ezvpn not working

Unanswered Question
May 17th, 2010
User Badges:

Hi,


The   router is performing PAT   for internet access and I'm trying to enable it as an EZVPN server  Using  the Cisco VPN client, I'm able to connect it and bring up the  tunnel. i  can pass traffic by vpn and can ping the local server but  can't access  it by RDP.


please help me out.


my configuration is mention bellow.


Router#sho run
Building configuration...


Current configuration : 5113 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$4Pcy$V0KWLPKy5/GW/4ItWVooR0
enable password 7 05080F1C22431B5D4A
!
aaa new-model
!
!
aaa authentication login userlist local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3568720321
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3568720321
revocation-check none
rsakeypair TP-self-signed-3568720321
!
!
crypto pki certificate chain TP-self-signed-3568720321
certificate self-signed 01
  3082023E 308201A7 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33353638 37323033 3231301E 170D3039 30323038 30343432
  35385A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 35363837
  32303332 3130819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009A4D 046918DB 53A18A29 7027920E D4EE15B8 342DD4A3 2F4C9FB1 D6EC01E2
  6ECD5A63 1844B147 72A024CB F95526F6 E2A0C212 0495C1F1 D0643420 C694FCDF
  D0C8DC64 D011E938 BDBCE22A A042802D A2B3E913 A7F0D459 034C90F2 6761DF40
  92A463E0 10EA258E 12C70CA5 25C485D2 42C3F09E B8ED14EC 2DCA58F6 785296B1
  B8F70203 010001A3 66306430 0F060355 1D130101 FF040530 030101FF 30110603
  551D1104 0A300882 06526F75 74657230 1F060355 1D230418 30168014 41623CBF
  E9F77DBD 254E6B12 7464C621 1174205B 301D0603 551D0E04 16041441 623CBFE9
  F77DBD25 4E6B1274 64C62111 74205B30 0D06092A 864886F7 0D010104 05000381
  8100856D 3FFC63DF A46C49BC CFD0495F 66F20D47 A117A01F BD1F0E98 397334C6
  519C3F41 F4D308DF AD4A7095 D6B39DF7 376EACF9 017DF07E 8E70F3B2 A5F29EFD
  EAE4FED6 53718BDD E12ABF98 7348B6B8 B9E2AF6F 19E5130D A1ABC24B 7DAC37B3
  288376D5 9CAE2859 9E028739 B59B2C58 65335375 09FC8D9A 6CA6C3D8 6AB5D5EC 7705
        quit
dot11 syslog
no ip source-route
ip cef
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip name-server 202.56.215.54
ip name-server 202.56.215.55
!
!
!
username vcsd privilege 15 password 7 0610062A45400E260C1916020D
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp identity hostname
crypto isakmp client configuration address-pool local VIKING_POOL_1
crypto isakmp xauth timeout 60


!
crypto isakmp client configuration group xxxxxxxxxxxxxx
key xxxxxxxxxx
dns 202.56.215.54 202.56.215.55
pool VIKING_POOL_1
acl 110
max-users 6
netmask 255.255.255.0
crypto isakmp profile VPNclient
   description VPN clients profile
   match identity group xxxxxxxxxxx
   client authentication list userlist
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-md5-hmac
!
crypto dynamic-map VIKING_INDIA_1 65535
set transform-set ESP-3DES-SHA1
set isakmp-profile VPNclient
reverse-route
!
!
crypto map VIKING_INDIA_1 65535 ipsec-isakmp dynamic VIKING_INDIA_1
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description *****AIRTEL WAN LINK******
ip address 122.x.x.x 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map VIKING_INDIA_1
!
interface Vlan1
ip address 192.168.1.5 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool VIKING_POOL_1 192.168.15.1 192.168.15.6
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 122.x.x.x
!
no ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.1.2 3389 interface FastEthernet4 3389
ip nat inside source static tcp 192.168.1.2 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.1.2 443 interface FastEthernet4 443
ip nat inside source static tcp 192.168.1.2 445 interface FastEthernet4 445
ip nat inside source list 101 interface FastEthernet4 overload


!
ip access-list extended Internet-inbound-ACL
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
permit tcp any any eq 3389
permit tcp any any
ip access-list extended Internet-inbounf-ACL
!
access-list 101 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
no cdp run
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
password 7 0610062A45400E260C1916020D
!
scheduler max-task-time 5000
end


Router#

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
stonnet72 Fri, 05/21/2010 - 09:02
User Badges:

I think that you are missing


ip access-list extended Internet-inbound-ACL
permit icmp any any  echo
permit icmp any any echo-reply
permit icmp any any  traceroute
permit gre any any
permit esp any any
permit tcp  any any eq 3389
permit tcp any any
ip access-list extended  Internet-inbounf-ACL
!
access-list 101 deny   ip 192.168.1.0  0.0.0.255 192.168.15.0 0.0.0.255
access-list 101 permit ip  192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0  0.0.0.255 any

access-list 110 extended permit tcp host x.x.x.x host x.x.x.x eq 3389 (note: you will probably want to be more specific with what 
is allowed to RDP, allowing all any host creates a security concern)

Although you have the "permit tcp any" rule above, i think that you need the ACL-list extended rule here below as well.

Hope this helps

Actions

This Discussion