Easy VPN debugging?

Hi we have problems with a client that connects to our Cisco via EasyVPN 2800. I would like to know the exactly effective way to debug and resolve problems and the tunnel to the EasyVPN. Thank you.

No, you cannot filter debugging.

However, if you have problems with 1 single connection, only this one should be in debugging.

The work of VPN will give little or no debugging messages (only to generate a new key or termination).

Please rate if this helped.

Kind regards

Daniel

Tags: Cisco Security

Similar Questions

How to put all through traffic the easy vpn client VPN server

Hi people

I want to ask you, how to put all of the server the easy vpn client VPN traffic through.

I mean, I have a server vpn at home, and if I connect to the vpn from outside server, to be with an IP address of my home.

There is the configuration up to now. Where is the problem?

ROUTER1 #sh running-config

Building configuration...

Current configuration: 5744 bytes

!

! Last configuration change at 19:51:18 UTC Wed Sep 4 2013 by cska

!

version 15.1

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

ROUTER1 hostname

!

boot-start-marker

usbflash0:CVO boot-BOOT Setup. CFG

boot-end-marker

!

!

!

AAA new-model

!

!

AAA authentication login ciscocp_vpn_xauth_ml_1 local

AAA authorization ciscocp_vpn_group_ml_1 LAN

!

!

!

!

!

AAA - the id of the joint session

!

Service-module wlan-ap 0 autonomous bootimage

Crypto pki token removal timeout default 0

!

Crypto pki trustpoint TP-self-signed-1604488384

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 1604488384

revocation checking no

!

!

TP-self-signed-1604488384 crypto pki certificate chain

certificate self-signed 01

3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 04050030 A0030201

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 31363034 34383833 6174652D 3834301E 170 3133 30383239 31313539

32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36303434 65642D

38383338 3430819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

8100CD 57 F1436ED2 8D9E8B99 B6A76D45 FE56716D D99765A9 1722937C F5603F9F

528E27AF 87A24C3D 276FBA1C A5E7C580 CE99748E 39458C 74 862C 2870 16E29F75

7A7930E1 15FA5644 D7ECF257 BF46C470 A3A17AEB 7AB56194 68BFB803 144B7B10

D3722BDD D1FD5E99 8068B77D A1703059 9F0578C7 F7473811 0421490D 627F25C5

4 HAS 250203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355

551 2304 18301680 141B 1326 C111DF7F 9F4ED888 EFE2999A 4C50CDD8 06 12301

03551D0E 04160414 1B1326C1 11DF7F9F 4ED888EF E2999A4C 50CDD812 300 D 0609

2A 864886 04050003 81810096 BD0C2B16 799DB6EE E2C9B7C4 72FEAAAE F70D0101

FF87465C FB7C5248 CFA08E68 522EA08A 4B18BF15 488D D53D9A43 CB400B54 8006

CB21BDFB AA27DA9C C79310B6 BC594A7E D6EDF81D 0DB7D2C1 9EF7251B 19A 75403

211B1E6B 840FE226 48656E9F 67DB4A93 CE75045B A986F0AD 691EE188 7FB86D3F

E43934FA 3D62EC90 8F37590B 618B0C

quit smoking

IP source-route

!

!

!

!

CISCO dhcp IP pool

import all

network 192.168.1.0 255.255.255.0

DNS-server 195.34.133.21 212.186.211.21

default router 192.168.1.1

!

!

IP cef

No ipv6 cef

!

Authenticated MultiLink bundle-name Panel

license udi pid CISCO892W-AGN-E-K9 sn FCZ1530C209

!

!

username privilege 15 secret 5 cska $1$ $8j6G 2sMHqIxJX8MQU6vpr75gp1

!

!

!

!

!

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

!

Configuration group customer isakmp crypto VPNGR

vpngroup key

DNS 212.186.211.21 195.34.133.21

WINS 8.8.8.8

domain chello.at

pool SDM_POOL_1

ACL 120

netmask 255.255.255.0

ISAKMP crypto ciscocp-ike-profile-1 profile

match of group identity VPNGR

client authentication list ciscocp_vpn_xauth_ml_1

ISAKMP authorization list ciscocp_vpn_group_ml_1

client configuration address respond

virtual-model 1

!

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

!

Profile of crypto ipsec CiscoCP_Profile1

security association idle time 86400 value

game of transformation-ESP-3DES-SHA

set of isakmp - profile ciscocp-ike-profile-1

!

!

Bridge IRB

!

!

!

