EasyVPN not accessible from some networks - applied ACL how??

Hi folks,

We have a Cisco 1800 Series Router with two site-to-site VPNs and an EasyVPN Server.

After we added our most recent site-to-site, EasyVPN seemed to stop working.

After some troubleshooting, it turns out that named networks in ACL 103 can access EasyVPN with no problems. If your IP is not listed in that ACL, then the "remote peer is not responding" message comes up in the VPN client (i.e. username and password box doesn't show up).

I can't see how ACL 103 relates to EasyVPN or more specifically, how to get EasyVPN to ignore the ACL and be wide open.

Any assistance would be greatly appreciated! Edited config below.

Thanks in advance!

 
Current configuration : 17171 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname ******
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 ***********
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec local_author local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
aaa session-id common
clock timezone **** 12
clock summer-time **** recurring last Sun Sep 2:00 1 Sun Apr 2:00
!
crypto pki trustpoint TP-self-signed-1713403326
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1713403326
 revocation-check none
 rsakeypair TP-self-signed-1713403326
!
!
crypto pki certificate chain TP-self-signed-1713403326
 certificate self-signed 01
  802ED9F8 22D39C9B 43468C08 5CFC634C 2B55EC6F 9BEBBBEF 900A1E93 81DCC388
  56BFB80D DE392955 6B340808 DF8CF6C7 47F12D56 A4FFB853 FC3470DB D51EBB0E
  E9A4EB44 F0679CF3 06BBBE92 6DE623F5 BBEF7A57 F59631F6 DF872163 390CDB4E
  CF1B2CF7 51C666CF B305E3E9 19EADF87 462A258C
        quit
dot11 syslog
no ip source-route
ip cef
!
!
!
!
no ip bootp server
ip domain name ******.local
ip name-server n.n.n.n
ip name-server n.n.n.n
ip port-map user-smtp26 port tcp 26
ip port-map user-rdp3390 port tcp 3390
ip port-map user-rdp3389 port tcp 3389
!
multilink bundle-name authenticated
!
!
username administrator privilege 15 secret 5 *********
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key ********* address ******
crypto isakmp key ********* address ******
!
crypto isakmp client configuration group vpn
 key *********
 dns 192.168.1.81
 domain ******.local
 pool SDM_POOL_1
 netmask 255.255.255.0
!
crypto isakmp client configuration group vpn2_group
 key *********
 pool SDM_POOL_1
 acl 106
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpn
   match identity group vpn2_group
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to******
 set peer ******
 set transform-set ESP-3DES-SHA1
 match address 101
crypto map SDM_CMAP_1 3 ipsec-isakmp
 description Tunnel to******
 set peer ******
 set transform-set ESP-3DES-SHA2
 match address 102
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 104
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 108
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 107
class-map type inspect match-any SMTP_OUT_IN
 match protocol smtp
 match protocol user-smtp26
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
 match class-map SMTP_OUT_IN
 match access-group name SMTP_TRAFFIC_OUT_IN
class-map type inspect match-any RDP3390_OUT_IN
 match protocol user-rdp3390
 match access-group name RDP3390_TRAFFIC_OUT_IN
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-all RDP_OUT_IN
 match protocol user-rdp3389
 match access-group name RDP_TRAFFIC_OUT_IN
class-map type inspect match-any CCP-Voice-permit
 match protocol h323
 match protocol skinny
 match protocol sip
class-map type inspect match-any HTTPS_IN
 match protocol https
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any Protocols_DMZ_To_Outside
 match protocol http
 match protocol https
 match protocol dns
 match protocol ntp
 match protocol icmp
 match protocol telnet
class-map type inspect match-all sdm-cls--2
 match class-map Protocols_DMZ_To_Outside
 match access-group name DMZ_To_Outside
class-map type inspect match-any SMTP_TO_DMZ
 match protocol smtp
class-map type inspect match-all sdm-cls--1
 match class-map SMTP_TO_DMZ
 match access-group name Outside_to_DMZ
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
 match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any HTTPS_To_DMZ
 match protocol https
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any SMTP26_IN
 match protocol user-smtp26
class-map type inspect match-all sdm-cls-ccp-permit-1
 match access-group name From_Gen-i
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all sdm-cls-sdm-policy-sdm-cls--3-1
 match class-map SMTP26_IN
 match access-group name SMTP_DMZ_TO_IN
class-map type inspect match-all sdm-cls-sdm-policy-sdm-cls--1-1
 match class-map HTTPS_To_DMZ
 match access-group name HTTPS_Outside_To_DMZ
class-map type inspect match-all sdm-cls-sdm-policy-sdm-cls--3-2
 match class-map HTTPS_IN
 match access-group name HTTPS_TRAFFIC_DMZ_TO_IN
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect RDP_OUT_IN
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect RDP3390_OUT_IN
  inspect
 class class-default
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect CCP-Voice-permit
  inspect
 class class-default
  pass
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-cls-ccp-permit-1
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--1
 class type inspect sdm-cls-sdm-policy-sdm-cls--1-1
  inspect
 class type inspect sdm-cls--1
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--3
 class type inspect sdm-cls-sdm-policy-sdm-cls--3-1
  inspect
 class type inspect sdm-cls-sdm-policy-sdm-cls--3-2
  inspect
 class class-default
policy-map type inspect sdm-policy-sdm-cls--2
 class type inspect sdm-cls--2
  inspect
 class class-default
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security out-zone
zone security in-zone
zone security ezvpn-zone
zone security dmz-zone
zone security dmz-in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-zone-dmz-zone source out-zone destination dmz-zone
 service-policy type inspect sdm-policy-sdm-cls--1
zone-pair security sdm-zp-dmz-zone-out-zone source dmz-zone destination out-zone
 service-policy type inspect sdm-policy-sdm-cls--2
zone-pair security sdm-zp-dmz-in-zone-in-zone source dmz-in-zone destination in-zone
 service-policy type inspect sdm-policy-sdm-cls--3
bridge irb
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_LAN$$FW_INSIDE$
 ip address 192.168.1.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description $ES_WAN$$FW_OUTSIDE$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface FastEthernet0/1/0
 ip address 192.168.2.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz-zone
 duplex auto
 speed auto
!
interface FastEthernet0/1/1
 ip address 192.168.3.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security dmz-in-zone
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication pap callin
 ppp pap sent-username *********@****** password 7 *********
 crypto map SDM_CMAP_1
 crypto ipsec df-bit clear
!
interface BVI1
 no ip address
!
ip local pool SDM_POOL_1 172.16.0.1 172.16.0.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
ip http server
ip http access-class 2
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.95 26 ****** 25 extendable
ip nat inside source static tcp 192.168.2.253 443 ****** 443 extendable
ip nat inside source static tcp 192.168.1.94 3389 ****** 3389 extendable
ip nat inside source static tcp 192.168.1.96 3389 ****** 3390 extendable
!
ip access-list extended DMZ_To_Outside
 remark CCP_ACL Category=128
 permit ip any any
ip access-list extended HTTPS_Outside_To_DMZ
 remark CCP_ACL Category=128
 permit ip any host 192.168.2.253
ip access-list extended HTTPS_TRAFFIC_DMZ_TO_IN
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.95
ip access-list extended Outside_to_DMZ
 remark CCP_ACL Category=128
 permit ip any host 192.168.2.253
ip access-list extended RDP3390_TRAFFIC_OUT_IN
 remark CCP_ACL Category=128
 permit ip host ****** host 192.168.1.96
 permit ip host ****** host 192.168.1.96
 permit ip host ****** host 192.168.1.96
 permit ip host ****** host 192.168.1.96
ip access-list extended RDP_TRAFFIC_OUT_IN
 remark CCP_ACL Category=128
 permit ip host ****** host 192.168.1.94
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended SMTP_DMZ_TO_IN
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.95
ip access-list extended SMTP_TRAFFIC_OUT_IN
 remark CCP_ACL Category=128
 permit ip any host 192.168.1.95
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.21.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark CCP_ACL Category=1
access-list 2 permit 192.168.1.0 0.0.0.255
access-list 2 permit 192.168.21.0 0.0.0.255
access-list 2 deny   any
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host ****** any
access-list 103 permit ip host ****** any
access-list 103 permit ip host ****** any
access-list 103 permit ip host ****** any
access-list 104 remark CCP_ACL Category=0
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.21.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 remark CCP_ACL Category=2
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 105 remark IPSec Rule
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.21.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
access-list 106 remark CCP_ACL Category=4
access-list 106 permit ip 192.168.1.0 0.0.0.255 any
access-list 108 remark CCP_ACL Category=0
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.50.0 0.0.0.255 192.168.1.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 105
!
!
!
!
control-plane
!
bridge 1 protocol ieee
!
!
banner login ^CCCAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login authentication local_authen
 transport output telnet
line aux 0
 login authentication local_authen
 transport output telnet
line vty 0 4
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
line vty 5 15
 authorization exec local_author
 login authentication local_authen
 transport input telnet ssh
!
scheduler allocate 4000 1000
end

slamit Asked:

John Meggers (Network Architect) Commented:
Looks to me like it's part of your zone-based firewall.

access-list 103 remark CCP_ACL Category=128
access-list 103 permit ip host ****** any
access-list 103 permit ip host ****** any
access-list 103 permit ip host ****** any
access-list 103 permit ip host ****** any

class-map type inspect match-all SDM_VPN_PT
 match access-group 103
 match class-map SDM_VPN_TRAFFIC

policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass

zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

interface Dialer0
 zone-member security out-zone

Could that explain why it's blocking some of the traffic unless it's listed in the ACL?

slamit (Author) Commented:
Thanks, you made me go over those rules with a fine-tooth comb again, and, thanks to an earlier config I had archived, I found that the following was missing from the original policy-map:

policy-map type inspect ccp-permit
 class type inspect SDM_EASY_VPN_SERVER_TRAFFIC
  pass


Doh!

Thanks! :)
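To make the diagnosis above and the restored class concrete, here is an added Python model (not code from the thread or from Cisco) of the out-zone to self zone-pair's ccp-permit policy: it evaluates the posted class-maps the way the zone-based firewall does, showing that the match-all class SDM_VPN_PT only passes IKE from hosts in ACL 103 and everything else falls to class-default and is dropped, and that adding SDM_EASY_VPN_SERVER_TRAFFIC with pass lets IKE from any source reach the router. The four masked ACL 103 hosts are replaced by constructed placeholder addresses, and sdm-cls-ccp-permit-1 is omitted because its ACL is not in the posted config.

```python
# Constructed model of the out-zone -> self policy from the posted config.
# Object names follow the config; the four masked (******) hosts in ACL 103
# are replaced with constructed placeholder addresses. sdm-cls-ccp-permit-1
# is left out because its ACL (From_Gen-i) is not in the posted config.
ACL_103_HOSTS = {"198.51.100.10", "198.51.100.11", "198.51.100.12", "198.51.100.13"}

# class-map name -> (operator, matches); a match is ("protocol", name),
# ("acl", number) or ("class", nested class-map name).
VPN_MATCHES = [("protocol", "isakmp"), ("protocol", "ipsec-msft"),
               ("class", "SDM_AH"), ("class", "SDM_ESP")]
CLASS_MAPS = {
    "SDM_AH": ("match-any", [("protocol", "ahp")]),
    "SDM_ESP": ("match-any", [("protocol", "esp")]),
    "SDM_VPN_TRAFFIC": ("match-any", VPN_MATCHES),
    "SDM_EASY_VPN_SERVER_TRAFFIC": ("match-any", VPN_MATCHES),
    # match-all: the packet must hit ACL 103 AND be VPN traffic
    "SDM_VPN_PT": ("match-all", [("acl", 103), ("class", "SDM_VPN_TRAFFIC")]),
}
ACLS = {103: lambda pkt: pkt["src"] in ACL_103_HOSTS}   # permit ip host X any


def class_matches(name, pkt):
    """Evaluate a class-map against a packet, recursing into nested class-maps."""
    operator, matches = CLASS_MAPS[name]
    results = []
    for kind, value in matches:
        if kind == "protocol":
            results.append(pkt["protocol"] == value)
        elif kind == "acl":
            results.append(ACLS[value](pkt))
        else:
            results.append(class_matches(value, pkt))
    return all(results) if operator == "match-all" else any(results)


def evaluate(policy, pkt):
    """policy is the ordered list of (class, action) in the policy-map.
    A class-default with no explicit action, as in ccp-permit, drops."""
    for cls, action in policy:
        if class_matches(cls, pkt):
            return action
    return "drop"


# ccp-permit as posted (only ACL 103 hosts get through) and as restored.
CCP_PERMIT_POSTED = [("SDM_VPN_PT", "pass")]
CCP_PERMIT_RESTORED = [("SDM_VPN_PT", "pass"),
                       ("SDM_EASY_VPN_SERVER_TRAFFIC", "pass")]


def ike_from(src, policy):
    """Fate of an IKE (ISAKMP, UDP/500) packet from src arriving on Dialer0."""
    return evaluate(policy, {"src": src, "protocol": "isakmp"})
```

The restored class passes IKE, ESP and AH to the router from any source, which is what an EasyVPN server for roaming clients needs; the match-all pairing of ACL 103 with SDM_VPN_TRAFFIC is what had narrowed it to the site-to-site peers.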