Cisco Support Community

New Member

SSL VPN trouble

When I try to connect from a remote host to the SSL VPN on a 2911 router, I get the following errors:

Cisco Systems VPN Client Version 5.0.07.0410
Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 3
Config file directory: C:\Program Files\Cisco Systems\VPN Client\

1      12:52:38.538  11/26/11  Sev=Warning/2 IKE/0xE300009B
Invalid SPI size (PayloadNotify:116)

2      12:52:38.538  11/26/11  Sev=Warning/3 IKE/0xA3000058
Received malformed message or negotiation no longer active (message id: 0x00000000)

It doesn't matter what username and password I use; I guess it never gets to that point of authentication.

Any suggestions? Running-config below:

Building configuration...

Current configuration : 16633 bytes
!
! Last configuration change at 11:28:48 PCTime Sat Nov 26 2011 by xxx
! NVRAM config last updated at 16:45:09 PCTime Fri Nov 25 2011 by xxx
! NVRAM config last updated at 16:45:09 PCTime Fri Nov 25 2011 by xxxxx
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SFGallery
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name gpgallery.com
ip name-server 10.10.10.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.80
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint SFGallery_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair SFGallery_Certificate_RSAKey 512
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SFGallery_Certificate
certificate self-signed 01
  quit
license udi pid CISCO2911/K9 sn FTX1542AKJ3
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
username xxxx privilege 15 secret 5 xxxx
username xxxxxx privilege 15 secret 5 xxxx
!
redundancy
!
!
!
!
no ip ftp passive
ip ssh version 1
!
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
!
!
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
  pass
!
zone security sslvpn-zone
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key TempVPN1# address 209.101.19.226
!
crypto isakmp client configuration group SFGallery
key 12ui##143222
pool SDM_POOL_1
max-users 25
netmask 255.255.252.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to209.101.19.226
set peer 209.101.19.226
set transform-set ESP-3DES-SHA1
match address 107
!
!
!
!
!
interface Loopback1
ip address 192.168.5.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description T1 Cybermesa$ETH-WAN$
ip address 65.19.62.60 255.255.255.240
ip access-group 105 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
description LANOverloadNet$ETH-WAN$
ip address 172.16.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN$ETH-LAN$
ip address 10.10.10.2 255.255.255.128
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
!
interface Virtual-Template2
ip unnumbered Loopback1
zone-member security sslvpn-zone
!
!
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 60000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 65.19.62.49 permanent
ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 permanent
ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
ip route 172.16.0.0 255.255.252.0 GigabitEthernet0/1 permanent
ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
!
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
!
no logging trap
logging 10.10.10.107
access-list 1 permit 192.168.1.2
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit 65.19.62.48 0.0.0.15
access-list 1 permit 10.10.10.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip any host 10.10.10.2
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
access-list 100 deny   tcp any host 10.10.10.2 eq telnet
access-list 100 deny   tcp any host 10.10.10.2 eq 22
access-list 100 deny   tcp any host 10.10.10.2 eq www
access-list 100 deny   tcp any host 10.10.10.2 eq 443
access-list 100 deny   tcp any host 10.10.10.2 eq cmd
access-list 100 deny   udp any host 10.10.10.2 eq snmp
access-list 100 permit udp any eq domain host 10.10.10.2
access-list 100 permit udp host 10.10.10.80 eq domain any
access-list 100 permit udp host 10.10.10.10 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 101 permit ip 65.19.62.48 0.0.0.15 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 permit ip 65.19.62.48 0.0.0.15 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.127 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
access-list 103 deny   tcp any host 172.16.0.1 eq telnet
access-list 103 deny   tcp any host 172.16.0.1 eq 22
access-list 103 deny   tcp any host 172.16.0.1 eq www
access-list 103 deny   tcp any host 172.16.0.1 eq 443
access-list 103 deny   tcp any host 172.16.0.1 eq cmd
access-list 103 deny   udp any host 172.16.0.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any host 65.19.62.61 eq 443
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.255
access-list 105 permit udp any eq domain host 65.19.62.60
access-list 105 permit ahp host 209.101.19.226 host 65.19.62.60
access-list 105 permit esp host 209.101.19.226 host 65.19.62.60
access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq isakmp
access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq telnet
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 22
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq www
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 443
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq cmd
access-list 105 deny   tcp any host 65.19.62.60 eq telnet
access-list 105 deny   tcp any host 65.19.62.60 eq 22
access-list 105 deny   tcp any host 65.19.62.60 eq www
access-list 105 deny   tcp any host 65.19.62.60 eq 443
access-list 105 deny   tcp any host 65.19.62.60 eq cmd
access-list 105 deny   udp any host 65.19.62.60 eq snmp
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 permit ip 70.56.215.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 109 permit ip 172.16.0.0 0.0.3.255 any
!
!
!
!
route-map SDM_RMAP_4 permit 1
match ip address 109
!
route-map SDM_RMAP_1 permit 1
match ip address 106
!
route-map SDM_RMAP_2 permit 1
match ip address 108
!
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.107 public
!
!
!
control-plane
!
!
banner login ^CCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 102 in
transport input telnet
line vty 5 15
access-class 101 in
transport input telnet
!
scheduler allocate 20000 1000
!
webvpn gateway gateway_1
ip address 65.19.62.61 port 443
http-redirect port 80
ssl trustpoint SFGallery_Certificate
inservice
!
webvpn context SFGallery
secondary-color white
title-color #FF9900
text-color black
ssl authenticate verify all
!
nbns-list "nbns_list_1"
   nbns-server 10.10.10.10 master
   nbns-server 10.10.10.80
!
policy group policy_1
   nbns-list "nbns_list_1"
   functions file-access
   functions file-browse
   functions file-entry
   functions svc-enabled
   svc address-pool "SDM_POOL_1"
   svc rekey method new-tunnel
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_2
gateway gateway_1 domain gpgallery.com
max-users 25
inservice
!
end

4 REPLIES

SSL VPN trouble

Looks like you are mixing two things here: SSL VPN and Easy VPN.

This Cisco VPN client won't work; you need to install the SVC, which seems to be missing in your configuration.

webvpn install svc flash:/webvpn/svc.pkg

Then you can access https://vpngateway from a browser.

Thanks
Ajay
New Member

SSL VPN trouble

Thanks, Ajay.

Are you saying that the Cisco VPN client works with "EasyVPN" but the SSL VPN requires "AnyConnect"?

I initially used the EasyVPN wizard in CCP, then deleted the EasyVPN. Were remnants left in my config file? What do I need to delete to get rid of the EasyVPN completely?

SSL VPN trouble

Yes, if you want to use VPN Client 5.0, an EzVPN config is required. There are things common between them, like the ISAKMP policy and the VPN pool; if you can edit from the CLI it would be easy. Adding "no" before the command will do.
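Ajay's two replies above (the SSL VPN gateway needs the SVC package installed; Easy VPN and SSL VPN share pieces such as the ISAKMP policy and the VPN pool) describe a config-shape problem that can be checked mechanically. The Python audit below is an added example, not code from this thread or from Cisco: it scans a pasted running-config without relying on indentation and reports a webvpn gateway with no "webvpn install svc", an Easy VPN client group that no ISAKMP profile binds to a virtual-template with tunnel protection, and a group pool with no matching "ip local pool". The two embedded configs are constructed, trimmed models of the OP's first and second posts with secrets removed.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the OP's first config (secrets removed): a
# webvpn gateway with no SVC package, and an Easy VPN group bound to no profile.
CONFIG_FIRST_POST = """\
crypto isakmp client configuration group SFGallery
pool SDM_POOL_1
netmask 255.255.252.0
interface Virtual-Template2
ip unnumbered Loopback1
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
webvpn gateway gateway_1
"""

# Constructed sample modelled on the OP's second config: the Easy VPN chain
# group -> isakmp profile -> virtual-template with tunnel protection is complete.
CONFIG_SECOND_POST = """\
crypto isakmp client configuration group SFGallery
pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
match identity group SFGallery
virtual-template 3
interface Virtual-Template3 type tunnel
ip unnumbered Loopback1
tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
"""

# Pastes lose indentation, so a sub-mode block ends at the next top-level prefix;
# interfaces use a narrower set because "ip unnumbered" lives inside them.
TOP_LEVEL = ("crypto ", "interface ", "ip ", "webvpn ", "access-list ", "line ")
INTERFACE_STOP = ("interface ", "crypto ", "webvpn ", "ip local pool ", "ip route ")

def config_lines(config: str) -> List[str]:
    """One stripped command per entry; blank lines and '!' comments dropped."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]

def section(lines: List[str], start: int, stop: tuple) -> List[str]:
    """Sub-commands following lines[start], up to the next top-level command."""
    body = []
    for ln in lines[start + 1:]:
        if ln.startswith(stop):
            break
        body.append(ln)
    return body

def isakmp_profiles(lines: List[str]) -> Dict[str, dict]:
    """name -> {'groups': identity groups matched, 'vtemplate': int or None}."""
    profiles = {}
    for i, ln in enumerate(lines):
        if ln.startswith("crypto isakmp profile "):
            info = {"groups": set(), "vtemplate": None}
            for sub in section(lines, i, TOP_LEVEL):
                m = re.match(r"match identity group (\S+)", sub)
                if m:
                    info["groups"].add(m.group(1))
                m = re.match(r"virtual-template (\d+)$", sub)
                if m:
                    info["vtemplate"] = int(m.group(1))
            profiles[ln.split()[3]] = info
    return profiles

def vtemplate_protected(lines: List[str], n: int) -> bool:
    """True if interface Virtual-Template<n> carries 'tunnel protection ipsec profile'."""
    for i, ln in enumerate(lines):
        if re.match(rf"interface Virtual-Template{n}\b", ln):
            return any(sub.startswith("tunnel protection ipsec profile ")
                       for sub in section(lines, i, INTERFACE_STOP))
    return False

def audit(config: str) -> List[str]:
    """Return findings; an empty list means both VPN chains look complete."""
    lines = config_lines(config)
    findings = []
    # SSL VPN side: a gateway needs the SVC package before clients get a tunnel.
    if any(ln.startswith("webvpn gateway ") for ln in lines) and \
            not any(ln.startswith("webvpn install svc ") for ln in lines):
        findings.append("webvpn gateway defined but no 'webvpn install svc' package")
    # Easy VPN side: group -> isakmp profile -> protected virtual-template, plus its pool.
    profiles = isakmp_profiles(lines)
    pools = {ln.split()[3] for ln in lines if ln.startswith("ip local pool ")}
    for i, ln in enumerate(lines):
        if not ln.startswith("crypto isakmp client configuration group "):
            continue
        group = ln.split()[5]
        bound = [p for p, info in profiles.items() if group in info["groups"]]
        if not bound:
            findings.append(f"Easy VPN group {group} is not matched by any isakmp profile")
        for p in bound:
            vt = profiles[p]["vtemplate"]
            if vt is None or not vtemplate_protected(lines, vt):
                findings.append(f"isakmp profile {p} has no protected virtual-template")
        for sub in section(lines, i, TOP_LEVEL):
            if sub.startswith("pool ") and sub.split()[1] not in pools:
                findings.append(f"group {group} uses undefined ip local pool {sub.split()[1]}")
    return findings
```

Run audit() over a full "show running-config" paste; the stop-prefix lists are a heuristic for indentation-less pastes and may need extending for sections this thread does not use.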

New Member

Re: SSL VPN trouble

Using CCP I deleted the SSL VPN. Instead I created an EasyVPN. Although my EasyVPN passed the "Test VPN", I am still unable to connect via VPN Client 5.

I have a site to site VPN which is working properly.

I cannot see where I specify the internet IP address that the VPN client should connect to. I want to specify a different IP address (in my range of assigned outside IPs) than the main one assigned to Interface0/0.


Building configuration...

Current configuration : 17087 bytes
!
! Last configuration change at 12:11:17 PCTime Mon Nov 28 2011 by admin
! NVRAM config last updated at 11:53:24 PCTime Mon Nov 28 2011 by admin
! NVRAM config last updated at 11:53:24 PCTime Mon Nov 28 2011 by admin
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname SFGallery
!
boot-start-marker
boot-end-marker
!
!
no logging buffered
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
clock timezone PCTime -7 0
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
no ipv6 cef
ip source-route
ip cef
!
!
!
!
!
ip domain name gpgallery.com
ip name-server 10.10.10.10
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip name-server 10.10.10.80
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name e=sdmtest@sdmtest.com
revocation-check crl
!
crypto pki trustpoint SFGallery_Certificate
enrollment selfsigned
serial-number none
ip-address none
revocation-check crl
rsakeypair SFGallery_Certificate_RSAKey 512
!
!
crypto pki certificate chain test_trustpoint_config_created_for_sdm
crypto pki certificate chain SFGallery_Certificate
certificate self-signed 01
  xxxxxx
   quit
license udi pid CISCO2911/K9 sn FTX1542AKJ3
license boot module c2900 technology-package securityk9
license boot module c2900 technology-package datak9
!
!
username xxxx privilege 15 secret 5 xxx
username xxxx privilege 15 secret 5 xxxxxx
username xxxx privilege 15 secret 5 xxxxxx
!
redundancy
!
!
!
!
no ip ftp passive
ip ssh version 1
!
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
!
!
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
  pass
!
zone security sslvpn-zone
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key xxxxxx address 209.101.19.226
!
crypto isakmp client configuration group SFGallery
key xxxxxxx
dns 10.10.10.10 10.10.10.80
wins 10.10.10.10 10.10.10.80
domain gpgallery.com
pool SDM_POOL_1
acl 111
split-dns gpgallery.com
max-users 25
netmask 255.255.252.0
crypto isakmp profile ciscocp-ike-profile-1
   match identity group SFGallery
   client authentication list ciscocp_vpn_xauth_ml_3
   isakmp authorization list ciscocp_vpn_group_ml_2
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set security-association idle-time 43200
set transform-set ESP-3DES-SHA3
set isakmp-profile ciscocp-ike-profile-1
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to209.101.19.226
set peer 209.101.19.226
set transform-set ESP-3DES-SHA1
match address 107
!
!
!
!
!
interface Loopback1
ip address 192.168.5.1 255.255.255.0
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description T1 Cybermesa$ETH-WAN$
ip address 65.19.62.60 255.255.255.240
ip access-group 105 in
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface GigabitEthernet0/1
description LANOverloadNet$ETH-WAN$
ip address 172.16.0.1 255.255.252.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface GigabitEthernet0/2
description LAN$ETH-LAN$
ip address 10.10.10.2 255.255.255.128
ip access-group 100 in
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback1
!
interface Virtual-Template2
ip unnumbered Loopback1
zone-member security sslvpn-zone
!
interface Virtual-Template3 type tunnel
ip unnumbered Loopback1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
!
ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254
ip forward-protocol nd
!
ip http server
ip http access-class 1
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 10
sort-by bytes
cache-timeout 60000
!
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload
ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 65.19.62.49 permanent
ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 permanent
ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent
ip route 172.16.0.0 255.255.252.0 GigabitEthernet0/1 permanent
ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent
!
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
!
no logging trap
logging 10.10.10.107
access-list 1 permit 192.168.1.2
access-list 1 remark CCP_ACL Category=1
access-list 1 permit 172.16.4.0 0.0.3.255
access-list 1 permit 10.10.10.128 0.0.0.31
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 permit 65.19.62.48 0.0.0.15
access-list 1 permit 10.10.10.0 0.0.0.127
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark CCP_ACL Category=1
access-list 100 permit ip any host 10.10.10.2
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443
access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd
access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd
access-list 100 deny   tcp any host 10.10.10.2 eq telnet
access-list 100 deny   tcp any host 10.10.10.2 eq 22
access-list 100 deny   tcp any host 10.10.10.2 eq www
access-list 100 deny   tcp any host 10.10.10.2 eq 443
access-list 100 deny   tcp any host 10.10.10.2 eq cmd
access-list 100 deny   udp any host 10.10.10.2 eq snmp
access-list 100 permit udp any eq domain host 10.10.10.2
access-list 100 permit udp host 10.10.10.80 eq domain any
access-list 100 permit udp host 10.10.10.10 eq domain any
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark CCP_ACL Category=1
access-list 101 permit ip 172.16.4.0 0.0.3.255 any
access-list 101 permit ip 10.10.10.128 0.0.0.31 any
access-list 101 permit ip 65.19.62.48 0.0.0.15 any
access-list 101 permit ip host 192.168.1.2 any
access-list 101 permit ip 10.10.10.0 0.0.0.127 any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark CCP_ACL Category=1
access-list 102 permit ip 172.16.4.0 0.0.3.255 any
access-list 102 permit ip 10.10.10.128 0.0.0.31 any
access-list 102 permit ip 65.19.62.48 0.0.0.15 any
access-list 102 permit ip host 192.168.1.2 any
access-list 102 permit ip 10.10.10.0 0.0.0.127 any
access-list 103 remark Auto generated by SDM Management Access feature
access-list 103 remark CCP_ACL Category=1
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443
access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd
access-list 103 deny   tcp any host 172.16.0.1 eq telnet
access-list 103 deny   tcp any host 172.16.0.1 eq 22
access-list 103 deny   tcp any host 172.16.0.1 eq www
access-list 103 deny   tcp any host 172.16.0.1 eq 443
access-list 103 deny   tcp any host 172.16.0.1 eq cmd
access-list 103 deny   udp any host 172.16.0.1 eq snmp
access-list 103 permit ip any any
access-list 104 remark CCP_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 105 remark Auto generated by SDM Management Access feature
access-list 105 remark CCP_ACL Category=1
access-list 105 permit tcp any host 65.19.62.61 eq 443
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.255
access-list 105 permit udp any eq domain host 65.19.62.60
access-list 105 permit ahp host 209.101.19.226 host 65.19.62.60
access-list 105 permit esp host 209.101.19.226 host 65.19.62.60
access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq isakmp
access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq non500-isakmp
access-list 105 remark IPSec Rule
access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq telnet
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 22
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq www
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 443
access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq cmd
access-list 105 deny   tcp any host 65.19.62.60 eq telnet
access-list 105 deny   tcp any host 65.19.62.60 eq 22
access-list 105 deny   tcp any host 65.19.62.60 eq www
access-list 105 deny   tcp any host 65.19.62.60 eq 443
access-list 105 deny   tcp any host 65.19.62.60 eq cmd
access-list 105 deny   udp any host 65.19.62.60 eq snmp
access-list 105 permit ip any any
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31
access-list 106 remark IPSec Rule
access-list 106 deny   ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127
access-list 106 permit ip 10.10.10.0 0.0.0.255 any
access-list 107 remark CCP_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 remark CCP_ACL Category=2
access-list 108 remark IPSec Rule
access-list 108 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 108 permit ip 70.56.215.0 0.0.0.255 any
access-list 109 remark CCP_ACL Category=2
access-list 109 remark IPSec Rule
access-list 109 deny   ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31
access-list 109 permit ip 172.16.0.0 0.0.3.255 any
access-list 111 remark CCP_ACL Category=4
access-list 111 permit ip 10.10.10.0 0.0.0.127 any
access-list 111 permit ip 10.10.10.128 0.0.0.31 any
access-list 111 permit ip 172.16.0.0 0.0.3.255 any
access-list 111 permit ip 172.16.4.0 0.0.3.255 any
!
!
!
!
route-map SDM_RMAP_4 permit 1
match ip address 109
!
route-map SDM_RMAP_1 permit 1
match ip address 106
!
route-map SDM_RMAP_2 permit 1
match ip address 108
!
!
snmp-server community public RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps vrrp
snmp-server enable traps transceiver all
snmp-server enable traps ds1
snmp-server enable traps call-home message-send-fail server-fail
snmp-server enable traps tty
snmp-server enable traps eigrp
snmp-server enable traps ospf state-change
snmp-server enable traps ospf errors
snmp-server enable traps ospf retransmit
snmp-server enable traps ospf lsa
snmp-server enable traps ospf cisco-specific state-change nssa-trans-change
snmp-server enable traps ospf cisco-specific state-change shamlink interface
snmp-server enable traps ospf cisco-specific state-change shamlink neighbor
snmp-server enable traps ospf cisco-specific errors
snmp-server enable traps ospf cisco-specific retransmit
snmp-server enable traps ospf cisco-specific lsa
snmp-server enable traps license
snmp-server enable traps envmon
snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config
snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up
snmp-server enable traps flash insertion removal
snmp-server enable traps c3g
snmp-server enable traps ds3
snmp-server enable traps adslline
snmp-server enable traps vdsl2line
snmp-server enable traps icsudsu
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps ds0-busyout
snmp-server enable traps ds1-loopback
snmp-server enable traps energywise
snmp-server enable traps vstack
snmp-server enable traps mac-notification
snmp-server enable traps bgp
snmp-server enable traps isis
snmp-server enable traps rf
snmp-server enable traps aaa_server
snmp-server enable traps atm subif
snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency
snmp-server enable traps memory bufferpeak
snmp-server enable traps cnpd
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps config-ctid
snmp-server enable traps entity
snmp-server enable traps fru-ctrl
snmp-server enable traps resource-policy
snmp-server enable traps event-manager
snmp-server enable traps frame-relay multilink bundle-mismatch
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps mvpn
snmp-server enable traps nhrp nhs
snmp-server enable traps nhrp nhc
snmp-server enable traps nhrp nhp
snmp-server enable traps nhrp quota-exceeded
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps cpu threshold
snmp-server enable traps rsvp
snmp-server enable traps syslog
snmp-server enable traps l2tun session
snmp-server enable traps l2tun pseudowire status
snmp-server enable traps vtp
snmp-server enable traps ipsla
snmp-server enable traps bfd
snmp-server enable traps firewall serverstatus
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down
snmp-server host 10.10.10.107 public
!
!
!
control-plane
!
!
banner login ^CCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C
!
line con 0
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 102 in
transport input telnet
line vty 5 15
access-class 101 in
transport input telnet
!
scheduler allocate 20000 1000
end
