01-02-2018 11:41 AM - edited 03-08-2019 01:16 PM
Hi,
I have built up a training network with a C891F router.
The router has the internal IP 192.168.51.1 and the outside IP 192.168.50.216.
The VPN clients get an IP address from 192.168.52.100 - 192.168.52.150.
This is all working.
Now I want to set up access lists.
I set up an access list:
ip access-list extended OUTSIDE-IN
permit udp any any eq isakmp non500-isakmp
permit ip 192.168.52.0 0.0.0.255 any
deny ip any any
ip access-list extended INSIDE-OUT
permit ip any any
and on the WAN interface:
interface GigabitEthernet8
ip address dhcp
ip access-group OUTSIDE-IN in
ip access-group INSIDE-OUT out
duplex auto
speed auto
crypto map map1
and now the clients cannot ping the router.
Where is my error?
01-02-2018 02:58 PM
You are still missing ESP in your ACL. This is the correct ACL:
ip access-list extended OUTSIDE-IN
permit esp any any
permit udp any any eq isakmp non500-isakmp
deny ip any any
01-02-2018 02:31 PM
Is the rest of the VPN working? Can they ping internal systems? At least if there is no NAT between client and router, you also need to allow IP/50 (ESP). And the "permit ip 192.168.52.x ..." is not needed nowadays (it was needed a very long time ago).
01-02-2018 02:40 PM - edited 01-02-2018 02:42 PM
I can only connect to the VPN but cannot ping anything. Here is the complete config. I want to set up an Easy VPN for training. I have now set an ACL in the crypto group but it is not working.
version 15.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
!
aaa authentication login VPN1 local
aaa authorization network VPN2 local
!
!
!
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.51.1 192.168.51.10
ip dhcp excluded-address 192.168.51.100 192.168.51.254
!
ip dhcp pool LAN
network 192.168.51.0 255.255.255.0
default-router 192.168.51.1
dns-server 192.168.51.1
!
!
!
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891FW-E-K9 sn xxxxxxxxxxxxx
!
!
username user secret 5 $1$mAfgfgfgfdgfdggfk4V0bDmw.
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group cisco
key Key123
pool VPNPOOL
acl 120
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map map1 10
set transform-set set1
!
!
crypto map map1 client authentication list VPN1
crypto map map1 isakmp authorization list VPN2
crypto map map1 client configuration address respond
crypto map map1 10 ipsec-isakmp dynamic map1
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address dhcp
ip access-group OUTSIDE-IN in
ip inspect FW out
duplex auto
speed auto
crypto map map1
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
ip address 192.168.51.1 255.255.255.0
!
interface Vlan10
ip address 192.168.52.1 255.255.255.0
!
interface Async3
no ip address
encapsulation slip
!
ip local pool VPNPOOL 192.168.52.100 192.168.52.150
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.50.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
!
ip access-list extended INSIDE-OUT
permit ip any any
ip access-list extended OUTSIDE-IN
permit udp any any eq isakmp non500-isakmp
deny ip any any
!
!
access-list 120 permit ip 192.168.51.0 0.0.0.255 192.168.52.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
end
01-02-2018 02:49 PM - edited 01-02-2018 02:50 PM
No, I cannot ping anything. And no, I don't want NAT. I have set routes between the routers.
Here is the complete config. Maybe you can help me to fix it.
version 15.3
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
no logging console
!
aaa new-model
!
!
aaa authentication login VPN1 local
aaa authorization network VPN2 local
!
!
!
!
!
aaa session-id common
service-module wlan-ap 0 bootimage autonomous
!
!
!
!
!
!
!
ip dhcp excluded-address 192.168.51.1 192.168.51.10
ip dhcp excluded-address 192.168.51.100 192.168.51.254
!
ip dhcp pool LAN
network 192.168.51.0 255.255.255.0
default-router 192.168.51.1
dns-server 192.168.51.1
!
