How to put all through traffic the easy vpn client VPN server

Hi people

I want to ask you, how to put all of the server the easy vpn client VPN traffic through.

I mean, I have a server vpn at home, and if I connect to the vpn from outside server, to be with an IP address of my home.

There is the configuration up to now. Where is the problem?

ROUTER1 #sh running-config

Building configuration...

Current configuration: 5744 bytes

!

! Last configuration change at 19:51:18 UTC Wed Sep 4 2013 by cska

!

version 15.1

horodateurs service debug datetime msec

Log service timestamps datetime msec

no password encryption service

!

ROUTER1 hostname

!

boot-start-marker

usbflash0:CVO boot-BOOT Setup. CFG

boot-end-marker

!

!

!

AAA new-model

!

!

AAA authentication login ciscocp_vpn_xauth_ml_1 local

AAA authorization ciscocp_vpn_group_ml_1 LAN

!

!

!

!

!

AAA - the id of the joint session

!

Service-module wlan-ap 0 autonomous bootimage

Crypto pki token removal timeout default 0

!

Crypto pki trustpoint TP-self-signed-1604488384

enrollment selfsigned

name of the object cn = IOS - Self - signed - certificate - 1604488384

revocation checking no

!

!

TP-self-signed-1604488384 crypto pki certificate chain

certificate self-signed 01

3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 04050030 A0030201

2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30

69666963 31363034 34383833 6174652D 3834301E 170 3133 30383239 31313539

32395A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D

4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 36303434 65642D

38383338 3430819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101

8100CD 57 F1436ED2 8D9E8B99 B6A76D45 FE56716D D99765A9 1722937C F5603F9F

528E27AF 87A24C3D 276FBA1C A5E7C580 CE99748E 39458C 74 862C 2870 16E29F75

7A7930E1 15FA5644 D7ECF257 BF46C470 A3A17AEB 7AB56194 68BFB803 144B7B10

D3722BDD D1FD5E99 8068B77D A1703059 9F0578C7 F7473811 0421490D 627F25C5

4 HAS 250203 010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355

551 2304 18301680 141B 1326 C111DF7F 9F4ED888 EFE2999A 4C50CDD8 06 12301

03551D0E 04160414 1B1326C1 11DF7F9F 4ED888EF E2999A4C 50CDD812 300 D 0609

2A 864886 04050003 81810096 BD0C2B16 799DB6EE E2C9B7C4 72FEAAAE F70D0101

FF87465C FB7C5248 CFA08E68 522EA08A 4B18BF15 488D D53D9A43 CB400B54 8006

CB21BDFB AA27DA9C C79310B6 BC594A7E D6EDF81D 0DB7D2C1 9EF7251B 19A 75403

211B1E6B 840FE226 48656E9F 67DB4A93 CE75045B A986F0AD 691EE188 7FB86D3F

E43934FA 3D62EC90 8F37590B 618B0C

quit smoking

IP source-route

!

!

!

!

CISCO dhcp IP pool

import all

network 192.168.1.0 255.255.255.0

DNS-server 195.34.133.21 212.186.211.21

default router 192.168.1.1

!

!

IP cef

No ipv6 cef

!

Authenticated MultiLink bundle-name Panel

license udi pid CISCO892W-AGN-E-K9 sn FCZ1530C209

!

!

username privilege 15 secret 5 cska $1$ $8j6G 2sMHqIxJX8MQU6vpr75gp1

!

!

!

!

!

!

crypto ISAKMP policy 1

BA 3des

preshared authentication

Group 2

!

Configuration group customer isakmp crypto VPNGR

vpngroup key

DNS 212.186.211.21 195.34.133.21

WINS 8.8.8.8

domain chello.at

pool SDM_POOL_1

ACL 120

netmask 255.255.255.0

ISAKMP crypto ciscocp-ike-profile-1 profile

match of group identity VPNGR

client authentication list ciscocp_vpn_xauth_ml_1

ISAKMP authorization list ciscocp_vpn_group_ml_1

client configuration address respond

virtual-model 1

!

!

Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac

!

Profile of crypto ipsec CiscoCP_Profile1

security association idle time 86400 value

game of transformation-ESP-3DES-SHA

set of isakmp - profile ciscocp-ike-profile-1

!

!

Bridge IRB

!

!

!

!

interface Loopback0

192.168.4.1 IP address 255.255.255.0

IP nat inside

IP virtual-reassembly in

!

interface BRI0

no ip address

encapsulation hdlc

Shutdown

Multidrop ISDN endpoint

!

interface FastEthernet0

!

interface FastEthernet1

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

FastEthernet6 interface

!

interface FastEthernet7

!

interface FastEthernet8

no ip address

Shutdown

automatic duplex

automatic speed

!

type of interface virtual-Template1 tunnel

IP unnumbered Loopback0

ipv4 ipsec tunnel mode

Tunnel CiscoCP_Profile1 ipsec protection profile

!

interface GigabitEthernet0

Description Internet

0023.5a03.b6a5 Mac address

customer_id GigabitEthernet0 dhcp IP address

NAT outside IP

IP virtual-reassembly in

automatic duplex

automatic speed

!

wlan-ap0 interface

description of the Service interface module to manage the embedded AP

192.168.9.2 IP address 255.255.255.0

ARP timeout 0

!

interface GigabitEthernet0 Wlan

Description interface connecting to the AP the switch embedded internal

!

interface Vlan1

no ip address

Bridge-Group 1

Bridge-Group 1 covering-disabled people

!

interface BVI1

IP 192.168.1.1 255.255.255.0

IP nat inside

IP virtual-reassembly in

!

local IP SDM_POOL_1 192.168.4.3 pool 192.168.4.245

IP forward-Protocol ND

!

!

IP http server

local IP http authentication

IP http secure server

overload of IP nat inside source list 110 interface GigabitEthernet0

IP nat inside source static tcp 192.168.1.5 3389 interface GigabitEthernet0 3389

IP nat inside source static udp 192.168.1.5 3389 interface GigabitEthernet0 3389

IP nat inside source static tcp 192.168.1.5 21 interface GigabitEthernet0 21

IP nat inside source static udp 192.168.1.5 21 interface GigabitEthernet0 21

IP nat inside source static tcp 192.168.1.4 3389 interface GigabitEthernet0 3390

IP nat inside source static udp 192.168.1.4 3389 interface GigabitEthernet0 3390

overload of IP nat inside source list 120 interface GigabitEthernet0

IP route 0.0.0.0 0.0.0.0 dhcp

!

exploitation forest esm config

access list 101 ip allow a whole

access-list 110 permit ip 192.168.1.0 0.0.0.255 any

access list 111 permit tcp any any eq 3389

access-list 120 allow ip 192.168.4.0 0.0.0.255 any

!

!

!

!

!

!

!

control plan

!

Bridge Protocol ieee 1

1 channel ip bridge

!

Line con 0

line 2

no activation-character

No exec

preferred no transport

transport of entry all

transport output pad rlogin udptn ssh telnet

line to 0

line vty 0 4

privilege level 15

preferred transport ssh

entry ssh transport

transportation out all

!

Thanks in advance

To do this you must make the following changes:

(1) disable split Tunneling by deleting the ACL of your configuration of the client group.
(2) enable NAT for VPN traffic by adding 'ip nat inside' to your virtual model of the client network to the ACL that controls your PAT.

Edit: Theses are the changes to your config (also with a little cleaning):

Configuration group customer isakmp crypto VPNGR

No 120 LCD

!

type of interface virtual-Template1 tunnel

IP nat inside

!

no nat ip inside the source list 120 interface GigabitEthernet0 overload

!

access-list 110 permit ip 192.168.4.0 0.0.0.255 any

no access-list 120 allow ip 192.168.4.0 0.0.0.255 any

Sent by Cisco Support technique iPad App

Tags: Cisco Security

Similar Questions

  • Cannot connect to the easy VPN server

    Hi *.

    I have a stupid problem with my easy VPN server. I took the following configuration to configure the VPN: click on

    Successfully, I can ping 192.168.99.1 but when I start AnyConnect (enter this IP address as serveraddress) on my IPhone, it first says that the server certificate is not valid (I ignore because it is self-signed..) and when I press continue it says that no link could be established.

    What can be the problem?

    It is very likely that you have a configured PAT-pool and simply use the Word key "overload" when from your external interface. In this command, you reference an ACL (or an ACL in a road map) where we need to ensure that your VPN-pool in included in the traffic using a NAT.

    --
    Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
    http://www.Kiva.org/invitedBy/karsteni

  • Help with the easy VPN server with LDAP

    Hello

    I used to be able to set up our easy VPN server with local authentication.

    But now, I'm trying to use LDAP authentication to match with our policies.

    Can someone help me please to check the config and tell me what is wrong with him?

    My router is a Cisco1941/K9.

    Thank you in advance.

