VPN client connect to CISCO 887 VPN Server bat they stop at router!!

Similar Messages

• VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.1.4)
  |
  |
  CISCO-887 (192.168.1.254)
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on windows 7 machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
  I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Perhaps ACL problem?
  Building configuration...
  Current configuration : 4921 bytes
  ! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname TestLab
  boot-start-marker
  boot-end-marker
  enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki trustpoint TP-self-signed-3013130599
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3013130599
  revocation-check none
  rsakeypair TP-self-signed-3013130599
  crypto pki certificate chain TP-self-signed-3013130599
  certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
  33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
  9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
  8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
  C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
  AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
  03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
  2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
  AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
  B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
  B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
  CBB28E7A E91A090D 53DAD1A0 3F66A3
  quit
  no ip domain lookup
  ip cef
  no ipv6 cef
  license udi pid CISCO887VA-K9 sn ***********
  username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key NetasTest
  dns 8.8.4.4
  pool VPN-Pool
  acl 120
  crypto isakmp profile ciscocp-ike-profile-1
  match identity group EXTERNALS
  client authentication list ciscocp_vpn_xauth_ml_2
  isakmp authorization list ciscocp_vpn_group_ml_2
  client configuration address respond
  virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 8/35
  pppoe-client dial-pool-number 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip address 192.168.2.1 255.255.255.0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Dialer0
  ip address negotiated
  ip mtu 1452
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ****
  ppp chap password 0 *********
  ppp pap sent-username ****** password 0 *******
  no cdp enable
  ip local pool VPN-Pool 192.168.2.210 192.168.2.215
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 100 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 100 remark
  access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 100 remark
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 120 remark
  access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  line con 0
  exec-timeout 5 30
  password ******
  no modem enable
  line aux 0
  line vty 0 4
  password ******
  transport input all
  end
  Best Regards,

  I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin  and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
  router#sh crypto session detail 
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection     
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Dialer0
  Uptime: 00:40:37
  Session status: UP-ACTIVE     
  Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 192.168.1.100
        Desc: (none)
    IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
            Capabilities:(none) connid:2001 lifetime:07:19:22
    IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
          Active SAs: 4, origin: dynamic crypto map
          Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
          Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

• Remote access VPN clients connected to Internet from VPN

  Greetings,
  I need to let remote VPN clients to connect to Internet from the same ASA VPN server
  " client connects to ASA through VPN tunnel from outside interface then access Internet from the same ASA from outside interface again
  thanks

  you'll need to configure 'same-security-traffic permit intra-interface' on the ASA .
  Also, need to setup the corresponding nat statements for your clients pool range.
  i.e.
  global (outside) 1 interface
  nat (outside) 1 access-list anyconnectacl
  where anyconnectacl is the pool for your clients:
  access-list anyconnectacl permit ip 172.16.1.0 255.255.255.0 any

• Will Nortel's Contivity VPN Client work with Cisco's VPN 3000 concentrator?

  Hi, need help. We have VPN 3000 concentrator and a number of VPN clients (these are using Cisco VPN client).
  We have one user that wants to use Nortel's Contivity VPN Client. Will this work with the Cisco COncentrator 3000?

  Tricky question - in theory yes, if the nortel client follows all the ISPEC RFC's.
  I did try to get the cisco VPN client working on a Nortel Contivity once - did not get it working - but did'nt have that much time to test and get it working.
  My advise - Configure, TEST DEBUG TEST DEBUG!

• Which ports to open in PIX for outgoing Cisco VPN client connections ?

  I have Cisco vpn clients behind the PIX and i want them to connect to a vpn 3005 which i behind another PIX . Can anybody tell me which ports i have to open on both the PIX firewalls ?

  It depends on how you have deployed your VPN Remote Access users.
  By default, if you enable IPSec-Over-TCP or IPSec-over-UDP, then port 10000 is used for both, these methods are Cisco Proprietary and can be changed.
  If you use NAT-T (NAT Traversal), the Standards-based implementation, then it uses UDP-4500).
  either way, the operation of the VPN depends on:
  1) Whether these service have been enable on the VPN Concentrator
  2) Enabling the relevant transport settings on the VPN Client connection Properties.
  Regarding the PIX infront of the VPNC3005, you will need to allow these above ports inbound to your VPNC3005 Public interface.
  Locally, it depends if you filter outbound connections through your PIX. If you don't, then the PIX will allow the connection for the VPN Client attempting to access the remote VPNC3005

• Mac Lion VPN client connectivity

  We are looking to get VPN client connectivity from Mac Lion laptops to a Cisco ASA.  Windows users work ok, and Mac can connect but they will not resolve internal dns addresses so they will not pass any data. Is there any special configuration needed on the ASA or MAC?

  Hi
  Could you post the log from the client and the router please?

