dwknight

asked on
Cisco 877 site to site VPN - cannot ping remote peer

Hello,

I have 2 sites with Cisco 877 routers. There is a main office and a branch office, and I am looking to set up a site to site VPN using preshared keys.

I have run the VPN wizard successfully and have an issue when testing the tunnel - the VPN peer at either end cannot be reached - but all other VPN tunnel tests pass.

I am using CCP 2.4 and the routers have IOS 12.4.

I can ping from inside each office to google.com (external test ping)

I cannot ping from outside each office to the external interface of each office (internet to dialer0)

I have looked at the router firewall and found the following:

The outside to self has no rule that allows ICMP (inbound).

I have added a rule from the ip address of the 'other office' static public ip address to self for icmp - but it still will not work. I have even tried any to any - icmp on the outside to self.

Any suggestions to resolve this issue would be greatly appreciated.
cmgibson

The easiest way to troubleshoot would be if you could paste the relevant sections of the running config, just xxxx out any sensitive info please. If you can do this, I'm sure we will be able to get you an answer pretty quickly.
dwknight (ASKER)

Many thanks for the response - a bit more background - this is the first time that I have used CCP, and I have done very little work with Cisco routers in the past.

I have run the VPN wizard more than once, and it appears that there is more than one VPN configuration in the config file.

Both the main office and the site office have almost identical configurations - customized for the site specific ip addressing; and the main office has port forwarding for SBS 2011 plus VPN ports open for the current Microsoft VPN solution (that I am hoping to replace with the cisco VPN solution).

Any advice that you could provide would be a great help!

---------------- the config

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <removed>
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime 10
!
<crypto removed>

dot11 syslog
no ip source-route
!
!
ip port-map user-protocol--2 port udp 3389
ip port-map user-protocol--3 port tcp 987
ip port-map user-protocol--1 port tcp 3389
ip cef
no ip bootp server
ip domain name <removed>
ip name-server <removed>
ip name-server <removed>
!
!
parameter-map type <removed>

!
!
username <removed>
!
!
crypto isakmp policy 1
 <removed>
!
!
<removed>
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to<remote office ip address removed>
 set peer <remote office ip address removed>
 set transform-set ESP-3DES-SHA9
 match address 137
!
crypto map SDM_CMAP_4 1 ipsec-isakmp
 description Tunnel to<remote office ip address removed>
 set peer <remote office ip address removed>
 set transform-set InterSite-TransformSet
 match address 121
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 113
class-map type inspect match-any DPKICMPVPNPrelimSetupPingAllowed
 match protocol icmp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 118
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 116
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 107
 match protocol user-protocol--3
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 122
class-map type inspect match-all sdm-nat-http-1
 match access-group 105
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 103
 match protocol user-protocol--2
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 120
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
 match protocol user-protocol--1
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
 match access-group 126
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 104
 match protocol smtp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 124
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
 match access-group 128
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
 match access-group 127
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-all sdm-nat-isakmp-1
 match access-group 108
 match protocol isakmp
class-map type inspect match-any SDM_IGMP
 match access-group name SDM_IGMP
class-map type inspect match-any CorpPing4VPNEst
 match class-map SDM_IGMP
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
 match class-map CorpPing4VPNEst
 match access-group name ICMPFromCorpToRehab
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 115
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 111
 match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
 match access-group 129
class-map type inspect match-all sdm-cls-VPNOutsideToInside-11
 match access-group 130
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-12
 match access-group 132
class-map type inspect match-all sdm-cls-VPNOutsideToInside-13
 match access-group 134
class-map type inspect match-all sdm-cls-VPNOutsideToInside-14
 match access-group 136
class-map type inspect match-all sdm-cls-VPNOutsideToInside-15
 match access-group 138
class-map type inspect match-all sdm-cls-VPNOutsideToInside-16
 match access-group 139
class-map type inspect match-all sdm-cls-VPNOutsideToInside-17
 match access-group 140
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-nat-l2tp-1
 match access-group 110
 match protocol l2tp
class-map type inspect match-all sdm-nat-ipsec-msft-1
 match access-group 109
 match protocol ipsec-msft
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map DPKICMPVPNPrelimSetupPingAllowed
 match access-group name VPNICMPPrelimPing
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-https-1
 match access-group 106
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-cls-ccp-permit-icmpreply-1
  pass log
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-isakmp-1
  inspect
 class type inspect sdm-nat-ipsec-msft-1
  inspect
 class type inspect sdm-nat-l2tp-1
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-7
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-8
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-9
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-10
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-11
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-13
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-14
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-15
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-16
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-17
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-12
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security out-zone
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <removed>
 ppp chap password <removed>
 ppp pap sent-username <removed> password <removed>
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.16.2 3389 interface Dialer0 3389
ip nat inside source static udp 192.168.16.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.16.3 25 interface Dialer0 25
ip nat inside source static tcp 192.168.16.3 80 interface Dialer0 80
ip nat inside source static tcp 192.168.16.3 443 interface Dialer0 443
ip nat inside source static tcp 192.168.16.3 987 interface Dialer0 987
ip nat inside source static udp 192.168.16.2 500 interface Dialer0 500
ip nat inside source static udp 192.168.16.3 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.16.3 1701 interface Dialer0 1701
ip nat inside source static tcp 192.168.16.3 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended ICMPFromCorpToRehab
 remark CCP_ACL Category=128
 permit ip host <remote office ip removed> host <remote office ip removed>
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IGMP
 remark CCP_ACL Category=0
 permit ip any any
ip access-list extended VPNICMPPrelimPing
 remark CCP_ACL Category=128
 permit ip host <remote office ip removed> any
!
logging trap debugging
access-list 100 remark CCP_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host <main office ip removed> any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.16.2
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.16.2
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.16.3
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.16.3
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.16.3
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.16.3
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 192.168.16.2
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 192.168.16.3
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 192.168.16.3
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip any host 192.168.16.3
access-list 112 remark CCP_ACL Category=4
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 113 remark CCP_ACL Category=0
access-list 113 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 114 remark CCP_ACL Category=4
access-list 114 remark IPSec Rule
access-list 114 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 115 remark CCP_ACL Category=128
access-list 115 permit ip host <remote office ip removed> any
access-list 116 remark CCP_ACL Category=0
access-list 116 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 117 remark CCP_ACL Category=4
access-list 117 remark IPSec Rule
access-list 117 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 118 remark CCP_ACL Category=0
access-list 118 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 119 remark CCP_ACL Category=4
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 121 remark CCP_ACL Category=4
access-list 121 remark IPSec Rule
access-list 121 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 122 remark CCP_ACL Category=0
access-list 122 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 123 remark CCP_ACL Category=4
access-list 123 remark IPSec Rule
access-list 123 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 124 remark CCP_ACL Category=0
access-list 124 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 125 remark CCP_ACL Category=4
access-list 125 remark IPSec Rule
access-list 125 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 126 remark CCP_ACL Category=0
access-list 126 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 127 remark CCP_ACL Category=0
access-list 127 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 128 remark CCP_ACL Category=0
access-list 128 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 129 remark CCP_ACL Category=0
access-list 129 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 130 remark CCP_ACL Category=0
access-list 130 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 131 remark CCP_ACL Category=4
access-list 131 remark IPSec Rule
access-list 131 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 132 remark CCP_ACL Category=0
access-list 132 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 133 remark CCP_ACL Category=4
access-list 133 remark IPSec Rule
access-list 133 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 134 remark CCP_ACL Category=0
access-list 134 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 135 remark CCP_ACL Category=4
access-list 135 remark IPSec Rule
access-list 135 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 136 remark CCP_ACL Category=0
access-list 136 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 137 remark CCP_ACL Category=4
access-list 137 remark IPSec Rule
access-list 137 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 138 remark CCP_ACL Category=0
access-list 138 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 139 remark CCP_ACL Category=0
access-list 139 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 140 remark CCP_ACL Category=0
access-list 140 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run

!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
banner exec ^C
! < banner edited out>

^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

------ end of config
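
In the config posted above, the only zone pair whose destination is the router itself (ccp-zp-out-self) applies ccp-permit, which passes SDM_VPN_PT (ISAKMP/IPsec from the remote office) and drops everything else; the ICMP class-map ccp-cls-ccp-permit-1 exists but is not attached to any policy-map, so it never affects traffic. The script below is an added example, not code from this thread or from Cisco: it parses the zone-based-firewall part of an IOS running config, lists class-maps no policy uses, reports what out-zone -> self does with ICMP, and re-audits the config after the class is attached. Function names and the constructed sample config (a subset of the one above) are mine; ZBF evaluates classes in configured order, which the verdict relies on.

```python
"""Audit the zone-based-firewall (ZBF) part of a Cisco IOS running config: which
class-maps are attached to no policy-map, and what out-zone -> self does with ICMP."""
import re
# Constructed subset of the running config posted above (the out -> self path).
SAMPLE_CONFIG = """\
class-map type inspect match-any DPKICMPVPNPrelimSetupPingAllowed
 match protocol icmp
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
class-map type inspect match-all SDM_VPN_PT
 match access-group 115
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map DPKICMPVPNPrelimSetupPingAllowed
 match access-group name VPNICMPPrelimPing
!
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
!
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
"""

HEADER = re.compile(r"^(class-map|policy-map) type inspect (?:match-\w+ )?(\S+)$")
ZONE_PAIR = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")

def parse(config):
    """Return class_maps {name: [match lines]}, policy_maps {name: [[class, action], ...]}
    in configured order, and zone_pairs {name: {source, dest, policy}}."""
    cmaps, pmaps, zpairs = {}, {}, {}
    current = ("other", None)               # (kind, name) of the open block
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw.startswith(" "):         # a column-0 line opens a new block
            current = ("other", None)       # interface, access-list, ...: ignored
            if m := HEADER.match(line):
                kind, name = current = m.groups()
                (cmaps if kind == "class-map" else pmaps)[name] = []
            elif m := ZONE_PAIR.match(line):
                name, src, dst = m.groups()
                current = ("zone-pair", name)
                zpairs[name] = {"source": src, "dest": dst, "policy": None}
            continue
        kind, name = current
        if kind == "class-map":
            cmaps[name].append(line)
        elif kind == "policy-map":
            if line.startswith("class "):   # 'class type inspect X' or 'class class-default'
                pmaps[name].append([line.split()[-1], None])
            elif pmaps[name]:               # action line: pass | inspect | drop [log]
                pmaps[name][-1][1] = line.split()[0]
        elif kind == "zone-pair" and line.startswith("service-policy"):
            zpairs[name]["policy"] = line.split()[-1]
    return cmaps, pmaps, zpairs

def matches_icmp(name, cmaps):
    """Can class-map `name` match ICMP? Follows nested class-maps; ACLs are not evaluated."""
    for line in cmaps.get(name, []):
        if line == "match protocol icmp":
            return True
        if line.startswith("match class-map ") and matches_icmp(line.split()[-1], cmaps):
            return True
    return False

def icmp_to_self_verdict(config):
    """(class, action) of the first class in the out-zone -> self policy that can match
    ICMP, falling through to class-default; with no zone pair to self, ZBF leaves it open."""
    cmaps, pmaps, zpairs = parse(config)
    for zp in zpairs.values():
        if zp["source"] == "out-zone" and zp["dest"] == "self":
            for cls, action in pmaps.get(zp["policy"], []):
                if cls == "class-default" or matches_icmp(cls, cmaps):
                    return cls, action
    return None, "pass"

def unattached_class_maps(config):
    """Class-maps that no policy-map and no other class-map references: they affect no traffic."""
    cmaps, pmaps, _ = parse(config)
    used = {cls for classes in pmaps.values() for cls, _ in classes}
    for lines in cmaps.values():
        used.update(ln.split()[-1] for ln in lines if ln.startswith("match class-map "))
    return sorted(set(cmaps) - used)

def attach_class(config, policy, cls, action="pass"):
    """Config text with `cls` inserted ahead of class-default in `policy` (the effect of
    'class type inspect <cls>' / '<action>' there), so a fix can be re-audited first."""
    out, in_policy = [], False
    for raw in config.splitlines():
        if not raw.startswith(" "):
            in_policy = raw == f"policy-map type inspect {policy}"
        if in_policy and raw == " class class-default":
            out += [f" class type inspect {cls}", f"  {action}"]
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run it over a saved `show running-config` instead of the sample and it also flags sdm-cls-VPNOutsideToInside-1, -5 and -6, which the posted config defines but never attaches to a policy-map. Treat the ICMP result as an upper bound: the script does not evaluate the ACLs referenced by match-all classes.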

WOW!! That is one heck of a config. CCP does it a little differently than I would from the CLI. It will take me a little bit to map out each of those ACLs and what it's doing. Give me a day or so, and I will hopefully have a suggestion. If I were to post some recommended changes, would you feel comfortable pasting them into an SSH or Telnet session? Or would you prefer CCP instructions?
cmgibson,

Thank you very much for your immediate feedback.

I think for this first run, I would be more comfortable with CCP - and thanks for the options regarding the input.

I also wanted to let you know that I have gone through the VPN manager and removed the multiple vpn settings - made by the VPN config wizard when run by me multiple times.

I have posted below - I am assuming (a big assumption) that the firewall rules will be updated when I re-run the wizard?

------------------ the config

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <removed>
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 <removed>
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime 10
!
crypto pki trustpoint TP-self-signed-<removed>
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-<removed>
 revocation-check none
 rsakeypair TP-self-signed-<removed>
!
!
crypto pki certificate chain TP-self-signed-<removed>
 certificate self-signed 01
      <removed>
        quit
dot11 syslog
no ip source-route
!
!
ip port-map user-protocol--2 port udp 3389
ip port-map user-protocol--3 port tcp 987
ip port-map user-protocol--1 port tcp 3389
ip cef
no ip bootp server
ip domain name <removed>
ip name-server <removed>
ip name-server <removed>
!
!
parameter-map type regex ccp-regex-nonascii
 pattern [^\x00-\x80]

!
!
username <removed> privilege 15 secret 5 <removed>
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <removed> address <remote office ip removed>
!
!
crypto ipsec transform-set ESP-3DES-SHA9 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to<remote office ip removed>
 set peer <remote office ip removed>
 set transform-set ESP-3DES-SHA9
 match address 137
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 113
class-map type inspect match-any DPKICMPVPNPrelimSetupPingAllowed
 match protocol icmp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
 match access-group 118
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 116
class-map type inspect match-all sdm-nat-user-protocol--3-1
 match access-group 107
 match protocol user-protocol--3
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
 match access-group 122
class-map type inspect match-all sdm-nat-http-1
 match access-group 105
 match protocol http
class-map type inspect match-all sdm-nat-user-protocol--2-1
 match access-group 103
 match protocol user-protocol--2
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
 match access-group 120
class-map type inspect match-all sdm-nat-user-protocol--1-1
 match access-group 102
 match protocol user-protocol--1
class-map type inspect match-all sdm-cls-VPNOutsideToInside-7
 match access-group 126
class-map type inspect match-all sdm-nat-smtp-1
 match access-group 104
 match protocol smtp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-6
 match access-group 124
class-map type inspect match-all sdm-cls-VPNOutsideToInside-9
 match access-group 128
class-map type inspect match-all sdm-cls-VPNOutsideToInside-8
 match access-group 127
class-map type inspect match-all SDM_GRE
 match access-group name SDM_GRE
class-map type inspect match-any CCP_PPTP
 match class-map SDM_GRE
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any ccp-skinny-inspect
 match protocol skinny
class-map type inspect match-all sdm-nat-isakmp-1
 match access-group 108
 match protocol isakmp
class-map type inspect match-any SDM_IGMP
 match access-group name SDM_IGMP
class-map type inspect match-any CorpPing4VPNEst
 match class-map SDM_IGMP
class-map type inspect match-all ccp-cls-ccp-permit-icmpreply-1
 match class-map CorpPing4VPNEst
 match access-group name ICMPFromCorpToRehab
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 115
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-all sdm-nat-pptp-1
 match access-group 111
 match protocol pptp
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-h323nxg-inspect
 match protocol h323-nxg
class-map type inspect match-all sdm-cls-VPNOutsideToInside-10
 match access-group 129
class-map type inspect match-all sdm-cls-VPNOutsideToInside-11
 match access-group 130
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all sdm-cls-VPNOutsideToInside-12
 match access-group 132
class-map type inspect match-all sdm-cls-VPNOutsideToInside-13
 match access-group 134
class-map type inspect match-all sdm-cls-VPNOutsideToInside-14
 match access-group 136
class-map type inspect match-all sdm-cls-VPNOutsideToInside-15
 match access-group 138
class-map type inspect match-all sdm-cls-VPNOutsideToInside-16
 match access-group 139
class-map type inspect match-all sdm-cls-VPNOutsideToInside-17
 match access-group 140
class-map type inspect match-any ccp-h225ras-inspect
 match protocol h225ras
class-map type inspect match-any ccp-h323annexe-inspect
 match protocol h323-annexe
class-map type inspect match-all sdm-nat-l2tp-1
 match access-group 110
 match protocol l2tp
class-map type inspect match-all sdm-nat-ipsec-msft-1
 match access-group 109
 match protocol ipsec-msft
class-map type inspect match-all ccp-cls-ccp-permit-1
 match class-map DPKICMPVPNPrelimSetupPingAllowed
 match access-group name VPNICMPPrelimPing
class-map type inspect match-any ccp-h323-inspect
 match protocol h323
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
 match access-group 101
class-map type inspect match-any ccp-sip-inspect
 match protocol sip
class-map type inspect match-all sdm-nat-https-1
 match access-group 106
 match protocol https
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-cls-ccp-permit-icmpreply-1
  pass log
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
 class type inspect sdm-nat-user-protocol--1-1
  inspect
 class type inspect sdm-nat-user-protocol--2-1
  inspect
 class type inspect sdm-nat-smtp-1
  inspect
 class type inspect sdm-nat-http-1
  inspect
 class type inspect sdm-nat-https-1
  inspect
 class type inspect sdm-nat-user-protocol--3-1
  inspect
 class type inspect sdm-nat-isakmp-1
  inspect
 class type inspect sdm-nat-ipsec-msft-1
  inspect
 class type inspect sdm-nat-l2tp-1
  inspect
 class type inspect sdm-nat-pptp-1
  inspect
 class type inspect CCP_PPTP
  pass
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-7
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-8
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-9
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-10
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-11
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-13
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-14
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-15
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-16
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-17
  pass
 class class-default
  drop log
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class type inspect ccp-sip-inspect
  inspect
 class type inspect ccp-h323-inspect
  inspect
 class type inspect ccp-h323annexe-inspect
  inspect
 class type inspect ccp-h225ras-inspect
  inspect
 class type inspect ccp-h323nxg-inspect
  inspect
 class type inspect ccp-skinny-inspect
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-12
  inspect
 class class-default
  drop
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 no atm ilmi-keepalive
!
interface ATM0.1 point-to-point
 description $ES_WAN$
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 zone-member security out-zone
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 ip address 192.168.16.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip tcp adjust-mss 1452
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <removed>
 ppp chap password 7 <removed>
 ppp pap sent-username <removed> password 7 <removed>
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source static tcp 192.168.16.2 3389 interface Dialer0 3389
ip nat inside source static udp 192.168.16.2 3389 interface Dialer0 3389
ip nat inside source static tcp 192.168.16.3 25 interface Dialer0 25
ip nat inside source static tcp 192.168.16.3 80 interface Dialer0 80
ip nat inside source static tcp 192.168.16.3 443 interface Dialer0 443
ip nat inside source static tcp 192.168.16.3 987 interface Dialer0 987
ip nat inside source static udp 192.168.16.2 500 interface Dialer0 500
ip nat inside source static udp 192.168.16.3 4500 interface Dialer0 4500
ip nat inside source static udp 192.168.16.3 1701 interface Dialer0 1701
ip nat inside source static tcp 192.168.16.3 1723 interface Dialer0 1723
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
ip access-list extended ICMPFromCorpToRehab
 remark CCP_ACL Category=128
 permit ip host <remote office ip address removed> host <remote office ip address removed>
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=1
 permit gre any any
ip access-list extended SDM_IGMP
 remark CCP_ACL Category=0
 permit ip any any
ip access-list extended VPNICMPPrelimPing
 remark CCP_ACL Category=128
 permit ip host <remote office ip address removed> any
!
logging trap debugging
access-list 100 remark CCP_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 255.255.255.255 any
access-list 101 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip host <main office ip address removed> any
access-list 102 remark CCP_ACL Category=0
access-list 102 permit ip any host 192.168.16.2
access-list 103 remark CCP_ACL Category=0
access-list 103 permit ip any host 192.168.16.2
access-list 104 remark CCP_ACL Category=0
access-list 104 permit ip any host 192.168.16.3
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip any host 192.168.16.3
access-list 106 remark CCP_ACL Category=0
access-list 106 permit ip any host 192.168.16.3
access-list 107 remark CCP_ACL Category=0
access-list 107 permit ip any host 192.168.16.3
access-list 108 remark CCP_ACL Category=0
access-list 108 permit ip any host 192.168.16.2
access-list 109 remark CCP_ACL Category=0
access-list 109 permit ip any host 192.168.16.3
access-list 110 remark CCP_ACL Category=0
access-list 110 permit ip any host 192.168.16.3
access-list 111 remark CCP_ACL Category=0
access-list 111 permit ip any host 192.168.16.3
access-list 113 remark CCP_ACL Category=0
access-list 113 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 115 remark CCP_ACL Category=128
access-list 115 permit ip host <remote office ip address removed> any
access-list 116 remark CCP_ACL Category=0
access-list 116 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 118 remark CCP_ACL Category=0
access-list 118 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 120 remark CCP_ACL Category=0
access-list 120 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 122 remark CCP_ACL Category=0
access-list 122 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 124 remark CCP_ACL Category=0
access-list 124 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 126 remark CCP_ACL Category=0
access-list 126 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 127 remark CCP_ACL Category=0
access-list 127 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 128 remark CCP_ACL Category=0
access-list 128 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 129 remark CCP_ACL Category=0
access-list 129 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 130 remark CCP_ACL Category=0
access-list 130 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 132 remark CCP_ACL Category=0
access-list 132 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 134 remark CCP_ACL Category=0
access-list 134 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 136 remark CCP_ACL Category=0
access-list 136 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 137 remark CCP_ACL Category=4
access-list 137 remark IPSec Rule
access-list 137 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 138 remark CCP_ACL Category=0
access-list 138 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 139 remark CCP_ACL Category=0
access-list 139 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 140 remark CCP_ACL Category=0
access-list 140 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run

!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 100
!
!
control-plane
!
<banner removed>

^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

------------------ the end of the config
Unfortunately, removing the VPN config does not remove the auto-generated firewall rules. There are still about 40 different rules, many of which are duplicated (I'm sure the multiple VPNs auto-created a lot of the same rules). I will try to give you some instructions for CCP to go in and remove the unnecessary ones once I determine exactly which ones they are.
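Working out which of the wizard-generated rules are duplicates, and which ones nothing references any more, is easier done on the saved `show running-config` text than by clicking through CCP. The script below is an added example (not code from this thread, from CCP or from Cisco): it parses numbered access-lists, groups the ones whose rule bodies are identical, lists the ones no `match ip address`, `match address`, `access-group` or `source list` line consumes, and, as a third check, flags static NAT entries that forward UDP 500 or 4500 on an interface that carries a crypto map, since those would send inbound IKE for the router itself to an inside host. The sample config is constructed from a subset of the lines posted above (inside addresses as posted, public addresses omitted); the `match address 137` line in the crypto map is an assumption, as that part of the config is not in the excerpt.

```python
"""Static checks over a Cisco IOS running-config dump (added example,
not code from the thread, CCP or Cisco). Reports duplicate numbered
ACLs, ACLs nothing references, and static NAT forwards of the IKE
ports (UDP 500/4500) on an interface that has a crypto map applied."""
import re
from collections import defaultdict

IKE_UDP_PORTS = {"500", "4500"}

# Constructed sample: subset of the posted config plus an ASSUMED
# "match address 137" inside the crypto map.
SAMPLE_CONFIG = """\
crypto map SDM_CMAP_1 1 ipsec-isakmp
 match address 137
interface Dialer0
 ip nat outside
 crypto map SDM_CMAP_1
!
ip nat inside source static udp 192.168.16.2 500 interface Dialer0 500
ip nat inside source static udp 192.168.16.3 4500 interface Dialer0 4500
ip nat inside source static tcp 192.168.16.3 443 interface Dialer0 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
access-list 100 remark IPSec Rule
access-list 100 deny   ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 113 remark CCP_ACL Category=0
access-list 113 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 116 remark CCP_ACL Category=0
access-list 116 permit ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 137 remark IPSec Rule
access-list 137 permit ip 192.168.16.0 0.0.0.255 192.168.17.0 0.0.0.255
route-map SDM_RMAP_1 permit 1
 match ip address 100
"""

ACL_LINE = re.compile(r"access-list (\d+) (.*)")
# Commands that consume a numbered ACL: route-map match, interface/ZBF
# access-groups, NAT source lists and crypto-map match address.
ACL_REF = re.compile(
    r"(?:match ip address|match address|access-group|source list)\s+(\d+)\b")
STATIC_UDP_NAT = re.compile(
    r"ip nat inside source static udp (\S+) (\d+) interface (\S+) (\d+)")


def parse_acls(config):
    """Map ACL number -> rule lines, remarks dropped, whitespace collapsed."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and not m.group(2).startswith("remark"):
            acls[m.group(1)].append(" ".join(m.group(2).split()))
    return dict(acls)


def duplicate_acls(acls):
    """Groups of ACL numbers whose rule lists are identical."""
    by_body = defaultdict(list)
    for num, rules in acls.items():
        by_body[tuple(rules)].append(num)
    return sorted(sorted(g, key=int) for g in by_body.values() if len(g) > 1)


def unreferenced_acls(config, acls):
    """ACL numbers that no referencing command in this text mentions."""
    used = {m.group(1) for m in ACL_REF.finditer(config)}
    return sorted(set(acls) - used, key=int)


def crypto_map_interfaces(config):
    """Interfaces whose block applies a crypto map."""
    ifaces, current = set(), None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split()[1]
        elif line.strip() == "!":
            current = None          # end of the interface block
        elif current and line.startswith(" crypto map "):
            ifaces.add(current)
    return ifaces


def ike_port_forwards(config):
    """(interface, port, inside host) for static UDP 500/4500 forwards on a
    crypto-map interface: inbound IKE meant for the router goes to that host."""
    ifaces = crypto_map_interfaces(config)
    hits = []
    for line in config.splitlines():
        m = STATIC_UDP_NAT.match(line.strip())
        if m and m.group(3) in ifaces and m.group(4) in IKE_UDP_PORTS:
            hits.append((m.group(3), m.group(4), m.group(1)))
    return hits


def report(config):
    """Run all three checks and return their results in one dict."""
    acls = parse_acls(config)
    return {"duplicates": duplicate_acls(acls),
            "unreferenced": unreferenced_acls(config, acls),
            "ike_forwards": ike_port_forwards(config)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Feed it the whole saved running-config rather than an excerpt: the Category=0 ACLs are normally consumed by `match access-group` lines in class-maps that sit earlier in the config, so on a partial dump they will show up as unreferenced when they are not. Treat the third check as a prompt to verify, not a verdict: with the crypto map on Dialer0 and UDP 500/4500 statically forwarded to inside hosts for the existing Microsoft VPN, it is worth confirming with `show crypto isakmp sa` which side the IKE traffic actually reaches.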
ASKER CERTIFIED SOLUTION
dwknight
Resolved.