Client VPN stopped working

Hello,

I'm new to this site. I'm posting again for help on this VPN. I've still been unable to access equipment inside this VPN.

We've had a client VPN that was working until recently. We did make some changes, including upgrading the firmware on our 871. We do not know what broke the VPN, and our support has transferred colleges.

I have some IP knowledge and some minor VPN experience.

The VPN still connects. I can ping and access the router, but we can no longer access our inside equipment.

When I connect to this VPN I get an IP of 192.168.2.246. I can ping 192.168.2.1 (VLAN 1 interface on the router). I cannot ping any other 192.168.2.x addresses. Traceroute shows that the ping does go across the VPN; however, the router is sending the traffic back out its public IP instead of to the inside device.

Looking for help, and I appreciate any assistance.

I've included our config.

The inside IPs we are trying to access through the VPN are in the 192.168.2.0/24 range.

------------------- begin config ---------------------

Main#sh run
Building configuration...

Current configuration : 8724 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Main
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local none
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTH local
aaa authorization network sdm_vpn_group_ml_1 local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1790949024
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1790949024
 revocation-check none
 rsakeypair TP-self-signed-1790949024
!
!
crypto pki certificate chain TP-self-signed-1790949024
 certificate self-signed 01
  quit
no ip source-route
!
!
ip dhcp excluded-address 192.168.2.1
ip dhcp excluded-address 192.168.2.240 192.168.2.249
ip dhcp excluded-address 192.168.2.212
ip dhcp excluded-address 192.168.2.200
!
ip dhcp pool dhcp-pool
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.1
   dns-server 8.8.8.8 8.8.4.4
   lease 0 2
!
!
ip cef
no ip bootp server
no ip domain lookup
ip domain name ourMFG
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW l2tp
!
no ipv6 cef
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group L2TP
! Default L2TP VPDN group
! Default PPTP VPDN group
 accept-dialin
  protocol any
  virtual-template 1
 no l2tp tunnel authentication
!
!
!
username
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
 lifetime 3600
!
crypto isakmp policy 2
 authentication pre-share
 lifetime 84600
crypto isakmp key *********** address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group ourvpn
 key ********
 pool L2TPVPN
 acl 150
 max-users 9
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group ourvpn
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 2
!
crypto ipsec security-association lifetime seconds 600
!
crypto ipsec transform-set testproposal esp-3des esp-md5-hmac
 mode transport
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map headofficeVPN_dynmap 1
 set transform-set testproposal
 qos pre-classify
!
!
crypto map headofficeVPN isakmp authorization list VPNAUTH
crypto map headofficeVPN client configuration address respond
crypto map headofficeVPN 65535 ipsec-isakmp dynamic headofficeVPN_dynmap
!
archive
 log config
  hidekeys
!
!
!
class-map match-any voice_traffic
 match  dscp ef
class-map match-any vpn_traffic
 match access-group name IKE
!
!
policy-map traffic
 class voice_traffic
  priority percent 66
 class vpn_traffic
  bandwidth percent 5
 class class-default
!
!
!
!
interface FastEthernet0
 service-policy output traffic
!
interface FastEthernet1
 service-policy output traffic
!
interface FastEthernet2
 service-policy output traffic
!
interface FastEthernet3
 service-policy output traffic
!
interface FastEthernet4
 description WAN
 ip address 208.104.168.71 255.255.255.0
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect SDM_LOW out
 ip virtual-reassembly
 speed 100
 full-duplex
 no cdp enable
 crypto map headofficeVPN
 service-policy output traffic
!
interface Virtual-Template1
 ip unnumbered Vlan1
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 peer default ip address pool L2TPVPN
 ppp authentication ms-chap-v2 ms-chap
!
interface Virtual-Template2 type tunnel
 ip unnumbered FastEthernet4
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
ip local pool L2TPVPN 192.168.2.240 192.168.2.249
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.104.168.1
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 175 interface FastEthernet4 overload
!
ip access-list extended IKE
 permit udp any eq isakmp any eq isakmp
!
access-list 23 permit 192.168.2.0 0.0.0.255
access-list 23 permit 192.168.5.0 0.0.0.255
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 102 remark auto generated by SDM firewall configuration
access-list 102 remark SDM_ACL Category=1
access-list 102 permit udp 208.104.244.44 0.0.0.1 eq domain any
access-list 102 permit udp 208.104.2.36 0.0.0.1 eq domain any
access-list 102 permit udp any any eq non500-isakmp
access-list 102 permit udp any any eq isakmp
access-list 102 permit esp any any
access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
access-list 102 permit ahp any any
access-list 102 permit udp any eq bootps any eq bootpc
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit tcp any any eq telnet
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip any any log
access-list 113 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 150 permit ip 192.168.2.0 0.0.0.255 any log
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
!
!
!
!
control-plane
!
line con 0
 exec-timeout 60 0
 logging synchronous
 no modem enable
line aux 0
line vty 0 4
 access-class 23 in
 privilege level 15
 logging synchronous
 transport input telnet ssh
!
scheduler max-task-time 5000
end

Main#exit
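As an added check (not part of the original post), the Python below parses the relevant stanzas of the posted config and tests for a known cause of exactly this symptom: Virtual-Template1 is ip unnumbered Vlan1 and hands out pool L2TPVPN (192.168.2.240-249) from inside the Vlan1 subnet, so LAN hosts ARP directly for a client's address and the router must answer on their behalf; with no ip proxy-arp on Vlan1 the router itself still replies to the client but other 192.168.2.x hosts cannot reach it. The config excerpt is constructed from the posted lines, and the interface and pool names are the post's own.

```python
import ipaddress
import re

# Constructed excerpt of the posted running-config: only the stanzas this check reads.
CONFIG = """\
interface Virtual-Template1
 ip unnumbered Vlan1
 peer default ip address pool L2TPVPN
!
interface Vlan1
 ip address 192.168.2.1 255.255.255.0
 no ip proxy-arp
!
ip local pool L2TPVPN 192.168.2.240 192.168.2.249
"""

def parse_interfaces(cfg):
    """Map each 'interface X' stanza to its stripped sub-command lines."""
    ifaces, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = []
        elif line.startswith("!"):
            current = None
        elif current is not None:
            ifaces[current].append(line.strip())
    return ifaces

def check_unnumbered_pool(cfg):
    """For each template that is 'ip unnumbered' to a LAN interface and assigns a
    local pool, report whether the pool lies inside that LAN subnet and whether the
    LAN interface has proxy ARP disabled; both together strand LAN hosts' replies."""
    ifaces = parse_interfaces(cfg)
    pools = {m[1]: (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
             for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", cfg, re.M)}
    findings = []
    for name, lines in ifaces.items():
        lan = next((l.split()[-1] for l in lines if l.startswith("ip unnumbered ")), None)
        pool = next((l.split()[-1] for l in lines if "default ip address pool" in l), None)
        if lan not in ifaces or pool not in pools:
            continue
        _, _, ip, mask = next(l for l in ifaces[lan] if l.startswith("ip address ")).split()
        subnet = ipaddress.ip_network(f"{ip}/{mask}", strict=False)   # e.g. 192.168.2.0/24
        in_subnet = all(addr in subnet for addr in pools[pool])
        proxy_arp_off = "no ip proxy-arp" in ifaces[lan]
        findings.append({"template": name, "lan": lan, "pool": pool,
                         "pool_in_lan_subnet": in_subnet, "lan_proxy_arp_disabled": proxy_arp_off,
                         "lan_hosts_can_reach_clients": not (in_subnet and proxy_arp_off)})
    return findings
```

Run it against the full posted config to confirm the finding, then re-run after changing the Vlan1 stanza to confirm the check clears.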
