Solved

cisco 2911 blocking MS vpn client in and out

Posted on 2012-03-12
Last Modified: 2012-03-15
Hi, I got a VPN server which is configured to accept connections from the outside, but whenever I try to connect, I get stuck on username and password. This also happens if I try to connect to another VPN server outside of this network. I have the correct NAT port forward settings on it (as my other stuff works). If I turn off the zone firewall, I am able to connect, but as soon as I run the wizard again it blocks me out. I can't figure out how to leave the firewall on and still connect to the VPN.

Config below... thanks

!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 102
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 127
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 123
class-map type inspect match-all sdm-nat-user-protocol--1-4
 match access-group 133
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 113
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--1-3
 match access-group 115
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-2
 match access-group 104
 match protocol smtp
class-map type inspect match-all sdm-nat-msrpc-smb-netbio-1
 match access-group 112
class-map type inspect match-any SDM_SNMP
 match access-group name SDM_SNMP
class-map type inspect match-all sdm-nat-http-1
 match access-group 110
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 110
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
 match access-group 111
 match protocol user-protocol--1
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 131
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 112
class-map type inspect match-any VPN
 match protocol pptp
 match protocol gtpv0
 match protocol gtpv1
 match protocol l2tp
class-map type inspect match-any VPNOut
 match class-map VPN
class-map type inspect match-all sdm-nat-http-2
 match access-group 104
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
 match class-map SDM_SNMP
 match class-map SDM_SHELL
 match class-map SDM_SSH
 match class-map SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-1
 match class-map SDM_SSH
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol pptp
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol pptp
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 101
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 105
 match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-2
 match access-group 109
 match protocol pptp
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-all sdm-nat-telnet-1
 match access-group 110
 match protocol telnet
class-map type inspect match-all sdm-nat-h225ras-1
 match access-group 110
 match protocol h225ras
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any vpnclient
 match class-map SDM_VPN_TRAFFIC
 match class-map VPN
class-map type inspect match-all ccp-cls-ccp-inspect-1
 match class-map vpnclient
 match access-group name vpnclient
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-nat-h323-1
 match access-group 110
 match protocol h323
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-any webpage
 match protocol http
 match protocol https
 match protocol smtp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
 match class-map sdm-mgmt-cls-1
 match access-group 119
class-map type inspect match-all sdm-nat-ssh-1
 match access-group 111
 match protocol ssh
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-smtp-2
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect sdm-nat-pptp-2
  inspect
 class type inspect sdm-nat-telnet-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-h225ras-1
  inspect
 class type inspect sdm-nat-h323-1
  inspect
 class type inspect sdm-nat-http-2
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-ssh-1
  inspect
 class type inspect sdm-nat-user-protocol--1-2
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-user-protocol--1-3
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class type inspect sdm-nat-user-protocol--1-4
  inspect
 class class-default
  drop log
policy-map type inspect sdm-permit-gre
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-mgmt-cls-ccp-permit-0
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security gre-zone
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-in-gre1 source in-zone destination gre-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination gre-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source gre-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-gre-out source gre-zone destination out-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

interface GigabitEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 12.*.*.221 255.255.255.240 secondary
 ip address 12.*.*.222 255.255.255.240
 ip access-group 126 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
 !
!
interface GigabitEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.201.41.1 255.255.255.0
 ip access-group 107 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled

ip nat inside source static tcp 10.201.41.20 1723 12.69.25.212 1723 extendable
ip nat inside source static tcp 10.201.41.19 1723 12.69.25.213 1723 extendable

ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=0
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark CCP_ACL Category=0
 permit ip any any
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=0
 permit tcp any any eq cmd
ip access-list extended SDM_SNMP
 remark CCP_ACL Category=0
 permit udp any any eq snmp
ip access-list extended SDM_SSH
 remark CCP_ACL Category=0
 permit tcp any any eq 22
ip access-list extended gre
 remark CCP_ACL Category=2
 permit gre any any
ip access-list extended vpnclient
 remark CCP_ACL Category=128
 permit ip any any

access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.201.41.19

access-list 126 permit tcp any host 12.*.*.213 eq 1723
access-list 126 permit tcp any host 12.*.*.212 eq 1723
access-list 126 permit ip any any
Question by:Comptx
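Added example, not part of the post: a small Python model of the zone-based firewall policy above (class-maps, policy-maps and zone-pairs hand-transcribed and trimmed to the PPTP-relevant entries) that applies ZBF first-match semantics to the TCP 1723 control channel and to the GRE tunnel in each direction. It assumes ACL addresses are "any" and ignores any dynamic pinholes an inspection ALG might open.

```python
# Added example (not from the post): evaluate the poster's zone-based firewall policy
# for both halves of a PPTP session. Tables are hand-transcribed from the config above
# and trimmed. Assumptions: ACL addresses are treated as "any"; ALG pinholes not modelled.
PORTS = {"pptp": ("tcp", 1723)}  # application names resolved to (ip_proto, dst_port)
ACLS = {"SDM_GRE": [("gre", None)],   # permit gre any any
        "105": [("ip", None)]}        # permit ip any host 10.201.41.19 (address ignored)
CLASS_MAPS = {  # name: (match mode, [(criterion, value)])
    "SDM_GRE": ("match-all", [("access-group", "SDM_GRE")]),
    "CCP_PPTP": ("match-any", [("class-map", "SDM_GRE")]),
    "sdm-nat-pptp-1": ("match-all", [("access-group", "105"), ("protocol", "pptp")]),
    "ccp-cls-insp-traffic": ("match-any", [("protocol", p) for p in ("pptp", "dns", "tcp", "udp")]),
    "ccp-insp-traffic": ("match-all", [("class-map", "ccp-cls-insp-traffic")]),
}
POLICY_MAPS = {  # name: [(class, action)] in configured order; the first match wins
    "sdm-pol-VPNOutsideToInside-1": [("sdm-nat-pptp-1", "inspect"), ("CCP_PPTP", "pass"),
                                     ("class-default", "drop")],
    "ccp-inspect": [("ccp-insp-traffic", "inspect"), ("class-default", "drop")],
}
ZONE_PAIRS = {("out-zone", "in-zone"): "sdm-pol-VPNOutsideToInside-1",
              ("in-zone", "out-zone"): "ccp-inspect"}

def matches(kind, value, flow):
    """Evaluate one class-map criterion against flow = (ip_proto, dst_port)."""
    if kind == "protocol":
        return flow == PORTS[value] if value in PORTS else flow[0] == value
    if kind == "access-group":
        return any(p in ("ip", flow[0]) and port in (None, flow[1]) for p, port in ACLS.get(value, []))
    mode, criteria = CLASS_MAPS[value]  # kind == "class-map": recurse, all/any by mode
    return (all if mode == "match-all" else any)(matches(k, v, flow) for k, v in criteria)

def action(src, dst, flow):
    """ZBF semantics: no zone-pair means drop; otherwise the first matching class decides."""
    if (src, dst) not in ZONE_PAIRS:
        return "drop"
    for cname, act in POLICY_MAPS[ZONE_PAIRS[(src, dst)]]:
        if cname == "class-default" or matches("class-map", cname, flow):
            return act
    return "drop"

def pptp_verdict(src, dst):
    """Client in src, server in dst: TCP 1723 control channel plus the GRE tunnel.
    'pass' is one-way, so the GRE leg is also evaluated on the reverse zone-pair."""
    return {"control": action(src, dst, ("tcp", 1723)),
            "gre_forward": action(src, dst, ("gre", None)),
            "gre_return": action(dst, src, ("gre", None))}

if __name__ == "__main__":
    print("outside client -> inside server:", pptp_verdict("out-zone", "in-zone"))
    print("inside client -> outside server:", pptp_verdict("in-zone", "out-zone"))
```

In both directions the GRE leg that crosses from in-zone to out-zone falls through to class-default in ccp-inspect, which is consistent with a session that stalls right after the TCP control channel comes up.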
Accepted Solution

by:
Comptx earned 0 total points
ID: 37725157
Solved on my own using the following guide...

http://siskiyoutech.com/blog/?p=78