Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

VPN connection works but VPN traffic is blocked

I have an 881w in a central site which remote users VPN into with desktop client then initiate RDP connection to machines at central site. I configured this mostly with the Easy VPN tool since I am a complete novice with Cisco equipment. We just upgraded to this from Linksys running DD-WRT since we were running the CPU on it at 100%.

Details

Remote clients can ping the gateway but nothing else and can't RDP to machines.

Clients cannot be pinged from central site. 

Configuration Professional shows active connections. 

The network at the central site is 192.168.10.0/24.

The network at the remote sites is unknown, but it is not the same as the central site. 

Can someone help me figure out what I'm doing wrong?

Thank you for looking. The config is posted below.

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname 881w01

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 $1$j49H$gGfj5TWFFbg/fc0sAc1rN/

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

clock timezone PCTime -6

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-2923777556

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-2923777556

revocation-check none

rsakeypair TP-self-signed-2923777556

!

!

crypto pki certificate chain TP-self-signed-2923777556

certificate self-signed 01

EDITED OUT

      quit

no ip source-route

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.200

ip dhcp excluded-address 192.168.10.251 192.168.10.254

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.10.0 255.255.255.0

   dns-server 208.67.222.222 208.67.220.220

   default-router 192.168.10.2

   domain-name EDITED OUT

!

!

ip cef

no ip bootp server

ip domain name EDITED OUT

ip name-server 208.67.222.222

ip name-server 208.67.220.220

ip ddns update method ccp_ddns1

HTTP

  add http://EDITED OUT@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

  remove http://EDITED OUT@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>

!

no ipv6 cef

!

!

license udi pid CISCO881W-GN-A-K9 sn FTX162683LX

!

!

username EDITED OUT privilege 15 secret 5 $1$BK.5$K7ODMYoskU8zBrozUoXj..

username EDITED OUT secret 5 $1$pG2b$aAEaz1JagmxNQHmqTMEBe0

username EDITED OUT secret 5 $1$ySKe$rqvLbt.LeSu83HKmCdaSN1

username EDITED OUT secret 5 $1$btT6$P24XxPBSQRrGD4BtvYJbo0

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

  pass

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_DHCP_CLIENT_PT

  pass

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group EDITED OUT

key EDITED OUT

dns 208.67.222.222 208.67.220.220

domain accnet.com

pool SDM_POOL_2

acl 102

save-password

max-logins 5

crypto isakmp profile ciscocp-ike-profile-1

   match identity group EZVPNGroup

   client authentication list ciscocp_vpn_xauth_ml_2

   isakmp authorization list ciscocp_vpn_group_ml_2

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA1

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description WAN link$FW_OUTSIDE$$ES_WAN$$ETH-WAN$

ip address dhcp client-id FastEthernet4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

description VPN virtual interface

ip unnumbered FastEthernet4

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.10.2 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_1 30.30.30.10 30.30.30.30

ip local pool SDM_POOL_2 192.168.10.10 192.168.10.29

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 1 interface FastEthernet4 overload

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 192.168.10.0 0.0.0.255 any

no cdp run

!

!

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

Everyone's tags (5)
5 REPLIES
Cisco Employee

VPN connection works but VPN traffic is blocked

The VPN pool should be on a unique subnet, can't be in the same subnet as your internal network.

So you should use different subnet for the vpn pool, maybe 192.168.80.0/24 subnet.

Your PAT access-list 1 should also be changed to extended ACL and should deny translation 5between the VPN traffic as follows:

if you change your pool to 192.168.80.0/24, then the ACL should be as follows:

access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.80.0 0.0.0.255

access-list 150 permit ip 192.168.10.0 0.0.0.255 any

ip nat inside source list 150 interface FastEthernet4 overload

no ip nat inside source list 1 interface FastEthernet4 overload

clear ip nat trans *

Community Member

Re: VPN connection works but VPN traffic is blocked

Thank you for the respnse Jennifer. I have made the suggested changes, but no change in behavior on either end.

Does anything else stand out as a potential problem? The current running-config is below:

I'll take a stab at what I think the problem could be, but this is an uneducated guess.

