I'm trying to figure out why remote access VPNs to our company office fail. The scenario: currently we have a working situation. The way it works is that users connect on the public IP of an ADSL router which NATs the VPN traffic to an internal router. This router then forwards the traffic to the VPN server.
Now I'm implementing a 2nd internet line with more or less the same setup, but instead of an ADSL CPE we use a Cisco router. When active, users should connect the same way, with the only difference being a different public IP address.
So the only change from the Cisco VPN client's perspective is the host. However, when testing it did not work. The VPN client times out with something like 'the VPN peer did not respond'; I don't remember the exact error message by heart. Now logic tells me that because it's now working, the part between the internal router and VPN gateway is OK. My guess is that this is due to the Cisco's access list. I had my own access list, but for some reason I decided to use the SDM firewall config wizard and it generated this access list:
Extended IP access list 100
10 permit tcp any host 126.96.36.199 eq 4500
20 permit tcp any host 188.8.131.52 eq 500
30 permit tcp any host 184.108.40.206 eq 51
40 permit tcp any host 220.127.116.11 eq 50
50 permit tcp any host 18.104.22.168 eq 3101
60 permit tcp any host 22.214.171.124 eq 993
70 permit tcp any host 126.96.36.199 eq 587
80 permit tcp any host 188.8.131.52 eq smtp (722 matches)
90 deny ip 192.168.0.8 0.0.0.7 any (20606 matches)
100 permit icmp any host 184.108.40.206 echo-reply (113 matches)
110 permit icmp any host 220.127.116.11 time-exceeded (54 matches)
120 permit icmp any host 18.104.22.168 unreachable (1051 matches)
130 deny ip 10.0.0.0 0.255.255.255 any (726 matches)
140 deny ip 172.16.0.0 0.15.255.255 any
150 deny ip 192.168.0.0 0.0.255.255 any
160 deny ip 127.0.0.0 0.255.255.255 any
170 deny ip host 255.255.255.255 any
180 deny ip host 0.0.0.0 any
190 deny ip any any log (5163 matches)
Since the NATing for SMTP works, I believe the NATing is OK. I can ping the VPN server, so routing also seems to be OK. The VPN end-users should receive a VPN IP address from the 192.168.x.x pool. Can it be that rule 150 is preventing them from connecting? I cannot test, since it's a live environment and I will have to schedule a window. I'm just trying to figure out what is wrong so I can fix it during a window. Anyone any ideas?
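The access list above can be checked offline before the maintenance window. The script below is an added example, not code from the thread or from Cisco: it parses the posted `show access-list` output (copied in as a string, match counters included) and evaluates packets against it with IOS first-match semantics and the implicit deny at the end. The flows it tests are the ones a remote-access IPsec client actually sends: IKE on UDP 500, NAT-T on UDP 4500, and ESP, which is IP protocol 50 rather than a TCP port. The client address 203.0.113.10 is constructed (TEST-NET-3); the VPN host addresses are taken from the posted entries.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# The access list from the post, pasted as-is; the parser discards the "(N matches)" counters.
ACL_TEXT = """
10 permit tcp any host 126.96.36.199 eq 4500
20 permit tcp any host 188.8.131.52 eq 500
30 permit tcp any host 184.108.40.206 eq 51
40 permit tcp any host 220.127.116.11 eq 50
50 permit tcp any host 18.104.22.168 eq 3101
60 permit tcp any host 22.214.171.124 eq 993
70 permit tcp any host 126.96.36.199 eq 587
80 permit tcp any host 188.8.131.52 eq smtp (722 matches)
90 deny ip 192.168.0.8 0.0.0.7 any (20606 matches)
100 permit icmp any host 184.108.40.206 echo-reply (113 matches)
110 permit icmp any host 220.127.116.11 time-exceeded (54 matches)
120 permit icmp any host 18.104.22.168 unreachable (1051 matches)
130 deny ip 10.0.0.0 0.255.255.255 any (726 matches)
140 deny ip 172.16.0.0 0.15.255.255 any
150 deny ip 192.168.0.0 0.0.255.255 any
160 deny ip 127.0.0.0 0.255.255.255 any
170 deny ip host 255.255.255.255 any
180 deny ip host 0.0.0.0 any
190 deny ip any any log (5163 matches)
"""

NAMED_PORTS = {"smtp": 25}  # IOS prints well-known ports by name


@dataclass
class Entry:
    seq: int
    action: str
    proto: str                      # ip, tcp, udp or icmp
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # "eq <port>" on tcp/udp entries
    icmp_type: Optional[str] = None


@dataclass
class Packet:
    proto: str                      # tcp, udp, icmp, esp, ah
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[str] = None


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' and return the network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = ipaddress.IPv4Address(~wildcard & 0xFFFFFFFF)  # IOS wildcard is an inverted mask
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_entry(line: str) -> Optional[Entry]:
    line = re.sub(r"\s*\(\d+ matches\)\s*$", "", line.strip())
    m = re.match(r"^(\d+)\s+(permit|deny)\s+(ip|tcp|udp|icmp)\s+(.+)$", line)
    if not m:
        return None
    seq, action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _parse_addr(tokens)
    dst, tokens = _parse_addr(tokens)
    entry = Entry(int(seq), action, proto, src, dst)
    if tokens and tokens[0] == "eq":
        entry.dport = int(tokens[1]) if tokens[1].isdigit() else NAMED_PORTS[tokens[1]]
    elif proto == "icmp" and tokens and tokens[0] != "log":
        entry.icmp_type = tokens[0]
    return entry


def parse_acl(text: str) -> List[Entry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:   # "ip" matches every protocol, incl. ESP/AH
        return False
    if ipaddress.ip_address(p.src) not in e.src or ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return e.icmp_type is None or e.icmp_type == p.icmp_type


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First-match semantics; an IOS ACL ends with an implicit deny (seq None here)."""
    for e in acl:
        if entry_matches(e, p):
            return e.action, e.seq
    return "deny", None


def ipsec_report(acl: List[Entry], client_ip: str, vpn_ip: str) -> Dict[str, Tuple[str, Optional[int]]]:
    """Fate of the three flows a remote-access IPsec client sends to the VPN gateway."""
    flows = {
        "IKE udp/500": Packet("udp", client_ip, vpn_ip, dport=500),
        "NAT-T udp/4500": Packet("udp", client_ip, vpn_ip, dport=4500),
        "ESP (IP protocol 50)": Packet("esp", client_ip, vpn_ip),
    }
    return {name: evaluate(acl, pkt) for name, pkt in flows.items()}


if __name__ == "__main__":
    acl = parse_acl(ACL_TEXT)
    # 203.0.113.10 is a constructed client address; the VPN host is the one on line 20.
    for name, (action, seq) in ipsec_report(acl, "203.0.113.10", "188.8.131.52").items():
        print(f"{name:22s} -> {action} (line {seq})")
```

Running it shows that none of the three IPsec flows reaches a permit entry: the TCP entries on 500, 4500, 50 and 51 never match UDP or ESP, so the packets fall through to line 190. The same evaluator also confirms that lines 130 to 180 only act on the source address of an inbound packet, so a client on a public address is not affected by rule 150; an internal 192.168.x.x source on the outside interface would hit line 90 or 150 first.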