Cisco 877 VPN router LAN access
I have spent much time already trying to figure out why I can't reach the LAN behind the router connecting through VPN, I thought it would be easier to ask people with more experience than me.
So, here he goes, this is the configuration of a router 877 adsl with some ACL defined for security and NAT/PAT, the VPN connects to customer VPN CIco however I don't see anything on the LAN to the remote computer (for example: cannot ping the router or server on the local network)
Also, since the router I can not ping the remote VPN computer when connected... I already tried a lot of different things, but my knowledge of cisco is limited, so I hope someone in this forum can sort it with little effort or change in this config... I replaced the ip addresses and passwords for security reasons.
In a Word, what is false or absent in this config which is not let me reach the LAN when docked hollow VPN?
Appreciate the help:
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec localtime
encryption password service
!
hostname My877Router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 XXXXXXXXXX
!
AAA new-model
!
!
AAA authentication login default local
connection of local AAA VPN authentication.
AAA authorization exec default local
local authorization AAA VPN network
!
!
AAA - the id of the joint session
clock timezone CST 9 30
!
Crypto pki trustpoint TP-self-signed-901674690
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 901674690
revocation checking no
rsakeypair TP-self-signed-901674690
!
!
TP-self-signed-901674690 crypto pki certificate chain
certificate self-signed 01
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
quit smoking
dot11 syslog
IP cef
!
!
inspect the IP router-traffic tcp name _OUTBOUND_
inspect the IP router traffic udp name _OUTBOUND_
inspect the name _OUTBOUND_ http IP
inspect the IP name _OUTBOUND_ https
inspect the IP dns _OUTBOUND_ name
inspect the IP router traffic icmp name _OUTBOUND_
no ip domain search
IP domain name mydomain.com.au
Name A.B.C.D IP-server
IP-name x.y.z.w Server
!
aes encryption password
!
!
username admin privilege 15 secret 5 #$% ^ & *.
Admin2 username privilege 15 secret 5 #$% ^ & *.
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
life 3600
!
ISAKMP crypto group configuration of VPN client
key 6 #$%^&_)(*&^%$%^&*(&^$
DNS 192.168.100.5
domain mydomain.com.au
pool VPN
ACL 100
Max-users 5
Max-Connections 1
netmask 255.255.255.0
!
86400 seconds, duration of life crypto ipsec security association
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn1
!
Crypto-map dynamic dynmap 11
Set transform-set vpn1
market arriere-route
!
!
list of card crypto dynmap customer VPN authentication
card crypto dynmap VPN isakmp authorization list
client configuration address card crypto dynmap initiate
client configuration address card crypto dynmap answer
dynmap 11 card crypto ipsec-isakmp dynamic dynmap
!
Archives
The config log
hidekeys
!
!
!
type of class-card inspect VPN-match-all traffic
game group-access 100
!
!
type of policy-card inspect PCB-pol-outToIn
class type inspect VPN traffic
inspect
!
!
!
!
ATM0 interface
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
route IP cache flow
No atm ilmi-keepalive
PVC 8/35
aal5mux encapsulation ppp Dialer
Dialer pool-member 1
!
DSL-automatic operation mode
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
Description LAN_INTERFACE
IP 192.168.100.1 address 255.255.255.0
no ip redirection
no ip proxy-arp
IP nat inside
IP virtual-reassembly
route IP cache flow
IP tcp adjust-mss 1452
!
interface Dialer0
ADSL description
the negotiated IP address
IP access-group 101 in
Check IP unicast reverse path
no ip redirection
no ip unreachable
no ip proxy-arp
inspect the _OUTBOUND_ over IP
NAT outside IP
IP virtual-reassembly
encapsulation ppp
route IP cache flow
Dialer pool 1
No cdp enable
Authentication callin PPP chap Protocol
PPP chap hostname [email protected] / * /
PPP chap 7 76478678786 password
card crypto dynmap
!
local pool IP VPN 192.168.200.1 192.168.200.10
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 Dialer0
!
no ip address of the http server
local IP http authentication
no ip http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
IP nat inside source static tcp 192.168.100.9 443 interface Dialer0 443
IP nat inside source static tcp 192.168.100.9 25 interface Dialer0 25
IP nat inside source static tcp 192.168.100.9 1352 Dialer0 1352 interface
IP nat inside source static tcp 192.168.100.6 3389 3389 Dialer0 interface
IP nat inside source static tcp 192.168.100.7 3389 interface Dialer0 3391
IP nat inside source static tcp 192.168.100.3 8443 interface Dialer0 8443
the IP nat inside source 1 interface Dialer0 overload list
!
access-list 1 permit 192.168.100.0 0.0.0.255
access-list 100 permit ip 192.168.200.0 0.0.0.255 any
access-list 101 permit tcp any any eq 443 newspaper
access-list 101 permit tcp any any eq smtp newspaper
access-list 101 permit tcp any any eq 1352 newspaper
access-list 101 permit tcp A.B.C.D host any newspaper
access-list 101 permit tcp host x.y.z.w any log
access-list 101 permit tcp host r.t.g.u any log
access-list 101 permit udp any host x.x.x.x eq isakmp newspaper
access-list 101 permit udp any host y.y.y.y eq non500-isakmp log
access-list 101 deny ip any any newspaper
access-list 102 deny ip 192.168.100.0 0.0.0.255 192.168.200.0 0.0.0.255 connect
access-list 102 permit ip 192.168.100.0 0.0.0.255 any what newspaper
Dialer-list 1 ip protocol allow
not run cdp
!
!
route allowed sheep 11 map
corresponds to the IP 102
!
!
control plan
!
Banner motd ^ C
Unauthorized access prohibited! ^ C
!
Line con 0
exec-timeout 20 0
no activation of the modem
line to 0
line vty 0 4
privilege level 15
entry ssh transport
!
max-task-time 5000 Planner
x.x.x.x SNTP server
y.y.y.y SNTP server
end
My877Router #.
Doesn't look like anything sent through the VPN tunnel. Decrypt the counter does not increase.
Can you please try to connect by a different ISP and see if that makes a difference?
You can also try to connect from another PC and see if that makes a difference?
The configuration on the router seems correct to me.
Tags: Cisco Security
Similar Questions
-
I have set up a cisco 861 as a vpn server. Could I help you if someone can tell what is the problem? Clients can connect, but cannot access local resources from lan for subnet 10.0.10.0
Building configuration...
Current configuration: 9770 bytes
!
version 12.4
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime msec localtimeShow time-zone
Log service timestamps datetime localtime show msec.time zone
encryption password service
sequence numbers service
!
hostname RT861W
!
boot-start-marker
start the flash c860-universalk9 - mz.124 - 24.T3.bin system
boot-end-marker
!
forest-meter operation of syslog messages
logging buffered 4096 warnings
recording console critical
enable secret 5 xxxxxxxx
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login userauthen local
AAA authorization groupauthor LAN
!
!
AAA - the id of the joint session
iomem 10 memory size
clock timezone IS - 4
clock save interval 24
!
Crypto pki trustpoint TP-self-signed-3796206546
enrollment selfsigned
name of the object cn = IOS-Self-signed-certificate-3796206546
revocation checking no
rsakeypair TP-self-signed-3796206546
!
