Question : Cisco Easy-VPN config problem cannot connect with VPN client

Hi O Helpfull ones

I am having trouble with a Cisco 875w Easy VPN server configuration.
 
The machine is being configured with CCP 1.3
I previously had the VPN running but there was a problem when the config was written to flash so that when the power went out, the VPN disappeared.

I have reset the machine to factory defaults and reloaded it using CP express.
I backed up the files from flash to a TFTP server before doing all of this.

In the previous config, the firewall was not running, only NAT was configured.
This time I set up a firewall and then went on to run the Easy VPN config.

Can anyone tell me what is wrong with this configuration please?

^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

TB_BB_Advantage#show running
Building configuration...

Current configuration : 11616 bytes
!
! Last configuration change at 15:26:20 PCTime Fri Jul 9 2010 by advantage
! NVRAM config last updated at 14:48:05 PCTime Fri Jul 9 2010 by advantage
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$QWRA$tLQ71Vy4cDshOQiNJKVfS/
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authentication login ciscocp_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa authorization network ciscocp_vpn_group_ml_3 local
!
!
aaa session-id common
clock timezone PCTime 10
clock summer-time PCTime date Mar 30 2003 3:00 Oct 26 2003 2:00
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.99
!
ip dhcp pool ccp-pool1
   import all
   network 10.10.10.0 255.255.255.0
   dns-server 203.50.2.71 139.130.4.4
   default-router 10.10.10.1
!
!
ip cef
ip inspect log drop-pkt
ip inspect name CCP_MEDIUM appfw CCP_MEDIUM
ip inspect name CCP_MEDIUM cuseeme
ip inspect name CCP_MEDIUM dns
ip inspect name CCP_MEDIUM ftp
ip inspect name CCP_MEDIUM h323
ip inspect name CCP_MEDIUM https
ip inspect name CCP_MEDIUM icmp
ip inspect name CCP_MEDIUM imap reset
ip inspect name CCP_MEDIUM pop3 reset
ip inspect name CCP_MEDIUM rcmd
ip inspect name CCP_MEDIUM realaudio
ip inspect name CCP_MEDIUM rtsp
ip inspect name CCP_MEDIUM esmtp
ip inspect name CCP_MEDIUM sqlnet
ip inspect name CCP_MEDIUM streamworks
ip inspect name CCP_MEDIUM tftp
ip inspect name CCP_MEDIUM tcp
ip inspect name CCP_MEDIUM udp
ip inspect name CCP_MEDIUM vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 139.130.4.4
ip name-server 203.50.2.71
!
appfw policy-name CCP_MEDIUM
  application im aol
    service default action allow alarm
    service text-chat action allow alarm
    server permit name login.oscar.aol.com
    server permit name toc.oscar.aol.com
    server permit name oam-d09a.blue.aol.com
  application im msn
    service default action allow alarm
    service text-chat action allow alarm
    server permit name messenger.hotmail.com
    server permit name gateway.messenger.hotmail.com
    server permit name webmessenger.msn.com
  application http
    strict-http action allow alarm
    port-misuse im action reset alarm
    port-misuse p2p action reset alarm
    port-misuse tunneling action allow alarm
  application im yahoo
    service default action allow alarm
    service text-chat action allow alarm
    server permit name scs.msg.yahoo.com
    server permit name scsa.msg.yahoo.com
    server permit name scsb.msg.yahoo.com
    server permit name scsc.msg.yahoo.com
    server permit name scsd.msg.yahoo.com
    server permit name cs16.msg.dcn.yahoo.com
    server permit name cs19.msg.dcn.yahoo.com
    server permit name cs42.msg.dcn.yahoo.com
    server permit name cs53.msg.dcn.yahoo.com
    server permit name cs54.msg.dcn.yahoo.com
    server permit name ads1.vip.scd.yahoo.com
    server permit name radio1.launch.vip.dal.yahoo.com
    server permit name in1.msg.vip.re2.yahoo.com
    server permit name data1.my.vip.sc5.yahoo.com
    server permit name address1.pim.vip.mud.yahoo.com
    server permit name edit.messenger.yahoo.com
    server permit name messenger.yahoo.com
    server permit name http.pager.yahoo.com
    server permit name privacy.yahoo.com
    server permit name csa.yahoo.com
    server permit name csb.yahoo.com
    server permit name csc.yahoo.com
!
!
crypto pki trustpoint TP-self-signed-4106303059
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4106303059
 revocation-check none
 rsakeypair TP-self-signed-4106303059
!
!
crypto pki certificate chain TP-self-signed-4106303059
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 34313036 33303330 3539301E 170D3032 30333232 30333333
  32395A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31303633
