Cisco 877 - issue crypto card
We have implemented a L2L VPN between a cisco 877 and an ASA 5505.
On the side of 877, we have:
Dialer 0: connect to the internet and has a dynamic IP given by ISP
Loopback1: has a static IP address of the public IP range assigned.
VLAN 1: has a static private IP address for the local network
FE3: Interface conencted to lan
We have the following problem.
We have applied the card encryption to the loopback interface and with this configuration we can reach the interface of the internal router (VLAN 1 IP) from the internal network of ASA, but except that we cannot reach any host inside the router's lan.
If we apply the encryption card to the interface of FE3 we can ping also lan internal but we lose half of the ping and the return is high (500-800 ms applies rather than 70 to 80 when only 1 Loopback)
So I need some help here. What should be the correct configuration to have it all works well?
Thanks in advance
In the first configuration (crypto-map applied to the loopback interface), you can try this:
no ip (on Cisco 877) cef
CEF in many versions have similar problems of your of
Tags: Cisco Security
Similar Questions
-
VPN ipsec Cisco 877 <>- iphone
Hi, I'm trying implement the vpn ipsec between my cisco 877 and his iphone/cisco vpn client. First of all, what is the difference between remote access vpn and vpn installation easy? The phase 1 and the phase2 are completed but I don't have much traffic between peers.
Maybe I missed something conf? Should I add the roadmap with acl 101?
Here is the configuration of isakmp/ipsec.
ISAKMP crypto enable
session of crypto consignmentcrypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
life 3600
ISAKMP crypto keepalive 10
ISAKMP crypto nat keepalive 20
ISAKMP xauth timeout 90 cryptoISAKMP crypto client configuration group to distance-vpn
key to past
DNS 212.216.112.112
cisco877.local field
10 Max-users
Max-connections 10
pool remotely
ACL 150
Save-passwordCrypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
Crypto ipsec security association idle time 3600distance from dyn-crypto-dynamic-map 10
transformation-VPN-CLI-SET gamecard crypto remotemap local-address dialer0
card crypto client remotemap of authentication list userauthen
card crypto isakmp authorization list groupauthor remotemap
client configuration address card crypto remotemap answer
remotemap 65535 ipsec-isakmp crypto map distance Dynamics-dyninterface dialer0
remotemap card cryptoIP local pool remote control-pool 192.168.69.0 192.168.69.20
IP route 192.168.69.0 255.255.255.0 dialer0
no access list 150
REM list 150 * ACL split tunnel access *.
access-list 150 permit ip 10.0.77.0 0.0.0.255 192.168.69.0 0.0.0.255no access list 101
Note access-list 101 * ACL sheep *.
access-list 101 deny ip 10.0.77.0 0.0.0.255 192.168.69.0 0.0.0.255
access-list 101 permit ip 10.0.77.0 0.0.0.255 anyShould I apply this acl 101 loopback? Ex:
overload of IP nat inside source list 101 interface Loopback0
Should I apply an acl to permit as access-list 169 allow ip 192.168.69.0 0.0.0.255 any in my Dialer interface 0?
Other tips? Best regards.
Hi Alessandro,.
The access tunnel split list is great!
If you are NAT on public and private interface that is ip nat inside and ip nat outside etc.
You must add the command ip nat inside source list 101 interface Dialer0 overload
+++++++++++++++++++++++++++++++++++++++
Or you can create a new roadmap
new route map permit 10
ACL #match 101
command: ip nat inside the interface Dialer0 overload route map
Thank you
Adama
-
Hello
I'm trying to set up a VPN site-to site on a cisco 877 that connects to an ISA Server.