!
chain pki crypto TP-self-signed certificates.3796206546
certificate self-signed 01
30820259 308201 2 A0030201 02020101 300 D 06092A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 31312F302 536967 6E65642D 43657274
69666963 33373936 32303635 6174652D 3436301E170 3130 30363130 32323534
33395A 17 0D 323030 31303130 30303030 305A 303106035504 03132649 312F302D
65642 43 65727469 5369676E 656C662D 4F532D5366696361 74652 33 37393632
3630819F 30363534 300 D 0609 2A 864886 F70D010101050003 818 0030 81890281
81009C 68 0509FEBA BA0D4251 52AA3F1C DBB7CACB138D0D3D 8017AB75 04AABD97
16DE7A44 31B18A6C 5DE8F289 CF5D71EA AF9BA2F6EB32858B 4385DE6C 3ED11616
2B997D14 C6C86431 9A 956161 2D0581F4 767D60E182FF426A 911D503E 8995A69B
6F7A4D9A 9AEA14DE 8A62570E C9C3A913 25E5E464E6DA7E06 44F94B16 3EA57809
5B 710203 010001 HAS 3 8180307E 300F0603 551D 130101FF0405 FF302B06 30030101
11 04243022 82205254 38363157 2E636F6C 03551D6C696E73 2E316661 6D696C79
756E6974 65642E63 6F6D301F 0603551D 230418301680142C 21E7314B D28AFE1A
26115A1B F53AFB03 1 060355 1D0E0416 0ED1A83004142C 21 E7314BD2 8AFE1A26
115A1BF5 3AFB030E D1A8300D A 06092, 86 4886F70D01010405 00038181 008CC48F
6A1BFB52 0F268B05 B977AE8E CA450936 8272 D 889B46DE9FB 5680782C 59DA2354
04CE6AD2 F280FB20 32B3897B CF0919F9 C0719F22C7BED922 73C35C32 54696F37
89E424C2 561FFF54 99573AC6 713E58D8 E3B67064295 4331 845FCDEC F6CD8017 D
58006 58 F94A8771 78217788 FE63AA11 0E5DF6B11A8D0111 CDD87A1D CC
quit smoking
no ip source route
no ip free-arps
chip-Relay IP dhcp
ignore the IP dhcp bootp
DHCP excluded-address IP 10.0.1.1 10.0.1.10
DHCP excluded-address IP 10.0.10.1 10.0.10.10
!
dhcp VLAN_10 IP pool
Network 10.0.10.0 255.255.255.224
router by default - 10.0.10.1
Domain xxxxxx
10.0.10.1 DNS server
!
dhcp VLAN_1 IP pool
Network 10.0.1.0 255.255.255.224
default router 10.0.1.1
Domain xxxxxx
10.0.1.1 DNS server
!
!
IP cef
inspect the IP log drop-pkt
IP inspect high 1100 max-incomplete
IP inspect 1100 max-incomplete bass
IP inspect a high minute 1100
IP inspect a minute low 1100
inspect the IP udp idle time 60
inspect the IP dns-timeout 10
inspect the name firewall tcp timeout IP 3600
inspect the name firewall udp timeout 15 IP
inspect the name firewall ftp queue time 3600 IP
inspect the name firewall rcmd timeout IP 3600
IP inspect alert firewall smtp name on timeout 3600
inspect the name firewall sqlnet timeout IP 3600
inspect the IP name firewall tftp timeout 30
inspect the name firewall icmp time 15 IP
inspect the name firewall ssh timeout 15 IP
IP inspect name Connection Firewall audit trail on
inspect the name webster firewall IP
IP inspect skinny firewall name
inspect the router IP firewall name
inspect the IP firewall cifs name
inspect the name cuseeme firewall IP
IP inspect the dns name of the firewall
inspect the name realaudio firewall IP
inspect the name firewall rtsp IP
inspect the name streamworks firewall IP
inspect the name vdolive firewall IP
inspect the IP sip firewall name
inspect the name firewall pop3 alert on reset IP
inspect the name ftps firewall IP
inspect the name isakmp firewall IP
inspect the IP name of firewall ipsec-msft
inspect the name ntp FIREWALL IP
inspect the IP name firewall imap
inspect the name imaps firewall IP
inspect the name imap3 FIREWALL IP
inspect the name pop3s firewall IP
no ip bootp Server
IP domain name xxxxxxxxx
8.8.8.8 IP name-server
IP-server names 8.8.4.4
name-server IP 208.67.222.222
IP-server names 208.67.220.220
name of the IP-server 74.128.19.102
name of the IP-server 74.128.17.114
!
!
notify licensing agenthttp://10.0.10.11:9710 / clm/servlet/HttpListenServlet
dummy dummy 2.0
!
!
username privilege 15 secret 5 xxxx xxxxxx
username xxxxx xxxxx secret 5
!
!
crypto ISAKMP policy 3
BA aes 256
preshared authentication
Group 2
ISAKMP crypto nat keepalive 3600
!
ISAKMP crypto client configuration group xxxxx
key xxxxxx
DNS 10.0.10.5
domain xxxxxxxx
pool vpnpool
include-local-lan
netmask 255.255.255.224
!
!
Crypto ipsec transform-set esp esp - aes 256 RIGHT-model of hmac-SHA-lzs
!
Crypto-map dynamic dynmap 10
Set transform-set RIGHT
market arriere-route
!
!
list of card crypto clientmap client authenticationuserauthen
card crypto clientmap isakmp authorization listgroupauthor
client configuration address map clientmap cryptoinitiate
client configuration address map clientmap cryptoanswer
10 ipsec-isakmp crypto map clientmap Dynamics dynmap
!
Crypto ctcp port 6000
Archives
The config log
hidekeys
!
!
synwait-time of tcp IP 10
property intellectual ssh time 60
property intellectual ssh authentication-2 retries
Bridge IRB
!
!
!
interface Loopback0
IP 10.100.100.1 255.255.255.0
IP nat inside
IP virtual-reassembly
!
Null0 interface
no ip unreachable
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
switchport mode trunk
!
interface FastEthernet4
WAN description $ FW_OUTSIDE$
address IP dhcp client id FastEthernet4
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
stream IP output
inspect the firewall on IP
NAT outside IP
IP virtual-reassembly
automatic duplex
automatic speed
clientmap card crypto
!
wlan-ap0 interface
description of the Service interface module to manage theEmbedded AP
IP unnumbered Vlan1
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP virtual-reassembly
ARP timeout 0
!
interface GigabitEthernet0 Wlan
description of the Service interface module to manage theEmbedded AP
switchport mode trunk
!
interface Vlan1
VLAN_1 description $ FW_INSIDE$
IP 10.0.1.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface Vlan10
VLAN_10 description $ FW_INSIDE$
IP 10.0.10.1 255.255.255.224
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
IP nat inside
IP virtual-reassembly
IP tcp adjust-mss 1452
!
interface BVI1
Description $FW_INSIDE$
in the form of address IP WAPB dhcp host name
no ip redirection
no ip unreachable
no ip proxy-arp
penetration of the IP stream
no ip-cache cef route
no ip route cache
!
router RIP
version 1
10.0.0.0 network
!
IP local pool vpnpool 197.0.0.1 197.0.0.5
no ip forward-Protocol nd
IP route 0.0.0.0 0.0.0.0 dhcp
IP route 0.0.0.0 0.0.0.0 FastEthernet4 dhcp
IP http server
access-class 2 IP http
local IP http authentication
IP http secure server
!
