Router Cisco 871 as a VPN server

Hello!

I have a Cisco 871 router on which I want to set up a VPN (PPTP) server at home, so that I can connect to it from outside (from an Internet café, for example).

All I need is to be able to use my home IP from anywhere in the world just by connecting to the VPN through PPTP. The router would be the only thing connected to the internet in my house and it is not all of the devices connected to the router. Remote access to my IP is all I need.

The problem is that I have no idea how to do that.

So I would really appreciate it if someone could help me with this.

Thank you!

Read the below URL

http://www.Cisco.com/en/us/products/ps5855/products_configuration_example09186a0080ab7073.shtml

HTH

Tags: Cisco Security

Similar Questions

  • Cisco 877 as a VPN server

    Hello

    I am trying to configure my Cisco 877 ADSL router as a VPN server, so that multiple sites can connect to it. Is it possible to achieve this goal? If yes, what is the procedure? If possible, please post the URL for the documentation here.

    Thank you

    Siva.

    Here is the sample configuration for the client in network Extension mode and IOS Easy VPN server:

    http://www.Cisco.com/en/us/Tech/tk583/TK372/technologies_configuration_example09186a0080808395.shtml

    The sample configuration uses local authentication, you can always change it to use radius authentication.

  • router Cisco 871 no internet no access

    I am studying and practicing for my CCENT and I am very new to Cisco routers, and so far have done well until I tried to access the internet. I have a router 871 which has a switch catalyst 2950 branch above. Connected to the switch is this computer, a router cascading and an external network drive. Connected to the router cascading is an Xbox, a PS3 and another computer. On both computers I can ping the router and the switch, but I can't reach beyond the router to the Linksys router that I used to connect to my network. Also, pinging one computer from the other gives me "destination host unreachable".

    This is my config running. Thanks to SD for any advice

    Building configuration...

    Current configuration : 3045 bytes
    !
    ! Last configuration change at 11:25:35 UTC Wed Jan 1 2014
    ! NVRAM config last updated at 11:25:45 UTC Wed Jan 1 2014
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname VanRouter
    !
    boot-start-marker
    boot-end-marker
    !
    logging message-counter syslog
    enable secret 5 $1$ $0tzK iA3tCXqYHVOHPrM1N2yig0
    !
    no aaa new-model
    !
    crypto pki trustpoint TP-self-signed-3288281326
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3288281326
     revocation-check none
     rsakeypair TP-self-signed-3288281326
    !
    !
    crypto pki certificate chain TP-self-signed-3288281326
     certificate self-signed 02

      quit
    dot11 syslog
    ip source-route
    !
    !
    ip dhcp excluded-address 192.168.100.1 192.168.100.10
    !
    ip dhcp pool van
     network 192.168.100.0 255.255.255.0
     default-router 192.168.100.1
     dns-server 8.8.8.8 8.8.4.4
    !
    !
    ip cef
    no ip domain lookup
    ip name-server 8.8.8.8
    no ipv6 cef
    !
    multilink bundle-name authenticated
    !
    !
    !
    username van privilege 15 password 0 van
    !
    !
    !
    archive
     log config
      hidekeys
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     ip address dhcp
     duplex auto
     speed auto
    !
    interface Vlan1
     ip address 192.168.100.1 255.255.255.0
    !
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    control-plane
    !
    !
    line con 0
     password van
     logging synchronous
     no modem enable
    line aux 0
    line vty 0 4
     privilege level 15
     password vantel
     logging synchronous
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    end

    VanRouter#

    If you can ping the router on then you should be able to ping from the PC on. Try searching for the source of your ping to the IP Address of the VLAN 1 interface on your router and see if it works.
    In addition, you don't need these static routes:
    ip route 0.0.0.0 0.0.0.0 71.246.236.11
    ip route 0.0.0.0 0.0.0.0 10.1.41.79
    ip route 192.168.0.0 255.255.255.0 192.168.1.1
    ip route 192.168.1.0 255.255.255.0 192.168.1.1
    ip route 192.168.100.0 255.255.255.0 192.168.100.2

    If you don't want to show up at static routing, you might be able to get directions to RIP on the Linksys. You must have access to the Linksys however.

    At the end of the day, you will probably need to configure NAT on the interface to the Linksys and the VLAN1 interface and then overload:

    interface FastEthernet4
     ip nat outside

    interface Vlan1
     ip nat inside

    access-list 10 permit 192.168.100.0 0.0.0.255

    ip nat inside source list 10 interface FastEthernet4 overload


  • Help setting up a router Cisco 871 for home...

    871

    Hello Andrew,

    Alain you provided the entire configuration of what you asked, but I think you also need to configure NAT in order to access internet from PC LAN.

    Reason for this is that get you the WAN IP address and default route ISP, for example:

    IP: 10.0.0.1

    Mask: 255.255.255.0

    Gateway: 10.0.0.254

    But your ISP guess you connect only a single PC, so only 10.0.0.1 IP address will have access to the internet. ISP will pass all traffic of 192.168.10.0/24 and 192.168.20.0/24 because these networks are unknown to the ISP. You will need to NAT your internal networks to your WAN IP 10.0.0.1.

    Here is the configuration:

    ip access-list extended NAT_ACL
     deny ip 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
     deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
     deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
     deny ip 192.168.20.0 0.0.0.255 192.168.20.0 0.0.0.255
     permit ip 192.168.10.0 0.0.0.255 any
     permit ip 192.168.20.0 0.0.0.255 any
     deny ip any any

    route-map NAT_MAP
     match ip address NAT_ACL

    ip nat inside source route-map NAT_MAP interface FastEthernet4 overload

    interface Vlan10
     ip nat inside

    interface Vlan20
     ip nat inside

    interface FastEthernet4
     ip nat outside

    Last thing, it is not necessary, but maybe you want to prevent users of VLANS to access your internal network:

    ip access-list extended Restrict_GUESTS
     deny ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
     permit ip 192.168.20.0 0.0.0.255 any
     deny ip any any

    interface Vlan20
     ip access-group Restrict_GUESTS in

    Best regards

    Please note all useful messages and close issues resolved

  • 3030 router Cisco LAN to LAN VPN, can only mount router tunnel

    I am unable to raise a tunnel from inside my VPN concentrator 3030 (IOS 3.5.2) tunnel 3 uses Ethernet as the side private tunnel. Is there some kind of problem on the VPN 3030 internally that does not use the Ethernet IP source 3? Once triggered on the remote side, the tunnel passes and receives traffic and I can ping devices on the remote side of my private network, but I can't ping any remote device from inside the VPN 3030.

    Do you mean that you can now view the tunnel of something related to the 10.255.0.0/24 network, but no ping comes from the VPN3030 itself?

    When you ping the VPN3030 it will automatically use the private IP address I think. Debugging isn't warning us whatever it is the first that you attached is where the Diffie-Hellman group was incompatible. If you have passed Phase 1 but, you will see a debug on the router that is similar to the following message:

    *Nov 26 08:51:37.901: IPSEC(validate_proposal_request): proposal part #1,
      (key eng. msg.) INBOUND local= 204.74.161.161, remote= 216.34.168.148,
        local_proxy= 10.1.215.0/255.255.255.0/0/0 (type=4),
        remote_proxy= 10.255.0.0/255.255.255.0/0/0 (type=4),
        protocol= ESP, transform= esp-3des esp-md5-hmac,
        lifedur= 0s and 0kb,
        spi= 0x0(0), conn_id= 0, keysize= 0, flags= 0x4

    Here you can see that the remote_proxy is 10.255.0.0, which shows that the 3030 uses this network as the source subnet. If you try and ping from the 3030 again run debugging, you will probably see the 172.16.0.0 (the private interface) as the remote_proxy.

    Why is it important that you cannot bring up the tunnel within the 3030 anyway? When would you like to do this?

  • Pass Cisco 871 and VPN to the SBS 2008 Server

    to precede the questions below, I'm responsible for COMPUTING internal with several years of site / offsite support. I also have very limited knowledge of the inner workings of a Cisco device. That said, I've beaten my head against a wall, trying to configure my router Cisco 871 to allow access to our internal server of SBS 2008 VPN hosting services. I think I, and properly configured the SBS 2008 Server.

    I use advanced IP services, version 12.4 (4) T7

    Here is the running config

    Building configuration...

    Current configuration : 9414 bytes
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname yourname
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    enable secret 5 *.
    !
    no aaa new-model
    !
    resource policy
    !
    clock timezone PCTime -5
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    ip subnet-zero
    no ip source-route
    ip cef
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name yourdomain.com
    ip name-server 65.24.0.168
    ip name-server 65.24.0.196
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip inspect name DEFAULT100 appfw DEFAULT100
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip inspect name DEFAULT100 http urlfilter
    ip inspect name DEFAULT100 tcp router-traffic
    ip inspect name DEFAULT100 https
    ip inspect name DEFAULT100 dns
    ip urlfilter source-interface FastEthernet4
    ip urlfilter allow-mode on
    ip urlfilter exclusive-domain deny .Facebook.com
    ip urlfilter exclusive-domain deny .spicetv.com
    ip urlfilter exclusive-domain deny .AddictingGames.com
    ip urlfilter exclusive-domain deny .Disney.com
    ip urlfilter exclusive-domain deny .Fest
    ip urlfilter exclusive-domain deny .freeonlinegames.com
    ip urlfilter exclusive-domain deny .hallpass.com
    ip urlfilter exclusive-domain deny .CollegeHumor.com
    ip urlfilter exclusive-domain deny .benmaller.com
    ip urlfilter exclusive-domain deny .gamegecko.com
    ip urlfilter exclusive-domain deny .ArmorGames.com
    ip urlfilter exclusive-domain deny .MySpace.com
    ip urlfilter exclusive-domain deny .Webkinz.com
    ip urlfilter exclusive-domain deny .playnow3dgames.com
    ip urlfilter exclusive-domain deny .ringtonemecca.com
    ip urlfilter exclusive-domain deny .smashingames.com
    ip urlfilter exclusive-domain deny .Playboy.com
    ip urlfilter exclusive-domain deny .pokemoncrater.com
    ip urlfilter exclusive-domain deny .freshnewgames.com
    ip urlfilter exclusive-domain deny .Toontown.com
    ip urlfilter exclusive-domain deny .online-Funny-Games.com
    ip urlfilter exclusive-domain deny .ClubPenguin.com
    ip urlfilter exclusive-domain deny .hollywoodtuna.com
    ip urlfilter exclusive-domain deny .andkon.com
    ip urlfilter exclusive-domain deny .rivals.com
    ip urlfilter exclusive-domain deny .moregamers.com
    !
    appfw policy-name DEFAULT100
     application http
      port-misuse p2p action reset alarm
      port-misuse im action reset alarm
     application im yahoo
      service default action reset
      service text-chat action reset
      server deny name scs.msg.yahoo.com
      server deny name scsa.msg.yahoo.com
      server deny name scsb.msg.yahoo.com
      server deny name scsc.msg.yahoo.com
      server deny name scsd.msg.yahoo.com
      server deny name messenger.yahoo.com
      server deny name cs16.msg.dcn.yahoo.com
      server deny name cs19.msg.dcn.yahoo.com
      server deny name cs42.msg.dcn.yahoo.com
      server deny name cs53.msg.dcn.yahoo.com
      server deny name cs54.msg.dcn.yahoo.com
      server deny name ads1.vip.scd.yahoo.com
      server deny name radio1.launch.vip.dal.yahoo.com
      server deny name in1.msg.vip.re2.yahoo.com
      server deny name data1.my.vip.sc5.yahoo.com
      server deny name address1.pim.vip.mud.yahoo.com
      server deny name edit.messenger.yahoo.com
      server deny name http.pager.yahoo.com
      server deny name privacy.yahoo.com
      server deny name csa.yahoo.com
      server deny name csb.yahoo.com
      server deny name csc.yahoo.com
      audit-trail off
     application im aol
      service default action reset
      service text-chat action reset
      server deny name login.oscar.aol.com
      server deny name toc.oscar.aol.com
      server deny name oam-d09a.blue.aol.com
      audit-trail off
    !
    !
    crypto pki trustpoint TP-self-signed-1955428496
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1955428496
     revocation-check none
     rsakeypair TP-self-signed-1955428496
    !
    !
    crypto pki certificate chain TP-self-signed-1955428496
     certificate self-signed 01
      quit
    username admin privilege 15 secret 5 *.
    !
    !
    policy-map sdmappfwp2p_DEFAULT100
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     description $FW_OUTSIDE$$ES_WAN$$ETH-WAN$
     ip address dhcp client-id FastEthernet4
     ip access-group 101 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat outside
     ip inspect DEFAULT100 out
     ip virtual-reassembly
     ip route-cache flow
     duplex auto
     speed auto
     service-policy input sdmappfwp2p_DEFAULT100
     service-policy output sdmappfwp2p_DEFAULT100
    !
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
     ip address 192.168.0.1 255.255.255.0
     ip access-group 100 in
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     ip nat inside
     ip virtual-reassembly
     ip route-cache flow
     ip tcp adjust-mss 1452
    !
    ip classless
    !
    !
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface FastEthernet4 overload
    ip nat inside source static tcp 192.168.0.100 1723 interface FastEthernet4 1723
    ip nat inside source static tcp 192.168.0.100 25 interface FastEthernet4 25
    ip nat inside source static tcp 192.168.0.100 80 interface FastEthernet4 80
    ip nat inside source static tcp 192.168.0.100 443 interface FastEthernet4 443
    ip nat inside source static tcp 192.168.0.100 987 interface FastEthernet4 987
    !
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.0.0 0.0.0.255
    access-list 100 remark auto generated by Cisco SDM Express firewall configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    access-list 101 remark auto generated by Cisco SDM Express firewall configuration
    access-list 101 remark SDM_ACL Category=1
    access-list 101 permit tcp any any eq 1723
    access-list 101 permit tcp any any eq 987
    access-list 101 permit tcp any any eq 443
    access-list 101 permit tcp any any eq www
    access-list 101 permit tcp any any eq smtp
    access-list 101 permit udp host 65.24.0.169 eq domain any
    access-list 101 permit udp host 65.24.0.168 eq domain any
    access-list 101 permit udp host 24.29.1.219 eq domain any
    access-list 101 permit udp host 24.29.1.218 eq domain any
    access-list 101 permit udp any eq bootps any eq bootpc
    access-list 101 deny ip 192.168.0.0 0.0.0.255 any
    access-list 101 permit icmp any any echo-reply
    access-list 101 permit icmp any any time-exceeded
    access-list 101 permit icmp any any unreachable
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip any any
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CCCCCAuthorized access only!
     Disconnect IMMEDIATELY if you are not an authorized user.^C
    !
    line con 0
     login local
     no modem enable
     transport output telnet
    line aux 0
     login local
     transport output telnet
    line vty 0 4
     privilege level 15
     login local
     transport input telnet ssh
    !
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end

    All that top has been configured with the SDM interface. I hope someone here can take a look at this and see what my question is, and why I can't connect through the router.

    All thanks in advance to help me with this.

    Jason

    Based on your description, I am assuming that you are trying to pass PPTP traffic through the 871 router, and that the PPTP tunnel terminates on your SBS 2008 Server.

    If this assumption is correct, PPTP uses 2 protocols: TCP/1723 and GRE. Your configuration only allows TCP/1723, but not the GRE protocol.

    On ACL 101, you must add "permit gre any any" before the deny statements:

    ip access-list extended 101
     1 permit gre any any

    I guess that the PPTP control connection works fine? Are you able to telnet to the router outside the ip address of the interface on port 1723?
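
The first-match behaviour behind this answer, as an added example that is not part of the original thread: the script evaluates a constructed, cleaned-up excerpt of ACL 101 for the two flows PPTP needs, then again with `permit gre any any` placed first. The client and router addresses are documentation-range placeholders, the function names are hypothetical, and only contiguous wildcard masks and `eq` port matches are modelled.

```python
import ipaddress

# Constructed excerpt of the inbound ACL 101 from the question (standard IOS syntax).
ACL_101 = """\
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 443
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip any any
"""
# The fix from the answer: sequence number 1 puts the GRE permit ahead of every deny.
FIXED_ACL_101 = "access-list 101 permit gre any any\n" + ACL_101

PORTS = {"www": 80, "smtp": 25, "domain": 53, "bootps": 67, "bootpc": 68}


def _addr(tokens):
    """Consume one address spec plus an optional 'eq PORT'; return (network, port)."""
    first = tokens.pop(0)
    if first == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif first == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        wildcard = int(ipaddress.ip_address(tokens.pop(0)))
        netmask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)  # wildcard is the inverted mask
        net = ipaddress.ip_network(f"{first}/{netmask}")
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = PORTS[name] if name in PORTS else int(name)
    return net, port


def parse_acl(text):
    """Turn numbered-ACL lines into a list of entries, skipping remarks and blanks."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list" or tokens[2] not in ("permit", "deny"):
            continue
        rest = tokens[4:]
        src, sport = _addr(rest)
        dst, dport = _addr(rest)
        entries.append({"action": tokens[2], "proto": tokens[3], "src": src,
                        "sport": sport, "dst": dst, "dport": dport, "line": line})
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None):
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] not in ("ip", proto):
            continue
        if src not in e["src"] or dst not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        return e["action"], e["line"]
    return "deny", "(implicit deny)"


def pptp_passthrough(entries, client="198.51.100.7", outside="203.0.113.10"):
    """Check both PPTP flows as they arrive on the outside interface (before NAT)."""
    control = evaluate(entries, "tcp", client, outside, sport=50000, dport=1723)
    tunnel = evaluate(entries, "gre", client, outside)
    return {"tcp/1723": control[0], "gre": tunnel[0], "gre_matched": tunnel[1]}


if __name__ == "__main__":
    for label, acl in (("as posted", ACL_101), ("with GRE permit", FIXED_ACL_101)):
        print(label, pptp_passthrough(parse_acl(acl)))
```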

  • How to Setup Cisco 1841 as a site to site VPN VPN server, with watch guard

    I would like to set up a Cisco 1841 as a VPN server to establish a site-to-site IP VPN with a WatchGuard firewall.

    I have looked through some examples of cisco config, but can't seem to get a lot.

    Can you please send me the sample config steps I need to perform on the Cisco router? And what credentials must be given to the WatchGuard to establish a permanent VPN?

    emergency assistance will be greatly appreciated.

    The cisco router is configured as a lan to lan normal IPSEC tunnel, there is no difference when configuration to create a tunnel to a watchguard/sonicwall or all that peer will use, you can use this link as a guide:

    http://www.Cisco.com/en/us/products/HW/routers/ps221/products_configuration_example09186a008073e078.shtml

    If you have problems, let me know.

  • ASA VPN server and vpn client router 871

    Hi all

    I have an ASA 5510 as an Easy VPN server and an 871 router as an Easy VPN client. I want to have the user ID and password stored permanently on the 871 and not have to re-enter the username and password, since the 871 uses a dynamic IP address and every time I have to run "cry ipsec client ezvpn xauth" and type the user name and password.

    any suggestions would be much appreciated.

    Thank you

    Alex

    Do "show crypto ipsec client ezvpn" on the 871. Does it say:

    ...

    Save Password: Disallowed

    ...

    The ezVPN server dictates to the client whether it can automatically connect with a saved password.

    Set "password-storage enable" under the group policy on the ASA.

    Kind regards

    Roman

  • Cisco 871 routing problem

    Hello.

    I have a Cisco 871 router with this network diagram

    10.218.10.117 host - 10.218.10.118 4 | CISCO 871 | 172.18.122.5-FE0 - 172.18.122.6 host

    I want the 172.18.122.6 host can do ping to the 10.218.10.117 host at the other end of the router, but its does not work, what is the problem with this config? could someone give me a hand?

    Using 1222 out of 131072 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname ALCALÁ-CNT-UIO
    !
    boot-start-marker
    boot-end-marker
    !
    enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    enable password XXXXXXXXXXXXXXX
    !
    no aaa new-model
    !
    resource policy
    !
    ip subnet-zero
    ip cef
    !
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface FastEthernet4
     ip address 10.218.10.118 255.255.255.252
     speed auto
     full-duplex
    !
    interface Vlan1
     ip address 172.18.122.5 255.255.255.0
    !
    router rip
     redistribute connected
     network 10.0.0.0
     network 172.18.0.0
    !
    ip classless
    !
    !
    no ip http server
    no ip http secure-server
    !
    dialer-list 1 protocol ip permit
    !
    !
    control-plane
    !
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     password XXXXXXXXXXXX
     login
    !
    scheduler max-task-time 5000
    end

    Better compliance

    The f

    Jeff,

    Each host can ping their side? You have default gateways configured on the hosts?

    HTH,
    John

    Please note all useful messages *.

  • Installation easy vpn Cisco 871

    I have a Cisco 871 router sitting behind my adsl router and I have configured to accept vpn connections from clients from outside (partially configured by cli and partly by SDM).

    It works well, in that I can connect my LAN and access my network inside resources, however I can't access the web when connected via vpn.

    Is it perhaps to nat? I hope that someone can see why in my config. Thank you.

    Hi Chris,

    The only reason I can see here for clients losing internet access when connected by VPN is that, according to the current configuration, all traffic (including NetBIOS) runs through the tunnel. So when a packet leaves the client machine with a source IP (one of the private IP addresses from the configured pool) and a destination of 4.2.2.2 (it can be any IP on the internet), there is no translation defined for the VPN client's IP address on the router.

    Thus, a packet from the client computer with a NON-routable address cannot access the internet, for obvious reasons.

    To work around the problem, try this.

    access-list 5 permit 192.168.1.0 0.0.0.255

    (assuming that 192.168.1.0 is the subnet the VPN clients need access to)

    Then,

    crypto isakmp client configuration group home
     key xxxx
     acl 5   <-- binding the ACL

    By creating the ACL and binding it to the client configuration, the traffic in the tunnel is split. In other words, only traffic for the 192.168.1.x subnet will pass through the tunnel and the rest will take the path of the LOCAL ISP.

    I hope this helps...!

    Concerning

    M.

  • 2651xm (IOS 12.4(9T) VPN server - default route

    When my clients connect to the VPN server, their default route prepared to go through the VPN. If they resemble the State of the connection, it shows "0.0.0.0 0.0.0.0" under the secure routes. I want to do so that one class C subnet is in the list. How can I do this?

    Thank you!

    This is called "split tunneling". For maximum security, you should not use it.

    Never done on IOS myself, but this would contribute to the code snippet:

    access-list 150 permit ip 30.30.30.0 0.0.0.255 any

    crypto isakmp client configuration group hw-client-name
     key hw-client-password
     dns 30.30.30.10 30.30.30.11
     wins 30.30.30.12 30.30.30.13
     domain cisco.com
     pool dynpool
     acl 150

    From http://www.cisco.com/application/pdf/en/us/guest/products/ps6659/c1650/cdccont_0900aecd80313bd6.pdf

  • Cisco 831 - easy VPN server

    Hello

    I am trying to create an easy VPN server on Cisco 831. When I "test" the easy VPN he said that it tested successfully, but when I try to VPN in the router of the built in Windows XP VPN client, I'm unable to connect.

    Does anyone have recommendations for how to configure easy VPN? I basically just selected all the default options. I was not able to find tutorials in the Cisco online documentation.

    Do I need to have the Cisco VPN client to connect to the Cisco router?

    Other thoughts?

    Your IP address pool you are trying to assign to remote users is part of your local network, which is not the best way to assign the ip address to the VPN Clients, and I've seen a lot of problems in the past were route it not forwards the packets to the client. This allows you to change the POOL of something other than your LAN. E.g. 192.168.1.0/24.

    Also, make sure that you re - configure your 102 ACL accordingly.

    Once you make changes, try to connect again and let me know how it goes.

    Kind regards

    Arul

    * Please note all useful messages *.

  • VPN site to Site on both ends using Cisco 871

    I would like to configure VPN Site to Site using the Cisco 871 templates at both ends, but a hard time to set it up. Can someone tell me how to do or if you know of a link that may help me set up as soon as possible?

    I can learn it, but it's time that banned me in the implementation. The other end is already configured to provide Internet access to all users.

    Tom,

    ########################################################################################

    Router 1 VPN config:

    Internal = 10.0.0.0/24
    Public = 196.1.161.65

    access-list 101 permit ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255

    access-list 102 deny ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
    access-list 102 permit ip 10.0.0.0 0.0.0.255 any

    ip nat inside source list 102 interface (check the name of the external interface) overload

    crypto isakmp policy 10
     encryption 3des
     hash sha
     ! needed for the pre-shared key below to be used (the IOS default is rsa-sig)
     authentication pre-share
     group 2

    crypto isakmp key cisco123 address 196.1.161.66

    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac

    crypto map mymap 10 ipsec-isakmp
     set peer 196.1.161.66
     set transform-set RIGHT
     match address 101

    interface (check the name of the interface inside)
     ip nat inside

    interface (check the name of the external interface)
     ip nat outside
     crypto map mymap

    ########################################################################################

    Router 2 VPN config:

    Internal = 10.193.12.0/22
    Public = 196.1.161.66

    access-list 101 permit ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255

    access-list 102 deny ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
    access-list 102 permit ip 10.193.12.0 0.0.3.255 any

    ip nat inside source list 102 interface FastEthernet4 overload

    crypto isakmp policy 10
     encryption 3des
     hash sha
     ! needed for the pre-shared key below to be used (the IOS default is rsa-sig)
     authentication pre-share
     group 2

    crypto isakmp key cisco123 address 196.1.161.65

    crypto ipsec transform-set RIGHT esp-3des esp-sha-hmac

    crypto map mymap 10 ipsec-isakmp
     set peer 196.1.161.65
     set transform-set RIGHT
     match address 101

    interface Vlan1
     ip nat inside

    interface FastEthernet4
     ip nat outside
     crypto map mymap

    ########################################################################################

    The above is an example configuration.
    It is always recommended to change the pre-shared key to something else.

    Federico.
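An added example, not part of the posts above: a Python check that the two ends of such a configuration agree, meaning the crypto ACLs (101) are mirror images and each NAT ACL (102) denies the tunnel traffic before its first permit, so that traffic is not translated before it can match the crypto map. The function names and the embedded config excerpts are constructed for this illustration.

```python
import re

# Constructed input: the ACL and crypto-map lines of the two configs in the post.
R1 = """\
access-list 101 permit ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 deny ip 10.0.0.0 0.0.0.255 10.193.12.0 0.0.3.255
access-list 102 permit ip 10.0.0.0 0.0.0.255 any
crypto map MYmap 10 ipsec-isakmp
 match address 101
"""
R2 = """\
access-list 101 permit ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 deny ip 10.193.12.0 0.0.3.255 10.0.0.0 0.0.0.255
access-list 102 permit ip 10.193.12.0 0.0.3.255 any
crypto map MYmap 10 ipsec-isakmp
 match address 101
"""

ACE = re.compile(r"access-list (\d+) (permit|deny) ip (\S+ \S+) (any|\S+ \S+)")

def aces(cfg, num):
    """(action, src, dst) entries of one numbered ACL, in configuration order."""
    return [(m[2], m[3], m[4]) for m in ACE.finditer(cfg) if m[1] == str(num)]

def vpn_flows(cfg):
    """(src, dst) pairs permitted by the ACL that 'match address' points at."""
    num = re.search(r"match address (\d+)", cfg)[1]
    return [(s, d) for act, s, d in aces(cfg, num) if act == "permit"]

def check_pair(a, b, nat_acl=102):
    """Return a list of problems; an empty list means both ends are consistent."""
    problems = []
    if sorted(vpn_flows(a)) != sorted((d, s) for s, d in vpn_flows(b)):
        problems.append("crypto ACLs are not mirror images")
    for name, cfg in (("A", a), ("B", b)):
        nat = aces(cfg, nat_acl)
        permits = [i for i, e in enumerate(nat) if e[0] == "permit"]
        first_permit = min(permits, default=len(nat))
        for s, d in vpn_flows(cfg):
            # the exemption must be an exact deny placed above the first permit
            if ("deny", s, d) not in nat[:first_permit]:
                problems.append(f"router {name}: {s} -> {d} is not exempt from NAT")
    return problems
```

The comparison is textual, so equivalent ACL entries written with different address or mask notation are reported as a mismatch.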

  • Easy vpn server issues of Cisco 800 series.

    Hello.

    I want to deploy the Easy VPN server on 10 Cisco 876 and 877 routers and access them from a remote location (company headquarters). When I leave the firewall of the router off, the VPN server works. When I turn it on, it doesn't.

    Although I allow all traffic to my IP, for example 80.76.61.158, I can't access the VPN server.

    I tried leaving the firewall off at one site and it worked fine.

    I use SDM to configure the VPN server. Any ideas what I can do with the firewall? Because I really can't leave it "open."

    Thanks in advance.

    It would be a good idea to paste the configuration of the VPN server to the firewall.

    Kind regards

    Kamal

  • PlayBook & cisco Easy VPN Server 831

    I don't seem to be able to connect to the Easy VPN server configured on my Cisco 831 router using my BlackBerry PlayBook.  Looking at the console of the router I can see debugging output but don't know what it means.  I have attached the debug output as well as pasted my configuration; if someone is able to help me at all it would be much appreciated.  Thank you very much.

    Current configuration: 2574 bytes
    !
    version 12.3
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname router
    !
    enable secret 5 $1$FM71$y4ejS2icnqX79b9gD92E81
    enable password xxxx
    !
    username CRWS_Ritesh privilege 15 password 0 $1$W1fA$o1oSEpa163775446
    username shamilton privilege 15 secret 5 $1$wFLF$8eRxnrrgVHMXXC0bXdEGi1
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa session-id common
    ip subnet-zero
    no ip routing
    !
    !
    ip audit notify log
    ip audit po max-events 100
    no ftp-server write-enable
    !
    !
    !
    !
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp xauth timeout 15

    !
    crypto isakmp client configuration group ciscogroup
     key 0 (deleted)
     dns 172.16.60.246 172.16.60.237
     pool SDM_POOL_3
     acl 100
     save-password
     include-local-lan
    !
    !
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    !
    crypto dynamic-map SDM_DYNMAP_1 1
     set transform-set ESP-3DES-SHA
     reverse-route
    !
    !
    crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1
    crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1
    crypto map SDM_CMAP_1 client configuration address respond
    crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !
    !
    !
    !
    interface Ethernet0
     ip address 172.16.60.241 255.255.255.0
     ip nat inside
     no ip route-cache
    !
    interface Ethernet1
     ip address dhcp
     ip nat outside
     no ip route-cache
     duplex auto
     crypto map SDM_CMAP_1
    !
    interface FastEthernet1
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet2
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet3
     no ip address
     shutdown
     duplex auto
     speed auto
    !
    interface FastEthernet4
     no ip address
     duplex auto
     speed auto
    !
    ip local pool SDM_POOL_1 172.16.60.190 172.16.60.199
    ip local pool SDM_POOL_2 192.168.1.1 192.168.1.100
    ip local pool SDM_POOL_3 172.16.61.100 172.16.61.150
    ip nat inside source route-map SDM_RMAP_1 interface Ethernet1 overload
    ip classless
    !
    ip http server
    no ip http secure-server
    !
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 172.16.60.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=4
    access-list 100 permit ip 172.16.60.0 0.0.0.255 any
    snmp-server community public RO
    snmp-server enable traps tty
    !
    line con 0
     no modem enable
    line aux 0
    line vty 0 4
     exec-timeout 120 0
     password xxxxx
     length 0
    !
    scheduler max-task-time 5000
    !
    end

    Stace,

    *Mar  1 06:40:15.258: ISAKMP: transform 1, ESP_AES

    *Mar  1 06:40:15.258: ISAKMP:   attributes in transform:

    *Mar  1 06:40:15.262: ISAKMP:      SA life type in seconds

    *Mar  1 06:40:15.262: ISAKMP:      SA life duration (basic) of 10800

    *Mar  1 06:40:15.262: ISAKMP:      encaps is 61443

    *Mar  1 06:40:15.262: ISAKMP:      key length is 256

    *Mar  1 06:40:15.262: ISAKMP:      authenticator is HMAC-SHA

    *Mar  1 06:40:15.262: ISAKMP (0:14): atts are acceptable.

    *Mar  1 06:40:15.262: ISAKMP (0:14): IPSec policy invalidated proposal

    *Mar  1 06:40:15.262: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 14

    The other end offers an AES 256 and SHA IPsec transform set.

    While you have configured:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

    Suggestion:

    Add a new transform set and apply it under the crypto map.

    HTH,

    Marcin
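An added example, not part of the thread: the comparison Marcin makes by eye, written as a Python check that reads the phase 2 proposal out of `debug crypto isakmp` lines and compares it with the `crypto ipsec transform-set` lines of the configuration. The function names and the debug-to-keyword mapping tables are this example's own; the sample input is copied from the posts above.

```python
import re

# Sample input: debug lines and the transform-set line quoted in the thread.
DEBUG = """\
*Mar  1 06:40:15.258: ISAKMP: transform 1, ESP_AES
*Mar  1 06:40:15.262: ISAKMP:      key length is 256
*Mar  1 06:40:15.262: ISAKMP:      authenticator is HMAC-SHA
*Mar  1 06:40:15.262: ISAKMP (0:14): phase 2 SA policy not acceptable! (local 14
"""
CONFIG = "crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac\n"

# Debug names -> IOS transform keywords (only the common ESP cases).
CIPHER = {"ESP_DES": "esp-des", "ESP_3DES": "esp-3des", "ESP_AES": "esp-aes"}
AUTH = {"HMAC-SHA": "esp-sha-hmac", "HMAC-MD5": "esp-md5-hmac"}

def offered(debug):
    """One set of IOS transform keywords per 'transform N, ESP_x' block."""
    props = []
    for line in debug.splitlines():
        if m := re.search(r"ISAKMP: transform \d+, (ESP_\w+)", line):
            props.append([CIPHER.get(m[1], m[1])])
        elif props and (m := re.search(r"key length is (\d+)", line)):
            if m[1] != "128":            # bare "esp-aes" already means 128 bits
                props[-1][0] += " " + m[1]
        elif props and (m := re.search(r"authenticator is (\S+)", line)):
            props[-1].append(AUTH.get(m[1], m[1]))
    return [frozenset(p) for p in props]

def configured(config):
    """Transform-set name -> set of transforms, 'esp-aes 256' kept as one item."""
    sets = {}
    for m in re.finditer(r"^crypto ipsec transform-set (\S+) (.+)$", config, re.M):
        items = re.findall(r"[a-z][\w-]*(?: \d+)?", m[2])
        sets[m[1]] = frozenset(re.sub(r" 128$", "", i) for i in items)
    return sets

def diagnose(debug, config):
    """Return (names of sets matching an offer, offers that no set covers)."""
    sets, offers = configured(config), offered(debug)
    matched = [n for n, t in sets.items() if t in offers]
    missing = [sorted(o) for o in offers if o not in sets.values()]
    return matched, missing
```

The check covers transform sets only; whether a matching set is also referenced under the crypto map or dynamic map is not verified.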
