VPN OK on 1812 - not on 2811!

Hello

I'm losing my mind... I configured a remote access of the IPSec VPN client on 2 routers 1812. It works like charm.

I take the same configuration and apply it on a 2811, it does not work... Error during phase 2 of IPsec.

I re-re-re-re-double checked the config, it perfectly matches the config on the 1812. (and I use the same model for 876, 1841,...)

I tried 4 different IOS 12.2.24T3 Adventerprise, 12.2.15T13 adventerprise and Advipservices and 12.2.25c adventerprise. Nothing changes... still the same error...

I apply this config on an another 2811, the same question. Is there something wrong with this model for IPsec VPN client config? Or should I use a specific IOS?

Thanks for sharing your experience,

Kind regards

Olivier

Config is:

AAA new-model

AAA authentication login default local

AAA authentication login local userauth

AAA of authentication ppp default local

AAA authorization exec default local

AAA authorization groupauth LAN

crypto ISAKMP policy 1

BA 3des

md5 hash

preshared authentication

Group 2

lifetime 28800

ISAKMP crypto client configuration group mmrouter008

xxxxxxxxxxxxxxxx key

domain xxxxxxx.com

pool POOL_VPN

ACL 134

ISAKMP crypto profile mmrouter008

mmrouter008 group identity match

client authentication list userauth

ISAKMP authorization list groupauth

client configuration address respond

Crypto ipsec transform-set esp-3des esp-md5-hmac vpnuser_trans

Crypto-map dynamic mydynamicmap 10

Set transform-set vpnuser_trans

mmrouter008 Set isakmp-profile

market arriere-route

map MAPPP 100-isakmp ipsec crypto dynamic mydynamicmap

int fa0/0

MAPPP crypto card

local IP POOL_VPN 10.50.10.1 pool 10.50.10.254

access-list 134 allow ip 192.168.71.0 0.0.0.255 10.50.10.0 0.0.0.255

Oliver,

Should work as you said.

What is the error you're getting about the phase 2?

Federico.

Tags: Cisco Security

Similar Questions

Unable to connect to the Internet, the error message "Cisco AnyConnect VPN agent service is not responding. Please restart this application after a minute"

Original title: unable to connect to the internet

Whenever I connect to my computer and get it on my desk, it goes on to say that Cisco AnyConnect VPN Service not available. How can I fix? I am not connected to the internet and I can't connect to the internet as well. He said also Cisco AnyConnect VPN service agent is not an answer. Please restart this application after a minute. Also, I can't use my firewall for some reason, if I try to allow its loading and the greenbar's going that far - then stops and says that there is an error. I forgot where I tried to activate.

Oh thanks for the help but I fix it myself. I just did a system restore to a month before

VPN error 809 does not work

I have a windows vista, before my vpn network worked perfectly, but when the update sp2 vpn does not work again so could any body can help me with this sound like Windows have no clue at all to this subject, so far I try most of the answers

but none works

Support FREE from Microsoft for SP2:

https://support.Microsoft.com/OAS/default.aspx?PRID=13014&Gprid=582034&St=1

Free unlimited installation and compatibility support is available for Windows Vista, but only for Service Pack 2 (SP2). This support for SP2 is valid until August 30, 2010.

Microsoft free support for Vista SP2 at the link above.

See you soon.

Mick Murphy - Microsoft partner

Cisco Cisco IPSEC VPN to encrypt but not decrypt

Hello

I have a vpn ipsec problem.

packets are encapsulated and décapsulés but only in one direction. I don't understand why.

VPN is already mounted on another router, I want to change the router but can't get the vpn have the new router

Thank you for helping me

PS: Sorry for my English

Hello

I looked at the configuration of your router RT-897VA once again, and I don't know if static NAT statements in there are supposed to work or not, but they won't because you have not specified any inside and outside interfaces. Configuration changes below correspond to the configuration of your router RT, check if their implementation makes a difference (the changes are indicated in bold):

RT-897VA #show run
Building configuration...