!

interface Loopback0

192.168.4.1 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly in

!

interface BRI0

no ip address

encapsulation hdlc

Shutdown

Multidrop ISDN endpoint

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

FastEthernet6 interface

!

interface FastEthernet7

!

interface FastEthernet8

no ip address

Shutdown

automatic duplex

automatic speed

!

type of interface virtual-Template1 tunnel

IP unnumbered Loopback0

ipv4 ipsec tunnel mode

Tunnel CiscoCP_Profile1 ipsec protection profile

!

interface GigabitEthernet0

Description Internet

0023.5a03.b6a5 Mac address

customer_id GigabitEthernet0 dhcp IP address

NAT outside IP

IP virtual-reassembly in

automatic duplex

automatic speed

!

wlan-ap0 interface

description of the Service interface module to manage the embedded AP

192.168.9.2 IP address 255.255.255.0

ARP timeout 0

!

interface GigabitEthernet0 Wlan

Description interface connecting to the AP the switch embedded internal

!

interface Vlan1

no ip address

Bridge-Group 1

Bridge-Group 1 covering-disabled people

!

interface BVI1

IP 192.168.1.1 255.255.255.0

IP nat inside

IP virtual-reassembly in

!

local IP SDM_POOL_1 192.168.4.3 pool 192.168.4.245

IP forward-Protocol ND

!

!

IP http server

local IP http authentication

IP http secure server

overload of IP nat inside source list 110 interface GigabitEthernet0

IP nat inside source static tcp 192.168.1.5 3389 interface GigabitEthernet0 3389

IP nat inside source static udp 192.168.1.5 3389 interface GigabitEthernet0 3389

IP nat inside source static tcp 192.168.1.5 21 interface GigabitEthernet0 21

IP nat inside source static udp 192.168.1.5 21 interface GigabitEthernet0 21

IP nat inside source static tcp 192.168.1.4 3389 interface GigabitEthernet0 3390

IP nat inside source static udp 192.168.1.4 3389 interface GigabitEthernet0 3390

overload of IP nat inside source list 120 interface GigabitEthernet0

IP route 0.0.0.0 0.0.0.0 dhcp

!

exploitation forest esm config

access list 101 ip allow a whole

access-list 110 permit ip 192.168.1.0 0.0.0.255 any

access list 111 permit tcp any any eq 3389

access-list 120 allow ip 192.168.4.0 0.0.0.255 any

!

!

!

!

!

!

!

control plan

!

Bridge Protocol ieee 1

1 channel ip bridge

!

Line con 0

line 2

no activation-character

No exec

preferred no transport

transport of entry all

transport output pad rlogin udptn ssh telnet

line to 0

line vty 0 4

privilege level 15

preferred transport ssh

entry ssh transport

transportation out all

!

Thanks in advance

To do this you must make the following changes:

(1) disable split Tunneling by deleting the ACL of your configuration of the client group.
(2) enable NAT for VPN traffic by adding 'ip nat inside' to your virtual model of the client network to the ACL that controls your PAT.

Edit: Theses are the changes to your config (also with a little cleaning):

Configuration group customer isakmp crypto VPNGR

No 120 LCD

!

type of interface virtual-Template1 tunnel

IP nat inside

!

no nat ip inside the source list 120 interface GigabitEthernet0 overload

!

access-list 110 permit ip 192.168.4.0 0.0.0.255 any

no access-list 120 allow ip 192.168.4.0 0.0.0.255 any

Sent by Cisco Support technique iPad App

PlayBook & cisco Easy VPN Server 831

I don't seem to be able to connect to my router 831 cisco easy vpn server is configured by using my Blackberry Playbook. Looking at the console of the router I can see Debugging but don't know what it means. I have attached debugging as well as glued my setup, if someone is able to help me at all it would be much appreciated. Thank you very much.

Current configuration: 2574 bytes
!
version 12.3
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
router host name
!
enable secret 5 $1$ FM71$ y4ejS2icnqX79b9gD92E81
enable password xxxx
!
username privilege 15 password 0 $1$ W1fA CRWS_Ritesh $ o1oSEpa163775446
username privilege 15 secret 5 shamilton wFLF $1$ $ 8eRxnrrgVHMXXC0bXdEGi1
AAA new-model
!
!
AAA authentication login default local
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization ciscocp_vpn_group_ml_1 LAN
AAA - the id of the joint session
IP subnet zero
no ip Routing
!
!
audit of IP notify Journal
Max-events of po verification IP 100
No ftp server enable write
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
ISAKMP xauth timeout 15 crypto

!
ISAKMP crypto client configuration group ciscogroup
(deleted) 0 key
DNS 172.16.60.246 172.16.60.237
pool SDM_POOL_3
ACL 100
Save-password
include-local-lan
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
game of transformation-ESP-3DES-SHA
market arriere-route
!
!
card crypto SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1 crypto
client configuration address map SDM_CMAP_1 crypto answer
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
!
!
!
interface Ethernet0
IP 172.16.60.241 255.255.255.0
IP nat inside
no ip route cache
!
interface Ethernet1
DHCP IP address
NAT outside IP
no ip route cache
automatic duplex
map SDM_CMAP_1 crypto
!
interface FastEthernet1
no ip address
Shutdown
automatic duplex
automatic speed
!
interface FastEthernet2
no ip address
Shutdown
automatic duplex
automatic speed
!
interface FastEthernet3
no ip address
Shutdown
automatic duplex
automatic speed
!
interface FastEthernet4
no ip address
automatic duplex
automatic speed
!
local IP SDM_POOL_1 172.16.60.190 pool 172.16.60.199
pool of local SDM_POOL_2 192.168.1.1 IP 192.168.1.100
local IP SDM_POOL_3 172.16.61.100 pool 172.16.61.150
IP nat inside source overload map route SDM_RMAP_1 interface Ethernet1
IP classless
!
IP http server
no ip http secure server
!
Remark SDM_ACL category of access list 1 = 2
access-list 1 permit 172.16.60.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
access-list 100 permit ip 172.16.60.0 0.0.0.255 any
public RO SNMP-server community
Enable SNMP-Server intercepts ATS
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
exec-timeout 120 0
password xxxxx
length 0
!
max-task-time 5000 Planner
!
end

