ZBF and GRE tunnel

usuario0001
Level 1

Hi,

I'm trying to configure ZBF on a 2811 router with a site-to-site VPN with GRE Tunnel. But, when I configure the Firewall, the tunnel stops. I've tried adding several protocols like isakmp but it doesn't work. Does anybody know which protocol to add to make it work?

Thanks in advance

Best regards

7 Replies

sadsiddi
Level 1

pls share the config.

This is the config:

class-map type inspect match-any L4-private-public-cmap
 match protocol dns
 match protocol smtp
 match protocol pop3
 match protocol https
 match protocol ftp
 match protocol icmp
 match protocol ssh
 match protocol isakmp
class-map type inspect http match-any HTTP-L7-private-public-cmap
 match req-resp protocol-violation
 match request port-misuse any
class-map type inspect match-any HTTP-L4-private-public-cmap
 match protocol http
!
!
policy-map type inspect http HTTP-L7-private-public-pmap
 class type inspect http HTTP-L7-private-public-cmap
  reset
  log
 class class-default
policy-map type inspect L4-private-public-pmap
 class type inspect HTTP-L4-private-public-cmap
  inspect
  service-policy http HTTP-L7-private-public-pmap
 class class-default
  drop
!
zone security private
zone security public
zone-pair security private-public source private destination public
 service-policy type inspect L4-private-public-pmap
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key 123456 address aaa.bbb.ccc.ddd
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
crypto map IPSEC_VPN 3 ipsec-isakmp
 set peer aaa.bbb.ccc.ddd
 set transform-set ESP-3DES-SHA
 match address 103
!
!
!
!
interface Tunnel1
 ip address 10.1.1.10 255.255.255.252
 keepalive 10 3
 tunnel source FastEthernet0/0
 tunnel destination aaa.bbb.ccc.ddd
!
!
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 ip address eee.fff.ggg.hhh 255.255.255.248
 ip access-group 14 out
 ip nat outside
 ip virtual-reassembly
 zone-member security public
 load-interval 30
 duplex auto
 speed auto
 crypto map IPSEC_VPN
!
!
interface FastEthernet0/0/0
!
interface FastEthernet0/0/1
!
interface FastEthernet0/0/2
!
interface FastEthernet0/0/3
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 zone-member security private
 load-interval 30
!
ip route 0.0.0.0 0.0.0.0 iii.jjj.kkk.lll
ip route aaa.bbb.ccc.ddd 255.255.252.0 10.1.1.9
ip route aaa.bbb.ccc.ddd 255.255.255.255 iii.jjj.kkk.lll
!
!
ip http server
no ip http secure-server
!
ip nat inside source route-map primary interface FastEthernet0/0 overload
!
ip sla schedule 1 life forever start-time now
access-list 14 permit any
access-list 15 permit any
access-list 102 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit gre host eee.fff.ggg.hhh host aaa.bbb.ccc.ddd
!
route-map primary permit 10
 match ip address 102
 match interface FastEthernet0/0
!
control-plane
!

Thanks

Best Regards
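One check worth running on a config like the one posted above, added here as an example and not taken from this thread or from Cisco: a short Python script that parses the interface blocks and flags a tunnel interface that belongs to no security zone while the physical interface it is sourced from is a zone member. ZBF does not forward transit traffic between a zone-member interface and an interface outside every zone, so that combination stops the decapsulated GRE traffic on its way to the LAN. The embedded config is a constructed sample with placeholder addresses; `SAMPLE_CONFIG`, `parse_interfaces` and `find_unzoned_tunnels` are the script's own names.

```python
# Flags tunnel interfaces that sit outside every security zone while their
# physical source interface is a zone member. ZBF drops transit traffic between
# a zone-member interface and one in no zone, so decapsulated GRE traffic bound
# for a zoned LAN interface is dropped once the zones are applied.

# Constructed sample modelled on the posted config; addresses are placeholders.
SAMPLE_CONFIG = """\
zone security private
zone security public
!
interface Tunnel1
 ip address 10.1.1.10 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.1
!
interface FastEthernet0/0
 ip address 198.51.100.2 255.255.255.248
 zone-member security public
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 zone-member security private
!
"""

def parse_interfaces(config):
    """Map interface name -> {"zone": str|None, "tunnel_source": str|None}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            interfaces[current] = {"zone": None, "tunnel_source": None}
        elif current and line.startswith(" "):
            cmd = line.strip()
            if cmd.startswith("zone-member security "):
                interfaces[current]["zone"] = cmd.split()[-1]
            elif cmd.startswith("tunnel source "):
                interfaces[current]["tunnel_source"] = cmd.split()[-1]
        else:
            current = None  # "!" or any top-level command closes the block
    return interfaces

def find_unzoned_tunnels(config):
    """(tunnel, source_if, source_zone) for unzoned tunnels with a zoned source."""
    ifaces = parse_interfaces(config)
    return [(name, i["tunnel_source"], ifaces[i["tunnel_source"]]["zone"])
            for name, i in ifaces.items()
            if i["zone"] is None and i["tunnel_source"] in ifaces
            and ifaces[i["tunnel_source"]]["zone"] is not None]
```

A tunnel whose `tunnel source` is given as an IP address rather than an interface name is skipped, since the script cannot map it to a zone; the fix for a flagged tunnel is to make it a zone member and add the corresponding zone-pair with its inspect policy.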

pls configure "ip inspect log drop" and enable "debug policy-firewall det" and get me the logs when you see the problem.

Hi,

it doesn't accept the command: "debug policy-firewall det", is it correct?

Thanks

What IOS version do you use?

Excuse me for the delay but I couldn't write before.

IOS version is: 12.4(13r)T.

Thanks

Sorry, but the IOS version is 12.4(9)T7, not the other one.

Thanks