The dns server IP
IP nat inside source list 1 interface FastEthernet4Overload
IP nat inside source list 2 interface FastEthernet4Overload
IP nat inside source static tcp 10.0.10.3 3389interface FastEthernet4 3389
IP nat inside source static tcp 10.0.10.3 1723interface FastEthernet4 1723
IP nat inside source static tcp 10.0.10.3 80interface FastEthernet4 80
!
record 10.0.10.1
access-list 1 permit 10.0.1.0 0.0.0.31
access-list 2 permit 10.0.10.0 0.0.0.31
access-list 199 permit any one
access-list 199 permit tcp any any eq 1723
access-list 199 permit tcp a whole Workbench
access-list 199 permit udp any any eq 3389
access-list 199 permit udp any any eq ntp
access-list 199 permit udp any any gt 1023
access-list 199 tcp refuse a whole
access-list 199 tcp 10.0.0.0 refuse 0.255.255.255 everything
access-list 199 tcp 172.16.0.0 refuse 0.15.255.255any
access-list 199 tcp 192.168.0.0 refuse 0.0.0.255 any
access-list 199 refuse udp 10.0.0.0 0.255.255.255 everything
access-list 199 refuse udp 172.16.0.0 0.15.255.255any
access-list 199 refuse udp 192.168.0.0 0.0.0.255 any
access-list 199 refuse icmp no echo
access-list 199 deny udp any how any eq 135
access-list 199 deny udp any any eq netbios-ns
access-list 199 deny udp any any eq netbios-ss
access-list 199 deny udp any any eq isakmp
access-list 199 tcp refuse any any eq telnet
access-list 199 tcp refuse any any eq smtp
access-list 199 tcp refuse any any eq nntp
access-list 199 tcp refuse any any eq 135
access-list 199 tcp refuse any any eq 137
access-list 199 tcp refuse any any eq 139
access-list 199 tcp refuse any any eq www
access-list 199 tcp refuse any any eq 443
access-list 199 tcp refuse any any eq 445
access-list 199 refuse an entire ip
not run cdp!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
bridge 10 Protocol ieee
IP route 10 bridge
connection of the banner ^ CAuthorized access only!
Unplug IMMEDIATELY if you are not authorizeduser! ^ C
!
Line con 0
no activation of the modem
telnet output transport
line to 0
telnet output transport
line 2
no activation-character
No exec
preferred no transport
transport of entry all
transportation out all
line vty 0 4
access-class 104 in
transport input telnet ssh
!
max-task-time 5000 Planner
Scheduler allocate 4000 1000
Scheduler interval 500
Server NTP 192.43.244.18
endHello
The problem is due to NAT configurations. Please, try the following:
no nat ip within the source list 1 interface FastEthernet4 overload
no nat ip inside the source list 2 interface FastEthernet4 overload
access-list 101 deny ip 10.0.0.0 0.0.255.31 197.0.0.0 0.0.0.7
access-list 101 deny ip 10.0.0.0 0.0.255.31 10.0.0.0 0.0.255.255
access-list 101 permit ip 10.0.0.0 0.0.255.31 all
Internet route map
corresponds to the IP 101
output
IP nat inside source overload map route Internet interface FastEthernet4
This will ensure that the VPN clients can access all internal
resources. However, they will not be able to access to the 10.0.10.3 Server
using its private IP address that you can not use the roadmap, when you use the
keyword "interface." If you have a static IP address assigned to your FastEthernet4
You can then use the interface by the ISP, the configuration below:
access-list 102 refuse host ip 10.0.10.3 197.0.0.0 0.0.0.7
access-list 102 refuse 10.0.10.3 ip host 10.0.0.0 0.0.255.255
access-list 102 permit ip 10.0.10.3 host everything
route server map
corresponds to the IP 101
output
no nat ip inside source static tcp 10.0.10.3 interface FastEthernet4 3389
3389
no nat ip inside the source static tcp 10.0.10.3 1723 interface FastEthernet4
1723
no nat ip inside the 80 tcp static 10.0.10.3 source FastEthernet4 80 interface
IP nat inside source static tcp 10.0.10.3 3389 "FastEthernet4 IP" 3389
route server map
IP nat inside source static tcp 10.0.10.3 1723 "FastEthernet4 ip" 1723
route server map
IP nat inside source static tcp 10.0.10.3 80 'FastEthernet4 ip' 80-route map
Server
I hope this helps.
Kind regards
NT
-
When remote users to connect to the Cisco ASA VPN and authenticate with Cisco AnyConnect client, they then full access to the environment internal of LAN of business as if they were sitting at their desks in the Office of the Corporation.
Right?
After that the remote client authenticates to the AnyConnect VPN, it is sensible to then run remote users of traffic through the corporate firewall (outside to inside) before allowing LAN access full corporate?
Remote_User - vpn - ANYCONNECT-(outside) (inside) firewall - CORP_LAN
Thank you
Frank
Hello
Yes, by default, all traffic will be sent through the tunnel.
If there are users VPN shouldn't be able to reach the resources, you need to establish rules for access to it. The best way to do this is by using VPN filter.
-
Hello
I'm new im this forum.
I've set up a Site VPN site with 2 Cisco 877.SITE A:
Address IP Adreess public: static
Internal IP Adrees: 192.168.0.XXX
Mask: 255.255.255.0SITE B:
IP address public Adreess: Dynamics
Internal IP address: 192.168.2.XXX
Mask: 255.255.255.0I managed to do a ping on both sides, but I can't access file shares, and could rdp on any server in site A, by the internal IP address.
Fix, is the SITES A and B SITE startup configs.
Could you please someone help me?
Hi Marcos,
Really happy to know that the problem is solved. There is no need to apologize. Please mark this message as answered if there is nothing more.
Rregards,
Assia
-
PIX 501 for Cisco 3640 VPN router
-Start ciscomoderator note - the following message has been changed to remove potentially sensitive information. Please refrain from publishing confidential information about the site to reduce the risk to the security of your network. -end of the note ciscomoderator-
Have a 501 PIX and Cisco 3640 router. The 3640 is configured for dynamic map for VPN. The PIX 501 is set to pointing to the 3640 router static map. I can establish a tunnel linking the PIX to the router and telnet to a machine AIX on the inside network to the router. When I try to print on the network of the PIX 501 inside it fails.
What Miss me? I added the configuration for the PIX and the router.
Here are the PIX config:
PIX Version 6.1 (1)
ethernet0 nameif outside security0
nameif ethernet1 inside the security100
enable encrypted password xxxxxxxxxxxxxxxx
xxxxxxxxxxxxx encrypted passwd
pixfirewall hostname
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol 2000 skinny
names of
pager lines 24
interface ethernet0 10baset
interface ethernet1 10full
Outside 1500 MTU
Within 1500 MTU
IP address outside dhcp setroute
IP address inside 192.168.1.1 255.255.255.0
alarm action IP verification of information
alarm action attack IP audit
PDM logging 100 information
history of PDM activate
ARP timeout 14400
Global 1 interface (outside)
NAT (inside) 1 0.0.0.0 0.0.0.0 0 0
Timeout xlate 0:05:00
Timeout conn 01:00 half-closed 0: 10:00 udp 0:02:00 CPP 0: h323 from 10:00 0:05:00 sip 0:30:00 sip_media 0:02:00
Timeout, uauth 0:05:00 absolute
GANYMEDE + Protocol Ganymede + AAA-server
RADIUS Protocol RADIUS AAA server
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
SNMP-Server Community public
No trap to activate snmp Server
enable floodguard
No sysopt route dnat
Telnet timeout 5
SSH timeout 5
dhcpd address 192.168.1.2 - 192.168.1.33 inside
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd outside auto_config
dhcpd allow inside
Terminal width 80
Cryptochecksum:XXXXXXXXXXXXXXXXXXX
: end
Here is the router config
Router #sh runn
Building configuration...
Current configuration: 6500 bytes
!
version 12.2
no service button
tcp KeepAlive-component snap-in service
a tcp-KeepAlive-quick service
horodateurs service debug datetime localtime
Log service timestamps datetime localtime
no password encryption service
!
router host name
!
start the flash slot1:c3640 - ik9o3s - mz.122 - 16.bin system
queue logging limit 100
activate the password xxxxxxxxxxxxxxxxx
!
clock TimeZone Central - 6
clock summer-time recurring CENTRAL
IP subnet zero
no ip source route
!
