cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1666
Views
0
Helpful
5
Replies

L2L ipsec VPN - unable to access published server

noneckturtle
Level 1
Level 1

I've got a site to site ipsec vpn setup between myself and a nother location. At my site is a Cisco 877-M at the other site is ISA Server 2006.

The ipsec to site2 is up and I can ping machines on the LAN in both directions.

At my site port 80 is forwarded from WAN to my internal web server. I'm unable to access the web site via ip or name from Site2. I'm in the process of setting up Site3 and stopped so that I can get the access to the internal server working first.

Config of the 877 is below.


!
! Last configuration change at 12:15:56 AEDT Tue Mar 9 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log uptime
service password-encryption
service internal
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
enable secret 5 <cut>
!
no aaa new-model
!
!
!
clock timezone AEST 10
clock summer-time AEDT recurring last Sun Oct 2:00 1 Sun Apr 3:00
!
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.100 192.231.203.132 192.231.203.3
   lease infinite
!
!
ip cef
no ip bootp server
ip domain name mydomainname.com
ip host members.dyndns.org 63.208.196.95
ip name-server 192.168.1.100
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip inspect name WAN udp router-traffic
ip inspect name WAN pptp
ip inspect name WAN http
ip inspect name WAN https
ip inspect name WAN sip
ip inspect name WAN icmp
ip inspect name WAN ftp
ip inspect name WAN dns audit-trail on timeout 5
ip inspect name WAN fragment maximum 256 timeout 1
ip inspect name WAN telnet
ip inspect name WAN bittorrent
ip inspect name WAN edonkey
ip inspect name WAN gnutella
ip inspect name WAN fasttrack
ip inspect name WAN snmp
ip inspect name WAN imaps alert on audit-trail on
ip inspect name WAN imap
ip inspect name WAN esmtp alert on audit-trail on
ip inspect name WAN ipsec-msft
ip inspect name WAN ssh
ip inspect name WAN tcp router-traffic
ip inspect name WAN isakmp audit-trail on timeout 5
ip inspect name WAN snmptrap
ip ddns update method DynDNS
HTTP
  add http://Username:Password@members.dyndns.org/nic/update?system=dyndns&hostname=Password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
  remove http://Username:Password@members.dyndns.org/nic/update?system=dyndns&hostname=Password@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
log config
  logging enable
  hidekeys
path tftp://192.168.1.100/cfg-$h
username admin privilege 15 password 7 <cut>
!
!
ip ssh authentication-retries 2
!
class-map match-any VOICE-MATCH-DSCP
match  dscp ef
class-map match-any VOICE-MATCH-ACL
match access-group 120
!
!
policy-map VOICE-OUT
class VOICE-MATCH-DSCP
    priority percent 40
class class-default
    fair-queue
     random-detect
policy-map VOICE-IN
class VOICE-MATCH-ACL
  set ip dscp ef
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key cut address xxx.xxx.xxx.34 no-xauth
crypto isakmp key cut address xxx.xxx.xxx.246 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set isavpn esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map CISCO 1 ipsec-isakmp
set peer xxx.xxx.xxx.34
set transform-set isavpn
set pfs group2
match address acl_vpn
!
!
!
!
interface ATM0
description --- ADSL ---
bandwidth 3000
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
dsl bitswap both
!
pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
speed 100
!
!
interface FastEthernet1
!
!
interface FastEthernet2
!
!
interface FastEthernet3
!
!
interface Vlan1
description --- Ethernet LAN ---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
!
service-policy input VOICE-IN
!
interface Dialer0
description --- ADSL ---
ip ddns update hostname host.mydomainname.com
ip ddns update DynDNS
ip address negotiated
ip access-group WAN-IN in
ip mtu 1478
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect WAN out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp chap hostname username@isp.net
ppp chap password 7 <cut>
crypto map CISCO
!
max-reserved-bandwidth 100
service-policy output VOICE-OUT
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat translation timeout 300
ip nat translation tcp-timeout 600
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 300
ip nat translation icmp-timeout 120
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.100 2222 interface Dialer0 2222
ip nat inside source static tcp 192.168.1.60 29091 interface Dialer0 29091
ip nat inside source static udp 192.168.1.60 29091 interface Dialer0 29091
ip nat inside source static udp 192.168.1.100 2222 interface Dialer0 2222
