2821 router connecting via vpn cllient

[seandandrews]

i have tried numerous different ACLs. i can connect via the vpn client but can only ping as far as the router (internal address). can someone review my ios code and assist? thx

version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname evocap-nyc0
!
boot-start-marker
boot-end-marker
!
logging buffered 50000 warnings
no logging rate-limit
no logging console
enable password netq
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
!
!
ip cef
no ip dhcp conflict logging
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp-server 192.168.1.1
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username sean privilege 15 password 0 j^Mn0)*
username netq privilege 15 password 0 netq
username user password 0 cisco
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key ClownToClown address 206.81.255.74
!
crypto isakmp client configuration group evo
key l3tm31n!
dns 192.168.1.5
domain evocapman.com
pool vpnusers
acl 104
!
!
crypto ipsec transform-set officeVPN esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap
!
crypto map officeVPN 10 ipsec-isakmp
set peer 206.81.255.74
set transform-set officeVPN
match address 110
!
!
!
!
interface Loopback0
ip address 192.169.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0
ip address 208.105.16.234 255.255.255.248
ip nat outside
ip virtual-reassembly
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map clientmap
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
!
ip local pool vpnusers 10.10.10.100 10.10.10.199
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.105.16.233
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 103 interface GigabitEthernet0/0 overload
ip nat inside source static tcp 192.168.1.6 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 192.168.1.6 110 interface GigabitEthernet0/0 110
ip nat inside source static tcp 192.168.1.6 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.1.6 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.168.1.6 21 interface GigabitEthernet0/0 21
ip nat inside source static 192.168.1.6 208.105.16.237
ip nat inside source static 192.168.1.5 208.105.16.238
!
ip access-list extended sean
permit tcp any gt 1023 any eq smtp
permit tcp any gt 1023 any eq www
permit tcp any gt 1023 any eq pop3
!
access-list 102 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
access-list 154 permit ip any any
access-list 161 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CC
################################################## ########################
# #
# *** AUTHORIZED USERS ONLY *** #
# #
# This is a private network. #
# The unauthorized access, use or modification of this device, #
# network, the data contained herein, or in transit to and from #
# is a violation of federal, state, and local laws. #
# You must have explicit permission to configure the device or #
# or access the network. All activities on this device are #
# logged and the network is monitored. Persons violating the #
# system shall be prosecuted to the fullest extent permitted #
# by law. #
################################################## ########################
^C
!
line con 0
line aux 0
password frank
no flush-at-activation
line vty 0 4
exec-timeout 60 0
privilege level 15
password input ssh
no flush-at-activation
transport input telnet
!
scheduler allocate 20000 1000
ntp clock-period 17180871
ntp server 199.125.189.34
!
end

 

[burtsbees]

Get rid of this...

access-list 103 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255

and replace it with

access-list 103 deny ip any 10.10.10.0 0.0.0.255

route-map vpn permit 1
match address 103

no ip nat inside source list 103 interface GigabitEthernet0/0 overload
ip nat inside source route-map vpn int ge0/0 overload

Burt

 

[seandandrews]

thx muxh but having same problem: Internal IP is 192.168.1.0 ...