!
no ip domain-lookup
!
no ip bootp Server
inspect the name smtp Internet IP
inspect the name Internet ftp IP
inspect the name Internet tftp IP
inspect the IP udp Internet name
inspect the tcp IP Internet name
inspect the name DMZ smtp IP
inspect the name ftp DMZ IP
inspect the name DMZ tftp IP
inspect the name DMZ udp IP
inspect the name DMZ tcp IP
audit of IP notify Journal
Max-events of po verification IP 100
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
crypto ISAKMP policy 20
BA 3des
preshared authentication
Group 2
ISAKMP crypto key address x.x.180.133 xxxxxxxxxxx
ISAKMP crypto keys xxxxxxxxxxx address 0.0.0.0 0.0.0.0
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac vpn test
Crypto ipsec transform-set esp-3des esp-sha-hmac PIXRMT
!
dynamic-map crypto dny - Sai 25
game of transformation-PIXRMT
match static address PIX1
!
!
static-card 10 map ipsec-isakmp crypto
the value of x.x.180.133 peer
the transform-set vpn-test value
match static address of Hunt
!
map ISCMAP 15-isakmp ipsec crypto dynamic dny - isc
!
call the rsvp-sync
!
!
!
controller T1 0/0
framing ESF
linecode b8zs
Slots 1-12 channels-group 0 64 speed
Description controller to the remote frame relay
!
controller T1 0/1
framing ESF
linecode b8zs
Timeslots 1-24 of channel-group 0 64 speed
Description controller for internet link SBIS
!
interface Serial0/0:0
Description CKT ID 14.HXGK.785129 Frame Relay to Remote Sites
bandwidth 768
no ip address
no ip redirection
no ip unreachable
no ip proxy-arp
encapsulation frame-relay
frame-relay lmi-type ansi
!
interface Serial0 / point to point 0:0.17
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 17 frame relay interface
!
interface Serial0 / point to point 0:0.18
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 18 frame relay interface
!
interface Serial0 / point to point 0:0.19
Description Frame Relay to xxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 19 frame relay interface
!
interface Serial0 / point to point 0:0.20
Description Frame Relay to xxxxxxxxxxxxx location
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 20 frame relay interface
!
interface Serial0 / point to point 0:0.21
Description Frame Relay to xxxxxxxxxxxx
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 21 frame relay interface
!
interface Serial0 / point to point 0:0.101
Description Frame Relay to xxxxxxxxxxx
IP unnumbered Ethernet1/0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
No arp frame relay
dlci 101 frame relay interface
!
interface Serial0/1:0
CKT ID 14.HCGS.785383 T1 to ITT description
bandwidth 1536
IP address x.x.76.14 255.255.255.252
no ip redirection
no ip unreachable
no ip proxy-arp
NAT outside IP
inspect the Internet IP on
no ip route cache
card crypto ISCMAP
!
interface Ethernet1/0
IP 10.1.1.1 255.255.0.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
no ip route cache
no ip mroute-cache
Half duplex
!
interface Ethernet2/0
IP 10.100.1.1 255.255.0.0
no ip redirection
no ip unreachable
no ip proxy-arp
IP nat inside
no ip route cache
no ip mroute-cache
Half duplex
!
router RIP
10.0.0.0 network
network 192.168.1.0
!
IP nat inside source list 112 interface Serial0/1: 0 overload
IP nat inside source static tcp 10.1.3.4 443 209.184.71.138 443 extensible
IP nat inside source static tcp 10.1.3.4 9869 209.184.71.138 9869 extensible
IP nat inside source 10.1.3.2 static 209.184.71.140
IP nat inside source static 10.1.3.6 209.184.71.139
IP nat inside source static 10.1.3.8 209.184.71.136
IP nat inside source static tcp 10.1.3.10 80 209.184.71.137 80 extensible
IP classless
IP route 0.0.0.0 0.0.0.0 x.x.76.13
IP route 10.2.0.0 255.255.0.0 Serial0 / 0:0.19
IP route 10.3.0.0 255.255.0.0 Serial0 / 0:0.18
IP route 10.4.0.0 255.255.0.0 Serial0 / 0:0.17
IP route 10.5.0.0 255.255.0.0 Serial0 / 0:0.20
IP route 10.6.0.0 255.255.0.0 Serial0 / 0:0.21
IP route 10.7.0.0 255.255.0.0 Serial0 / 0:0.101
no ip address of the http server
!
!
PIX1 static extended IP access list
IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255
IP access-list extended hunting-static
IP 10.1.0.0 allow 0.0.255.255 192.168.1.0 0.0.0.255
extended IP access vpn-static list
ip permit 192.168.1.0 0.0.0.255 10.1.0.0 0.0.255.255
IP 192.0.0.0 allow 0.255.255.255 10.1.0.0 0.0.255.255
access-list 1 refuse 10.0.0.0 0.255.255.255
access-list 1 permit one
access-list 12 refuse 10.1.3.2
access-list 12 allow 10.1.0.0 0.0.255.255
access-list 12 allow 10.2.0.0 0.0.255.255
access-list 12 allow 10.3.0.0 0.0.255.255
access-list 12 allow 10.4.0.0 0.0.255.255
access-list 12 allow 10.5.0.0 0.0.255.255
access-list 12 allow 10.6.0.0 0.0.255.255
access-list 12 allow 10.7.0.0 0.0.255.255
access-list 112 deny ip host 10.1.3.2 everything
access-list 112 refuse ip 10.1.0.0 0.0.255.255 192.168.1.0 0.0.0.255
access-list 112 allow ip 10.1.0.0 0.0.255.255 everything
access-list 112 allow ip 10.2.0.0 0.0.255.255 everything
access-list 112 allow ip 10.3.0.0 0.0.255.255 everything
access-list 112 allow ip 10.4.0.0 0.0.255.255 everything
access-list 112 allow ip 10.5.0.0 0.0.255.255 everything
access-list 112 allow ip 10.6.0.0 0.0.255.255 everything
access-list 112 allow ip 10.7.0.0 0.0.255.255 everything
access-list 120 allow ip host 10.100.1.10 10.1.3.7
not run cdp
!
Dial-peer cor custom
!
!
!
!
connection of the banner ^ CCC
******************************************************************
WARNING - Unauthorized USE strictly PROHIBITED!
******************************************************************
^ C
!
Line con 0
line to 0
password xxxxxxxxxxxx
local connection
Modem InOut
StopBits 1
FlowControl hardware
line vty 0 4
exec-timeout 15 0
password xxxxxxxxxxxxxx
opening of session
!
end
Router #.
Add the following to the PIX:
> permitted connection ipsec sysopt
This indicates the PIX around all ACLs for IPsec traffic. Now that your IPSec traffic is still subject to the standard rules of PIX, so launched inside the traffic is allowed to go in, but off-initiated traffic is not.
-
Cisco 877 VPN - two routers remote connection to the head office
Hi all.
Our headquarters has a 877.
Our two remote sites also have 877 and they have a permanent tunnel in 877 headquarters which works OK.
My problem is that two remote sites cannot talk to each other - but they can talk to the seat of fines.
I guess I sort of NAT problem - so I'll post the relevant configs and if someone could take a look and point me in the right direction, I had to be very happy!
Head office config is a txt 192.168.16.5 file
Remote site 'Riversdale' is the 192.168.17.1 text file
Remote site 'Tynewydd' is the 192.168.18.1 text file
How have you checked with pings? Is this an internal host to internal host?
You can check with pings between rays? Please use the internal interface of rays for both source and destination addresses. And send me 'Show details crypto session' of all the routers both before and after the sending of pings.
