CAN'T ACCESS LAN WITH EASY VPN CONFIGURATION

Yadhu Tony
Level 1

Hi,

I have configured an Easy VPN server on a Cisco 1905 ISR using CCP. The router was already configured with a zone-based firewall. With the help of the VPN client I can reach only up to the internal interface of the router but can't access the LAN of my company. Do I need to change any configuration in the ZBF, since it is configured as 'deny any' from outside to inside? If so, what protocols do I need to match? Also, is there any NAT exemption for the VPN clients? Please help me out!! Thanks in advance.

Please see my full configuration:

Router#sh run
Building configuration...

Current configuration : 8150 bytes
!
! Last configuration change at 05:40:32 UTC Wed Jul 4 2012 by
! NVRAM config last updated at 06:04:00 UTC Tue Jul 3 2012 by
! NVRAM config last updated at 06:04:00 UTC Tue Jul 3 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
ip name-server xxxxxxxxx
ip name-server yyyyyyyyy
!
multilink bundle-name authenticated
!

parameter-map type urlfpolicy local TSQ-URL-FILTER
alert off
block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
pattern facebook.com
pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
pattern youtube.com
pattern *.youtube.com

parameter-map type urlf-glob CRICKET
pattern espncricinfo.com
pattern *.espncricinfo.com

parameter-map type urlf-glob CRICKET1
pattern webcric.com
pattern *.webcric.com

parameter-map type urlf-glob YAHOO
pattern *.yahoo.com
pattern yahoo.com

parameter-map type urlf-glob PERMITTEDSITES
pattern *

parameter-map type urlf-glob HOTMAIL
pattern hotmail.com
pattern *.hotmail.com

crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2049533683
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2049533683
revocation-check none
rsakeypair TP-self-signed-2049533683
!
crypto pki trustpoint tti
revocation-check crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-4966226213
certificate self-signed 01
quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn xxxxxx
license boot module c1900 technology-package datak9
username xxxxxxx privilege 15 password 0 xxxxx
!
redundancy
!
!
!
!
!
class-map type inspect match-any tsq-inspection-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
match  server-domain urlf-glob FACEBOOK
match  server-domain urlf-glob YOUTUBE
match  server-domain urlf-glob CRICKET
match  server-domain urlf-glob CRICKET1
match  server-domain urlf-glob HOTMAIL
class-map type urlfilter match-any PERMITTEDSITES
match  server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
match class-map tsq-inspection-traffic
class-map type inspect match-all tsq-http
match protocol http
class-map type inspect match-any tsq-icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all tsq-invalid-src
match access-group 100
class-map type inspect match-all tsq-icmp-access
match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
  log
  reset
class type urlfilter PERMITTEDSITES
  allow
  log
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect tsq-icmp-access
  inspect
class class-default
  pass
policy-map type inspect IN-TO-OUT-POLICY
class type inspect tsq-invalid-src
  drop log
class type inspect tsq-http
  inspect
  service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect OUT-TO-IN-POLICY
class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
!
crypto ctcp port 10000
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
group 2
!
crypto isakmp client configuration group vpntunnel
key xxxxxxx
pool SDM_POOL_1
include-local-lan
max-users 10
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpntunnel
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set TSQ-TRANSFORM esp-des esp-md5-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set TSQ-TRANSFORM
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE-FW-INSIDE
ip address 172.17.0.71 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERNET-FW-OUTSIDE
ip address xxxxxx yyyyyyy
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 172.17.0.11 172.17.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 yyyyyyyyy
ip route 192.168.1.0 255.255.255.0 172.17.0.6
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip yyyyyy yyyyyy any
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input rlogin ssh
!
scheduler allocate 20000 1000
end

Regards,
Tony

http://yadhutony.blogspot.com
Accepted Solution

Jennifer Halim
Cisco Employee

A few things to modify:

1) IP Pool needs to be a unique subnet; it can't be the same subnet as your internal subnet.

2) Your NAT ACL 1 needs to be changed to an extended ACL so you can configure NAT exemption, so if your pool is reconfigured to be 10.10.10.0/24:

access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
ip nat inside source list 120 interface GigabitEthernet0/1 overload
no ip nat inside source list 1 interface GigabitEthernet0/1 overload

3) OUT to IN policy needs to include the VPN traffic:

access-list 121 permit ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255
class-map type inspect match-all vpn-access
 match access-group 121
policy-map type inspect OUT-TO-IN-POLICY
 class type inspect vpn-access
  inspect


Hi Jennifer,

Thank you for your reply. I will let you know once I am done with the configuration.

Regards,

Tony


Hi Jennifer,

I have followed your suggestion and made the appropriate changes in my router configuration, but I am still facing the same problem. The tunnel is up but I can't ping any LAN devices. Could you please verify my complete configuration and give me a solution?

Router#sh run
Building configuration...

Current configuration : 8254 bytes
!
! Last configuration change at 12:45:16 UTC Tue Jul 10 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip name-server xxxxx
ip name-server xxxxx
!
multilink bundle-name authenticated
!

parameter-map type urlfpolicy local TSQ-URL-FILTER
alert off
block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
pattern facebook.com
pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
pattern youtube.com
pattern *.youtube.com

parameter-map type urlf-glob CRICKET
pattern espncricinfo.com
pattern *.espncricinfo.com

parameter-map type urlf-glob CRICKET1
pattern webcric.com
pattern *.webcric.com

parameter-map type urlf-glob YAHOO
pattern *.yahoo.com
pattern yahoo.com

parameter-map type urlf-glob PERMITTEDSITES
pattern *

crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-2049683
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2049683
revocation-check none
rsakeypair TP-self-signed-2049683
!
crypto pki trustpoint tti
revocation-check crl
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
!
crypto pki certificate chain TP-self-signed-2049522683
certificate self-signed 01
        quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9
license boot module c1900 technology-package datak9
!
!
username xxxx privilege 15 password 0 xxx
username xxx privilege 10 password 0 xxxx
!
redundancy
!
!
!
!
!
class-map type inspect match-any tsq-inspection-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
match  server-domain urlf-glob FACEBOOK
match  server-domain urlf-glob YOUTUBE
match  server-domain urlf-glob CRICKET
match  server-domain urlf-glob CRICKET1
class-map type urlfilter match-any PERMITTEDSITES
match  server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
match class-map tsq-inspection-traffic
class-map type inspect match-all vpn-access
match access-group 121
class-map type inspect match-all tsq-http
match protocol http
class-map type inspect match-any tsq-icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all tsq-invalid-src
match access-group 100
class-map type inspect match-all tsq-icmp-access
match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
  log
  reset
class type urlfilter PERMITTEDSITES
  allow
  log
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect tsq-icmp-access
  inspect
class class-default
  pass
policy-map type inspect IN-TO-OUT-POLICY
class type inspect tsq-invalid-src
  drop log
class type inspect tsq-http
  inspect
  service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect OUT-TO-IN-POLICY
class type inspect vpn-access
  inspect
class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpntunnel
key xxxxxxxxxx
pool SDM_POOL_1
include-local-lan
max-users 20
netmask 255.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group vpntunnel
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE-FW-INSIDE
ip address 172.17.0.71 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERFACE-FW-OUTSIDE
ip address xxxxxxx yyyyyyy
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 yyyyyyyy
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxxxxx yyyyyy any
access-list 120 deny   ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input rlogin ssh
!
scheduler allocate 20000 1000
end

Please see the client statistics :


Regards,

Tony


Please add the following:

zone security VPN
interface Virtual-Template1 type tunnel
 zone-member security VPN
policy-map type inspect VPN-TO-IN-POLICY
 class type inspect vpn-access
  inspect
zone-pair security VPN-TO-IN source VPN destination INSIDE
 service-policy type inspect VPN-TO-IN-POLICY

Hello Jennifer,

Still the same problem persists. The tunnel is up and I can reach up to the LAN interface of my router. After that there is no reply! As you said, I have created the VPN zone and done the configuration. And one more thing: do I need to put any route for the VPN traffic? When I check ipconfig on the client machine, the IP address and default gateway seem to be the same. Expecting your continued support.

Please see the latest config:


Router#sh run
Building configuration...

Current configuration : 8514 bytes
!
! Last configuration change at 04:24:50 UTC Wed Jul 11 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
! NVRAM config last updated at 07:30:45 UTC Tue Jul 10 2012 by
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
no logging buffered
enable secret 5 xxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
!
no ipv6 cef
ip source-route
no ip gratuitous-arps
ip cef
!
!
!
!
!
ip name-server xxxxxxx
ip name-server xxxxxxx
!
multilink bundle-name authenticated
!

parameter-map type urlfpolicy local TSQ-URL-FILTER
alert off
block-page message "Blocked as per policy"
parameter-map type urlf-glob FACEBOOK
pattern facebook.com
pattern *.facebook.com

parameter-map type urlf-glob YOUTUBE
pattern youtube.com
pattern *.youtube.com

parameter-map type urlf-glob CRICKET
pattern espncricinfo.com
pattern *.espncricinfo.com

parameter-map type urlf-glob CRICKET1
pattern webcric.com
pattern *.webcric.com

parameter-map type urlf-glob YAHOO
pattern *.yahoo.com
pattern yahoo.com

parameter-map type urlf-glob PERMITTEDSITES
pattern *

        quit
crypto pki certificate chain tti
crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn
license boot module c1900 technology-package datak9
!
!
username xxxxxxxxxxx privilege 15 password 0 xxxxxxxxxxxxxx
username xxxxxxxxx privilege 10 password 0 xxxxxxxxx
!
redundancy
!
!
!
!
!
class-map type inspect match-any tsq-inspection-traffic
match protocol dns
match protocol ftp
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
match protocol l2tp
class-map type urlfilter match-any BLOCKEDSITES
match  server-domain urlf-glob FACEBOOK
match  server-domain urlf-glob YOUTUBE
match  server-domain urlf-glob CRICKET
match  server-domain urlf-glob CRICKET1
class-map type urlfilter match-any PERMITTEDSITES
match  server-domain urlf-glob PERMITTEDSITES
class-map type inspect match-all tsq-insp-traffic
match class-map tsq-inspection-traffic
class-map type inspect match-all vpn-access
match access-group 121
class-map type inspect match-all tsq-http
match protocol http
class-map type inspect match-any tsq-icmp
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all tsq-invalid-src
match access-group 100
class-map type inspect match-all tsq-icmp-access
match class-map tsq-icmp
!
!
policy-map type inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
  log
  reset
class type urlfilter PERMITTEDSITES
  allow
  log
policy-map type inspect SELF-TO-OUT-POLICY
class type inspect tsq-icmp-access
  inspect
class class-default
  pass
policy-map type inspect VPN-TO-IN-POLICY
class type inspect vpn-access
  inspect
class class-default
  drop
policy-map type inspect IN-TO-OUT-POLICY
class type inspect tsq-invalid-src
  drop log
class type inspect tsq-http
  inspect
  service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
  inspect
class class-default
  drop
policy-map type inspect OUT-TO-IN-POLICY
class type inspect vpn-access
  inspect
class class-default
  drop
!
zone security INSIDE
zone security OUTSIDE
zone security VPN
zone-pair security OUT-TO-IN source OUTSIDE destination INSIDE
service-policy type inspect OUT-TO-IN-POLICY
zone-pair security IN-TO-OUT source INSIDE destination OUTSIDE
service-policy type inspect IN-TO-OUT-POLICY
zone-pair security SELF-TO-OUT source self destination OUTSIDE
service-policy type inspect SELF-TO-OUT-POLICY
zone-pair security VPN-TO-IN source VPN destination INSIDE
service-policy type inspect VPN-TO-IN-POLICY
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpntunnel
key xxxxxxxxxxxxxxxx
pool SDM_POOL_1
include-local-lan
max-users 20
netmask 255.0.0.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group tsqvpntunnel
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
interface Embedded-Service-Engine0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
!
interface GigabitEthernet0/0
description LAN INTERFACE-FW-INSIDE
ip address 172.17.0.71 255.255.0.0
ip nat inside
ip virtual-reassembly in
zone-member security INSIDE
duplex auto
speed auto
!
interface GigabitEthernet0/1
description WAN-INTERNET-INTERFACE-FW-OUTSIDE
ip address xxxxxxx yyyyyyy
ip nat outside
ip virtual-reassembly in
zone-member security OUTSIDE
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
ip mask-reply
ip directed-broadcast
shutdown
no fair-queue
clock rate 2000000
!
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/0
zone-member security VPN
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
ip local pool SDM_POOL_1 10.0.0.1 10.0.0.20
ip forward-protocol nd
!
no ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 120 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 xxxxxxxxxxx {INTERNET ROUTE}
ip route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip xxxxxx xxxxxx any
access-list 120 deny   ip 172.17.0.0 0.0.255.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 172.17.0.0 0.0.255.255 any
access-list 121 permit ip 10.0.0.0 0.0.0.255 172.17.0.0 0.0.255.255
!
!
!
!
!
!
!
!
control-plane
!
!
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input rlogin ssh
!
scheduler allocate 20000 1000
end


Regards,
Tony

http://yadhutony.blogspot.com

No, you don't have to add any route.

If you remove all the zones from the interfaces (for testing purposes only), does the VPN work?

Just wanted to see where exactly the problem is, and the easiest is to rule out the ZBFW first.

Hello Jennifer,

The moment I disabled the ZBF the VPN started working, i.e. I can enter the LAN of my company. But since we need the ZBF I enabled it again, and I tried removing the VPN zone and adding the Virtual-Template interface to the INSIDE zone like:

interface Virtual-Template1 type tunnel
 zone-member security INSIDE

and I am very happy to say that it worked out, i.e. I can access the LAN of my company.

Please see the zones :

Router#sh zone security
zone self
Description: System defined zone


zone INSIDE
Member Interfaces:
GigabitEthernet0/0
Virtual-Template1


zone OUTSIDE
Member Interfaces:
GigabitEthernet0/1

Thank you very much for your help Jennifer.

Best Regards,

Tony


Thanks for the update.

It's strange that when you changed it back to inside it works, as we did originally have the "inside" zone for the virtual template.

Maybe removing and reapplying makes the difference.
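As an added illustration (not part of the thread, and a simplified model rather than IOS itself), the Python below encodes the three checks Jennifer's replies turn on, using the addresses from the configs above: the pool/LAN overlap, the NAT-exemption lookup against ACL 120, and the zone-based firewall decision for decrypted client packets, which enter on Virtual-Template1 rather than on GigabitEthernet0/1. All function names are my own; the zone of the virtual template is the one input that changes between Tony's three attempts.

```python
# Constructed model of the ZBF and NAT decisions discussed in this thread.
# It is not IOS code; it encodes the rules the answers rely on.
from ipaddress import ip_address, ip_network

LAN = ip_network("172.17.0.0/16")
POOL_ORIGINAL = ("172.17.0.11", "172.17.0.20")   # SDM_POOL_1 in the first config
POOL_FIXED = ("10.0.0.1", "10.0.0.20")           # SDM_POOL_1 after the change

# ACL entries as (action, source, destination); IOS wildcard masks written as prefixes.
ACL_120 = [("deny", "172.17.0.0/16", "10.0.0.0/24"),      # NAT exemption for VPN clients
           ("permit", "172.17.0.0/16", "0.0.0.0/0")]
ACL_121 = [("permit", "10.0.0.0/24", "172.17.0.0/16")]    # VPN client -> LAN


def pool_overlaps_lan(pool, lan=LAN):
    """Point 1: the client pool must not be carved out of the internal subnet."""
    first, last = (ip_address(a) for a in pool)
    return first in lan or last in lan


def acl_lookup(acl, src, dst):
    """First matching entry wins, followed by the implicit deny IOS appends."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in ip_network(src_net) and d in ip_network(dst_net):
            return action
    return "deny"


def nat_translates(src, dst):
    """Point 2: 'ip nat inside source list 120 ... overload' translates only what
    ACL 120 permits, so the deny entry exempts LAN -> client traffic from PAT."""
    return acl_lookup(ACL_120, src, dst) == "permit"


def zones(vti_zone):
    """Interface -> zone map; Virtual-Template1 has no zone in the first two configs."""
    return {"GigabitEthernet0/0": "INSIDE", "GigabitEthernet0/1": "OUTSIDE",
            "Virtual-Template1": vti_zone}


# zone-pair -> ordered classes (name, matching ACL or None for class-default, action)
ZONE_PAIRS = {
    ("OUTSIDE", "INSIDE"): [("vpn-access", ACL_121, "inspect"), ("class-default", None, "drop")],
    ("VPN", "INSIDE"):     [("vpn-access", ACL_121, "inspect"), ("class-default", None, "drop")],
}


def zbf_verdict(zone_of, in_if, out_if, src, dst, pairs=ZONE_PAIRS):
    """Point 3 and the follow-ups: what the ZBF does with a decrypted client packet.
    IOS rules modelled: same zone passes, zoned<->unzoned drops, otherwise the
    zone-pair policy decides and a missing zone-pair drops."""
    src_zone, dst_zone = zone_of[in_if], zone_of[out_if]
    if src_zone == dst_zone:
        return "pass"                     # same zone (or both unzoned): no policy applied
    if src_zone is None or dst_zone is None:
        return "drop"                     # one side zoned, the other not
    for _name, acl, action in pairs.get((src_zone, dst_zone), []):
        if acl is None or acl_lookup(acl, src, dst) == "permit":
            return action
    return "drop"                         # no zone-pair configured for this direction


if __name__ == "__main__":
    client, server = "10.0.0.5", "172.17.0.50"          # constructed sample addresses
    print("original pool overlaps LAN:", pool_overlaps_lan(POOL_ORIGINAL))
    print("LAN -> client gets PAT:", nat_translates(server, client))
    # Decrypted packets arrive on Virtual-Template1, not GigabitEthernet0/1, so the
    # OUT-TO-IN class never sees them; the virtual template's own zone decides.
    for vti_zone in (None, "VPN", "INSIDE"):
        verdict = zbf_verdict(zones(vti_zone), "Virtual-Template1",
                              "GigabitEthernet0/0", client, server)
        print(f"Virtual-Template1 zone={vti_zone!s:7} -> {verdict}")
```

The VPN-zone case comes out as "inspect", which is what that configuration is meant to do; the thread records that it nevertheless did not work for Tony, and the model cannot explain that, only what each configuration intends.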