-map type inspect match-any dns
 match protocol dns
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-ssh-1
  inspect
 class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-2
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-x11-1
  inspect
 class type inspect sdm-nat-vdolive-1
  inspect
 class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect ccp-cls-sdm-pol-NATOutsideToInside-1-3
  pass
 class type inspect sdm-nat-user-protocol--4-2
  inspect
 class type inspect sdm-nat-user-protocol--5-1
  inspect
 class type inspect sdm-nat-user-protocol--6-1
  inspect
 class type inspect sdm-nat-user-protocol--7-1
  inspect
 class type inspect sdm-nat-user-protocol--8-1
  inspect
 class type inspect sdm-nat-user-protocol--9-1
  inspect
 class type inspect sdm-nat-user-protocol--10-1
  inspect
 class type inspect sdm-nat-user-protocol--11-1
  inspect
 class type inspect sdm-nat-user-protocol--12-1
  inspect
 class type inspect sdm-nat-user-protocol--13-1
  inspect
 class type inspect sdm-nat-user-protocol--14-3
  inspect
 class type inspect sdm-nat-user-protocol--15-2
  inspect
 class type inspect sdm-nat-user-protocol--16-1
  inspect
 class type inspect sdm-nat-user-protocol--17-1
  inspect
 class type inspect sdm-nat-user-protocol--18-1
  inspect
 class type inspect sdm-nat-user-protocol--19-1
  inspect
 class type inspect sdm-nat-http-2
  inspect
 class type inspect sdm-nat-user-protocol--20-2
  inspect
 class type inspect sdm-nat-user-protocol--21-1
  inspect
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-cls-ccp-inspect-1
  inspect
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_REMOTE_PT
  pass
 class type inspect ccp-cls-ccp-permit-2
  pass
 class type inspect vpn-in
  pass
 class class-default
  drop
policy-map type inspect urlfilter tight
 parameter type urlfpolicy trend cprepdenyregex0
 class type urlfilter cpaddbnwlocclassdeny0
  reset
  log
 class type urlfilter trend cpcatdenyclass0
  reset
  log
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security in-zone
zone security out-zone
zone security ezvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
!
!
!
!
interface GigabitEthernet0/0
 description $ETH-WAN$$FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 duplex auto
 speed auto
 media-type rj45
!
interface GigabitEthernet0/1
 no ip address
 shutdown
 duplex auto
 speed auto
 media-type rj45
!
interface ATM0/0/0
 no ip address
 no atm ilmi-keepalive
!
interface ATM0/0/0.1 point-to-point
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0
 ip mtu 1492
 zone-member security ezvpn-zone
 ip tcp adjust-mss 1360
 load-interval 30
 peer default ip address pool defaultpool
 no keepalive
 ppp mtu adaptive
 ppp encrypt mppe auto required
 ppp authentication ms-chap ms-chap-v2
 ppp authorization auth
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXX@otenet.gr
 ppp chap password 0 k-XXXXX
 ppp pap sent-username XXXXXotenet.gr password 0 XXXXX
 crypto map VPNMAP
!
ip local pool VPN-POOL-2 192.168.1.110 192.168.1.115
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
ip http server
ip http access-class 3
ip http secure-server
!
!
ip nat inside source static tcp 192.168.1.6 80 interface Dialer0 80
ip nat inside source static tcp 192.168.1.6 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.6 6000 interface Dialer0 6000
ip nat inside source static tcp 192.168.1.6 7000 interface Dialer0 7000
ip nat inside source static tcp 192.168.1.6 8003 interface Dialer0 8003
ip nat inside source static tcp 192.168.1.6 8030 interface Dialer0 8030
ip nat inside source static tcp 192.168.1.6 8060 interface Dialer0 8060
ip nat inside source static tcp 192.168.1.6 81 interface Dialer0 81
ip nat inside source static tcp 192.168.1.6 8200 interface Dialer0 8200
ip nat inside source static tcp 192.168.1.6 8300 interface Dialer0 8300
ip nat inside source static tcp 192.168.1.6 8302 interface Dialer0 8302
ip nat inside source static tcp 192.168.1.6 8886 interface Dialer0 8886
ip nat inside source static tcp 192.168.1.6 4899 interface Dialer0 4899
ip nat inside source static udp 192.168.1.6 4899 interface Dialer0 4899
ip nat inside source static udp 192.168.1.6 8300 interface Dialer0 8300
ip nat inside source static udp 192.168.1.6 8200 interface Dialer0 8200
ip nat inside source static udp 192.168.1.6 8003 interface Dialer0 8003
ip nat inside source static udp 192.168.1.6 8060 interface Dialer0 8060
ip nat inside source static udp 192.168.1.6 80 interface Dialer0 80
ip nat inside source static udp 192.168.1.6 8030 interface Dialer0 8030
ip nat inside source static udp 192.168.1.6 81 interface Dialer0 81
ip nat inside source static udp 192.168.1.6 8302 interface Dialer0 8302
ip nat inside source static udp 192.168.1.6 8886 interface Dialer0 8886
ip nat inside source static tcp 192.168.1.2 80 interface Dialer0 60613
ip nat inside source static udp 192.168.1.6 7000 interface Dialer0 7000
ip nat inside source static udp 192.168.1.6 6000 interface Dialer0 6000
ip nat inside source static tcp 192.168.1.2 22 interface Dialer0 53533
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended NAT
 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended NAT-ACL
 remark CCP_ACL Category=16
 deny   ip any host 192.168.1.110
 deny   ip any host 192.168.1.111
 deny   ip any host 192.168.1.112
 deny   ip any host 192.168.1.113
 deny   ip any host 192.168.1.114
 deny   ip any host 192.168.1.115
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended admin
 remark CCP_ACL Category=128
 permit ip host 192.168.1.10 any
 permit ip host 192.168.1.7 any
ip access-list extended any
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended any2
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended anyTCP
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended ipsec
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended pptp_vpn
 remark CCP_ACL Category=128
 permit ip any any
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark CCP_ACL Category=2
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 3 remark Auto generated by SDM Management Access feature
access-list 3 remark CCP_ACL Category=1
access-list 3 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=0
access-list 101 permit ip any host 192.168.1.6
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.1.2
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq telnet
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq www
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
access-list 103 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
access-list 103 deny   tcp any host 192.168.1.1 eq telnet
access-list 103 deny   tcp any host 192.168.1.1 eq 22
access-list 103 deny   tcp any host 192.168.1.1 eq www
access-list 103 deny   tcp any host 192.168.1.1 eq 443
access-list 103 deny   tcp any host 192.168.1.1 eq cmd
access-list 103 deny   udp any host 192.168.1.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark Auto generated by SDM Management Access feature
access-list 104 remark CCP_ACL Category=1
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 remark CCP_ACL Category=128
access-list 105 permit ip host 79.129.45.176 any
dialer-list 1 protocol ip permit
!
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address NAT-ACL
!
!
!
control-plane
!
!
!
!
mgcp fax t38 ecm
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 transport input ssh
 transport output ssh
!
scheduler allocate 20000 1000
end
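Three things in the configuration above are worth checking before going to debugs, because each one decides whether a VPN client with a 192.168.1.110-115 address can reach the rest of 192.168.1.0/24: (1) the pool lives inside the subnet of GigabitEthernet0/0, so LAN hosts will ARP for the client addresses and the router has to answer for them (proxy ARP on that interface); (2) return traffic from the LAN to the pool must be excluded from the overload NAT, which NAT-ACL does with its deny lines; (3) in the IOS zone-based firewall, traffic decrypted by a crypto map is treated as arriving on the interface that carries the crypto map, so client-to-LAN packets cross the zone-pair from that interface's zone to the LAN interface's zone and are subject to whatever policy is attached there, not to the ezvpn-zone pairs. The script below is an added example, not part of the original post and not a Cisco tool: it parses a trimmed excerpt of the posted config (constructed from the lines above) and reports those three facts. The function names and the `CONFIG` excerpt are this example's own.

```python
import ipaddress
import re

# Excerpt of the posted running-config, trimmed to the lines the checks need
# (constructed for this example from the post above; not a full config).
CONFIG = """
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 zone-member security in-zone
!
interface Dialer0
 ip address negotiated
 ip nat outside
 zone-member security out-zone
 crypto map VPNMAP
!
ip local pool VPN-POOL-2 192.168.1.110 192.168.1.115
ip access-list extended NAT-ACL
 deny   ip any host 192.168.1.110
 deny   ip any host 192.168.1.111
 deny   ip any host 192.168.1.112
 deny   ip any host 192.168.1.113
 deny   ip any host 192.168.1.114
 deny   ip any host 192.168.1.115
 permit ip 192.168.1.0 0.0.0.255 any
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
"""


def parse_config(text):
    """Extract interfaces, address pools, NAT-ACL host denies and zone-pairs.
    Only the constructs that appear in the post are handled."""
    cfg = {"interfaces": {}, "pools": {}, "acl_denied_hosts": {}, "zone_pairs": {}}
    block = None  # (kind, name) of the indented section currently being read
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            continue
        if not line.startswith(" "):  # top-level command: opens or replaces a block
            block = None
            if m := re.match(r"interface (\S+)", line):
                block = ("interface", m.group(1))
                cfg["interfaces"][m.group(1)] = {"subnet": None, "zone": None, "crypto_map": None}
            elif m := re.match(r"ip local pool (\S+) (\S+) (\S+)", line):
                cfg["pools"][m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                            ipaddress.IPv4Address(m.group(3)))
            elif m := re.match(r"ip access-list extended (\S+)", line):
                block = ("acl", m.group(1))
                cfg["acl_denied_hosts"][m.group(1)] = set()
            elif m := re.match(r"zone-pair security \S+ source (\S+) destination (\S+)", line):
                block = ("zone-pair", (m.group(1), m.group(2)))
            continue
        if block is None:
            continue
        kind, name = block
        body = line.strip()
        if kind == "interface":
            iface = cfg["interfaces"][name]
            if m := re.match(r"ip address (\S+) (\S+)", body):  # "negotiated" has no mask: skipped
                iface["subnet"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
            elif m := re.match(r"zone-member security (\S+)", body):
                iface["zone"] = m.group(1)
            elif m := re.match(r"crypto map (\S+)", body):
                iface["crypto_map"] = m.group(1)
        elif kind == "acl":
            if m := re.match(r"deny\s+ip any host (\S+)", body):
                cfg["acl_denied_hosts"][name].add(ipaddress.IPv4Address(m.group(1)))
        elif kind == "zone-pair":
            if m := re.match(r"service-policy type inspect (\S+)", body):
                cfg["zone_pairs"][name] = m.group(1)
    return cfg


def pool_addresses(cfg, pool):
    start, end = cfg["pools"][pool]
    return [ipaddress.IPv4Address(a) for a in range(int(start), int(end) + 1)]


def lan_interface_overlapping(cfg, pool):
    """Interface whose connected subnet contains the whole pool, or None.
    A hit means LAN hosts ARP for client addresses and rely on proxy ARP here."""
    addrs = pool_addresses(cfg, pool)
    for name, iface in cfg["interfaces"].items():
        if iface["subnet"] and all(a in iface["subnet"] for a in addrs):
            return name
    return None


def nat_excludes_pool(cfg, pool, acl):
    """True when every pool address is denied (i.e. bypasses NAT) in the NAT ACL."""
    return set(pool_addresses(cfg, pool)) <= cfg["acl_denied_hosts"][acl]


def decrypted_traffic_policy(cfg, lan_if):
    """Zone-pair and inspect policy that decrypted crypto-map traffic crosses on
    its way to the LAN: crypto-map interface's zone -> LAN interface's zone."""
    crypto_if = next(n for n, i in cfg["interfaces"].items() if i["crypto_map"])
    pair = (cfg["interfaces"][crypto_if]["zone"], cfg["interfaces"][lan_if]["zone"])
    return pair, cfg["zone_pairs"].get(pair)


def report(cfg, pool="VPN-POOL-2", nat_acl="NAT-ACL"):
    lan_if = lan_interface_overlapping(cfg, pool)
    pair, policy = decrypted_traffic_policy(cfg, lan_if) if lan_if else (None, None)
    return {"pool_inside_lan_subnet_of": lan_if,
            "nat_excludes_pool": nat_excludes_pool(cfg, pool, nat_acl),
            "decrypted_zone_pair": pair,
            "decrypted_policy": policy}


if __name__ == "__main__":
    for key, value in report(parse_config(CONFIG)).items():
        print(f"{key}: {value}")
```

Run against the excerpt, the report shows the pool inside GigabitEthernet0/0's subnet, the pool fully excluded from NAT, and decrypted client traffic landing on the out-zone to in-zone pair governed by sdm-pol-NATOutsideToInside-1; that policy's class-default is `drop log`, so `show policy-map type inspect zone-pair` and the drop logs on that pair are the place to look next, together with whether proxy ARP is enabled on GigabitEthernet0/0.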