Current configuration: 3933 bytes
!
! 11:56:34 configuration was last modified THIS Friday, November 4, 2016
!
version 15.4
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
RT-897VA host name
!
boot-start-marker
boot-end-marker
!
!
!
No aaa new-model
clock timezone THIS 1 0
!
!
!
!
!
!
!
!
!
!

!
!
!
!
domain IP XXXXX
IP-name 194.2.0.20 Server
IP-name 194.2.0.50 server
IP cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
VPDN enable
!
VPDN-Group 1
! Default L2TP VPDN group
accept-dialin
L2tp Protocol
virtual-model 1
tunnel L2TP non-session timeout 15
!
!
default value for the field
!
!
!
!
!
!
!
CTS verbose logging
license udi pid C897VA-K9 sn FCZ2030DL
!
!
username password privilege 15 itef 0...
!
!
!
!
!
VDSL controller 0
!
property intellectual ssh rsa keypair-name XXX
property intellectual ssh version 2
!
!
crypto ISAKMP policy 1
BA aes
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA aes
preshared authentication
Group 2
ISAKMP crypto key cleidentique address IP-WAN-B
!
!
Crypto ipsec transform-set aes - esp esp-sha-hmac toto
tunnel mode
!
!
!
crypto map ipsec-isakmp TUNNEL 1
counterpart Set IP-WAN-B
Set transform-set toto
match address TUNNEL-DATA
crypto map ipsec-isakmp TUNNEL 2
counterpart Set IP-WAN-B
Set transform-set toto
match TUNNEL-TOIP address
!
!
!
!
!
!
ATM0 interface
no ip address
Shutdown
No atm ilmi-keepalive
!
interface BRI0
no ip address
encapsulation hdlc
Shutdown
Multidrop ISDN endpoint
!
interface Ethernet0
no ip address
Shutdown
!
interface GigabitEthernet0
Description BOX-SWITCH
switchport trunk vlan 101 native
switchport mode trunk
no ip address
spanning tree portfast
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
WAN description
IP address IP WAN - A 255.255.255.240
IP virtual-reassembly in
NAT outside IP
automatic duplex
automatic speed
card crypto TUNNEL
!
interface Vlan1
no ip address
!
interface Vlan101
VLAN-DATA description
IP 192.168.101.251 255.255.255.0
IP nat inside
IP virtual-reassembly in
!
interface Vlan111
VLAN-TOIP description
IP 192.168.111.251 255.255.255.0
IP virtual-reassembly in
!
IP forward-Protocol ND
no ip address of the http server
no ip http secure server
!
!
IP nat inside source static tcp IP 25 expandable 25 192.168.101.2
IP nat inside source static tcp IP 80 80 extensible 192.168.101.2
IP nat inside source static tcp 192.168.101.2 extensible IP 443 443
IP nat inside source static tcp 192.168.101.31 3201 IP extensible 3201
IP nat inside source static tcp 192.168.101.31 80 extensible IP 3280
IP nat inside source static tcp IP 443 33443 extensible 192.168.101.11
overload of IP nat inside source list NAT interface GigabitEthernet8
IP route 0.0.0.0 0.0.0.0 XXXX (ADSL router)
IP route 192.168.100.0 255.255.255.0 IP-WAN-B

NAT extended IP access list
deny ip 192.168.101.0 0.0.0.255 192.168.100.0 0.0.0.255
IP 192.168.101.0 allow 0.0.0.255 any
access list IP-TUNNEL-DATA extents
IP 192.168.101.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
TUNNEL-TOIP extended IP access list
IP 192.168.110.0 allow 0.0.0.255 192.168.111.0 0.0.0.255
!
access list IP-TUNNEL-DATA extents
IP 192.168.101.0 allow 0.0.0.255 192.168.100.0 0.0.0.255
permit tcp host 192.168.101.3 192.168.0.0 0.0.0.255 established
TUNNEL-TOIP extended IP access list
IP 192.168.111.0 allow 0.0.0.255 192.168.110.0 0.0.0.255
!
!
!
control plan
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
!
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
privilege level 15
password...
opening of session
transport input telnet ssh
line vty 5 15
privilege level 15
password...
opening of session
transport input telnet ssh
!
Scheduler allocate 20000 1000
!
!
!
end

VPN between ASA does not

Hello world

hope you can help us with a problem.