  30333035 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100C3B1 01F7BAD8 47014BB5 2B055481 D710F6B7 422D36E4 BB7881E9 F0B3D1B7
  6FA0D672 98095CCE 879B5666 DB629723 A9EB6CE3 240FD42A C6AC5EDB 58A940D9
  8481FEF6 BDFE272E 21B11907 530D01F8 906E298A 50217DE5 13C27E03 BCC7D26D
  CD503FBA 25B2549E 8C08CEF8 A1B0B2C9 C0E29138 2CE7FCA3 07B06F93 B75D46A8
  09170203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14A2AFC9 22D1D272 88D60050 9B00E327 AE232294
  20301D06 03551D0E 04160414 A2AFC922 D1D27288 D600509B 00E327AE 23229420
  300D0609 2A864886 F70D0101 04050003 8181000B A73796B2 F1C4C976 B259D5AE
  A4078D8B 03267732 38CF3FA9 B534095D 67575438 6CDB4EC9 EDD776BB 2D0C099E
  EFA2D665 6337D85D 1ADDCDF6 ED9595E0 B2467A34 37BEE9FB 45FB596D 3B8C6526
  AD3B476E B6B6DD4A C943C75A E161C361 2190C6B4 DC913F13 D20CCCDB 0D9C35F7
  16A500E0 24671C51 538EA787 500AD6AD D611CB
  quit
!
!
username ************* privilege 15 secret 5 **********************
username *********** privilege 14 secret 5 **********************
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group melb
 key vfr345tgb
 pool SDM_POOL_2
crypto isakmp profile ciscocp-ike-profile-1
   match identity group melb
   client authentication list ciscocp_vpn_xauth_ml_3
   isakmp authorization list ciscocp_vpn_group_ml_3
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
 set transform-set ESP-3DES-SHA2
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 no snmp trap link-status
 pvc 8/35
  pppoe-client dial-pool-number 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template3 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
 54.0
 station-role root
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.10.10.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 102 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip inspect CCP_MEDIUM out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname *******************************
 ppp chap password 7 **************************
!
ip local pool SDM_POOL_1 10.10.10.95 10.10.10.99
ip local pool SDM_POOL_2 10.10.10.200 10.10.10.205
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.10.10.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 100 remark CCP_ACL Category=1
access-list 100 permit udp any host 10.10.10.1 eq non500-isakmp
access-list 100 permit udp any host 10.10.10.1 eq isakmp
access-list 100 permit esp any host 10.10.10.1
access-list 100 permit ahp any host 10.10.10.1
access-list 100 deny   ip host 255.255.255.255 any
access-list 100 deny   ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuratio
n
access-list 101 remark CCP_ACL Category=1
access-list 101 permit udp host 139.130.4.4 eq domain any
access-list 101 permit udp host 203.50.2.71 eq domain any
access-list 101 deny   ip 10.10.10.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny   ip 10.0.0.0 0.255.255.255 any
access-list 101 deny   ip 172.16.0.0 0.15.255.255 any
access-list 101 deny   ip 192.168.0.0 0.0.255.255 any
access-list 101 deny   ip 127.0.0.0 0.255.255.255 any
access-list 101 deny   ip host 255.255.255.255 any
access-list 101 deny   ip host 0.0.0.0 any
access-list 101 deny   ip any any
access-list 102 remark auto generated by CCP firewall configuration
access-list 102 remark CCP_ACL Category=1
access-list 102 permit udp host 139.130.4.4 eq domain any
access-list 102 permit udp host 203.50.2.71 eq domain any
access-list 102 deny   ip 10.10.10.0 0.0.0.255 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 deny   ip 10.0.0.0 0.255.255.255 any
access-list 102 deny   ip 172.16.0.0 0.15.255.255 any
access-list 102 deny   ip 192.168.0.0 0.0.255.255 any
access-list 102 deny   ip 127.0.0.0 0.255.255.255 any
access-list 102 deny   ip host 255.255.255.255 any
access-list 102 deny   ip host 0.0.0.0 any
access-list 102 deny   ip any any log
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner exec ^C




Hardware and software

Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(11)T2, RE
LEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Tue 01-May-07 08:56 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

TB_BB_Advantage uptime is 2 hours, 34 minutes
System returned to ROM by power-on
System restarted at 13:05:29 PCTime Fri Jul 9 2010
System image file is "flash:c850-advsecurityk9-mz.124-11.T2.bin"

Answer : Cisco Easy-VPN config problem cannot connect with VPN client

Hi,

ACL 102 is not permitting vpn
you need to add:

ip access-list extended 102
 1 permit udp any any eq isakmp
 2 permit udp any any eq non500-isakmp