• VPN client connected to VPN but can't ping or access to server

  HI ,
  i need help urgently, had been troubleshooting for a day, but have no ideal what wrong with the config.
  Basically there is 2 set of VPN configured, one is site to site IPSEC VPN and another one is connect via VPN client software coexist in same router.
  This recently we having problem on client can't access or ping to internal server which is 192.168.6.3 from VPN client software.
  VPN client will connect to VPN ip pool as10.20.1.0 to 10.20.1.100
  Software itself shown connected but request time out when ping.
  Below is the config. Some of the command might be extra as when i did some test, but end up didn't work.
  aaa new-model
  aaa authentication login userauthen local
  aaa authorization network adminmap group VPNClient
  aaa authorization network groupauthor local
  aaa authorization network map-singapore local
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key emptyspace address 203.142.83.218 no-xauth
  crypto isakmp keepalive 15 periodic
  crypto isakmp client configuration address-pool local ippool
  crypto isakmp client configuration group map-singapore
  key cisco123
  dns 192.168.6.3
  domain cisco.com
  pool ippool
  acl 102
  crypto isakmp profile VPNclient
     match identity address 27.54.43.210 255.255.255.255
     match identity group vpnclient
     client authentication list userauthen
     client configuration address respond
  crypto ipsec security-association idle-time 86400
  crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
  crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
  crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
  crypto dynamic-map dynmap 10
  set transform-set DYNSET
  set isakmp-profile VPNclient
  reverse-route
  crypto map VPNMAP client authentication list userauthen
  crypto map VPNMAP isakmp authorization list map-singapore
  crypto map VPNMAP client configuration address respond
  crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
  crypto map VPNMAP 11 ipsec-isakmp
  description VPN to ASA5520
  set peer 203.142.83.218
  set security-association lifetime kilobytes 14608000
  set security-association lifetime seconds 86400
  set transform-set REMSET
  match address 100
  interface GigabitEthernet0/0
  ip address 27.54.43.210 255.255.255.240
  ip nat outside
  no ip virtual-reassembly
  duplex full
  speed 100
  crypto map VPNMAP
  interface GigabitEthernet0/1
  ip address 192.168.6.1 255.255.255.0
  ip nat inside
  no ip virtual-reassembly
  duplex full
  speed 100
  interface GigabitEthernet0/2
  description $ES_LAN$
  no ip address
  shutdown
  duplex auto
  speed auto
  ip local pool ippool 10.20.1.0 10.20.1.100
  ip forward-protocol nd
  ip pim bidir-enable
  no ip http server
  ip http authentication local
  no ip http secure-server
  ip nat inside source list 1 interface GigabitEthernet0/0 overload
  ip nat inside source list 101 interface GigabitEthernet0/0 overload
  ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
  ip nat inside source static 192.168.6.3 27.54.43.212
  ip route 0.0.0.0 0.0.0.0 27.54.43.209
  ip route 192.168.1.0 255.255.255.0 27.54.43.209
  ip route 192.168.151.0 255.255.255.0 192.168.6.151
  ip route 192.168.208.0 255.255.255.0 27.54.43.209
  ip access-list extended RA_SING
  permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
  permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
  permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
  permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
  deny   ip any any log
  access-list 1 remark Local Network
  access-list 1 permit 192.168.6.0 0.0.0.255
  access-list 1 permit 192.168.102.0 0.0.0.255
  access-list 1 permit 192.168.151.0 0.0.0.255
  access-list 2 remark VPNClient-range
  access-list 2 permit 10.0.0.0 0.255.255.255
  access-list 10 permit 192.168.6.0 0.0.0.255
  access-list 10 permit 192.168.102.0 0.0.0.255
  access-list 10 permit 192.168.151.0 0.0.0.255
  access-list 10 permit 10.0.0.0 0.255.255.255
  access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
  access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
  access-list 101 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 101 permit ip 10.0.0.0 0.255.255.255 any
  access-list 101 permit ip 192.168.6.0 0.0.0.255 any
  access-list 102 permit ip 10.0.0.0 0.255.255.255 any
  access-list 120 deny   ip any any log
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 120 deny   ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
  no cdp run
  route-map nonat permit 10
  match ip address 120
  control-plane
  alias isakmp-profile sh crypto isakmp sa
  alias exec ipsec sh crypto ipsec sa
  banner motd ^CC^C

  I did not try to ping 4.2.2.2. I just know I can not ping comcasts dns servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago, I don't understand what could have changed that I would now need a static DNS.

• Inside lan is not reachable even after cisco Remote access vpn client connected to router C1841 But can ping to the router inside interface and loop back interface but not able to ping even to the directly connected inside device..??