We try to create a tunnel vpn site-to-site between offices in different countries. We create 4 vpn tunnel, 3 of them are working right now, but there is an ASA which does not allow the connection.

On our side, we have an ASA 5516 running firmware version 9.5 (1) that has this configuration:

ti_jamaica list of allowed ip extended access any object host_10.10.10.252

NAT (inside, outside) 1 dynamic source any destination host static 10.10.10.252 host_10.111.0.10 host_10.10.10.252

Crypto ipsec transform-set esp-aes-256 ikev1, esp-md5-hmac ts_jamaica

card crypto vpnpbs 1 match address ti_jamaica
card crypto vpnpbs 1 set of peer XXX.XXX.XXX.XXX
card crypto 1 ikev1 transform-set ts_jamaica set vpnpbs

tunnel-group, type ipsec-l2l XXX.XXX.XXX.XXX
tunnel-group ipsec-attributes XXX.XXX.XXX.XXX
IKEv1 pre-shared-key vpn1234

internal GroupPolicy_xxx group strategy
attributes of Group Policy GroupPolicy_xxx
Ikev1 VPN-tunnel-Protocol

Crypto ikev1 allow outside
IKEv1 crypto policy 11
preshared authentication
aes-256 encryption
md5 hash
Group 2
life 86400

On the other side, our office has an ASA (don't know the model) running firmware version 8.2 with this configuration

permit access list extended ip host 10.10.10.252 Outside_21_cryptomap 10.111.0.10

Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac

crypto Outside_map 21 card matches the address Outside_21_cryptomap
card crypto Outside_map 21 set pfs
card crypto Outside_map 21 peer set XXX.XXX.XXX.XXX
card crypto Outside_map 21 the transform-set ESP-AES-256-MD5 value

tunnel-group, type ipsec-l2l XXX.XXX.XXX.XXX
tunnel-group ipsec-attributes XXX.XXX.XXX.XXX
pre-shared-key vpn1234

crypto ISAKMP policy 170
preshared authentication
aes-256 encryption
md5 hash
Group 2
life 86400

but I get this error on «See the ikev1 debugging»

11 February 15:32:06 [IKEv1] group = IP XXX.XXX.XXX.XXX XXX.XXX.XXX.XXX, Session = is to be demolished. Reason: The user has requested

11 February 15:32:11 [IKEv1] Group = XXX.XXX.XXX.XXX, IP = XXX.XXX.XXX.XXX, removal table correlator counterpart has failed, no match!

I already check that this error message, it indicates that there is a configuration issue between both sides of the VPN, according to the manual, it the encryption and hash does not match their topic, but we think we have the right configuration.

I appreciate any help or advice on your part.

Best regards

First of all your cryptographic domains do not match, correct so that the first. They are the same on both sides.

That's what they say.
```
access-list ti_jamaica extended permit ip any object host_10.10.10.252
```
And the other.
```
access-list Outside_21_cryptomap extended permit ip host 10.10.10.252 host 10.111.0.10
```

VPN access to the not directly connected networks

Hello

I have a 5510 which is used for Client VPN access and there is something simple that I can't work.

The VPN part works very well with AAA on a CBS.

But what does not is access to networks that are not directly connected to the inside interface.

That is to say the VPN users can connect to the network within the Interface (say 192.168.0.0/24) but not a 10.0.0.0/8 network which is connected through 192.168.0.1 router.

I have the static routes in Routing and firewall all showing the way back to the firewall on all the other networks, but I don't get more far the 192.168.0.1 router...

I use split tunneling and pass all of the private over the VPN - internet networks is used through the own local access to clients.

Can someone help me out here?

Thank you.