    Ryan

    Current configuration: 5128 bytes
    !
    ! Last configuration change at 13:25:16 UTC Tuesday, August 28, 2012, by admin
    ! NVRAM config update at 05:03:14 UTC Monday, August 27, 2012, by admin
    ! NVRAM config update at 05:03:14 UTC Monday, August 27, 2012, by admin
    version 15.2
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    router host name
    !
    boot-start-marker
    boot-end-marker
    !
    !
    !
    AAA new-model
    !
    !
    AAA group ASIA-LDAP ldap server
    Server server1.domain.net
    !
    AAA authentication login ciscocp_vpn_xauth_ml_1 local
    AAA authentication login ASIA-LDAP-AUTHENTIC ldap group ASIA-LDAP
    local VPN_Cisco AAA authorization network
    Group ldap AAA authorization network ASIA-LDAP-ASIA-LDAP group authorization
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    !
    !
    No ipv6 cef
    !
    !
    !
    !
    !
    IP domain name domaine.net
    IP cef
    !
    Authenticated MultiLink bundle-name Panel
    !
    Crypto pki token removal timeout default 0
    !
    Crypto pki trustpoint TP-self-signed-765105936
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 765105936
    revocation checking no
    rsakeypair TP-self-signed-765105936
    !
    !
    TP-self-signed-765105936 crypto pki certificate chain
    certificate self-signed 01
    30820229 30820192 A0030201 02020101 300 D 0609 2A 864886 F70D0101 05050030
    2 060355 04031325 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 30312E30
    69666963 37363531 30353933 36301E17 313230 36323630 39323033 0D 6174652D
    355A170D 2E302C06 1325494F 03550403 32303031 30313030 30303030 5A 303031
    532D 5365 6C662D53 69676E65 642D 4365 72746966 69636174 652 3736 35313035
    06092A 86 4886F70D 01010105 39333630 819F300D 00308189 02818100 0003818D
    C1B7E661 4893D83A EFE44B76 92BAA71A 6375 854 C 88 D 4533E51A 49791 551D8EF7
    F82E2432 E65B401D 27FE4896 2105B38A CB1908C1 9AE2FC19 8A9393C3 1 B 618390
    EE6CB1CC 5C8B8811 04FA198E 16F3297B 6B15F974 13EE4897 97270547 31 74270
    4590ACA6 68606596 97C5D4D5 462CACA0 CDDAC35A 17415302 CFD4E329 8E7E542D
    02030100 01A 35330 03551 D 13 51300F06 0101FF04 05300301 01FF301F 0603551D
    23041830 1680142E FF686472 569BCCF1 552B 1200 1 060355 5B660F30 D35060DB
    1D0E0416 04142EFF 9BCCF155 68647256 2B1200D3 5060DB5B 660F300D 06092 HAS 86
    01010505 00038181 00558F64 05207 D 35 AA4BD086 4579ACF6 BCF6A851 4886F70D
    1D0EA15B 75DBFA45 E01FBA5C 6F827C42 1A50DD11 8922F1E5 3384B8D8 8DD6C222
    0187E501 82C1C557 8AD3445C A4450241 75D771CF 3A6428A6 7E1FC7E5 8B418E65
    74D265DD 06251C7D 6EF39CE9 3 D FE03F795 692763 AE865885 CFF660A5 4C1FF603
    3AF09B1E 243EA5ED 7E4C30B9 3A
    quit smoking
    license udi pid CISCO1941/K9 sn xxxxxxxxxxx