Stace,
```
*Mar  1 06:40:15.258: ISAKMP: transform 1, ESP_AES
*Mar  1 06:40:15.258: ISAKMP:   attributes in transform:
*Mar  1 06:40:15.262: ISAKMP:      SA life type in seconds
*Mar  1 06:40:15.262: ISAKMP:      SA life duration (basic) of 10800
*Mar  1 06:40:15.262: ISAKMP:      encaps is 61443
*Mar  1 06:40:15.262: ISAKMP:      key length is 256
*Mar  1 06:40:15.262: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 06:40:15.262: ISAKMP (0:14): atts are acceptable.
*Mar  1 06:40:15.262: ISAKMP (0:14): IPSec policy invalidated proposal
*Mar  1 06:40:15.262: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 14
```
The other end offers AES 256 and SHA IPSec transform set.

While you have configured:
```
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
```
Suggestion:

Add a new set of transofrm and apply it under crypto map.

HTH,

Marcin

Help with the easy VPN server with LDAP

Hello

I used to be able to set up our easy VPN server with local authentication.

But now, I'm trying to use LDAP authentication to match with our policies.

Can someone help me please to check the config and tell me what is wrong with him?

My router is a Cisco1941/K9.

Thank you in advance.

Ryan

Current configuration: 5128 bytes
!
! Last configuration change at 13:25:16 UTC Tuesday, August 28, 2012, by admin
! NVRAM config update at 05:03:14 UTC Monday, August 27, 2012, by admin
! NVRAM config update at 05:03:14 UTC Monday, August 27, 2012, by admin
version 15.2
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
router host name
!
boot-start-marker
boot-end-marker
!
!
!
AAA new-model
!
!
AAA group ASIA-LDAP ldap server
Server server1.domain.net
!
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authentication login ASIA-LDAP-AUTHENTIC ldap group ASIA-LDAP
local VPN_Cisco AAA authorization network
Group ldap AAA authorization network ASIA-LDAP-ASIA-LDAP group authorization
!
!
!
!
!
AAA - the id of the joint session
!
!
No ipv6 cef
!
!
!
!
!
IP domain name domaine.net
IP cef
!
Authenticated MultiLink bundle-name Panel
!
Crypto pki token removal timeout default 0
!
Crypto pki trustpoint TP-self-signed-765105936
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 765105936
revocation checking no
rsakeypair TP-self-signed-765105936
!
!
TP-self-signed-765105936 crypto pki certificate chain
certificate self-signed 01
30820229 30820192 A0030201 02020101 300 D 0609 2A 864886 F70D0101 05050030
2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
69666963 37363531 30353933 36301E17 313230 36323630 39323033 0D 6174652D
355A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3736 35313035
06092A 86 4886F70D 01010105 39333630 819F300D 00308189 02818100 0003818D
C1B7E661 4893D83A EFE44B76 92BAA71A 6375 854 C 88 D 4533E51A 49791 551D8EF7
F82E2432 E65B401D 27FE4896 2105B38A CB1908C1 9AE2FC19 8A9393C3 1 B 618390
EE6CB1CC 5C8B8811 04FA198E 16F3297B 6B15F974 13EE4897 97270547 31 74270
4590ACA6 68606596 97C5D4D5 462CACA0 CDDAC35A 17415302 CFD4E329 8E7E542D
02030100 01A 35330 03551 D 13 51300F06 0101FF04 05300301 01FF301F 0603551D
23041830 1680142E FF686472 569BCCF1 552B 1200 1 060355 5B660F30 D35060DB
1D0E0416 04142EFF 9BCCF155 68647256 2B1200D3 5060DB5B 660F300D 06092 HAS 86
01010505 00038181 00558F64 05207 D 35 AA4BD086 4579ACF6 BCF6A851 4886F70D
1D0EA15B 75DBFA45 E01FBA5C 6F827C42 1A50DD11 8922F1E5 3384B8D8 8DD6C222
0187E501 82C1C557 8AD3445C A4450241 75D771CF 3A6428A6 7E1FC7E5 8B418E65
74D265DD 06251C7D 6EF39CE9 3 D FE03F795 692763 AE865885 CFF660A5 4C1FF603
3AF09B1E 243EA5ED 7E4C30B9 3A
quit smoking
license udi pid CISCO1941/K9 sn xxxxxxxxxxx