Fraser

PS: have the same type of access on a 7206VXR and soft, everything can be consulted and which is necessary - but I would like to move this service to the ASA.

Fraser

I don't understand the ASDM parts as you suggest. The code would be great.

I would also recommend control ACL applied to the inside interface (if any) that it allows traffic as

inside_access_in list of permitted access 10.0.0.0 255.0.0.0 vpnsubnet vpnnetmask

If still no joy, attach your config sanitized, would be useful for me to diagnose.

Concerning

PIX of VPN to Pix does not allow navigation from one end.

Hello

We went an office of a router to connect to the internet (do Nat) our Pix VNP company. Now from this office, I can go through all our corporate network, but I can't browse them from our corporate network. I read a few cisco docs and I installed WINS, still no luck.

Technicians from the isp for this office recommended disable Nat on this router (its doubly from). I have to change this Office Ip address external PIX and the default gateway to match any Ip subnet, they give me.

This change will affect our current VPN IKE and IPSEC policies and connection to that office?

Thank you

Mario Cabrejo

Network engineer

You will need to use an external (visible ip internet) on the external interface of the PIX and disable the NAT on the router. You have to re-create the tunnels they will point to a new ip address and not the router.

Hope this helps

Richard

AnyConnect VPN full tunnel could not access the site to site VPN

I have a set of AnyConnect VPN upward with no split tunneling (U-turning/crossed traffic), running 8.2.5 code.

It works fine, but I want to allow customers to AnyConnect VPN site to site, which I was unable to access.

I checked the IP addresses of network anyconnect are part of the tunnel on both sides.

My logic tells me that I must not turn back traffic from the network anyconnect for the site to site VPN, but I don't know how to do this.

Any help would be appreciated.

Here are the relevant parts of my config:

(Domestic network is 192.168.0.0/24,

the AnyConnect network is 192.168.10.0/24,

site to site VPN network is 192.168.2.0/24)

--------------------------------------------------------------------------------------

permit same-security-traffic inter-interface
permit same-security-traffic intra-interface

the DM_INLINE_NETWORK_1 object-group network
object-network 192.168.0.0 255.255.255.0
object-network 192.168.10.0 255.255.255.0
inside_nat0_outbound list extended access allowed object-group ip DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0
permit access ip 192.168.0.0 scope list inside_nat0_outbound 255.255.255.0 192.168.10.0 255.255.255.0

outside_1_cryptomap list extended access allowed object-group ip DM_INLINE_NETWORK_1 192.168.2.0 255.255.255.0

mask 192.168.10.2 - 192.168.10.254 255.255.255.0 IP local pool AnyConnectPool
Global 1 interface (outside)
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
NAT (outside) 1 192.168.10.0 255.255.255.0
access-outside group access component software snap-in interface outside
Route outside 0.0.0.0 0.0.0.0 (the gateway IP) 1
WebVPN
allow outside
AnyConnect essentials
SVC disk0:/anyconnect-win-3.1.05152-k9.pkg 1 image
SVC profiles AnyConnectProfile disk0: / anyconnect_client.xml
enable SVC
tunnel-group-list activate
internal AnyConnectGrpPolicy group strategy
attributes of Group Policy AnyConnectGrpPolicy
WINS server no
value of 192.168.0.33 DNS server 192.168.2.33
VPN-session-timeout no
Protocol-tunnel-VPN l2tp ipsec svc
Split-tunnel-policy tunnelall
the address value AnyConnectPool pools
type tunnel-group AnyConnectGroup remote access
attributes global-tunnel-group AnyConnectGroup
address pool AnyConnectPool
authentication-server-group SERVER1_AD
Group Policy - by default-AnyConnectGrpPolicy
tunnel-group AnyConnectGroup webvpn-attributes
the aaa authentication certificate
activation of the Group _AnyConnect alias