!
!
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW ftp
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C891FW-E-K9 sn xxxxxxxxxxxxx
!
!
username user secret 5 $1$mfgdgrhrrfsgR2k4V0bDmw.
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group cisco
key Key123
pool VPNPOOL
acl 120
!
!
crypto ipsec transform-set set1 esp-3des esp-md5-hmac
mode tunnel
!
!
!
crypto dynamic-map map1 10
set transform-set set1
!
!
crypto map map1 client authentication list VPN1
crypto map map1 isakmp authorization list VPN2
crypto map map1 client configuration address respond
crypto map map1 10 ipsec-isakmp dynamic map1
!
!
!
!
!
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
isdn termination multidrop
!
interface FastEthernet0
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0
no ip address
!
interface GigabitEthernet1
no ip address
!
interface GigabitEthernet2
no ip address
!
interface GigabitEthernet3
no ip address
!
interface GigabitEthernet4
no ip address
!
interface GigabitEthernet5
no ip address
!
interface GigabitEthernet6
no ip address
!
interface GigabitEthernet7
no ip address
!
interface GigabitEthernet8
ip address dhcp
ip access-group OUTSIDE-IN in
ip inspect FW out
duplex auto
speed auto
crypto map map1
!
interface Wlan-GigabitEthernet8
no ip address
!
interface wlan-ap0
description Embedded Service module interface to manage the embedded AP
no ip address
!
interface Vlan1
ip address 192.168.51.1 255.255.255.0
!
interface Vlan10
ip address 192.168.52.1 255.255.255.0
!
interface Async3
no ip address
encapsulation slip
!
ip local pool VPNPOOL 192.168.52.100 192.168.52.150
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip route 0.0.0.0 0.0.0.0 192.168.50.1
ip route 0.0.0.0 0.0.0.0 GigabitEthernet8
!
ip access-list extended INSIDE-OUT
permit ip any any
ip access-list extended OUTSIDE-IN
permit udp any any eq isakmp non500-isakmp
deny ip any any
!
!
access-list 120 permit ip 192.168.51.0 0.0.0.255 192.168.52.0 0.0.0.255
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line 3
modem InOut
speed 115200
flowcontrol hardware
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
end
01-02-2018 03:05 PM
Wow, thank you - now it works ;o))
Is it possible to connect with an AnyConnect client to this kind of VPN?
01-02-2018 03:11 PM
In general yes, but not with that config. And you need to license the AnyConnect client.
01-02-2018 03:14 PM
OK, thank you for your help.
01-02-2018 03:39 PM
How can I get information about the AnyConnect licence?
01-03-2018 12:01 AM
AnyConnect Licensing Frequently Asked Questions (FAQ)
Here is a guide for configuring the router for AnyConnect. A little bit older, but should still work:
AnyConnect: Configure Basic SSLVPN for IOS Router Headend With the Use of CLI
01-03-2018 01:21 AM
Perfect, thank you. I have ordered a FL-WEBVPN-10-K9 pack for my C891F router. I also have a C891FW for testing. Is it possible to activate a demo WebVPN licence on the test router to try it out first?
01-03-2018 01:49 AM
Not sure how you ordered that, as this license is EOS. And even if you could buy it, I expect that it won't give you any download rights for the AnyConnect software. As pointed out in the ordering guide and FAQ, you need the AnyConnect PLUS license.
01-09-2018 04:14 AM
I bought it from a dealer on eBay. I got the licence, but there is no PAK code included, only a letter: "This letter serves as a feature license that entitles you to activate WebVPN in one Cisco IOS device...." How can I activate the licence in my router now?
01-09-2018 09:16 AM
OK, it was an RTU (right to use) license. The dealer is now giving me a FL-SSLVPN10-K9, which is a license with a PAK code. I hope I can activate it. It is also EOL, but I only need it for private training. Licensing is very complicated with Cisco ;o))