Cisco Support Community

Cisco 877 DMVPN and easyVPN

Hey Guys

I'm having some problems getting EasyVPN to work through the CLI on an 877. I can get the VPN to establish the connection from the VPN client on an XP machine, but I can't access any local resources, and then after about 1 minute or so it drops out.

Any help is appreciated

Here is my conf

!This is the running config of the router: 10.0.1.1
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname advancecisco
!
boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-24.T2.bin
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 52000
enable secret 5
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network advancevpn local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-142142351
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-142142351
revocation-check none
rsakeypair TP-self-signed-142142351
!
!
crypto pki certificate chain TP-self-signed-142142351
certificate self-signed 01
CERTHERE
   quit
dot11 syslog
no ip source-route
!
!
!
!
ip cef
no ip bootp server
ip domain name
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip port-map user-easyvpn port tcp 10000 description easyvpn
ip port-map user-RDP port tcp 3389 description RDP
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5
username test secret 5
crypto keyring dmvpnspokes
  pre-shared-key address 0.0.0.0 0.0.0.0 key apresharekey
!
crypto isakmp policy 10
hash md5
authentication pre-share
!
crypto isakmp policy 20
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group advancevpn
key anotherkey
dns 10.0.1.7
domain domain name
pool dynpool
acl 114
include-local-lan
netmask 255.255.255.0
crypto isakmp profile VPNclient
   match identity group advancevpn
   client authentication list userauthen
   isakmp authorization list advancevpn
   client configuration address respond
crypto isakmp profile DMVPN
   keyring dmvpnspokes
   match identity address 0.0.0.0
!
!
crypto ipsec transform-set strong esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile cisco
set security-association lifetime seconds 120
set transform-set strong
set isakmp-profile DMVPN
!
!
crypto dynamic-map dynmap 10
set transform-set strong
set isakmp-profile VPNclient
reverse-route
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
crypto map ipsec-maps client authentication list userauthen
crypto map ipsec-maps isakmp authorization list groupauthor
crypto map ipsec-maps client configuration address respond
!
crypto ctcp
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
!
class-map type inspect match-all sdm-nat-syslog-1
match access-group 111
match protocol syslog
class-map type inspect match-all sdm-nat-http-4
match access-group 112
match protocol http
class-map type inspect match-all sdm-nat-http-1
match access-group 103
match protocol http
class-map type inspect match-all sdm-nat-http-2
match access-group 106
match protocol http
class-map type inspect match-any RDP
match protocol user-RDP
class-map type inspect match-all sdm-cls-sdm-pol-NATOutsideToInside-1-1
match class-map RDP
match access-group name ConnectwiseRDP
class-map type inspect match-all sdm-nat-http-3
match access-group 109
match protocol http
class-map type inspect match-all sdm-nat-smtp-1
match access-group 108
match protocol smtp
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM-Voice-permit
match protocol h323
match protocol skinny
match protocol sip
class-map type inspect match-any SDM_IP
match access-group name SDM_IP
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
match class-map SDM_EASY_VPN_SERVER_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-invalid-src
match access-group 102
class-map type inspect match-all sdm-protocol-http
match protocol http
class-map type inspect match-all sdm-nat-https-2
match access-group 110
match protocol https
class-map type inspect match-all sdm-nat-https-1
match access-group 104
match protocol https
class-map type inspect match-all sdm-nat-ftp-1
match access-group 107
match protocol ftp
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-NATOutsideToInside-1
class type inspect sdm-nat-http-1
  inspect
class type inspect sdm-cls-sdm-pol-NATOutsideToInside-1-1
  inspect
class type inspect sdm-nat-https-1
  inspect
class type inspect sdm-nat-http-2
  inspect
class type inspect sdm-nat-ftp-1
  inspect
class type inspect sdm-nat-smtp-1
  inspect
class type inspect sdm-nat-http-3
  inspect
class type inspect sdm-nat-https-2
  inspect
class type inspect sdm-nat-syslog-1
  inspect
class type inspect sdm-nat-http-4
  inspect
class class-default
  drop
policy-map type inspect sdm-inspect
class type inspect sdm-invalid-src
  drop log
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect SDM-Voice-permit
  inspect
class class-default
  pass
policy-map type inspect sdm-permit
class type inspect SDM_EASY_VPN_SERVER_PT
  pass
class class-default
  drop
policy-map type inspect sdm-permit-ip
class type inspect SDM_IP
  pass
class class-default
  drop log
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-NATOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-NATOutsideToInside-1
zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
service-policy type inspect sdm-permit-ip
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
!
!
!
interface Tunnel0
ip address 10.0.58.1 255.255.255.0
no ip redirects
ip mtu 1440
ip nhrp authentication abcRp:
ip nhrp map multicast dynamic
ip nhrp network-id 1
ip nhrp holdtime 300
tunnel source Vlan1
tunnel mode gre multipoint
tunnel key 0
tunnel protection ipsec profile cisco
!
interface Null0
no ip unreachables
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no atm ilmi-keepalive
!
interface ATM0.2 point-to-point
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
pvc 8/35
  pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
ip address 10.0.1.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1412
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname username
ppp chap password blahaj
crypto map dynmap
!
ip local pool dynpool 10.0.56.1 10.0.56.100
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip route 10.1.1.0 255.255.255.0 10.0.1.17 permanent
ip route 10.1.10.0 255.255.255.0 10.0.1.17 permanent
ip http server
ip http access-class 3
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map notvpn interface Dialer1 overload
ip nat inside source static tcp 10.0.1.6 80 EXTIP 80 extendable
ip nat inside source static tcp 10.0.1.6 443 EXTIP 443 extendable
ip nat inside source static tcp 10.0.0.3 80 EXTIP 80 extendable
ip nat inside source static tcp 10.0.1.4 21 EXTIP 21 extendable
ip nat inside source static tcp 10.0.1.25 25 EXTIP 25 extendable
ip nat inside source static tcp 10.0.1.64 80 EXTIP 80 extendable
ip nat inside source static tcp 10.0.1.7 443 EXTIP 443 extendable
ip nat inside source static udp 10.0.1.25 514 EXTIP 514 extendable
ip nat inside source static tcp 10.0.1.6 3389 EXTIP 3389 extendable
ip nat inside source static tcp 10.0.1.16 80 EXTIP 8082 extendable
!
ip access-list extended ConnectwiseRDP
remark SDM_ACL Category=128
permit ip host 205.232.23.50 host 10.0.1.6
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_IP
remark SDM_ACL Category=1
permit ip any any
!
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.1.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 10.0.1.0 0.0.0.255
access-list 2 deny   any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 10.0.1.0 0.0.0.255
access-list 3 deny   any
access-list 100 remark VTY Access-class list
access-list 100 remark SDM_ACL Category=1
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
access-list 100 deny   ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 permit ip 10.0.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 255.255.255.255 any
access-list 102 permit ip 127.0.0.0 0.255.255.255 any
access-list 103 remark SDM_ACL Category=0
access-list 103 permit ip any host 10.0.1.6
access-list 104 remark SDM_ACL Category=0
access-list 104 permit ip any host 10.0.1.6
access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 10.0.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.1.0 0.0.0.255 any
access-list 105 permit ip 10.1.10.0 0.0.0.255 any
access-list 106 remark SDM_ACL Category=0
access-list 106 permit ip any host 10.0.0.3
access-list 107 remark SDM_ACL Category=0
access-list 107 permit ip any host 10.0.1.4
access-list 108 remark SDM_ACL Category=0
access-list 108 permit ip any host 10.0.1.25
access-list 109 remark SDM_ACL Category=0
access-list 109 permit ip any host 10.0.1.64
access-list 110 remark SDM_ACL Category=0
access-list 110 permit ip any host 10.0.1.7
access-list 111 remark SDM_ACL Category=0
access-list 111 permit ip any host 10.0.1.25
access-list 112 remark SDM_ACL Category=0
access-list 112 permit ip any host 10.0.1.16
access-list 113 remark SDM_ACL Category=4
access-list 113 permit ip 10.0.1.0 0.0.0.255 any
access-list 114 permit ip 10.0.1.0 0.0.0.255 10.0.56.0 0.0.0.255
access-list 114 permit ip 10.0.1.0 0.0.0.255 any
access-list 114 permit ip 10.0.56.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 115 deny   ip 10.0.1.0 0.0.0.255 10.0.56.0 0.0.0.255
access-list 115 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
!
route-map notvpn permit 1
match ip address 115
!
!
control-plane
!
banner login ^CYour Session Had Been Logged.
^C
!
line con 0
login authentication local_authen
no modem enable
transport output telnet
line aux 0
login authentication local_authen
transport output telnet
line vty 0 4
access-class 100 in
privilege level 15
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

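Two things a reviewer would check first in a config like the one posted can be checked mechanically: which interfaces carry traffic but sit in no zone-based-firewall zone (IOS drops traffic between a zoned and an unzoned interface, the self zone aside), and which AAA method lists are referenced on lines, crypto maps or ISAKMP profiles without ever being defined with an "aaa ..." command. The Python script below is an added example written for this page; it is not Cisco code and not the poster's. The embedded excerpt is constructed from the posted running-config with its indentation restored, and the parser assumes that a block ends at "!", "end" or the next "interface", "line" or "crypto isakmp profile" header, which is a simplification of real IOS output.

```python
"""Audit a Cisco IOS running-config for two defects a reviewer would look for in
the posted EasyVPN/DMVPN config: traffic-carrying interfaces outside every
zone-based-firewall zone, and AAA method lists referenced but never defined.
Example code written for this page; not a Cisco tool or the poster's own."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the posted running-config, indentation restored.
SAMPLE_CONFIG = """\
aaa authentication login userauthen local
aaa authorization network advancevpn local
!
crypto map ipsec-maps client authentication list userauthen
crypto map ipsec-maps isakmp authorization list groupauthor
!
zone security ezvpn-zone
zone security out-zone
zone security in-zone
!
interface Tunnel0
 ip address 10.0.58.1 255.255.255.0
 tunnel protection ipsec profile cisco
!
interface Vlan1
 ip address 10.0.1.1 255.255.255.0
 zone-member security in-zone
!
interface Dialer1
 ip address negotiated
 zone-member security out-zone
 crypto map dynmap
!
line con 0
 login authentication local_authen
line vty 0 4
 authorization exec local_author
 login authentication local_authen
end
"""

# Assumption: a block opened by one of these headers ends at '!', 'end' or the
# next header.  Leading whitespace is ignored because pasted configs (like the
# one on this page) often lose their indentation.
BLOCK_HEADERS = ("interface ", "line ", "crypto isakmp profile ")


def parse_blocks(config: str) -> List[Tuple[str, List[str]]]:
    """Split the config into (header, sub-commands) pairs."""
    blocks, current = [], None
    for line in (raw.strip() for raw in config.splitlines()):
        is_header = line.startswith(BLOCK_HEADERS)
        if is_header or line in ("!", "end"):
            if current is not None:
                blocks.append(current)
            current = (line, []) if is_header else None
        elif line and current is not None:
            current[1].append(line)
    return blocks


def zone_gaps(config: str) -> Dict[str, List[str]]:
    """Zones with no member interface, plus interfaces that route, encrypt or
    tunnel traffic while belonging to no zone.  In IOS zone-based firewall,
    traffic between a zoned and an unzoned interface is dropped (self zone apart)."""
    zones = set(re.findall(r"^zone security (\S+)", config, re.M))
    populated, unzoned = set(), []
    for header, body in parse_blocks(config):
        if not header.startswith("interface "):
            continue
        zone = next((l.split()[-1] for l in body if l.startswith("zone-member security ")), None)
        active = any(l.startswith(("ip address ", "crypto map ", "tunnel protection ")) for l in body)
        if zone:
            populated.add(zone)
        elif active:
            unzoned.append(header.split(None, 1)[1])
    return {"unzoned_interfaces": unzoned, "empty_zones": sorted(zones - populated)}


# Where a method list is defined ('aaa ...') versus the commands that consume one.
DEFINED_RE = re.compile(r"^aaa (authentication login|authorization network|authorization exec) (\S+)", re.M)
USE_RE = re.compile(r"(login authentication|client authentication list|isakmp authorization list|authorization exec) (\S+)")
USE_KIND = {"login authentication": "authentication login",
            "client authentication list": "authentication login",
            "isakmp authorization list": "authorization network",
            "authorization exec": "authorization exec"}


def dangling_aaa_lists(config: str) -> List[Tuple[str, str, str]]:
    """(list kind, list name, offending line) for each reference to an undefined list."""
    defined = set(DEFINED_RE.findall(config))
    findings = []
    for line in (raw.strip() for raw in config.splitlines()):
        m = USE_RE.search(line)
        if line.startswith("aaa ") or not m:
            continue
        kind, name = USE_KIND[m.group(1)], m.group(2)
        if (kind, name) not in defined:
            findings.append((kind, name, line))
    return findings


if __name__ == "__main__":
    for finding in dangling_aaa_lists(SAMPLE_CONFIG):
        print("undefined %s list %r in: %s" % finding)
    print(zone_gaps(SAMPLE_CONFIG))
```

Run against the excerpt, the script reports Tunnel0 as an active interface in no zone and ezvpn-zone as a zone with no members, and it flags local_authen, local_author and groupauthor as method lists that are used but never defined (only userauthen and advancevpn are). The script does not inspect the ISAKMP policies; as a separate caveat, policy 10 in the posted config sets only "hash md5" and "authentication pre-share", so its encryption and Diffie-Hellman group are left at the IOS defaults of DES and group 1.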