One thing I forgot in your rays (both) config file is on NAT. Please reorganize both deny entries followed first allow entry.
access-list 100 deny ip 192.168.17.0 0.0.0.255 192.168.16.0 0.0.0.255
access-list 100 permit ip 192.168.17.0 0.0.0.255 any
access-list 100 deny ip 192.168.17.0 0.0.0.255 192.168.18.0 0.0.0.255
-
Cisco IOS - access remote VPN - route unwanted problem
Hello
I recently ran into a problematic scenario: I am trying to connect to a remote LAN (using a Cisco VPN client on my windows xp machine) my office LAN and access a server there. The problem is that I need a remote local network access at the same time.
Remote LAN: 172.16.0.0/16
LAN office: 172.16.45.0/24
Topology:
(ME: 172.16.10.138/25) - (several subnets form 172.16.0.0/16) - (Internet cloud) - (VPN-Gateway) - (172.16.45.0/24) - (TARGET: 172.16.45.100)
To provide access, I configured a VPN to access simple distance on a 1700 series router. It's the relevant part:
(...)
crypto ISAKMP client config group group-remote access
my-key group
VPN-address-pool
ACL 100
IP local pool pool of addresses-vpn - 172.16.55.1 172.16.55.30
access-list 100 permit ip 172.16.45.100 host 172.16.55.0 0.0.0.31
(...)
The configuration works fine, I can access the 172.16.45.100 server every time I need to. However, the problem is that when the VPN connection is connected, Windows wants to somehow rout the packets intended for 172.16.0.0/16 through the VPN tunnel. This is apparently due to a static route that added by the Cisco VPN Client and all other specific VPN routes.
I suspect that the culprit is the IP LOCAL POOL, since when the VPN is connected, debugging of Client VPN log shows something like "adapter connected, address 172.16.55.1/16. Focus on the part "/ 16". I checked the VPN status page and the only road indicated there was "172.16.45.100 255.255.255.255" under remote routes. Local routes was empty.
Is this a known problem I missed the obvious solution for? Is there no workaround apart from the pool local vpn penetrating high-end 10.x.x.x or 192.168.x.x? Thank you in advance for advice or tips!
Hello
The best way is to avoid any overlap between the local network and VPN pool.
Try 172.17.0.0/16, is also private IP address space:
http://en.Wikipedia.org/wiki/Private_network
Please rate if this helped.
Kind regards
Daniel
-
Ipad Cisco ipsec VPN connects but not access to the local network
Hi guys,.
I am trying to connect our ipads to vpn to access network resources. IPSec cisco ipad connects but not lan access and cannot ping anything not even not the interfaces of the router.
If I configure the vpn from cisco on a laptop, it works perfectly, I can ping all and can access resources on the local network if my guess is that the traffic is not going in the tunnel vpn between ipad and desktop.
Cisco 877.
My config is attached.
Any ideas?
Thank you
Build-in iPad-client is not useful to your configuration.
You have three options:
(1) remove the ACL of your vpn group. Without split tunneling client will work.
2) migrate legacy config crypto-map style. Here, you can use split tunneling
3) migrate AnyConnect.
The root of the problem is that the iPad Gets the split tunneling-information. But instead of control with routing traffic should pass through the window / the tunnel and which traffic is allowed without the VPN of the iPad tries to build a set of SAs for each line in your split-tunnel-ACL. But with the model-virtual, SA only is allowed.
-
Client VPN connects but not internal LAN access or Ping
Hi all.
I'm new on this forum and kindly asking for your help because I'm stuck.
I have an ADSL router cisco 877 which I configured easy VPN server.
Now the Cisco VPN client ver 5.0 to connect successfully to the VPN server, but when you try to access/ping computers on the internal network, there is no response.The configuration is below. Please let know us where I was going or what I missed.
[code]Building configuration...
Current configuration: 4574 bytes
!
version 12.4
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
encryption password service
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$ $86dn J8HrK9kCQ8G9aPAm6xe4o1
enable password 7 13151601181B54382F
!
AAA new-model
!
!
AAA authentication login default local
AAA authentication login internal_affairs_vpn_1 local
AAA authorization exec default local
AAA authorization internal_affairs_vpn_group_1 LAN
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-2122144568
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2122144568
revocation checking no
rsakeypair TP-self-signed-2122144568
!
!
TP-self-signed-2122144568 crypto pki certificate chain
self-signed certificate 03
30820248 308201B 1 A0030201 02020103 300 D 0609 2A 864886 F70D0101 04050030
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 32313232 31343435 6174652D 3638301E 170 3032 30333032 32303537
31375A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 32 31323231 65642D
34343536 3830819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100D3EA 07EC5D66 F4DD8ACC 5540BDBE 009B3C26 598EC99C D99D935A 51292F96
F495E5A9 8D012B0E 73EA7639 3B 586799 187993F5 ED9CA31C 788756DD 6BDB1B2B
4D7AA7F0 B07CF82F F2A29E86 E18B442C 550E22D2 E92D9914 105B7D59 253BBEA1
D84636B4 A4B4B300 7946CE84 E9A63D2E 7789B03A 6ADDB04E B21EC207 CCFEAE0B
30 HAS A 50203 010001, 3 1 130101 301B 0603 030101FF FF040530 0F060355 70306E30
551 1104 14301282 10494E54 45524E41 4C5F4146 46414952 53301F06 03551D 23
04183016 8014FA0F B3C9C651 7FD91EFA 3F63EAE8 6C83C80D 8AE2301D 0603551D
0E041604 14FA0FB3 C9C6517F D91EFA3F 63EAE86C 83C80D8A E2300D06 092A 8648
86F70D01 01040500 03818100 A1026DDC C91CAEB2 3C62AF92 D6B25EB2 CA 950, 920
313BCF26 4A35B039 A4F806A0 8CB54D11 6AF1ABAA A770604B 4403F345 0351361B
E2CF2950 26974F4A 95951862 401A4F76 C816590C 2FFCB115 9A8B3E96 4373FFE1
33D744F7 E0FDDE61 B5B48497 9516C3C6 A3157957 C621668E A83B5E33 2420F962
9142DD9E B6E9D74A 899A 9653
quit smoking
dot11 syslog
IP cef
No dhcp use connected vrf ip
DHCP excluded-address IP 10.10.10.1
!
IP dhcp pool dhcplan
Network 10.0.0.0 255.0.0.0
DNS-server 196.0.50.50 81.199.21.94
default router 10.10.10.1
Rental 7
!
!
property intellectual auth-proxy max-nodata-& 3
property intellectual admission max-nodata-& 3
name of the IP-server 81.199.21.94
!
!
!
VPN username password 7 095A5E07
username fred privilege 15 password 7 1411000E08
username ciscovpn password 7 01100F175804101F2F
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
!
ISAKMP crypto client configuration group internal_affairs_vpn
key *.
DNS 196.0.50.50 81.199.21.94
pool ippool
ACL 108
!
!
Crypto ipsec transform-set esp-3des esp-sha-hmac RIGHT
!
Crypto-map dynamic internal_affairs_DYNMAP_1 10
Set transform-set RIGHT
market arriere-route
!
!
card crypto client internal_affairs_CMAP_1 of authentication list internal_affairs_vpn
card crypto isakmp authorization list internal_affairs_vpn_group_1 internal_affairs_CMAP_1
client configuration address card crypto internal_affairs_CMAP_1 answer
ipsec 10-isakmp crypto map internal_affairs_CMAP_1 Dynamics internal_affairs_DYNMAP_1
!
Archives
The config log
hidekeys
!
!
!
Bridge IRB
!
!
interface Loopback0
2.2.2.2 the IP 255.255.255.255
!
ATM0 interface
no ip address
ATM vc-per-vp 512
No atm ilmi-keepalive
PVC 0/32
aal5snap encapsulation
Protocol ip inarp
!
DSL-automatic operation mode
Bridge-Group 1
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
description of the local lan interface
IP 10.10.10.1 255.0.0.0
IP nat inside
IP virtual-reassembly
!
interface BVI1
internet interface Description
IP 197.0.4.174 255.255.255.252
NAT outside IP
IP virtual-reassembly
internal_affairs_CMAP_1 card crypto
!
