1933 Views, 0 Helpful, 4 Replies

Cisco 877W Easy VPN - VPN connects but clients cannot see the network

Mike.Ba1ley
Level 1

Hi

I have a Cisco 877w that I've set up with firewall and VPN. After a lot of problems in getting the VPN to connect, I can now get VPN clients and my iPhone to connect remotely. However, when I connect, I cannot see anything on the local LAN. I've been scratching my head for a few days and not made any progress.

I am not sure if I've missed something in the firewall configuration or routing. Could someone please have a look at the config and let me know what I've missed? It would be most greatly appreciated!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

!

hostname ch-home-rt

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 $1$PFSZ$V4gWvmoldeAtPDTDaaruy1

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authentication login ciscocp_vpn_xauth_ml_3 local

aaa authentication login ciscocp_vpn_xauth_ml_4 local

aaa authentication login ciscocp_vpn_xauth_ml_5 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

aaa authorization network ciscocp_vpn_group_ml_3 local

aaa authorization network ciscocp_vpn_group_ml_4 local

aaa authorization network ciscocp_vpn_group_ml_5 local

!

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-4221835501

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4221835501

revocation-check none

rsakeypair TP-self-signed-4221835501

!

!

crypto pki certificate chain TP-self-signed-4221835501

certificate self-signed 01

   quit

dot11 syslog

!

dot11 ssid Langden

   vlan 1

   authentication open

   authentication key-management wpa

   mbssid guest-mode

   wpa-psk ascii 7 12310007415B5F057C73777E61

!

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 192.168.1.151 192.168.1.254

!

ip dhcp pool ccp-pool

   import all

   network 10.10.10.0 255.255.255.248

   default-router 10.10.10.1

   lease 0 2

!

ip dhcp pool chLAN

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 212.23.3.100 212.23.6.100

!

!

ip port-map user-ctcp-ezvpnsvr port tcp 10000

ip port-map user-cctudp port udp 88

ip port-map user-ezvpn-remote port udp 10000

no ip bootp server

ip domain name yourdomain.com

ip name-server 212.23.3.100

ip name-server 212.23.6.100

!

!

!

username dnstech privilege 15 secret 5 $1$J1fd$33MY4zTzQ8UljyfvCjdIj0

username chrish privilege 15 secret 5 $1$3Oui$LZhMcqX/rNUPC3RlJeiHX0

!

crypto logging ezvpn

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration address-pool local SDM_POOL_1

!

crypto isakmp client configuration group chrisremote

key Hep303

dns 212.23.3.100 212.23.6.100

pool SDM_POOL_1

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group chrisremote

   client authentication list ciscocp_vpn_xauth_ml_5

   isakmp authorization list ciscocp_vpn_group_ml_5

   client configuration address initiate

   client configuration address respond

   virtual-template 5

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA2

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto ctcp port 10000

archive

log config

  hidekeys

!

!

!

class-map type inspect match-any SDM_SSLVPN

match access-group name SDM_SSLVPN0

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

class-map type inspect match-any sdm-cls-access

match class-map SDM_HTTPS

match class-map SDM_SSH

match class-map SDM_SHELL

match protocol ssh

match protocol telnet

class-map type inspect match-any cctv

match protocol kerberos

match protocol user-cctudp

class-map type inspect match-any SDM_TELNET

match access-group name SDM_TELNET0

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_EIGRP

match access-group name SDM_EIGRP0

class-map type inspect match-any remotesl

match protocol ssh

match protocol telnet

match class-map SDM_AH

match class-map SDM_EIGRP

match class-map SDM_TELNET

match class-map SDM_SSH

match class-map SDM_SSLVPN

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

match protocol user-ezvpn-remote

class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT

match class-map SDM_EASY_VPN_REMOTE_TRAFFIC

match access-group 102

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match protocol user-ctcp-ezvpnsvr

match class-map SDM_AH

match class-map SDM_ESP

match protocol user-ezvpn-remote

match protocol ssp

match protocol gdoi

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-any cctv-both

match protocol user-cctudp

match protocol kerberos

class-map type inspect match-all sdm-access

match class-map sdm-cls-access

match access-group 101

class-map type inspect match-all ccp-cls-ccp-permit-1

match class-map remotesl

match access-group name stevelatimer

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class class-default

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect cctv

  pass log

class type inspect sdm-access

  pass

class type inspect ccp-cls-ccp-permit-1

  pass

class class-default

policy-map type inspect ccp-policy-cctv-both

class type inspect cctv-both

  inspect

class class-default

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone

service-policy type inspect ccp-policy-cctv-both

!

bridge irb

!

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$

no ip redirects

no ip unreachables

no ip proxy-arp

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Virtual-Template5 type tunnel

ip unnumbered BVI1

ip nat inside

ip virtual-reassembly

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Dot11Radio0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

!

encryption vlan 1 mode ciphers aes-ccm tkip

!

broadcast-key vlan 1 change 30

!

!

ssid Langden

!

mbssid

speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0

station-role root

!

interface Dot11Radio0.1

encapsulation dot1Q 1 native

no cdp enable

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

interface Vlan1

no ip address

bridge-group 1

!

interface Vlan2

no ip address

bridge-group 2

!

interface Dialer0

description $FW_OUTSIDE$

ip address negotiated

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat outside

ip virtual-reassembly

zone-member security out-zone

encapsulation ppp

dialer pool 1

dialer-group 1

no cdp enable

ppp authentication chap pap callin

ppp chap hostname xxxxxx@xxx

ppp chap password 7 1511133C0A0D332C3F

ppp pap sent-username xxxxxx@xxx password 7 02051C6B052117295B

!

interface BVI1

description $FW_INSIDE$

ip address 192.168.1.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip nat inside

ip virtual-reassembly

zone-member security in-zone

!

interface BVI2

no ip address

!

ip local pool SDM_POOL_1 192.168.1.220 192.168.1.229

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 Dialer0 2

!

ip http server

ip http access-class 23

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

ip nat inside source list 1 interface Dialer0 overload

ip nat inside source static tcp 192.168.1.72 88 interface Dialer0 88

ip nat inside source static udp 192.168.1.72 88 interface Dialer0 88

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_EIGRP

remark CCP_ACL Category=0

permit eigrp any any

ip access-list extended SDM_EIGRP0

remark CCP_ACL Category=0

permit eigrp any any

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_GRE

remark CCP_ACL Category=0

permit gre any any

ip access-list extended SDM_GRE0

remark CCP_ACL Category=0

permit gre any any

ip access-list extended SDM_HTTP

remark CCP_ACL Category=0

permit tcp any any eq telnet

ip access-list extended SDM_HTTP0

remark CCP_ACL Category=0

permit tcp any any eq telnet

ip access-list extended SDM_HTTPS

remark CCP_ACL Category=1

permit tcp any any eq 443

ip access-list extended SDM_IGMP

remark CCP_ACL Category=0

permit ip any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

ip access-list extended SDM_IPINIP

remark CCP_ACL Category=0

permit ipinip any any

ip access-list extended SDM_IPINIP0

remark CCP_ACL Category=0

permit ipinip any any

ip access-list extended SDM_NOS

remark CCP_ACL Category=0

permit nos any any

ip access-list extended SDM_OSPF

remark CCP_ACL Category=0

permit ospf any any

ip access-list extended SDM_PCP

remark CCP_ACL Category=0

permit pcp any any

ip access-list extended SDM_PCP0

remark CCP_ACL Category=0

permit pcp any any

ip access-list extended SDM_PIM

remark CCP_ACL Category=0

ip access-list extended SDM_PIM0

remark CCP_ACL Category=0

ip access-list extended SDM_SHELL

remark CCP_ACL Category=1

permit tcp any any eq cmd

ip access-list extended SDM_SSH

remark CCP_ACL Category=1

permit tcp any any eq 22

ip access-list extended SDM_SSLVPN

remark CCP_ACL Category=0

permit tcp any any eq 4443

ip access-list extended SDM_SSLVPN0

remark CCP_ACL Category=0

permit tcp any any eq 4443

ip access-list extended SDM_TELNET

remark CCP_ACL Category=0

permit tcp any any

ip access-list extended SDM_TELNET0

remark CCP_ACL Category=0

permit tcp any any

ip access-list extended stevelatimer

remark CCP_ACL Category=128

permit ip host 212.159.12.62 any

!

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.1.0 0.0.0.255

access-list 23 permit 192.168.0.0 0.0.255.255

access-list 23 permit 10.10.10.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip host 212.159.12.62 any

access-list 102 remark CCP_ACL Category=128

access-list 102 permit ip host 82.69.105.59 any

dialer-list 1 protocol ip permit

!

!

!

control-plane

!

bridge 1 protocol ieee

bridge 1 route ip

bridge 2 protocol ieee

bridge 2 route ip

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^C

-----------------------------------------------------------------------

The Device is the personal property of Chris Hitchens.

This is a private network, unauthorised access to this device

and network is strictly forbidden

-----------------------------------------------------------------------^C

!

line con 0

exec-timeout 0 0

logging synchronous

no modem enable

line aux 0

line vty 0 4

access-class 23 in

exec-timeout 0 0

logging synchronous

transport input telnet ssh

!

scheduler max-task-time 5000

end

Thanks

Mike

4 Replies

Jitendriya Athavale
Cisco Employee

I haven't yet checked your config, but here is what you will need in ZBF.

Firstly, are you able to ping the inside IP of the router or the LAN interface?

For VPN to work:

Make sure that you are not NATting traffic from your internal network to the VPN pool IPs.

Make sure that you have opened port 50 and port 4500 in your access-list on the WAN interface.

This is what you need in the firewall config:

In the zone pair from in-out: inspect traffic from your network to the pool network.

In the zone pair from out-in: inspect traffic from the pool IPs to your network.

Please let me know if you have done these; if not, I can help you set these up.
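The three points in this reply (no NAT towards the pool, and stateful inspection in both directions between the LAN and the pool) as an added IOS configuration example; this is not code posted in the thread. It keeps the zone, interface and profile names from the original config (in-zone, ezvpn-zone, Virtual-Template5, BVI1, Dialer0, CiscoCP_Profile1), assumes the VPN pool lives on 192.168.2.0/24, and the ACL, route-map, class-map and policy-map names (ACL-NAT-EXEMPT, RM-NAT, ACL-LAN-TO-VPN, ACL-VPN-TO-LAN, CM-*, PM-*) are invented for the example.

```cisco
! Added example, not from the thread. Names marked below are assumed.
!
! 1. Place the Easy VPN virtual-template in ezvpn-zone. Under ZBF an
!    interface with no zone-member cannot exchange traffic with any
!    zoned interface, and in the posted config nothing is in ezvpn-zone.
interface Virtual-Template5 type tunnel
 ip unnumbered BVI1
 zone-member security ezvpn-zone
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
! 2. Exempt LAN -> pool traffic from the PAT overload on Dialer0, so
!    replies to VPN clients keep their real 192.168.1.x source address.
!    (ACL-NAT-EXEMPT and RM-NAT are assumed names.)
ip access-list extended ACL-NAT-EXEMPT
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
route-map RM-NAT permit 10
 match ip address ACL-NAT-EXEMPT
!
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map RM-NAT interface Dialer0 overload
!
! 3. Stateful inspection between the LAN and the VPN pool in both
!    directions, replacing the 'pass ip any any' sdm-permit-ip policy on
!    those two zone-pairs. Anything else between the zones is dropped
!    and logged, so a misconfigured client shows up in the syslog.
ip access-list extended ACL-LAN-TO-VPN
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended ACL-VPN-TO-LAN
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
class-map type inspect match-all CM-LAN-TO-VPN
 match access-group name ACL-LAN-TO-VPN
class-map type inspect match-all CM-VPN-TO-LAN
 match access-group name ACL-VPN-TO-LAN
!
policy-map type inspect PM-LAN-TO-VPN
 class type inspect CM-LAN-TO-VPN
  inspect
 class class-default
  drop log
policy-map type inspect PM-VPN-TO-LAN
 class type inspect CM-VPN-TO-LAN
  inspect
 class class-default
  drop log
!
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
 service-policy type inspect PM-LAN-TO-VPN
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
 service-policy type inspect PM-VPN-TO-LAN
```

After applying it, `show zone-pair security` should list Virtual-Access interfaces cloned from Virtual-Template5 as members of ezvpn-zone, and `show policy-map type inspect zone-pair sessions` should show sessions for a connected client's LAN traffic.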

I have the same issue. Running Windows 7 64-bit, I can log in and ping the server, but I cannot get it to see the network. I opened the ports on the PC's firewall to make sure it had access, even dropping the firewall altogether to get through. Any other suggestions?

Hi All

I am still struggling with this. I have moved the VPN IP pool off the 192.168.1.0/24 subnet onto the 192.168.2.0/24 subnet, ensuring that the virtual interface was not being NAT'd to external.

I have also made the firewall change as recommended.

Config now reads:

Building configuration...

Current configuration : 17265 bytes

!

version 12.4

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

service sequence-numbers

!

hostname ch-home-rt

!

boot-start-marker

boot-end-marker

!

logging buffered 51200 warnings

enable secret 5 $1$PFSZ$V4gWvmoldeAtPDTDaaruy1

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authentication login ciscocp_vpn_xauth_ml_3 local

aaa authentication login ciscocp_vpn_xauth_ml_4 local

aaa authentication login ciscocp_vpn_xauth_ml_5 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

aaa authorization network ciscocp_vpn_group_ml_3 local

aaa authorization network ciscocp_vpn_group_ml_4 local

aaa authorization network ciscocp_vpn_group_ml_5 local

!

!

aaa session-id common

!

crypto pki trustpoint TP-self-signed-4221835501

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-4221835501

revocation-check none

rsakeypair TP-self-signed-4221835501

!

!

crypto pki certificate chain TP-self-signed-4221835501

certificate self-signed 01

   quit

dot11 syslog

!

dot11 ssid Langden

   vlan 1

   authentication open

   authentication key-management wpa

   mbssid guest-mode

   wpa-psk ascii 7 12310007415B5F057C73777E61

!

no ip source-route

ip cef

no ip dhcp use vrf connected

ip dhcp excluded-address 10.10.10.1

ip dhcp excluded-address 192.168.1.1 192.168.1.49

ip dhcp excluded-address 192.168.1.151 192.168.1.254

!

ip dhcp pool ccp-pool

   import all

   network 10.10.10.0 255.255.255.248

   default-router 10.10.10.1

   lease 0 2

!

ip dhcp pool chLAN

   import all

   network 192.168.1.0 255.255.255.0

   default-router 192.168.1.1

   dns-server 212.23.3.100 212.23.6.100

!

!

ip port-map user-ctcp-ezvpnsvr port tcp 10000

ip port-map user-cctudp port udp 88

ip port-map user-ezvpn-remote port udp 10000

no ip bootp server

ip domain name yourdomain.com

ip name-server 212.23.3.100

ip name-server 212.23.6.100

!

!

!

username dnstech privilege 15 secret 5 $1$J1fd$33MY4zTzQ8UljyfvCjdIj0

username chrish privilege 15 secret 5 $1$3Oui$LZhMcqX/rNUPC3RlJeiHX0

!

crypto logging ezvpn

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration address-pool local SDM_POOL_1

!

crypto isakmp client configuration group chrisremote

key Hep303

dns 212.23.3.100 212.23.6.100

pool SDM_POOL_2

netmask 255.255.255.0

crypto isakmp profile ciscocp-ike-profile-1

   match identity group chrisremote

   client authentication list ciscocp_vpn_xauth_ml_5

   isakmp authorization list ciscocp_vpn_group_ml_5

   client configuration address initiate

   client configuration address respond

   virtual-template 5

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA2

set isakmp-profile ciscocp-ike-profile-1

!

!

crypto ctcp port 10000

archive

log config

  hidekeys

!

!

!

class-map type inspect match-any SDM_SSLVPN

match access-group name SDM_SSLVPN0

class-map type inspect match-any SDM_HTTPS

match access-group name SDM_HTTPS

class-map type inspect match-any SDM_SSH

match access-group name SDM_SSH

class-map type inspect match-any SDM_SHELL

match access-group name SDM_SHELL

class-map type inspect match-any SDM_TELNET0

match access-group name SDM_TELNET01

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any sdm-cls-access

match class-map SDM_HTTPS

match class-map SDM_SSH

match class-map SDM_SHELL

match protocol ssh

match protocol telnet

match class-map SDM_TELNET0

match class-map SDM_AH

class-map type inspect match-any cctv

match protocol kerberos

match protocol user-cctudp

class-map type inspect match-any SDM_TELNET

match access-group name SDM_TELNET0

class-map type inspect match-any ccp-skinny-inspect

match protocol skinny

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_EIGRP

match access-group name SDM_EIGRP0

class-map type inspect match-any remotesl

match protocol ssh

match protocol telnet

match class-map SDM_AH

match class-map SDM_EIGRP

match class-map SDM_TELNET

match class-map SDM_SSH

match class-map SDM_SSLVPN

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_REMOTE_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

match protocol user-ezvpn-remote

class-map type inspect match-all SDM_EASY_VPN_REMOTE_PT

match class-map SDM_EASY_VPN_REMOTE_TRAFFIC

match access-group 102

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match protocol user-ctcp-ezvpnsvr

match class-map SDM_AH

match class-map SDM_ESP

match protocol user-ezvpn-remote

match protocol ssp

match protocol gdoi

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-any ccp-h225ras-inspect

match protocol h225ras

class-map type inspect match-all ccp-cls-ccp-inspect-1

match access-group name lan2vpn

class-map type inspect match-any cctv-both

match protocol user-cctudp

match protocol kerberos

class-map type inspect match-all sdm-access

match class-map sdm-cls-access

match access-group 101

class-map type inspect match-all ccp-cls-ccp-permit-1

match class-map remotesl

match access-group name stevelatimer

class-map type inspect match-any ccp-h323-inspect

match protocol h323

class-map type inspect match-all ccp-cls-ccp-policy-cctv-both-1

match access-group name vpn2lan

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-any ccp-sip-inspect

match protocol sip

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class type inspect ccp-h323-inspect

  inspect

class type inspect ccp-cls-ccp-inspect-1

  inspect

class type inspect ccp-h225ras-inspect

  inspect

class class-default

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect cctv

  pass log

class type inspect sdm-access

  pass

class type inspect ccp-cls-ccp-permit-1

  pass

class class-default

policy-map type inspect ccp-policy-cctv-both

class type inspect ccp-cls-ccp-policy-cctv-both-1

  inspect

class type inspect cctv-both

  inspect

class class-default

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-zone-in-zone source out-zone destination in-zone

service-policy type inspect ccp-policy-cctv-both

!

bridge irb

!

!

interface ATM0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

no atm ilmi-keepalive

dsl operating-mode auto

!

interface ATM0.1 point-to-point

description $ES_WAN$

no ip redirects

no ip unreachables

no ip proxy-arp

pvc 0/38

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface Virtual-Template5 type tunnel

ip unnumbered BVI1

ip virtual-reassembly

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface Dot11Radio0

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

!

encryption vlan 1 mode ciphers aes-ccm tkip

!

broadcast-key vlan 1 change 30

!

!

ssid Langden
 !
 mbssid
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Vlan2
 no ip address
 bridge-group 2
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname zen193420@zen
 ppp chap password 7 1511133C0A0D332C3F
 ppp pap sent-username zen193420@zen password 7 02051C6B052117295B
!
interface BVI1
 description $FW_INSIDE$
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
!
interface BVI2
 no ip address
!
ip local pool SDM_POOL_1 192.168.1.220 192.168.1.229
ip local pool SDM_POOL_2 192.168.2.10 192.168.2.30
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.1.72 88 interface Dialer0 88
ip nat inside source static udp 192.168.1.72 88 interface Dialer0 88
!
ip access-list extended SDM_AH
 remark CCP_ACL Category=1
 permit ahp any any
ip access-list extended SDM_EIGRP
 remark CCP_ACL Category=0
 permit eigrp any any
ip access-list extended SDM_EIGRP0
 remark CCP_ACL Category=0
 permit eigrp any any
ip access-list extended SDM_ESP
 remark CCP_ACL Category=1
 permit esp any any
ip access-list extended SDM_GRE
 remark CCP_ACL Category=0
 permit gre any any
ip access-list extended SDM_GRE0
 remark CCP_ACL Category=0
 permit gre any any
ip access-list extended SDM_HTTP
 remark CCP_ACL Category=0
 permit tcp any any eq telnet
ip access-list extended SDM_HTTP0
 remark CCP_ACL Category=0
 permit tcp any any eq telnet
ip access-list extended SDM_HTTPS
 remark CCP_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_IGMP
 remark CCP_ACL Category=0
 permit ip any any
ip access-list extended SDM_IP
 remark CCP_ACL Category=1
 permit ip any any
ip access-list extended SDM_IPINIP
 remark CCP_ACL Category=0
 permit ipinip any any
ip access-list extended SDM_IPINIP0
 remark CCP_ACL Category=0
 permit ipinip any any
ip access-list extended SDM_NOS
 remark CCP_ACL Category=0
 permit nos any any
ip access-list extended SDM_OSPF
 remark CCP_ACL Category=0
 permit ospf any any
ip access-list extended SDM_PCP
 remark CCP_ACL Category=0
 permit pcp any any
ip access-list extended SDM_PCP0
 remark CCP_ACL Category=0
 permit pcp any any
ip access-list extended SDM_PIM
 remark CCP_ACL Category=0
ip access-list extended SDM_PIM0
 remark CCP_ACL Category=0
ip access-list extended SDM_SHELL
 remark CCP_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark CCP_ACL Category=1
 permit tcp any any eq 22
ip access-list extended SDM_SSLVPN
 remark CCP_ACL Category=0
 permit tcp any any eq 4443
ip access-list extended SDM_SSLVPN0
 remark CCP_ACL Category=0
 permit tcp any any eq 4443
ip access-list extended SDM_TELNET
 remark CCP_ACL Category=0
 permit tcp any any
ip access-list extended SDM_TELNET0
 remark CCP_ACL Category=0
 permit tcp any any
ip access-list extended SDM_TELNET01
 remark CCP_ACL Category=0
 permit tcp any any
ip access-list extended lan2vpn
 remark CCP_ACL Category=128
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
ip access-list extended stevelatimer
 remark CCP_ACL Category=128
 permit ip host 212.159.12.62 any
ip access-list extended vpn2lan
 remark CCP_ACL Category=128
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 192.168.0.0 0.0.255.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 23 permit any
access-list 23 remark sl
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip host 212.159.12.62 any
access-list 102 remark CCP_ACL Category=128
access-list 102 permit ip host 82.69.105.59 any
dialer-list 1 protocol ip permit
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
The Device is the personal property of Chris Hitchens.
This is a private network, unauthorised access to this device
and network is strictly forbidden
-----------------------------------------------------------------------^C
!
line con 0
 exec-timeout 0 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 exec-timeout 0 0
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
end

If someone could have a look at my config it would be greatly appreciated and save my skin LOL

Thanks

Mike
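Separate from the VPN reachability problem, two things in the posted configuration are worth fixing while the router is being touched. First, access-list 23 ends in "permit any" and is applied as both the vty access-class and the HTTP access-class, the vty lines accept telnet as well as SSH, and exec-timeout is 0 0; unless a self-zone pair elsewhere in the full config blocks it, anyone who can reach the Dialer0 address on tcp/23 or tcp/80 can attempt local-AAA logins over cleartext with sessions that never expire. Second, the PPP CHAP and PAP strings are stored as type 7, which is reversible with freely available tools, so credentials that have been posted should be treated as disclosed and rotated with the ISP. The fragment below is an added example, not the poster's configuration; it assumes administrators connect from the LAN or through the Easy VPN pool (192.168.2.0/24, the SDM_POOL_2 range in the post) and uses a new list number, 24, so the vty lines are never pointed at a list that is being rebuilt.

```cisco
! As posted (weak): ACL 23 gates HTTP and the vty lines but ends in permit any,
! telnet is an accepted transport, and vty sessions never time out.
!   access-list 23 permit 192.168.0.0 0.0.255.255
!   access-list 23 permit 10.10.10.0 0.0.0.255
!   access-list 23 permit any
!   ip http server
!   ip http access-class 23
!   line vty 0 4
!    access-class 23 in
!    exec-timeout 0 0
!    transport input telnet ssh
!
! Tightened equivalent (added example). Build the new list first, then swap
! it in: an access-class that references a list with no entries permits all.
! Sources assumed: the LAN (BVI1) and the Easy VPN pool (SDM_POOL_2).
access-list 24 remark management sources: LAN and Easy VPN pool only
access-list 24 permit 192.168.1.0 0.0.0.255
access-list 24 permit 192.168.2.0 0.0.0.255
access-list 24 deny   any log
!
! Cleartext HTTP off. HTTPS stays for Cisco CP (the self-signed trustpoint
! already exists in this config) and is gated by the new list.
no ip http server
ip http secure-server
ip http access-class 24
!
line vty 0 4
 access-class 24 in
 exec-timeout 10 0
 transport input ssh
!
! ACL 23 can be removed once nothing else references it:
!   no access-list 23
!
! Type-7 strings ("ppp chap password 7 ...", "password 7 ...") are reversible.
! service password-encryption only hides them from casual view; after the
! credentials have been posted, change them with the ISP and re-enter them.
!
! Checks: "show access-lists 24" (hit counts on the deny line after a probe
! from an outside address), "show ip http server status" (HTTP disabled,
! HTTPS enabled), "show users" (no stale sessions once exec-timeout applies).
```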

Finally cracked it!

After changing the IP pool subnet and making sure NAT was configured correctly, I found that the virtual template interface was not attached to ezvpnzone on the firewall. As soon as this was updated, it worked immediately.

Thanks for all your help guys.
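The three changes the poster describes, written out as an added configuration example (this is not the poster's final configuration). The address pool moves off the LAN subnet, LAN-to-pool traffic is exempted from the Dialer0 PAT, and the Virtual-Template that Easy VPN clones its Virtual-Access interfaces from is placed in ezvpnzone with zone-pairs to and from in-zone. The zone name ezvpnzone, the pool ranges, and the ACLs lan2vpn and vpn2lan are taken from the post; the client group name, the Virtual-Template number, and the class-map and policy-map names are assumptions.

```cisco
! 1. Address pool off the LAN subnet.
!    SDM_POOL_1 (192.168.1.220-229) sits inside BVI1's 192.168.1.0/24. With
!    "no ip proxy-arp" on BVI1, LAN hosts ARP for a VPN client's address on
!    the wire, nothing answers, and replies never enter the tunnel.
!    Keep the 192.168.2.0/24 pool and point the client group at it
!    (group name EZVPN_GROUP is an assumption).
no ip local pool SDM_POOL_1
ip local pool SDM_POOL_2 192.168.2.10 192.168.2.30
crypto isakmp client configuration group EZVPN_GROUP
 pool SDM_POOL_2
!
! 2. NAT exemption. "ip nat inside source list 1" translates every 192.168.1.0/24
!    source that exits an "ip nat outside" interface. If LAN-to-pool traffic
!    leaves via Dialer0 (crypto map on Dialer0, or no route for the pool via
!    Virtual-Access), it is PAT'd to the Dialer0 address before encryption and
!    no longer matches the tunnel. The deny must precede the permit.
ip access-list extended NAT_INSIDE
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
route-map NAT_MAP permit 10
 match ip address NAT_INSIDE
no ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map NAT_MAP interface Dialer0 overload
!
! 3. Zone-based firewall. Virtual-Access interfaces take the zone of their
!    Virtual-Template. An interface in no zone cannot exchange traffic with an
!    interface in a zone, so without this the VPN traffic is dropped at in-zone.
!    The policies reuse the post's vpn2lan and lan2vpn ACLs; class and policy
!    names are assumptions.
zone security ezvpnzone
class-map type inspect match-all CM_VPN_TO_LAN
 match access-group name vpn2lan
class-map type inspect match-all CM_LAN_TO_VPN
 match access-group name lan2vpn
policy-map type inspect PM_VPN_TO_LAN
 class type inspect CM_VPN_TO_LAN
  inspect
 class class-default
  drop log
policy-map type inspect PM_LAN_TO_VPN
 class type inspect CM_LAN_TO_VPN
  inspect
 class class-default
  drop log
zone-pair security vpn-to-lan source ezvpnzone destination in-zone
 service-policy type inspect PM_VPN_TO_LAN
zone-pair security lan-to-vpn source in-zone destination ezvpnzone
 service-policy type inspect PM_LAN_TO_VPN
!
! Virtual-Template number is an assumption; its existing ip unnumbered,
! tunnel mode and tunnel protection lines stay as they are.
interface Virtual-Template1 type tunnel
 zone-member security ezvpnzone
!
! Checks after a client connects:
!   show zone-pair security                         both pairs present, policies attached
!   show policy-map type inspect zone-pair sessions  sessions opening in both directions
!   show ip route | include Virtual-Access           client's pool address routed via its VTI
!   show ip nat translations | include 192.168.2.    should be empty (exemption working)
!   show crypto session                              tunnel up for the client
```

The exemption in step 2 is harmless when the pool is already routed via the Virtual-Access interface, which is not "ip nat outside"; it matters whenever the return path to a client would otherwise hit Dialer0's PAT first.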