  Hii frnds,
  here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
  Below is the out put from the router
  r1#sh run
  Building configuration...
  Current configuration : 3488 bytes
  ! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
  ! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
  version 15.1
  service config
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname r1
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
  aaa new-model
  aaa authentication login local-console local
  aaa authentication login userauth local
  aaa authorization network groupauth local
  aaa session-id common
  dot11 syslog
  ip source-route
  ip cef
  ip domain name r1.com
  multilink bundle-name authenticated
  license udi pid CISCO1841 sn FHK145171DM
  username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
  username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
  redundancy
  crypto isakmp policy 10
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group ra-vpn
  key xxxxxx
  domain r1.com
  pool vpn-pool
  acl 150
  save-password
    include-local-lan
  max-users 10
  crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
  crypto dynamic-map RA 1
  set transform-set my-vpn
  reverse-route
  crypto map ra-vpn client authentication list userauth
  crypto map ra-vpn isakmp authorization list groupauth
  crypto map ra-vpn client configuration address respond
  crypto map ra-vpn 1 ipsec-isakmp dynamic RA
  interface Loopback0
  ip address 10.2.2.2 255.255.255.255
  interface FastEthernet0/0
  bandwidth 8000000
  ip address 117.239.xx.xx 255.255.255.240
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map ra-vpn
  interface FastEthernet0/1
  description $ES_LAN$
  ip address 192.168.10.252 255.255.255.0 secondary
  ip address 10.10.10.1 255.255.252.0 secondary
  ip address 172.16.0.1 255.255.252.0 secondary
  ip address 10.10.7.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex auto
  speed auto
  ip local pool vpn-pool 172.18.1.1   172.18.1.100
  ip forward-protocol nd
  ip http server
  ip http authentication local
  no ip http secure-server
  ip dns server
  ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
  ip nat inside source list 100 pool INTERNETPOOL overload
  ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
  access-list 100 permit ip 10.10.7.0 0.0.0.255 any
  access-list 100 permit ip 10.10.10.0 0.0.1.255 any
  access-list 100 permit ip 172.16.0.0 0.0.3.255 any
  access-list 100 permit ip 192.168.10.0 0.0.0.255 any
  access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
  access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
  access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
  control-plane
  line con 0
  login authentication local-console
  line aux 0
  line vty 0 4
  login authentication local-console
  transport input telnet ssh
  scheduler allocate 20000 1000
  end
  r1>sh ip route
  Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
         D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
         N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
         E1 - OSPF external type 1, E2 - OSPF external type 2
         i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
         ia - IS-IS inter area, * - candidate default, U - per-user static route
         o - ODR, P - periodic downloaded static route, + - replicated route
  Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
  S*    0.0.0.0/0 [1/0] via 117.239.xx.xx
        10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
  C        10.2.2.2/32 is directly connected, Loopback0
  C        10.10.7.0/24 is directly connected, FastEthernet0/1
  L        10.10.7.1/32 is directly connected, FastEthernet0/1
  C        10.10.8.0/22 is directly connected, FastEthernet0/1
  L        10.10.10.1/32 is directly connected, FastEthernet0/1
        117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
  C        117.239.xx.xx/28 is directly connected, FastEthernet0/0
  L        117.239.xx.xx/32 is directly connected, FastEthernet0/0
        172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
  C        172.16.0.0/22 is directly connected, FastEthernet0/1
  L        172.16.0.1/32 is directly connected, FastEthernet0/1
        172.18.0.0/32 is subnetted, 1 subnets
  S        172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
        192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
  C        192.168.10.0/24 is directly connected, FastEthernet0/1
  L        192.168.10.252/32 is directly connected, FastEthernet0/1
  r1#sh crypto isakmp sa
  IPv4 Crypto ISAKMP SA
  dst             src             state          conn-id status
  117.239.xx.xx   49.206.59.86    QM_IDLE           1043 ACTIVE
  IPv6 Crypto ISAKMP SA
  r1 #sh crypto ipsec sa
  interface: FastEthernet0/0
      Crypto map tag: giet-vpn, local addr 117.239.xx.xx
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
     remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
     current_peer 49.206.59.86 port 50083
       PERMIT, flags={}
      #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
      #pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 0, #recv errors 0
       local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
       path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
       current outbound spi: 0x550E70F9(1427009785)
       PFS (Y/N): N, DH group: none
       inbound esp sas:
        spi: 0x5668C75(90606709)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550169/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
        spi: 0x550E70F9(1427009785)
          transform: esp-3des esp-md5-hmac ,
          in use settings ={Tunnel UDP-Encaps, }
          conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
          sa timing: remaining key lifetime (k/sec): (4550170/3437)
          IV size: 8 bytes
          replay detection support: Y
          Status: ACTIVE
       outbound ah sas:
       outbound pcp sas:

  hi  Maximilian Schojohann..
  First i would like to Thank you for showing  interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF "  Router cpu processer goes to 99% and hangs...
  In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
  so plz give me an alternate solution ....thanks in advance....

• IOS VPN will not respond to Cisco VPN Client connections.

  Hi all,
  I am about to set my routers on fire here.
  I have two 2921 ISRs both with Security licenses on separate leased lines. I have configured one to accept VPN connections from our Cisco VPN Client remote workers.
  I have followed the set up process I used on another site with an 1841/Sec router and the same clients and I have also checked against the config given in the latest IOS15 EasyVPN guide.
  With all debugs active, all I see is
  038062: Dec  8 14:03:04.519: ISAKMP (0): received packet from x.y.z.z dport 500 sport 60225 Global (N) NEW SA
  038063: Dec  8 14:03:04.519: ISAKMP: Created a peer struct for x.y.z.z, peer port 60225
  038064: Dec  8 14:03:04.519: ISAKMP: New peer created peer = 0x3972090C peer_handle = 0x8001D881
  038065: Dec  8 14:03:04.523: ISAKMP: Locking peer struct 0x3972090C, refcount 1 for crypto_isakmp_process_block
  038066: Dec  8 14:03:04.523: ISAKMP:(0):Setting client config settings 3E156D70
  038067: Dec  8 14:03:10.027: ISAKMP (0): received packet from x.y.z.z dport 500 sport 60225 Global (R) MM_NO_STATE
  Below is the abridged config.
  System image file is "flash0:c2900-universalk9-mz.SPA.154-1.T1.bin"
  aaa new-model
  aaa authentication login default local
  aaa authentication login VPNAUTH local
  aaa authorization exec default local
  aaa authorization network VPN local
  aaa session-id common
  crypto isakmp policy 10
   encr aes
   authentication pre-share
   group 14
  crypto isakmp client configuration group VPN
   key ****-****-****-****
   dns 192.168.177.207 192.168.177.3
   domain xxx.local
   pool VPNADDRESSES
   acl REVERSEROUTE
  crypto ipsec transform-set HASH esp-aes esp-sha-hmac
   mode tunnel
  crypto ipsec profile IPSECPROFILE
   set transform-set HASH
  crypto dynamic-map VPN 1
   set transform-set HASH
   reverse-route
  crypto map VPN client authentication list VPNAUTH
  crypto map VPN isakmp authorization list VPN
  crypto map VPN client configuration address respond
  crypto map VPN 65535 ipsec-isakmp dynamic VPN
  ip local pool VPNADDRESSES 172.16.198.16 172.16.198.31
  ip access-list extended REVERSEROUTE
   permit ip 192.168.0.0 0.0.255.255 any
   permit ip 10.0.0.0 0.0.0.255 any
  ip access-list extended FIREWALL
   2 permit udp any host a.b.c.d eq non500-isakmp
   3 permit udp any host a.b.c.d eq isakmp
   4 permit ahp any host a.b.c.d
   5 permit esp any host a.b.c.d
  If anyone can see anything wrong, I would be so pleased and it would save the destruction of an ostensibly innocent router.
  Thanks,
  Paul

  > I actually love you. Thank you so much.
  Sorry, I'm married ... ;-)
  > Im not using a virtual template. Can I get away without the Crypto Map if I use one...? All my tunnels are VTIs
  oh yes, I could have seen that ...
  crypto isakmp profile VPN-RA
  match identity group VPN
  client authentication list VPNAUTH
  isakmp authorization list VPN
  client configuration address respond
  virtual-template 1
  interface Virtual-Template1 type tunnel
  description Tunnel fuer Cisco VPN-Client
  ip unnumbered GigabitEthernet0/0
  ip virtual-reassembly in
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile IPSECPROFILE
  Your isakmp-config and ipsec profile stays the same.

• No Internet access after cisco vpn client connection

  Hi Experts,
  Kindly check below config.the problem is  vpn is connected but no internet access
  on computer after connecting vpn
  ASA Version 8.0(2)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  names
  interface Ethernet0/0
   nameif outside
   security-level 0
   ip address 192.168.10.10 255.255.255.0
  interface Ethernet0/1
   nameif inside
   security-level 100
   ip address 192.168.14.12 255.255.255.0
  interface Ethernet0/2
   shutdown
   no nameif
   no security-level
   no ip address
  interface Ethernet0/3
   shutdown
   no nameif
   no security-level
   no ip address
  interface Management0/0
   shutdown
   no nameif
   no security-level
   no ip address
  passwd 2KFQnbNIdI.2KYOU encrypted
  ftp mode passive
  access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
  access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.2
  55.240
  pager lines 24
  mtu inside 1500
  mtu outside 1500
  ip local pool testpool 192.168.14.240-192.168.14.250
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list INSIDE_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.14.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
  crypto dynamic-map dyn1 1 set transform-set setFirstSet
  crypto dynamic-map dyn1 1 set reverse-route
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 43200
  crypto isakmp policy 65535
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  username testuser password IqY6lTColo8VIF24 encrypted
  username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
  tunnel-group mphone type remote-access
  tunnel-group mphone general-attributes
   address-pool testpool
  tunnel-group mphone ipsec-attributes
   pre-shared-key *
  prompt hostname context
  Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
  : end
  ciscoasa#

  Hi Harish,
  Please check the o/ps below and route print in attached file
  Latest ASA Config
  ASA Version 8.0(2)
  hostname ciscoasa
  enable password 8Ry2YjIyt7RRXU24 encrypted
  names
  interface Ethernet0/0
   nameif outside
   security-level 0
   ip address 192.168.10.10 255.255.255.0
  interface Ethernet0/1
   nameif inside
   security-level 100
   ip address 192.168.14.12 255.255.255.0
  interface Ethernet0/2
   shutdown
   no nameif
   no security-level
   no ip address
  interface Ethernet0/3
   shutdown
   no nameif
   no security-level
   no ip address
  interface Management0/0
   shutdown
   no nameif
   no security-level
   no ip address
  passwd 2KFQnbNIdI.2KYOU encrypted
  ftp mode passive
  access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
  access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.0 255.255.255
  .0
  pager lines 24
  mtu outside 1500
  mtu inside 1500
  ip local pool testpool 192.168.15.240-192.168.15.250
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout uauth 0:05:00 absolute
  dynamic-access-policy-record DfltAccessPolicy
  http server enable
  http 192.168.14.0 255.255.255.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
  crypto dynamic-map dyn1 1 set transform-set setFirstSet
  crypto dynamic-map dyn1 1 set reverse-route
  crypto map mymap 1 ipsec-isakmp dynamic dyn1
  crypto map mymap interface outside
  crypto isakmp enable outside
  crypto isakmp policy 1
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 43200
  crypto isakmp policy 65535
   authentication pre-share
   encryption 3des
   hash sha
   group 2
   lifetime 86400
  no crypto isakmp nat-traversal
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  class-map inspection_default
   match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
   parameters
    message-length maximum 512
  policy-map global_policy
   class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
  service-policy global_policy global
  group-policy mphone internal
  group-policy mphone attributes
   split-tunnel-policy tunnelspecified
   split-tunnel-network-list value dubai_splitTunnelAcl
  username testuser password IqY6lTColo8VIF24 encrypted privilege 15
  username testuser attributes
   vpn-group-policy mphone
  username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
  username khans attributes
   vpn-group-policy mphone
  tunnel-group mphone type remote-access
  tunnel-group mphone general-attributes
   address-pool testpool
  tunnel-group mphone ipsec-attributes
   pre-shared-key *
  prompt hostname context
  Cryptochecksum:12308d7ff6c6df3d71181248e8d38ba8
  : end
  ciscoasa#
  Route Print after vpn connection 
  C:\>route print
  ===========================================================================
  Interface List
  0x1 ........................... MS TCP Loopback interface
  0x40003 ...00 24 01 a2 e6 f1 ...... D-Link DFE-520TX PCI Fast Ethernet Adapter -
   Packet Scheduler Miniport
  0x250004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Schedule
  r Miniport
  ===========================================================================
  ===========================================================================
  Active Routes:
  Network Destination        Netmask          Gateway       Interface  Metric
            0.0.0.0          0.0.0.0     192.168.10.1  192.168.10.211       20
          127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
       192.168.10.0    255.255.255.0   192.168.10.211  192.168.10.211       20
     192.168.10.211  255.255.255.255        127.0.0.1       127.0.0.1       20
     192.168.10.255  255.255.255.255   192.168.10.211  192.168.10.211       20
       192.168.14.0    255.255.255.0     192.168.15.1  192.168.15.240       1
       192.168.15.0    255.255.255.0   192.168.15.240  192.168.15.240       20
     192.168.15.240  255.255.255.255        127.0.0.1       127.0.0.1       20
     192.168.15.255  255.255.255.255   192.168.15.240  192.168.15.240       20
      213.42.233.97  255.255.255.255     192.168.10.1  192.168.10.211       1
          224.0.0.0        240.0.0.0   192.168.10.211  192.168.10.211       20
          224.0.0.0        240.0.0.0   192.168.15.240  192.168.15.240       20
    255.255.255.255  255.255.255.255   192.168.10.211  192.168.10.211       1
    255.255.255.255  255.255.255.255   192.168.15.240  192.168.15.240       1
  Default Gateway:      192.168.10.1
  ===========================================================================
  Persistent Routes:
    None
  C:\>
  C:\>ipconfig /all
  Windows IP Configuration
          Host Name . . . . . . . . . . . . : asu
          Primary Dns Suffix  . . . . . . . :
          Node Type . . . . . . . . . . . . : Unknown
          IP Routing Enabled. . . . . . . . : No
          WINS Proxy Enabled. . . . . . . . : No
  Ethernet adapter Local Area Connection 7:
          Connection-specific DNS Suffix  . :
          Description . . . . . . . . . . . : D-Link DFE-520TX PCI Fast Ethernet A
  dapter
          Physical Address. . . . . . . . . : 00-24-01-A2-E6-F1
          Dhcp Enabled. . . . . . . . . . . : No
          IP Address. . . . . . . . . . . . : 192.168.10.211
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . : 192.168.10.1
          DNS Servers . . . . . . . . . . . : 213.42.20.20
                                              195.229.241.222
  Ethernet adapter Local Area Connection 8:
          Connection-specific DNS Suffix  . :
          Description . . . . . . . . . . . : Cisco Systems VPN Adapter
          Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
          Dhcp Enabled. . . . . . . . . . . : No
          IP Address. . . . . . . . . . . . : 192.168.15.240
          Subnet Mask . . . . . . . . . . . : 255.255.255.0
          Default Gateway . . . . . . . . . :

• Cisco VPN Client connects, but doesn't....

  Have an issue where the workstation connects to the remote router using Cisco VPN Client successfully, but cannot receive traffic, but can...... I can see the connection with sh cry isa sa, and can see the packets encrypt/decrypt via sh cry ipse sa, as well as see the encrypt/decrypt in the VPN Client status, these numbers match up with the number of pings that are sent across the tunne.  I can also see the ougoing and incoming packets with wireshark on the Cisco adapter on the workstation that is connected over the tunnel, icmp to:x.x.x.37 from:x.x.x.100, icmp from:x.x.x.100 to:x.x.x.37. Even with wireshark seeing the traffic, the requests time out. Any ideas?

  Matthew,
  If you are seeing packets encrypted/decrypted on both sites, but not getting an actual response, it sounds like tough one.
  Have you tried disabling the client's firewall?
  Also, you to discard a possible problem with the VPN virtual adapter have you tried to uninstall/reinstall the VPN Client?
  Sorry, the suggetions I'm giving you are very basic but it definetely sounds kind of a weird problem...
  Let me know how it goes.
  Raga

• Cisco VPN Client - Connects but no shares

  My Windows IT folks configured Cisco VPN Client 4.9.0.1 (0100) on both the XP and Mac side of my MacBook Pro.
  Authentication works fine from both sides but none of the shared drives or folders mount on the Mac side. They do mount via Windows Explorer from the XP side. The configurations are exactly the same.
  From the Mac side using Terminal I am able to ping the various shared drives on the company server. How can I get them to mount.

  Hi KW and Welcome to Apple Discussions...
  You will receive more "views" to your post if you reposted in the Leopard forum... go here: http://discussions.apple.com/category.jspa?categoryID=235
  Carolyn

• Mavericks Server VPN client connection won't work

  I have read many of the problems regarding remote clients not being able to connect to Mavericks Server 3.0 via L2TP outside of the network.
  My understanding that Apple has fixed this with 3.02 update.
  Since the update, I tried to setup my first time VPN connection and am having similar problems to the noted prior issues.
  Mavericks Server has DNS, OD, and VPN setup and running with most current update as of 2/4/14.
  My Airport Extreme router is managed via Server App and has VPN ports opened.  Have shutoff Back to My Mac and Find my Mac also on the server.  I have also put in my hostname miniserver."example".com into the DNS on my Fatcow registrar pointing to my public IP address.   "example" obviously being my domain name.
  My Mavericks Macbook Pro has been setup with VPN client/shared secret and the public ip address of my router.  The Macbook will connect to the VPN inside the network, but will not connect outside of the local network.  Have tried setting up my home Mavericks iMac with the same result.
  Have read other discussions regarding copying the old racoon vpn from mountain lion server, but understand that shouldn't be necessary as Apple has allegedly fixed the problem.  Also do not want to have to redo everytime Apple pushes out a Server update.
  First time I have ever setup VPN and seems close, but not quite, to working.
  Thanks.....

  Select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
  Allow incoming IPSec authentication
  if it's not already checked, and save the change.