Current configuration : 5188 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
no service password-encryption
!
hostname evocap-nyc0
!
boot-start-marker
boot-end-marker
!
logging buffered 50000 warnings
no logging rate-limit
no logging console
enable password netq
!
aaa new-model
!
!
--More--  aaa authentication login userauthen local
aaa authorization network groupauthor local
!
aaa session-id common
clock timezone EST -5
clock summer-time EDT recurring
no ip source-route
!
!
ip cef
no ip dhcp conflict logging
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip dhcp-server 192.168.1.1
!
!
voice-card 0
no dspfarm
!
!
!
--More--  !
!
!
!
!
!
!
!
!
!
!
username sean privilege 15 password 0 j^Mn0)*
username netq privilege 15 password 0 netq
username user password 0 cisco
!
!
no ip ftp passive
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
--More--   group 2
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key ClownToClown address 206.81.255.74
!
crypto isakmp client configuration group evo
key l3tm31n!
dns 192.168.1.5
domain evocapman.com
pool vpnusers
acl 104
!
!
crypto ipsec transform-set officeVPN esp-des esp-md5-hmac
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 1
set transform-set myset
reverse-route
!
--More--  !
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 1 ipsec-isakmp dynamic dynmap
!
crypto map officeVPN 10 ipsec-isakmp
set peer 206.81.255.74
set transform-set officeVPN
match address 110
!
!
!
!
interface Loopback0
ip address 192.169.0.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface GigabitEthernet0/0
ip address 208.105.16.234 255.255.255.248
ip nat outside
ip virtual-reassembly
--More--   ip policy route-map VPN-Client
duplex auto
speed auto
crypto map clientmap
!
interface GigabitEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
duplex auto
speed auto
!
ip local pool vpnusers 10.10.10.100 10.10.10.199
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 208.105.16.233
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map vpn interface GigabitEthernet0/0 overload
--More--  ip nat inside source static tcp 192.168.1.6 3389 interface GigabitEthernet0/0 3389
ip nat inside source static tcp 192.168.1.6 110 interface GigabitEthernet0/0 110
ip nat inside source static tcp 192.168.1.6 80 interface GigabitEthernet0/0 80
ip nat inside source static tcp 192.168.1.6 25 interface GigabitEthernet0/0 25
ip nat inside source static tcp 192.168.1.6 21 interface GigabitEthernet0/0 21
ip nat inside source static 192.168.1.6 208.105.16.237
ip nat inside source static 192.168.1.5 208.105.16.238
!
ip access-list extended sean
permit tcp any gt 1023 any eq smtp
permit tcp any gt 1023 any eq www
permit tcp any gt 1023 any eq pop3
!
access-list 102 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 102 permit ip 192.168.0.0 0.0.255.255 any
access-list 103 deny ip any 10.10.10.0 0.0.0.255
access-list 103 permit ip 192.168.1.0 0.0.0.255 any
access-list 104 deny ip 192.168.1.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
access-list 150 permit ip 192.168.0.0 0.0.255.255 any
access-list 154 permit ip any any
--More--  access-list 161 permit ip 192.168.1.0 0.0.0.255 192.168.100.0 0.0.0.255
!
route-map vpn permit 1
match ip address 103
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
banner login ^CC
##########################################################################
# #
# *** AUTHORIZED USERS ONLY *** #
# #
--More--  # This is a private network. #
# The unauthorized access, use or modification of this device, #
# network, the data contained herein, or in transit to and from #
# is a violation of federal, state, and local laws. #
# You must have explicit permission to configure the device or #
# or access the network. All activities on this device are #
# logged and the network is monitored. Persons violating the #
# system shall be prosecuted to the fullest extent permitted #
# by law. #
##########################################################################
^C
!
line con 0
line aux 0
password frank
no flush-at-activation
line vty 0 4
exec-timeout 60 0
privilege level 15
password input ssh
no flush-at-activation
transport input telnet
!
--More--  scheduler allocate 20000 1000
ntp clock-period 17180871
ntp server 199.125.189.34
!
end

 

[AceOmega]

Have you found the solution?

I am having the same problem with my router, granted it is a 2611 and yes I deleted the NAT deny for my group as the other Bert suggested and still no luck. Just to add one more item to the simtoms...

- Can Ping the router and connect to CDM.
- Can NOT Ping Domain Controler or any other computer on LAN
- Can Access Workgroup Shared Drives from the peer computer on one of the computers on the LAN.

Its like the the IP is only flowing one way. Its got to be either in the Firewall or in the NAT. I have tryed every thing with NO success.

Jim

 

[AceOmega]

p.s.

TYPO

- Can Ping the router and connect to SDM.

I also checked into the Deny range on the NAT and I think you need it to prevent the NAT policies from interfearing with the IPsec policies but in either case it does not work.

Here is my configuration.



************************************************************
Building configuration...

Current configuration : 15248 bytes
!
! Last configuration change at 15:27:07 PCTime Wed Jul 9 2008 by admin
! NVRAM config last updated at 14:19:55 PCTime Wed Jul 9 2008 by admin
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco2611
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5 ********.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -7
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
no ip bootp server
ip domain name AZDFBLS.local
ip name-server 159.87.*****
ip name-server 159.87.*****
!
!
!
crypto pki server DFBLS
database archive pem password 7 106A581C111442000945
issuer-name CN=Dept. of Fire Building and Life Safety
cdp-url