ISM HW-module 0
!
!
!
secret admin user name of privilege 15 5 $1 rVI4$ WIP5x6at0b1Vot5LbdlGN.
ryan privilege 0 0 pass1234 password username
!
redundancy
!
!
!
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
Configuration group customer isakmp crypto VPN_Group1
xxxxxxxxxxxx key
DNS 10.127.8.20
pool SDM_POOL_1
ACL 100
netmask 255.255.255.0
ISAKMP crypto ciscocp-ike-profile-1 profile
match of group identity VPN_Group1
authentication of LDAP-ASIA-AUTHENTIC customer list
whitelist ISAKMP ASIA-LDAP-authorization of THE
client configuration address respond
virtual-model 1
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-ESP-3DES-SHA
set of isakmp - profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Loopback0
IP 10.127.15.1 255.255.255.0
!
the Embedded-Service-Engine0/0 interface
no ip address
Shutdown
!
interface GigabitEthernet0/0
IP xxx.xxx.xxx.xxx 255.255.255.224
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
IP 10.127.31.26 255.255.255.252
automatic duplex
automatic speed
!
type of interface virtual-Template1 tunnel
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile1 ipsec protection profile
!
local IP SDM_POOL_1 10.127.20.129 pool 10.127.20.254
IP forward-Protocol ND
!
IP http server
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
IP route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
IP route 10.0.0.0 255.0.0.0 10.127.31.25
IP route 10.127.20.128 255.255.255.128 GigabitEthernet0/0
!
Note access-list 100 category CCP_ACL = 4
access-list 100 permit ip 10.0.0.0 0.255.255.255 everything
!
!
!
!
!
!
!
LDAP attribute-map ASIA-username-map
user name of card type sAMAccountName
!
Server1.domain.NET LDAP server
IPv4 10.127.8.20
map attribute username-ASIA-map
bind authenticates root-dn CN = xxx\, S1234567, OU = Service accounts, OR = Admin, OU = Acc
DC = domain, DC = net password password1
base-dn DC = domain, DC = net
bind authentication-first
!
!
control plan
!
!
!
Line con 0
line to 0
line 2
no activation-character
No exec
preferred no transport
transport of entry all
output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line 67
no activation-character
No exec
preferred no transport
transport of entry all
output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
transport telnet entry
!
Scheduler allocate 20000 1000
end

Router #.

Ryan,

It seems that you are facing the question where it is indicated in the section:

Problems with the help of "authentication bind first" with user-defined attribute maps:

* Then you are likely to see a failure in your authentication attempt. You will see the error message "Invalid credentials, result code = 49. The newspapers will look something like the journals below: *.

Which is the same error you see. Go ahead and replace in your attribute map and test again.

If you remove the command "bind-first authentication' configuration above, everything will work correctly.

https://supportforums.Cisco.com/docs/doc-17780

Tarik Admani
* Please note the useful messages *.

CANNOT ACCESS THE LAN WITH THE EASY VPN CONFIGURATION

Hello

I configured easy vpn server in cisco 1905 SRI using ccp. The router is already configured with zone based firewall. With the help of vpn client I can reach only up to the internal interface of the router, but cannot access the LAN from my company. I need to change any configuration of ZBF since it is configured as "deny everything" from outside to inside? If so that all protocols should I match? Also is there any exemption of NAT for VPN clients? Please help me! Thanks in advance.

Please see my full configuration:

Router #sh run
Building configuration...

Current configuration: 8150 bytes
!
! Last modification of the configuration at 05:40:32 UTC Wednesday, July 4, 2012 by
! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
version 15.1
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
router host name
!
boot-start-marker
boot-end-marker
!
!
Passwords security min-length 6
no set record in buffered memory
enable secret 5 xxxxxxxxxxx
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login ciscocp_vpn_xauth_ml_1 local
AAA authorization exec default local
AAA authorization ciscocp_vpn_group_ml_1 LAN
!
!
!
!
!
AAA - the id of the joint session
!
!
No ipv6 cef
IP source-route
no ip free-arps
IP cef
!
Xxxxxxxxx name server IP
IP server name yyyyyyyyy
!
Authenticated MultiLink bundle-name Panel
!

parameter-map local urlfpolicy TSQ-URL-FILTER type
offshore alert
block-page message "Blocked according to policy"
parameter-card type urlf-glob FACEBOOK
model facebook.com
model *. Facebook.com

parameter-card type urlf-glob YOUTUBE
mires of youtube.com
model *. YouTube.com

parameter-card type urlf-glob CRICKET
model espncricinfo.com
model *. espncricinfo.com

parameter-card type urlf-glob CRICKET1
webcric.com model
model *. webcric.com

parameter-card type urlf-glob YAHOO
model *. Yahoo.com
model yapo

parameter-card type urlf-glob PERMITTEDSITES
model *.

