• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 542
  • Last Modified:

Cisco remote VPN client config with IAS

Trying to configure a 2821 router to allow remote clients to connect. Looks like IAS is cnfigured correctly. The IAS show authentication successful. The client prompts for a username and password, I login and it shows "Securing communication channel" then disconnects. The Cisco client log shows:

101    12:56:56.820  12/20/09  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=8AB230FC3EBC5C3F R_Cookie=024FC51C58CD05AF) reason = DEL_REASON_IKE_NEG_FAILED

102    12:56:56.820  12/20/09  Sev=Info/4      CM/0x63100012
Phase 1 SA deleted before first Phase 2 SA is up cause by "DEL_REASON_IKE_NEG_FAILED".  0 Crypto Active IKE SA, 0 User Authenticated IKE SA in the system

Can someone look at my config below and see what I have missed?

Thank you.
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hostname
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication fail-message ^CCCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login default local
aaa authentication login con local
aaa authentication login user local
aaa authentication login clientauth local
aaa authentication login UserAuth group radius
aaa authentication login REMOTE local
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization exec REMOTE local if-authenticated
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.10.1 172.16.10.100
ip dhcp excluded-address 172.16.10.1
!
ip dhcp pool Internal-Network
   import all
   network 172.16.5.0 255.255.255.0
   default-router 172.16.5.1
   domain-name domain.com
   dns-server 192.168.100.5 172.16.5.1 192.168.100.15
   lease 4
   update arp
!
ip dhcp pool VoIP-Network
   import all
   network 172.16.10.0 255.255.255.0
   default-router 172.16.10.1
   domain-name domain.com
   dns-server 172.16.5.1
   option 156 ascii "ftpservers=172.16.5.20"
   option 42 ip 172.16.5.20
   lease 4
   update arp
!
!
ip domain name domain.com
ip name-server 64.105.132.250
ip name-server 64.105.132.252
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name HTTP http
ip inspect name TELNET telnet
!
!
voice-card 0
 no dspfarm
!
!
!
crypto pki trustpoint TP-self-signed-3438045733
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3438045733
 revocation-check none
 rsakeypair TP-self-signed-3438045733
!
!
crypto pki certificate chain TP-self-signed-3438045733
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
 
username cisc0admin privilege 15 password 7 xxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 208.57.x.x
!
crypto isakmp client configuration group VPN
 key xxxxxx!
 dns 172.16.5.1 192.168.100.5
 domain domain.com
 pool vpnpool
 acl 140
crypto isakmp profile VPNclient
   match identity group VPN
   client authentication list UserAuth
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set securevpn esp-des esp-md5-hmac
!
crypto dynamic-map dynmap 5
 set transform-set securevpn
 set isakmp-profile VPNclient
!
!
crypto map VPN 1 ipsec-isakmp
 set peer 208.57.x.x
 set transform-set securevpn
 match address 110
!
!
!
!
interface Vif1
 no ip address
!
interface GigabitEthernet0/0
 description $FW_INSIDE$
 ip address 172.16.5.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 172.16.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 no ip mroute-cache
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
 no ip address
!
interface Virtual-Template1
 description $FW_OUTSIDE$
 ip address 66.167.x.x 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect TELNET in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ppp chap hostname xxxxx
 ppp chap password 7 xxxx
 crypto map VPN
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.167.x.x
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
ip nat inside source static tcp 172.16.5.1 23 66.167.x.x 23 extendable
ip nat inside source static tcp 172.16.5.80 80 66.167.x.x 80 extendable
ip nat inside source static tcp 172.16.5.80 9090 66.167.x.x 9090 extendable

!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny   ip 172.16.10.0 0.0.0.255 any
access-list 101 deny   ip 66.167.224.24 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny   ip 66.167.224.24 0.0.0.7 any
access-list 102 deny   ip 172.16.5.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.x.x host 66.167.x.x
access-list 103 permit esp host 208.57.x.x host 66.167.x.x
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny   ip 172.16.10.0 0.0.0.255 any
access-list 103 deny   ip 172.16.5.0 0.0.0.255 any
access-list 103 deny   ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq 1645
access-list 103 permit tcp any any eq 1646
access-list 103 permit tcp any any eq 1812
access-list 103 permit tcp any any eq 1813
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Tunnel
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
 match ip address 199
!
!
!
radius-server host 172.16.5.4 auth-port 1812 acct-port 1813
radius-server host 172.16.5.4 auth-port 1645 acct-port 1646
radius-server key 7 020A54480A0A1B715F0F
!
control-plane

Open in new window

0
andersenks
Asked:
andersenks
  • 6
  • 5
1 Solution
 
andersenksAuthor Commented:
I enabled debug radius. this is what I get when I try to connect...

*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E):Orig. component type = VPN_IPSEC
*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E): dropping service type, "radius-server attribute 6 on-for-login-auth" is off
*Dec 21 04:36:19.231: RADIUS(0000006E): Config NAS IP: 0.0.0.0
*Dec 21 04:36:19.231: RADIUS/ENCODE(0000006E): acct_session_id: 105
*Dec 21 04:36:19.231: RADIUS(0000006E): sending
*Dec 21 04:36:19.235: RADIUS/ENCODE: Best Local IP-Address 172.16.5.1 for Radius-Server 172.16.5.4
*Dec 21 04:36:19.235: RADIUS(0000006E): Send Access-Request to 172.16.5.4:1812 id 1645/17, len 75
*Dec 21 04:36:19.235: RADIUS:  authenticator 51 93 2D A0 BE 35 05 42 - 2D 72 CD 83 ED C5 31 57
*Dec 21 04:36:19.235: RADIUS:  User-Name           [1]   15  "administrator"
*Dec 21 04:36:19.235: RADIUS:  User-Password       [2]   18  *
*Dec 21 04:36:19.235: RADIUS:  Calling-Station-Id  [31]  16  "71.106.x.x"
*Dec 21 04:36:19.235: RADIUS:  NAS-IP-Address      [4]   6   172.16.5.1
*Dec 21 04:36:19.239: RADIUS: Received from id 1645/17 172.16.5.4:1812, Access-Accept, len 64
*Dec 21 04:36:19.239: RADIUS:  authenticator C3 0A 18 88 0B 1A F4 10 - A1 1B AD C6 59 51 52 84
*Dec 21 04:36:19.239: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
*Dec 21 04:36:19.239: RADIUS:  Service-Type        [6]   6   Framed                    [2]
*Dec 21 04:36:19.239: RADIUS:  Class               [25]  32
*Dec 21 04:36:19.239: RADIUS:   3F 5F 04 9D 00 00 01 37 00 01 AC 10 05 04 01 CA  [?_?????7????????]
*Dec 21 04:36:19.239: RADIUS:   81 20 ED 10 54 CC 00 00 00 00 00 00 00 15        [? ??T?????????]
*Dec 21 04:36:19.239: RADIUS(0000006E): Received from id 1645/17
*Dec 21 04:36:19.239: RADIUS: Constructed " ppp negotiate"
0
 
Jody LemoineNetwork ArchitectCommented:
It looks like you don't have your dynamic crypto map assigned to the crypto map on the interface.  Try adding the following to see if it clears things up for you.

crypto map VPN 10 ipsec-isakmp dynamic dynmap
0
 
andersenksAuthor Commented:
I s ee what you are sayiing. Reconfigured everything and still having the same issue.... See code below for changes.