http://159.87.*****

!
crypto pki trustpoint TP-self-signed-413735325
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-413735325
revocation-check none
rsakeypair TP-self-signed-413735325
!
crypto pki trustpoint DFBLS
revocation-check crl
rsakeypair DFBLS
!
!
crypto pki certificate chain TP-self-signed-413735325
certificate self-signed 01
****
quit
crypto pki certificate chain DFBLS
****
quit
username admin privilege 15 secret 5 $1$HLC/$AycUnHDPaqrCkF4wVh8GK.
!
!
!
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group DFBLS
key D1etc0ke!
pool SDM_POOL_2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SecureIP
set transform-set ESP-3DES-SHA
!
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$
ip address 10.100.100.2 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ES_WAN$$FW_OUTSIDE$
ip address 159.87.130.2 255.255.255.192
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
no mop enabled
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.100.100.200 10.100.100.254
ip local pool SDM_POOL_2 10.100.200.1 10.100.200.254
ip classless
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
!
ip access-list extended Phoenix
remark Share
remark SDM_ACL Category=4
permit ip any 10.100.0.0 0.0.255.255
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.100.100.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp any host 10.100.100.2 eq www
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 10.100.200.0 0.0.0.255 any
access-list 101 permit tcp any host 159.87.***** eq www
access-list 101 permit ip host 10.100.100.200 any
access-list 101 permit ip host 10.100.100.201 any
access-list 101 permit ip host 10.100.100.202 any
access-list 101 permit ip host 10.100.100.203 any
access-list 101 permit ip host 10.100.100.204 any
access-list 101 permit ip host 10.100.100.205 any
access-list 101 permit ip host 10.100.100.206 any
access-list 101 permit ip host 10.100.100.207 any
access-list 101 permit ip host 10.100.100.208 any
access-list 101 permit ip host 10.100.100.209 any
access-list 101 permit ip host 10.100.100.210 any
access-list 101 permit ip host 10.100.100.211 any
access-list 101 permit ip host 10.100.100.212 any
access-list 101 permit ip host 10.100.100.213 any
access-list 101 permit ip host 10.100.100.214 any
access-list 101 permit ip host 10.100.100.215 any
access-list 101 permit ip host 10.100.100.216 any
access-list 101 permit ip host 10.100.100.217 any
access-list 101 permit ip host 10.100.100.218 any
access-list 101 permit ip host 10.100.100.219 any
access-list 101 permit ip host 10.100.100.220 any
access-list 101 permit ip host 10.100.100.221 any
access-list 101 permit ip host 10.100.100.222 any
access-list 101 permit ip host 10.100.100.223 any
access-list 101 permit ip host 10.100.100.224 any
access-list 101 permit ip host 10.100.100.225 any
access-list 101 permit ip host 10.100.100.226 any
access-list 101 permit ip host 10.100.100.227 any
access-list 101 permit ip host 10.100.100.228 any
access-list 101 permit ip host 10.100.100.229 any
access-list 101 permit ip host 10.100.100.230 any
access-list 101 permit ip host 10.100.100.231 any
access-list 101 permit ip host 10.100.100.232 any
access-list 101 permit ip host 10.100.100.233 any
access-list 101 permit ip host 10.100.100.234 any
access-list 101 permit ip host 10.100.100.235 any
access-list 101 permit ip host 10.100.100.236 any
access-list 101 permit ip host 10.100.100.237 any
access-list 101 permit ip host 10.100.100.238 any
access-list 101 permit ip host 10.100.100.239 any
access-list 101 permit ip host 10.100.100.240 any
access-list 101 permit ip host 10.100.100.241 any
access-list 101 permit ip host 10.100.100.242 any
access-list 101 permit ip host 10.100.100.243 any
access-list 101 permit ip host 10.100.100.244 any
access-list 101 permit ip host 10.100.100.245 any
access-list 101 permit ip host 10.100.100.246 any
access-list 101 permit ip host 10.100.100.247 any
access-list 101 permit ip host 10.100.100.248 any
access-list 101 permit ip host 10.100.100.249 any
access-list 101 permit ip host 10.100.100.250 any
access-list 101 permit ip host 10.100.100.251 any
access-list 101 permit ip host 10.100.100.252 any
access-list 101 permit ip host 10.100.100.253 any
access-list 101 permit ip host 10.100.100.254 any