ip nat inside source static tcp 192.168.1.60 3724 interface Dialer0 3724
ip nat inside source static tcp 192.168.1.60 6112 interface Dialer0 6112
ip nat inside source static udp 192.168.1.3 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.3 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.4 3074 interface Dialer0 3074
ip nat inside source static udp 192.168.1.4 88 interface Dialer0 88
ip nat inside source static udp 192.168.1.4 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static udp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static udp 192.168.1.100 10000 interface Dialer0 10000
ip nat inside source static tcp 192.168.1.100 10000 interface Dialer0 10000
ip nat inside source static tcp 192.168.1.100 443 interface Dialer0 443
ip nat inside source static udp 192.168.1.100 443 interface Dialer0 443
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended WAN-IN
remark CCP_ACL Category=17
permit ip host xxx.xxx.xxx.246 192.168.1.0 0.0.0.255
permit tcp 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit icmp 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit udp host 122.148.66.246 any eq non500-isakmp
permit udp host 122.148.66.246 any eq isakmp
permit esp host 122.148.66.246 any
permit ahp host 122.148.66.246 any
remark Auto generated by SDM for NTP (123) 192.43.244.18
permit udp host 192.43.244.18 eq ntp any eq ntp
remark Auto generated by SDM for NTP (123) 209.81.9.7
permit udp host 209.81.9.7 eq ntp any eq ntp
remark Auto generated by SDM for NTP (123) 128.118.25.5
permit udp host 128.118.25.5 eq ntp any eq ntp
permit ip host xxx.xxx.xxx.34 192.168.1.0 0.0.0.255
permit icmp 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit ip 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit tcp 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit udp 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit udp host xxx.xxx.xxx.34 any eq non500-isakmp
permit udp host xxx.xxx.xxx.34 any eq isakmp
permit esp host xxx.xxx.xxx.34 any
permit ahp host xxx.xxx.xxx.34 any
permit tcp any any eq 1723
permit tcp any any eq www log
permit tcp any any eq smtp
permit tcp any any eq 443 log
permit gre any any
permit tcp any any eq 3074
permit udp any any eq 3074
permit udp any any eq 88
permit udp any any eq 5060 log
permit tcp any any eq 5060 log
permit udp any any eq 80 log
permit tcp any any eq 2222 log
permit udp any any eq 2222 log
permit tcp any any eq 10000 log
permit udp any any eq 10000 log
ip access-list extended acl_nat
deny   ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 any log
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
!
logging trap debugging
logging 192.168.1.100
access-list 1 permit 192.83.231.0 0.0.0.255
access-list 1 permit 203.26.95.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit xxx.xxx.xxx.34
access-list 10 permit 192.168.1.100
access-list 100 remark CCP_ACL Category=18
access-list 100 deny   ip 192.168.1.0 0.0.0.255 host 122.148.66.246
access-list 100 deny   tcp 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255 log
access-list 100 deny   icmp 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255 log
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255 log
access-list 100 deny   ip 192.168.1.0 0.0.0.255 host xxx.xxx.xxx.34
access-list 100 deny   icmp 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
access-list 100 deny   tcp 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 115 remark ********Allowed NTP Servers
access-list 115 permit udp host 192.43.244.18 any eq ntp
access-list 115 permit udp host 209.81.9.7 any eq ntp
access-list 115 permit udp host 128.118.25.5 any eq ntp
access-list 120 permit ip host 192.168.1.3 any
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
snmp-server community MyCommunity972 RW 10
snmp-server community public RO
snmp-server ifindex persist
snmp-server location
snmp-server contact
snmp-server chassis-id Cisco877-ADSL-Router
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps flash insertion removal
snmp-server enable traps aaa_server
snmp-server enable traps atm pvc
snmp-server enable traps atm subif
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps cpu threshold
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 192.168.1.100 version 2c MyCommunity972
snmp-server host 192.168.1.60 version 2c MyCommunity972
!
control-plane
!
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp master
ntp server 128.118.25.5 source Dialer0
ntp server 209.81.9.7 source Dialer0
ntp server 192.43.244.18 source Dialer0
end

5 Replies 5

Hi,

You cannot access the web server from Site2.