It fails on Phase 2 with the following error:
000320: * apr 21 12:11:07.028 PCTime: IPSEC (validate_proposal_request): proposal
Part #1
(Eng. msg key.) Local INCOMING = 83.X.X.X, distance = 87.X.X.X,.
local_proxy = 172.16.25.0/255.255.255.0/0/0 (type = 4),
remote_proxy = 87.x.x.x/255.255.255.255/0/0 (type = 1),
Protocol = ESP, transform = NONE (Tunnel),
lifedur = 0 and 0kb in
SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0
00323: * apr 21 12:11:07.028 PCTime: map_db_find_best found no corresponding card
00324: * apr 21 12:11:07.028 PCTime: IPSEC (ipsec_process_proposal): proxy identity
IES not supported
In accordance with the foregoing, it seems to be using the public IP address of the peer for the 'Remote_Proxy' and not the local network: 10.0.0.0, 255.0.0.0
In my definition of the crypto map, I have 'correspondence address 104", which is an access list which reads:
access-list 104. allow ip 172.16.25.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 104 deny ip 172.16.25.0 0.0.0.255 anyAnyone know what can be the problem?
Kind regards
Simon
If you can, try to ping from another device on the subnet 172.16.25.x.
-
Hello
I wonder if it is possible to have a configuration in IPSEC tunnel, in which one side of the tunnel is configured with static VTI and the traditional second with crypto-map.
If so, how the configuration on the crypto-Map site should be configured.
Thank you in advance for an answer.
Concerning
Lukas
Lukasz,
This config is impractical for several reasons.
VTI dictates that a "any any" proxy set ID is negotiated. While this works well on a virtual interface, where routing can push traffic to a specific interface, it will make ALL traffic is encrypted on crypto maps side and expect all traffic is encrypted when it is recived (because crypto card is part of ECAS in the Lane exit).
A more practical approach in the world of Cisco is multi SA DVTI, where a DVTI can put end to any kind of insider tunnel (i.e. allow us DVTI to manage several SAs under a virtual interface) it works very well in some cases.
You can have DVTI on your end and allow the clients to use almost anything (from ASIT cryptographic maps).
I'll shoot you as an email at the same time, a bit stuck on something at the moment.M.
-
Cisco 877 using draytek 2600 VPN
First I want to apologize for my complete lack of knowledge of cisco, I had the problem of replacing our dumped in my lap draytek routers
Here's the background
I have a cisco 877 router connected to our adsl broadband to our headquarters. I got this set instead of Nat and DHCP all working for allow multiple users internet access through our unique static ip address provided by the ISP lets say ip 1.2.3.4 address.
Our internal network is 192.168.1.0 255.255.255.0
I have a draytek vigor 2600 in a branch set up the same thing with a static IP address provided by the ISP allows to say that the investigation period is 5.6.7.8.
The internal network is 192.168.4.0 255.255.255.0
Here's the problem (except me)
I'm trying to set up a VPN between the head office and branch so that branch office users to connect to our internal server (lets say ip is 192.168.1.2) to receive group policies, access files and also telnet on our database server (lets say ip 192.168.1.3).
I have attached a kind of running the config that I restored the little I've read on this site and others. I tried these settings and other permutations of these settings, but I can't seem to establish a tunnel even if when I show tunnel0 int on the router it says tunnel is up and line protocol is up, if I show ip route shows that there is an ip address for the tunnel and it's all (no vpn indicator light lit).
Could someone please take a look at the file and see if it makes sense and I got the right information. I highlighted the parts, I'm not sure in red (quite a bit and obviously not the exact settings, but I think it should be).
And
Once all the settings are correct on the cisco it will automatically establish vpn or what I have to deal since the draytek.
Hello
Can activate you ' debug cry isa ' and ' debug cry ips "and post ehre. Looks like the acl, transform set crypto or pfs settings might be incompatible. Ensure that all parameters of phase 2 are adapted to both ends.
Kind regards
Assia
-
'Crypto card' to the in-house/internal interface. Possible?
Hi, I have a two routers on a VPN to a point where the 'Crypto Map' statement is attributed to external as usual. It works fine but I need each router to a different IP address to the external interface.
For example:
crypto ISAKMP policy 1
BA 3des
preshared authentication
life 3600
privatekey key address 4.4.4.4 crypto ISAKMP xauth No.
