VPN configuration on 892fsp

alficho23
Level 1

Hi Guys,

I'm struggling with this for a few weeks already, without any result.

I have int g8 as WAN with public IP on DMZ. I would like to connect on this IP to my home VPN.

As a client it is AnyConnect with an imported system certificate.
I can connect with no problem from the local LAN, but no chance when calling the public address. My assumption is that it is due to ACLs not configured as they should be.

Any advice will be much appreciated!

```
Building configuration...

Current configuration : 10625 bytes
!
! Last configuration change at 21:56:08 UTC Thu May 25 2023 by tomek
!
version 15.9
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname xxx
!
boot-start-marker
boot-end-marker
!
!
enable password xxx
!
aaa new-model
!
!
aaa authorization network IKEv2_GROUP_AUTHZ local
!
!
!
!
!
!
aaa session-id common
!
crypto pki server VPN_CA
no database archive
grant auto
eku server-auth client-auth
database url flash:ca
!
crypto pki trustpoint VPN_CA
revocation-check crl
rsakeypair VPN_CA
!
crypto pki trustpoint VPNSERVERCERT
enrollment url http://192.168.99.199:80
subject-name CN=vpn.xxx,OU=IT,O=RMTech
subject-alt-name vpn.xxx
revocation-check none
rsakeypair VPNSERVERCERT
!
!
!
crypto pki certificate map CERT_MAP 10
issuer-name co cn = vpn_ca
!
crypto pki certificate chain VPN_CA
certificate ca 01
xxx
quit
crypto pki certificate chain VPNSERVERCERT
certificate 02
xxx
quit
certificate ca 01
xxx
quit
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
ip dhcp excluded-address 10.20.10.1 10.20.10.30
ip dhcp excluded-address 192.168.10.1 192.168.10.30
ip dhcp excluded-address 10.30.10.1 10.30.10.30
!
ip dhcp pool LAN-TRUNK
network 10.20.10.0 255.255.255.0
default-router 10.20.10.1
dns-server 1.1.1.1 8.8.8.8
!
ip dhcp pool IOT
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 1.1.1.1 8.8.8.8
!
ip dhcp pool CCTV
network 10.30.10.0 255.255.255.0
default-router 10.30.10.1
dns-server 1.1.1.1 8.8.8.8
!
!
!
ip domain name xxx
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C892FSP-K9 sn xxx
!
!
username tomek password 0 xxx
!
redundancy
!
crypto ikev2 authorization policy IKEv2_AUTHZ_POLICY
pool VPNPOOL
dns 1.1.1.1
!
crypto ikev2 proposal default
encryption aes-cbc-256 aes-cbc-192 aes-cbc-128
integrity sha512 sha384 sha256
group 21 20 14 19
!
crypto ikev2 policy default
match fvrf any
proposal default
!
!
crypto ikev2 profile IKEv2_PROFILE
match certificate CERT_MAP
authentication remote rsa-sig
authentication local rsa-sig
pki trustpoint VPNSERVERCERT
aaa authorization group cert list IKEv2_GROUP_AUTHZ IKEv2_AUTHZ_POLICY
virtual-template 1
!
no crypto ikev2 http-url cert
!
!
!
!
!
!
crypto ipsec profile IPSEC_PROFILE
set reverse-route gateway 192.168.99.1
set ikev2-profile IKEv2_PROFILE
!
!
!
!
!
!
!
!
interface Loopback0
ip address 172.16.1.1 255.255.255.255
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
switchport access vlan 10
switchport mode trunk
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
switchport access vlan 100
switchport mode trunk
no ip address
!
interface GigabitEthernet5
switchport access vlan 100
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address 192.168.99.199 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet9
no ip address
shutdown
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
description Cisco AnyConnect IKEv2
ip unnumbered Loopback0
ip mtu 1400
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1360
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC_PROFILE
!
interface Vlan1
ip address 10.20.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan10
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Vlan100
ip address 10.30.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
ip local pool VPNPOOL 10.0.0.1 10.0.0.50
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list 1 interface GigabitEthernet8 overload
ip nat inside source list NAT interface GigabitEthernet8 overload
ip nat outside source list OUTSIDE-IN interface GigabitEthernet8
ip route 0.0.0.0 0.0.0.0 192.168.99.1
ip ssh version 2
!
ip access-list extended NAT
permit ip 10.0.0.0 0.0.0.255 any
deny ip any any
ip access-list extended OUTSIDE-IN
permit udp any any eq isakmp non500-isakmp
deny ip any any
permit esp any any
ip access-list extended vlan_sep
permit ip 10.20.10.0 0.0.0.255 any
!
ipv6 ioam timestamp
!
access-list 1 permit 10.20.10.0 0.0.0.255
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 10.30.10.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
line con 0
password xxx
no modem enable
line aux 0
line vty 0 4
transport input ssh
!
scheduler allocate 20000 1000
ntp server ip 0.pool.ntp.org
ntp server ip 1.pool.ntp.org
ntp server ip 2.pool.ntp.org
ntp server ip 3.pool.ntp.org
```

2 Replies

Based on your configuration, it seems that you have properly set up the VPN with AnyConnect and IKEv2. However, as you mentioned, the issue might be with the ACL configuration.

I would suggest modifying your "OUTSIDE-IN" ACL to allow the IKE and NAT-T traffic:

```
ip access-list extended OUTSIDE-IN
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit udp any any eq 4500
permit esp any any
deny ip any any
```

Additionally, apply the "OUTSIDE-IN" access-list to the WAN interface:

```
interface GigabitEthernet8
ip address 192.168.99.199 255.255.255.0
ip nat outside
ip virtual-reassembly in
ip access-group OUTSIDE-IN in
duplex auto
speed auto
```

Also, make sure that the firewall on your local LAN allows the necessary traffic, such as IKE (UDP 500), NAT-T (UDP 4500), and ESP (IP protocol 50).

If this still does not work, you might need to check if your ISP or any other devices in the path are blocking the VPN traffic. It is also possible that the public IP address you are using is not properly forwarded to your Cisco device. Make sure that the public IP address is reachable and forwarded correctly to the Cisco device's WAN interface.

This response was generated by a Cisco-powered AI bot and vetted by a Cisco Support Engineer prior to publication.
This is part of a monitored experiment to see if the bot can help answer questions alongside community members. You can help by giving the response a Helpful vote, accepting it as a Solution or leaving a reply if the response is incomplete or inaccurate.
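ACL ordering is the point both the question and the reply turn on: IOS evaluates an access-list top down and stops at the first match, so in the posted OUTSIDE-IN list `permit esp any any` sits behind `deny ip any any` and can never match. The following Python evaluator is an added example (not from the thread or from Cisco) that parses the two lists exactly as written above and reports which entry decides each flow and which entries are shadowed; it understands only the `any any [eq ...]` entry forms that appear on this page.

```python
# Port keywords used on this page: 'isakmp' is UDP 500, 'non500-isakmp' is UDP 4500 (NAT-T).
PORT_NAMES = {"isakmp": 500, "non500-isakmp": 4500}

def parse_acl(text):
    """Parse 'permit|deny <proto> any any [eq <port>...]' lines into (action, proto, ports) tuples."""
    entries = []
    for line in text.strip().splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("permit", "deny"):
            continue  # the 'ip access-list extended ...' header carries no entry
        ports = None
        if "eq" in parts:  # every token after 'eq' is a port keyword or a port number
            ports = {PORT_NAMES[p] if p in PORT_NAMES else int(p) for p in parts[parts.index("eq") + 1:]}
        entries.append((parts[0], parts[1], ports))
    return entries

def evaluate(acl, proto, dport=None):
    """IOS semantics: the first matching entry decides; no match means the implicit deny."""
    for i, (action, acl_proto, ports) in enumerate(acl):
        if acl_proto in ("ip", proto) and (ports is None or dport in ports):
            return action, i
    return "deny", None

def unreachable(acl):
    """Indices of entries shadowed by an earlier unconditional '... ip any any' entry."""
    for i, (_, acl_proto, ports) in enumerate(acl):
        if acl_proto == "ip" and ports is None:
            return list(range(i + 1, len(acl)))
    return []
# The OUTSIDE-IN list exactly as it appears in the posted running-config.
ORIGINAL = """
ip access-list extended OUTSIDE-IN
 permit udp any any eq isakmp non500-isakmp
 deny ip any any
 permit esp any any
"""
# The reordered list from the reply above (its redundant 'eq 4500' line kept as written).
SUGGESTED = """
ip access-list extended OUTSIDE-IN
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit udp any any eq 4500
 permit esp any any
 deny ip any any
"""
if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("suggested", SUGGESTED)):
        acl = parse_acl(text)
        print(name, "ESP ->", evaluate(acl, "esp"), "shadowed entries:", unreachable(acl))
```

IOS ACLs are stateless, so a list ending in `deny ip any any` applied inbound on GigabitEthernet8 also drops the return traffic of the router's own outbound NAT flows unless a stateful feature such as the zone-based firewall opens it. On the device, `show ip access-lists` shows a match counter per entry, which is the quickest way to confirm which line is actually catching the VPN packets.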

alficho23
Level 1

Absolutely not helpful in any way. Considering giving up on the Cisco solution. Please help me, what am I missing here?