When you say that port 80 is being forwarded from the WAN you mean this commands?

ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static udp 192.168.1.100 80 interface Dialer0 80

To which IP are you pointing to reach the server via web? To the public Dialer IP or to the private IP?

You need to specify the interesting traffic for VPN from that IP.

The traffic that is going to be encrypted in the L2L tunnel is the traffic in ACL ''acl_vpn''

ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log

The server is 192.168.1.100, but you need to bypass NAT for this server when going through the tunnel.

Here you have it:

access-list 100 deny   tcp 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log

Try applying the route-map to the STATIC NAT statement.

I think that what is happening is that NAT is taking place for that server on port 80 and therefore you cannot reach it through the tunnel.

Can you verify this?

Federico.

Federico,

Thanks for responding,

I have tried accessing the server via both the private and Dialer ip. Neither one works. But I can ping the server private ip from same machine on Site2. The ISA Server proxy logs at Site2 show the http request going out, but no reponse is received from the web server. The apache logs on the server show no requests coming through.

I'm new to this Cisco IOS stuff so I'm unsure of where/how to apply the route-map. Perhaps you can explain a little further? I tried doing something similar with the route-map last night and I ended up being still connected to the internet and ipsec vpn, but all traffic was going out the ipsec. I still couldn't access the web server though so I reloaded the router to revert the config back.

I think your right about it being a nat issue. I was reading  up on the order that NAT and acls are processed and it appears as if the problem is known. I just can't figure out how to make the required changes so this works.

Regards,

David

You can try the following:

Applying the route-map to the inside interface:

interface Vlan 1
ip policy route-map SDM_RMAP_1

Then, to make sure that the VPN is coming up, you check the status of the tunnel with the following commands:
phase1:  sh cry isa sa
phase2:  sh cry ips sa

Please post the output of both lines. (you have to do the commands, after trying to send traffic
through the tunnel).

Also, on the ACL applied to the outside Dialer interface, I see a permit udp any any eq 80 line, but
I don't see a permit tcp any any eq 80 (for web traffic).

Federico.

OK. So I made a few changes and put the route-map on the VLAN1 interface and I ended up in the same situation where the ipsec was up and I could connect to a machine 192.168.16.3, but had lost access to the internet.

Below is what the config was before I reloaded the device to revert back the changes.


