Solved

Cisco 881 Easy VPN server can connect but no access to resources

Posted on 2011-02-28
Last Modified: 2012-05-11
Hi,

I'm a new member who has been reading other solutions and can't quite find what it is I'm looking for. So I decided to post a new question and hopefully someone can help. This is not a very complex issue, probably just a NAT or routing issue but I'm not sure how to handle it.

I'm running a Cisco 881 and have set up an Easy VPN Server. I have attached the config below. I am able to make a connection and get an IP assigned from the VPN DHCP pool, however, I cannot ping any devices nor access any of the internal resources (network shares, RDP, application servers, etc.). The only thing I can access is a telnet connection to the router itself (192.168.0.1 when connected to the VPN). This is the only time I see packets received in the Cisco VPN client software. Here's the config:

Building configuration...

Current configuration : 7002 bytes
!
! Last configuration change at 09:26:16 PCTime Thu Feb 24 2011 by acclaim_admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hbg_acclaim_rtr
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$tcAf$2muPMKaKKjJJ8qbQAHVBU0
!
aaa new-model
!
!
aaa authentication login default none
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -5
!
crypto pki trustpoint TP-self-signed-3282243984
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3282243984
 revocation-check none
 rsakeypair TP-self-signed-3282243984
!
!
crypto pki certificate chain TP-self-signed-3282243984
 certificate self-signed 01
  30820261 308201CA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323832 32343339 3834301E 170D3130 31303139 31383537
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32383232
  34333938 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A73B 5A1DCB70 3AED7C95 F2C68BA5 021D407A C271A5A6 A799A913 48EA36C5
  A76161D1 AAEA48C1 C9CF09E1 B00598D9 FF6D7F19 DCB00241 4A62AF8D 2F24BBF4
  261B1958 5C876488 84D82BFB 1B9318B2 574B034A 942F0037 2E884907 B614AF73
  1637ED30 052E426D DE4F06BA 35666064 BECABCC9 D6FD0F4A FB652754 02D5B599
  B1A10203 010001A3 81883081 85300F06 03551D13 0101FF04 05300301 01FF3032
  0603551D 11042B30 29822768 62675F61 63636C61 696D5F72 74722E68 6267312E
  6163636C 61696D73 79737465 6D732E63 6F6D301F 0603551D 23041830 16801487
  C3A3E826 93946B90 572DE60F 07D92184 DFB4F830 1D060355 1D0E0416 041487C3
  A3E82693 946B9057 2DE60F07 D92184DF B4F8300D 06092A86 4886F70D 01010405
  00038181 001CFF17 2A2B172A C5969EEA 5D086A4C ECC3286E 7EA38878 6A150347
  71C5B209 CDDA6D47 4508E80B C3DB9CDE C2C6596F 5BAA14D6 1137D4E8 5D7E397D
  9EF0C549 6A2D91D9 6565E9A7 1E1052A0 08AE22DA FCA6EDF9 7617F666 481314F8
  36284C9E 493642A2 A89681EE 01968514 E02544D6 CF769734 3BD99AB9 882A109E
  B5A438E6 46
      quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name XXX.XXXXXXXXX.com
ip name-server 192.168.0.2
ip name-server xx.xxx.xxx.xx
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX1436800G
!
!
username XXXXXX privilege 15 secret 5 $1$L07G$PLfhovE4Lx4A.65eIdivN0
username XXXXXX privilege 15 secret 5 $1$pE9q$/YV28460.a.l.poZa9fqW.
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXX
 key XXXXXXXXX
 pool Dot_1_240
 acl 100
 max-users 4
crypto isakmp profile ciscocp-ike-profile-1
   match identity group XXXXXX
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Loopback0
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
 ip address 75.XXX.XXX.X3 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool Dot_1_240 192.168.1.240 192.168.1.243
ip default-gateway 75.XXX.XXX.X4
ip forward-protocol nd
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.0.11 80 interface FastEthernet4 80
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 75.XXX.XXX.X4
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^CC


% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------


^C
banner login ^CCAuthorized access only!


 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Question by:Robert-bo-bobert

30 Comments
LVL 6

Expert Comment

by:vikrantambhore
ID: 35004169
Hello,

Try below
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp client configuration group XXXXXX
No acl 100
acl 101

Author Comment

by:Robert-bo-bobert
ID: 35006904
Thank you, I will try tonight as this is a production environment and cannot make changes during the day. I will let you know if it works.

Author Comment

by:Robert-bo-bobert
ID: 35014099
I've made the change you suggested but I am still in the same situation, unable to ping or access resources on the 192.168.0.X subnet.
LVL 6

Expert Comment

by:vikrantambhore
ID: 35014220
How did you connect to the router for VPN?
Dial-up or any other?



Vikrant
LVL 6

Expert Comment

by:vikrantambhore
ID: 35014241

Author Comment

by:Robert-bo-bobert
ID: 35018255
Thanks for the link, I read through the thread and my current config and I see what needs to be changed. I will implement the removal of 'no ip proxy-arp' from VLAN 1 in about 7 hours and let you know how it works.

Author Comment

by:Robert-bo-bobert
ID: 35022008
I missed the part about how I'm connecting to the VPN, sorry. I'm connecting through a cable connection using the Cisco VPN Client software, v5.0.06.0160.
LVL 6

Expert Comment

by:vikrantambhore
ID: 35024004
Did you apply that part?

Author Comment

by:Robert-bo-bobert
ID: 35027287
I did apply:

conf t
int vlan1
ip proxy-arp

It made no difference. Here is my current config now:

Building configuration...

Current configuration : 6681 bytes
!
! Last configuration change at 17:30:10 PCTime Wed Mar 2 2011 by acclaim_admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hbg_acclaim_rtr
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$tcAf$2muPMKaKKjJJ8qbQAHVBU0
!
aaa new-model
!
!
aaa authentication login default none
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -5
!
crypto pki trustpoint TP-self-signed-3282243984
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3282243984
 revocation-check none
 rsakeypair TP-self-signed-3282243984
!
!
crypto pki certificate chain TP-self-signed-3282243984
 certificate self-signed 01
  30820261 308201CA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323832 32343339 3834301E 170D3130 31303139 31383537
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32383232
  34333938 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A73B 5A1DCB70 3AED7C95 F2C68BA5 021D407A C271A5A6 A799A913 48EA36C5
  A76161D1 AAEA48C1 C9CF09E1 B00598D9 FF6D7F19 DCB00241 4A62AF8D 2F24BBF4
  261B1958 5C876488 84D82BFB 1B9318B2 574B034A 942F0037 2E884907 B614AF73
  1637ED30 052E426D DE4F06BA 35666064 BECABCC9 D6FD0F4A FB652754 02D5B599
  B1A10203 010001A3 81883081 85300F06 03551D13 0101FF04 05300301 01FF3032
  0603551D 11042B30 29822768 62675F61 63636C61 696D5F72 74722E68 6267312E
  6163636C 61696D73 79737465 6D732E63 6F6D301F 0603551D 23041830 16801487
  C3A3E826 93946B90 572DE60F 07D92184 DFB4F830 1D060355 1D0E0416 041487C3
  A3E82693 946B9057 2DE60F07 D92184DF B4F8300D 06092A86 4886F70D 01010405
  00038181 001CFF17 2A2B172A C5969EEA 5D086A4C ECC3286E 7EA38878 6A150347
  71C5B209 CDDA6D47 4508E80B C3DB9CDE C2C6596F 5BAA14D6 1137D4E8 5D7E397D
  9EF0C549 6A2D91D9 6565E9A7 1E1052A0 08AE22DA FCA6EDF9 7617F666 481314F8
  36284C9E 493642A2 A89681EE 01968514 E02544D6 CF769734 3BD99AB9 882A109E
  B5A438E6 46
        quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name XXXX.XXXXXXXXXXX.com
ip name-server 192.168.0.2
ip name-server 68.87.64.146
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX1436800G
!
!
username acclaim_admin privilege 15 secret 5 $1$L07G$PLfhovE4Lx4A.65eIdivN0
username EZ privilege 15 secret 5 $1$pE9q$/YV28460.a.l.poZa9fqW.
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXX
 key XXXXXX
 pool Dot_1_240
 acl 101
 max-users 4
crypto isakmp profile ciscocp-ike-profile-1
   match identity group XXXXXX
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
 ip address 7X.XXX.XXX.X3 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool Dot_1_240 192.168.1.240 192.168.1.243
ip default-gateway 7X.XXX.XXX.X4
ip forward-protocol nd
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.0.11 80 interface FastEthernet4 80
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 7X.XXX.XXX.X4
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^CCC
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------

^C
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
LVL 6

Expert Comment

by:vikrantambhore
ID: 35034011
Try your internal interface under Virtual-Template1:
ip unnumbered <internal interface>

for example
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1

Author Comment

by:Robert-bo-bobert
ID: 35036735
Thank you for your suggestion, I will implement it in about 7 hrs and let you know how it works. If you think of anything else in the meantime post it and I can try that as well.

Author Comment

by:Robert-bo-bobert
ID: 35069847
Again tried your suggestion and no luck.
LVL 6

Expert Comment

by:vikrantambhore
ID: 35069899
Please post your config again.

Author Comment

by:Robert-bo-bobert
ID: 35071396
This is the current running (and boot) config...
Building configuration...

Current configuration : 6656 bytes
!
! Last configuration change at 18:23:39 PCTime Mon Mar 7 2011
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname hbg_acclaim_rtr
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$tcAf$2muPMKaKKjJJ8qbQAHVBU0
!
aaa new-model
!
!
aaa authentication login default none
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PCTime -5
!
crypto pki trustpoint TP-self-signed-3282243984
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3282243984
 revocation-check none
 rsakeypair TP-self-signed-3282243984
!
!
crypto pki certificate chain TP-self-signed-3282243984
 certificate self-signed 01
  30820261 308201CA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33323832 32343339 3834301E 170D3130 31303139 31383537
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32383232
  34333938 3430819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A73B 5A1DCB70 3AED7C95 F2C68BA5 021D407A C271A5A6 A799A913 48EA36C5
  A76161D1 AAEA48C1 C9CF09E1 B00598D9 FF6D7F19 DCB00241 4A62AF8D 2F24BBF4
  261B1958 5C876488 84D82BFB 1B9318B2 574B034A 942F0037 2E884907 B614AF73
  1637ED30 052E426D DE4F06BA 35666064 BECABCC9 D6FD0F4A FB652754 02D5B599
  B1A10203 010001A3 81883081 85300F06 03551D13 0101FF04 05300301 01FF3032
  0603551D 11042B30 29822768 62675F61 63636C61 696D5F72 74722E68 6267312E
  6163636C 61696D73 79737465 6D732E63 6F6D301F 0603551D 23041830 16801487
  C3A3E826 93946B90 572DE60F 07D92184 DFB4F830 1D060355 1D0E0416 041487C3
  A3E82693 946B9057 2DE60F07 D92184DF B4F8300D 06092A86 4886F70D 01010405
  00038181 001CFF17 2A2B172A C5969EEA 5D086A4C ECC3286E 7EA38878 6A150347
  71C5B209 CDDA6D47 4508E80B C3DB9CDE C2C6596F 5BAA14D6 1137D4E8 5D7E397D
  9EF0C549 6A2D91D9 6565E9A7 1E1052A0 08AE22DA FCA6EDF9 7617F666 481314F8
  36284C9E 493642A2 A89681EE 01968514 E02544D6 CF769734 3BD99AB9 882A109E
  B5A438E6 46
        quit
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name XXXX.XXXXXXXXXX.com
ip name-server 192.168.0.2
ip name-server 68.87.64.146
no ipv6 cef
!
!
license udi pid CISCO881-K9 sn FTX1436800G
!
!
username admin privilege 15 secret 5 $1$L07G$PLfhovE4Lx4A.65eIdivN0
username XXXXXX privilege 15 secret 5 $1$pE9q$/YV28460.a.l.poZa9fqW.
crypto ctcp port 10000
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXXXX
 key XXXXXXXX
 pool Dot_1_240
 acl 101
 max-users 4
crypto isakmp profile ciscocp-ike-profile-1
   match identity group XXXXXXXX
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ETH-WAN$$FW_OUTSIDE$$ES_WAN$
 ip address 7X.XXX.XXX.X3 255.255.255.252
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 192.168.0.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool Dot_1_240 192.168.1.240 192.168.1.243
ip default-gateway 7X.XXX.XXX.X4
ip forward-protocol nd
ip http server
ip http port 8080
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.0.11 80 interface FastEthernet4 80
ip nat inside source list 100 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 7X.XXX.XXX.X4
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.0.0 0.0.0.255
access-list 100 remark CCP_ACL Category=2
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
no cdp run

!
!
!
!
!
control-plane
!
banner exec ^CCC


% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^CCCAuthorized access only!


 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 no modem enable
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

LVL 6

Expert Comment

by:vikrantambhore
ID: 35079012
Can you please post the result of "sh cryp ip sa" & sho route?

Vikrant
LVL 6

Expert Comment

by:vikrantambhore
ID: 35079184
OK, I edited some configuration; please use it as per below. I hope this will help because I tried this on my router.

crypto isakmp client configuration group XXXXXXXX
 key XXXXXXXX
 dns X.X.X.X
 pool Dot_1_240
 save-password
 acl SplitTunnel
 max-users 4
crypto isakmp profile ciscocp-ike-profile-1
   match identity group XXXXXXXX
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   !
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto dynamic-map dynmap 10
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap


and enter "crypto map vpnmap" under the WAN port

ip access-list extended SplitTunnel
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any

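The suggestions in this thread (a different split-tunnel ACL, removing no ip proxy-arp from Vlan1, moving the DVTI's unnumbered source, and finally a crypto map on the WAN port next to the NAT overload) each touch the same three objects in the posted config: the client pool, the NAT ACL and the split-tunnel ACL. The script below is an added example, not code from this thread or from Cisco. It parses a trimmed config that I constructed to resemble the one posted (public address replaced by a TEST-NET placeholder) and checks three Easy VPN pitfalls: a NAT overload ACL that would translate LAN-to-client packets before encryption once a crypto map sits on the NAT-outside interface; a split-tunnel ACL that lists the client pool instead of the networks behind the server; and a pool carved out of the LAN subnet on an interface that has proxy-ARP disabled. The config text, the function names and the finding codes (NAT-EXEMPT, SPLIT-ACL, PROXY-ARP) are my own.

```python
import ipaddress

# Constructed config excerpt modelled on the configs posted in this thread, after the
# suggested "crypto map vpnmap" was placed on the WAN port. Public address is TEST-NET.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group XXXXXX
 pool Dot_1_240
 acl 101
interface FastEthernet4
 ip address 192.0.2.3 255.255.255.252
 crypto map vpnmap
interface Vlan1
 ip address 192.168.0.1 255.255.255.0
 no ip proxy-arp
 ip nat inside
ip local pool Dot_1_240 192.168.1.240 192.168.1.243
ip nat inside source list 100 interface FastEthernet4 overload
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
"""

ANY = ipaddress.ip_network("0.0.0.0/0")

def parse_addr(tok, i):  # one ACL address spec at tok[i]: any | host A | A WILDCARD
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1]), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2  # hostmask form

def parse_ace(tok):  # (action, src, dst) from the tokens after "access-list N" or a named entry
    i = 2 if tok[1] in ("ip", "tcp", "udp", "icmp") else 1  # standard ACLs carry no protocol
    src, i = parse_addr(tok, i)
    dst = parse_addr(tok, i)[0] if i < len(tok) else ANY
    return tok[0], src, dst

def iface_net(lines):  # connected network of an interface, or None without "ip address A M"
    t = next((l.split() for l in lines if l.startswith("ip address ")), None)
    return ipaddress.ip_interface(f"{t[2]}/{t[3]}").network if t else None

def parse_config(text):
    cfg = {"acls": {}, "ifaces": {}, "pools": {}, "groups": {}, "nat_acl": None, "nat_if": None}
    section = None  # (kind, container) receiving the indented lines of the current block
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] in ("!", "remark"):
            continue
        if raw[0] == " " and section:
            kind, store = section
            if kind == "acl":
                store.append(parse_ace(tok))
            elif kind == "group" and tok[0] in ("pool", "acl"):
                store[tok[0]] = tok[1]
            elif kind == "iface":
                store.append(" ".join(tok))
            continue
        section = None
        if tok[0] == "access-list" and tok[2] != "remark":
            cfg["acls"].setdefault(tok[1], []).append(parse_ace(tok[2:]))
        elif tok[:2] == ["ip", "access-list"]:
            section = ("acl", cfg["acls"].setdefault(tok[3], []))
        elif tok[0] == "interface":
            section = ("iface", cfg["ifaces"].setdefault(tok[1], []))
        elif tok[:5] == ["crypto", "isakmp", "client", "configuration", "group"]:
            section = ("group", cfg["groups"].setdefault(tok[5], {}))
        elif tok[:3] == ["ip", "local", "pool"]:
            cfg["pools"][tok[3]] = (ipaddress.ip_address(tok[4]), ipaddress.ip_address(tok[5]))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["nat_acl"], cfg["nat_if"] = tok[5], tok[7]
    return cfg

def lint(text):
    """Findings, each prefixed with a stable code, for the Easy VPN pitfalls in this thread."""
    cfg, findings = parse_config(text), []
    ifaces = cfg["ifaces"]
    lan_if = next((n for n, l in ifaces.items() if "ip nat inside" in l), None)
    lan = iface_net(ifaces.get(lan_if, []))
    assert lan is not None, "no addressed interface with 'ip nat inside'"
    pools = [n for p in cfg["pools"].values() for n in ipaddress.summarize_address_range(*p)]
    # 1. NAT runs before encryption on a crypto-map interface: a permit for LAN -> pool
    #    in the overload ACL translates the replies so they never match the IPsec SA.
    crypto_map = any(l.startswith("crypto map") for l in ifaces.get(cfg["nat_if"], []))
    for action, src, dst in cfg["acls"].get(cfg["nat_acl"], []):
        if src.overlaps(lan) and any(dst.overlaps(p) for p in pools):
            if action == "permit" and crypto_map:
                findings.append(f"NAT-EXEMPT: ACL {cfg['nat_acl']} translates {lan} -> pool; deny the pool first")
            break  # the first ACE matching this flow decides
    # 2. The split-tunnel ACL lists the networks behind the server, not the client pool.
    for name, g in cfg["groups"].items():
        aces = cfg["acls"].get(g.get("acl"), [])
        if not any(a == "permit" and src.overlaps(lan) for a, src, _ in aces):
            findings.append(f"SPLIT-ACL: group {name} acl {g.get('acl')} does not cover LAN {lan}")
    # 3. LAN hosts ARP for in-subnet client addresses, so a pool inside the LAN needs proxy-ARP.
    if any(p.overlaps(lan) for p in pools) and "no ip proxy-arp" in ifaces.get(lan_if, []):
        findings.append(f"PROXY-ARP: pool overlaps {lan} but {lan_if} has 'no ip proxy-arp'")
    return findings

if __name__ == "__main__": print("\n".join(lint(SAMPLE_CONFIG)) or "no findings")
```

On the sample it reports NAT-EXEMPT and SPLIT-ACL. PROXY-ARP only fires when the pool lies inside the LAN subnet; with the thread's pool in 192.168.1.240/30 and the LAN in 192.168.0.0/24, LAN hosts reach the clients through their default gateway, which is why toggling proxy-ARP on Vlan1 is not expected to change anything for this layout.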

Author Comment

by:Robert-bo-bobert
ID: 35087264
The output of "sh cryp ip sa" & sho route is completely blank. I will edit the config and apply the change in a few hours and post a response letting you know the result. Thank you.

Author Comment

by:Robert-bo-bobert
ID: 35089786
I can now ping to the 192.168.0.XXX subnet but cannot access any resources such as share drives, RDP, applications using servers on the 192.168.0.XXX subnet.
LVL 6

Expert Comment

by:vikrantambhore
ID: 35090372
If you are able to ping the 192.168.0.XX subnet then you should be able to access resources. Try to ping any live system from the VPN client. Please post the output of "sh cryp ip sa" & sho route after the VPN is established.




Vikrant

Author Comment

by:Robert-bo-bobert
ID: 35091749
When the VPN tunnel is active I can no longer manage the router from either the public or private IP it is assigned. So I cannot get the output you are looking for.
LVL 6

Expert Comment

by:vikrantambhore
ID: 35092555
Are you able to ping the router from the client when the VPN is up?

Author Comment

by:Robert-bo-bobert
ID: 35098470
Should this section also be added under the WAN interface?

ip access-list extended SplitTunnel
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.1.0 0.0.0.255 any

Author Comment

by:Robert-bo-bobert
ID: 35101077
This is the output for show crypto ipsec sa when connected to the VPN; show route was still blank:


hbg_acclaim_rtr#sh crypto ipsec sa

interface: FastEthernet4
    Crypto map tag: vpnmap, local addr 75.151.187.73

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.240/255.255.255.255/0/0)
   current_peer 174.60.130.58 port 60655
     PERMIT, flags={}
    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
    #pkts decaps: 403, #pkts decrypt: 403, #pkts verify: 403
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0
    #pkts not decompressed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 75.151.187.73, remote crypto endpt.: 174.60.130.58
     path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
     current outbound spi: 0xB96E1AD3(3111000787)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0xA3308A5D(2737867357)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 1, flow_id: Onboard VPN:1, sibling_flags 80000046, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4561247/3491)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xB96E1AD3(3111000787)
        transform: esp-3des esp-sha-hmac ,
        in use settings ={Tunnel, }
        conn id: 2, flow_id: Onboard VPN:2, sibling_flags 80000046, crypto map: vpnmap
        sa timing: remaining key lifetime (k/sec): (4561361/3491)
        IV size: 8 bytes
        replay detection support: Y
        Status: ACTIVE

     outbound ah sas:

     outbound pcp sas:
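The "sh crypto ipsec sa" output above already answers two questions before anyone looks at the config again: both ESP SAs are ACTIVE, so IKE and IPsec are fine, and the counters are lopsided (403 packets decapsulated from the client against 96 encapsulated back to it). The parser below is an added example, not part of this thread or of any Cisco tool; it reads a constructed copy of that output (trimmed to the lines it needs, endpoint addresses replaced with TEST-NET placeholders) and turns the identities, SA status and counters into a few defender-side observations. The observation codes (FULL-TUNNEL, SA-DOWN, ASYMMETRIC, ERRORS) and the function names are my own.

```python
import ipaddress
import re

# Constructed sample modelled on the "sh crypto ipsec sa" output posted in this thread,
# trimmed to the lines the parser reads. Endpoint addresses are TEST-NET placeholders.
SAMPLE_OUTPUT = """\
interface: FastEthernet4
    Crypto map tag: vpnmap, local addr 192.0.2.1

   protected vrf: (none)
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.1.240/255.255.255.255/0/0)
   current_peer 198.51.100.2 port 60655
     PERMIT, flags={}
    #pkts encaps: 96, #pkts encrypt: 96, #pkts digest: 96
    #pkts decaps: 403, #pkts decrypt: 403, #pkts verify: 403
    #send errors 0, #recv errors 0

     current outbound spi: 0xB96E1AD3(3111000787)

     inbound esp sas:
      spi: 0xA3308A5D(2737867357)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE

     outbound esp sas:
      spi: 0xB96E1AD3(3111000787)
        transform: esp-3des esp-sha-hmac ,
        Status: ACTIVE
"""

def parse_ipsec_sa(text):
    """Return one dict per flow (local/remote ident pair) with counters, peer and ESP SAs."""
    flows, flow, direction, sa = [], None, None, None
    for line in text.splitlines():
        s = line.strip()
        if m := re.match(r"(local|remote)\s+ident .*?\(([\d.]+)/([\d.]+)/\d+/\d+\)", s):
            if m.group(1) == "local":  # a new flow starts with its local ident
                flow = {"encaps": 0, "decaps": 0, "send_errors": 0, "recv_errors": 0, "sas": []}
                flows.append(flow)
            flow[m.group(1)] = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}", strict=False)
        elif flow is None:
            continue
        elif m := re.match(r"current_peer ([\d.]+) port (\d+)", s):
            flow["peer"] = (m.group(1), int(m.group(2)))
        elif m := re.match(r"#pkts (encaps|decaps): (\d+)", s):
            flow[m.group(1)] = int(m.group(2))
        elif m := re.match(r"#send errors (\d+), #recv errors (\d+)", s):
            flow["send_errors"], flow["recv_errors"] = int(m.group(1)), int(m.group(2))
        elif m := re.match(r"(inbound|outbound) esp sas:", s):
            direction = m.group(1)
        elif m := re.match(r"spi: (0x[0-9A-Fa-f]+)", s):
            sa = {"dir": direction, "spi": m.group(1), "status": None}
            flow["sas"].append(sa)
        elif sa and (m := re.match(r"Status: (\w+)", s)):
            sa["status"] = m.group(1)
    return flows

def assess(flow):
    """Observations a defender draws from one flow; each note starts with a stable code."""
    notes = []
    if flow["local"].prefixlen == 0:
        notes.append("FULL-TUNNEL: local ident is 0.0.0.0/0, so split tunneling is not in effect "
                     "and every client packet, Internet-bound ones included, arrives here")
    active = {sa["dir"] for sa in flow["sas"] if sa["status"] == "ACTIVE"}
    if active != {"inbound", "outbound"}:
        notes.append(f"SA-DOWN: active ESP SAs {sorted(active)}; the tunnel itself is not usable")
    elif flow["decaps"] and flow["encaps"] * 2 < flow["decaps"]:
        notes.append(f"ASYMMETRIC: decaps {flow['decaps']} vs encaps {flow['encaps']}; the tunnel "
                     "is up but most client packets get no reply back through it, so look at "
                     "the return path (routing and NAT on the LAN side), not at IKE/IPsec")
    if flow["send_errors"] or flow["recv_errors"]:
        notes.append(f"ERRORS: send {flow['send_errors']}, recv {flow['recv_errors']}")
    return notes

if __name__ == "__main__":
    for flow in parse_ipsec_sa(SAMPLE_OUTPUT):
        print(flow["peer"], flow["remote"], "->", flow["local"])
        print("\n".join(assess(flow)))
```

For the sample this yields FULL-TUNNEL and ASYMMETRIC. The 2:1 threshold is a rule of thumb I chose for the example; what matters is the direction of the imbalance, which points at the return path from the LAN rather than at the negotiation.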

Accepted Solution

by:
Robert-bo-bobert earned 0 total points
ID: 35132382
Ok, what I ended up doing was defaulting the router and loading the original config I had posted and it just worked, not sure why it wasn't working but now it is. Thanks for all the ideas.
LVL 6

Assisted Solution

by:vikrantambhore
vikrantambhore earned 250 total points
ID: 35135267
So you mean my comment wasn't helpful for you?
LVL 6

Expert Comment

by:vikrantambhore
ID: 35146315
Sorry, I don't have any questions; please go with Robert-bo-bobert.
LVL 5

Expert Comment

by:Netminder
ID: 35321896
Restarting closing process.

Netminder
Sr Admin