• I can connect my cisco mobile vpn but can't ping & access internal IP

  Hi somebody,
  i've configured mobile vpn configuration in cisco 7200 with GNS3. i can connect VPN to my cisco router with cisco vpn client software from outside. but i can't ping to internal ip and can't access internal resources.
  My Internal IP is 192.168.1.x . And IP for mobile VPN client from outside is 172.60.1.x.
  Your advise will be appreciate.
  here is my configuration with cisco 7200 in GNS 3,
  OfficeVPN_Router#sh run
  Building configuration...
  Current configuration : 2186 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname OfficeVPN_Router
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
  aaa new-model
  aaa authentication login userlist local
  aaa authorization network grouplist local
  aaa session-id common
  ip cef
  no ip domain lookup
  username asm privilege 15 password 0 pncsadmin
  username user privilege 15 password 0 pncsadmin
  username user1 privilege 15 password 0 pncsadmin
  username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
  crypto isakmp policy 10
  encr aes
  authentication pre-share
  group 2
  crypto isakmp client configuration group MWG
  key cisco
  dns 165.21.83.88
  pool vpnpool
  acl 101
  netmask 255.255.0.0
  crypto ipsec transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  reverse-route
  crypto map mymap client authentication list userlist
  crypto map mymap isakmp authorization list grouplist
  crypto map mymap client configuration address initiate
  crypto map mymap client configuration address respond
  crypto map mymap 10 ipsec-isakmp dynamic dynmap
  interface FastEthernet0/0
  no ip address
  shutdown
  duplex half
  interface FastEthernet1/0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex full
  speed 100
  interface FastEthernet1/1
  ip address 200.200.200.200 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map mymap
  ip local pool vpnpool 172.60.1.10 172.60.1.100
  no ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 200.200.200.201
  no ip http server
  no ip http secure-server
  ip nat inside source list 111 interface FastEthernet1/1 overload
  access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
  access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
  access-list 111 permit ip any any
  control-plane
  gatekeeper
  shutdown
  line con 0
  exec-timeout 0 0
  password cisco123
  logging synchronous
  stopbits 1
  line aux 0
  stopbits 1
  line vty 0 4
  password cisco123
  end
  OfficeVPN_Router#sh ver
  Cisco IOS Software, 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
  Technical Support: http://www.cisco.com/techsupport
  Copyright (c) 1986-2009 by Cisco Systems, Inc.
  Compiled Tue 21-Apr-09 18:50 by prod_rel_team
  ROM: ROMMON Emulation Microcode
  BOOTLDR: 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
  OfficeVPN_Router uptime is 30 minutes
  System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
  System image file is "tftp://255.255.255.255/unknown"
  This product contains cryptographic features and is subject to United
  States and local country laws governing import, export, transfer and
  use. Delivery of Cisco cryptographic products does not imply
  third-party authority to import, export, distribute or use encryption.
  Importers, exporters, distributors and users are responsible for
  compliance with U.S. and local country laws. By using this product you
  agree to comply with applicable laws and regulations. If you are unable
  to comply with U.S. and local laws, return this product immediately.
  A summary of U.S. laws governing Cisco cryptographic products may be found at:
  http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
  If you require further assistance please contact us by sending email to
  [email protected].
  Cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
  Processor board ID 4279256517
  R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
  6 slot VXR midplane, Version 2.1
  Last reset from power-on
  PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
  Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
  This configuration is within the PCI bus capacity and is supported.
  PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
  Current configuration on bus mb2 has a total of 0 bandwidth points
  This configuration is within the PCI bus capacity and is supported.
  Please refer to the following document "Cisco 7200 Series Port Adaptor
  Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
  for c7200 bandwidth points oversubscription and usage guidelines.
  3 FastEthernet interfaces
  125K bytes of NVRAM.
  65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
  8192K bytes of Flash internal SIMM (Sector size 256K).
  Configuration register is 0x2102
  OfficeVPN_Router#

  Dear Javier ,
  Thanks for your info. i already tested as you say. but still i can't use & ping to my internal IP which is behind cisco VPN router. i posted my config file.
  OfficeVPN_Router(config)#ip access-list resequence 111 10 10
  OfficeVPN_Router(config)#do sh run
  Building configuration...
  Current configuration : 2201 bytes
  version 12.4
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname OfficeVPN_Router
  boot-start-marker
  boot-end-marker
  enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
  aaa new-model
  aaa authentication login userlist local
  aaa authorization network grouplist local
  aaa session-id common
  ip cef
  no ip domain lookup
  username asm privilege 15 password 0 pncsadmin
  username user privilege 15 password 0 pncsadmin
  username user1 privilege 15 password 0 pncsadmin
  username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
  crypto isakmp policy 10
  encr aes
  authentication pre-share
  group 2
  crypto isakmp client configuration group MWG
  key cisco
  dns 165.21.83.88
  pool vpnpool
  acl 101
  netmask 255.255.0.0
  crypto ipsec transform-set myset esp-aes esp-sha-hmac
  crypto dynamic-map dynmap 10
  set transform-set myset
  reverse-route
  crypto map mymap client authentication list userlist
  crypto map mymap isakmp authorization list grouplist
  crypto map mymap client configuration address initiate
  crypto map mymap client configuration address respond
  crypto map mymap 10 ipsec-isakmp dynamic dynmap
  interface FastEthernet0/0
  no ip address
  shutdown
  duplex half
  interface FastEthernet1/0
  ip address 192.168.1.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  duplex full
  speed 100
  interface FastEthernet1/1
  ip address 200.200.200.200 255.255.255.0
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  crypto map mymap
  ip local pool vpnpool 172.60.1.10 172.60.1.100
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 200.200.200.201
  no ip http server
  no ip http secure-server
  ip nat inside source list 111 interface FastEthernet1/1 overload
  access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
  access-list 111 deny   ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
  access-list 111 permit ip 192.168.1.0 0.0.0.255 any
  control-plane
  gatekeeper
  shutdown
  line con 0
  exec-timeout 0 0
  password cisco123
  logging synchronous
  stopbits 1
  line aux 0
  stopbits 1
  line vty 0 4
  password cisco123
  end