IP local pool ippool 192.168.192.1 192.168.192.200
IP forward-Protocol ND
IP route 0.0.0.0 0.0.0.0 196.0.4.173
!
IP http server
local IP http authentication
IP http secure server
IP nat inside source list interface BVI1 NAT overload
IP nat inside source static tcp 2.2.2.2 23 23 BVI1 interface
!
NAT extended IP access list
allow an ip
!
access-list 108 allow ip 10.0.0.0 0.255.255.255 192.168.192.0 0.0.0.255
!
!
!
control plan
!
Bridge Protocol ieee 1
1 channel ip bridge
!
Line con 0
password 7 0216054818115F3348
no activation of the modem
line to 0
line vty 0 4
password 7 06160E325F59590B01
!
max-task-time 5000 Planner
endSince this is a named ACL, you need to change ACL configuration mode:
NAT extended IP access list
Then, make the changes.
Federico.
-
VPN ipsec Cisco 877 <>- iphone
Hi, I'm trying implement the vpn ipsec between my cisco 877 and his iphone/cisco vpn client. First of all, what is the difference between remote access vpn and vpn installation easy? The phase 1 and the phase2 are completed but I don't have much traffic between peers.
Maybe I missed something conf? Should I add the roadmap with acl 101?
Here is the configuration of isakmp/ipsec.
ISAKMP crypto enable
session of crypto consignmentcrypto ISAKMP policy 10
BA 3des
md5 hash
preshared authentication
Group 2
life 3600
ISAKMP crypto keepalive 10
ISAKMP crypto nat keepalive 20
ISAKMP xauth timeout 90 cryptoISAKMP crypto client configuration group to distance-vpn
key to past
DNS 212.216.112.112
cisco877.local field
10 Max-users
Max-connections 10
pool remotely
ACL 150
Save-passwordCrypto ipsec transform-set VPN-CLI-SET esp-3des esp-md5-hmac
Crypto ipsec security association idle time 3600distance from dyn-crypto-dynamic-map 10
transformation-VPN-CLI-SET gamecard crypto remotemap local-address dialer0
card crypto client remotemap of authentication list userauthen
card crypto isakmp authorization list groupauthor remotemap
client configuration address card crypto remotemap answer
remotemap 65535 ipsec-isakmp crypto map distance Dynamics-dyninterface dialer0
remotemap card cryptoIP local pool remote control-pool 192.168.69.0 192.168.69.20
IP route 192.168.69.0 255.255.255.0 dialer0
no access list 150
REM list 150 * ACL split tunnel access *.
access-list 150 permit ip 10.0.77.0 0.0.0.255 192.168.69.0 0.0.0.255no access list 101
Note access-list 101 * ACL sheep *.
access-list 101 deny ip 10.0.77.0 0.0.0.255 192.168.69.0 0.0.0.255
access-list 101 permit ip 10.0.77.0 0.0.0.255 anyShould I apply this acl 101 loopback? Ex:
overload of IP nat inside source list 101 interface Loopback0
Should I apply an acl to permit as access-list 169 allow ip 192.168.69.0 0.0.0.255 any in my Dialer interface 0?
Other tips? Best regards.
Hi Alessandro,.
The access tunnel split list is great!
If you are NAT on public and private interface that is ip nat inside and ip nat outside etc.
You must add the command ip nat inside source list 101 interface Dialer0 overload
+++++++++++++++++++++++++++++++++++++++
Or you can create a new roadmap
new route map permit 10
ACL #match 101
command: ip nat inside the interface Dialer0 overload route map
Thank you
Adama
-
Cisco ASA vpn site to site with access internet, error
Hello
I have two offises, Central and removed, with the external IP addresses. They are connected to the site to site vpn, LAN works fine, then NAT is disable, but then there is no internet access, then I Internet in NAT is working well, but then there is no access to the local network.
Where would be the problem?There's config:
ASA Version 8.4(4)1
!
hostname SalSK-ASA
domain-name ld.lt
enable password xxx encrypted
passwd xxx encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
ip address 81.X.X.X 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.204.254 255.255.255.0
!
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone EET 2
dns server-group DefaultDNS
domain-name lietuvosdujos.lt
object network LAN
subnet 192.168.204.0 255.255.255.0
description Local Area Network
object network LD_Lanai
subnet 192.168.0.0 255.255.0.0
description LD lanai
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit ip any any
access-list vpn extended permit ip any 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 any
access-list vpn extended permit ip object LD_Lanai 192.168.204.0 255.255.255.0
access-list vpn extended permit ip 192.168.204.0 255.255.255.0 object LD_Lanai
access-list outside_cryptomap_1 extended permit ip object LAN any
access-list outside extended permit ip any any
pager lines 24
logging enable
logging list VPN_events level informational class auth
logging list VPN_events level informational class vpdn
logging list VPN_events level informational class vpn
logging list VPN_events level informational class vpnc
logging list VPN_events_ID message 713120
logging list VPN_events_ID message 713167
logging list VPN_events_ID message 602303
logging list VPN_events_ID message 713228
logging list VPN_events_ID message 113012
logging list VPN_events_ID message 113015
logging list VPN_events_ID message 713184
logging list VPN_events_ID message 713119
logging list VPN_events_ID message 602304
logging monitor debugging
logging buffered debugging
logging trap VPN_events_ID
logging asdm informational
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic LAN interface inactive
access-group outside in interface outside
access-group inside_access_in in interface inside
route outside 0.0.0.0 0.0.0.0 81.7.77.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server ISE protocol radius
aaa-server ISE (inside) host 192.168.200.48
key *****
user-identity default-domain LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication serial console ISE LOCAL
aaa authentication ssh console ISE LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set tripledes esp-3des esp-sha-hmac
crypto map outside_map 1 match address outside_cryptomap_1
crypto map outside_map 1 set peer 213.X.X.X
crypto map outside_map 1 set ikev1 transform-set tripledes
crypto map outside_map interface outside
crypto isakmp identity address
crypto ikev1 enable outside
crypto ikev1 policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 192.168.201.200 source inside prefer
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
group-policy SalGP internal
group-policy SalGP attributes
vpn-filter value vpn
vpn-tunnel-protocol ikev1 l2tp-ipsec
username Admin password LVPpyc4ATztEAWtq encrypted privilege 15
tunnel-group 213.X.X.X type ipsec-l2l
tunnel-group 213.X.X.X general-attributes
default-group-policy SalGP
tunnel-group 213.X.X.X ipsec-attributes
ikev1 pre-shared-key *****
!
class-map global-class
match default-inspection-traffic
!
!
policy-map global-policy
class global-class
inspect dns
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect sip
inspect skinny
inspect sqlnet
inspect sunrpc
inspect tftp
inspect xdmcp
inspect icmp
class class-default
user-statistics accounting
!
service-policy global-policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]/* */
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d8c29755eff807b1530e38b9ead9edd5
: endTwo things are here according to you needs.
First you encrypt all the traffic on the network 192.168.204.0/24... do you intend to send all traffic on that subnet via the VPN? If this isn't the case, specify the remote subnet instead of using all the crypto ACL.
object network LAN
subnet 192.168.204.0 255.255.255.0access-list outside_cryptomap_1 extended permit ip object LAN anySecond, you have not an exempt statement NAT so that encrypted traffic should not be translated. This statement would look like the following:
the object of the LAN network
192.168.204.0 subnet 255.255.255.0being REMOTE-LAN network
255.255.255.0 subnet 192.168.100.0Static NAT LAN LAN (inside, outside) destination static REMOTE - LAN LAN
--
Please do not forget to choose a good response and the rate
-
Cisco 877 using draytek 2600 VPN
First I want to apologize for my complete lack of knowledge of cisco, I had the problem of replacing our dumped in my lap draytek routers
Here's the background
I have a cisco 877 router connected to our adsl broadband to our headquarters. I got this set instead of Nat and DHCP all working for allow multiple users internet access through our unique static ip address provided by the ISP lets say ip 1.2.3.4 address.