Your dial-up VPN traffic as originating apears on the external interface, so I think you need to exonerate NAT pool PN traffic directed to the site to site VPN. Something like this:
```
 global (outside) 1 interface nat (inside) 0 access-list inside_nat0_outbound nat (inside) 1 0.0.0.0 0.0.0.0 nat (outside) 0 access-list outside_nat0 nat (outside) 1 192.168.10.0 255.255.255.0 access-list outside_nat0 extended permit ip any 192.168.10.0 255.255.255.0 access-list inside_nat0_outbound extended permit ip 192.168.0.0 255.255.255.0 192.168.10.0 255.255.255.0
```

How to set up VPN on the router via ASA5505 2811

Hello everyone

I apologize for the possible triviality of my question. The current configuration of our society considers appropriate for the edge, two ASA5505 below that are installed two routers configured with the CCME 2811 Express. When the two AS5505 is configured a VPN connection for the transmission of data in our network traffic. Given the presence of several public addresses available on our two sites, I was wondering if you could (and if so, how) to set up a VPN between two routers 2811, except that when existing data traffic, dedicated exclusively to the voice traffic. It give me a document that teach me how can I solve my problem?

Thank you very much

Damiano,

If you want an IPsec VPN for only separate voice and termination traffic on routers, there are several possibilities. Especially if you have a spare IP addresses:

IPsec VPN endpoints on the routers.

GRE over IPsec routers ending (gives you that soften what and where can be routed, in particular, identify voice traffic)

Termination of free WILL on the routers and unloading IPsec to ASAs. (Benefit of the foregoing + ASAs making encryption).

There is no problem to close the tunnels through the ASA, the only warning is that even in the case of static NAT you should probably use NAT-Traversal.

Marcin

VPN works locally but not remotely

I our ASA 5510 put in place to create a vpn for our users. When I test locally it works fine, but when I try to use it remotely, it will not work. In addition, port 500 is open locally but not remotely. What Miss me? I was told that there is no firewall in place that would affect me.

Dan

You say port 500 (UDP) is not open remotely.

How do you as a customer to connect if UDP 500 is not open on the client side?

Federico.

Remote VPN Error 797 (modem not found)

I get an error 797 (modem not found) error when I try to connect to my DSL connection. It started recently and I don't know what else to try, I uninstalled the modem and reinstalled without effect. I have Windows 7 and the only thing that has changed is an update of Windows. Help, please.

Hello

Thank you for writing to Microsoft Community Forums.

The question you have posted is related to the VPN Dialup Network and would be better suited to the TechNet community. Please visit the link below to find a community that will provide the support you want.
http://social.technet.Microsoft.com/forums/en-us/w7itpronetworking/threads

VPN Site to Site not upward Tunel on a router

Hello

First time I try to configure the VPN Site to Site on the two routers X and Y. I use cisco SDM

X router that I have set up on this path http://www.tekkom.dk/mediawiki/images/e/ee/IP_sec_site-to-site_sdm.pdf

Then I create a mirror and spent on router Y I tunel up VPN router Y.

But I have problem with router X. When I try to the top of Tunel, I have two problems:

The peer must be routed through the crypto map interface. The following host is routed through the non-crypto map interface. (1) 79.*. * **. **

(79.* *-it is the WLAN router address Y)

Destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) is routed through non-crypto map interface. (1) 10.*. * **. **

(10.* *. *-is router LAN address Y)

Configuration of routers in the files.

Apologies for the lack of your answer.

You have the same card encryption applied to the physical interface and dialer0 interface. You can try removing it from the dialer0 interface and a new test.

If it does not can try you backwards IE. remove physical and apply to the dialer0 only.

Jon

Return VPN traffic flows do not on the tunnel

Hello.

I tried to find something on the internet for this problem, but am fails miserably. I guess I don't really understand how the cisco decides on the road.

In any case, I have a Cisco 837 which I use for internet access and to which I would like to be able to complete a VPN on. When I vpn (using vpnc in a Solaris box as it happens which is connected to the cisco ethernet interface), I can establish a VPN and when I ping a host on the inside, I see this package ping happen, however, the return package, the cisco 837 is trying to send via the public internet facing interface Dialer1 without encryption. I can't work for the life of me why.

