Sadikhov IT Certification forums
putimir

[problem] Remote VPN client failing at Phase2 (IOS VPN,combined site-s


Hello all,

 

I've been busting my head for quite some time now trying to set up simultaneous site-to-site VPNs (with split tunneling over NAT), remote software Cisco VPN clients, and an IOS EzVPN client connection (to my workplace) on my home router (C1812).

So far I've managed to set up and get working site-to-site VPN tunnels using crypto maps and the IOS EzVPN client, but I'm having problems trying to connect remotely using IPsec VPN clients (Cisco VPN client v3.6 and 5.0, and the Nokia mobile VPN client) using a dynamic crypto map:

The connection successfully finishes Phase 1 (including mode config: IPs are assigned, etc.), but then Phase 2 gets rejected for some reason...

Here is the relevant part of the debug from the server (I can post the whole debug log if you think this part is not enough):

 

 

 

*Jan 21 09:34:16: ISAKMP:(2242):IKE_DPD is enabled, initializing timers
*Jan 21 09:34:16: ISAKMP:(2242):Input = IKE_MESG_INTERNAL, IKE_PHASE1_COMPLETE
*Jan 21 09:34:16: ISAKMP:(2242):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jan 21 09:34:16: ISAKMP (2242): received packet from xx.xxx.xxx.xx dport 4500 sport 4500 Global (R) QM_IDLE
*Jan 21 09:34:16: ISAKMP: set new node 1388603735 to QM_IDLE
*Jan 21 09:34:16: ISAKMP:(2242): processing HASH payload. message ID = 1388603735
*Jan 21 09:34:16: ISAKMP:(2242): processing SA payload. message ID = 1388603735
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 1
*Jan 21 09:34:16: ISAKMP: transform 1, ESP_AES
*Jan 21 09:34:16: ISAKMP: attributes in transform:
*Jan 21 09:34:16: ISAKMP: authenticator is HMAC-MD5
*Jan 21 09:34:16: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Jan 21 09:34:16: ISAKMP: key length is 256
*Jan 21 09:34:16: ISAKMP: SA life type in seconds
*Jan 21 09:34:16: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jan 21 09:34:16: ISAKMP:(2242):atts are acceptable.
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 1
*Jan 21 09:34:16: ISAKMP:(2242):transform 1, IPPCP LZS
*Jan 21 09:34:16: ISAKMP: attributes in transform:
*Jan 21 09:34:16: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Jan 21 09:34:16: ISAKMP: SA life type in seconds
*Jan 21 09:34:16: ISAKMP: SA life duration (VPI) of 0x0 0x20 0xC4 0x9B
*Jan 21 09:34:16: ISAKMP:(2242):atts are acceptable.
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #1
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= xx.xxx.59.12, remote= xx.xx.230.37,
local_proxy= xx.xxx.59.12/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.10.47/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 256, flags= 0x0
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #2
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #2,
(key eng. msg.) INBOUND local= xx.xxx.59.12, remote= xx.xxx.230.37,
local_proxy= xx.xxx3.59.12/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.10.47/255.255.255.255/0/0 (type=1),
protocol= PCP, transform= NONE (Tunnel-UDP),
lifedur= 0s and 0kb,
spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x0
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_find_best did not find matching map
*Jan 21 09:34:16: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 21 09:34:16: ISAKMP:(2242): IPSec policy invalidated proposal with error 32
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 2
...

more proposals... (each with "ISAKMP:(2242):atts are acceptable." - ?!?)

at the end I get this:

...
*Jan 21 09:34:16: ISAKMP:(2242): phase 2 SA policy not acceptable! (local xx.xxx.59.12 remote xx.xxx.230.37)
*Jan 21 09:34:16: ISAKMP: set new node -1062817036 to QM_IDLE
*Jan 21 09:34:16: ISAKMP:(2242):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
spi 2233179104, message ID = -1062817036
*Jan 21 09:34:16: ISAKMP:(2242): sending packet to xx.xxx.230.37 my_port 4500 peer_port 4500 (R) QM_IDLE
*Jan 21 09:34:16: ISAKMP:(2242):Sending an IKE IPv4 Packet.
*Jan 21 09:34:16: ISAKMP:(2242):purging node -1062817036
*Jan 21 09:34:16: ISAKMP:(2242):deleting node 1388603735 error TRUE reason "QM rejected"
*Jan 21 09:34:16: ISAKMP:(2242):Node 1388603735, Input = IKE_MESG_FROM_PEER, IKE_QM_EXCH
*Jan 21 09:34:16: ISAKMP:(2242):Old State = IKE_QM_READY New State = IKE_QM_READY
*Jan 21 09:34:16: ISAKMP:(2210):purging node -579202533
*Jan 21 09:34:20: ISAKMP:(2241):purging node 1499311114

 

 

 

The thing that sticks out (at least to me) is "remote_proxy= 192.168.10.47/255.255.255.255". Is this OK? Is the remote proxy supposed to be a locally (internally) assigned address?

The complete config is attached...

I would be grateful for any hint....

 

 

Thanks a lot!!

Jure

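The debug above can be read mechanically. As an added example (not code from the thread and not a Cisco tool), the Python below parses the Quick Mode lines into the peer's proposals, its proxy identities and the router's verdict, then runs the first checks a practitioner would make: whether remote_proxy is the /32 mode-config address out of the local pool (it is here, and that is expected: a remote-access client proposes the address it was just assigned as its proxy ID), and whether the rejection came from the crypto map lookup ("profile did not match", "did not find matching map") rather than from a transform or crypto ACL mismatch. The sample debug is rebuilt from the lines in the post with the masked public addresses replaced by 203.0.113.x documentation addresses; the pool range handed to classify() is the router's `ip local pool vpnpool` and is an input, not something parsed from the debug.

```python
"""Triage a Cisco IOS Quick Mode (Phase 2) rejection from 'debug crypto isakmp'
and 'debug crypto ipsec' output.  Added example for this thread; not the
poster's code and not a Cisco tool."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Rebuilt from the debug lines in the post; the masked public addresses are
# replaced with 203.0.113.x (RFC 5737 documentation space).
SAMPLE_DEBUG = """\
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 1
*Jan 21 09:34:16: ISAKMP: transform 1, ESP_AES
*Jan 21 09:34:16: ISAKMP: authenticator is HMAC-MD5
*Jan 21 09:34:16: ISAKMP: encaps is 61443 (Tunnel-UDP)
*Jan 21 09:34:16: ISAKMP: key length is 256
*Jan 21 09:34:16: ISAKMP:(2242):atts are acceptable.
*Jan 21 09:34:16: ISAKMP:(2242):transform 1, IPPCP LZS
*Jan 21 09:34:16: ISAKMP:(2242):atts are acceptable.
*Jan 21 09:34:16: IPSEC(validate_proposal_request): proposal part #1,
(key eng. msg.) INBOUND local= 203.0.113.12, remote= 203.0.113.37,
local_proxy= 203.0.113.12/255.255.255.255/0/0 (type=1),
remote_proxy= 192.168.10.47/255.255.255.255/0/0 (type=1),
protocol= ESP, transform= NONE (Tunnel-UDP),
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_find_best did not find matching map
*Jan 21 09:34:16: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 21 09:34:16: ISAKMP:(2242): IPSec policy invalidated proposal with error 32
*Jan 21 09:34:16: ISAKMP:(2242): phase 2 SA policy not acceptable! (local 203.0.113.12 remote 203.0.113.37)
*Jan 21 09:34:16: ISAKMP:(2242):Sending NOTIFY PROPOSAL_NOT_CHOSEN protocol 3
"""

TRANSFORM_RE = re.compile(r"transform \d+, (\S+)")
PROXY_RE = re.compile(r"(local|remote)_proxy= (\S+?)/(\S+?)/(\d+)/(\d+)")
NOTIFY_RE = re.compile(r"Sending NOTIFY (\S+)")
# What IOS prints while walking the crypto map database and judging the proposal.
REASON_MARKERS = ("profile did not match", "did not find matching map",
                  "proxy identities not supported", "phase 2 SA policy not acceptable")

@dataclass
class Phase2Report:
    transforms: List[dict] = field(default_factory=list)
    local_proxy: Optional[Tuple[ipaddress.IPv4Network, int, int]] = None
    remote_proxy: Optional[Tuple[ipaddress.IPv4Network, int, int]] = None
    reasons: List[str] = field(default_factory=list)
    notify: Optional[str] = None

def parse_phase2(debug: str) -> Phase2Report:
    """Pull the peer's proposals, its proxy IDs and the router's verdict from the debug."""
    rep, current = Phase2Report(), None
    for line in debug.splitlines():
        m = TRANSFORM_RE.search(line)
        if m:
            current = {"name": m.group(1), "auth": None, "keylen": None}
            rep.transforms.append(current)
            continue
        if current is not None:
            m = re.search(r"authenticator is (\S+)", line)
            if m:
                current["auth"] = m.group(1)
            m = re.search(r"key length is (\d+)", line)
            if m:
                current["keylen"] = int(m.group(1))
        m = PROXY_RE.search(line)
        if m:
            side, addr, mask, proto, port = m.groups()
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            setattr(rep, f"{side}_proxy", (net, int(proto), int(port)))
        rep.reasons += [mk for mk in REASON_MARKERS if mk in line and mk not in rep.reasons]
        m = NOTIFY_RE.search(line)
        if m:
            rep.notify = m.group(1)
    return rep

def classify(rep: Phase2Report, pool: Tuple[str, str]) -> dict:
    """First checks on a QM rejection.  `pool` is the router's 'ip local pool'
    range for remote-access clients, supplied by the caller."""
    first, last = (ipaddress.ip_address(a) for a in pool)
    out = {"proposal_rejected": rep.notify == "PROPOSAL_NOT_CHOSEN"}
    # A remote-access client proposes the mode-config address it was just given
    # as a /32 proxy ID, so a remote_proxy inside the local pool is expected.
    out["remote_proxy_is_pool_address"] = bool(
        rep.remote_proxy and rep.remote_proxy[0].prefixlen == 32
        and first <= rep.remote_proxy[0].network_address <= last)
    out["no_map_entry_matched"] = "did not find matching map" in rep.reasons
    out["isakmp_profile_mismatch"] = "profile did not match" in rep.reasons
    if out["isakmp_profile_mismatch"] and out["no_map_entry_matched"]:
        out["next_step"] = ("no crypto map entry accepted this IKE SA: compare the dynamic "
                            "map's 'set isakmp-profile' with the profile the Phase 1 SA matched")
    elif "proxy identities not supported" in rep.reasons:
        out["next_step"] = "proxy IDs matched no crypto ACL: static 'match address' ACLs must mirror the peer's"
    else:
        out["next_step"] = "compare the offered transforms with the local transform-sets"
    return out

if __name__ == "__main__":
    report = parse_phase2(SAMPLE_DEBUG)
    for k, v in classify(report, ("192.168.10.45", "192.168.10.50")).items():
        print(f"{k}: {v}")
```

The ordering in classify() matters: "proxy identities not supported" is printed in this debug too, but only after the map lookup already failed, so it is a symptom here rather than the ACL-mirroring problem the Cisco note describes for static maps.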

Hi,

 

I suggest you paste your whole VPN config, and then we'll have a look at it.


Hi,

 

The debug output that you provided has several messages that can give a clue as to where the problem may be:

 

*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_check_isakmp_profile profile did not match
*Jan 21 09:34:16: map_db_find_best did not find matching map
*Jan 21 09:34:16: IPSEC(ipsec_process_proposal): proxy identities not supported
*Jan 21 09:34:16: ISAKMP:(2242): IPSec policy invalidated proposal with error 32
*Jan 21 09:34:16: ISAKMP:(2242):Checking IPSec proposal 2
...
*Jan 21 09:34:16: ISAKMP:(2242): phase 2 SA policy not acceptable!

 

Your configuration for remote VPN clients is (to save time, it is good to underline the important part of the configuration):

 

crypto isakmp client configuration group VPNCLIENT_CNFGROUP
 key 6 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 domain xxx.net
 pool vpnpool
 acl ezvpn
 include-local-lan

crypto isakmp profile VPNCLIENT_PROFILE ---> profile for remote VPN clients that must match VPNCLIENT_CNFGROUP
 description VPN clients profile
 match identity group VPNCLIENT_CNFGROUP
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP_AES_MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP_AES_SHA esp-aes esp-sha-hmac

crypto dynamic-map CRYPTO_DYNMAP_1 1
 set transform-set ESP_AES_MD5 ESP_AES_SHA ESP-3DES-MD5 ESP-3DES-SHA
 set isakmp-profile VPNCLIENT_PROFILE
 reverse-route

crypto map CRYPTO_MAP_1 99 ipsec-isakmp dynamic CRYPTO_DYNMAP_1

ip local pool vpnpool 192.168.10.45 192.168.10.50

ip access-list extended ezvpn
 remark ------- Split Tunnel ACL ------------------------------------
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.10.1.0 0.0.0.255 any

ip access-list extended ACL_NAT
 remark ------- ACL_NAT ---------------------------------------------
 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255

 

Please correct me if I forgot something.

 

I assume that in the complete debug output you have 4 IPsec proposals being negotiated.

 

Here is a clue that I found on the Cisco site that might help:

 

"Proxy Identities Not Supported

This message appears in debugs if the access list for IPsec traffic does not match.

1d00h: IPSec(validate_transform_proposal): proxy identities not supported
1d00h: ISAKMP: IPSec policy invalidated proposal
1d00h: ISAKMP (0:2): SA not acceptable!

If the crypto ACLs are not mirrored on the two peers, you'll see debug output from the debug crypto ipsec and debug crypto isakmp commands. The proxy identities not supported message indicates that the crypto ACLs (if routers, PIXs, or ASAs) or network lists (if concentrators) do not match (are not mirrored) on the two IPsec peers."


As I said, I was having problems connecting with VPN clients, and there is nothing to be configured on the software client regarding crypto ACLs; there is only the group and the group pre-shared key/password to be configured, and even that takes place in the Phase 1 negotiation, which in my case was successful...

 

Anyway, in desperation, I tried the config which, according to a Cisco doc ("EzVPN with Split Tunnelling on the IOS Router Configuration Example"), is explicitly wrong:

 

RouterA has to be configured with IPsec profiles for the VPN Client connections. The use of a standard EzVPN server configuration on this router along with the EzVPN Client configuration does not work. The router fails Phase 1 negotiation.

 

You're supposed to use IPsec profiles, which I did, but the whole setup didn't pass Phase 2 (see my previous post). When I used the "classic" configuration:

 

crypto map CRYPTO_MAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map CRYPTO_MAP_1 client configuration address respond
crypto map CRYPTO_MAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map CRYPTO_MAP_1 99 ipsec-isakmp dynamic CRYPTO_DYNMAP_1

 

... the damn thing started working...

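The difference between the profile-based layout quoted in the first reply and the "classic" map-level layout that worked is a matter of where IOS looks for the client attributes. As an added example (not the poster's code), the Python below cross-references those objects in each layout: the dynamic map against its transform-sets and ISAKMP profile, the profile against its client group and that group's pool, and the `isakmp authorization list`, `client configuration address respond` and `client authentication list` commands (map-level or profile-level) against the AAA lists they name. Both samples are trimmed from the configs in this thread, with AAA lines added so that the references can resolve. On the profile layout the only finding is that no `client authentication list` (Xauth) is set anywhere, which is also the one attribute the working map-level layout adds; whether that alone caused the Phase 2 failure is not something the thread establishes.

```python
"""Cross-reference the remote-access (EzVPN server) objects in an IOS config.
Added example for this thread, not the poster's code: it contrasts client
attributes inside a bound ISAKMP profile with the 'classic' map-level ones."""
import re
from typing import Dict, List

# Both samples are trimmed from configs posted in this thread; the AAA lines
# are added so that the list references can resolve.
PROFILE_STYLE = """\
aaa authorization network sdm_vpn_group_ml_1 local
crypto isakmp client configuration group VPNCLIENT_CNFGROUP
 pool vpnpool
crypto isakmp profile VPNCLIENT_PROFILE
 match identity group VPNCLIENT_CNFGROUP
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
crypto ipsec transform-set ESP_AES_MD5 esp-aes esp-md5-hmac
crypto dynamic-map CRYPTO_DYNMAP_1 1
 set transform-set ESP_AES_MD5
 set isakmp-profile VPNCLIENT_PROFILE
crypto map CRYPTO_MAP_1 99 ipsec-isakmp dynamic CRYPTO_DYNMAP_1
ip local pool vpnpool 192.168.10.45 192.168.10.50
"""
CLASSIC_STYLE = """\
aaa authentication login VPN_USERS local
aaa authorization network VPN_GROUP local
crypto isakmp client configuration group VPNCLIENT_CNFGROUP
 pool vpnpool
crypto ipsec transform-set ESP_AES_MD5 esp-aes esp-md5-hmac
crypto dynamic-map CRYPTO_DYNMAP_1 1
 set transform-set ESP_AES_MD5
crypto map CRYPTO_MAP_1 client authentication list VPN_USERS
crypto map CRYPTO_MAP_1 isakmp authorization list VPN_GROUP
crypto map CRYPTO_MAP_1 client configuration address respond
crypto map CRYPTO_MAP_1 99 ipsec-isakmp dynamic CRYPTO_DYNMAP_1
ip local pool vpnpool 192.168.10.45 192.168.10.50
"""

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Map each top-level IOS line to its indented sub-commands."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def check_remote_access(config: str) -> List[str]:
    """Findings per dynamic crypto map entry; [] means every reference resolves
    and the client attributes are present where IOS looks for them."""
    b = parse_blocks(config)
    def defined(p): return any(k == p or k.startswith(p + " ") for k in b)
    def sub(p): return [c for k, v in b.items() if k == p or k.startswith(p + " ") for c in v]
    # Attributes the thread's working layout sets, with the AAA list type each
    # 'list' command must name.
    needed = {"isakmp authorization list": "aaa authorization network",
              "client configuration address respond": None,
              "client authentication list": "aaa authentication login"}
    out: List[str] = []
    for key in b:
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)$", key)
        if not m:
            continue
        cmap, dyn = m.groups()
        if not defined(f"crypto dynamic-map {dyn}"):
            out.append(f"{cmap}: dynamic map {dyn} not defined")
            continue
        dyn_lines = sub(f"crypto dynamic-map {dyn}")
        for ts in [t for x in dyn_lines if x.startswith("set transform-set") for t in x.split()[2:]]:
            if not defined(f"crypto ipsec transform-set {ts}"):
                out.append(f"{dyn}: transform-set {ts} not defined")
        prof = next((x.split()[-1] for x in dyn_lines if x.startswith("set isakmp-profile")), None)
        if prof:  # attributes live in the bound ISAKMP profile
            attrs, where = sub(f"crypto isakmp profile {prof}"), f"profile {prof}"
            if not defined(f"crypto isakmp profile {prof}"):
                out.append(f"{dyn}: isakmp profile {prof} not defined")
            for grp in [a.split()[-1] for a in attrs if a.startswith("match identity group")]:
                if not defined(f"crypto isakmp client configuration group {grp}"):
                    out.append(f"{where}: client group {grp} not defined")
        else:  # 'classic' layout: attributes hang off the crypto map itself
            pre = f"crypto map {cmap} "
            attrs = [k[len(pre):] for k in b if k.startswith(pre) and not re.match(r"crypto map \S+ \d+ ", k)]
            where = f"crypto map {cmap}"
        for cmd, aaa in needed.items():
            hit = next((a for a in attrs if a.startswith(cmd)), None)
            if hit is None:
                out.append(f"{where}: missing '{cmd}'")
            elif aaa and not defined(f"{aaa} {hit.split()[-1]}"):
                out.append(f"{where}: AAA list {hit.split()[-1]} not defined")
    for key, lines in b.items():  # every client group must name an existing pool
        for pool in [x.split()[1] for x in lines if x.startswith("pool ")]:
            if key.startswith("crypto isakmp client configuration group") and not defined(f"ip local pool {pool}"):
                out.append(f"group {key.split()[-1]}: pool {pool} not defined")
    return out

if __name__ == "__main__":
    print("profile layout:", check_remote_access(PROFILE_STYLE) or "clean")
    print("classic layout:", check_remote_access(CLASSIC_STYLE) or "clean")
```

Run it against a full running-config (the one posted further down in this thread, for instance) by reading the file into check_remote_access(); the parser only relies on IOS's one-space indentation of sub-commands, so a paste that lost its indentation has to be re-indented first.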

Glad to hear this.

 

Can you post your VPN configs and bold them out? I'm sure many of us will find this useful now or later.


Here, I think this is about it...

 

Current configuration : 18056 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname xxx
!
boot-start-marker
boot system flash c181x-adventerprisek9-mz.124-24.T1.bin
warm-reboot count 10
boot-end-marker
!
logging message-counter syslog
logging buffered 51200
no logging console
enable secret 5 $1$C62J$rO5AcxEcNyPrvkE9TW2RD/
!
aaa new-model
aaa local authentication attempts max-fail 3
!
!
!
aaa authentication login default local
aaa authentication login VPN_USERS local
aaa authentication login eap_methods group rad_eap
aaa authorization network VPN_GROUP local
!
!
aaa session-id common
clock timezone CET 1
clock summer-time CETDST recurring last Sun Mar 2:00 last Sun Oct 3:00
!
crypto pki trustpoint xxx.dyndns.org
 enrollment selfsigned
 fqdn xxx.dyndns.org
 subject-name cn=xxx.dyndns.org
 revocation-check none
 rsakeypair xxx.dyndns.org 1024 1024
!
!
crypto pki certificate chain xxx.dyndns.org
 certificate self-signed 01
  30820268 308201D1 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  40311B30 19060355 04031312 70757469 6D69722E 64796E64 6E732E6F 72673121
  301F0609 2A864886 F70D0109 02161270 7574696D 69722E64 796E646E 732E6F72
  67301E17 0D303831 30313431 31323734 355A170D 32303031 30313030 30303030
  5A304031 1B301906 03550403 13127075 74696D69 722E6479 6E646E73 2E6F7267
  3121301F 06092A86 4886F70D 01090216 12707574 696D6972 2E64796E 646E732E
  6F726730 819F300D 06092A86 ...
  quit
dot11 mbssid
dot11 syslog
!
dot11 ssid xxx
 vlan 1
 authentication open
 authentication key-management wpa
 mbssid guest-mode
 wpa-psk ascii 7 065359701E68001C170E2A58
!
dot11 ssid xxx_free
 vlan 2
 authentication open
 mbssid guest-mode
!
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.99
ip dhcp excluded-address 192.168.1.151 192.168.1.254
!
ip dhcp pool xxx
 import all
 network 192.168.1.0 255.255.255.0
 domain-name xxx.dyndns.org
 default-router 192.168.1.1
 dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 lease 7
!
ip dhcp pool xxx
 import all
 network 192.168.2.0 255.255.255.0
 domain-name xxx.dyndns.org
 default-router 192.168.2.1
 dns-server xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
 lease 7
!
!
ip cef
no ip bootp server
ip domain name dyndns.org
ip ddns update method DynDNS
 HTTP
  add http://xxx:xxx@members.dyndns.org/nic/update?hostname=<h>&myip=<a>
 interval maximum 2 0 0 0
!
ip reflexive-list timeout 60
login block-for 100 attempts 5 within 60
login on-failure log
login on-success log
no ipv6 cef
!
multilink bundle-name authenticated
!
password encryption aes
!
!
username vpnclient privilege 5 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username root privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
crypto logging session
crypto logging ezvpn
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key 6 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
crypto isakmp key 6 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address xxx.xxx.xxx.xxx no-xauth
crypto isakmp keepalive 300 10
!
crypto isakmp client configuration group VPNCLIENT_CNFGROUP
 key 6 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 domain xxx.net
 pool vpnpool
 acl ezvpn
 include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP_AES_MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set ESP_AES_SHA esp-aes esp-sha-hmac
!
!
!
crypto ipsec client ezvpn HKOM
 connect manual
 group INTERNET key 6 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 mode client
 peer xxx.xxx.xxx.xxx default
 peer xxx.xxx.xxx.xxx
 nat allow
 nat acl ACL_VPN_1
 xauth userid mode interactive
!
!
crypto dynamic-map CRYPTO_DYNMAP_1 1
 set transform-set ESP_AES_MD5 ESP_AES_SHA ESP-3DES-MD5 ESP-3DES-SHA
 reverse-route
!
!
!
crypto map CRYPTO_MAP_1 client authentication list VPN_USERS
crypto map CRYPTO_MAP_1 isakmp authorization list VPN_GROUP
crypto map CRYPTO_MAP_1 client configuration address respond
crypto map CRYPTO_MAP_1 10 ipsec-isakmp
 description VPN xx
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address ACL_VPN_3
 reverse-route
crypto map CRYPTO_MAP_1 20 ipsec-isakmp
 description VPN xx
 set peer xxx.xxx.xxx.xxx
 set transform-set ESP-3DES-SHA
 match address ACL_VPN_2
 reverse-route
crypto map CRYPTO_MAP_1 99 ipsec-isakmp dynamic CRYPTO_DYNMAP_1
!
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh rsa keypair-name xxx.dyndns.org
ip ssh logging events
ip ssh version 2
!
class-map match-all cmap_freenet
 match access-group name qos_freenet
!
!
policy-map pmap_freenet
 class cmap_freenet
  police 1000000 35000
!
bridge irb
!
!
!
interface Loopback0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
!
interface Null0
 no ip unreachables
!
interface BRI0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 encapsulation hdlc
 shutdown
!
interface Dot11Radio0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 !
 encryption vlan 1 mode ciphers aes-ccm tkip
 !
 !
 broadcast-key vlan 1 change 600
 !
 broadcast-key vlan 2 change 600
 !
 !
 ssid xxx
 !
 ssid xxx_free
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no ip redirects
 no ip unreachables
 ip flow ingress
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.2
 encapsulation dot1Q 2
 no ip redirects
 no ip unreachables
 ip flow ingress
 no cdp enable
 bridge-group 2
 bridge-group 2 subscriber-loop-control
 bridge-group 2 spanning-disabled
 bridge-group 2 block-unknown-source
 no bridge-group 2 source-learning
 no bridge-group 2 unicast-flooding
!
interface Dot11Radio1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 no mbssid
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 description WAN
 mac-address 0019.3011.ba44
 ip ddns update hostname xxx.dyndns.org
 ip address dhcp
 ip access-group wan_inbound in
 ip access-group wan_outbound out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map CRYPTO_MAP_1
 crypto ipsec client ezvpn HKOM
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface Vlan2
 no ip address
 bridge-group 2
!
interface BVI1
 description LAN
 ip address 192.168.1.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn HKOM inside
!
interface BVI2
 description LAN_free_net
 ip address 192.168.2.1 255.255.255.0
 ip access-group freenet in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
 ip nat inside
 ip virtual-reassembly
 service-policy output pmap_freenet
!
ip local pool sslpool 192.168.10.51 192.168.10.60
ip local pool vpnpool 192.168.10.45 192.168.10.50
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 xx.xxx.xx.xx
no ip http server
no ip http secure-server
!
!
ip nat inside source static tcp 192.168.1.10 3306 interface FastEthernet0 3306
ip nat inside source static tcp 192.168.1.10 222 interface FastEthernet0 222
ip nat inside source static tcp 192.168.1.10 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.1.6 21 interface FastEthernet0 21
ip nat inside source static tcp 192.168.1.6 20 interface FastEthernet0 20
ip nat inside source route-map RMAP_NAT interface FastEthernet0 overload
!
ip access-list extended ACL_NAT
 remark ------- ACL_NAT ---------------------------------------------
 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.40.245.0 0.0.0.255
 deny ip 192.168.1.0 0.0.0.255 10.4.16.0 0.0.7.255
 deny ip 192.168.10.0 0.0.0.255 10.10.1.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
ip access-list extended ACL_VPN_1
 permit ip 192.168.1.0 0.0.0.255 10.4.16.0 0.0.7.255
ip access-list extended ACL_VPN_2
 permit ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 10.40.245.0 0.0.0.255
ip access-list extended ACL_VPN_3
 permit ip 192.168.1.0 0.0.0.255 10.10.1.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 10.10.1.0 0.0.0.255
ip access-list extended ezvpn
 remark ------- Split Tunnel ACL ------------------------------------
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 10.10.1.0 0.0.0.255 any
ip access-list extended freenet
 deny ip any 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended qos_freenet
 permit ip any any
ip access-list extended wan_inbound
 remark ======= Incoming traffic RuLeZ ==============================
 permit tcp any any established
 remark ------- DHCP -----------------------------------------------
 permit udp any eq bootps any eq bootpc log
 remark ------- Drop RuLeZ ------------------------------------------
 deny ip 192.168.0.0 0.0.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 127.0.0.0 0.255.255.255 any log
 deny ip 255.0.0.0 0.255.255.255 any log
 deny ip 224.0.0.0 31.255.255.255 any log
 deny tcp any any eq 445
 remark ------- IPSEC -----------------------------------------------
 permit ahp any any
 permit esp any any
 permit gre any any
 permit udp any any eq 10000
 permit tcp any any eq 10000
 permit tcp any any eq 4500
 permit udp any any eq non500-isakmp
 permit udp any any eq isakmp
 permit udp any any eq domain
 remark ------- Permit SSL VPN --------------------------------------
 permit tcp any any eq www
 permit tcp any any eq 443
 remark ------- Permit DNS --------------------------------------
 permit udp host xxx.x.xx.xx eq domain any
 permit udp host xxx.x.xx.xx eq domain any
 remark ------- SNTP time server ------------------------------------
 permit udp host xxx.x.xx.xx eq ntp any
 permit udp host xxx.x.xx.xx eq ntp any
 evaluate udptraffic
 remark ------- ICMP ------------------------------------------------
 permit icmp any any echo
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit icmp any any packet-too-big
 permit icmp any any redirect
 remark ------- Cleanup ---------------------------------------------
 deny ip any any log
ip access-list extended wan_outbound
 permit udp any eq 14672 any
 permit udp any eq 16881 any
 permit udp any any reflect udptraffic timeout 300
 permit ip any any
!
logging trap debugging
logging 192.168.1.6
access-list 10 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
no cdp run
arp 192.168.1.200 0019.3011.ba44 ARPA
!
!
!
!
route-map RMAP_NAT permit 10
 match ip address ACL_NAT
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
bridge 2 protocol ieee
bridge 2 route ip
alias exec acl sh ip acce
alias exec mem sh proc mem
alias exec webuser show webvpn session user vpnclient context all | inc IP | STC
alias exec ul cop run tftp://192.168.1.2/
alias exec dl cop tftp://192.168.1.2/
alias exec sip sh ip int brie | e unass
alias exec cpu sh proc cpu his
alias exec sri sh run | i
alias exec hkom crypto ipsec client ezvpn connect HKOM
alias exec crypt sh cry ips cli ez ; sh cry se
alias exec auth crypto ipsec client ezvpn xauth
!
line con 0
line aux 0
line vty 0 4
 session-timeout 240
 exec-timeout 240 0
 access-class 23 in
 privilege level 15
 transport preferred ssh
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input telnet ssh
!
exception memory minimum 1048576
scheduler max-task-time 5000
scheduler interval 500
no process cpu extended
no process cpu autoprofile hog
!
webvpn gateway c1812w
 hostname xxx.dyndns.org
 ip address xx.xx.xx.xx port 443
 ssl trustpoint xxx.dyndns.org
 logging enable
 inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
!
webvpn context webvpn
 title "xxx.net"
 logo file flash:webvpn/xxx.gif
 color #004c4c
 secondary-color #004c4c
 title-color #004c4c
 ssl authenticate verify all
 !
 url-list "webs"
   heading "Webs"
   url-text "xxx" url-value "http://192.168.1.6"
   url-text "xxx" url-value "http://192.168.1.10/Simple/index.htm"
   url-text "xxx" url-value "http://192.168.1.6:81/gui"
 !
 nbns-list "Win$"
   nbns-server 192.168.1.2
   nbns-server 192.168.1.6 master
 !
 cifs-url-list "Kompjutri"
   heading "Kompjutri"
   url-text "JUR-DL (C$)" url-value "//192.168.1.6/c$"
   url-text "JUR (C$)" url-value "//192.168.1.2/c$"
   url-text "JUR (D$)" url-value "//192.168.1.2/d$"
   url-text "JUR (E$)" url-value "//192.168.1.2/e$"
   url-text "JUR (F$)" url-value "//192.168.1.2/f$"
   url-text "JUR (G$)" url-value "//192.168.1.2/g$"
   url-text "JUR (H$)" url-value "//192.168.1.2/h$"
   url-text "JUR (I$)" url-value "//192.168.1.2/i$"
   url-text "JUR (T$)" url-value "//192.168.1.2/t$"
 !
 port-forward "Applications"
   local-port 1974 remote-server "192.168.1.10" remote-port 80 description "xxx"
   local-port 81 remote-server "192.168.1.6" remote-port 81 description "xxx"
   local-port 82 remote-server "192.168.1.6" remote-port 80 description "xxx"
   local-port 3390 remote-server "192.168.1.6" remote-port 3389 description "xxx"
   local-port 22 remote-server "192.168.1.1" remote-port 22 description "xxx"
 !
 policy group policy_1
   url-list "webs"
   cifs-url-list "xxx"
   port-forward "xxx"
   nbns-list "xxx$"
   functions file-access
   functions file-browse
   functions file-entry
   functions svc-enabled
   timeout idle 3600
   timeout session 1209600
   svc address-pool "sslpool"
   svc keep-client-installed
   svc keepalive 300
   svc rekey time 14400
   svc rekey method new-tunnel
   svc split include 192.168.1.0 255.255.255.0
   svc split include 10.10.1.0 255.255.255.0
 default-group-policy policy_1
 aaa authentication list VPN_USERS
 gateway c1812w
 user-profile location flash:/webvpn
 logging enable
 inservice
!
end

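Before pasting a running-config into a forum, as this thread asks for, check what it still contains. `service password-encryption` only applies type 7 encoding, which is a fixed-key XOR and fully reversible, so the type 7 `wpa-psk` in the config above is effectively disclosed; type 5 (`$1$`) secrets are MD5-crypt and can be cracked offline; type 6 keys are AES-encrypted under the router's master key and are only as safe as that key. The Python below is an added example, not the poster's code: it decodes type 7 blobs with the publicly known table and classifies each credential line. The sample config is constructed (its type 7 blob is the well-known encoding of "cisco"), and nothing from the config above is decoded here.

```python
"""Classify the credential lines left in an IOS config before it is shared.
Added example for this thread, not the poster's code; the sample config is
constructed and carries no real secret."""
import re
from typing import List, Tuple

# Type 7 is a keyed XOR against this fixed, publicly known string; the first two
# digits of the blob are the decimal offset into it.  Obfuscation, not encryption.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def decode_type7(blob: str) -> str:
    offset = int(blob[:2], 10)
    plain = []
    for i, pos in enumerate(range(2, len(blob), 2)):
        byte = int(blob[pos:pos + 2], 16)
        plain.append(chr(byte ^ ord(XLAT[(offset + i) % len(XLAT)])))
    return "".join(plain)

# Constructed sample; 094F471A1A0A is the well-known type 7 encoding of 'cisco'.
SAMPLE_CONFIG = """\
service password-encryption
enable secret 5 $1$salt$notarealhashnotarealhash/
wpa-psk ascii 7 094F471A1A0A
crypto isakmp key 6 ZZZZZZZZZZZZZZZZ address 203.0.113.1 no-xauth
username admin privilege 15 password 7 094F471A1A0A
"""

def audit_secrets(config: str) -> List[Tuple[int, str, str]]:
    """(line number, class, detail) for each line that carries a stored credential."""
    found = []
    for n, line in enumerate(config.splitlines(), 1):
        m = re.search(r"\s7 ([0-9A-Fa-f]{4,})\s*$", line)
        if m:  # reversible: anyone holding the config holds the secret
            found.append((n, "type7-reversible", decode_type7(m.group(1))))
        elif re.search(r"\s(secret|password) 5 \$1\$", line):
            found.append((n, "type5-md5crypt", "offline-crackable; rotate if the config was shared"))
        elif re.search(r"\s(key|password|secret) 6 \S+", line):
            found.append((n, "type6-aes", "only as safe as the router's master key"))
    return found

if __name__ == "__main__":
    for lineno, kind, detail in audit_secrets(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {detail}")
```

The practical rule this encodes: replace type 7 values with `xxx` before posting (or better, never set them, since `secret` and type 6 exist), and treat any type 5 hash that has been posted as a password that now has to be rotated.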