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac 3des
!
crypto map 1 VPN ipsec-isakmp
defined peer 4.4.4.4
Set transform-set 3des
match the vpn address
!
interface FastEthernet0/0
IP 4.4.4.4 255.255.255.252
NAT outside IP
IP virtual-reassembly
10 speed
full-duplex
No cdp enable
VPN crypto card
!
interface FastEthernet0/1
IP 8.8.8.8 255.255.255.248
IP nat inside
IP virtual-reassembly
automatic duplex
automatic speed
Instead of the "4.4.4.4" presented to the other side of the VPN, I need the 8.8.8.8 will be presented. I tried to change just the Crypto statements like below, but she always presents the 4.4.4.4 probably because of the interface that the Crypto map is applied
crypto ISAKMP policy 1
BA 3des
preshared authentication
life 3600
privatekey key address 8.8.8.8 crypto ISAKMP xauth No.
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac 3des
!
crypto map 1 VPN ipsec-isakmp
defined peer 8.8.8.8
Set transform-set 3des
match the vpn address
How can I make sure that 8.8.8.8 is what is presented on the other side?
Thank you
Andy
Hi Andy,.
I suggest the following command:
card crypto-address
http://Tools.Cisco.com/Squish/9c85B
To specify and name an interface identify to be used by the encryption for IPSec traffic card, use the card crypto - local address in global configuration mode command. To remove this command from the configuration, don't use No form of this command.
card crypto map-name - address interface id
no card crypto name of the map address
Example:
interface loopback0
IP 4.2.2.2 255.255.255.252
!
mymap-address loopback0 crypto card
!
S0 interface
crypto mymap map
!
Of course, you need to make sure that the remote end can reach this additional IP address.
Let me know if you have any questions.
Please note any workstation that will be useful.
-
Multiple Crypto cards on simple external Interface
Hi, I got the following encryption card configured on my ASA5505 to allow Cisco IPSec VPN clients to connect from the outside:
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
I'm now trying to set up a map of additional encryption - a static configuration to establish a tunnel with Windows Azure services. The configuration, they gave me is:
Crypto map Azur-crypto-map 10 correspondence address azure-vpn-acl
crypto azure-crypto-card card game 10 peers XXX.XXX.XXX.XXX (hidden)
card crypto azure-crypto-map 10 set transform-set of Azur-ipsec-proposal-set
Azur-crypto-card interface card crypto outside
However, when I apply this configuration, my Cisco IPSec clients can connect is no longer. I think that my problem is that last line:
Azur-crypto-card interface card crypto outside
that blows away my original line:
outside_map interface card crypto outside
It seems that I'm stuck with just picking one of the maps to apply to the external interface. Is there a way to apply both of these cards to the external interface to allow the two IPSec tunnels to create? We lack ASA version 8.4 (7) 3.
Hello
You can use the same "crypto map"
Just add
card crypto outside_map 10 correspondence address azure-vpn-acl
crypto outside_map 10 card game peers XXX.XXX.XXX.XXX (hidden)
card crypto outside_map 10 set transform-set of Azur-ipsec-proposal-set
Your dynamic VPN Clients will continue to work very well that their statements "crypto map" are in the order of precedence / low in "crypto map" configurations (65535) and VPN L2L is higher (10)
And I want to say with the above is that, where a connection VPN L2L is formed from the remote end it will be naturally VPN L2L configurations you have with the number of configurations "crypto map" '10'. Then when a VPN Client connects it naturally will not match the specific configurations of the number "10" and will move to the next entry and the match (65535)
If you happen to set up a new connection VPN L2L then you might give him the number "11" for example and it would still be fine.
Hope this helps
-Jouni
-
Hello
I try to configure my router ADSL cisco 877 as a vpn server, so that multiple site can connect to the ADSL cisco 877 router. Is it possible to achieve this goal. If yes what is the procedure and if possible, please copy the URL for documentation here.
Thank you
Siva.
Here is the sample configuration for the client in network Extension mode and IOS Easy VPN server:
http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080808395.shtml
The sample configuration uses local authentication, you can always change it to use radius authentication.
-
Hello
I'm new im this forum.
I've set up a Site VPN site with 2 Cisco 877.SITE A:
Address IP Adreess public: static
Internal IP Adrees: 192.168.0.XXX
Mask: 255.255.255.0SITE B:
IP address public Adreess: Dynamics
Internal IP address: 192.168.2.XXX
Mask: 255.255.255.0I managed to do a ping on both sides, but I can't access file shares, and could rdp on any server in site A, by the internal IP address.