(Also note: I can also establish a tunnel to the public internet, but again, I don't can not all traffic through the tunnel.) I guess I'm having the same problem, IE back of packages are not going where it should be, but I do know that for some, on the host being ping well, I can see the ping arriving packets and the host responds with a response to ICMP echo).

Here is the version of cisco:

version ADSL #show
Cisco IOS software, software C850 (C850-ADVSECURITYK9-M), Version 12.4 (15) T5, VERSION of the SOFTWARE (fc4)
Technical support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Updated Friday 1 May 08 02:07 by prod_rel_team

ROM: System Bootstrap, Version 12.3 (8r) YI4, VERSION of the SOFTWARE

ADSL availability is 1 day, 19 hours, 27 minutes
System to regain the power ROM
System restarted at 17:20:56 CEST Sunday, October 10, 2010
System image file is "flash: c850-advsecurityk9 - mz.124 - 15.T5.bin".

Cisco 857 (MPC8272) processor (revision 0 x 300) with 59392K / 6144K bytes of memory.
Card processor ID FCZ122391F5
MPC8272 CPU Rev: Part Number 0xC, mask number 0 x 10
4 interfaces FastEthernet
1 ATM interface
128 KB of non-volatile configuration memory.
20480 bytes K of on board flash system (Intel Strataflash) processor

Configuration register is 0 x 2102

And here is the cisco configuration (IP address, etc. changed of course):