parameter-card type urlf-glob HOTMAIL
model hotmail.com
model *. Hotmail.com

Crypto pki token removal timeout default 0
!
Crypto pki trustpoint TP-self-signed-2049533683
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2049533683
revocation checking no
rsakeypair TP-self-signed-2049533683
!
Crypto pki trustpoint tti
crl revocation checking
!
Crypto pki trustpoint test_trustpoint_config_created_for_sdm
name of the object [email protected] / * /
crl revocation checking
!
!
TP-self-signed-4966226213 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02111101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43647274 31312F30
69666963 32303439 35323236 6174652D 3833301E 170 3132 30363232 30363332

quit smoking
encryption pki certificate chain tti
for the crypto pki certificate chain test_trustpoint_config_created_for_sdm
license udi pid CISCO1905/K9 sn xxxxxx
licence start-up module c1900 technology-package datak9
username privilege 15 password 0 xxxxx xxxxxxx
!
redundancy
!
!
!
!
!
type of class-card inspect entire tsq-inspection-traffic game
dns protocol game
ftp protocol game
https protocol game
match icmp Protocol
match the imap Protocol
pop3 Protocol game
netshow Protocol game
Protocol shell game
match Protocol realmedia
match rtsp Protocol
smtp Protocol game
sql-net Protocol game
streamworks Protocol game
tftp Protocol game
vdolive Protocol game
tcp protocol match
udp Protocol game
match Protocol l2tp
class-card type match - all BLOCKEDSITES urlfilter
Server-domain urlf-glob FACEBOOK game
Server-domain urlf-glob YOUTUBE game
CRICKET urlf-glob-domain of the server match
game server-domain urlf-glob CRICKET1
game server-domain urlf-glob HOTMAIL
class-map type urlfilter match - all PERMITTEDSITES
Server-domain urlf-glob PERMITTEDSITES match
inspect the class-map match tsq-insp-traffic type
corresponds to the class-map tsq-inspection-traffic
type of class-card inspect correspondence tsq-http
http protocol game
type of class-card inspect all match tsq-icmp
match icmp Protocol
tcp protocol match
udp Protocol game
type of class-card inspect correspondence tsq-invalid-src
game group-access 100
type of class-card inspect correspondence tsq-icmp-access
corresponds to the class-map tsq-icmp
!
!
type of policy-card inspect urlfilter TSQBLOCKEDSITES
class type urlfilter BLOCKEDSITES
Journal
reset
class type urlfilter PERMITTEDSITES
allow
Journal
type of policy-card inspect SELF - AUX-OUT-policy
class type inspect tsq-icmp-access
inspect
class class by default
Pass
policy-card type check IN and OUT - POLICIES
class type inspect tsq-invalid-src
Drop newspaper
class type inspect tsq-http
inspect
service-policy urlfilter TSQBLOCKEDSITES
class type inspect tsq-insp-traffic
inspect
class class by default
drop
policy-card type check OUT IN-POLICY
class class by default
drop
!
area inside security
security of the OUTSIDE area
source of security OUT-OF-IN zone-pair outside the destination inside
type of service-strategy check OUT IN-POLICY
zone-pair IN-to-OUT DOMESTIC destination outside source security
type of service-strategy inspect IN and OUT - POLICIES
security of the FREE-to-OUT source destination free outdoors pair box
type of service-strategy inspect SELF - AUX-OUT-policy
!
Crypto ctcp port 10000
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 2
Group 2
!
ISAKMP crypto client configuration group vpntunnel
XXXXXXX key
pool SDM_POOL_1
include-local-lan
10 Max-users
ISAKMP crypto ciscocp-ike-profile-1 profile
vpntunnel group identity match
client authentication list ciscocp_vpn_xauth_ml_1
ISAKMP authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-model 1
!
!
Crypto ipsec transform-set TSQ-TRANSFORMATION des-esp esp-md5-hmac
!
Profile of crypto ipsec CiscoCP_Profile1
game of transformation-TRANSFORMATION TSQ
set of isakmp - profile ciscocp-ike-profile-1
!
!
!
!
!
!
the Embedded-Service-Engine0/0 interface
no ip address
response to IP mask
IP directed broadcast to the
Shutdown
!
interface GigabitEthernet0/0
Description LAN INTERFACE-FW-INSIDE
IP 172.17.0.71 255.255.0.0
IP nat inside
IP virtual-reassembly in
security of the inside members area
automatic duplex
automatic speed
!
interface GigabitEthernet0/1
Description WAN-INTERNET-INTERNET-FW-OUTSIDE
IP address xxxxxx yyyyyyy
NAT outside IP
IP virtual-reassembly in
security of the OUTSIDE member area
automatic duplex
automatic speed
!
interface Serial0/0/0
no ip address
response to IP mask
IP directed broadcast to the
Shutdown
no fair queue
2000000 clock frequency
!
type of interface virtual-Template1 tunnel
IP unnumbered GigabitEthernet0/0
ipv4 ipsec tunnel mode
Tunnel CiscoCP_Profile1 ipsec protection profile
!
local IP SDM_POOL_1 172.17.0.11 pool 172.17.0.20
IP forward-Protocol ND
!
no ip address of the http server
local IP http authentication
IP http secure server
!
IP nat inside source list 1 interface GigabitEthernet0/1 overload
IP route 0.0.0.0 0.0.0.0 yyyyyyyyy
IP route 192.168.1.0 255.255.255.0 172.17.0.6
IP route 192.168.4.0 255.255.255.0 172.17.0.6
!
access-list 1 permit 172.17.0.0 0.0.255.255
access-list 100 permit ip 255.255.255.255 host everything
access-list 100 permit ip 127.0.0.0 0.255.255.255 everything
access-list 100 permit ip yyyyyy yyyyyy everything
!
!
!
!
!
!
!
!
control plan
!
!
!
Line con 0
line to 0
line 2
no activation-character
No exec
preferred no transport
transport of entry all
output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
StopBits 1
line vty 0 4
transport input ssh rlogin
!
Scheduler allocate 20000 1000
end