Thanks
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname 2821_RO
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication fail-message ^CCCLogin Failed Unauthorized access and use of this network will be vigorously prosecuted.^C
aaa authentication login con local
aaa authentication login user local
aaa authentication login REMOTE local
aaa authentication login userauthen group radius local
aaa authorization console
aaa authorization exec default local
aaa authorization exec con local
aaa authorization exec REMOTE local if-authenticated
aaa authorization network groupauthor local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 172.16.5.1 172.16.5.100
ip dhcp excluded-address 172.16.5.1
ip dhcp excluded-address 172.16.10.1 172.16.10.100
ip dhcp excluded-address 172.16.10.1
!
ip dhcp pool Internal-Network
   import all
   network 172.16.5.0 255.255.255.0
   default-router 172.16.5.1
   domain-name domain.com
   dns-server 192.168.100.5 172.16.5.1 192.168.100.15
   lease 4
   update arp
!
ip dhcp pool VoIP-Network
   import all
   network 172.16.10.0 255.255.255.0
   default-router 172.16.10.1
   domain-name domain.com
   dns-server 172.16.5.1
   option 156 ascii "ftpservers=172.16.5.20"
   option 42 ip 172.16.5.20
   lease 4
   update arp
!
!
ip domain name domain.com
ip name-server 64.105.132.250
ip name-server 64.105.132.252
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip inspect name HTTP http
ip inspect name TELNET telnet
!
!
voice-card 0
 no dspfarm
!
!
username cisc0admin privilege 15 password 7 0507561C20405A590A
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key l0salt0s address 208.57.93.171
!
crypto isakmp client configuration group LosAltosVPN
 key l0salt0s!
 dns 172.16.5.1 192.168.100.5
 domain domain.com
 pool vpnpool
 acl 140
crypto isakmp profile VPNclient
   match identity group LosAltosVPN
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set securevpn esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set securevpn
 set isakmp-profile VPNclient
!
!
crypto map VPN 1 ipsec-isakmp
 set peer 208.57.93.171
 set transform-set securevpn
 match address 110
!
!
crypto map vpn client authentication list userauthen
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Vif1
 no ip address
!
interface GigabitEthernet0/0
 description $FW_INSIDE$
 ip address 172.16.5.1 255.255.255.0
 ip access-group 101 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 description $FW_INSIDE$
 ip address 172.16.10.1 255.255.255.0
 ip access-group 102 in
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/0/0
 no ip address
 encapsulation frame-relay IETF
 no ip mroute-cache
 service-module t1 timeslots 1-24
 frame-relay lmi-type ansi
!
interface Serial0/0/0.1 point-to-point
 no ip mroute-cache
 frame-relay interface-dlci 16 ppp Virtual-Template1
!
interface Virtual-PPP1
 no ip address
!
interface Virtual-Template1
 description $FW_OUTSIDE$
 ip address 66.167.x.x 255.255.255.248
 ip access-group 103 in
 ip verify unicast reverse-path
 ip nat outside
 ip inspect TELNET in
 ip inspect SDM_LOW out
 ip virtual-reassembly
 ppp chap hostname xxxxxxx
 ppp chap password 7 xxxxxx
 crypto map VPN
!
interface Virtual-TokenRing1
 no ip address
 ring-speed 16
!
ip local pool vpnpool 172.16.40.100 172.16.40.254
ip classless
ip route 0.0.0.0 0.0.0.0 66.167.x.x
!
ip dns server
!
ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Virtual-Template1 overload
ip nat inside source static tcp 172.16.5.1 23 66.167.x.x 23 extendable

!
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 100 remark Tunnel to Nelson
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny   ip 172.16.10.0 0.0.0.255 any
access-list 101 deny   ip 66.167.224.24 0.0.0.7 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny   ip 66.167.224.24 0.0.0.7 any
access-list 102 deny   ip 172.16.5.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.93.171 host 66.167.x.x
access-list 103 permit esp host 208.57.93.171 host 66.167.x.x
access-list 103 permit udp host 208.57.93.171 host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.93.171 host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.0.0 0.0.255.255
access-list 103 deny   ip 172.16.10.0 0.0.0.255 any
access-list 103 deny   ip 172.16.5.0 0.0.0.255 any
access-list 103 deny   ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq 1645
access-list 103 permit tcp any any eq 1646
access-list 103 permit tcp any any eq 1812
access-list 103 permit tcp any any eq 1813
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.15.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Tunnel to Nelson
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any
!
route-map nonat permit 10
 match ip address 199
!
!
!
radius-server host 172.16.5.4 auth-port 1812 acct-port 1813
radius-server host 172.16.5.4 auth-port 1645 acct-port 1646
radius-server key 7 xxxxxxx
!
control-plane
!
!
!
!
line con 0
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 password 7 xxxxxxxx
 authorization exec REMOTE
 login authentication REMOTE
 transport input telnet ssh
line vty 5 15
 privilege level 15
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end

Open in new window

0
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

 
Jody LemoineNetwork ArchitectCommented:
Map names are case sensitive.  You're applying all of your access VPN configuration to crypto map vpn, but all of your site-to-site is on crypto map VPN, the latter of which is the only one assigned to the interface.  Change this...

crypto map vpn client authentication list userauthen
crypto map vpn isakmp authorization list groupauthor
crypto map vpn client configuration address respond
crypto map vpn 10 ipsec-isakmp dynamic dynmap

to this...

crypto map VPN client authentication list userauthen
crypto map VPN isakmp authorization list groupauthor
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic dynmap

...and see if that helps.
0
 
andersenksAuthor Commented:
Ahhh geez.... that was it!  Thank you!