I think I need acl 150 instead of acl 102 under

"crypto isakmp client configuration group EZVPNGroup"

I also think I can get rid of SDM_POOL_1 since it appears to not be used, but I don't think this is actually causing any issue.

Building configuration...

Current configuration : 11362 bytes

!

! Last configuration change at 09:07:22 PCTime Sun Aug 5 2012 by 881wmin

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname 881w01

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 EDITED

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

clock timezone PCTime -6

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-EDITED

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-EDITED

revocation-check none

rsakeypair TP-self-signed-EDITED

!

!

crypto pki certificate chain TP-self-signed-EDITED

certificate self-signed 01

  EDITED

      quit

no ip source-route

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.200

ip dhcp excluded-address 192.168.10.251 192.168.10.254

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.10.0 255.255.255.0

   dns-server 208.67.222.222 208.67.220.220

   default-router 192.168.10.2

   domain-name EDITED

!

!

ip cef

no ip bootp server

ip domain name EDITED

ip name-server 208.67.222.222

ip name-server 208.67.220.220

ip ddns update method ccp_ddns1

HTTP

  add http:/EDITED@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=

  remove http://EDITED@members.dyndns.org/nic/update?system=dyndns&hostname=&myip=

!

no ipv6 cef

!

!

license udi pid CISCO881W-GN-A-K9 sn FTX162683LX

!

!

username EDITED

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

  pass

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_DHCP_CLIENT_PT

  pass

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group EZVPNGroup

key EDITED

dns 208.67.222.222 208.67.220.220

domain EDITED

pool SDM_POOL_2

acl 102

save-password

max-users 20

max-logins 5

crypto isakmp profile ciscocp-ike-profile-1

   match identity group EZVPNGroup

   client authentication list ciscocp_vpn_xauth_ml_2

   isakmp authorization list ciscocp_vpn_group_ml_2

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA1

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description WAN link$FW_OUTSIDE$$ES_WAN$$ETH-WAN$

ip address dhcp client-id FastEthernet4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

description VPN virtual interface

ip unnumbered FastEthernet4

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.10.2 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_1 30.30.30.10 30.30.30.30

ip local pool SDM_POOL_2 192.168.80.10 192.168.80.29

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 150 interface FastEthernet4 overload

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 192.168.10.0 0.0.0.255 any

access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.80.0 0.0.0.255

access-list 150 permit ip 192.168.10.0 0.0.0.255 any

no cdp run

!

!

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Cisco Employee

VPN connection works but VPN traffic is blocked

ACL 102 should be as follows:

access-list 102 permit ip 192.168.10.0 0.0.0.255 192.168.80.0 0.0.0.255

The zbfw should have action "inspect" instead of "pass":

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  inspect

Lastly, you forgot to apply the "ezvpn-zone" to the virtual template:

interface Virtual-Template1 type tunnel

  zone-member security ezvpn-zone

Community Member

Re: VPN connection works but VPN traffic is blocked

Hello Jennifer.

I think I applied all the commands correctly, but am still having the same issue. Additionally, now it appears that split tunnel has been eliminated.  I am testing the VPN connection by using LogMeIn to access a computer at a remote site. Then I initiate the VPN connection from remote conputer. As soon as it connects (confirmed in Configuration Professional), my LogMeIn connection is killed.  I still can't ping the remote host (or presumably vice-versa)

Any further ideas? My confiig is below.

Building configuration...

Current configuration : 11362 bytes

!

! Last configuration change at 12:34:45 PCTime Sun Aug 5 2012 by 881wmin

!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname 881w01

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging buffered 51200

logging console critical

enable secret 5 **SCRUBBED**

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authentication login ciscocp_vpn_xauth_ml_2 local

aaa authorization exec default local

aaa authorization network ciscocp_vpn_group_ml_1 local

aaa authorization network ciscocp_vpn_group_ml_2 local

!

!

!

!

!

aaa session-id common

memory-size iomem 10

clock timezone PCTime -6

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-**SCRUBBED**

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-**SCRUBBED**

revocation-check none

rsakeypair TP-self-signed-**SCRUBBED**

!