!
! Last configuration change at 17:29:04 AEDT Thu Mar 11 2010 by admin
!
version 15.0
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec show-timezone
service timestamps log uptime
service password-encryption
service internal
!
hostname cisco
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
enable secret 5 <>
!
no aaa new-model
!
!
!
clock timezone AEST 10
clock summer-time AEDT recurring last Sun Oct 2:00 1 Sun Apr 3:00
!
dot11 syslog
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.10
!
ip dhcp pool lan
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 192.168.1.100 192.231.203.132 192.231.203.3
   lease infinite
!
!
ip cef
no ip bootp server
ip domain name mydomain.com
ip host members.dyndns.org 63.208.196.95
ip name-server 192.168.1.100
ip name-server 192.231.203.132
ip name-server 192.231.203.3
ip inspect name WAN udp router-traffic
ip inspect name WAN pptp
ip inspect name WAN http
ip inspect name WAN https
ip inspect name WAN sip
ip inspect name WAN icmp
ip inspect name WAN ftp
ip inspect name WAN dns audit-trail on timeout 5
ip inspect name WAN fragment maximum 256 timeout 1
ip inspect name WAN telnet
ip inspect name WAN bittorrent
ip inspect name WAN edonkey
ip inspect name WAN gnutella
ip inspect name WAN fasttrack
ip inspect name WAN snmp
ip inspect name WAN imaps alert on audit-trail on
ip inspect name WAN imap
ip inspect name WAN esmtp alert on audit-trail on
ip inspect name WAN ipsec-msft
ip inspect name WAN ssh
ip inspect name WAN tcp router-traffic
ip inspect name WAN isakmp audit-trail on timeout 5
ip inspect name WAN snmptrap
ip ddns update method DynDNS
HTTP
  add http://Username:Password@members.dyndns.org/nic/update?system=dyndns&hostname=Password@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
  remove http://Username:Password@members.dyndns.org/nic/update?system=dyndns&hostname=Password@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=
interval maximum 28 0 0 0
interval minimum 28 0 0 0
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
archive
log config
  logging enable
  hidekeys
path tftp://192.168.1.100/cfg-$h
username admin privilege 15 password 7 <>
!
!
ip ssh authentication-retries 2
!
class-map match-any VOICE-MATCH-DSCP
match  dscp ef
class-map match-any VOICE-MATCH-ACL
match access-group 120
!
!
policy-map VOICE-OUT
class VOICE-MATCH-DSCP
    priority percent 40
class class-default
    fair-queue
     random-detect
policy-map VOICE-IN
class VOICE-MATCH-ACL
  set ip dscp ef
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
lifetime 28800
crypto isakmp key <> address xxx.xxx.xxx.34 no-xauth
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 30 periodic
!
!
crypto ipsec transform-set isavpn esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map CISCO 1 ipsec-isakmp
set peer xxx.xxx.xxx.34
set transform-set isavpn
set pfs group2
match address acl_vpn
!
!
!
!
interface ATM0
description --- ADSL ---
bandwidth 3000
no ip address
no atm ilmi-keepalive
dsl operating-mode adsl2+
dsl bitswap both
!
pvc 8/35
  tx-ring-limit 3
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface FastEthernet0
description --- Plugged into Cisco 2900XL switch ---
speed 100
!
!
interface FastEthernet1
description --- Plugged into Linksys 3102 VOIP ATA ---
!
!
interface FastEthernet2
!
!
interface FastEthernet3
description --- Plugged into Panasonic DMR-XW350 ---
!
!
interface Vlan1
description --- Ethernet LAN ---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
ip policy route-map SDM_RMAP_1
!
service-policy input VOICE-IN
!
interface Dialer0
description --- Internode ADSL ---
ip ddns update hostname <>
ip ddns update DynDNS
ip address negotiated
ip access-group WAN-IN in
ip mtu 1478
ip nbar protocol-discovery
ip flow ingress
ip flow egress
ip nat outside
ip inspect WAN out
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer idle-timeout 0
dialer persistent
dialer-group 1
ppp chap hostname <>
ppp chap password 7 <>
crypto map CISCO
!
max-reserved-bandwidth 100
service-policy output VOICE-OUT
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
ip nat translation timeout 300
ip nat translation tcp-timeout 600
ip nat translation finrst-timeout 120
ip nat translation syn-timeout 300
ip nat translation icmp-timeout 120
no ip nat service sip tcp port 5060
no ip nat service sip udp port 5060
ip nat inside source static tcp 192.168.1.100 2222 interface Dialer0 2222
ip nat inside source static tcp 192.168.1.60 29091 interface Dialer0 29091
ip nat inside source static udp 192.168.1.60 29091 interface Dialer0 29091
ip nat inside source static udp 192.168.1.100 2222 interface Dialer0 2222
ip nat inside source static tcp 192.168.1.60 3724 interface Dialer0 3724
ip nat inside source static tcp 192.168.1.60 6112 interface Dialer0 6112
ip nat inside source static udp 192.168.1.3 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.3 5060 interface Dialer0 5060
ip nat inside source static tcp 192.168.1.4 3074 interface Dialer0 3074
ip nat inside source static udp 192.168.1.4 88 interface Dialer0 88
ip nat inside source static udp 192.168.1.4 3074 interface Dialer0 3074
ip nat inside source static tcp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static udp 192.168.1.100 80 interface Dialer0 80
ip nat inside source static udp 192.168.1.100 10000 interface Dialer0 10000
ip nat inside source static tcp 192.168.1.100 10000 interface Dialer0 10000
ip nat inside source static tcp 192.168.1.100 443 interface Dialer0 443
ip nat inside source static udp 192.168.1.100 443 interface Dialer0 443
ip nat inside source static tcp 192.168.1.100 53 interface Dialer0 53
ip nat inside source static udp 192.168.1.100 53 interface Dialer0 53
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended WAN-IN
remark Auto generated by SDM for NTP (123) 192.43.244.18
permit udp host 192.43.244.18 eq ntp any eq ntp
remark Auto generated by SDM for NTP (123) 209.81.9.7
permit udp host 209.81.9.7 eq ntp any eq ntp
remark Auto generated by SDM for NTP (123) 128.118.25.5
permit udp host 128.118.25.5 eq ntp any eq ntp
permit ip host xxx.xxx.xxx.34 192.168.1.0 0.0.0.255 log
permit ip 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit tcp 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit udp 192.168.16.0 0.0.0.255 192.168.1.0 0.0.0.255 log
permit udp host xxx.xxx.xxx.34 any eq non500-isakmp
permit udp host xxx.xxx.xxx.34 any eq isakmp log
permit esp host xxx.xxx.xxx.34 any log
permit ahp host xxx.xxx.xxx.34 any log
permit tcp any any eq 1723
permit tcp any any eq www log
permit tcp any any eq smtp
permit tcp any any eq 443 log
permit gre any any
permit tcp any any eq 3074
permit udp any any eq 3074
permit udp any any eq 88
permit udp any any eq 5060 log
permit tcp any any eq 5060 log
permit udp any any eq 80 log
permit tcp any any eq 2222 log
permit udp any any eq 2222 log
permit tcp any any eq 10000 log
permit udp any any eq 10000 log
permit tcp any any eq domain log
permit udp any any eq domain log
ip access-list extended acl_nat
deny   ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
permit ip 192.168.1.0 0.0.0.255 any log
ip access-list extended acl_vpn
permit ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
!
logging trap debugging
logging 192.168.1.100
access-list 1 permit 192.83.231.0 0.0.0.255
access-list 1 permit 203.26.95.0 0.0.0.255
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 10 permit xxx.xxx.xxx.34
access-list 10 permit 192.168.1.100
access-list 100 deny   ip 192.168.1.0 0.0.0.255 host xxx.xxx.xxx.34 log
access-list 100 deny   icmp 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
access-list 100 deny   ip 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
access-list 100 deny   tcp 192.168.1.0 0.0.0.255 192.168.16.0 0.0.0.255 log
access-list 100 permit ip 192.168.1.0 0.0.0.255 any log
access-list 115 remark ********Allowed NTP Servers
access-list 115 permit udp host 192.43.244.18 any eq ntp
access-list 115 permit udp host 209.81.9.7 any eq ntp
access-list 115 permit udp host 128.118.25.5 any eq ntp
access-list 120 permit ip host 192.168.1.3 any
no cdp run