Current configuration: 7782 bytes
!
! Last configuration change at 11:57:21 CEST Monday, October 11, 2010 by bautsche
! NVRAM config updated at 11:57:22 CEST Monday, October 11, 2010 by bautsche
!
version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime localtime show-timezone msec
Log service timestamps datetime localtime show-timezone msec
encryption password service
sequence numbers service
!
hostname adsl
!
boot-start-marker
boot-end-marker
!
logging buffered 4096
enable secret 5
!
AAA new-model
!
!
AAA authentication login local_authen local
AAA authentication login sdm_vpn_xauth_ml_1 local
AAA authorization exec local local_author
AAA authorization sdm_vpn_group_ml_1 LAN
!
!
AAA - the id of the joint session
clock timezone gmt 0
clock daylight saving time UTC recurring last Sun Mar 01:00 last Sun Oct 01:00
!
!
dot11 syslog
no ip source route
dhcp IP database dhcpinternal
No dhcp use connected vrf ip
DHCP excluded-address IP 10.10.7.1 10.10.7.99
DHCP excluded-address IP 10.10.7.151 10.10.7.255
!
IP dhcp pool dhcpinternal
import all
Network 10.10.7.0 255.255.255.0
router by default - 10.10.7.1
Server DNS 212.159.6.9 212.159.6.10 212.159.13.49 212.159.13.50
!
!
IP cef
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
no ip bootp Server
nfs1 host IP 10.10.140.207
name of the IP-server 212.159.11.150
name of the IP-server 212.159.13.150
!
!
!
username password cable 7
username password bautsche 7
vpnuser password username 7
!
!
crypto ISAKMP policy 1
BA 3des
md5 hash
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA aes 256
preshared authentication
Group 2
!
crypto ISAKMP policy 3
BA 3des
Prior authentication group part 2
the local address SDM_POOL_1 pool-crypto isakmp client configuration
!
ISAKMP crypto client configuration group groupname2
key
DNS 10.10.140.201 10.10.140.202
swangage.co.uk field
pool SDM_POOL_1
users of max - 3
netmask 255.255.255.0
!
ISAKMP crypto client configuration group groupname1
key
DNS 10.10.140.201 10.10.140.202
swangage.co.uk field
pool SDM_POOL_1
users of max - 3
netmask 255.255.255.0
ISAKMP crypto sdm-ike-profile-1 profile
groupname2 group identity match
client authentication list sdm_vpn_xauth_ml_1
ISAKMP authorization list sdm_vpn_group_ml_1
client configuration address respond
ISAKMP crypto profile sdm-ike-profile-2
groupname1 group identity match
ISAKMP authorization list sdm_vpn_group_ml_1
client configuration address respond
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set esp-3des esp-md5-hmac ESP_MD5_3DES
Crypto ipsec transform-set ESP-AES-256-SHA aes - esp esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
Set the security association idle time 3600
game of transformation-ESP-AES-256-SHA
market arriere-route
crypto dynamic-map SDM_DYNMAP_1 2
Set the security association idle time 3600
game of transformation-ESP-AES-256-SHA
market arriere-route
!
!
card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto
map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto
!
Crypto ctcp port 10000
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
!
!
!
Null0 interface
no ip unreachable
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
PVC 0/38
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
DSL-automatic operation mode
waiting-224 in
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
Description $FW_INSIDE$
10.10.7.1 IP address 255.255.255.0
IP access-group 121 to
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
map SDM_CMAP_1 crypto
Hold-queue 100 on
!
interface Dialer1
Description $FW_OUTSIDE$
the negotiated IP address
IP access-group 121 to
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
IP virtual-reassembly
encapsulation ppp
route IP cache flow
No cutting of the ip horizon
Dialer pool 1
Dialer idle-timeout 0
persistent Dialer
Dialer-Group 1
No cdp enable
Authentication callin PPP chap Protocol
PPP chap hostname
PPP chap password 7
map SDM_CMAP_1 crypto
!
local IP SDM_POOL_1 10.10.148.11 pool 10.10.148.20
IP local pool public_184 123.12.12.184
IP local pool public_186 123.12.12.186
IP local pool public_187 123.12.12.187
IP local pool internal_9 10.10.7.9
IP local pool internal_8 10.10.7.8
IP local pool internal_223 10.10.7.223
IP local pool internal_47 10.10.7.47
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer1
IP route 10.10.140.0 255.255.255.0 10.10.7.2
!
no ip address of the http server
no ip http secure server
IP nat inside source overload map route SDM_RMAP_1 interface Dialer1
IP nat inside source static 10.10.7.9 123.12.12.184
IP nat inside source static tcp 10.10.7.8 22 123.12.12.185 22 Expandable
IP nat inside source static tcp 10.10.7.8 25 123.12.12.185 25 expandable
IP nat inside source static tcp 10.10.7.8 80 123.12.12.185 80 extensible
IP nat inside source static tcp 10.10.7.8 443 123.12.12.185 443 extensible
IP nat inside source static tcp 10.10.7.8 993 123.12.12.185 993 extensible
IP nat inside source static tcp 10.10.7.8 123.12.12.185 1587 1587 extensible
IP nat inside source static tcp 10.10.7.8 8443 123.12.12.185 8443 extensible
IP nat inside source static 10.10.7.223 123.12.12.186
IP nat inside source static 10.10.7.47 123.12.12.187
!
record 10.10.140.213
access-list 18 allow one
access-list 23 permit 10.10.140.0 0.0.0.255
access-list 23 permit 10.10.7.0 0.0.0.255
Access-list 100 category SDM_ACL = 2 Note
access-list 100 deny ip any 10.10.148.0 0.0.0.255
access ip-list 100 permit a whole
Note access-list 121 SDM_ACL category = 17
access-list 121 deny udp any eq netbios-dgm all
access-list 121 deny udp any eq netbios-ns everything
access-list 121 deny udp any eq netbios-ss all
access-list 121 tcp refuse any eq 137 everything
access-list 121 tcp refuse any eq 138 everything
access-list 121 tcp refuse any eq 139 all
access ip-list 121 allow a whole
access-list 125 permit tcp any any eq www
access-list 125 permit udp any eq isakmp everything
access-list 125 permit udp any any eq isakmp
access-list 194 deny udp any eq isakmp everything
access-list 194 deny udp any any eq isakmp
access-list 194 allow the host ip 123.12.12.184 all
IP access-list 194 allow any host 123.12.12.184
access-list 194 allow the host ip 10.10.7.9 all
IP access-list 194 allow any host 10.10.7.9
access-list 195 deny udp any eq isakmp everything
access-list 195 deny udp any any eq isakmp
access-list 195 allow the host ip 123.12.12.185 all
IP access-list 195 allow any host 123.12.12.185
access-list 195 allow the host ip 10.10.7.8 all
IP access-list 195 allow any host 10.10.7.8
not run cdp
public_185 allowed 10 route map
corresponds to the IP 195
!
public_184 allowed 10 route map
corresponds to the IP 194
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 100
!
!
control plan
!
!
Line con 0
connection of authentication local_authen
no activation of the modem
preferred no transport
telnet output transport
StopBits 1
line to 0
connection of authentication local_authen
telnet output transport
StopBits 1
line vty 0 4
access-class 23 in
privilege level 15
authorization exec local_author
connection of authentication local_authen
length 0
preferred no transport
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
130.88.202.49 SNTP server
130.88.200.98 SNTP server
130.88.200.6 SNTP server
130.88.203.64 SNTP server
end

