
Vpn Pass Through Cisco 871

Hi, I've got a problem with a VPN client connection.

I have an 871 Cisco Router in the office.

We have a VLAN (private network) with IPs 192.168.18.0/24; this user must connect to a VPN server (public) through the Internet. The structure is:

Private Network --- > Router Cisco ---> Internet ---> Server VPN (129.106.242.4)

I configured GRE and TCP port 1723 on the Cisco. I activated the firewall to let this traffic pass. I also tried changing the MTU (1400 to 1500 and vice versa).

I don't know what's wrong. We are using NAT to change the IP of the private network to the public one (the interface from the router to the Internet), with IP 190.136.44.30.

The problem is that the clients can't connect to the VPN server (it is public; anybody can connect with the username and password), and we know that the VPN is working: we connect without the router in the middle and it works. So there is something in the router that is blocking or failing the connection. The clients take too much time in the exchange of username and password.

We have other VPN tunnels too, for example with another office with IP 192.168.100.0/24 (with another router; in that router the VPN pass-through works fine, and I tried to imitate the config, but it doesn't work). Everything works fine, except that connection to the VPN server.


I post my config below; can anybody help me? Thanks.

-----------------------------

!This is the running config of the router: 192.168.18.18
!----------------------------------------------------------------------------
!version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname c8stf
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$XZkh$rGfiNi2FVzbyfE/F/enSd1
!
aaa new-model
!
!
aaa authentication login local_authen local
aaa authorization exec local_author local 
!
!
aaa session-id common
clock timezone NST -3 30
clock summer-time NDT recurring 2 Sun Mar 0:01 1 Sun Nov 0:01

!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 2dn address 200.49.156.212
crypto isakmp key miabupiano address 66.170.196.93
crypto isakmp key R0magnoaK address 190.7.27.198
crypto isakmp key miabuelpno address 0.0.0.0 0.0.0.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA4 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA5 esp-3des esp-sha-hmac 
crypto ipsec transform-set ESP-3DES-SHA6 esp-3des esp-sha-hmac 
!
crypto map SDM_CMAP_1 1 ipsec-isakmp 
description Tunnel to66.170.196.93
set peer 66.170.196.93
set transform-set ESP-3DES-SHA3 
match address 108
crypto map SDM_CMAP_1 2 ipsec-isakmp 
description Tunnel to200.49.156.212
set peer 200.49.156.212
set transform-set ESP-3DES-SHA5 
match address 116
crypto map SDM_CMAP_1 3 ipsec-isakmp 
description Tunnel to190.7.27.198
set peer 190.7.27.198
set transform-set ESP-3DES-SHA6 
match address 118
!
!
crypto pki trustpoint TP-self-signed-877673570
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-877673570
revocation-check none
rsakeypair TP-self-signed-877673570
!
!
crypto pki certificate chain TP-self-signed-877673570
certificate self-signed 01
  30820247 308201B0 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 
  69666963 6174652D 38373736 37333537 30301E17 0D303230 33303130 34313834 
  365A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3837 37363733 
  35373030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 
  CACEDAE8 8090998F EAC94FE0 F65C69F3 D719B5E7 49FE50AC F0753C7E AF0FEACB 
  F7001A24 15931E61 EFBAB132 FE61B6B6 329AE054 49137208 2F461D0A A1AB7BF2 
  F9C22D50 4BE90806 4D80704C 535F6F71 D3A5510B 930E3C76 CA28FCE7 B7438490 
  3296D1FB 33BEB5C2 4F3DD333 C41B832E 5AC7BECD 718DC9FC CEAF5A6F E14DA485 
  02030100 01A37130 6F300F06 03551D13 0101FF04 05300301 01FF301C 0603551D 
  11041530 13821163 38737466 2E736F74 65696361 2E636F6D 301F0603 551D2304 
  18301680 144FB53B D9742550 BB35AD08 CBAB1DE2 ED0CF9F4 6C301D06 03551D0E 
  04160414 4FB53BD9 742550BB 35AD08CB AB1DE2ED 0CF9F46C 300D0609 2A864886 
  F70D0101 04050003 8181007D 1B0AF327 AF4DCA05 88F36F78 D4285188 19C7F6E3 
  E95600E3 3B672E76 45DA75C6 4A901DE1 2423EB30 2C5A5FA5 5FA9795E EB81EEA3 
  F6BDEB47 15B5BD6C 98908101 0E59F312 18FC6150 6D4BA686 84B153B3 FC2579AA 
  E230E995 6829B3A0 307AD60C 4F0DD7D6 49A04ED9 40A990EE 0F72CCEF CE077C46 
  2E1E5D1C AA3F4489 B2C1DD
      quit
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.18.1 192.168.18.19
!
ip dhcp pool sdm-pool1
   import all
   network 192.168.18.0 255.255.255.0
   dns-server 200.45.191.35 200.45.191.40 
   default-router 192.168.18.18 
   domain-name soteica_sf
!
!
ip cef
no ip bootp server
ip domain name soteica.com
ip name-server 200.45.191.35
ip name-server 200.45.191.40
!
!
!
username admin_stf privilege 15 secret 5 $1$KB
archive
log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-3
match access-group 111
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
match access-group 109
class-map type inspect match-all sdm-cls-VPNOutsideToInside-5
match access-group 119
class-map type inspect match-all sdm-cls-VPNOutsideToInside-4
match access-group 117
class-map type inspect match-any SDM_SHELL
match access-group name SDM_SHELL
class-map type inspect match-any SDM_SSH
match access-group name SDM_SSH
class-map type inspect match-any SDM_HTTPS
match access-group name SDM_HTTPS
class-map type inspect match-any sdm-mgmt-cls-0
match class-map SDM_SHELL
match class-map SDM_SSH
match class-map SDM_HTTPS
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any apache
match protocol icmp
class-map type inspect match-all sdm-cls-sdm-permit-icmpreply-1
match class-map apache
match access-group 103
class-map type inspect match-any sdm-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all sdm-insp-traffic
match class-map sdm-cls-insp-traffic
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 102
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any sdm-cls-icmp-access
match protocol icmp
match protocol tcp
match protocol udp
class-map type inspect match-any SDM_GRE
match access-group name SDM_GRE
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-1
match class-map sdm-mgmt-cls-0
match access-group 115
class-map type inspect match-all sdm-mgmt-cls-sdm-permit-0
match class-map sdm-mgmt-cls-0
match access-group 113
class-map type inspect match-all sdm-invalid-src
match access-group 100
class-map type inspect match-all sdm-icmp-access
match class-map sdm-cls-icmp-access
class-map type inspect match-all sdm-protocol-http
match protocol http
!
!
policy-map type inspect sdm-permit-icmpreply
class type inspect sdm-icmp-access
  inspect
class type inspect sdm-cls-sdm-permit-icmpreply-1
  inspect
class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
class type inspect sdm-cls-VPNOutsideToInside-3
  inspect
class type inspect sdm-cls-VPNOutsideToInside-4
  inspect
class type inspect sdm-cls-VPNOutsideToInside-5
  inspect
class class-default
  drop
policy-map type inspect sdm-inspect
class type inspect sdm-insp-traffic
  inspect
class type inspect sdm-protocol-http
  inspect
class type inspect sdm-invalid-src
  inspect
class class-default
  drop
policy-map type inspect sdm-permit
class type inspect SDM_VPN_PT
  pass
class type inspect sdm-mgmt-cls-sdm-permit-0
  inspect
class type inspect sdm-mgmt-cls-sdm-permit-1
  inspect
class class-default
  drop
!
zone security out-zone
zone security in-zone
zone-pair security sdm-zp-self-out source self destination out-zone
service-policy type inspect sdm-permit-icmpreply
zone-pair security sdm-zp-out-self source out-zone destination self
service-policy type inspect sdm-permit
zone-pair security sdm-zp-in-out source in-zone destination out-zone
service-policy type inspect sdm-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface Null0
no ip unreachables
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
ip address 190.136.44.30 255.255.255.248
ip access-group 112 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.18.18 255.255.255.0
ip access-group 114 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 190.136.44.25
!
ip http server
ip http access-class 5
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
ip access-list extended SDM_AH
remark SDM_ACL Category=1
permit ahp any any
ip access-list extended SDM_ESP
remark SDM_ACL Category=1
permit esp any any
ip access-list extended SDM_GRE
remark SDM_ACL Category=0
permit gre any any
ip access-list extended SDM_HTTPS
remark SDM_ACL Category=0
permit tcp any any eq 443
ip access-list extended SDM_SHELL
remark SDM_ACL Category=0
permit tcp any any eq cmd
ip access-list extended SDM_SSH
remark SDM_ACL Category=0
permit tcp any any eq 22
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.18.0 0.0.0.255
access-list 2 permit any
access-list 3 remark HTTP Access-class list
access-list 3 remark SDM_ACL Category=1
access-list 3 permit 192.168.18.0 0.0.0.255
access-list 3 permit any
access-list 4 remark HTTP Access-class list
access-list 4 remark SDM_ACL Category=1
access-list 4 permit 192.168.18.0 0.0.0.255
access-list 4 permit any
access-list 5 remark SDM_ACL Category=1
access-list 5 remark Auto generated by SDM Management Access feature
access-list 5 permit 64.92.52.235
access-list 5 permit 192.168.18.0 0.0.0.255
access-list 5 permit 200.49.156.0 0.0.0.15
access-list 100 remark SDM_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 190.136.44.24 0.0.0.6 any
access-list 100 permit ip any any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.18.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 200.49.156.212 any
access-list 102 permit ip host 66.170.196.93 any
access-list 102 permit ip host 190.7.27.198 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.100.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.18.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.18.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.18.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 104 permit ip 192.168.18.0 0.0.0.255 any
access-list 105 remark VTY Access-class list
access-list 105 remark SDM_ACL Category=1
access-list 105 permit ip host 64.92.52.235 any
access-list 105 permit ip 200.49.156.0 0.0.0.15 any
access-list 105 permit ip 192.168.18.0 0.0.0.255 any
access-list 105 permit ip any any log
access-list 106 remark SDM_ACL Category=4
access-list 106 remark IPSec Rule
access-list 106 permit ip 192.168.18.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 107 remark SDM_ACL Category=4
access-list 107 remark IPSec Rule
access-list 107 permit ip 192.168.18.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 108 remark SDM_ACL Category=4
access-list 108 remark IPSec Rule
access-list 108 permit ip 192.168.18.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 109 remark SDM_ACL Category=0
access-list 109 remark IPSec Rule
access-list 109 permit ip 192.168.8.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 110 remark SDM_ACL Category=4
access-list 110 remark IPSec Rule
access-list 110 permit ip 192.168.18.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 111 remark SDM_ACL Category=0
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.100.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 111 remark IPSec Rule
access-list 111 permit ip 192.168.8.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 112 remark Auto generated by SDM Management Access feature
access-list 112 remark SDM_ACL Category=1
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.9.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 112 permit udp host 190.7.27.198 host 190.136.44.30 eq non500-isakmp
access-list 112 permit udp host 190.7.27.198 host 190.136.44.30 eq isakmp
access-list 112 permit esp host 190.7.27.198 host 190.136.44.30
access-list 112 permit ahp host 190.7.27.198 host 190.136.44.30
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.8.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 112 permit udp host 66.170.196.93 host 190.136.44.30 eq non500-isakmp
access-list 112 permit udp host 66.170.196.93 host 190.136.44.30 eq isakmp
access-list 112 permit esp host 66.170.196.93 host 190.136.44.30
access-list 112 permit ahp host 66.170.196.93 host 190.136.44.30
access-list 112 remark IPSec Rule
access-list 112 permit ip 192.168.100.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 112 permit udp host 200.49.156.212 host 190.136.44.30 eq non500-isakmp
access-list 112 permit udp host 200.49.156.212 host 190.136.44.30 eq isakmp
access-list 112 permit esp host 200.49.156.212 host 190.136.44.30
access-list 112 permit ahp host 200.49.156.212 host 190.136.44.30
access-list 112 permit tcp host 64.92.52.235 host 190.136.44.30 eq 22
access-list 112 permit tcp 200.49.156.0 0.0.0.15 host 190.136.44.30 eq 22
access-list 112 permit tcp host 64.92.52.235 host 190.136.44.30 eq 443
access-list 112 permit tcp 200.49.156.0 0.0.0.15 host 190.136.44.30 eq 443
access-list 112 permit tcp host 64.92.52.235 host 190.136.44.30 eq cmd
access-list 112 permit tcp 200.49.156.0 0.0.0.15 host 190.136.44.30 eq cmd
access-list 112 deny   tcp any host 190.136.44.30 eq telnet
access-list 112 deny   tcp any host 190.136.44.30 eq 22
access-list 112 deny   tcp any host 190.136.44.30 eq www
access-list 112 deny   tcp any host 190.136.44.30 eq 443
access-list 112 deny   tcp any host 190.136.44.30 eq cmd
access-list 112 deny   udp any host 190.136.44.30 eq snmp
access-list 112 permit ip any any
access-list 113 remark Auto generated by SDM Management Access feature
access-list 113 remark SDM_ACL Category=1
access-list 113 permit ip 200.49.156.0 0.0.0.15 host 190.136.44.30
access-list 114 remark Auto generated by SDM Management Access feature
access-list 114 remark SDM_ACL Category=1
access-list 114 permit tcp 192.168.18.0 0.0.0.255 host 192.168.18.18 eq telnet
access-list 114 permit tcp 192.168.18.0 0.0.0.255 host 192.168.18.18 eq 22
access-list 114 permit tcp 192.168.18.0 0.0.0.255 host 192.168.18.18 eq www
access-list 114 permit tcp 192.168.18.0 0.0.0.255 host 192.168.18.18 eq 443
access-list 114 permit tcp 192.168.18.0 0.0.0.255 host 192.168.18.18 eq cmd
access-list 114 deny   tcp any host 192.168.18.18 eq telnet
access-list 114 deny   tcp any host 192.168.18.18 eq 22
access-list 114 deny   tcp any host 192.168.18.18 eq www
access-list 114 deny   tcp any host 192.168.18.18 eq 443
access-list 114 deny   tcp any host 192.168.18.18 eq cmd
access-list 114 deny   udp any host 192.168.18.18 eq snmp
access-list 114 permit ip any any
access-list 115 remark Auto generated by SDM Management Access feature
access-list 115 remark SDM_ACL Category=1
access-list 115 permit ip host 64.92.52.235 host 190.136.44.30
access-list 116 remark SDM_ACL Category=4
access-list 116 remark IPSec Rule
access-list 116 permit ip 192.168.18.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 117 remark SDM_ACL Category=0
access-list 117 remark IPSec Rule
access-list 117 permit ip 192.168.100.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 117 remark IPSec Rule
access-list 117 permit ip 192.168.8.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 118 remark SDM_ACL Category=4
access-list 118 remark IPSec Rule
access-list 118 permit ip 192.168.18.0 0.0.0.255 192.168.9.0 0.0.0.255
access-list 119 remark SDM_ACL Category=0
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.9.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.100.0 0.0.0.255 192.168.18.0 0.0.0.255
access-list 119 remark IPSec Rule
access-list 119 permit ip 192.168.8.0 0.0.0.255 192.168.18.0 0.0.0.255
no cdp run

!
!
route-map SDM_RMAP_1 permit 1
match ip address 104
!
!
control-plane
!
banner exec ^CCCCCCCCC
% Password expiration warning.
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
access-class 105 in
authorization exec local_author
login authentication local_authen
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500

!
webvpn cef
end
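An added example, not part of the poster's configuration, showing what PPTP pass-through looks like on an IOS zone-based firewall. Two things about the posted config are relevant to it: the policy applied in-zone to out-zone (sdm-inspect) only inspects the protocols listed under sdm-cls-insp-traffic, which are TCP, UDP, ICMP and a set of named applications, so GRE (IP protocol 47, the PPTP data channel) falls through to class-default and is dropped; and the SDM_GRE class-map and ACL exist but are referenced by no policy-map, so they currently do nothing. TCP 1723, the PPTP control channel, is already covered by `match protocol tcp` and is inspected statefully. GRE cannot be inspected by ZBF and has to be passed, and because `pass` creates no session state it must be permitted separately in both zone-pairs. The server address 129.106.242.4 is the one from the post; every ACL and class-map name below is made up for illustration, and the example assumes the IOS image's NAT can carry GRE for the translated client (it configures nothing for NAT).

```cisco
! Added example (not the poster's config). Assumes VPN server 129.106.242.4
! from the post; the object names are made up for illustration.
!
! GRE has no ports and ZBF cannot inspect it, so it is passed, not inspected.
! "pass" is stateless: the reverse direction needs its own rule.
ip access-list extended ACL_PPTP_GRE_OUT
 remark LAN clients to the PPTP server, data channel only
 permit gre 192.168.18.0 0.0.0.255 host 129.106.242.4
ip access-list extended ACL_PPTP_GRE_IN
 remark return GRE from the PPTP server (destination left as any: NAT
 remark has already untranslated it to the private address at this point)
 permit gre host 129.106.242.4 any
!
class-map type inspect match-any CM_PPTP_GRE_OUT
 match access-group name ACL_PPTP_GRE_OUT
class-map type inspect match-any CM_PPTP_GRE_IN
 match access-group name ACL_PPTP_GRE_IN
!
! inside -> outside: the policy already applied to sdm-zp-in-out in the post,
! extended with a pass class. TCP 1723 needs no new class: it is matched by
! "match protocol tcp" in sdm-cls-insp-traffic and inspected statefully,
! which also takes care of its return traffic.
policy-map type inspect sdm-inspect
 class type inspect CM_PPTP_GRE_OUT
  pass
!
! outside -> inside: the policy already applied to sdm-zp-VPNOutsideToInside-1,
! extended so the server's GRE replies are not dropped by class-default.
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect CM_PPTP_GRE_IN
  pass
```

Both new classes are scoped to the one server rather than `permit gre any any`, so the firewall still drops unsolicited GRE from anywhere else; the SDM_GRE class-map from the post could be applied the same way, but it would open GRE from any host. To confirm which class a connection attempt hits, `show policy-map type inspect zone-pair sessions` lists the inspected TCP 1723 session and the counters on the pass classes, and `show ip nat translations` shows whether the GRE flow is being translated for the client.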