A few things to change:

(1) pool of IP must be a single subnet, it is not the same subnet as your subnet internal.

(2) your NAT ACL 1 must be changed to ACL extended for you can configure NAT exemption, so if your pool is reconfigured to be 10.10.10.0/24:

access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255

access-list 120 allow ip 172.17.0.0 0.0.255.255 everything

overload of IP nat inside source list 120 interface GigabitEthernet0/1

No inside source list 1 interface GigabitEthernet0/1 ip nat overload

(3) OUT POLICY need to include VPN traffic:

access-list 121 allow ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255

type of class-card inspect correspondence vpn-access

game group-access 121

policy-card type check OUT IN-POLICY

vpn-access class

inspect

Cisco easy VPN + loopback interface. static ip address for the client

Good day people.

I have a couple a question and answer on which I can't google for a period. BTW I maybe simly use bad aproach to choose keywords.

Thus,.

(1) is it possible to assign the same IP to the same customer every time that it authenticated, preferably without using DHCP? Definely im sure it is possible, but can't find match configuration examples (my camera's 1921 Cisco IOS 15.0.1).

(2) is it possible to assign the dynamic crypto map to the loopback interface (to make EASY VPN Server accessible through two interfaces - maybe you recommend another approach instead?) - that I move the map workingcrypto of int phy loopback - I can not connect with reason "SA Phace1 policy proposal" not accepted

Hello

(1) you can attach to the same IP to the same username using RADIUS

(2) If you have 2 outside interfaces

Then, you would use

mymap-address loop0 crypto card

int gig0/0

crypto mymap map

int g0/1

cryptp map mymap

By doing so, the local address would actually be the loop0 but Cryptography card HAS to be applied on physical output interfaces

See you soon

OLivier

Easy vpn remote

I have a router 2611 with ios:c2600 - I - mz.120 - 10, DRAM/FLASH is 26624 K / 6144 K

and the compact flash is 4966520.

It would support the easy vpn remote feature? If this isn't the case, what IOS/DRAM/FLASH might be appropriate?

Hello

Use feature Navigator find IOS appropriate for different platforms:

http://Tools.Cisco.com/ITDIT/CFN/JSP/index.jsp

HTH

Sangaré

Cannot access the internal network with Cisco easy vpn client RV320

I have a cisco RV320 (firmware v1.1.1.06) and created a tunnel easy vpn (= split tunnel tunnel mode), then I installed the cisco client vpn v5.0.07.0290 in Windows 7 64 bit, I can connect to the vpn, but I do not see the other pc ping nor them, no idea?

Thank you

Hello

1. is the firewall on the active Windows 7 computer? If so, please disable it

2. can you check that you get a correct IP address in the range of the POOL of IP configured?

3. When you perform the tracert command to access an internal server, it crosses the VPN¨?

4. is the tunnel of split giving you access to internal IP subnets defined?

5. on the RV320 you see the user connected and sending and receiving bytes?

Don t forget to rate and score as correct the helpful post!

David Castro,

Kind regards

With an interface easy VPN client only

Hi guys,.

I have an ASA 5505 configuration as simple Client VPN. Current configuration uses two interfaces: inside and outside. I tested the connection to the server and works very well.

For reasons of site specific I'm limited to a single interface, you can call it inside, lan, whatever. So I need to connect clients to the remote site behind this interface and also use it to reach the easy VPN server. Is it possible in the first place?

Of course, I will put the default route through the Interior of interface and another router will provide the Internet connection.

It's so hard to make it work you should consider the answer is no.

Specifically, you need to have one inside and outside interface or EasyVPN will not come to the top.

Easy VPN between two ASA 9.5 - Split tunnel does not

Hi guys,.

