Question

No Internal Ping -- Cisco 2811 IPSEC VPN

Asked by: aseisman

I am trying to configure an IPSEC VPN on my 2811 router. I am able to connect to the VPN; however, I cannot ping any internal resources, including the internal IP of the router, 10.0.1.1.

yourname#show run
Building configuration...
 
Current configuration : 6025 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
!
aaa session-id common
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool LAN
   import all
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1 
   dns-server 4.2.2.1 4.2.2.2 
   lease infinite
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3579361095
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3579361095
 revocation-check none
 rsakeypair TP-self-signed-3579361095
!
!
crypto pki certificate chain TP-self-signed-3579361095
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33353739 33363130 3935301E 170D3039 30373234 31383238 
  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35373933 
  36313039 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100B4D4 BE8AFDC2 BD85F413 5F195E04 12765448 B54D2EC4 B9FCE684 6E76C730 
  DF0ACE7A 9E64A5CE 820638C5 3867C494 5783B5A7 44DAB643 73CAE524 A19DC4EB 
  E881D7F4 88E838F7 AA1AA8E0 1FDBBD70 124FD296 AA087A96 4AB2B925 E51F6961 
  37C8E89D 4B3B1FD2 AAD11B2D EB0A1708 368265B2 3EBCF88A E00B349E D4B32FE1 
  5F390203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 145DAA56 8BE4F9C9 CCE4C686 35F858D1 288E158D 
  56301D06 03551D0E 04160414 5DAA568B E4F9C9CC E4C68635 F858D128 8E158D56 
  300D0609 2A864886 F70D0101 04050003 81810009 FC7C05C6 4BA3C656 92E1BED5 
  55F65E3D CE40917B 6276AA35 59C46A93 75D9F723 280521E3 5EB353D0 D4751C49 
  F643FED1 65E2D0E0 8B4FB1DF 0459BD9F C00AB3E4 E7BB1F93 EEC47774 4A7C0245 
  4524AFA2 4138FFF9 A4195C2A CB50397F AF6B94F7 529161AB 08C49D98 0E9DD561 
  6B6AC26F E48F07F3 F2E85B6B 26AEAB22 110784
  	quit
!
!
username aseisman privilege 15 secret 5 $1$4ApO$cLg18ne2hFW3sHy01yNsE0
username aaron password 0 pam123
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key pam123
 dns 4.2.2.1
 wins 10.0.1.1
 domain manvantage.com
 pool ippool
 acl 102
 include-local-lan
 netmask 255.255.255.0
!         
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set myset 
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
!
!
!
!
!
interface FastEthernet0/0
 description $Cable$
 ip address EXTERNAL_IP 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip local pool ippool 10.0.1.160 10.0.1.191
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 96.57.246.169 251
ip route 0.0.0.0 0.0.0.0 96.56.92.137 251
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.15.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.15.255 any
!
!
route-map RMAP_1 permit 1
 match ip address 102
 match interface FastEthernet0/0
!
!
!
control-plane
!         
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI. 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use. 
 
For more information about SDM please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
 
yourname#

Asked on: 2009-08-10 at 15:40:08, ID: 24641625

Tags: cisco, router, IOS, vpn, ipsec

Topics: Virtual Private Networking (VPN), Network Routers

Participating Experts: 3
Points: 500
Comments: 10

Answers

 

by: oalva, posted on 2009-08-10 at 16:32:36, ID: 25065063

When you do a traceroute from the internal network to one of the tunnel IPs, does it just stop or go out your internet?
If it goes out the internet, you probably need a deny in access list 102, and it must come before the permit.

 

by: aseisman, posted on 2009-08-10 at 17:09:16, ID: 25065273

When I do a traceroute to one of the tunnel IPs it just stops.

 

by: mikecr, posted on 2009-08-10 at 19:03:25, ID: 25065672

Change your 102 ACL to reflect the networks that you are attempting to get to, and don't use the any keyword. I've seen IPSEC have issues with this type of configuration.

 

by: aseisman, posted on 2009-08-11 at 03:47:53, ID: 25067591

The IP pool for the VPN is 10.0.1.160 0.0.0.31, and I want to be able to access any of the 10.0.1. addresses on the local network. Please suggest how the access list should read. I have tried many things and none of them work.

 

by: Abruhn, posted on 2009-08-11 at 04:07:13, ID: 25067680

Hi

Try to modify the 102 access-list so it looks like this:

no access-list 102
access-list 102 deny ip 10.0.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 102 permit ip 10.0.0.0 0.0.15.255 any

Then the router doesn't NAT traffic from the inside to the IPsec clients!



regards

 

by: aseisman, posted on 2009-08-11 at 05:53:50, ID: 25068386

Still cannot ping any resources. I also tried pinging the connected client from the router directly; that does not work either.

 

by: mikecr, posted on 2009-08-11 at 06:21:31, ID: 25068666

The access list for the IPSEC is separate from the access list that you need to use for NAT.

Try this:

interface fe0/0
no ip nat outside
no crypto map clientmap

no ip nat inside source route-map RMAP_1 interface FastEthernet0/0 overload

no access-list 102
access-list 102 permit ip 10.0.1.0 0.0.0.255 any

access-list 103 deny ip 10.0.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list 103 interface fe0/0 overload

int fe0/0
ip nat outside
crypto map clientmap

Let us know what happens.

 

by: aseisman, posted on 2009-08-11 at 07:15:12, ID: 25069297

From the VPN client upon trying to connect:

Error: No Hostname exists for this connection entry. Unable to make VPN connection.

% Invalid input detected at '^' marker.
 
yourname(config)#crypto isakmp client configuration group 3000client
yourname(config-isakmp-group)#end
yourname#show run
Building configuration...
 
Current configuration : 6259 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local 
!
!
aaa session-id common
dot11 syslog
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool LAN
   import all
   network 10.0.1.0 255.255.255.0
   default-router 10.0.1.1 
   dns-server 4.2.2.1 4.2.2.2 
   lease infinite
!
!
ip domain name yourdomain.com
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-3579361095
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3579361095
 revocation-check none
 rsakeypair TP-self-signed-3579361095
!
!
crypto pki certificate chain TP-self-signed-3579361095
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 33353739 33363130 3935301E 170D3039 30373234 31383238 
  35335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649 
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35373933 
  36313039 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281 
  8100B4D4 BE8AFDC2 BD85F413 5F195E04 12765448 B54D2EC4 B9FCE684 6E76C730 
  DF0ACE7A 9E64A5CE 820638C5 3867C494 5783B5A7 44DAB643 73CAE524 A19DC4EB 
  E881D7F4 88E838F7 AA1AA8E0 1FDBBD70 124FD296 AA087A96 4AB2B925 E51F6961 
  37C8E89D 4B3B1FD2 AAD11B2D EB0A1708 368265B2 3EBCF88A E00B349E D4B32FE1 
  5F390203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603 
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D 
  301F0603 551D2304 18301680 145DAA56 8BE4F9C9 CCE4C686 35F858D1 288E158D 
  56301D06 03551D0E 04160414 5DAA568B E4F9C9CC E4C68635 F858D128 8E158D56 
  300D0609 2A864886 F70D0101 04050003 81810009 FC7C05C6 4BA3C656 92E1BED5 
  55F65E3D CE40917B 6276AA35 59C46A93 75D9F723 280521E3 5EB353D0 D4751C49 
  F643FED1 65E2D0E0 8B4FB1DF 0459BD9F C00AB3E4 E7BB1F93 EEC47774 4A7C0245 
  4524AFA2 4138FFF9 A4195C2A CB50397F AF6B94F7 529161AB 08C49D98 0E9DD561 
  6B6AC26F E48F07F3 F2E85B6B 26AEAB22 110784
  	quit
!
!
username aseisman privilege 15 secret 5 $1$4ApO$cLg18ne2hFW3sHy01yNsE0
username aaron password 0 pam123
archive
 log config
  hidekeys
! 
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group 3000client
 key pam123
 dns 4.2.2.1
 wins 10.0.1.1
 domain manvantage.com
 pool ippool
 acl 103
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac 
!
crypto dynamic-map dynmap 10
 set transform-set myset 
 reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap 
!
!
!
!
!
!
interface FastEthernet0/0
 description $Cable$
 ip address EXTERNAL_IP 255.255.255.248
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map clientmap
!
interface FastEthernet0/1
 ip address 10.0.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip local pool ippool 10.0.1.160 10.0.1.191
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 96.57.246.169 251
ip route 0.0.0.0 0.0.0.0 96.56.92.137 251
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet0/0 overload
ip nat inside source route-map RMAP_1 interface FastEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.15.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 10.0.1.0 0.0.0.255
access-list 102 permit ip 10.0.1.0 0.0.0.255 any
access-list 103 deny   ip 10.0.1.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 103 permit ip 10.0.1.0 0.0.0.255 any
!
!
route-map RMAP_1 permit 1
 match ip address 102
 match interface FastEthernet0/0
!
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Router and Security Device Manager (SDM) is installed on this device and 
it provides the default username "cisco" for  one-time use. If you have already 
used the username "cisco" to login to the router and your IOS image supports the 
"one-time" user option, then this username has already expired. You will not be 
able to login to the router with this username after you exit this session.
 
It is strongly suggested that you create a new username with a privilege level 
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to 
use.
 
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device. 
This feature requires the one-time use of the username "cisco" 
with the password "cisco". The default username and password have a privilege level of 15.
 
Please change these publicly known initial credentials using SDM or the IOS CLI. 
Here are the Cisco IOS commands.
 
username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco
 
Replace <myuser> and <mypassword> with the username and password you want to use. 
 
For more information about SDM please follow the instructions in the QUICK START 
GUIDE for your router or go to http://www.cisco.com/go/sdm 
-----------------------------------------------------------------------
^C
!
line con 0
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
 
yourname#

 

by: mikecr, posted on 2009-08-11 at 08:05:47, ID: 25069896

You will need to remove the crypto map from the FE interface and also the NAT.

no crypto map clientmap
no ip nat outside

Add them back when you get done making the rest of these changes.

Remove this:

no ip nat inside source route-map RMAP_1 interface FastEthernet0/0 overload

Change the ACL; you used the wrong one.
EDIT THIS:

crypto isakmp client configuration group 3000client
  acl 103
 
SHOULD BE THIS:

crypto isakmp client configuration group 3000client
  acl 102
 
Once you have made the changes, try it again.
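The NAT and split-tunnel lists mikecr separates in his 06:21 comment and the final correction above (102 in the group configuration, 103 on the NAT statement) can be checked offline. The following is an added example, not code from the thread or from Cisco: it models how IOS evaluates a numbered extended ACL (wildcard masks, first match wins, implicit deny) and the decision `ip nat inside source list <acl>` makes, which is to translate only when the list permits. The ACL contents and the pool are the ones in the posted configs; the hosts 10.0.1.10 (a LAN host) and 10.0.1.170 (a client drawn from the pool 10.0.1.160-191) are constructed sample values, and the function names are the example's own. It assumes the LAN-to-client packet reaches the inside-to-outside NAT check, which is what the advice in the thread presupposes.

```python
"""Model of the ACL lookups behind the NAT fix discussed in this thread.

Added example; reimplements two pieces of IOS behaviour so the effect of the
ACL changes can be checked offline:
  * numbered extended ACL matching (wildcard masks, first match wins,
    implicit deny at the end);
  * the decision 'ip nat inside source list <acl> ... overload' makes:
    translate only when the list permits the packet.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AclEntry:
    action: str      # "permit" or "deny"
    src: str         # source network
    src_wc: str      # IOS wildcard mask: 1 bits are don't-care
    dst: str         # destination network
    dst_wc: str


ANY = ("0.0.0.0", "255.255.255.255")   # the IOS 'any' keyword as a wildcard pair

# Original config: one list drives both the NAT route-map and the
# split-tunnel list of group 3000client.
ACL_102_ORIGINAL = [AclEntry("permit", "10.0.0.0", "0.0.15.255", *ANY)]

# mikecr's final layout: 102 is the split-tunnel list (source = networks the
# client should reach through the tunnel); 103 is the NAT source list with
# LAN-to-LAN traffic exempted. The VPN pool 10.0.1.160-191 lies inside
# 10.0.1.0/24, so the deny covers LAN-to-client traffic as well.
ACL_102_SPLIT = [AclEntry("permit", "10.0.1.0", "0.0.0.255", *ANY)]
ACL_103_NAT = [
    AclEntry("deny", "10.0.1.0", "0.0.0.255", "10.0.1.0", "0.0.0.255"),
    AclEntry("permit", "10.0.1.0", "0.0.0.255", *ANY),
]


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """True if addr matches net under an IOS wildcard mask."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (a & care) == (n & care)


def acl_lookup(acl, src: str, dst: str) -> str:
    """First matching entry decides; an unmatched packet hits the implicit deny."""
    for entry in acl:
        if (wildcard_match(src, entry.src, entry.src_wc)
                and wildcard_match(dst, entry.dst, entry.dst_wc)):
            return entry.action
    return "deny"


def will_be_natted(nat_acl, src: str, dst: str) -> bool:
    """NAT translates a packet leaving the inside only when the list permits it."""
    return acl_lookup(nat_acl, src, dst) == "permit"


def sent_through_tunnel(split_acl, dst: str) -> bool:
    """Split tunnelling: the client encrypts traffic whose destination falls in
    the source field of a permit entry (IOS pushes those sources to the client
    as the protected networks)."""
    return any(e.action == "permit" and wildcard_match(dst, e.src, e.src_wc)
               for e in split_acl)


def compare(lan_host="10.0.1.10", vpn_client="10.0.1.170", internet="4.2.2.1"):
    """NAT decision for each sample flow under the old and the new list."""
    flows = {"lan->vpn client": (lan_host, vpn_client),
             "lan->internet": (lan_host, internet)}
    return {name: {"original acl 102": will_be_natted(ACL_102_ORIGINAL, s, d),
                   "new acl 103": will_be_natted(ACL_103_NAT, s, d)}
            for name, (s, d) in flows.items()}


if __name__ == "__main__":
    for flow, result in compare().items():
        print(flow, result)
```

Under the original list a reply from 10.0.1.10 to a VPN client is translated to the outside address before it is encrypted, so the client never sees the inside host answer; with the deny entry in 103 the same flow is left untranslated while Internet-bound traffic is still overloaded. Separately from the reachability problem, note that the posted config carries `no service password-encryption`, a user password and the group pre-shared key in clear text, so a `show run` pasted into a forum discloses them; a copy intended for sharing should have those values replaced, as was done for the external IP.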

 

by: mikecr, posted on 2009-08-11 at 08:37:12, ID: 25070265

Everything working okay? If you need anything else, let me know.
