Microsoft
Software
Hardware
Network
Question : Cisco Easy-VPN config problem cannot connect with VPN client
Hi O Helpfull ones
I am having trouble with a Cisco 875w Easy VPN server configuration.
The machine is being configured with CCP 1.3
I previously had the VPN running but there was a problem when the config was written to flash so that when the power went out, the VPN disappeared.
I have reset the machine to factory defaults and reloaded it using CP express.
I backed up the files from flash to a TFTP server before doing all of this.
In the previous config, the firewall was not running, only NAT was configured.
This time I set up a firewall and then went on to run the Easy VPN config.
Can anyone tell me what is wrong with this configuration please?
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
TB_BB_Advantage#show running
Building configuration...
Current configuration : 11616 bytes
!
! Last configuration change at 15:26:20 PCTime Fri Jul 9 2010 by advantage
! NVRAM config last updated at 14:48:05 PCTime Fri Jul 9 2010 by advantage
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$QWRA$tLQ71Vy4cDshOQiNJK
VfS/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_3 local
!
!
aaa session-id common
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool ccp-pool1
import all
network 10.10.10.0 255.255.255.0
dns-server 203.50.2.71 139.130.4.4
default-router 10.10.10.1
!
!
ip cef
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM cuseeme
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM pop3 reset
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 139.130.4.4
ip name-server 203.50.2.71
!
appfw policy-name CCP_MEDIUM
application im aol
service default action allow alarm
service text-chat action allow alarm
server permit name login.oscar.aol.com
server permit name toc.oscar.aol.com
server permit name oam-d09a.blue.aol.com
application im msn
service default action allow alarm
service text-chat action allow alarm
server permit name messenger.hotmail.com
server permit name gateway.messenger.hotmail.
com
server permit name webmessenger.msn.com
application http
strict-http action allow alarm
port-misuse im action reset alarm
port-misuse p2p action reset alarm
port-misuse tunneling action allow alarm
application im yahoo
service default action allow alarm
service text-chat action allow alarm
server permit name scs.msg.yahoo.com
server permit name scsa.msg.yahoo.com
server permit name scsb.msg.yahoo.com
server permit name scsc.msg.yahoo.com
server permit name scsd.msg.yahoo.com
server permit name cs16.msg.dcn.yahoo.com
server permit name cs19.msg.dcn.yahoo.com
server permit name cs42.msg.dcn.yahoo.com
server permit name cs53.msg.dcn.yahoo.com
server permit name cs54.msg.dcn.yahoo.com
server permit name ads1.vip.scd.yahoo.com
server permit name radio1.launch.vip.dal.yaho
o.com
server permit name in1.msg.vip.re2.yahoo.com
server permit name data1.my.vip.sc5.yahoo.com
server permit name address1.pim.vip.mud.yahoo
.com
server permit name edit.messenger.yahoo.com
server permit name messenger.yahoo.com
server permit name http.pager.yahoo.com
server permit name privacy.yahoo.com
server permit name csa.yahoo.com
server permit name csb.yahoo.com
server permit name csc.yahoo.com
!
!
crypto pki trustpoint TP-self-signed-4106303059
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certifi
cate-41063
03059
revocation-check none
rsakeypair TP-self-signed-4106303059
!
!
crypto pki certificate chain TP-self-signed-4106303059
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313036 33303330 3539301E 170D3032 30333232 30333333
32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31303633
30333035 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100C3B1 01F7BAD8 47014BB5 2B055481 D710F6B7 422D36E4 BB7881E9 F0B3D1B7
6FA0D672 98095CCE 879B5666 DB629723 A9EB6CE3 240FD42A C6AC5EDB 58A940D9
8481FEF6 BDFE272E 21B11907 530D01F8 906E298A 50217DE5 13C27E03 BCC7D26D
CD503FBA 25B2549E 8C08CEF8 A1B0B2C9 C0E29138 2CE7FCA3 07B06F93 B75D46A8
09170203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 14A2AFC9 22D1D272 88D60050 9B00E327 AE232294
20301D06 03551D0E 04160414 A2AFC922 D1D27288 D600509B 00E327AE 23229420
300D0609 2A864886 F70D0101 04050003 8181000B A73796B2 F1C4C976 B259D5AE
A4078D8B 03267732 38CF3FA9 B534095D 67575438 6CDB4EC9 EDD776BB 2D0C099E
EFA2D665 6337D85D 1ADDCDF6 ED9595E0 B2467A34 37BEE9FB 45FB596D 3B8C6526
AD3B476E B6B6DD4A C943C75A E161C361 2190C6B4 DC913F13 D20CCCDB 0D9C35F7
16A500E0 24671C51 538EA787 500AD6AD D611CB
quit
!
!
username ************* privilege 15 secret 5 **********************
username *********** privilege 14 secret 5 **********************
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group melb
key vfr345tgb
pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
match identity group melb
client authentication list ciscocp_vpn_xauth_ml_3
isakmp authorization list ciscocp_vpn_group_ml_3
client configuration address respond
virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA2
set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
no snmp trap link-status
pvc 8/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template3 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
54.0
station-role root
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-
HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.10.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
!
interface Dialer0
description $FW_OUTSIDE$
ip address negotiated
ip access-group 102 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip inspect CCP_MEDIUM out
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname **************************
*****
ppp chap password 7 **************************
!
ip local pool SDM_POOL_1 10.10.10.95 10.10.10.99
ip local pool SDM_POOL_2 10.10.10.200 10.10.10.205
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 100 remark CCP_ACL Category=1
access-list 100 permit udp any host 10.10.10.1 eq non500-isakmp
access-list 100 permit udp any host 10.10.10.1 eq isakmp
access-list 100 permit esp any host 10.10.10.1
access-list 100 permit ahp any host 10.10.10.1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 101 remark CCP_ACL Category=1
access-list 101 permit udp host 139.130.4.4 eq domain any
access-list 101 permit udp host 203.50.2.71 eq domain any
access-list 101 deny ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 permit udp host 139.130.4.4 eq domain any
access-list 102 permit udp host 203.50.2.71 eq domain any
access-list 102 deny ip 10.10.10.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 deny ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner exec ^C
Hardware and software
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(11)T2, RE
LEASE SOFTWARE (fc4)
Technical Support:
http://www.cisco.com/techs
upport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 08:56 by prod_rel_team
ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE
TB_BB_Advantage uptime is 2 hours, 34 minutes
System returned to ROM by power-on
System restarted at 13:05:29 PCTime Fri Jul 9 2010
System image file is "flash:c850-advsecurityk9-
mz.124-11.
T2.bin"
Answer : Cisco Easy-VPN config problem cannot connect with VPN client
Hi,
ACL 102 is not permitting vpn
you need to add:
ip access-list extended 102
1 permit udp any any eq isakmp
2 permit udp any any eq non500-isakmp
Random Solutions
CRM 4.0 - Contracts Expiring at a specific time?
combo box won't hold default value
Fortigate 60 - Webfiltering - allow some users
Cisco VPN Client 5.0.07.0290 on Windows 7 64 bit
Dell Inspiron 1012 - Multimedia Controller Driver
memory
Solaris 10 zone fails to start up
epson tm-p2.01
SSRS - configure https for Report Manager built-in links to Home | My Subscriptions | Site Settings | Help
GPO Software Installation Based Upon Hardware