We have set up a site to site vpn using easy configuration vpn between ver 9.5 race (1) two ASA. The tunnels are up and ping is reached between sites. I also configured split tunnel for internet traffic under the overall strategy of the ASA easy vpn server. But for some unknown reason all the customer same internet traffic is sent to the primary site. I have configured NAT to relieve on the side of server and client-side. Please advise if no limitation so that the installation program.

Thank you and best regards,

Arjun T P

I have the same question and open a support case.

It's a bug in the software 9.5.1. See the bug: CSCuw22886

Easy VPN

Hi all

I configured easy VPN on my ASA, but when I type the following command, it gives me this error as indicated:

SA - Gate (config) # crypto ipsec transform-set esp-3des esp-md5-hmac RIGHT
3DES/AES algorithms require an activation key for VPN-3DES-AES.
ASA - Gate (config) # crypto AMFM dynamic-map transform 100-set RIGHT
ERROR: there is no set of transformation with the "RIGHT" tag.

So this question about the features permitted on SAA and if so, what is required to complete the easy VPN configuration.

N.B.: sh version of ASA is attached.

EBIC-2007 a écrit :

Bonjour à tous,

J’ai configuré le VPN facile sur mon ASA, mais, quand je tape la commande suivante, il me donne cette erreur comme indiqué :

SA-Gate(config) # crypto ipsec transform-set MONJEU esp-3des esp-md5-hmac
Les algorithmes 3DES/AES nécessitent une clé d’activation de VPN-3DES-AES.
ASA-Gate(config) # MONJEU crypto dmap dynamique-carte 100 transform-set
ERREUR : ensemble de transformation avec le tag « MONJEU » n’existe pas.

Donc, cette question concernant les fonctionnalités autorisées sur ASA et si donc, ce qui est requis pour terminer la configuration VPN facile.

N.B. : sh version d’ASA est jointe.

The anyconnect vpn easy vpn Remote communication problem

Hi team,

I have a problem of communication of the anyconnect vpn easy vpn Remote I´ll explain better below and see the attachment
topology:

(1) VPN Tunnel between branch HQ - That´s OK
(2) VPN Tunnel between Client AnyConnect to HQ - that s OK

The idea is that the Anyconnect Client is reaching the local Branch Office network, but has not reached.
Communication is established just when I begin a session (icmp or rdp) branch to the AnyConnect Client,.
in this way, the communication is OK, but just for a few minutes.

Could you help me?
Below the IOS version and configurations

ASA5505 Version 8.4 (7) 23 (Headquarters)
ASA5505 Version 7.0000 23 (branch)

Configuration of the server easy VPN (HQ) *.

Crypto dynamic-map DYNAMIC - map 5 set transform-set ESP-AES-256-SHA ikev1
Crypto card outside-link-2_map 1 ipsec-isakmp DYNAMIC-map Dynamics
Crypto map link-outside-2_map-65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
Crypto map interface outside-link-2_map outside-link-2

ACL_EZVPN list standard access allowed 10.0.0.0 255.255.255.0
ACL_EZVPN list standard access allowed 192.168.1.0 255.255.255.0
ACL_EZVPN list standard access allowed 192.168.50.0 255.255.255.0
ACL_EZVPN list standard access allowed 10.10.0.0 255.255.255.0

internal EZVPN_GP group policy
EZVPN_GP group policy attributes
Split-tunnel-policy tunnelspecified
value of Split-tunnel-network-list ACL_EZVPN
allow to NEM
type tunnel-group EZVPN_TG remote access
attributes global-tunnel-group EZVPN_TG
Group Policy - by default-EZVPN_GP
IPSec-attributes tunnel-group EZVPN_TG
IKEv1 pre-shared-key *.

object-group network Obj_VPN_anyconnect-local
object-network 192.168.1.0 255.255.255.0
object-network 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
object-network 192.168.50.0 255.255.255.0
the NAT_EZVPN_Source object-group network
object-network 192.168.1.0 255.255.255.0
object-network 10.10.0.0 255.255.255.0
the NAT_EZVPN_Destination object-group network
object-network 10.0.0.0 255.255.255.0

destination of Obj_VPN_anyconnect local Obj_VPN_anyconnect-local static NAT (inside, outside-link-2) Obj - VPN static source -.

Remote AnyConnect VPN - Obj anyconnect-remote non-proxy-arp-search to itinerary
destination NAT (inside, outside-link-2) static source NAT_EZVPN_Source NAT_EZVPN_Source NAT_EZVPN_Destination static

NAT_EZVPN_Destination no-proxy-arp-search to itinerary
NAT (outside-link-2, outside-link-2) static source Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote static destination

NAT_EZVPN_Destination NAT_EZVPN_Destination non-proxy-arp-search route

Configuration VPN AnyConnect (HQ) *.

