Easy VPN Question

Hi all,

I have a question about setting up an Easy VPN server on my 3725 router running IOS c3725-adventerprisek9-mz.124-25.bin

Currently I have this router set up as my home router/lab router for learning purposes. Connection-wise, I have my home subnet, 10.0.0.0/24, NAT overloaded to my static public IP xx.xx.xx.xx, and all routing is done by one static route to my ISP.

After I use CCP's Easy VPN wizard to deliver the commands to my router, no computers on my LAN can access the Internet any longer.

My question is, is this by design? Is there a way I can configure my router to route my LAN traffic to the Internet and act as an Easy VPN server?

I've included my configs before and after the Easy VPN change, as well as a list of the commands CCP wants to deliver to the router.

My existing configuration before I make the VPN change:

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

logging userinfo

no logging buffered

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization exec default local

!        

aaa session-id common

clock timezone GMT 0

clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00

ip cef   

!        

!        

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.0.2 10.0.0.23

ip dhcp excluded-address 10.0.0.100

ip dhcp excluded-address 10.0.0.1

ip dhcp excluded-address 10.0.0.42

ip dhcp excluded-address 10.0.0.56

ip dhcp excluded-address 10.0.0.50

ip dhcp excluded-address 10.0.0.254

ip dhcp excluded-address 10.0.0.86

ip dhcp excluded-address 10.0.0.253

!        

ip dhcp pool LAN_Pool

   network 10.0.0.0 255.255.255.0

   default-router 10.0.0.1

   dns-server xx.xx.xx.xx xx.xx.xx.xx

   lease infinite

!        

!        

ip domain name xxxxxxxx.com

ip name-server xx.xx.xx.xx

ip name-server xx.xx.xx.xx

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip ips sdf location flash://attack-drop.sdf

ip ips notify SDEE

ip ips name sdm_ips_rule

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

crypto pki trustpoint TP-self-signed-2670148948

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2670148948

revocation-check none

rsakeypair TP-self-signed-2670148948

!        

!        

crypto pki certificate chain TP-self-signed-2670148948

certificate self-signed 01

<Certificate omitted>

<user info omitted>

!        

!        

ip ssh maxstartups 2

ip ssh logging events

ip ssh version 2

!        

!        

!        

!        

!               

interface Loopback1

description $FW_INSIDE$

ip address 1.1.1.1 255.255.255.0

ip virtual-reassembly

!        

interface FastEthernet0/0

description EXTERNAL CONNECTION TO ISP$ETH-WAN$$FW_OUTSIDE$

bandwidth 100000

ip address xx.xx.xx.xx xx.xx.xx.xx

ip broadcast-address xx.xx.xx.xx

ip verify unicast reverse-path

ip nat outside

ip ips sdm_ips_rule in

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no cdp enable

!        

interface Serial0/0

no ip address

shutdown

!        

interface FastEthernet0/1

description INTERNAL CONNECTION TO LAN$ETH-LAN$$FW_INSIDE$

bandwidth 100000

ip address 10.0.0.1 255.255.255.0

ip broadcast-address 10.0.0.255

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

!

interface Serial0/1

no ip address

shutdown

clock rate 125000

!        

interface Serial0/2

no ip address

shutdown

clock rate 125000

!        

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx

!        

ip flow-export version 5

ip flow-export destination 10.0.0.25 9996

ip flow-top-talkers

top 50  

sort-by packets

cache-timeout 30000

!        

no ip http server

ip http authentication local

no ip http secure-server

ip http max-connections 2

ip http timeout-policy idle 300 life 300 requests 30

ip nat pool R1_Pool xx.xx.xx.xx xx.xx.xx.xx netmask xx.xx.xx.xx

ip nat inside source list 1 pool R1_Pool overload

ip nat inside source static tcp 10.0.0.3 21 xx.xx.xx.xx 21 extendable

ip nat inside source static tcp 10.0.0.7 22 xx.xx.xx.xx 22 extendable

ip nat inside source static tcp 10.0.0.11 25 xx.xx.xx.xx 25 extendable

ip nat inside source static tcp 10.0.0.3 80 xx.xx.xx.xx 80 extendable

ip nat inside source static tcp 10.0.0.56 88 xx.xx.xx.xx 88 extendable

ip nat inside source static udp 10.0.0.56 88 xx.xx.xx.xx 88 extendable

ip nat inside source static tcp 10.0.0.11 110 xx.xx.xx.xx 110 extendable

ip nat inside source static tcp 10.0.0.11 143 xx.xx.xx.xx 143 extendable

ip nat inside source static tcp 10.0.0.3 443 xx.xx.xx.xx 443 extendable

ip nat inside source static tcp 10.0.0.20 1024 xx.xx.xx.xx 1024 extendable

ip nat inside source static tcp 10.0.0.21 1100 xx.xx.xx.xx 1100 extendable

ip nat inside source static tcp 10.0.0.23 1105 xx.xx.xx.xx 1105 extendable

ip nat inside source static tcp 10.0.0.22 1110 xx.xx.xx.xx 1110 extendable

ip nat inside source static tcp 10.0.0.26 1115 xx.xx.xx.xx 1115 extendable

ip nat inside source static tcp 10.0.0.8 1723 xx.xx.xx.xx 1723 extendable

ip nat inside source static udp 10.0.0.86 1900 xx.xx.xx.xx 1900 extendable

ip nat inside source static tcp 10.0.0.1 22 xx.xx.xx.xx 2222 extendable

ip nat inside source static tcp 10.0.0.86 2869 xx.xx.xx.xx 2869 extendable

ip nat inside source static tcp 10.0.0.56 3074 xx.xx.xx.xx 3074 extendable

ip nat inside source static udp 10.0.0.56 3074 xx.xx.xx.xx 3074 extendable

ip nat inside source static tcp 10.0.0.10 5090 xx.xx.xx.xx 5090 extendable

ip nat inside source static tcp 10.0.0.3 8080 xx.xx.xx.xx 8080 extendable

!

logging history debugging

logging trap debugging

logging facility syslog

logging host xx.xx.xx.xx transport udp port 61325

access-list 1 permit 10.0.0.0 0.0.0.255

!        

menu R1 title ^CMenu                   

Cisco 3725 ^C

menu R1 prompt ^C Please Make A Selection ^C

menu R1 text 1 Restart Router

menu R1 command 1 reload

menu R1 text 2 Ping Google [Layer 3/4]

menu R1 command 2 ping google.com

menu R1 text 3 Ping ISP [Layer 3]

menu R1 command 3 ping xx.xx.xx.xx

menu R1 text 4 Active NAT Translations [Layer 3]

menu R1 command 4 sh ip nat trans

menu R1 text 5 Clear Current NAT Translations [Layer 3]

menu R1 command 5 clear ip nat trans *

menu R1 text 6 Fan Status [Layer 1]

menu R1 command 6 sh env

menu R1 text 7 Show Interface Status [Layer 1/2]

menu R1 command 7 sh ip int bri

menu R1 text 8 Neighbors [Layer 2]

menu R1 command 8 sh cdp ne

menu R1 text 9 Show NetFlow Stats [Layer 3]

menu R1 command 9 sh ip cache flow

menu R1 text 10 Show Top Talkers [Layer 3]

menu R1 command 10 sh ip flow top-talkers

menu R1 text 11 Exit

menu R1 command 11 menu-exit

menu R1 status-line

menu R1 line-mode

!        

!        

!        

control-plane

!        

!        

!        

!        

!        

!        

!        

!        

!

!

privilege exec level 2 traceroute

privilege exec level 2 ping

privilege exec level 2 reload

privilege exec level 2 show version

privilege exec level 2 show

!        

line con 0

line aux 0

line vty 0 4

privilege level 15

transport input ssh

transport output ssh

line vty 5 903

privilege level 15

transport input ssh

transport output ssh

!        

ntp logging

ntp clock-period 17180565

ntp server xx.xx.xx.xx

!        

end

Here's what CCP wants to deliver to my router after the wizard configuration:

IKE Policies:

___________________________________________________

Hash          DH Group                    Authentication          Encryption

-----------------------------------------------------------------------------------------

SHA_1          group2                              PRE_SHARE          3DES

-----------------------------------------------------------------------------------------

Transform Set:

Name: ESP-3DES-SHA

ESP Encryption: ESP_3DES

ESP Integrity: ESP_SHA_HMAC

Mode: TUNNEL

Group Policy Lookup Method List                    : Local

User Authentication Method List                    : Local

Idle Timer                                        : 00:15:00 (HH:MM:SS)

Number of Group Policies                              : 1

--------------------------------------------------------------------------

Group Policy Name          : RemoteUsers

--------------------------------------------------------------------------

Key                              : *******

Pool                              : SDM_POOL_1

DNS Servers                    : <NONE>

Domain Name                    : <NONE>

WINS Servers                    : <NONE>

Split ACL                    : <NONE>

Split DNS                    : <NONE>

Group Lock                    : Disabled

Save password                    : Enabled

Firewall Are-U-There          : Disabled

Include-local-lan                    : Disabled

Subnet Mask                    : 255.255.255.0

Backup Servers                    : <NONE>

Maximum connections          : 5

PFS                              : Disabled

Maximum logins per user          : 1

Auto Update                    : Not Configured

--------------------------------------------------------------------------


My Config after the Easy VPN change:

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

service password-encryption

!

hostname R1

!

boot-start-marker

boot-end-marker

!

logging userinfo

no logging buffered

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

!

aaa session-id common

clock timezone GMT 0

clock summer-time GMT recurring last Sun Mar 1:00 last Sun Oct 2:00

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.0.0.2 10.0.0.23

ip dhcp excluded-address 10.0.0.100

ip dhcp excluded-address 10.0.0.1

ip dhcp excluded-address 10.0.0.42

ip dhcp excluded-address 10.0.0.56

ip dhcp excluded-address 10.0.0.50

ip dhcp excluded-address 10.0.0.254

ip dhcp excluded-address 10.0.0.86

ip dhcp excluded-address 10.0.0.253

!

ip dhcp pool LAN_Pool

   network 10.0.0.0 255.255.255.0

   default-router 10.0.0.1

   dns-server 67.210.150.21 208.95.18.150

   lease infinite

!

!

ip domain name morphius.com

ip name-server xx.xx.xx.xx

ip name-server xx.xx.xx.xx

ip auth-proxy max-nodata-conns 3

ip admission max-nodata-conns 3

ip ips sdf location flash://attack-drop.sdf

ip ips notify SDEE

ip ips name sdm_ips_rule

!        

!        

!        

!        

!        

!        

!

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

!        

crypto pki trustpoint TP-self-signed-2670148948

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2670148948

revocation-check none

rsakeypair TP-self-signed-2670148948

!        

!        

<Certificate omitted>

<user info omitted>

!        

!        

ip ssh maxstartups 2

ip ssh logging events

ip ssh version 2

!        

!        

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2 

!        

crypto isakmp client configuration group RemoteUsers

key xxxxxxxx

pool SDM_POOL_1

max-users 2

netmask 255.255.255.0

!        

!        

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!        

crypto dynamic-map SDM_DYNMAP_1 1

set security-association idle-time 900

set transform-set ESP-3DES-SHA

reverse-route

!        

!        

crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!        

!        

!        

!        

interface Loopback1

description $FW_INSIDE$

ip address 1.1.1.1 255.255.255.0

ip virtual-reassembly

!        

interface FastEthernet0/0

description EXTERNAL CONNECTION TO ISP$ETH-WAN$$FW_OUTSIDE$

bandwidth 100000

ip address xx.xx.xx.xx xx.xx.xx.xx

ip broadcast-address xx.xx.xx.xx

ip verify unicast reverse-path

ip flow ingress

ip flow egress

ip nat outside

ip ips sdm_ips_rule in

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

no cdp enable

crypto map SDM_CMAP_1

!        

interface Serial0/0

no ip address

shutdown

!        

interface FastEthernet0/1

description INTERNAL CONNECTION TO LAN$ETH-LAN$$FW_INSIDE$

bandwidth 100000

ip address 10.0.0.1 255.255.255.0

ip broadcast-address 10.0.0.255

ip flow ingress

ip flow egress

ip nat inside

ip virtual-reassembly

ip route-cache flow

duplex auto

speed auto

!        

interface Serial0/1

no ip address

shutdown

clock rate 125000

!        

interface Serial0/2

no ip address

shutdown

clock rate 125000

!        

ip local pool SDM_POOL_1 10.0.0.70 10.0.0.80

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx

!        

ip flow-export version 5

ip flow-export destination 10.0.0.25 9996

ip flow-top-talkers

top 50  

sort-by packets

cache-timeout 30000

!        

ip http server

ip http authentication local

ip http secure-server

ip http max-connections 2

ip http timeout-policy idle 300 life 300 requests 30

ip nat pool R1_Pool xx.xx.xx.xx xx.xx.xx.xx netmask xx.xx.xx.xx

ip nat inside source route-map SDM_RMAP_1 pool R1_Pool

ip nat inside source static tcp 10.0.0.3 21 xx.xx.xx.xx 21 route-map SDM_RMAP_7 extendable

ip nat inside source static tcp 10.0.0.7 22 xx.xx.xx.xx 22 route-map SDM_RMAP_6 extendable

ip nat inside source static tcp 10.0.0.11 25 xx.xx.xx.xx 25 route-map SDM_RMAP_16 extendable

ip nat inside source static tcp 10.0.0.3 80 xx.xx.xx.xx 80 route-map SDM_RMAP_10 extendable

ip nat inside source static tcp 10.0.0.56 88 xx.xx.xx.xx 88 route-map SDM_RMAP_19 extendable

ip nat inside source static udp 10.0.0.56 88 xx.xx.xx.xx 88 route-map SDM_RMAP_13 extendable

ip nat inside source static tcp 10.0.0.11 110 xx.xx.xx.xx 110 route-map SDM_RMAP_18 extendable

ip nat inside source static tcp 10.0.0.11 143 xx.xx.xx.xx 143 route-map SDM_RMAP_17 extendable

ip nat inside source static tcp 10.0.0.3 443 xx.xx.xx.xx 443 route-map SDM_RMAP_14 extendable

ip nat inside source static tcp 10.0.0.20 1024 xx.xx.xx.xx 1024 route-map SDM_RMAP_12 extendable

ip nat inside source static tcp 10.0.0.21 1100 xx.xx.xx.xx 1100 route-map SDM_RMAP_2 extendable

ip nat inside source static tcp 10.0.0.23 1105 xx.xx.xx.xx 1105 route-map SDM_RMAP_5 extendable

ip nat inside source static tcp 10.0.0.22 1110 xx.xx.xx.xx 1110 route-map SDM_RMAP_20 extendable

ip nat inside source static tcp 10.0.0.26 1115 xx.xx.xx.xx 1115 route-map SDM_RMAP_22 extendable

ip nat inside source static tcp 10.0.0.8 1723 xx.xx.xx.xx 1723 route-map SDM_RMAP_8 extendable

ip nat inside source static udp 10.0.0.86 1900 xx.xx.xx.xx 1900 route-map SDM_RMAP_21 extendable

ip nat inside source static tcp 10.0.0.1 22 xx.xx.xx.xx 2222 route-map SDM_RMAP_3 extendable

ip nat inside source static tcp 10.0.0.86 2869 xx.xx.xx.xx 2869 route-map SDM_RMAP_11 extendable

ip nat inside source static tcp 10.0.0.56 3074 xx.xx.xx.xx 3074 route-map SDM_RMAP_15 extendable

ip nat inside source static udp 10.0.0.56 3074 xx.xx.xx.xx 3074 route-map SDM_RMAP_23 extendable

ip nat inside source static tcp 10.0.0.10 5090 xx.xx.xx.xx 5090 route-map SDM_RMAP_4 extendable

ip nat inside source static tcp 10.0.0.3 8080 xx.xx.xx.xx 8080 route-map SDM_RMAP_9 extendable

!        

logging history debugging

logging trap debugging

logging facility syslog

logging host xx.xx.xx.xx transport udp port 61325

access-list 1 remark CCP_ACL Category=16

access-list 1 permit 10.0.0.0 0.0.0.255

access-list 100 remark CCP_ACL Category=2

access-list 100 deny   ip any host 10.0.0.70

access-list 100 deny   ip any host 10.0.0.71

access-list 100 deny   ip any host 10.0.0.72

access-list 100 deny   ip any host 10.0.0.73

access-list 100 deny   ip any host 10.0.0.74

access-list 100 deny   ip any host 10.0.0.75

access-list 100 deny   ip any host 10.0.0.76

access-list 100 deny   ip any host 10.0.0.77

access-list 100 deny   ip any host 10.0.0.78

access-list 100 deny   ip any host 10.0.0.79

access-list 100 deny   ip any host 10.0.0.80

access-list 100 deny   tcp host 10.0.0.3 eq ftp any

access-list 100 deny   tcp host 10.0.0.7 eq 22 any

access-list 100 deny   tcp host 10.0.0.11 eq smtp any

access-list 100 deny   tcp host 10.0.0.3 eq www any

access-list 100 deny   tcp host 10.0.0.56 eq 88 any

access-list 100 deny   udp host 10.0.0.56 eq 88 any

access-list 100 deny   tcp host 10.0.0.11 eq pop3 any

access-list 100 deny   tcp host 10.0.0.11 eq 143 any

access-list 100 deny   tcp host 10.0.0.3 eq 443 any

access-list 100 deny   tcp host 10.0.0.20 eq 1024 any

access-list 100 deny   tcp host 10.0.0.21 eq 1100 any

access-list 100 deny   tcp host 10.0.0.23 eq 1105 any

access-list 100 deny   tcp host 10.0.0.22 eq 1110 any

access-list 100 deny   tcp host 10.0.0.26 eq 1115 any

access-list 100 deny   tcp host 10.0.0.8 eq 1723 any

access-list 100 deny   udp host 10.0.0.86 eq 1900 any

access-list 100 deny   tcp host 10.0.0.1 eq 22 any

access-list 100 deny   tcp host 10.0.0.86 eq 2869 any

access-list 100 deny   tcp host 10.0.0.56 eq 3074 any

access-list 100 deny   udp host 10.0.0.56 eq 3074 any

access-list 100 deny   tcp host 10.0.0.10 eq 5090 any

access-list 100 deny   tcp host 10.0.0.3 eq 8080 any

access-list 100 permit ip 10.0.0.0 0.0.0.255 any

access-list 101 remark CCP_ACL Category=2

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.80

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.79

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.78

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.77

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.76

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.75

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.74

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.73

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.72

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.71

access-list 101 deny   ip host 10.0.0.21 host 10.0.0.70

access-list 101 permit tcp host 10.0.0.21 eq 1100 any

access-list 102 remark CCP_ACL Category=2

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.80

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.79

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.78

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.77

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.76

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.75

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.74

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.73

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.72

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.71

access-list 102 deny   ip host 10.0.0.1 host 10.0.0.70

access-list 102 permit tcp host 10.0.0.1 eq 22 any

access-list 103 remark CCP_ACL Category=2

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.80

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.79

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.78

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.77

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.76

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.75

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.74

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.73

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.72

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.71

access-list 103 deny   ip host 10.0.0.10 host 10.0.0.70

access-list 103 permit tcp host 10.0.0.10 eq 5090 any

access-list 104 remark CCP_ACL Category=2

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.80

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.79

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.78

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.77

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.76

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.75

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.74

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.73

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.72

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.71

access-list 104 deny   ip host 10.0.0.23 host 10.0.0.70

access-list 104 permit tcp host 10.0.0.23 eq 1105 any

access-list 105 remark CCP_ACL Category=2

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.80

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.79

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.78

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.77

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.76

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.75

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.74

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.73

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.72

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.71

access-list 105 deny   ip host 10.0.0.7 host 10.0.0.70

access-list 105 permit tcp host 10.0.0.7 eq 22 any

access-list 106 remark CCP_ACL Category=2

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.80

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.79

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.78

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.77

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.76

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.75

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.74

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.73

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.72

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.71

access-list 106 deny   ip host 10.0.0.3 host 10.0.0.70

access-list 106 permit tcp host 10.0.0.3 eq ftp any

access-list 107 remark CCP_ACL Category=2

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.80

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.79

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.78

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.77

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.76

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.75

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.74

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.73

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.72

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.71

access-list 107 deny   ip host 10.0.0.8 host 10.0.0.70

access-list 107 permit tcp host 10.0.0.8 eq 1723 any

access-list 108 remark CCP_ACL Category=2

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.80

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.79

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.78

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.77

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.76

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.75

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.74

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.73

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.72

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.71

access-list 108 deny   ip host 10.0.0.3 host 10.0.0.70

access-list 108 permit tcp host 10.0.0.3 eq 8080 any

access-list 109 remark CCP_ACL Category=2

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.80

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.79

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.78

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.77

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.76

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.75

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.74

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.73

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.72

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.71

access-list 109 deny   ip host 10.0.0.3 host 10.0.0.70

access-list 109 permit tcp host 10.0.0.3 eq www any

access-list 110 remark CCP_ACL Category=2

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.80

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.79

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.78

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.77

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.76

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.75

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.74

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.73

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.72

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.71

access-list 110 deny   ip host 10.0.0.86 host 10.0.0.70

access-list 110 permit tcp host 10.0.0.86 eq 2869 any

access-list 111 remark CCP_ACL Category=2

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.80

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.79

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.78

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.77

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.76

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.75

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.74

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.73

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.72

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.71

access-list 111 deny   ip host 10.0.0.20 host 10.0.0.70

access-list 111 permit tcp host 10.0.0.20 eq 1024 any

access-list 112 remark CCP_ACL Category=2

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.80

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.79

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.78

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.77

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.76

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.75

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.74

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.73

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.72

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.71

access-list 112 deny   ip host 10.0.0.56 host 10.0.0.70

access-list 112 permit udp host 10.0.0.56 eq 88 any

access-list 113 remark CCP_ACL Category=2

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.80

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.79

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.78

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.77

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.76

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.75

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.74

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.73

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.72

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.71

access-list 113 deny   ip host 10.0.0.3 host 10.0.0.70

access-list 113 permit tcp host 10.0.0.3 eq 443 any

access-list 114 remark CCP_ACL Category=2

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.80

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.79

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.78

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.77

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.76

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.75

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.74

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.73

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.72

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.71

access-list 114 deny   ip host 10.0.0.56 host 10.0.0.70

access-list 114 permit tcp host 10.0.0.56 eq 3074 any

access-list 115 remark CCP_ACL Category=2

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.80

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.79

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.78

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.77

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.76

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.75

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.74

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.73

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.72

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.71

access-list 115 deny   ip host 10.0.0.11 host 10.0.0.70

access-list 115 permit tcp host 10.0.0.11 eq smtp any

access-list 116 remark CCP_ACL Category=2

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.80

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.79

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.78

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.77

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.76

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.75

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.74

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.73

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.72

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.71

access-list 116 deny   ip host 10.0.0.11 host 10.0.0.70

access-list 116 permit tcp host 10.0.0.11 eq 143 any

access-list 117 remark CCP_ACL Category=2

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.80

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.79

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.78

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.77

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.76

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.75

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.74

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.73

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.72

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.71

access-list 117 deny   ip host 10.0.0.11 host 10.0.0.70

access-list 117 permit tcp host 10.0.0.11 eq pop3 any

access-list 118 remark CCP_ACL Category=2

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.80

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.79

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.78

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.77

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.76

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.75

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.74

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.73

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.72

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.71

access-list 118 deny   ip host 10.0.0.56 host 10.0.0.70

access-list 118 permit tcp host 10.0.0.56 eq 88 any

access-list 119 remark CCP_ACL Category=2

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.80

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.79

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.78

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.77

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.76

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.75

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.74

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.73

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.72

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.71

access-list 119 deny   ip host 10.0.0.22 host 10.0.0.70

access-list 119 permit tcp host 10.0.0.22 eq 1110 any

access-list 120 remark CCP_ACL Category=2

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.80

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.79

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.78

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.77

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.76

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.75

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.74

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.73

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.72

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.71

access-list 120 deny   ip host 10.0.0.86 host 10.0.0.70

access-list 120 permit udp host 10.0.0.86 eq 1900 any

access-list 121 remark CCP_ACL Category=2

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.80

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.79

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.78

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.77

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.76

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.75

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.74

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.73

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.72

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.71

access-list 121 deny   ip host 10.0.0.26 host 10.0.0.70

access-list 121 permit tcp host 10.0.0.26 eq 1115 any

access-list 122 remark CCP_ACL Category=2

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.80

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.79

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.78

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.77

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.76

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.75

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.74

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.73

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.72

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.71

access-list 122 deny   ip host 10.0.0.56 host 10.0.0.70

access-list 122 permit udp host 10.0.0.56 eq 3074 any

!        

menu R1 title ^CMenu                   

Cisco 3725 ^C

menu R1 prompt ^C Please Make A Selection ^C

menu R1 text 1 Restart Router

menu R1 command 1 reload

menu R1 text 2 Ping Google [Layer 3/4]

menu R1 command 2 ping google.com

menu R1 text 3 Ping ISP [Layer 3]

menu R1 command 3 ping xx.xx.xx.xx

menu R1 text 4 Active NAT Translations [Layer 3]

menu R1 command 4 sh ip nat trans

menu R1 text 5 Clear Current NAT Translations [Layer 3]

menu R1 command 5 clear ip nat trans *

menu R1 text 6 Fan Status [Layer 1]

menu R1 command 6 sh env

menu R1 text 7 Show Interface Status [Layer 1/2]

menu R1 command 7 sh ip int bri

menu R1 text 8 Neighbors [Layer 2]

menu R1 command 8 sh cdp ne

menu R1 text 9 Show NetFlow Stats [Layer 3]

menu R1 command 9 sh ip cache flow

menu R1 text 10 Show Top Talkers [Layer 3]

menu R1 command 10 sh ip flow top-talkers

menu R1 text 11 Exit

menu R1 command 11 menu-exit

menu R1 status-line

menu R1 line-mode

!

route-map SDM_RMAP_15 permit 1

match ip address 114

!

route-map SDM_RMAP_14 permit 1

match ip address 113

!

route-map SDM_RMAP_17 permit 1

match ip address 116

!

route-map SDM_RMAP_16 permit 1

match ip address 115

!

route-map SDM_RMAP_22 permit 1

match ip address 121

!

route-map SDM_RMAP_11 permit 1

match ip address 110

!

route-map SDM_RMAP_23 permit 1

match ip address 122

!

route-map SDM_RMAP_10 permit 1

match ip address 109

!

route-map SDM_RMAP_13 permit 1

match ip address 112

!

route-map SDM_RMAP_20 permit 1

match ip address 119

!

route-map SDM_RMAP_12 permit 1

match ip address 111

!

route-map SDM_RMAP_21 permit 1

match ip address 120

!

route-map SDM_RMAP_19 permit 1

match ip address 118

!

route-map SDM_RMAP_18 permit 1

match ip address 117

!

route-map SDM_RMAP_4 permit 1

match ip address 103

!

route-map SDM_RMAP_5 permit 1

match ip address 104

!

route-map SDM_RMAP_6 permit 1

match ip address 105

!

route-map SDM_RMAP_7 permit 1

match ip address 106

!

route-map SDM_RMAP_1 permit 1

match ip address 100

!

route-map SDM_RMAP_2 permit 1

match ip address 101

!

route-map SDM_RMAP_3 permit 1

match ip address 102

!

route-map SDM_RMAP_8 permit 1

match ip address 107

!

route-map SDM_RMAP_9 permit 1

match ip address 108

!

!

!        

control-plane

!        

!        

!        

!        

!        

!        

!        

!        

!        

!

privilege exec level 2 traceroute

privilege exec level 2 ping

privilege exec level 2 reload

privilege exec level 2 show version

privilege exec level 2 show

!        

line con 0

line aux 0

line vty 0 4

privilege level 15

transport input ssh

transport output ssh

line vty 5 903

privilege level 15

transport input ssh

transport output ssh

!        

ntp logging

ntp clock-period 17180581

ntp server xx.xx.xx.xx

!        

end

Anyone have any idea what I'm doing wrong?  Any help is greatly appreciated.

3 Replies

Michael Muenz
Level 5

This one is missing:

ip nat inside source list 1 pool R1_Pool overload

Or you need an overload when your nat pool is too small (you X'ed it out):

ip nat inside source route-map SDM_RMAP_1 pool R1_Pool

Michael

Please rate all helpful posts


Hey ciscomax thanks for the reply;

Can you elaborate?  I have the first command you listed already in my config (before CCP added the VPN server) for overloading my NAT:

ip nat inside source list 1 pool R1_Pool overload

and after CCP adds the EzVPN commands, I have the second command you listed in my config:

ip nat inside source route-map SDM_RMAP_1 pool R1_Pool

For clarification, I only have one static public IP available to use.

Did you mean something else?

Joshua,

After adding the CCP commands, the first is/was missing. If you have only 1 IP address, why don't you just overload Fa0/0?

Michael

Please rate all helpful posts
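The difference the replies point to, as an added example that is not part of the original thread: a Python check that reads IOS NAT statements and flags a dynamic rule bound to a pool without `overload`. The pool address 203.0.113.10 is a constructed placeholder (the real one is masked in the post), and the function names are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the two NAT statements quoted in the thread, with a
# placeholder pool address because the real one is masked in the post.
BEFORE = """\
ip nat pool R1_Pool 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 1 pool R1_Pool overload
"""
AFTER = """\
ip nat pool R1_Pool 203.0.113.10 203.0.113.10 netmask 255.255.255.0
ip nat inside source route-map SDM_RMAP_1 pool R1_Pool
"""

POOL_RE = re.compile(
    r"^ip nat pool (\S+) (\S+) (\S+) (?:netmask|prefix-length) \S+", re.M)
RULE_RE = re.compile(
    r"^ip nat inside source (list|route-map) (\S+) pool (\S+)( overload)?\s*$",
    re.M)


def pool_sizes(config):
    """Map each pool name to the number of addresses in its start..end range."""
    sizes = {}
    for name, start, end in POOL_RE.findall(config):
        lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
        sizes[name] = int(hi) - int(lo) + 1
    return sizes


def nat_findings(config):
    """Return one warning per pool-based NAT rule that lacks 'overload'."""
    sizes = pool_sizes(config)
    findings = []
    for kind, ref, pool, overload in RULE_RE.findall(config):
        if overload:
            continue  # PAT: many inside hosts share each pool address
        if pool not in sizes:
            findings.append(f"{kind} {ref}: pool {pool} is not defined")
            continue
        findings.append(
            f"{kind} {ref}: pool {pool} has {sizes[pool]} address(es) and no "
            "overload, so only that many inside hosts translate at once")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, nat_findings(cfg) or "ok")
```

Running it against a saved copy of the commands CCP proposes, before delivering them, shows whether the wizard has dropped the `overload` keyword from the LAN's NAT rule.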