!

crypto pki certificate chain TP-self-signed-**SCRUBBED**

certificate self-signed 01

**SCRUBBED**

      quit

no ip source-route

!

!

ip dhcp excluded-address 192.168.10.1 192.168.10.200

ip dhcp excluded-address 192.168.10.251 192.168.10.254

!

ip dhcp pool ccp-pool1

   import all

   network 192.168.10.0 255.255.255.0

   dns-server 208.67.222.222 208.67.220.220

   default-router 192.168.10.2

   domain-name accnet.com

!

!

ip cef

no ip bootp server

ip domain name **SCRUBBED**

ip name-server 208.67.222.222

ip name-server 208.67.220.220

ip ddns update method ccp_ddns1

HTTP

  **SCRUBBED**

!

no ipv6 cef

!

!

license udi pid **SCRUBBED**

!

!

username **SCRUBBED**

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any SDM_IP

match access-group name SDM_IP

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_EASY_VPN_SERVER_PT

match class-map SDM_EASY_VPN_SERVER_TRAFFIC

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

  pass

class type inspect ccp-icmp-access

  inspect

class class-default

  pass

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

  drop log

class type inspect ccp-protocol-http

  inspect

class type inspect ccp-insp-traffic

  inspect

class class-default

  drop

policy-map type inspect ccp-permit

class type inspect SDM_EASY_VPN_SERVER_PT

  pass

class type inspect SDM_DHCP_CLIENT_PT

  pass

class class-default

  drop

policy-map type inspect sdm-permit-ip

class type inspect SDM_IP

  pass

class class-default

  drop log

!

zone security out-zone

zone security in-zone

zone security ezvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone

service-policy type inspect sdm-permit-ip

zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone

service-policy type inspect sdm-permit-ip

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group EZVPNGroup

key **SCRUBBED**

dns 208.67.222.222 208.67.220.220

domain **SCRUBBED**

pool SDM_POOL_2

acl 102

save-password

max-users 20

max-logins 5

crypto isakmp profile ciscocp-ike-profile-1

   match identity group EZVPNGroup

   client authentication list ciscocp_vpn_xauth_ml_2

   isakmp authorization list ciscocp_vpn_group_ml_2

   client configuration address respond

   virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac

!

crypto ipsec profile CiscoCP_Profile1

set transform-set ESP-3DES-SHA1

set isakmp-profile ciscocp-ike-profile-1

!

!

!

!

!

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

description WAN link$FW_OUTSIDE$$ES_WAN$$ETH-WAN$

ip address dhcp client-id FastEthernet4

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

!

interface Virtual-Template1 type tunnel

description VPN virtual interface

ip unnumbered FastEthernet4

tunnel mode ipsec ipv4

tunnel protection ipsec profile CiscoCP_Profile1

!

interface wlan-ap0

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

arp timeout 0

!

interface Wlan-GigabitEthernet0

description Internal switch interface connecting to the embedded AP

switchport mode trunk

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$

ip address 192.168.10.2 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

ip local pool SDM_POOL_1 30.30.30.10 30.30.30.30

ip local pool SDM_POOL_2 192.168.80.10 192.168.80.29

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

ip nat inside source list 150 interface FastEthernet4 overload

!

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_IP

remark CCP_ACL Category=1

permit ip any any

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 192.168.10.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=4

access-list 101 permit ip 192.168.10.0 0.0.0.255 any

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 192.168.10.0 0.0.0.255 any

access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.80.0 0.0.0.255

access-list 150 permit ip 192.168.10.0 0.0.0.255 any

no cdp run

!

!

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for  one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you

want to use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

no modem enable

transport output telnet

line aux 0

transport output telnet

line 2

no activation-character

no exec

transport preferred none

transport input all

line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

scheduler allocate 4000 1000

scheduler interval 500

end

Cisco Employee

Re: VPN connection works but VPN traffic is blocked

You won't be able to logmein and vpn from the logmein session as it will definitely drop the logmein session.

Please try the VPN when you are in the pc/laptop itself, not through a remote connection.

1818
Views
0
Helpful
5
Replies
CreatePlease to create content