WebVPN
Select the outside link 2
by default-idle-timeout 60
AnyConnect essentials
AnyConnect image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
AnyConnect profiles Remote_Connection_for_TS_Users disk0: / remote_connection_for_ts_users.xml
AnyConnect enable
tunnel-group-list activate

tunnel of splitting allowed access list standard 192.168.1.0 255.255.255.0
tunnel of splitting allowed access list standard 192.168.15.0 255.255.255.0
tunnel of splitting allowed access list standard 10.0.0.0 255.255.255.0

internal clientgroup group policy
attributes of the strategy of group clientgroup
WINS server no
value of server DNS 192.168.1.41
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value split tunnel
ipconnection.com.br value by default-field
WebVPN
AnyConnect Dungeon-Installer installed
time to generate a new key 30 AnyConnect ssl
AnyConnect ssl generate a new method ssl key
AnyConnect value Remote_Connection_for_TS_Users type user profiles
AnyConnect ask flawless anyconnect

type tunnel-group sslgroup remote access
tunnel-group sslgroup General-attributes
address vpnpool pool
authentication-server-group DC03
Group Policy - by default-clientgroup
tunnel-group sslgroup webvpn-attributes
enable IPConnection-vpn-anyconnect group-alias

object-group network Obj_VPN_anyconnect-local
object-network 192.168.1.0 255.255.255.0
object-network 192.168.15.0 255.255.255.0
object-group network Obj-VPN-anyconnect-remote
object-network 192.168.50.0 255.255.255.0
the NAT_EZVPN_Source object-group network
object-network 192.168.1.0 255.255.255.0
object-network 10.10.0.0 255.255.255.0
the NAT_EZVPN_Destination object-group network
object-network 10.0.0.0 255.255.255.0

destination of Obj_VPN_anyconnect local Obj_VPN_anyconnect-local static NAT (inside, outside-link-2) Obj - VPN static source -.

Remote AnyConnect VPN - Obj anyconnect-remote non-proxy-arp-search to itinerary
destination NAT (inside, outside-link-2) static source NAT_EZVPN_Source NAT_EZVPN_Source NAT_EZVPN_Destination static

NAT_EZVPN_Destination no-proxy-arp-search to itinerary
NAT (outside-link-2, outside-link-2) static source Obj-VPN-anyconnect-remote Obj-VPN-anyconnect-remote static destination

NAT_EZVPN_Destination NAT_EZVPN_Destination non-proxy-arp-search route

Hello

communication works when you send the traffic of easyvpn derivation because it froms the IPSEC SA to pool local subnet and anyconnect HQ. The SA formed only when the branch initiates the connection as it's dynamic peer connection to HQ ASA.

When there no SA between branch and HQ for this traffic, HQ ASA has no idea on where to send the anyconnect to network traffic.

I hope this explains the cause.

Kind regards

Averroès.

Easy VPN configuration problems

Hello

I have 6.2 (2) Version PIX PIX 515E. I am trying to setup the easy VPN server to this topic. This pix not recognized the next line of the comand.

1.

Crypto-map dynamic 70 outside_dyn_map Road opposite value

2.

Crypto isakmp nat-traversal 70

or isakmp nat-traversal 70

3 tunnel-group

is there a command line I can use inplace of them. I have also attached my config so I would be very grateful if someone could check and advice me what to do to raise this connection.

Thank you

Take a look at this:

http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml

Yes nat - t is available on 6.3.x and above and no it is not enabled by default on the PIX / ASA. It is IOS.

Please note if useful, cordially

Farrukh

Easy VPN server on 1811 configuration

I'm trying to configure easy VPN server on my router from 1811 to allow remote users to access resources on our corporate network. I used the wizard to perform the configuration for the easy VPN, but when I test the VPN it fails to check the dependent components. He said to me that AAA authentication, authorization and Global Address Pool are all "not configured." I have configured AAA on MDS under additional tasks, so I don't know where I am going wrong. Any help is greatly appreciated.

Brandon,

the below URL - provide almost all the examples of configuration for the 18xx series.

http://conft.com/en/us/products/ps5853/prod_configuration_examples_list.html

HTH.

Cisco 831 - easy VPN server

Hello

I am trying to create an easy VPN server on Cisco 831. When I "test" the easy VPN he said that it tested successfully, but when I try to VPN in the router of the built in Windows XP VPN client, I'm unable to connect.

Does anyone have recommendations for how to configure easy VPN? I basically just selected all the default options. I was not able to find tutorials in the Cisco online documentation.

Do I need to have the Cisco VPN client to connect to the Cisco router?

Other thoughts?

Your IP address pool you are trying to assign to remote users is part of your local network, which is not the best way to assign the ip address to the VPN Clients, and I've seen a lot of problems in the past were route it not forwards the packets to the client. This allows you to change the POOL of something other than your LAN. E.g. 192.168.1.0/24.

Also, make sure that you re - configure your 102 ACL accordingly.

Once you make changes, try to connect again and let me know how it goes.

Kind regards

Arul

* Please note all useful messages *.

Easy VPN debugging?

Similar Questions

Hi all

Bonjour à tous,

Maybe you are looking for