Fix, is the SITES A and B SITE startup configs.
Could you please someone help me?
Hi Marcos,
Really happy to know that the problem is solved. There is no need to apologize. Please mark this message as answered if there is nothing more.
Rregards,
Assia
-
Site to Site VPN working without Crypto Card (ASA 8.2 (1))
Hi all
Find a strange situation on our firewall to ASA5540:
We have a few Site to Site VPN and also activate on the ASA VPN cleint, all are working properly. But finding that a VPN from Site to Site is running without crypto map configuration. Is this possible?
I tried to erase isa his and claire ipsec his then VPN came once again. Tested too, it's the ping requests to a remote site through the VPN.
I saw there are config tunnel-group for VPN but saw no card crypto and ACL.
How is the firewall knows what traffic should be encrypted for this VPN tunnel without crypto card?
This is the bug?
Thanks in advance,
It can be an easy vpn configuration.
Could you post output config operation remove any sensitive information. This could help us answer your question more specifically.
-
Cisco 877 VPN router LAN access
I have spent much time already trying to figure out why I can't reach the LAN behind the router connecting through VPN, I thought it would be easier to ask people with more experience than me.
So, here he goes, this is the configuration of a router 877 adsl with some ACL defined for security and NAT/PAT, the VPN connects to customer VPN CIco however I don't see anything on the LAN to the remote computer (for example: cannot ping the router or server on the local network)
Also, since the router I can not ping the remote VPN computer when connected... I already tried a lot of different things, but my knowledge of cisco is limited, so I hope someone in this forum can sort it with little effort or change in this config... I replaced the ip addresses and passwords for security reasons.
In a Word, what is false or absent in this config which is not let me reach the LAN when docked hollow VPN?
Appreciate the help:
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec localtime
encryption password service
!
hostname My877Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXX
!
AAA new-model
!
!
AAA authentication login default local
connection of local AAA VPN authentication.
AAA authorization exec default local
local authorization AAA VPN network
!
!
AAA - the id of the joint session
clock timezone CST 9 30
!
Crypto pki trustpoint TP-self-signed-901674690
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 901674690
revocation checking no
rsakeypair TP-self-signed-901674690
!
!
TP-self-signed-901674690 crypto pki certificate chain
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
quit smoking
dot11 syslog
IP cef
!
!
inspect the IP router-traffic tcp name _OUTBOUND_
inspect the IP router traffic udp name _OUTBOUND_
inspect the name _OUTBOUND_ http IP
inspect the IP name _OUTBOUND_ https
inspect the IP dns _OUTBOUND_ name
inspect the IP router traffic icmp name _OUTBOUND_
no ip domain search
IP domain name mydomain.com.au
Name A.B.C.D IP-server
IP-name x.y.z.w Server
!
aes encryption password
!
!
username admin privilege 15 secret 5 #$% ^ & *.
Admin2 username privilege 15 secret 5 #$% ^ & *.
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600
!
ISAKMP crypto group configuration of VPN client
key 6 #$%^&_)(*&^%$%^&*(&^$
DNS 192.168.100.5
domain mydomain.com.au
pool VPN
ACL 100
Max-users 5
Max-Connections 1
netmask 255.255.255.0
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn1
!
Crypto-map dynamic dynmap 11
Set transform-set vpn1
market arriere-route
!
!
list of card crypto dynmap customer VPN authentication
card crypto dynmap VPN isakmp authorization list
client configuration address card crypto dynmap initiate
client configuration address card crypto dynmap answer
dynmap 11 card crypto ipsec-isakmp dynamic dynmap
!
Archives
The config log
hidekeys
!
!
!
type of class-card inspect VPN-match-all traffic
game group-access 100
!
!
type of policy-card inspect PCB-pol-outToIn
class type inspect VPN traffic
inspect
!
!
!
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
DSL-automatic operation mode
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
Description LAN_INTERFACE
IP 192.168.100.1 address 255.255.255.0
no ip redirection
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
IP tcp adjust-mss 1452
!
interface Dialer0
ADSL description
the negotiated IP address
IP access-group 101 in
Check IP unicast reverse path
no ip redirection
no ip unreachable
no ip proxy-arp
inspect the _OUTBOUND_ over IP
NAT outside IP
IP virtual-reassembly
encapsulation ppp
route IP cache flow
Dialer pool 1
No cdp enable
Authentication callin PPP chap Protocol
PPP chap hostname [email protected] / * /
PPP chap 7 76478678786 password
card crypto dynmap
!
local pool IP VPN 192.168.200.1 192.168.200.10
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer0
!
no ip address of the http server
local IP http authentication
no ip http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
IP nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
IP nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
IP nat inside source static tcp 192.168.100.9 1352 Dialer0 1352 interface
IP nat inside source static tcp 192.168.100.6 3389 3389 Dialer0 interface
IP nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
IP nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
the IP nat inside source 1 interface Dialer0 overload list
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any eq 443 newspaper
access-list 101 permit tcp any any eq smtp newspaper
access-list 101 permit tcp any any eq 1352 newspaper
access-list 101 permit tcp A.B.C.D host any newspaper
access-list 101 permit tcp host x.y.z.w any log
access-list 101 permit tcp host r.t.g.u any log
access-list 101 permit udp any host x.x.x.x eq isakmp newspaper
access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
access-list 101 deny ip any any newspaper
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 connect
access-list 102 permit ip 192.168.100.0 0.0.0.255 any what newspaper
Dialer-list 1 ip protocol allow
not run cdp
!
!
route allowed sheep 11 map
corresponds to the IP 102
!
!
control plan
!
Banner motd ^ C
Unauthorized access prohibited! ^ C
!
Line con 0
exec-timeout 20 0
no activation of the modem
line to 0
line vty 0 4
privilege level 15
entry ssh transport
!
max-task-time 5000 Planner
x.x.x.x SNTP server
y.y.y.y SNTP server
endMy877Router #.
Doesn't look like anything sent through the VPN tunnel. Decrypt the counter does not increase.
Can you please try to connect by a different ISP and see if that makes a difference?
You can also try to connect from another PC and see if that makes a difference?
The configuration on the router seems correct to me.
-
Multiple Crypto cards on a single Interface of ASA
Hello
I work with a TAC support engineer, and while troubleshooting it suggests to assign two different cryptographic cards on a single interface.
It is technically possible to have multiple Crypto maps on a single Interface ASA?
PS: I know have several sequences in a single encryption card would work, but it is a case that I must address multiple Crypto maps on a single ASA.
Hi Ali,
The rule is by interface, a single card encryption is supported. You cannot assign more than one encryption on a single interface card.
Documentation: -.
"You can only assign a single encryption card defined on an interface. If multiple crypto map entries with the same name of card but a sequence number different, they are part of the same series and are applied to the interface. ASA first assesses the entry card crypto with sequence number low. »http://www.Cisco.com/c/en/us/TD/docs/security/ASA/ASA-command-reference/A-H/cmdref1/C6.html
Kind regards
Dinesh MoudgilPS Please rate helpful messages.
-
Problem with ping VPN cisco 877
Hi all!
I have a working VPN between a fortigate and a Cisco.
I have a problem with ping network behind the cisco of the network behind the forti.
When I ping to vlan2 cisco without problem (192.168.252.1) interface, but I can't ping a server in the vlan2 (192.168.252.2) behind the cisco.
However the Cisco I can ping the server. In the forti, I see that ping to the interface vlan2 and server in vlan2 take in the same way, and I can see package.
I post my config could see it it as blocking the ping from 10.41.2.36 to 192.168.252.2 while 192.168.252.1 ping is OK?
IPSEC #show run
Building configuration...Current configuration: 3302 bytes
!
! Last modification of the configuration at 14:42:17 CEDT Friday, June 25, 2010
! NVRAM config update at 14:42:23 CEDT Friday, June 25, 2010
!
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime localtime show-time zone
encryption password service
!
IPSEC host name
!
boot-start-marker
boot-end-marker
!
logging buffered 1000000
enable secret 5 abdellah
!
No aaa new-model
clock timezone GMT 1
clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
!
!
dot11 syslog
IP cef
No dhcp use connected vrf ip
DHCP excluded-address IP 192.168.254.0 192.168.254.99
DHCP excluded-address IP 192.168.254.128 192.168.254.255
!
IP dhcp DHCP pool
network 192.168.254.0 255.255.255.0
router by default - 192.168.254.254
Server DNS A.A.A.A B.B.B.B
!
!
no ip domain search
name of the IP-server A.A.A.A
name of the IP-server B.B.B.B
!
!
!
!
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 5
ISAKMP crypto key ciscokey address IP_forti
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac vpntest
!
myvpn 10 ipsec-isakmp crypto map
defined by peer IP_forti
Set transform-set vpntest
match address 101
!
Archives
The config log
hidekeys
!
!
!
!
!
interface Tunnel0
IP 2.2.2.1 255.255.255.252
source of Dialer0 tunnel
destination of IP_forti tunnel
myvpn card crypto
!
ATM0 interface
bandwidth 320
no ip address
load-interval 30
No atm ilmi-keepalive
DSL-automatic operation mode
!
point-to-point interface ATM0.1
MTU 1492
bandwidth 160
PVC 8/35
VBR - nrt 160 160
PPPoE-client dial-pool-number 1
!
!
interface FastEthernet0
switchport access vlan 2
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
switchport access vlan 2
!
interface Vlan1
IP 192.168.20.253 255.255.255.0
IP nat inside
no ip virtual-reassembly
!
interface Vlan2
IP 192.168.252.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
interface Dialer0
bandwidth 128
the negotiated IP address
NAT outside IP
no ip virtual-reassembly
encapsulation ppp
load-interval 30
Dialer pool 1
Dialer-Group 1
KeepAlive 1 2
Authentication callin PPP chap Protocol
PPP chap hostname [email protected] / * /
PPP chap password 7 abdelkrim
myvpn card crypto
!
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer0
IP route 10.41.2.32 Tunnel0 255.255.255.240
!
no ip address of the http server
no ip http secure server
The dns server IP
translation of nat IP tcp-timeout 5400
no ip nat service sip 5060 udp port
overload of IP nat inside source list NAT interface Dialer0
!
IP access-list standard BROADCAST
permit of 0.0.0.0
deny all
!
NAT extended IP access list
IP enable any host IP_cisco
deny ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
!
access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
public RO SNMP-server community
3 RW 99 SNMP-server community
SNMP-server community a RO
SNMP-Server RO community oneCommunityRead
not run cdp
!
!
!
control plan
!
!
Line con 0
password 7 abdelkrim
opening of session
no activation of the modem
line to 0
line vty 0 4
password 7 aaaaa
opening of session
escape character 5
!
max-task-time 5000 Planner
NTP-period clock 17175037
Server NTP B.B.B.B
Server NTP A.A.A.Aend
Alex,
It's your GRE tunnel:
interface Tunnel0
IP 2.2.2.1 255.255.255.252
source of Dialer0 tunnel
destination of IP_forti tunnel
myvpn card cryptoYou also have routing set by it.
You don't need a GRE tunnel, nor do you need the road to tunnel if you want just IPsec tunnel.
-
Supported IOS 12.3 for Stateful Crypto cards
I try to understand which version of IOS 12.3 to support 7206 and 2651 crypto with card condition. All the docs I found on cisco.com regarding emissions recommended by the 12.3 train are deferred. I thought because this feature was added in 12.2; then it would be available in 12.3. I tried business, IP Plus, IPSEC, 3DES packages in several releases of 12.3, but none understand the dynamic command at the end of the crypto map command applied to an interface.
Erik,
2651 routers are end of sale and 12.3 Mainline is the last mainline support. This is the reason why you see no T or Mainline 12.4 12.3 for routers 2651. Please see the below URL for more details.
http://www.Cisco.com/en/us/products/HW/routers/ps259/prod_eol_notice09186a008032d4c2.html
You must use a different chassis that supports T 12.3 or 12.4 mainline to test IPSEC Stateful.
Kind regards
Arul
* Please note all useful messages *.
-
Cisco 877 site to site VPN routers a DHCP end cannot get the tunnel
Hello
I have two 877 cisco routers with the static ip address and other (3 routers more) with ADSL DHCP using the no - IP.com.
Currently I'm doing tests with only the static IP router and a DHCP router.
I can't go up the tunnel and running, I can connect using Cisco VPN client, but a site that is the most important of them does not work
I followed the example of configuration on this document http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
But I have no session encryption of output as well as no ipsec or isakmp output using this command (it's on the static IP router)
SH crypto ipsec his
Crypto isakmp HS her
SH encryption session
on the dynamic ip on the router side, I exit that with the sh command its crypto ipsec
This is the output
R3 #sh crypto ipsec his
Interface: Dialer1
Tag crypto map: mymap, local addr xxx.xxx.xxx.xxx
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.xxx (Static ip of the router hub) port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
endpt local crypto. : xxx.xxx.xxx.xxx, remote Start crypto. : xxx.xxx.xxx.xxx
Path mtu 1492 mtu 1492 ip, ip mtu BID Dialer1
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no
SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
Interface: ATM0
Tag crypto map: mymap, local addr 0.0.0.0
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.xxx port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
endpt local crypto. : 0.0.0.0, remote Start crypto. : xxx.xxx.xxx.xxx
Path mtu 1500, mtu 1500 ip, ip mtu IDB ATM0
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no
SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
Interface: virtual Network1
Tag crypto map: mymap, local addr 0.0.0.0
protégé of the vrf: (none)
local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)
Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)
current_peer xxx.xxx.xxx.xxx port 500
LICENCE, flags is {origin_is_acl},
#pkts program: encrypt 0, #pkts: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0
compressed #pkts: 0, unzipped #pkts: 0
#pkts uncompressed: 0, #pkts compr. has failed: 0
#pkts not unpacked: 0, #pkts decompress failed: 0
Errors #send 0, #recv 0 errors
endpt local crypto. : 0.0.0.0, remote Start crypto. : xxx.xxx.xxx.xxx
Path mtu 1492 mtu 1492 ip, ip mtu IDB virtual Network1
current outbound SPI: 0x0 (0)
PFS (Y/N): N, Diffie-Hellman group: no
SAS of the esp on arrival:
the arrival ah sas:
SAS of the CFP on arrival:
outgoing esp sas:
outgoing ah sas:
outgoing CFP sas:
Set the configuration is for both routers
Thanks in advance
Kind regards
Hello
Try the following changes:
HUB
NAT extended IP access list
deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255
ip permit 192.168.1.0 0.0.0.255 any
!
TALK
NAT extended IP access list
deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255
ip licensing 192.168.5.0 0.0.0.255 any
the example you mentioned was not using NAT while you are. Check following link:
HTH
Andy
Maybe you are looking for
-
I bought a new laptop and the new iPhone 6sPlus, I loaded the iTunes store, but it will not open on the laptop and when I plug in the iPhone through the USB port of the app does not automatically open. How can I fix it, I can't sync my phone or uploa
-
Problem with Windows startup with Toshiba HDD external
HelloWhen I'm away from windows (xp) and I got my external drive connected, the computer can´t departure, he collapsed in "windows start". When I mount the laptop without a disc, it starts good. Do you know a solution?Thank you and sorry for my bad E
-
HP 15-fo18dx: sudden ethernet wireless is not connecting on hp 15 fo18dx
Hi, my daughters hp 15 suddenly ceased to connect to internet. At worked earlier in the day at the school, shut down normally and now only connects to the wifi at home with limited connection. Have you tried stop/restart x 3 Reset the modem/router x
-
Smartphones blackBerry AppWorld icon disappear
Hello everyone, since I have updated my OS with the official v5.5.5.593, my AppWorld icon has disappeared! I downloaded it again on the blackberry site, but it doesn't matter! can see it in my list of requests, but I have not found the icon!could you
-
XSD validation fails on a regular expression for valid data
Hello For some reason the following regex expression is down for 5095.0000 < value pattern = "[0-9] {1,4} [..]" [0-9] {4} "/ >" Please notify. This is the XML code: <?xml version="1.0" encoding="iso-8859-1"?> <root DataFeedDate="2013-02-11" xmlns="ht