Our internal network is 192.168.1.0 255.255.255.0
I have a draytek vigor 2600 in a branch set up the same thing with a static IP address provided by the ISP allows to say that the investigation period is 5.6.7.8.
The internal network is 192.168.4.0 255.255.255.0
Here's the problem (except me)
I'm trying to set up a VPN between the head office and branch so that branch office users to connect to our internal server (lets say ip is 192.168.1.2) to receive group policies, access files and also telnet on our database server (lets say ip 192.168.1.3).
I have attached a kind of running the config that I restored the little I've read on this site and others. I tried these settings and other permutations of these settings, but I can't seem to establish a tunnel even if when I show tunnel0 int on the router it says tunnel is up and line protocol is up, if I show ip route shows that there is an ip address for the tunnel and it's all (no vpn indicator light lit).
Could someone please take a look at the file and see if it makes sense and I got the right information. I highlighted the parts, I'm not sure in red (quite a bit and obviously not the exact settings, but I think it should be).
And
Once all the settings are correct on the cisco it will automatically establish vpn or what I have to deal since the draytek.
Hello
Can activate you ' debug cry isa ' and ' debug cry ips "and post ehre. Looks like the acl, transform set crypto or pfs settings might be incompatible. Ensure that all parameters of phase 2 are adapted to both ends.
Kind regards
Assia
-
Cisco easy VPN access Internet without Split Tunnel
Hey guys
IM wondering if anyone has a config that can help me get access to internet via an easy vpn tunnel on a cisco 877 router.
Basically, we are traveling to be users able to use the internet through vpn, rather than using split tunneling. The reason for this is that we have several sites that are attached by lists of external IP access for some services.
We hope that mobile users to interact with these sites through the central router and use external IP of access routers secure sites.
I hope that makes sense. I know that we can use a proxy but we also use other services of bases no proxy on these sites, it would be rather routed direct access.
Thank you
Luke
Hi Luke,.
Please use the installation of the client VPN (complete tunnel) link below.
Note the useful message.
Thank you
Kasi
-
Cisco ASA Anyconnect LAN access problem
I have very simple network at home with the WAN IP address, ASA uses DHCP and gateway. plain of network of all no complications.
X.X.X.X like a WAN
192.168.1.0/24 as a LAN
IP Pool 192.168.6.0/24 (VPN Pool)
I am trying to configure AnyConnect (AC) so that I can connect remotely and get my resources on the LAN while out. I am to connect with AC and when you use split tunnel I'm browsing the web very well, but I have no access to the local network (without ICMP or TCP/UDP)
Route looks good in customer AC
unsecured network 0.0.0.0/0
secure network 192.168.1.0/24What I'm missing for LAN access?, nat statement, list of access...?
_____________________________
Output of the command: "show run".
: Saved
:
ASA Version 9.1 (5)
!
hostname asa01
domain name asanames of
192.168.6.2 mask - 192.168.6.100 local pool Pool VPN IP 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
switchport access vlan 5
!
interface Vlan1
nameif inside
security-level 100
IP 192.168.1.1 255.255.255.0
!
interface Vlan2
Outside description
nameif outside
security-level 0
IP address XXXX
!
interface Vlan5
nameif dmz
security-level 50
IP 192.168.100.1 address 255.255.255.0
!
boot system Disk0: / asa915 - k8.bin
passive FTP mode
clock timezone PST - 8
clock summer-time recurring PDT
DNS lookup field inside
DNS domain-lookup outside
DNS domain-lookup dmz
DNS server-group DefaultDNS
domain naisus.local
permit same-security-traffic intra-interface
network of the NETWORK_OBJ_192.168.1.0_24 object
subnet 192.168.1.0 255.255.255.0
network of the NETWORK_OBJ_192.168.6.0_25 object
subnet 192.168.6.0 255.255.255.128
object-group Protocol DM_INLINE_PROTOCOL_1
icmp protocol object
icmp6 protocol-object
outside_access_in list extended access permit icmp any any idle state
outside_access_in extended access list allow icmp6 all all idle state
outside_access_in_1 list extended access allow DM_INLINE_PROTOCOL_1 of object-group a
list of access allowed standard LAN 192.168.1.0 255.255.255.0
pager lines 24
Enable logging
asdm of logging of information
host of logging inside 192.168.1.99
forest-hostdown operating permits
Within 1500 MTU
Outside 1500 MTU
MTU 1500 dmz
no failover
ICMP unreachable rate-limit 1 burst-size 1
ASDM image disk0: / asdm - 741.bin
don't allow no asdm history
ARP timeout 14400
no permit-nonconnected arp
NAT (inside, outside) static source NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.1.0_24 NETWORK_OBJ_192.168.6.0_25 NETWORK_OBJ_192.168.6.0_25 non-proxy-arp-search of route static destination
!
NAT source auto after (indoor, outdoor) dynamic one interface
Access-group outside_access_in_1 in interface outside
Route outside 0.0.0.0 0.0.0.0 X > X > X >
Timeout xlate 03:00
Pat-xlate timeout 0:00:30
Timeout conn 01:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
Sunrpc timeout 0:10:00 h323 0:05:00 h225 mgcp from 01:00 0:05:00 mgcp-pat 0:05:00
Sip timeout 0:30:00 sip_media 0:02:00 prompt Protocol sip-0: 03:00 sip - disconnect 0:02:00
Timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
Floating conn timeout 0:00:00
dynamic-access-policy-registration DfltAccessPolicy
identity of the user by default-domain LOCAL
Enable http server
http 192.168.1.0 255.255.255.0 inside
No snmp server location
No snmp Server contact
Crypto ipsec ikev2 ipsec-proposal OF
encryption protocol esp
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 proposal ipsec 3DES
Esp 3des encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES
Esp aes encryption protocol
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 ipsec-proposal AES192
Protocol esp encryption aes-192
Esp integrity sha - 1, md5 Protocol
Crypto ipsec ikev2 AES256 ipsec-proposal
Protocol esp encryption aes-256
Esp integrity sha - 1, md5 Protocol
Crypto ipsec pmtu aging infinite - the security association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 define ikev2 AES256 AES192 AES 3DES ipsec-proposal OF
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
Crypto ca trustpoint ASDM_Launcher_Access_TrustPoint_0
registration auto
full domain name no
name of the object CN = asa01, CN = 192.168.1.1
ASDM_LAUNCHER key pair
Configure CRL
trustpool crypto ca policy
string encryption ca ASDM_Launcher_Access_TrustPoint_0 certificates
certificate 8b541b55
308201c 3 c 3082012 a0030201 0202048b 0d06092a 864886f7 0d 010105 541b 5530
XXXX
quit smoking
IKEv2 crypto policy 1
aes-256 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 10
aes-192 encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 20
aes encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 30
3des encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
IKEv2 crypto policy 40
the Encryption
integrity sha
Group 2 of 5
FRP sha
second life 86400
Crypto ikev2 access remote trustpoint ASDM_Launcher_Access_TrustPoint_0
Telnet 192.168.1.0 255.255.255.0 inside
Telnet timeout 5
SSH stricthostkeycheck
SSH 192.168.1.0 255.255.255.0 inside
SSH timeout 5
SSH group dh-Group1-sha1 key exchange
Console timeout 0dhcpd outside auto_config
!
dhcpd address 192.168.1.100 - 192.168.1.199 inside
dhcpd dns 8.8.8.8 75.75.75.75 interface inside
dhcpd naisus.home area inside interface
dhcpd allow inside
!