    ISM HW-module 0
    !
    !
    !
    secret admin user name of privilege 15 5 $1 rVI4$ WIP5x6at0b1Vot5LbdlGN.
    ryan privilege 0 0 pass1234 password username
    !
    redundancy
    !
    !
    !
    !
    !
    !
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    Configuration group customer isakmp crypto VPN_Group1
    xxxxxxxxxxxx key
    DNS 10.127.8.20
    pool SDM_POOL_1
    ACL 100
    netmask 255.255.255.0
    ISAKMP crypto ciscocp-ike-profile-1 profile
    match of group identity VPN_Group1
    authentication of LDAP-ASIA-AUTHENTIC customer list
    whitelist ISAKMP ASIA-LDAP-authorization of THE
    client configuration address respond
    virtual-model 1
    !
    !
    Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
    !
    Profile of crypto ipsec CiscoCP_Profile1
    game of transformation-ESP-3DES-SHA
    set of isakmp - profile ciscocp-ike-profile-1
    !
    !
    !
    !
    !
    !
    !
    interface Loopback0
    IP 10.127.15.1 255.255.255.0
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    Shutdown
    !
    interface GigabitEthernet0/0
    IP xxx.xxx.xxx.xxx 255.255.255.224
    automatic duplex
    automatic speed
    !
    interface GigabitEthernet0/1
    IP 10.127.31.26 255.255.255.252
    automatic duplex
    automatic speed
    !
    type of interface virtual-Template1 tunnel
    IP unnumbered Loopback0
    ipv4 ipsec tunnel mode
    Tunnel CiscoCP_Profile1 ipsec protection profile
    !
    local IP SDM_POOL_1 10.127.20.129 pool 10.127.20.254
    IP forward-Protocol ND
    !
    IP http server
    local IP http authentication
    IP http secure server
    IP http timeout policy slowed down 60 life 86400 request 10000
    !
    IP route 0.0.0.0 0.0.0.0 GigabitEthernet0/0
    IP route 10.0.0.0 255.0.0.0 10.127.31.25
    IP route 10.127.20.128 255.255.255.128 GigabitEthernet0/0
    !
    Note access-list 100 category CCP_ACL = 4
    access-list 100 permit ip 10.0.0.0 0.255.255.255 everything
    !
    !
    !
    !
    !
    !
    !
    LDAP attribute-map ASIA-username-map
    user name of card type sAMAccountName
    !
    Server1.domain.NET LDAP server
    IPv4 10.127.8.20
    map attribute username-ASIA-map
    bind authenticates root-dn CN = xxx\, S1234567, OU = Service accounts, OR = Admin, OU = Acc
    DC = domain, DC = net password password1
    base-dn DC = domain, DC = net
    bind authentication-first
    !
    !
    control plan
    !
    !
    !
    Line con 0
    line to 0
    line 2
    no activation-character
    No exec
    preferred no transport
    transport of entry all
    output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line 67
    no activation-character
    No exec
    preferred no transport
    transport of entry all
    output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line vty 0 4
    transport telnet entry
    !
    Scheduler allocate 20000 1000
    end

    Router #.

    Ryan,

    It seems that you are facing the question where it is indicated in the section:

    Problems with the help of "authentication bind first" with user-defined attribute maps:

    * Then you are likely to see a failure in your authentication attempt. You will see the error message "Invalid credentials, result code = 49.  The newspapers will look something like the journals below: *.

    Which is the same error you see. Go ahead and replace in your attribute map and test again.

    If you remove the command "bind-first authentication' configuration above, everything will work correctly.

    https://supportforums.Cisco.com/docs/doc-17780

    Tarik Admani
    * Please note the useful messages *.

  • Problems with the easy VPN server

    I have configured my 1841 with IOS 1841-advsecurityk9 - mz.124 - 4.T.bin.

    It is a piece of config:

    AAA authentication login userauthen local

    AAA authentication login sdm_vpn_xauth_ml_1 local

    crypto ISAKMP policy 1

    BA 3des

    md5 hash

    preshared authentication

    Group 2

    life 300

    !

    ISAKMP crypto client configuration group vpnipsec

    Cisco key

    XXXXX of the DNS

    pool ippool

    !

    Crypto ipsec transform-set xxxxx

    !

    crypto dynamic-map SDM_DYNMAP_1 1

    security-association the value idle time 300

    game of transformation-ESP-3DES-MD5

    market arriere-route

    !

    card crypto SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

    map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto

    client configuration address map SDM_CMAP_1 crypto answer

    map SDM_CMAP_1 65535-isakmp dynamic SDM_DYNMAP_1 ipsec crypto

    point-to-point interface ATM0/0/0.1

    Description ConnessioneADSL

    IP address 82.185.xx.xx 255.255.255.248 secondary

    IP address 88.33.xx.xx 255.255.255.252

    NAT outside IP

    IP virtual-reassembly

    map SDM_CMAP_1 crypto

    PVC 8/35

    !

    Is the error I get via the CVPN Client

    52 10:46:41.936 01/31/06 Sev = Info/4 IKE / 0 x 63000014

    RECEIVING< isakmp="" oak="" info="" *(hash,="" notify:no_proposal_chosen)="" from="">

    And what fails.

    Any sugestion?

    Thank you

    Hello

    You can try to connect to 88.33.x.x instead of 88.185.x.x ip ip?

    We had similar problems a bit when we were trying to establish the same thing with the secondary ip address and has resolved once we changed it to the primary ip address...

    regds

  • Easy vpn server issues of Cisco 800 series.

    Hello.

    I want to deploy the easy vpn server on cisco 876 and 877 10 routers and access from a remote location (company headquarters). When I leave the firewall of the router off the vpn server works. When I turn it on it doesn't.

    Although I allow all traffic to my ip for example 80.76.61.158 I can't access the vpn server.

    I tried a place to let the firewall off and it worked fine.

    I use SDM to configure the vpn server. Any ideas what I can do with the cause of firewall I really can't leave it "open."

    Thanks in advance.

    It would be a good idea to paste the configuration of the VPN server to the firewall.

    Kind regards

    Kamal

  • Outlook express 6 - How to put all the unread messages in "BOLD"?

    How to put all the unread messages in "BOLD" with outlook express 6?

    Are you referring to messages unread, displayed in the preview pane?

    If a message is unread, it should be in bold by default.

    ========================================

    * Moved to appropriate forum. *

  • How to put Windows 7 on the new hard drive without boot cd? How will I know if 32 or 64 bits? This computer yourself running windows 10?

    * Original title: windows 7 download

    I have a laptop dell M4400 with windows 7 pro OA. HARD drive crashed and I replaced with a new one. How to put Windows 7 on the new hard drive without boot cd? How will I know if 32 or 64 bits? This computer yourself running windows 10?

    It has probably comes with Windows 7 Professional 64 bit.

    You can download a copy of Windows 7 Professional using the following instructions (update of Microsoft recovery software supports downloads with the COA key):

    How to: What are my options for Windows 7 reinstall media?

    Make sure you scroll down and read the section:

    What to do if you cannot get your manufacturer recovery media, refuse to use or to buy it or the Microsoft Software Recovery Website does not work?

    You can also use Windows 10 too as you have the right to it as a free upgrade:

    • Turn off (preferably uninstall) your Antivirus utility before you perform the upgrade.
    • Reboot several times, and then try again.
    • Disable the general USB peripherals (for example - smart card reader).
    • If you are using a SCSI drive, make sure you have the drivers available for your storage on a thumdrive device and it is connected. During the installation of Windows 10, click on the advanced custom Option and use the command load driver to load the driver for the SCSI drive. If this does not work and the installer still fails, consider switching to an IDE based hard drive.
    • Perform a clean boot, restart, and then try again.
    • If you upgrade to the. ISO file, disconnect from the Internet during the installation, if you are connected in LAN (Ethernet) or wireless, disable both, then try to install.
    • If you are updated through Windows Update, when download reaches 100% disconnect from the LAN (Ethernet) Internet or Wi - Fi, then proceed with the installation.
    • If this does not work, try using the. ISO file to upgrade if possible.
    • If you are connected to a domain, go to a local account.
    • If you have an external equipment, attached to the machine, unplug them (example, game controllers, USB sticks, external hard drive, printers, peripherals not essential).
  • How to put an application on the dock icon without the arrow shortcut showing at 07:00

    Whenever I try to place an application icon in the dock icon get a tiny arrow shortcut to as for the 07:00 click the newly created and connected position.

    None of my icons for other applications in the dock has this small arrow on its icon.

    So, how to put an icon on the dock without the shortcut arrow display at the 07:00 position?

    If I understand you correctly, simply drag the application in the dock. No need to create an alias first.

  • How to remove all information from the computer so I can sell it?

    How to remove all information from the computer so I can sell it?

    Hello

    You will want to format the hard disk:

    1. you can use DBAN - http://www.dban.org/

    or

    2. you can follow this tutorial to clean install up to the step where you format the disk, in which you would then STOP (because you just want to get rid of the files on the hard drive, do not install Windows) - http://www.sevenforums.com/tutorials/1649-clean-install-windows-7-a.html

    Kind regards

    Patrick

  • instead of the lower left corner and I don't know how to put it back on the bottom

    Somehow, my son moved my taskbar to the bottom of the screen of my laptop on the left side of the screen. My STARTUP icon is now in the upper left corner instead of the bottom left corner and I don't know how to put it back on the bottom. How do come back on the bottom where it goes?

    Right-click on thew start button | Properties | Tab taskbar | Location of the taskbar on the screen. Back at bottom.
     
     
  • How to put more contrast in the menus

    How to put more contrast in the menus

    Try adjusting the settings in Edit > accessibility. In my view, there is a specific setting for it.

  • Can someone tell me how I put a hiperlink in the new Adobe Muse CC 2014...

    Can someone tell me how I put a hiperlink in the new Adobe Muse CC 2014... ?

    See: http://helpx.adobe.com/muse/using/creating-hyperlinks.html

    See you soon,.

    Vikas

  • CANNOT ACCESS THE LAN WITH THE EASY VPN CONFIGURATION

    Hello

    I configured easy vpn server in cisco 1905 SRI using ccp. The router is already configured with zone based firewall. With the help of vpn client I can reach only up to the internal interface of the router, but cannot access the LAN from my company. I need to change any configuration of ZBF since it is configured as "deny everything" from outside to inside? If so that all protocols should I match?   Also is there any exemption of NAT for VPN clients? Please help me! Thanks in advance.

    Please see my full configuration:

    Router #sh run
    Building configuration...

    Current configuration: 8150 bytes
    !
    ! Last modification of the configuration at 05:40:32 UTC Wednesday, July 4, 2012 by
    ! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
    ! NVRAM config updated 06:04 UTC Tuesday, July 3, 2012 by
    version 15.1
    horodateurs service debug datetime msec
    Log service timestamps datetime msec
    no password encryption service
    !
    router host name
    !
    boot-start-marker
    boot-end-marker
    !
    !
    Passwords security min-length 6
    no set record in buffered memory
    enable secret 5 xxxxxxxxxxx
    !
    AAA new-model
    !
    !
    AAA authentication login default local
    AAA authentication login ciscocp_vpn_xauth_ml_1 local
    AAA authorization exec default local
    AAA authorization ciscocp_vpn_group_ml_1 LAN
    !
    !
    !
    !
    !
    AAA - the id of the joint session
    !
    !
    No ipv6 cef
    IP source-route
    no ip free-arps
    IP cef
    !
    Xxxxxxxxx name server IP
    IP server name yyyyyyyyy
    !
    Authenticated MultiLink bundle-name Panel
    !

    parameter-map local urlfpolicy TSQ-URL-FILTER type
    offshore alert
    block-page message "Blocked according to policy"
    parameter-card type urlf-glob FACEBOOK
    model facebook.com
    model *. Facebook.com

    parameter-card type urlf-glob YOUTUBE
    mires of youtube.com
    model *. YouTube.com

    parameter-card type urlf-glob CRICKET
    model espncricinfo.com
    model *. espncricinfo.com

    parameter-card type urlf-glob CRICKET1
    webcric.com model
    model *. webcric.com

    parameter-card type urlf-glob YAHOO
    model *. Yahoo.com
    model yapo

    parameter-card type urlf-glob PERMITTEDSITES
    model *.

    parameter-card type urlf-glob HOTMAIL
    model hotmail.com
    model *. Hotmail.com

    Crypto pki token removal timeout default 0
    !
    Crypto pki trustpoint TP-self-signed-2049533683
    enrollment selfsigned
    name of the object cn = IOS - Self - signed - certificate - 2049533683
    revocation checking no
    rsakeypair TP-self-signed-2049533683
    !
    Crypto pki trustpoint tti
    crl revocation checking
    !
    Crypto pki trustpoint test_trustpoint_config_created_for_sdm
    name of the object [email protected] / * /
    crl revocation checking
    !
    !
    TP-self-signed-4966226213 crypto pki certificate chain
    certificate self-signed 01
    3082022B 30820194 02111101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
    2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43647274 31312F30
    69666963 32303439 35323236 6174652D 3833301E 170 3132 30363232 30363332

    quit smoking
    encryption pki certificate chain tti
    for the crypto pki certificate chain test_trustpoint_config_created_for_sdm
    license udi pid CISCO1905/K9 sn xxxxxx
    licence start-up module c1900 technology-package datak9
    username privilege 15 password 0 xxxxx xxxxxxx
    !
    redundancy
    !
    !
    !
    !
    !
    type of class-card inspect entire tsq-inspection-traffic game
    dns protocol game
    ftp protocol game
    https protocol game
    match icmp Protocol
    match the imap Protocol
    pop3 Protocol game
    netshow Protocol game
    Protocol shell game
    match Protocol realmedia
    match rtsp Protocol
    smtp Protocol game
    sql-net Protocol game
    streamworks Protocol game
    tftp Protocol game
    vdolive Protocol game
    tcp protocol match
    udp Protocol game
    match Protocol l2tp
    class-card type match - all BLOCKEDSITES urlfilter
    Server-domain urlf-glob FACEBOOK game
    Server-domain urlf-glob YOUTUBE game
    CRICKET urlf-glob-domain of the server match
    game server-domain urlf-glob CRICKET1
    game server-domain urlf-glob HOTMAIL
    class-map type urlfilter match - all PERMITTEDSITES
    Server-domain urlf-glob PERMITTEDSITES match
    inspect the class-map match tsq-insp-traffic type
    corresponds to the class-map tsq-inspection-traffic
    type of class-card inspect correspondence tsq-http
    http protocol game
    type of class-card inspect all match tsq-icmp
    match icmp Protocol
    tcp protocol match
    udp Protocol game
    type of class-card inspect correspondence tsq-invalid-src
    game group-access 100
    type of class-card inspect correspondence tsq-icmp-access
    corresponds to the class-map tsq-icmp
    !
    !
    type of policy-card inspect urlfilter TSQBLOCKEDSITES
    class type urlfilter BLOCKEDSITES
    Journal
    reset
    class type urlfilter PERMITTEDSITES
    allow
    Journal
    type of policy-card inspect SELF - AUX-OUT-policy
    class type inspect tsq-icmp-access
    inspect
    class class by default
    Pass
    policy-card type check IN and OUT - POLICIES
    class type inspect tsq-invalid-src
    Drop newspaper
    class type inspect tsq-http
    inspect
    service-policy urlfilter TSQBLOCKEDSITES
    class type inspect tsq-insp-traffic
    inspect
    class class by default
    drop
    policy-card type check OUT IN-POLICY
    class class by default
    drop
    !
    area inside security
    security of the OUTSIDE area
    source of security OUT-OF-IN zone-pair outside the destination inside
    type of service-strategy check OUT IN-POLICY
    zone-pair IN-to-OUT DOMESTIC destination outside source security
    type of service-strategy inspect IN and OUT - POLICIES
    security of the FREE-to-OUT source destination free outdoors pair box
    type of service-strategy inspect SELF - AUX-OUT-policy
    !
    Crypto ctcp port 10000
    !
    crypto ISAKMP policy 1
    BA 3des
    preshared authentication
    Group 2
    !
    crypto ISAKMP policy 2
    Group 2
    !
    ISAKMP crypto client configuration group vpntunnel
    XXXXXXX key
    pool SDM_POOL_1
    include-local-lan
    10 Max-users
    ISAKMP crypto ciscocp-ike-profile-1 profile
    vpntunnel group identity match
    client authentication list ciscocp_vpn_xauth_ml_1
    ISAKMP authorization list ciscocp_vpn_group_ml_1
    client configuration address respond
    virtual-model 1
    !
    !
    Crypto ipsec transform-set TSQ-TRANSFORMATION des-esp esp-md5-hmac
    !
    Profile of crypto ipsec CiscoCP_Profile1
    game of transformation-TRANSFORMATION TSQ
    set of isakmp - profile ciscocp-ike-profile-1
    !
    !
    !
    !
    !
    !
    the Embedded-Service-Engine0/0 interface
    no ip address
    response to IP mask
    IP directed broadcast to the
    Shutdown
    !
    interface GigabitEthernet0/0
    Description LAN INTERFACE-FW-INSIDE
    IP 172.17.0.71 255.255.0.0
    IP nat inside
    IP virtual-reassembly in
    security of the inside members area
    automatic duplex
    automatic speed
    !
    interface GigabitEthernet0/1
    Description WAN-INTERNET-INTERNET-FW-OUTSIDE
    IP address xxxxxx yyyyyyy
    NAT outside IP
    IP virtual-reassembly in
    security of the OUTSIDE member area
    automatic duplex
    automatic speed
    !
    interface Serial0/0/0
    no ip address
    response to IP mask
    IP directed broadcast to the
    Shutdown
    no fair queue
    2000000 clock frequency
    !
    type of interface virtual-Template1 tunnel
    IP unnumbered GigabitEthernet0/0
    ipv4 ipsec tunnel mode
    Tunnel CiscoCP_Profile1 ipsec protection profile
    !
    local IP SDM_POOL_1 172.17.0.11 pool 172.17.0.20
    IP forward-Protocol ND
    !
    no ip address of the http server
    local IP http authentication
    IP http secure server
    !
    IP nat inside source list 1 interface GigabitEthernet0/1 overload
    IP route 0.0.0.0 0.0.0.0 yyyyyyyyy
    IP route 192.168.1.0 255.255.255.0 172.17.0.6
    IP route 192.168.4.0 255.255.255.0 172.17.0.6
    !
    access-list 1 permit 172.17.0.0 0.0.255.255
    access-list 100 permit ip 255.255.255.255 host everything
    access-list 100 permit ip 127.0.0.0 0.255.255.255 everything
    access-list 100 permit ip yyyyyy yyyyyy everything
    !
    !
    !
    !
    !
    !
    !
    !
    control plan
    !
    !
    !
    Line con 0
    line to 0
    line 2
    no activation-character
    No exec
    preferred no transport
    transport of entry all
    output transport lat pad rlogin lapb - your MOP v120 udptn ssh telnet
    StopBits 1
    line vty 0 4
    transport input ssh rlogin
    !
    Scheduler allocate 20000 1000
    end

    A few things to change:

    (1) pool of IP must be a single subnet, it is not the same subnet as your subnet internal.

    (2) your NAT ACL 1 must be changed to ACL extended for you can configure NAT exemption, so if your pool is reconfigured to be 10.10.10.0/24:

    access-list 120 deny ip 172.17.0.0 0.0.255.255 10.10.10.0 0.0.0.255

    access-list 120 allow ip 172.17.0.0 0.0.255.255 everything

    overload of IP nat inside source list 120 interface GigabitEthernet0/1

    No inside source list 1 interface GigabitEthernet0/1 ip nat overload

    (3) OUT POLICY need to include VPN traffic:

    access-list 121 allow ip 10.10.10.0 0.0.0.255 172.17.0.0 0.0.255.255

    type of class-card inspect correspondence vpn-access

    game group-access 121

    policy-card type check OUT IN-POLICY

    vpn-access class

    inspect

  • How can I restore and recover the database to a different server using RMAN?

