Cisco IPsec VPN client to Cisco IOS router
Hello
I need to implement an IPsec VPN for 10-15 users. They all use the Cisco VPN Client 5.x and we have a Cisco IOS router at the office. We already have a working setup for these users. However, it has become a necessity that only known devices (company laptops) are allowed to establish a VPN.
I think that the only way to achieve this is to use certificates. But we don't want to buy certificates if there is a free way to implement this. So my questions are:
(1) What options do I have to configure the IPsec VPN so that only known devices can successfully set up a VPN and all unknown devices are blocked?
(2) If certificates are the only way, can I somehow produce these certificates myself using the Cisco IOS router?
(3) Does anyone have an example of a similar installation/configuration?
Thanks in advance.
Kind regards
M.
Unfortunately, if you connect to the IOS router, there is no other way except using certificates. If you connect to a Cisco ASA firewall, then you can identify the company laptop using DAP (Dynamic Access Policy).
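As an added example for questions (1) and (2), not configuration from this thread: the IOS router can run its own CA (the IOS certificate server), issue a certificate to each company laptop over SCEP, and then accept only certificates from that CA in the ISAKMP profile. CORP-CA, RA-CERT, CORP-LAPTOPS, OU=corp-laptops, the 198.51.100.1 outside address, GigabitEthernet0/0, the AAA list names, RA-POOL and Virtual-Template1 are all assumed names.

```cisco
! Added example, not from the thread. Assumed names: CORP-CA, RA-CERT,
! CORP-LAPTOPS, OU=corp-laptops, 198.51.100.1 (router's outside address),
! GigabitEthernet0/0, VPN-XAUTH / VPN-GROUP AAA lists, RA-POOL, Virtual-Template1.
!
! 1. IOS certificate server. The trustpoint holding the CA key must carry
!    the same name as the server. Requests are not auto-granted, so only a
!    laptop whose request an admin approves ever receives a certificate.
crypto key generate rsa general-keys label CORP-CA modulus 2048
crypto pki trustpoint CORP-CA
 rsakeypair CORP-CA
!
ip http server
crypto pki server CORP-CA
 issuer-name CN=corp-ca.example.local,O=Example
 database level complete
 database url flash:
 lifetime ca-certificate 1825
 lifetime certificate 365
 lifetime crl 24
 no grant auto
 no shutdown
!
! 2. The router's own identity certificate, enrolled over SCEP against the
!    CA above (same box, so the enrollment URL is its own address).
crypto pki trustpoint RA-CERT
 enrollment url http://198.51.100.1:80
 subject-name CN=vpn-gw.example.local,O=Example
 revocation-check crl
 rsakeypair RA-CERT 2048
crypto pki authenticate RA-CERT
crypto pki enroll RA-CERT
!
! 3. Accept only certificates from this issuer whose subject carries the
!    company OU. Laptops enroll with OU=corp-laptops; the Cisco VPN Client
!    presents that OU as its group name, so the group below matches it.
crypto pki certificate map CORP-LAPTOPS 10
 issuer-name co corp-ca.example.local
 subject-name co ou = corp-laptops
!
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
ip local pool RA-POOL 10.200.0.10 10.200.0.50
crypto isakmp client configuration group corp-laptops
 pool RA-POOL
 netmask 255.255.255.0
!
crypto isakmp profile RA-CERT
 ca trust-point RA-CERT
 match certificate CORP-LAPTOPS
 client authentication list VPN-XAUTH
 isakmp authorization list VPN-GROUP
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set RA-TS esp-aes 256 esp-sha-hmac
crypto ipsec profile RA-IPSEC
 set transform-set RA-TS
 set isakmp-profile RA-CERT
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile RA-IPSEC
!
! 4. Per-laptop lifecycle, from exec mode on the CA:
!    crypto pki server CORP-CA info requests     list pending enrollments
!    crypto pki server CORP-CA grant <req-id>    approve one known laptop
!    crypto pki server CORP-CA revoke <serial>   lost laptop: CRL is updated
!                                                and revocation-check crl rejects it
```

Each laptop enrolls from the Cisco VPN Client's certificate manager against http://198.51.100.1 over SCEP; until an admin grants that request the laptop holds no certificate and cannot complete IKE, and a revoked certificate is rejected at the next CRL refresh.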
Tags: Cisco Security
Similar Questions
-
Cisco IOS router 837 - configure DDNS / dynamic DNS
I have an Internet link connected to my Cisco router. The package I subscribed to comes with a dynamic IP address. I was told that if I need remote access to the Cisco router, I need to enable the DDNS function. Is this possible on a Cisco router? I have been informed that this feature is not supported. Please help me.
Hi Bro
Yes, Cisco ASA and Cisco IOS routers support DDNS. Just make sure you have the right version of IOS, which you can check at this Cisco URL: http://www.cisco.com/en/US/docs/ios/12_3/12_3y/12_3ya8/gt_ddns.html#wp1202953.
Please refer to the config below made with dyndns.org.
!
hostname INT-RTR1
!
ip domain name dyndns.org
ip name-server 8.8.8.8
!
ip ddns update method DynDNS
 HTTP
  add http://ramraj:cisco123@members.dyndns.org/nic/update?system=dyndns&hostname=<h>&myip=<a>
 interval maximum 30 0 0 0
 interval minimum 30 0 0 0
!
interface Dialer1
 ip ddns update hostname INT-RTR1.dyndns.org
 ip ddns update DynDNS
!
Note: hostname = INT-RTR1.dyndns.org is the host added/registered on the dyndns.org site.
Note: Press Ctrl+V and then type the ? symbol when adding the http://... line above in the CLI.
Note: ramraj:cisco123 is simply an example of a login on dyndns.org.
You can also refer to this URL for more details http://www.petri.co.il/csc_configuring_dynamic_dns_in_cisco_ios.htm
P.S. If you feel this comment is useful, please rate it well :-)
-
PPTP VPN through Cisco IOS router
Hi all
I was wondering if there is a trick to get PPTP to work through a Cisco router. It did work at some point, but I don't remember what has been changed over time... However, it no longer works.
Current configuration includes:
* CBAC applied inbound and outbound on the Internet interface (I needed to add inbound to fix a problem with passive-mode FTP not working on an FTP server hosted behind this router)
* CBAC inspects, among other things, PPTP
* ACL applied inbound on the Internet interface, GRE and TCP 1723 permitted from any IP
* No other ACL on the router
* IOS 15.0 (1)
* Inbound NAT configuration for TCP 1723 (currently using the WAN IP address)
One thing I saw while troubleshooting was "IKE Dispatcher: IKEv2 version detected 2, Dropping packet!" - but I think that is a misleading log entry (the router also carries the Cisco VPN configuration from the example).
The server is definitely okay - we are able to connect over the PPTP VPN from the local network to the server. So I think it's some sort of NAT problem, because I don't see anything dropped by the firewall.
Anyone able to point me in the right direction?
Thank you
Hello
Thanks for posting the "sh run". Could you change the following:
ip nat inside source static tcp 10.77.99.11 1723 ccc.ccc.ccc.ccc 1723 route-map sheep extendable
to this:
ip nat inside source static tcp 10.77.99.11 1723 ccc.ccc.ccc.ccc 1723 extendable
It would be prudent to make this change (removing the route-map) when no one is connected to the server via the PPTP VPN.
Let me know.
Kind regards
ANU
P.S. Please mark this question as answered if it was resolved. Note the useful messages. Thank you!
-
Remote access VPN for IOS router
Hi all
I'm trying to implement remote access with split tunneling on a Cisco 2801. I can connect to the VPN profile and access the internet, but I am unable to ping/reach the devices (10.10.10.X) inside. VPN users receive correct address assignments in the 172.15.10.X range. I can see that my remote PC is sending packets to the devices but receives nothing in return. Here's what my config looks like... any ideas on things to look at would be great!
Thank you
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key cisco123 address x.x.x.x
crypto isakmp key cisco123 address x.x.x.x
!
crypto isakmp client configuration group VPN_Client
 key *
 dns 64.89.70.2 64.89.74.2
 pool SDM_POOL_1
 acl 120
 max-users 25
 netmask 255.255.255.0
!
!
crypto isakmp profile sdm-ike-profile-1
 match identity group VPN_Client
 client authentication list sdm_vpn_xauth_ml_1
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
 virtual-template 1
crypto isakmp profile SiteA
 keyring myring
 match identity address 1.1.1.1 255.255.255.255
 local-address FastEthernet0/0
crypto isakmp profile Site2
 keyring Atlanta
 match identity address 2.2.2.2 255.255.255.255
 local-address FastEthernet0/0
!
!
crypto ipsec transform-set AES192 esp-aes 192 esp-sha-hmac
crypto ipsec transform-set SDM_TRANSFORMSET_1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA1
 set isakmp-profile sdm-ike-profile-1
!
!
crypto dynamic-map RA 10
 set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
 reverse-route
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 3.3.3.3
 set peer 3.3.3.3
 set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
 set pfs group2
 set isakmp-profile SiteA
 match address 105
crypto map SDM_CMAP_1 2 ipsec-isakmp
 description Tunnel to 4.4.4.4
 set peer 4.4.4.4
 set transform-set AES192 ESP-3DES-SHA1 ESP-3DES-SHA SDM_TRANSFORMSET_1 3DES-MD5
 set pfs group2
 set isakmp-profile SiteB
 match address 106
crypto map SDM_CMAP_1 10 ipsec-isakmp dynamic RA
!
interface FastEthernet0/0
 description *Outside ETH-LAN*
 ip address 174.1.1.2 255.255.255.224
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description *Inside ETH-LAN*
 ip address 10.10.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Serial0/1/0
 no ip address
 shutdown
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 172.15.10.1 172.15.10.50
ip forward-protocol nd
!
ip flow-top-talkers
 top 10
 sort-by bytes
!
ip http server
ip http secure-server
ip nat inside source list 110 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 174.1.1.1
!
access-list 105 permit ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 105 permit ip 172.15.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 106 permit ip 10.10.10.0 0.0.0.255 192.168.42.0 0.0.0.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 172.15.10.0 0.0.0.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 172.20.0.0 0.0.255.255
access-list 110 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 110 permit ip 172.15.10.0 0.0.0.255 any
access-list 110 permit ip 10.10.10.0 0.0.0.255 any
access-list 111 permit ip 10.10.10.0 0.0.0.255 any
access-list 120 permit ip 10.10.10.0 0.0.0.255 172.15.10.0 0.0.0.255
access-list 120 permit ip 172.20.0.0 0.0.255.255 172.15.10.0 0.0.0.255
access-list 130 remark SDM_ACL Category=17
access-list 130 permit udp host 4.2.2.2 eq domain any
access-list 130 permit esp host 65.79.168.6 host 174.141.59.195
access-list 130 permit ip host 65.79.168.6 host 174.141.59.195
access-list 130 permit ip any any
Are the VPN clients connecting to the F0/0 interface (where the crypto map is applied) or to the virtual-template interface?
What happens if you do the following:
crypto isakmp profile sdm-ike-profile-1
 no virtual-template 1
and then disconnect/reconnect?
Federico.
-
ASA IPSEC VPN BEHIND A ROUTER WITH AN INVALID IP ADDRESS
Hi guys,
I have a question.
I need to build an IPsec VPN using the ASA 5500 firewall, but I only have an invalid IP address 192.168.x.y on my external interface. This interface is connected to the ISP's Ethernet router, which provides a single valid default address 200.140.x.y routed through the outside interface of the ASA 5500.
How can I publish this valid address 200.140.x.y for access by my VPN users?
The topology is attached.
Please help me...
Thank you very much
Anderson
Hello
First of all, it's not Miss... It is Mr.
For your question: in this configuration, your ISP is translating the public IP address to your ASA's private IP. So I don't see any problem there.
One thing I noticed is that your firewall's default gateway is .1, whereas the inside interface of the ISP router is .4. To check connectivity, try the following on the firewall:
ssh 0.0.0.0 0.0.0.0 outside
crypto key generate rsa modulus 1024
Once the above commands are entered, try to SSH to the public IP address. If you are able to connect to the ASA using the public IP address, that means the public IP address is translated directly to the ASA and you shouldn't have a problem using this IP address for the VPN.
I hope this helps.
Kind regards
NT
-
Hello
I want to know whether I can use the Cisco IOS SSL VPN with the AnyConnect mobile client. If yes, what are the prerequisites, and is any kind of additional license required?
Thank you
From the following article:
http://www.Cisco.com/c/en/us/support/docs/security/AnyConnect-VPN-client...
Q. Is it possible to connect the iPad, iPod or iPhone AnyConnect VPN Client to a Cisco IOS router?
A. No, it is not possible to connect the iPad, iPod or iPhone AnyConnect VPN Client to a Cisco IOS router. AnyConnect on iPad/iPhone can connect only to an ASA that is running version 3,0000.1 or a later version. Cisco IOS is not supported by the AnyConnect VPN Client for Apple iOS. For more information, refer to the Security Appliances and Software Support section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.
--
Please do not forget to rate and choose a good answer
-
Hello
I'll get an ASA 5520 and put it in our main office as a VPN router. Also, we have 20 to 25 remote users who need VPN access to HQ. Some of them already have a SonicWall TZ-100 and some are already using the VPN client. I will get a Cisco router for the remote users. Could you please let me know which Cisco device (hardware) is better for end users? Also, most of them have a dynamic IP on their DSL lines. Is it OK for Cisco to establish a tunnel with a device that has a dynamic IP address?
Thank you
Mike
Hello
To find out which platform would be ideal, please check this:
http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html
Usually for small offices a 5505 works very well, but it depends on your needs.
On the other hand, it does not matter if the remote end has a dynamic IP address; please check this:
Thank you.
Portu.
Please rate any post that is useful.
-
Create safer self-signed certificates on IOS router?
I use a 1921 router and partially use it as an AnyConnect (WebVPN) server for remote access into the site. The certificate I used was a self-signed certificate & trustpoint generated on the router. I am running the latest IOS available in the train to ensure that it has all the latest features.
Doing a quick SSL check against it with Qualys, it seems to have a lot of weaknesses and known vulnerabilities:
* Poodle TLS
* TLS 1.0 only
* SHA1
* Diffie-Hellman 1024 bits
* Some older encryption algorithms which seem to be available (though I never specified them), such as TLS RC4_128_MD5
The encryption mechanism and the commands to create the cert don't give me much choice in the matter.
Is there a new or better way to create a more secure certificate chain on an IOS router? I couldn't find instructions anywhere.
Robert
Take a look at my Suite-B VPN guide. It creates more secure certificates. Note my comment about the minimum software version to use.
https://www.IFM.NET.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-crypto.html
-
Hello.
Could you please tell me how to create a second IPsec VPN on my router if a crypto map is already set on the interface and there is no other interface? This interface is also the NHRP/DMVPN interface. The router is a hub.
Hey, Nikolay.
For a new DMVPN cloud you don't have to set up a crypto map on the interface. You can create a new tunnel interface and bind a different IPsec profile to it.
If you want to add an IPsec L2L connection or a new EasyVPN you can look at this example:
crypto ipsec transform-set trset1 esp-3des esp-md5-hmac
 mode transport
exit
crypto ipsec transform-set trset2 esp-aes esp-sha-hmac
crypto map CRNAME 1 ipsec-isakmp
 description -VPN-1
 set peer IP_1
 set transform-set trset1
 match address ACL_1
exit
crypto map CRNAME 2 ipsec-isakmp
 description -VPN-2
 set peer IP_1
 set transform-set trset2
 match address ACL_2
exit
interface FastEthernet0/0
 description -outside-
 crypto map CRNAME
exit
For an EasyVPN (or any other dynamic crypto map), you can use this example:
crypto dynamic-map DYNMAP 1
 set transform-set trset1
 reverse-route
exit
crypto map CRNAME 3 ipsec-isakmp dynamic DYNMAP
And an example for DMVPN clouds 1 and 2 on the router:
crypto ipsec transform-set trset_1 esp-3des esp-sha-hmac
 mode tunnel
exit
crypto ipsec transform-set trset_2 esp-3des esp-md5-hmac
 mode transport
exit
crypto ipsec profile Dmvpn-Profile1
 set transform-set trset_1
exit
crypto ipsec profile dmvpn-Profil2
 set transform-set trset_2
exit
interface Tunnel1
 ip address [network]
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile Dmvpn-Profile1
exit
interface Tunnel2
 ip address [network]
 ip nhrp map multicast dynamic
 ip nhrp network-id 2
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 2
 tunnel protection ipsec profile dmvpn-Profil2
exit
Best regards.
-
Hello
I would like to know if it is possible to make the IPsec VPN connection as a client.
ISP router (VDSL connection)
<---> Cisco 887 <----> PC, plus conditional redirection to a
VPN router (such as strongVPN)
Thank you for your help.
Best regards
Hi Bruno.
Yes, the IOS router may be a VPN client; it is called Easy VPN:
How to configure Easy VPN on Cisco IOS (server and client)
* The server must be a Cisco device such as another router or an ASA.
Keep me posted.
Thank you.
Portu.
Please rate all useful posts.
-
Router Cisco 1941 - crypto isakmp policy command missing - IPSEC VPN
Hi all
I was looking around and I can't find the command 'crypto isakmp policy' on this Cisco 1941 router. I just wanted a regular LAN-to-LAN IPsec tunnel setup, but the command isn't there. Do I have the wrong IOS? I thought that a K9 image would do the trick.
Any suggestions are appreciated
This is what I get:
Router(config)#crypto ?
  ca   Certification Authority
  key  Long term key operations
  pki  Public Key components

Router#sh ver
Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.0(1)M2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Thu 10-Mar-10 22:27 by prod_rel_team

ROM: System Bootstrap, Version 15.0(1r)M6, RELEASE SOFTWARE (fc1)

Router uptime is 52 minutes
System returned to ROM by reload at 02:43:40 UTC Thu Apr 21 2011
System image file is "flash0:c1900-universalk9-mz.SPA.150-1.M2.bin"
Last reload type: Normal Reload
Last reload reason: Reload Command

This product contains cryptographic features...

Cisco CISCO1941/K9 (revision 1.0) with 487424K/36864K bytes of memory.
Processor board ID FTX142281F4
2 Gigabit Ethernet interfaces
2 Serial(sync/async) interfaces
DRAM configuration is 64 bits wide with parity disabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)

License Info:
License UDI:
-------------------------------------------------
Device#   PID                   SN
-------------------------------------------------
*0        CISCO1941/K9          FTX142281F4

Technology Package License Information for Module:'c1900'
----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          None          None           None

Configuration register is 0x2102
You need to get the security feature license to configure IPsec VPN.
Currently, you have 'None' for the security feature:
----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
ipbase        ipbasek9      Permanent      ipbasek9
security      None          None           None
data          None          None           None
Here is the information about the licenses on the 1900 series routers:
-
IPsec site-to-site VPN problem between Cisco router and ASA. Help, please
Hello community,
I'm stuck configuring a site-to-site VPN between an ASA (OS 9.1) and a Cisco IOS router (IOS 15.2(4)M4).
Attached are the router configuration and the ASA configuration. I also include the router debug output.
It seems that the two parties have an ISAKMP configuration mismatch, but I have already disabled the keepalive parameters. I also turned off the PFS setting on both sides. But it does not work. I have no idea about this problem.
Please help me. Any help appreciated.
Thank you
I didn't look any further, but this may be a reason:
crypto map mymap 1 ipsec-isakmp dynamic dyn1
The dynamic crypto map must always be the last sequence in a crypto map:
no crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap 65000 ipsec-isakmp dynamic dyn1
Try this first, then we can look further.
-
IPsec VPN client and NAT on Cisco router = FAIL
I have a Cisco 3825 router that I have set up for the Cisco IPsec VPN client. The same router does NAT.
The IPsec client logs in, but cannot reach the internal network unless NAT is disabled on the inside interface. But I need both at the same time.
Suggestions?
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group myclient
 key password!
 dns 1.1.1.1
 domain name
 pool myVPN
 acl 111
!
!
crypto ipsec transform-set RIGHT esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set RIGHT
 reverse-route
!
!
crypto map clientmap client authentication list VPN-AAA
crypto map clientmap isakmp authorization list VPN-AAA
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Loopback0
 ip address 10.88.0.1 255.255.255.0
!
interface GigabitEthernet0/0
 description external interface
 ip address 192.168.168.5 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 media-type rj45
 crypto map clientmap
!
interface GigabitEthernet0/1
 description inside interface
 ip address 10.0.1.10 255.255.255.0
 ip nat inside    <== IPsec client connects, but cannot reach the interior network unless this is removed
 ip virtual-reassembly
 ip route-cache same-interface
 duplex auto
 speed auto
 media-type rj45
!
ip local pool myVPN 10.88.0.2 10.88.0.10
ip route 0.0.0.0 0.0.0.0 192.168.168.1
ip route 10.0.0.0 255.255.0.0 10.0.1.4
!
ip nat inside source list 1 interface GigabitEthernet0/0 overload
!
access-list 1 permit 10.0.0.0 0.0.255.255
access-list 111 permit ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 111 permit ip 10.88.0.0 0.0.0.255 10.0.0.0 0.0.255.255
Hello
I think that you need to configure the default PAT ACL so that it has 'deny' statements first for the traffic that is NOT supposed to be translated between the local network and the VPN pool.
For example, to do this kind of configuration of ACL and NAT:
access-list 100 remark NAT0 VPN client
access-list 100 deny ip 10.0.1.0 0.0.0.255 10.88.0.0 0.0.0.255
access-list 100 remark Default PAT for Internet traffic
access-list 100 permit ip 10.0.1.0 0.0.0.255 any
ip nat inside source list 100 interface GigabitEthernet0/0 overload
EDIT: It actually seems you could have more 10.x networks behind the router. Then you could modify the ACL to this:
access-list 100 remark NAT0 VPN client
access-list 100 deny ip 10.0.0.0 0.0.255.255 10.88.0.0 0.0.0.255
access-list 100 remark Default PAT for Internet traffic
access-list 100 permit ip 10.0.0.0 0.0.255.255 any
Don't forget to mark correct answers/replies and/or rate useful answers.
-Jouni
-
Cisco router configuration for IPsec VPN with the Windows 7 built-in VPN client
Where can I find an example config for an IPsec VPN where the Windows 7 native client connects to a Cisco router? I use the Cisco 881W in this case.
Thomas McLeod
The Windows native client supports only L2TP over IPsec. The example at the end of this doc may be enough for you:
I've not personally configured L2TP/IPsec on IOS, only on ASA, so I cannot be 100% sure that the config in the link works, but the general idea should be OK.
-
Problem with IPsec VPN between ASA and Cisco router - ping gets no response
Hello
I don't know why the IPsec VPN does not work. This is my setup (IPsec VPN between ASA and R2):
My network topology:
LAN 1 connects to ASA-1 (inside LAN)
PC - 10.0.1.3 255.255.255.0 10.0.1.1
ASA - GigabitEthernet 1: 10.0.1.1 255.255.255.0
-----------------------------------------------------------------
ASA-1 connects (outside LAN) to R1
ASA - GigabitEthernet 0: 172.30.1.2 255.255.255.252
R1 - FastEthernet 0/0: 172.30.1.1 255.255.255.252
---------------------------------------------------------------------
R1 connects to R2
R1 - FastEthernet 0/1: 172.30.2.1 255.255.255.252
R2 - FastEthernet 0/1: 172.30.2.2 255.255.255.252
--------------------------------------------------------------------
R2 connects to LAN 2
R2 - FastEthernet 0/0: 10.0.2.1 255.255.255.0
PC - 10.0.2.3 255.255.255.0 10.0.2.1
ASA configuration:
interface GigabitEthernet 1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
 no shutdown
interface GigabitEthernet 0
 nameif outside
 security-level 0
 ip address 172.30.1.2 255.255.255.252
 no shutdown
route outside 0.0.0.0 0.0.0.0 172.30.1.1
------------------------------------------------------------
access-list LAN1-to-LAN2 extended permit ip 10.0.1.0 255.255.255.0 10.0.2.0 255.255.255.0
object network obj-local
 subnet 10.0.1.0 255.255.255.0
object network obj-remote
 subnet 10.0.2.0 255.255.255.0
nat (inside,outside) 1 source static obj-local obj-local destination static obj-remote obj-remote no-proxy-arp
------------------------------------------------------------
crypto ikev1 policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 3600
crypto ikev1 enable outside
crypto isakmp identity address
------------------------------------------------------------
tunnel-group 172.30.2.2 type ipsec-l2l
tunnel-group 172.30.2.2 ipsec-attributes
 ikev1 pre-shared-key cisco123
crypto ipsec ikev1 transform-set ASA1TS esp-aes-192 esp-sha-hmac
-------------------------------------------------------------
crypto map ASA1VPN 10 match address LAN1-to-LAN2
crypto map ASA1VPN 10 set peer 172.30.2.2
crypto map ASA1VPN 10 set ikev1 transform-set ASA1TS
crypto map ASA1VPN 10 set security-association lifetime seconds 3600
crypto map ASA1VPN interface outside
R2 configuration:
interface FastEthernet 0/0
 ip address 10.0.2.1 255.255.255.0
 no shutdown
interface FastEthernet 0/1
 ip address 172.30.2.2 255.255.255.252
 no shutdown
-----------------------------------------------------
router rip
 version 2
 network 10.0.2.0
 network 172.30.2.0
------------------------------------------------------
access-list 102 permit ahp host 172.30.1.2 host 172.30.2.2
access-list 102 permit esp host 172.30.1.2 host 172.30.2.2
access-list 102 permit udp host 172.30.1.2 host 172.30.2.2 eq isakmp
interface FastEthernet 0/1
 ip access-group 102 in
------------------------------------------------------
crypto isakmp policy 110
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 42300
------------------------------------------------------
crypto isakmp key cisco123 address 172.30.1.2
-----------------------------------------------------
crypto ipsec transform-set R2TS esp-aes 128
------------------------------------------------------
access-list 101 permit tcp 10.0.2.0 0.0.0.255 10.0.1.0 0.0.0.255
------------------------------------------------------
crypto map R2VPN 10 ipsec-isakmp
 match address 101
 set peer 172.30.1.2
 set pfs group1
 set transform-set R2TS
 set security-association lifetime seconds 86400
interface FastEthernet 0/1
 crypto map R2VPN
I don't know what the problem is.
Thank you
If RIP is not absolutely necessary for you, try adding a default route on R2:
ip route 0.0.0.0 0.0.0.0 172.16.2.1
If you really want to use RIP, add a permit to ACL 102:
access-list 102 permit udp any any eq 520