Hi, I have used SDM v2.3.1 to configure my Easy VPN server. I have a Cisco 2811 with 12.4.6T Enterprise IOS. My Exchange server is internal, so I use NAT to translate to the local IP address. When the Easy VPN server is set up, SDM blocks outgoing packets from 192.168.102.11 (Exchange) to outside, but I fixed that ACL, which is now allowing. But when I connect via the VPN client I can't send information to port 25. If I do a port scan of 192.168.102.11 I can only see ports 80 and 21 open, not 25.
Here is my running config:
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname DE****
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
no logging buffered
enable secret 5 $1$oO4D$.JXhbtZVee6sJiMSC4NZ21
!
aaa new-model
!
aaa authentication login local_authen local
aaa authentication login sdm_vpn_xauth_ml_1 group radius
aaa authentication login sdm_vpn_xauth_ml_2 group radius local
aaa authentication login sdm_vpn_xauth_ml_3 group radius local
aaa authorization exec local_author local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
no ip source-route
ip tcp synwait-time 10
!
ip cef
!
no ip bootp server
ip domain name darntonelgee.co.uk
ip name-server 158.***.***.72
ip name-server 158.***.***.1
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name de-fw-policy1 appfw de-fw-policy1
ip inspect name de-fw-policy1 http
ip inspect name de-fw-policy1 icmp
ip inspect name de-fw-policy1 h323
ip inspect name de-fw-policy1 realaudio
ip inspect name de-fw-policy1 vdolive
ip inspect name de-fw-policy1 streamworks
ip inspect name de-fw-policy1 rtsp
ip inspect name de-fw-policy1 netshow
ip inspect name de-fw-policy1 https
ip inspect name de-fw-policy1 tcp timeout 3600
ip inspect name de-fw-policy1 udp timeout 15
ip inspect name de-fw-policy1 dns
ip inspect name de-fw-policy1 irc alert on
ip inspect name de-fw-policy1 telnet
ip ips sdf location flash://256MB.sdf autosave
ip ips sdf location flash://attack-drop.sdf autosave
ip ips notify SDEE
ip ips name sdm_ips_rule
!
appfw policy-name de-fw-policy1
 application http
  strict-http action allow alarm
  port-misuse p2p action reset alarm
  audit-trail off
  timeout 3600
!
voice-card 0
 no dspfarm
!
crypto pki trustpoint ***_Certificate
 enrollment selfsigned
 serial-number none
 ip-address none
 subject-name CN=**, OU=**, O=**, ST=**, C=**
 revocation-check crl
 rsakeypair ****_Certificate_RSAKey 512
!
crypto pki certificate chain DEgateway_Certificate
 ....
!
username deadmin privilege 15 secret 5 $1$j845$7juTQtOfJYus7gvE2DD4w.
!
class-map match-any sdm_p2p_kazaa
 match protocol fasttrack
class-map match-any sdm_p2p_edonkey
 match protocol edonkey
class-map match-any sdm_p2p_gnutella
 match protocol gnutella
class-map match-any sdm_p2p_bittorrent
 match protocol bittorrent
!
policy-map sdmappfwp2p_de-fw-policy1
 class sdm_p2p_gnutella
  drop
 class sdm_p2p_bittorrent
  drop
 class sdm_p2p_edonkey
  drop
 class sdm_p2p_kazaa
  drop
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group de-vpn-staff-group
 key elg33
 dns 192.168.102.10
 wins 192.168.102.10
 domain d***************
 pool de-vpn-ip-pool
 acl 103
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
 qos pre-classify
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
interface Null0
 no ip unreachables
!
interface Loopback0
 description Do not delete - SDM WebVPN generated interface
 ip address 192.168.1.1 255.255.255.252
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/0
 description LAN (inside)$FW_INSIDE$$ETH-LAN$
 ip address 192.168.102.254 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
interface FastEthernet0/1
 description WAN (outside)$FW_OUTSIDE$$ETH-WAN$
 ip address 194.***.***.*** 255.255.255.240
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nbar protocol-discovery
 ip flow ingress
 ip flow egress
 ip nat outside
 ip inspect de-fw-policy1 in
 ip inspect de-fw-policy1 out
 ip ips sdm_ips_rule in
 ip ips sdm_ips_rule out
 no ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
 service-policy input sdmappfwp2p_de-fw-policy1
 service-policy output sdmappfwp2p_de-fw-policy1
!
interface Serial0/0/0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 clock rate 2000000
!
ip local pool de-vpn-ip-pool 192.168.101.0 192.168.101.10
ip route 0.0.0.0 0.0.0.0 194.***.***.142 permanent
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http access-class 2
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.1 443 194.***.***.129 4443 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.102.11 25 194.***.***.135 25 extendable
!
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 2 remark HTTP Access-class list
access-list 2 remark SDM_ACL Category=1
access-list 2 permit 192.168.102.0 0.0.0.255
access-list 2 deny any
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 192.168.102.11 eq smtp any
access-list 100 permit udp host 192.168.102.10 eq domain any
access-list 100 permit ip any host 192.168.102.254
access-list 100 permit udp host 192.168.102.10 eq 1645 host 192.168.102.254
access-list 100 permit udp host 192.168.102.10 eq 1646 host 192.168.102.254
access-list 100 deny ip 194.***.***.128 0.0.0.15 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit ip 192.168.101.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 101 permit udp any host 194.***.***.129 eq non500-isakmp
access-list 101 permit udp any host 194.***.***.129 eq isakmp
access-list 101 permit esp any host 194.***.***.129
access-list 101 permit ahp any host 194.***.***.129
access-list 101 permit udp host 158.43.12.1 eq domain any
access-list 101 permit udp host 158.43.128.72 eq domain any
access-list 101 permit tcp any host 194.***.***.129 eq www
access-list 101 permit tcp any host 194.***.***.129 eq 4443
access-list 101 permit tcp any host 194.***.***.129 eq 443
access-list 101 permit tcp any host 194.***.***.135 eq smtp
access-list 101 deny ip 192.168.102.0 0.0.0.255 any log
access-list 101 permit icmp any host 194.***.***.129 echo-reply
access-list 101 permit icmp any host 194.***.***.129 time-exceeded
access-list 101 permit icmp any host 194.***.***.129 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any log
access-list 102 remark VTY Access-class list
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 192.168.102.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 103 remark SDM_ACL Category=4
access-list 103 permit ip 192.168.102.0 0.0.0.255 any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.0
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.1
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.2
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.3
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.4
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.5
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.6 log
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.7
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.8
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.9
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.10
access-list 104 deny ip host 192.168.1.1 any log
access-list 104 permit ip 192.168.102.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=2
access-list 105 deny ip host 192.168.1.1 host 192.168.101.10
access-list 105 deny ip host 192.168.1.1 host 192.168.101.9
access-list 105 deny ip host 192.168.1.1 host 192.168.101.8
access-list 105 deny ip host 192.168.1.1 host 192.168.101.7
access-list 105 deny ip host 192.168.1.1 host 192.168.101.6 log
access-list 105 deny ip host 192.168.1.1 host 192.168.101.5
access-list 105 deny ip host 192.168.1.1 host 192.168.101.4
access-list 105 deny ip host 192.168.1.1 host 192.168.101.3
access-list 105 deny ip host 192.168.1.1 host 192.168.101.2
access-list 105 deny ip host 192.168.1.1 host 192.168.101.1
access-list 105 deny ip host 192.168.1.1 host 192.168.101.0
access-list 105 permit ip host 192.168.1.1 any log
access-list 106 remark SDM_ACL Category=2
access-list 106 permit ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
route-map SDM_RMAP_2 permit 1
 match ip address 105
!
route-map SDM_RMAP_3 permit 1
 match ip address 106
!
radius-server host 192.168.102.10 auth-port 1645 acct-port 1646 key 7
!
control-plane
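One configuration detail worth checking against the config above, added here as an editor's example rather than anything from the original post and not verified on this router: on IOS, an inside-to-outside packet is routed first and translated second, so the Exchange server's reply to a VPN client (routed to FastEthernet0/1 by the reverse-route) is matched by the static entry `ip nat inside source static tcp 192.168.102.11 25 ...`. That entry has no route-map, so the reply leaves with the public address as its source, which the client never spoke to, and the SMTP handshake fails. Ports 80 and 21 are only covered by the overload entry, whose route-map SDM_RMAP_1 (ACL 104) explicitly denies server-to-pool traffic, and the 443 static entry is protected the same way by SDM_RMAP_2 (ACL 105). The Python script below models that rule: it parses a constructed subset of the config (pool trimmed to three addresses, public addresses replaced by the 198.51.100.0/24 documentation range; function names are mine) and reports static entries that would rewrite replies to pool addresses. It models only `access-list ... ip` entries and `match ip address` route-maps.

```python
"""Static-NAT vs. Easy VPN reply-path check (added example, not from the original post).

Reports static NAT entries with no route-map, or with a route-map whose ACL still
permits server -> VPN-pool traffic, because those rewrite the reply's source
address before the crypto map sees it. Only 'access-list N permit|deny ip ...'
entries and 'match ip address N' route-map clauses are modelled.
"""
import ipaddress
import re

# Constructed sample modelled on the post: pool trimmed to three addresses,
# public addresses replaced with the 198.51.100.0/24 documentation range.
SAMPLE_CONFIG = """\
ip local pool de-vpn-ip-pool 192.168.101.1 192.168.101.3
ip nat inside source static tcp 192.168.1.1 443 198.51.100.129 4443 route-map SDM_RMAP_2 extendable
ip nat inside source static tcp 192.168.102.11 25 198.51.100.135 25 extendable
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.1
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.2
access-list 104 deny ip 192.168.102.0 0.0.0.255 host 192.168.101.3
access-list 104 permit ip 192.168.102.0 0.0.0.255 any
access-list 105 deny ip host 192.168.1.1 host 192.168.101.1
access-list 105 deny ip host 192.168.1.1 host 192.168.101.2
access-list 105 deny ip host 192.168.1.1 host 192.168.101.3
access-list 105 permit ip host 192.168.1.1 any log
route-map SDM_RMAP_1 permit 1
 match ip address 104
route-map SDM_RMAP_2 permit 1
 match ip address 105
"""


def _addr_spec(tokens, i):
    """Consume one ACL address spec (any | host A | A WILDCARD); return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    addr, wildcard = tokens[i], tokens[i + 1]
    if wildcard == "0.0.0.0":            # 'A 0.0.0.0' is the same as 'host A'
        return ipaddress.ip_network(addr + "/32"), i + 2
    if wildcard == "255.255.255.255":    # 'A 255.255.255.255' is the same as 'any'
        return ipaddress.ip_network("0.0.0.0/0"), i + 2
    # ipaddress accepts an IOS wildcard (hostmask) after the slash
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), i + 2


def parse_config(text):
    """Extract the VPN pool, extended IP ACL entries, route-maps and static NAT entries."""
    pool, acls, route_maps, statics, current_rm = [], {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        tokens = line.split()
        if line.startswith("ip local pool "):
            start, end = (int(ipaddress.ip_address(a)) for a in tokens[4:6])
            pool = [ipaddress.ip_address(n) for n in range(start, end + 1)]
        elif line.startswith("access-list ") and tokens[2] in ("permit", "deny") and tokens[3] == "ip":
            src, i = _addr_spec(tokens, 4)
            dst, _ = _addr_spec(tokens, i)
            acls.setdefault(tokens[1], []).append((tokens[2], src, dst))
        elif line.startswith("route-map "):
            current_rm = tokens[1]
            route_maps.setdefault(current_rm, []).append([tokens[2], None])
        elif line.startswith("match ip address ") and current_rm:
            route_maps[current_rm][-1][1] = tokens[3]
        elif line.startswith("ip nat inside source static "):
            m = re.match(r"ip nat inside source static(?: (?:tcp|udp))? (\S+)(?: (\d+))? (\S+)(?: \d+)?(.*)$", line)
            rm = re.search(r"route-map (\S+)", m.group(4))
            statics.append((m.group(1), m.group(2), rm.group(1) if rm else None))
    return pool, acls, route_maps, statics


def _acl_permits(entries, src, dst):
    """First-match evaluation of an extended IP ACL with the implicit deny at the end."""
    for action, srcnet, dstnet in entries:
        if src in srcnet and dst in dstnet:
            return action == "permit"
    return False


def _nat_applies(route_maps, acls, rm_name, src, dst):
    """Would the static entry translate a src -> dst packet? Without a route-map it always does."""
    if rm_name is None:
        return True
    for action, acl_num in route_maps.get(rm_name, []):
        if acl_num and _acl_permits(acls.get(acl_num, []), src, dst):
            return action == "permit"
    return False          # no sequence matched: packet is not translated


def find_rewritten_replies(config_text):
    """Map 'local:port' of each static entry to the pool addresses whose replies it would rewrite."""
    pool, acls, route_maps, statics = parse_config(config_text)
    findings = {}
    for local, port, rm_name in statics:
        server = ipaddress.ip_address(local)
        hit = [str(c) for c in pool if _nat_applies(route_maps, acls, rm_name, server, c)]
        if hit:
            findings[f"{local}:{port or 'any'}"] = hit
    return findings


if __name__ == "__main__":
    for entry, clients in find_rewritten_replies(SAMPLE_CONFIG).items():
        print(f"{entry}: replies to VPN clients {', '.join(clients)} are rewritten; "
              "attach a route-map whose ACL denies server -> pool (as SDM_RMAP_2 / ACL 105 does)")
```

Run against the sample it flags only the port 25 entry. Attaching `route-map SDM_RMAP_1` to that entry (the same `route-map` keyword the 443 entry already uses) makes the report empty, because ACL 104 denies 192.168.102.0/24 to every pool address before its final permit; `show ip nat translations` on the router, taken while a VPN client connects to port 25, shows directly whether the reply is being translated.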