    Hello Friend:

    How can I restore and recover the database to a different server using RMAN? I want to implement an enviroument which has a different enviroument and different directories.

    That's the two servers. different stored different on each server and a single link, a table library where backup set.

    I can only restore and recover the database of the Rman command. Could you give me a demo?

    Thank you

    How can I restore and recover the database to a different server using RMAN? I want to implement an enviroument which has a different enviroument and different directories.

    That's the two servers. different stored different on each server and a single link, a table library where backup set.

    I can only restore and recover the database of the Rman command. Could you give me a demo?

    Check this box
    * How to restore Rman backups on a different node when the Directory Structures are different [ID 419137.1] *.

  • SDM &amp; easy VPN server problem

    I'm having a problem setting up an easy VPN server using Cisco Security

    Device Manager Version 2. 0a on a router in 1711 with IOS 12.3 (7) XR3.

    I have reset the router to the factory defects since the opening screen of SDM.

    Connect to 10.10.10.1

    User: cisco

    Password: Cisco

    Start SDM for the initial router configuration dialog box.

    Don't use CNS

    On basic configuration screen:

    Hostname set to router

    Domain: test.com

    Synchronize time with local PC

    Change the user name

    New user name: root

    password: xyzzy123

    password: xyzzy1234

    The LAN Interface Setup screen

    IP address set to 10.1.1.1

    Subnet: 255.255.255.0

    Active DHCP server

    Start IP: 10.1.1.50

    End IP: 10.1.1.70

    DNS Configuration screen

    Primary: 45.45.45.45

    Secondary: 45.45.45.46

    Use for DHCP Clients

    WAN Configuration screen

    Ethernet selected without Encapsulation PPOE

    No dynamic (DHCP Client) host name

    Advanced options screen

    Selected for VLAN1 port address translation

    After reading the summary, I chose the FINISH. Asked if dialog box I have

    you want to set up a basic firewall, I selected YES. I left all the

    secure by default items selected. I clicked FINISH. SDM detected that the

    DHCP client on the untrusted external interface and asked if I wanted to

    allow DHCP traffic through the firewall. I selected YES. The configuration

    has been delivered.

    Save the running-config startup-config and reloaded the router.

    Released and renewed my ip address and then reconnected in 1711 from new

    user name and password. SDM restarted.

    Has begun the task of configuration and choose to set up an easy VPN server.

    The opening screen had a command prompt to enable AAA. I launched the selected task

    After that the AAA commands have been delivered to the router.

    I chose the interface FastEthernet0 menu drop-down

    IKE proposals - selected default all the

    Transform set - selected default all the

    Group authorization / policy research - Selected Local only

    Add the user name: User1

    Password: local1

    Encrypt with MD5

    Privilege: 2

    Group permission/User Group Policies

    Add political group: tunnel

    Preshared key: sharedkey

    Selected new address Pool: 10.1.1.80 to 10.1.1.90

    Test after you have configured the selected button.

    Exit this screen, there was a warning SDM on the NAT with ACL rules

    have to be converted into NAT rules with course maps. I clicked YES to let

    SDM convert rules.

    Tests successful Easy VPN Server and client screen displays a warning

    on the "crypto ipsec df - bit clear' needing to be defined." He was not a

    way to put it in SDM and the search function had no success.

    I copied the running-config to the startup-config and tested the router from a

    connect remotely using a different ISP.

    The results:

    The SDM monitor shows the client connection, but the client cannot ping

    any host on the LAN of the router. No one on the LAN can easy ping of VPN client

    Assigned IP of VPN, but they can ping the client using the asigned IP ISP

    address.

    It seems that SDM not correctly configures the 1711 to route of the

    VPN interface to the local network.

    I enclose my 1711 Running Configuration generated by SDM.

    Hello

    I think that the reason why the ping is not successful is that your LAN IP address (connected to the VLAN interface) and the pool of IP addresses assigned to the client are in the same network.

    You can try assigning a pool of IP addresses for VPn clients that is in another subnet (say 10.1.2.80 to 10.1.2.90) and then try to ping?

    You can change the pool by means of configure-> additional tasks-> local swimming pools.

    You can then disconnect the client on the Monitoring page and connect again.

    Kind regards

    Ravikumar

Maybe you are looking for