!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 100
!
snmp-server community MyCommunity972 RW 10
snmp-server community public RO
snmp-server ifindex persist
snmp-server location <>
snmp-server contact <>
snmp-server chassis-id Cisco877-ADSL-Router
snmp-server enable traps snmp linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps tty
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface-old
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps disassociate
snmp-server enable traps deauthenticate
snmp-server enable traps authenticate-fail
snmp-server enable traps dot11-qos
snmp-server enable traps switch-over
snmp-server enable traps rogue-ap
snmp-server enable traps wlan-wep
snmp-server enable traps flash insertion removal
snmp-server enable traps aaa_server
snmp-server enable traps atm pvc
snmp-server enable traps atm subif
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps cpu threshold
snmp-server enable traps ipsla
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps pw vc
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 192.168.1.100 version 2c MyCommunity972
snmp-server host 192.168.1.60 version 2c MyCommunity972
!
control-plane
!
!
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 1 in
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
ntp master
ntp server 128.118.25.5 source Dialer0
ntp server 209.81.9.7 source Dialer0
ntp server 192.43.244.18 source Dialer0
end

When the IPsec tunnel is up you lose Internet?

Should not happen, because according to your configuration the only VPN traffic flows between networks:
192.168.1.0/24 and 192.168.16.0/24

Let's look at the logs when you attempt to bring up the tunnel:  sh log

Federico.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: