Cisco 877 using draytek 2600 VPN

Similar Questions

• Cisco 877 site to site VPN routers a DHCP end cannot get the tunnel

  Hello

  I have two 877 cisco routers with the static ip address and other (3 routers more) with ADSL DHCP using the no - IP.com.

  Currently I'm doing tests with only the static IP router and a DHCP router.

  I can't go up the tunnel and running, I can connect using Cisco VPN client, but a site that is the most important of them does not work

  I followed the example of configuration on this document http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

  But I have no session encryption of output as well as no ipsec or isakmp output using this command (it's on the static IP router)

  SH crypto ipsec his

  Crypto isakmp HS her

  SH encryption session

  on the dynamic ip on the router side, I exit that with the sh command its crypto ipsec

  This is the output

  R3 #sh crypto ipsec his

  Interface: Dialer1

  Tag crypto map: mymap, local addr xxx.xxx.xxx.xxx

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

  current_peer xxx.xxx.xxx.xxx (Static ip of the router hub) port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  endpt local crypto. : xxx.xxx.xxx.xxx, remote Start crypto. : xxx.xxx.xxx.xxx

  Path mtu 1492 mtu 1492 ip, ip mtu BID Dialer1

  current outbound SPI: 0x0 (0)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Interface: ATM0

  Tag crypto map: mymap, local addr 0.0.0.0

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

  current_peer xxx.xxx.xxx.xxx port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  endpt local crypto. : 0.0.0.0, remote Start crypto. : xxx.xxx.xxx.xxx

  Path mtu 1500, mtu 1500 ip, ip mtu IDB ATM0

  current outbound SPI: 0x0 (0)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Interface: virtual Network1

  Tag crypto map: mymap, local addr 0.0.0.0

  protégé of the vrf: (none)

  local ident (addr, mask, prot, port): (192.168.5.0/255.255.255.0/0/0)

  Remote ident (addr, mask, prot, port): (192.168.1.0/255.255.255.0/0/0)

  current_peer xxx.xxx.xxx.xxx port 500

  LICENCE, flags is {origin_is_acl},

  #pkts program: encrypt 0, #pkts: 0, #pkts digest: 0

  #pkts decaps: 0, #pkts decrypt: 0, #pkts check: 0

  compressed #pkts: 0, unzipped #pkts: 0

  #pkts uncompressed: 0, #pkts compr. has failed: 0

  #pkts not unpacked: 0, #pkts decompress failed: 0

  Errors #send 0, #recv 0 errors

  endpt local crypto. : 0.0.0.0, remote Start crypto. : xxx.xxx.xxx.xxx

  Path mtu 1492 mtu 1492 ip, ip mtu IDB virtual Network1

  current outbound SPI: 0x0 (0)

  PFS (Y/N): N, Diffie-Hellman group: no

  SAS of the esp on arrival:

  the arrival ah sas:

  SAS of the CFP on arrival:

  outgoing esp sas:

  outgoing ah sas:

  outgoing CFP sas:

  Set the configuration is for both routers

  Thanks in advance

  Kind regards

  Hello

  Try the following changes:

  HUB

  NAT extended IP access list

  deny ip 192.168.1.0 0.0.0.255 192.168.5.0 0.0.0.255

  ip permit 192.168.1.0 0.0.0.255 any

  !

  TALK

  NAT extended IP access list

  deny ip 192.168.5.0 0.0.0.255 192.168.1.0 0.0.0.255

  ip licensing 192.168.5.0 0.0.0.255 any

  the example you mentioned was not using NAT while you are. Check following link:

  http://www.Cisco.com/en/us/products/HW/vpndevc/ps2030/products_configuration_example09186a00807ea936.shtml?referring_site=smartnavRD

  HTH

  Andy

• Cisco 877 as a VPN server

  Hello

  I try to configure my router ADSL cisco 877 as a vpn server, so that multiple site can connect to the ADSL cisco 877 router. Is it possible to achieve this goal. If yes what is the procedure and if possible, please copy the URL for documentation here.

  Thank you

  Siva.

  Here is the sample configuration for the client in network Extension mode and IOS Easy VPN server:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080808395.shtml

  The sample configuration uses local authentication, you can always change it to use radius authentication.

• Site to Site VPN Cisco 877

  Hello

  I'm trying to set up a VPN site-to site on a cisco 877 that connects to an ISA Server.

  It fails on Phase 2 with the following error:

  000320: * apr 21 12:11:07.028 PCTime: IPSEC (validate_proposal_request): proposal

  Part #1

  (Eng. msg key.) Local INCOMING = 83.X.X.X, distance = 87.X.X.X,.

  local_proxy = 172.16.25.0/255.255.255.0/0/0 (type = 4),

  remote_proxy = 87.x.x.x/255.255.255.255/0/0 (type = 1),

  Protocol = ESP, transform = NONE (Tunnel),

  lifedur = 0 and 0kb in

  SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 0

  00323: * apr 21 12:11:07.028 PCTime: map_db_find_best found no corresponding card

  00324: * apr 21 12:11:07.028 PCTime: IPSEC (ipsec_process_proposal): proxy identity

  IES not supported

  In accordance with the foregoing, it seems to be using the public IP address of the peer for the 'Remote_Proxy' and not the local network: 10.0.0.0, 255.0.0.0

  In my definition of the crypto map, I have 'correspondence address 104", which is an access list which reads:

  access-list 104. allow ip 172.16.25.0 0.0.0.255 10.0.0.0 0.255.255.255
  access-list 104 deny ip 172.16.25.0 0.0.0.255 any

  Anyone know what can be the problem?

  Kind regards

  Simon

  If you can, try to ping from another device on the subnet 172.16.25.x.

• VPN ipsec Cisco 877 <>- iphone

  Hi, I'm trying implement the vpn ipsec between my cisco 877 and his iphone/cisco vpn client. First of all, what is the difference between remote access vpn and vpn installation easy? The phase 1 and the phase2 are completed but I don't have much traffic between peers.

  Maybe I missed something conf? Should I add the roadmap with acl 101?

  Here is the configuration of isakmp/ipsec.

  ISAKMP crypto enable
  session of crypto consignment

  crypto ISAKMP policy 10
  BA 3des
  md5 hash
  preshared authentication
  Group 2
  life 3600
  ISAKMP crypto keepalive 10
  ISAKMP crypto nat keepalive 20
  ISAKMP xauth timeout 90 crypto

  ISAKMP crypto client configuration group to distance-vpn
  key to past
  DNS 212.216.112.112
  cisco877.local field
  10 Max-users
  Max-connections 10
  pool remotely
  ACL 150
  Save-password

  Crypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
  Crypto ipsec security association idle time 3600

  distance from dyn-crypto-dynamic-map 10
  transformation-VPN-CLI-SET game

  card crypto remotemap local-address dialer0
  card crypto client remotemap of authentication list userauthen
  card crypto isakmp authorization list groupauthor remotemap
  client configuration address card crypto remotemap answer
  remotemap 65535 ipsec-isakmp crypto map distance Dynamics-dyn

  interface dialer0
  remotemap card crypto

  IP local pool remote control-pool 192.168.69.0 192.168.69.20

  IP route 192.168.69.0 255.255.255.0 dialer0

  no access list 150
  REM list 150 * ACL split tunnel access *.
  access-list 150 permit ip 10.0.77.0 0.0.0.255 192.168.69.0 0.0.0.255

  no access list 101
  Note access-list 101 * ACL sheep *.
  access-list 101 deny ip 10.0.77.0 0.0.0.255 192.168.69.0 0.0.0.255
  access-list 101 permit ip 10.0.77.0 0.0.0.255 any

  Should I apply this acl 101 loopback?  Ex:

  overload of IP nat inside source list 101 interface Loopback0

  Should I apply an acl to permit as access-list 169 allow ip 192.168.69.0 0.0.0.255 any in my Dialer interface 0?

  Other tips? Best regards.

  Hi Alessandro,.

  The access tunnel split list is great!

  If you are NAT on public and private interface that is ip nat inside and ip nat outside etc.

  You must add the command ip nat inside source list 101 interface Dialer0 overload

  +++++++++++++++++++++++++++++++++++++++

  Or you can create a new roadmap

  new route map permit 10

  ACL #match 101

  command: ip nat inside the interface Dialer0 overload route map

  Thank you

  Adama

• Cisco 877 + VPN Site to Site

  Hello

  I'm new im this forum.
  I've set up a Site VPN site with 2 Cisco 877.

  SITE A:

  Address IP Adreess public: static
  Internal IP Adrees: 192.168.0.XXX
  Mask: 255.255.255.0

  SITE B:

  IP address public Adreess: Dynamics
  Internal IP address: 192.168.2.XXX
  Mask: 255.255.255.0

  I managed to do a ping on both sides, but I can't access file shares, and could rdp on any server in site A, by the internal IP address.

  Fix, is the SITES A and B SITE startup configs.

  Could you please someone help me?

  Hi Marcos,

  Really happy to know that the problem is solved. There is no need to apologize. Please mark this message as answered if there is nothing more.

  Rregards,

  Assia

• Cisco 877 - issue crypto card

  We have implemented a L2L VPN between a cisco 877 and an ASA 5505.

  On the side of 877, we have:

  Dialer 0: connect to the internet and has a dynamic IP given by ISP

  Loopback1: has a static IP address of the public IP range assigned.

  VLAN 1: has a static private IP address for the local network

  FE3: Interface conencted to lan

  We have the following problem.

  We have applied the card encryption to the loopback interface and with this configuration we can reach the interface of the internal router (VLAN 1 IP) from the internal network of ASA, but except that we cannot reach any host inside the router's lan.

  If we apply the encryption card to the interface of FE3 we can ping also lan internal but we lose half of the ping and the return is high (500-800 ms applies rather than 70 to 80 when only 1 Loopback)

  So I need some help here. What should be the correct configuration to have it all works well?

  Thanks in advance

  In the first configuration (crypto-map applied to the loopback interface), you can try this:

  no ip (on Cisco 877) cef

  CEF in many versions have similar problems of your of

• Use the client VPN tunnel to cross the LAN-to-LAN tunnel

  I have been troubleshooting an issue and cannot cross an obstacle. The ASA is running ASA running 1,0000 code 24. I am using a client VPN tunnel to connect to the ASA. The ASA has already a LAN-to-LAN tunnel, set up and operating and I need the VPN client to access the remote site over the LAN-to-LAN tunnel.

  The internal IP address of the local part is 192.168.0.0/24 and the IP address of the Remote LAN-to-LAN tunnel is 172.20.1.0/24. The clients are distributed 192.168.200.0/24 IPs. I have attached the relevant configuration for the SAA.

  When the VPN client on the network, I can access resources on the ASA network internal. On the internal network of the SAA, users can access resources through the LAN-to-LAN tunnel. Client VPN cannot access resources on the LAN-to-LAN tunnel. For the latter, there are no hits on the C-TEST access list.

  Thank you for your help.

  try adding...

  permit same-security-traffic intra-interface

  http://www.Cisco.com/en/us/products/ps6120/products_configuration_guide_chapter09186a00806370f2.html#wp1042114

• Configuration of the Cisco ACS 5.3 AnyConnect VPN and management of a Cisco ASA 5500.

  We have configured a Cisco ASA 5505 as a VPN endpoint for one of our user groups.  It works, but it works too well.

  We have a group called XXX we need to have access to the Cisco AnyConnect Client.  We have selected this group of our Active Directory and added to our ACS configuration.  We've also added a group called YYY that will manage the ASA. However, this group has no need to access the VPN.

  We added XXX movies for the elements of the policy of access to the network-> authorization profiles.  We also have a profile of YYY.

  She continues to knock on our default Service rule that says allow all.

  We have also created a default network access rule. for this.

  I am at a loss.  I'm sure I missed a checkbox or something.

  Any help would be really appreciated.

  Dwane

  We use Protocol Management GANYMEDE ASA and Ray for VPN access?

  For administration, you must change the device by default admin access strategy and create a permission policy. Even by the way, you can change the network access by default for vpn access and create a respective policy for that too.

  On the SAA, you must configure Ganymede and Ray both as a server group.

  For the administration, you can set Ganymede as an external authentication under orders aaa Server

  AAA-server protocol Ganymede GANYMEDE +.

  Console HTTP authentication AAA GANYMEDE

  Console Telnet AAA authentication RADIUS LOCAL

  authentication AAA ssh console LOCAL GANYMEDE

  Console to enable AAA authentication RADIUS LOCAL

  For VPN, you must set the authentication radius under the tunnel-group.

  I hope this helps.

  Kind regards

  Jousset

  The rate of useful messages-

• 4G the Z10T Portege - Win8 cannot connect using Sonicwall Global VPN

  Hello

  We have installed the latest version of the client to Sonicwall Global VPN on the Toshiba Portege z10t with a Telstra Sim card inside.

  When we connect to our office, in the step acquired IP, stopping the process there.
  If we use a Telstra 4 G Wireless router, it works perfectly.
  Apparently, there is something of the z10t that blocks the process.

  Someone had the same problem?
  We have upgraded the bios and drivers on the z10t, but without success.
  Kind regards

  It is not easy to say why this is happening. In my view it will be difficult to find someone here who can test for you or someone who has an identical machine and use the same VPN client.

  Missing important information: do you use original image recovery Toshiba or clean install of the OS?

• Update firmware on Cisco SF300 using CLI

  Hi all!

  How can I update the firmware on Cisco SF300 using CLI?

  I have download the new Sx300_FW_Boot_1.4.0.88 firmware on the Cisco site. Inside of the archive, I found two files sx300_boot - 13506.rfb and sx300_fw - 14088.ros. If I understand correctly, sx300_fw - 14088.ros is the firmware?

  Through the command #copy tftp://mytftp/image image I stored the current firmware in my TFTP

  And now I have to use theftp://mytftp/sx300_fw-14088.ros command #copy t for update, right?

  This is enough to update the firmware? How can I use another file sx300_boot - 13506.rfb?

  Hello Ivan,.

  Below are all the controls you need during the upgrade. Please note that switch stores the 2 images and new firmware would go to a non-active image so you need to position the active image.

  image offtp://mytftp/sx300_fw-14088.ros t #copy

  #show bootvar

  image-x 1.4.0.88

  image-y a.b.c.d.

  #boot image-x SYSTEM

  for the boot code however:

  t #copyftp://mytftp/sx300_fw-13506.rfb boot

  After all these commands, you can restart the switch and check the boot code and firmware:

  #show version

  I hope this helps.

  Aleksandra

• 9.0 can a dynamic nat be used via ipsec vpn?

  9.0 can a dynamic nat be used via ipsec vpn?

  We have a vpn and work between asa and when we run traffic through a static nat rule traffic goes over the vpn. When we use a dynamic nat traffic does not get picked up by the ACL vpn.

  We disable the nat rules to switch back and just so, even when we use the same destination to source the result is the same.

  Am I missing something with 9.0 versions of code? If I disable all the nats and pass traffic it goes via the vpn.

  So, it seems that when you use the dynamic nat statement, it pushes traffic to the external interface without looking at the acl of vpn. Please let me know if I'm crazy, I'm a newb on 8.3 zip code.

  Thank you

  Have you included in the ACL crytop natted ip address or range?

  You allowed natted ip address or range to the other end of the tunnel?

• Impossible to establish a VPN connection with a router configured as a Cisco server using client VPN 5.0.00.0340

  Hei guys,.

  Please help me on this one because I'm stuck enough on her...

  I am trying to connect to a Cisco 3700 router configured as a VPN server by using a VPN client and the VPN connection does not settle.

  This is an extract from the log:

  130 12:48:30.585 07/01/11 Sev = Info/5 IKE / 0 x 63000001
  Peer supports XAUTH
  131 12:48:30.585 07/01/11 Sev = WARNING/3 IKE/0xE3000057
  The HASH payload received cannot be verified
  132 12:48:30.600 07/01/11 Sev = WARNING/2 IKE/0xE300007E
  Failed the hash check... may be configured with password invalid group.
  133 12:48:30.600 07/01/11 Sev = WARNING/2 IKE/0xE300009B
  Impossible to authenticate peers (Navigator: 904)
  134 12:48:30.600 07/01/11 Sev = Info/4 IKE / 0 x 63000013
  SEND to > ISAKMP OAK INFO (NOTIFY: INVALID_HASH_INFO) for 200.100.50.173

  I enclose the whole journal extract... The message "BOLD" is quite obvious, you mean, but I'm 100% sure, in the login entry, I typed correctly the group password: pass

  My topology is very basic, as I am setting this up only to get a clue of the operation of the Cisco VPN. It is built in GNS3:
  -2 3700 routers: one of them holds the configuration of the VPN server and the other would be the ISP through which the remote worker would try to establish a VPN connection. I am also attaching the configuration file for the router configured as a VPN router.

  Behind the second router there is a virtual XP machine on which I have installed VPN client...

  My connection entry in the customer is to have the following parameters:
  Host: 200.100.50.173 , //which is the IP address of the VPNServer
  Authentication-> authentication-> name group: grup1 password: pass / / I'm quite positive that I typed the correct password... even if the log messages are linked to a misidentification.

  I use public addresses only, because I noticed there is a question about behind the NAT VPN connections and is not not very familiar to the NAT.

  Another aspect which can be of any importance is that "allow Tunneling of Transport" in the tab Transport to the input connection is disabled

  and the VPNServer router logs the following error message when you try to establish the connection:

  * 01:08:47.147 Mar 1: % CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE 200.100.50.34 package was not encrypted and it should have been.
  * 01:08:47.151 Mar 1: % CRYPTO-6-IKMP_NOT_ENCRYPTED: IKE 200.100.50.34 package was not encrypted and it should have been.
  

  You have no idea why I can't connect? Y at - it something wrong with my configuration of VPN server... or with the connection entry in the VPN client?

  Thank you

  Iulia

  Depending on the configuration of the router, the group name is grup1 and the password is baby.

  You also lack the ipsec processing game that you would need to apply to the dynamic map.

  Here is an example configuration for your reference:

  http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080235197.shtml

  Hope that helps.

• Problem with ping VPN cisco 877

  Hi all!

  I have a working VPN between a fortigate and a Cisco.

  I have a problem with ping network behind the cisco of the network behind the forti.

  When I ping to vlan2 cisco without problem (192.168.252.1) interface, but I can't ping a server in the vlan2 (192.168.252.2) behind the cisco.

  However the Cisco I can ping the server. In the forti, I see that ping to the interface vlan2 and server in vlan2 take in the same way, and I can see package.

  I post my config could see it it as blocking the ping from 10.41.2.36 to 192.168.252.2 while 192.168.252.1 ping is OK?

  IPSEC #show run
  Building configuration...

  Current configuration: 3302 bytes
  !
  ! Last modification of the configuration at 14:42:17 CEDT Friday, June 25, 2010
  ! NVRAM config update at 14:42:23 CEDT Friday, June 25, 2010
  !
  version 12.4
  no service button
  horodateurs service debug datetime msec
  Log service timestamps datetime localtime show-time zone
  encryption password service
  !
  IPSEC host name
  !
  boot-start-marker
  boot-end-marker
  !
  logging buffered 1000000
  enable secret 5 abdellah
  !
  No aaa new-model
  clock timezone GMT 1
  clock to summer time CEDT recurring last Sun Mar 02:00 last Sun Oct 03:00
  !
  !
  dot11 syslog
  IP cef
  No dhcp use connected vrf ip
  DHCP excluded-address IP 192.168.254.0 192.168.254.99
  DHCP excluded-address IP 192.168.254.128 192.168.254.255
  !
  IP dhcp DHCP pool
  network 192.168.254.0 255.255.255.0
  router by default - 192.168.254.254
  Server DNS A.A.A.A B.B.B.B
  !
  !
  no ip domain search
  name of the IP-server A.A.A.A
  name of the IP-server B.B.B.B
  !
  !
  !
  !
  !
  crypto ISAKMP policy 1
  BA aes 256
  preshared authentication
  Group 5
  ISAKMP crypto key ciscokey address IP_forti
  !
  !
  Crypto ipsec transform-set esp - aes 256 esp-sha-hmac vpntest
  !
  myvpn 10 ipsec-isakmp crypto map
  defined by peer IP_forti
  Set transform-set vpntest
  match address 101
  !
  Archives
  The config log
  hidekeys
  !
  !
  !
  !
  !
  interface Tunnel0
  IP 2.2.2.1 255.255.255.252
  source of Dialer0 tunnel
  destination of IP_forti tunnel
  myvpn card crypto
  !
  ATM0 interface
  bandwidth 320
  no ip address
  load-interval 30
  No atm ilmi-keepalive
  DSL-automatic operation mode
  !
  point-to-point interface ATM0.1
  MTU 1492
  bandwidth 160
  PVC 8/35
  VBR - nrt 160 160
  PPPoE-client dial-pool-number 1
  !
  !
  interface FastEthernet0
  switchport access vlan 2
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  switchport access vlan 2
  !
  interface Vlan1
  IP 192.168.20.253 255.255.255.0
  IP nat inside
  no ip virtual-reassembly
  !
  interface Vlan2
  IP 192.168.252.1 255.255.255.0
  IP nat inside
  IP virtual-reassembly
  !
  interface Dialer0
  bandwidth 128
  the negotiated IP address
  NAT outside IP
  no ip virtual-reassembly
  encapsulation ppp
  load-interval 30
  Dialer pool 1
  Dialer-Group 1
  KeepAlive 1 2
  Authentication callin PPP chap Protocol
  PPP chap hostname [email protected] / * /
  PPP chap password 7 abdelkrim
  myvpn card crypto
  !
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 Dialer0
  IP route 10.41.2.32 Tunnel0 255.255.255.240
  !
  no ip address of the http server
  no ip http secure server
  The dns server IP
  translation of nat IP tcp-timeout 5400
  no ip nat service sip 5060 udp port
  overload of IP nat inside source list NAT interface Dialer0
  !
  IP access-list standard BROADCAST
  permit of 0.0.0.0
  deny all
  !
  NAT extended IP access list
  IP enable any host IP_cisco
  deny ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
  !
  access-list 101 permit ip 192.168.252.0 0.0.0.255 10.41.2.32 0.0.0.31
  public RO SNMP-server community
  3 RW 99 SNMP-server community
  SNMP-server community a RO
  SNMP-Server RO community oneCommunityRead
  not run cdp
  !
  !
  !
  control plan
  !
  !
  Line con 0
  password 7 abdelkrim
  opening of session
  no activation of the modem
  line to 0
  line vty 0 4
  password 7 aaaaa
  opening of session
  escape character 5
  !
  max-task-time 5000 Planner
  NTP-period clock 17175037
  Server NTP B.B.B.B
  Server NTP A.A.A.A

  end

  Alex,

  It's your GRE tunnel:

  interface Tunnel0
  IP 2.2.2.1 255.255.255.252
  source of Dialer0 tunnel
  destination of IP_forti tunnel
  myvpn card crypto

  You also have routing set by it.

  You don't need a GRE tunnel, nor do you need the road to tunnel if you want just IPsec tunnel.

• Cisco 877 VPN router LAN access

  I have spent much time already trying to figure out why I can't reach the LAN behind the router connecting through VPN, I thought it would be easier to ask people with more experience than me.

  So, here he goes, this is the configuration of a router 877 adsl with some ACL defined for security and NAT/PAT, the VPN connects to customer VPN CIco however I don't see anything on the LAN to the remote computer (for example: cannot ping the router or server on the local network)

  Also, since the router I can not ping the remote VPN computer when connected... I already tried a lot of different things, but my knowledge of cisco is limited, so I hope someone in this forum can sort it with little effort or change in this config... I replaced the ip addresses and passwords for security reasons.

  In a Word, what is false or absent in this config which is not let me reach the LAN when docked hollow VPN?

  Appreciate the help:

  version 12.4
  no service button
  horodateurs service debug datetime msec
  Log service timestamps datetime msec localtime
  encryption password service
  !
  hostname My877Router
  !
  boot-start-marker
  boot-end-marker
  !
  logging buffered 51200 warnings
  enable secret 5 XXXXXXXXXX
  !
  AAA new-model
  !
  !
  AAA authentication login default local
  connection of local AAA VPN authentication.
  AAA authorization exec default local
  local authorization AAA VPN network
  !
  !
  AAA - the id of the joint session
  clock timezone CST 9 30
  !
  Crypto pki trustpoint TP-self-signed-901674690
  enrollment selfsigned
  name of the object cn = IOS - Self - signed - certificate - 901674690
  revocation checking no
  rsakeypair TP-self-signed-901674690
  !
  !
  TP-self-signed-901674690 crypto pki certificate chain
  certificate self-signed 01
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  quit smoking
  dot11 syslog
  IP cef
  !
  !
  inspect the IP router-traffic tcp name _OUTBOUND_
  inspect the IP router traffic udp name _OUTBOUND_
  inspect the name _OUTBOUND_ http IP
  inspect the IP name _OUTBOUND_ https
  inspect the IP dns _OUTBOUND_ name
  inspect the IP router traffic icmp name _OUTBOUND_
  no ip domain search
  IP domain name mydomain.com.au
  Name A.B.C.D IP-server
  IP-name x.y.z.w Server
  !
  aes encryption password
  !
  !
  username admin privilege 15 secret 5 #$% ^ & *.
  Admin2 username privilege 15 secret 5 #$% ^ & *.
  !
  crypto ISAKMP policy 1
  BA 3des
  preshared authentication
  Group 2
  life 3600
  !
  ISAKMP crypto group configuration of VPN client
  key 6 #$%^&_)(*&^%$%^&*(&^$
  DNS 192.168.100.5
  domain mydomain.com.au
  pool VPN
  ACL 100
  Max-users 5
  Max-Connections 1
  netmask 255.255.255.0
  !
  86400 seconds, duration of life crypto ipsec security association
  !
  Crypto ipsec transform-set esp-3des esp-sha-hmac vpn1
  !
  Crypto-map dynamic dynmap 11
  Set transform-set vpn1
  market arriere-route
  !
  !
  list of card crypto dynmap customer VPN authentication
  card crypto dynmap VPN isakmp authorization list
  client configuration address card crypto dynmap initiate
  client configuration address card crypto dynmap answer
  dynmap 11 card crypto ipsec-isakmp dynamic dynmap
  !
  Archives
  The config log
  hidekeys
  !
  !
  !
  type of class-card inspect VPN-match-all traffic
  game group-access 100
  !
  !
  type of policy-card inspect PCB-pol-outToIn
  class type inspect VPN traffic
  inspect
  !
  !
  !
  !
  ATM0 interface
  no ip address
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  route IP cache flow
  No atm ilmi-keepalive
  PVC 8/35
  aal5mux encapsulation ppp Dialer
  Dialer pool-member 1
  !
  DSL-automatic operation mode
  !
  interface FastEthernet0
  !
  interface FastEthernet1
  !
  interface FastEthernet2
  !
  interface FastEthernet3
  !
  interface Vlan1
  Description LAN_INTERFACE
  IP 192.168.100.1 address 255.255.255.0
  no ip redirection
  no ip proxy-arp
  IP nat inside
  IP virtual-reassembly
  route IP cache flow
  IP tcp adjust-mss 1452
  !
  interface Dialer0
  ADSL description
  the negotiated IP address
  IP access-group 101 in
  Check IP unicast reverse path
  no ip redirection
  no ip unreachable
  no ip proxy-arp
  inspect the _OUTBOUND_ over IP
  NAT outside IP
  IP virtual-reassembly
  encapsulation ppp
  route IP cache flow
  Dialer pool 1
  No cdp enable
  Authentication callin PPP chap Protocol
  PPP chap hostname [email protected] / * /
  PPP chap 7 76478678786 password
  card crypto dynmap
  !
  local pool IP VPN 192.168.200.1 192.168.200.10
  IP forward-Protocol ND
  IP route 0.0.0.0 0.0.0.0 Dialer0
  !
  no ip address of the http server
  local IP http authentication
  no ip http secure server
  IP http timeout policy slowed down 60 life 86400 request 10000
  IP nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
  IP nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
  IP nat inside source static tcp 192.168.100.9 1352 Dialer0 1352 interface
  IP nat inside source static tcp 192.168.100.6 3389 3389 Dialer0 interface
  IP nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
  IP nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
  the IP nat inside source 1 interface Dialer0 overload list
  !
  access-list 1 permit 192.168.100.0 0.0.0.255
  access-list 100 permit ip 192.168.200.0 0.0.0.255 any
  access-list 101 permit tcp any any eq 443 newspaper
  access-list 101 permit tcp any any eq smtp newspaper
  access-list 101 permit tcp any any eq 1352 newspaper
  access-list 101 permit tcp A.B.C.D host any newspaper
  access-list 101 permit tcp host x.y.z.w any log
  access-list 101 permit tcp host r.t.g.u any log
  access-list 101 permit udp any host x.x.x.x eq isakmp newspaper
  access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
  access-list 101 deny ip any any newspaper
  access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 connect
  access-list 102 permit ip 192.168.100.0 0.0.0.255 any what newspaper
  Dialer-list 1 ip protocol allow
  not run cdp
  !
  !
  route allowed sheep 11 map
  corresponds to the IP 102
  !
  !
  control plan
  !
  Banner motd ^ C
  Unauthorized access prohibited! ^ C
  !
  Line con 0
  exec-timeout 20 0
  no activation of the modem
  line to 0
  line vty 0 4
  privilege level 15
  entry ssh transport
  !
  max-task-time 5000 Planner
  x.x.x.x SNTP server
  y.y.y.y SNTP server
  end

  My877Router #.

  Doesn't look like anything sent through the VPN tunnel. Decrypt the counter does not increase.

  Can you please try to connect by a different ISP and see if that makes a difference?

  You can also try to connect from another PC and see if that makes a difference?

  The configuration on the router seems correct to me.