access-list 101 permit udp any host 159.87.***.*** eq non500-isakmp
access-list 101 permit udp any host 159.87.***.*** eq isakmp
access-list 101 permit esp any host 159.87.***.***
access-list 101 permit ahp any host 159.87.***.***
access-list 101 permit udp host 159.87.**** eq domain host 159.87.130.2
access-list 101 permit udp host 159.87.**** eq domain host 159.87.130.2
access-list 101 deny ip 10.100.100.0 0.0.0.255 any
access-list 101 permit icmp any host 159.87.***.*** echo-reply
access-list 101 permit icmp any host 159.87.***.*** time-exceeded
access-list 101 permit icmp any host 159.87.***.*** unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 10.100.100.200
access-list 102 deny ip any host 10.100.100.201
access-list 102 deny ip any host 10.100.100.202
access-list 102 deny ip any host 10.100.100.203
access-list 102 deny ip any host 10.100.100.204
access-list 102 deny ip any host 10.100.100.205
access-list 102 deny ip any host 10.100.100.206
access-list 102 deny ip any host 10.100.100.207
access-list 102 deny ip any host 10.100.100.208
access-list 102 deny ip any host 10.100.100.209
access-list 102 deny ip any host 10.100.100.210
access-list 102 deny ip any host 10.100.100.211
access-list 102 deny ip any host 10.100.100.212
access-list 102 deny ip any host 10.100.100.213
access-list 102 deny ip any host 10.100.100.214
access-list 102 deny ip any host 10.100.100.215
access-list 102 deny ip any host 10.100.100.216
access-list 102 deny ip any host 10.100.100.217
access-list 102 deny ip any host 10.100.100.218
access-list 102 deny ip any host 10.100.100.219
access-list 102 deny ip any host 10.100.100.220
access-list 102 deny ip any host 10.100.100.221
access-list 102 deny ip any host 10.100.100.222
access-list 102 deny ip any host 10.100.100.223
access-list 102 deny ip any host 10.100.100.224
access-list 102 deny ip any host 10.100.100.225
access-list 102 deny ip any host 10.100.100.226
access-list 102 deny ip any host 10.100.100.227
access-list 102 deny ip any host 10.100.100.228
access-list 102 deny ip any host 10.100.100.229
access-list 102 deny ip any host 10.100.100.230
access-list 102 deny ip any host 10.100.100.231
access-list 102 deny ip any host 10.100.100.232
access-list 102 deny ip any host 10.100.100.233
access-list 102 deny ip any host 10.100.100.234
access-list 102 deny ip any host 10.100.100.235
access-list 102 deny ip any host 10.100.100.236
access-list 102 deny ip any host 10.100.100.237
access-list 102 deny ip any host 10.100.100.238
access-list 102 deny ip any host 10.100.100.239
access-list 102 deny ip any host 10.100.100.240
access-list 102 deny ip any host 10.100.100.241
access-list 102 deny ip any host 10.100.100.242
access-list 102 deny ip any host 10.100.100.243
access-list 102 deny ip any host 10.100.100.244
access-list 102 deny ip any host 10.100.100.245
access-list 102 deny ip any host 10.100.100.246
access-list 102 deny ip any host 10.100.100.247
access-list 102 deny ip any host 10.100.100.248
access-list 102 deny ip any host 10.100.100.249
access-list 102 deny ip any host 10.100.100.250
access-list 102 deny ip any host 10.100.100.251
access-list 102 deny ip any host 10.100.100.252
access-list 102 deny ip any host 10.100.100.253
access-list 102 deny ip any host 10.100.100.254
access-list 102 permit ip 10.100.100.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
I hid my publics with *s.

 

[burtsbees]

Quick note on passwords, crypto key and group name...hide them! The password that's encrypted can easily be cracked...see this link

http://www.ifm.net.nz/cookbooks/passwordcracker.html

I will try and weed through all those acl's tomorrow...what happens if you shut the firewall off (no ip inspect DEFAULT100 out on fa0/0)? Also, try and remove acl 101 from fa0/0, just to narrow it down. That's the first thing I do when troubleshooting connectivity issues like this---remove acl's from the interface, and if that fixes it, then I can weed through it...so try those suggestions first and post back. Thanks.

Burt

 

[AceOmega]

Not sure if you found a solution to this problem or not but my solution was that I had two routers and I was not seeing the severs because I needed to add the gateway address for the CISCO router to the NICs on the server.