• WLC 5508 7.0.98.0 has vpn client connection issues

  Hi
  my guest ssid is set to L2 security none and L3 Web policy and authentication local. clients that need to connect to some vpn server (internet) are reporting disconnection issues with the vpn session but not the wireless network. as soon as they get connected via another wireless internet connection the vpn connection gets stable. that makes me thing is in deed the my wireless network the one causing issues.  is there a know issues with the web authentication WLAN and vpn clients?  no firewall in the middle.
  Exclusionlist.................................... Disabled
  Session Timeout.................................. Infinity
  CHD per WLAN..................................... Enabled
  Webauth DHCP exclusion........................... Disabled
  Interface........................................ xxxxxxxxxxxxxxxx
  WLAN ACL......................................... unconfigured
  DHCP Server...................................... Default
  DHCP Address Assignment Required................. Disabled
  --More or (q)uit current module or <ctrl-z> to abort
  Quality of Service............................... Bronze (background)
  Scan Defer Priority.............................. 4,5,6
  Scan Defer Time.................................. 100 milliseconds
  WMM.............................................. Allowed
  Media Stream Multicast-direct.................... Disabled
  CCX - AironetIe Support.......................... Enabled
  CCX - Gratuitous ProbeResponse (GPR)............. Disabled
  CCX - Diagnostics Channel Capability............. Disabled
  Dot11-Phone Mode (7920).......................... Disabled
  Wired Protocol................................... None
  IPv6 Support..................................... Disabled
  Passive Client Feature........................... Disabled
  Peer-to-Peer Blocking Action..................... Disabled
  Radio Policy..................................... All
  DTIM period for 802.11a radio.................... 1
  DTIM period for 802.11b radio.................... 1
  Radius Servers
     Authentication................................ Disabled
     Accounting.................................... Disabled
     Dynamic Interface............................. Disabled
  Local EAP Authentication......................... Disabled
  Security
     802.11 Authentication:........................ Open System
     Static WEP Keys............................... Disabled
     802.1X........................................ Disabled
     Wi-Fi Protected Access (WPA/WPA2)............. Disabled
     CKIP ......................................... Disabled
     Web Based Authentication...................... Enabled
          ACL............................................. Unconfigured
          Web Authentication server precedence:
          1............................................... local
     Web-Passthrough............................... Disabled
     Conditional Web Redirect...................... Disabled
     Splash-Page Web Redirect...................... Disabled
     Auto Anchor................................... Disabled
     H-REAP Local Switching........................ Disabled
     H-REAP Learn IP Address....................... Enabled
     Client MFP.................................... Optional but inactive (WPA2 not configured)
     Tkip MIC Countermeasure Hold-down Timer....... 60
  Call Snooping.................................... Disabled
  Roamed Call Re-Anchor Policy..................... Disabled
  Band Select...................................... Disabled
  Load Balancing................................... Disabled

  Thanks Scott,
  We have two controllers and all the APs (50) are associated with the primary Controller,what is the best path to follow for the upgrade.
  we don't have Field recoversy image installed on our controller, do we have to do the FSU upgrade?
  (Cisco Controller) >show sysinfo
  Manufacturer's Name.............................. Cisco Systems Inc.
  Product Name..................................... Cisco Controller
  Product Version.................................. 7.0.98.0
  Bootloader Version............................... 1.0.1
  Field Recovery Image Version..................... N/A
  Firmware Version................................. FPGA 1.3, Env 1.6, USB console                                                        1.27
  Build Type....................................... DATA + WPS
  System Name...................................... Airespace_01
  System Location..................................
  System Contact...................................
  System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
  IP Address....................................... 10.0.0.201
  Last Reset....................................... Power on reset
  System Up Time................................... 9 days 2 hrs 57 mins 21 secs
  System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)
  Current Boot License Level....................... base
  Current Boot License Type........................ Permanent
  Next Boot License Level.......................... base
  Next Boot License Type........................... Permanent
  Configured Country............................... Multiple Countries:US,CN,DE,TW,HK
  Is the below Upgrade Path make sense ?
  1. Upgrade the Primary controller and reboot- wait till all APs associate with primary controller and download the new image
  2. Upgrade the secondary controller and reboot
  3. Failover the APs to secondary controller and test
  Siddhartha