Statistics-list of access threat detection
no statistical threat detection tcp-interception
NTP server 50.116.56.17 source outdoors
NTP server 108.61.73.243 source outdoors
NTP server 208.75.89.4 prefer external source
SSL-trust outside ASDM_Launcher_Access_TrustPoint_0 point
Trust ASDM_Launcher_Access_TrustPoint_0 inside the vpnlb-ip SSL-point
SSL-trust ASDM_Launcher_Access_TrustPoint_0 inside point
WebVPN
allow outside
AnyConnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1 regex 'Windows NT'
AnyConnect image disk0:/anyconnect-macosx-i386-3.1.07021-k9.pkg 2 regex "Intel Mac OS X.
AnyConnect image disk0:/anyconnect-linux-64-3.1.07021-k9.pkg 3 regex "Linux".
AnyConnect enable
tunnel-group-list activate
attributes of Group Policy DfltGrpPolicy
VPN - connections 30
VPN-idle-timeout 5
internal GroupPolicy_AC_Profile group strategy
attributes of Group Policy GroupPolicy_AC_Profile
WINS server no
4.2.2.2 DNS server value
client ssl-VPN-tunnel-Protocol
Split-tunnel-policy tunnelspecified
Split-tunnel-network-list value LAN
naisus.local value by default-field
XX XX encrypted privilege 15 password username
name of user XX attributes
WebVPN
chip-tunnel tunnel-policy tunnelall
type tunnel-group AC_Profile remote access
attributes global-tunnel-group AC_Profile
address pool VPN-pool
Group Policy - by default-GroupPolicy_AC_Profile
tunnel-group AC_Profile webvpn-attributes
enable AC_Profile group-alias
!
class-map inspection_default
match default-inspection-traffic
!
!
type of policy-card inspect dns preset_dns_map
parameters
maximum message length automatic of customer
message-length maximum 512
Policy-map global_policy
class inspection_default
inspect the preset_dns_map dns
inspect the ftp
inspect h323 h225
inspect the h323 ras
inspect the rsh
inspect the rtsp
inspect esmtp
inspect sqlnet
inspect the skinny
inspect sunrpc
inspect xdmcp
inspect the sip
inspect the netbios
inspect the tftp
Review the ip options
!
global service-policy global_policy
context of prompt hostname
no remote anonymous reporting call
Cryptochecksum:xxx
: endI'm not positive that's causing the problem, but I noticed that you have defined incoherent poolside VPN as a 24 (in the command name and that name is associated with the tunnel group) and 25 (in the command object on the network that is also referenced in the statement of NAT exempting NAT to that object). True your pool assigns addresses from the lower half of the 24, but still...
I try to simplify things by using a single object for something like that, which is used in several places. With the help of objects the way they are intended, and which allows to avoid any discrepancies.
-
Hello
I'm having a problem on the VPN routing.
The VPN client is connected correctly to ASA5510, but cannot access inside ASA and the Internet or another network. What I want to achieve is.
[email protected] / * / -> ASA5520 (public IP)-> Inside (172.16.1.0)
The VPN address pool uses 172.168.10.0 (I also tried 172.16.1.100 - 120 with the same network from the inside).
interface GigabitEthernet0/0
nameif outside
security-level 0
IP address a.a.a.a 255.255.255.0
!
interface GigabitEthernet0/1
nameif inside
security-level 100
IP 172.16.1.1 255.255.255.0
IP local pool vpnpool 192.168.10.1 - 192.168.10.254 mask 255.255.255.0
access extensive list ip 172.16.1.0 inside_nat0_outbound allow 255.255.255.0 192.168.10.0 255.255.255.0
NAT (inside) 0-list of access inside_nat0_outbound
NAT (inside) 1 0.0.0.0 0.0.0.0
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
Crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
Crypto ipsec transform-set ESP-DES-SHA esp - esp-sha-hmac
Crypto ipsec transform-set ESP-DES-MD5 esp - esp-md5-hmac
Crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
Crypto ipsec transform-set ESP-3DES-MD5-esp-3des esp-md5-hmac
Crypto ipsec transform-set ESP-AES-256-SHA 256 - aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-SHA aes - esp esp-sha-hmac
Crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
Crypto ipsec transform-set ESP-AES-128-MD5-esp - aes esp-md5-hmac
life crypto ipsec security association seconds 28800
Crypto ipsec kilobytes of life - safety 4608000 association
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 pfs Group1 set
Crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 value transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA MD5-ESP-3DES ESP-DES-SHA ESP-DES-MD5
outside_map card crypto 65535-isakmp dynamic ipsec SYSTEM_DEFAULT_CRYPTO_MAP
outside_map interface card crypto outside
crypto ISAKMP allow outside
crypto ISAKMP policy 10
preshared authentication
3des encryption
sha hash
Group 2
life 86400
internal VPNstaff group strategy
attributes of Group Policy VPNstaff
4.2.2.2 DNS server value
Protocol-tunnel-VPN IPSec
type tunnel-group VPNstaff remote access
attributes global-tunnel-group VPNstaff
address vpnpool pool
Group Policy - by default-VPNstaff
IPSec-attributes tunnel-group VPNstaff
pre-shared-key *.
Hello
A quick test, try this.
-Turn on nat - t (if its disable)
Command: crypto isakmp nat-traversal 20
see if it helps.
If not,
-Run a continuous ping from the client to the ASA inside the interface, make sure that you run the command 'management-access to inside' before you start with the ping.
-Time our RESPONSE ICMP or inside the interface... ?
If time-out, then
-Check the number of decrypts using the command "show crypto ipsec his"
If ICMP response to inside interface is received by the VPN client.
-Ping to an internal host behind the ASA.
-"Show crypto ipsec his"
IF you have received responses if first test then here you should see decrypts number increases.
-Apply the catches on the inside of the interface
You can consult the document below
http://www.Cisco.com/en/us/products/ps6120/products_tech_note09186a0080a9edd6.shtml
-If you see the package source as VPN client interface to reach the inside interface for the destination of the host behind the ASA, then its a problem with your routing internal.
In case you have an L3 device connected to the ASA inside the interface, make sure that you have a route for GW subnet 192.168.1.x as ASA inside the interface i.e. 172.16.1.1 score
If his L2 or a dumb device, then as a quic test, make the following statement of the road using the command-line in windows on the host computer behind the asa participant in this test.
route add 192.168.1.0 mask 255.255.255.0 172.16.1.1
Please let me know if it helps.
Concerning
M
Maybe you are looking for
-
Cropping multiple pictures on different pages at the same time
Can I culture several images on different pages at the same time. In my french version of software Photos 1.5, this option is called "the photo to the frame adapter". I'm able to select this image of an option at a time, but could not find a way to m
-
So for what I need to do the FPGA is send fixed point numbers ± 20, 5 to a chassis of 9146 OR ethernet with an analog voltage NI 9264 as modual output 2, he sends - 10-10 m Volts out in a thread. I create an FPGA VI and have problems, so I said dele
-
Hello I want to migrate my application LabView 8.6 3D-heavy for Windows7 64 bit. MathScript does not appear in the version of 64-bit LabView. Do you think the best way to proceed is to register my only required 2 MathScript functions as the dll creat
-
Laptop freezes when I watch videos or play music.
Original title: salvation My Dungeon laptop freeze a few minutes or two, whenever I watch videos or play music, it occurs usually when I watch videos on youtube, please help me, what can I do? I can't watch movies because this problem!
-
I installed the LIP in hindi. Now, I want to go back to English. How can I change it?
Recently, I changed my language in hindi using language pack (LIP). Now, I want to change my screen English back. How can I do?