Solved

cisco 2911 blocking MS vpn client in and out

Posted on 2012-03-12
Last Modified: 2012-03-15
Hi, I have a VPN server which is configured to accept connections from the outside, but whenever I try to connect, I get stuck on username and password. This also happens if I try to connect to another VPN server outside of this network. I have the correct NAT port forward settings on it (as my other stuff works). If I turn off the zone firewall, I am able to connect, but as soon as I run the wizard again it blocks me out. I can't figure out how to leave the firewall on and still connect to the VPN.

Config below... thanks.

!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 102
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 127
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 123
class-map type inspect match-all sdm-nat-user-protocol--1-4
 match access-group 133
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 113
 match protocol user-protocol--3
class-map type inspect match-all sdm-nat-user-protocol--1-3
 match access-group 115
 match protocol user-protocol--1
class-map type inspect match-all sdm-nat-smtp-2
 match access-group 104
 match protocol smtp
class-map type inspect match-all sdm-nat-msrpc-smb-netbio-1
 match access-group 112
class-map type inspect match-any SDM_SNMP
 match access-group name SDM_SNMP
class-map type inspect match-all sdm-nat-http-1
 match access-group 110
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 110
 match protocol user-protocol--2
class-map type inspect match-all sdm-nat-user-protocol--1-2
 match access-group 111
 match protocol user-protocol--1
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 131
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 112
class-map type inspect match-any VPN
 match protocol pptp
 match protocol gtpv0
 match protocol gtpv1
 match protocol l2tp
class-map type inspect match-any VPNOut
 match class-map VPN
class-map type inspect match-all sdm-nat-http-2
 match access-group 104
 match protocol http
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 103
 match protocol smtp
class-map type inspect match-any SDM_SHELL
 match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
 match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
 match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
 match class-map SDM_SNMP
 match class-map SDM_SHELL
 match class-map SDM_SSH
 match class-map SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-1
 match class-map SDM_SSH
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol pptp
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol pptp
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 101
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 105
 match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol pptp
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-all sdm-nat-pptp-2
 match access-group 109
 match protocol pptp
class-map type inspect match-any SDM_IP
 match access-group name SDM_IP
class-map type inspect match-all sdm-nat-telnet-1
 match access-group 110
 match protocol telnet
class-map type inspect match-all sdm-nat-h225ras-1
 match access-group 110
 match protocol h225ras
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-any vpnclient
 match class-map SDM_VPN_TRAFFIC
 match class-map VPN
class-map type inspect match-all ccp-cls-ccp-inspect-1
 match class-map vpnclient
 match access-group name vpnclient
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-nat-h323-1
 match access-group 110
 match protocol h323
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-any webpage
 match protocol http
 match protocol https
 match protocol smtp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-mgmt-cls-ccp-permit-0
 match class-map sdm-mgmt-cls-1
 match access-group 119
class-map type inspect match-all sdm-nat-ssh-1
 match access-group 111
 match protocol ssh
class-map type inspect match-all sdm-nat-https-1
 match access-group 103
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-smtp-2
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect sdm-nat-pptp-2
  inspect
 class type inspect sdm-nat-telnet-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-h225ras-1
  inspect
 class type inspect sdm-nat-h323-1
  inspect
 class type inspect sdm-nat-http-2
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-ssh-1
  inspect
 class type inspect sdm-nat-user-protocol--1-2
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-user-protocol--1-3
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-2
  pass
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class type inspect sdm-nat-user-protocol--1-4
  inspect
 class class-default
  drop log
policy-map type inspect sdm-permit-gre
 class type inspect SDM_GRE
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class type inspect sdm-mgmt-cls-ccp-permit-0
  inspect
 class class-default
  drop
policy-map type inspect sdm-permit-ip
 class type inspect SDM_IP
  pass
 class class-default
  drop log
!
zone security gre-zone
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-in-gre1 source in-zone destination gre-zone
 service-policy type inspect sdm-permit-ip
zone-pair security ccp-zp-out-gre source out-zone destination gre-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-gre-in1 source gre-zone destination in-zone
 service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-gre-out source gre-zone destination out-zone
 service-policy type inspect sdm-permit-gre
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit

interface GigabitEthernet0/0
 description $ETH-WAN$$FW_OUTSIDE$
 ip address 12.*.*.221 255.255.255.240 secondary
 ip address 12.*.*.222 255.255.255.240
 ip access-group 126 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip verify unicast reverse-path
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
 !
!
interface GigabitEthernet0/1
 description $ETH-LAN$$FW_INSIDE$
 ip address 10.201.41.1 255.255.255.0
 ip access-group 107 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 duplex auto
 speed auto
 no mop enabled

ip nat inside source static tcp 10.201.41.20 1723 12.69.25.212 1723 extendable
ip nat inside source static tcp 10.201.41.19 1723 12.69.25.213 1723 extendable

ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=0
 permit tcp any any eq 443
ip access-list extended SDM_IP
 remark CCP_ACL Category=0
 permit ip any any
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=0
 permit tcp any any eq cmd
ip access-list extended SDM_SNMP
 remark CCP_ACL Category=0
 permit udp any any eq snmp
ip access-list extended SDM_SSH
 remark CCP_ACL Category=0
 permit tcp any any eq 22
ip access-list extended gre
 remark CCP_ACL Category=2
 permit gre any any
ip access-list extended vpnclient
 remark CCP_ACL Category=128
 permit ip any any

access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 10.201.41.19

access-list 126 permit tcp any host 12.*.*.213 eq 1723
access-list 126 permit tcp any host 12.*.*.212 eq 1723
access-list 126 permit ip any any
Question by:Comptx
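An added audit script, not from the original post or any Cisco tool, that parses the zone-based-firewall sections of an IOS config and reports class-maps that no zone-pair's policy can ever apply, following match class-map nesting. In the config posted above, VPN, VPNOut, vpnclient and ccp-cls-ccp-inspect-1 are in that state: they are defined but never referenced by a policy-map that is bound to a zone-pair, so they have no effect on the PPTP traffic; SAMPLE below is a constructed excerpt in the same style.

```python
import re
# Constructed excerpt in the style of the posted config, not the full config.
SAMPLE = """\
class-map type inspect match-any VPN
 match protocol pptp
class-map type inspect match-any VPNOut
 match class-map VPN
class-map type inspect match-all SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect CCP_PPTP
  pass
 class class-default
  drop log
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
"""

def parse(config):
    """Return (class nesting, policy-map class lists, zone-pair -> (src, dst, policy))."""
    classes, policies, pairs, current = {}, {}, {}, None
    for line in config.splitlines():
        if m := re.match(r"class-map type inspect match-\w+ (\S+)", line):
            current = classes.setdefault(m[1], [])
        elif m := re.match(r"policy-map type inspect (\S+)", line):
            current = policies.setdefault(m[1], [])
        elif m := re.match(r"zone-pair security (\S+) source (\S+) destination (\S+)", line):
            current = pairs[m[1]] = [m[2], m[3], None]   # policy filled in below
        elif m := re.match(r"\s+match class-map (\S+)", line):
            current.append(m[1])                         # nested class reference
        elif m := re.match(r"\s+class type inspect (\S+)", line):
            current.append(m[1])                         # class used by a policy-map
        elif m := re.match(r"\s+service-policy type inspect (\S+)", line):
            current[2] = m[1]
    return classes, policies, {n: tuple(v) for n, v in pairs.items()}

def dead_class_maps(config):
    """Class-maps no zone-pair can ever apply, following match class-map nesting."""
    classes, policies, pairs = parse(config)
    reached, stack = set(), [c for _, _, p in pairs.values() for c in policies.get(p, [])]
    while stack:
        name = stack.pop()
        if name not in reached:
            reached.add(name)
            stack.extend(classes.get(name, []))   # walk into nested class-maps
    return sorted(set(classes) - reached)
```

Run it over the posted config and VPN shows up as dead even though VPNOut and vpnclient reference it, because neither of those classes is itself reachable from a zone-pair.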

Accepted Solution

by: Comptx earned 0 total points
ID: 37725157
Solved on my own using the following guide:

http://siskiyoutech.com/blog/?p=78