Any help would be appreciated.

Thank you very much.

Ciao,.

Eric

Hi Eric,.

(Sorry for the late reply - needed some holidays)

So I see that you have a few steps away now. I think that there are 2 things we can try:

1)

I guess you have provided that:

IP nat inside source overload map route SDM_RMAP_1 interface Dialer1

Since the routemap refers to ACL 100 to define the traffic to be translated, we can exclude traffic that initiates the router:

Access-list 100 category SDM_ACL = 2 Note

access-list 100 deny ip 123.12.12.185 host everything
access-list 100 deny ip any 10.10.148.0 0.0.0.255
access ip-list 100 permit a whole

Which should prevent the source udp 4500 to 1029 changing port

OR

2)

If you prefer to use a different ip address for VPN,

Then, you can use a loop like this:

loopback interface 0

123.12.12.187 the IP 255.255.255.255

No tap

map SDM_CMAP_1 crypto local-address loopback 0

I don't think you should apply card encryption to the loopback interface, but it's been a while since I have configured something like that, so if you have problems first try and if still does not get the crypto debugs new (isakmp + ipsec on the vpn, nat router on the router of the client package).

HTH

Herbert

Authentication of VPN 3000 Client does not

Get the following error trying to authenticate on VPN 3020: Xauth required but winning proposal does not support xauth, of audit priorities of the xauth list proposal ike ike proposals

Not really sure what it means.

Find the proposals on the VPN3020 IKE (location varies depending on the version, so I can't tell you where). You will find some are active, others do not. Make sure that one is active when the authentication method is "pre-shared keys (xuauth)" with something like MD5, 3DES, DH group2.

If you see a proposal named "CiscoVPNClient-3DES-MD5" that will do the trick.

Help: Customer Cisco VPN & Split Tunnel but not Internet

Hi Forum.

We are faced with this problem: after having successfully open a VPN connection with the Cisco VPN Client to a router Cisco, the rest of the world are not properly available more.

This is what has been verified / so far attempted to identify the problem on a Windows Vista computer:

-Router: Split Tunneling is allowed according to sysop

-On the VPN-Client: "allow Local Lan access" is checked

-On the Client (statistics): only STI VPN-rout configured listed unter "guarantee routes." "Local Lan routes" is empty.

-Calling 'http://www.google.com' in IE fails

-Call ' 74.125.232.116' (IE IP) IE works / ping the IP works.

-nslookup properly lists the current DNS server

-nslookup www.google.com resolves correctly the name of intellectual property

It seems that it is not that the connection with the rest of the Internet is deleted, but DNS resolution fails somehow, even though all signs point to the appropriate DNS server is in force and although the command line can resolve the name.

does anyone have a tip how to debug this correctly?

No worries Pat...

Sent by Cisco Support technique iPhone App

-Please evaluate solutions

VPN OK on 1812 - not on 2811!

Similar Questions

Maybe you are looking for