Can you take a look at my access lists? Can't ping from remote PC (172.16.40.x) to the 172.16.x.x network but can ping the 192.168.100.x network accross the tunnel.

If its too invlved I'll open another question.

Thanks again
0
 
Jody LemoineNetwork ArchitectCommented:
Sure.

Your access list 140 only permits IP traffic to/from 192.168.100.0/24 to the VPN pool.

access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255

Add the following to get access to the LAN:

access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255

If you want the VPN to access the ShoreTel network, at the following:

access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255

Just keep going with the same pattern until you have all of the networks that need to go across the VPN added.
0
 
andersenksAuthor Commented:
Tried that with no success, here is the current ACL
access-list 10 permit 172.16.0.0 0.0.255.255
access-list 101 remark ACL for ShoreTel VoIP
access-list 101 deny   ip 66.167.x.x 0.0.0.7 any
access-list 101 deny   ip 172.16.10.0 0.0.0.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark ACL for network traffic
access-list 102 deny   ip 66.167.x.x 0.0.0.7 any
access-list 102 deny   ip 172.16.5.0 0.0.0.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 permit ip any any
access-list 103 remark Traffic allowed over Virtual Template1 T1
access-list 103 permit ahp host 208.57.x.x host 66.167.x.x
access-list 103 permit esp host 208.57.x.x host 66.167.x.x
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq isakmp
access-list 103 permit udp host 208.57.x.x host 66.167.x.x eq non500-isakmp
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.5.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.10.0 0.0.0.255
access-list 103 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 103 deny   ip 172.16.5.0 0.0.0.255 any
access-list 103 deny   ip 172.16.10.0 0.0.0.255 any
access-list 103 deny   ip 172.16.40.0 0.0.0.255 any
access-list 103 permit icmp any host 66.167.x.x echo-reply
access-list 103 permit icmp any host 66.167.x.x time-exceeded
access-list 103 permit icmp any host 66.167.x.x unreachable
access-list 103 permit tcp any any eq www
access-list 103 permit tcp any any eq 5800
access-list 103 permit tcp any any eq 5900
access-list 103 permit tcp any any eq 9090
access-list 103 permit tcp any any eq 9192
access-list 103 permit tcp any any eq telnet
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit udp any any eq isakmp
access-list 103 permit esp any any
access-list 103 permit gre any any
access-list 103 deny   ip 10.0.0.0 0.255.255.255 any
access-list 103 deny   ip 172.16.0.0 0.0.255.255 any
access-list 103 deny   ip 192.168.0.0 0.0.255.255 any
access-list 103 deny   ip 127.0.0.0 0.255.255.255 any
access-list 103 deny   ip host 255.255.255.255 any
access-list 103 deny   ip host 0.0.0.0 any
access-list 103 deny   ip any any log
access-list 110 remark Tunnel
access-list 110 permit ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 140 permit ip 192.168.100.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.10.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 140 permit ip 172.16.5.0 0.0.0.255 172.16.40.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 permit ip any any

Open in new window

0
 
Jody LemoineNetwork ArchitectCommented:
When you apply the changes to access list 140 and reconnect, what routes show up in your VPN client?
0
 
andersenksAuthor Commented:
I think I got it... had to add a line in the 199 ACL

access-list 199 deny   ip 172.16.0.0 0.0.255.255 192.168.100.0 0.0.0.255
access-list 199 deny   ip 172.16.0.0 0.0.255.255 172.16.40.0 0.0.0.255
access-list 199 permit ip any any

0
 
Jody LemoineNetwork ArchitectCommented:
Whoops... forgot the NAT.  Yes, that'll do it.
0
 
andersenksAuthor Commented:
Thanks Jodylemoine
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now