Support VPN Cisco 881
Hi all
I am not cisco trained or worked with cisco, im a complete beginner in Cisco platforms. We are an IT support MPH and we have recently taken on a client that has an office abroad using a Cisco 881 device with a Draytek router to the United Kingdom. Site to site connectivity is necessary. I watched and watched videos of youtube on how to configure the VPN and think I have it in place by using the config on the cisco below:
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
lifetime 28800
isakmp encryption key * address *.
!
Crypto ipsec transform-set esp-3des esp-sha-hmac sha3des
!
crypto map 1 VPN ipsec-isakmp
set peer *.
Set transform-set sha3des
PFS group2 Set
match address UK
!
interface FastEthernet4
!
UK extended IP access list
It shows the VPN and active but there is no movement between the two and I do not know why... Current state of the session crypto Interface: FastEthernet4
So it all seems perfect, however, if I try and ping the remote remote sites over ip LAN router I get the following: Type to abort escape sequence.
I also can't ping the remote site in the Cisco lan. I think that it is towards the end of cisco, the Draytek is a basic router and no routing is able to be configured. It does it automatically. The VPN is so no traffic... Please can someone point me in the right directoin? Thank you The additional ip route does not harm even if it is not needed. I love these additional routes that they can serve as a sort of "online documentation" when it is used with a keyword "name" extra at the end. Your NAT - ACL does not have the traffic. Just add the following: Tags: Cisco Network Site to site VPN works only on Cisco 881 I have 2 problems with a cisco 881. The first problem is that Vlan2 (192.168.5.xx) cannot access the internet on the outside. But I know that the router has internet, because I can ping the external ip address. The 2nd problem is that I have a set of site to another upward, but when I test the Site to site I get this error: destination of traffic of the tunnel must be channelled through the crypto map interface. The destination following (s) doesn't have a routing entry in the routing table I copied the config form this router from another cisco 881 work, where everything works. The only difference is that this router needs a site to site vpn connection. My question is how I can get internet on vlan2 and who can I solve the connection to site to site. Here's the running configuration: Building configuration... Current configuration: 12698 bytes !
This area is reserved for administrators of control systems. If you are here by mistake, please disconnect immediately. You have full access to 192.168.125.0 / 0.0.0.255 Support on continue to start your session. ^ C This area is limited to the PALL access only. If you are here by mistake, please disconnect immediately. You have full access to 192.168.125.0 / 0.0.0.255 Support on continue to start your session. ^ C
Unplug IMMEDIATELY if you are not an authorized user Thank you. It seems that DNS has failed, because it is indeed happened to internet, but it does not work when internet DNS resolution. Go ahead and try to ping this 157.166.226.25, and it's on the browser http://157.166.226.25/, CNN.com. Let's try those. Also just in case where to configure a DNS SERVER on your router. - http://www.cisco.com/c/en/us/support/docs/ip/domain-name-system-dns/2418... Disable any ZBF just in case. David Castro, Kind regards Cisco 881 - maximum number of VPN tunnels allowed? Hello I know it sounds simple and easy question, but I can't find the answer anywhere - so here it is: -. I need to know the maximum number of vpn tunnels that can manage a Cisco 881. (In the context, we have a group of users who work from home and office, so their laptops have the cisco vpn client, I need to know how much of these vpn connections the 881 can manage both before, he died a death) Host-, I read somewhere a line that State maximum number of users is 20 but believe it was referring to a VOIP service. Thanks in advance. The 881 supports 20-tunnel IPSec: -- Cisco 881 - Access Gateway VPN session Nice day I configured my Cisco 881 and finally has surpassed "thecan't see my network" issue IPSec VPN. I have a usecase where I need to access the gateway of the VPN Session. When I connect to the VPN using Cisco VPN Client 4.8 x, I do not return a default gateway on the VPN map. When I try to ping my IP from the LAN (10.20.30.1) bridge that does not work and I cannot access it with other tools. I'm sure it's an ACL question and it makes sense to hide the default gateway, but the big question is how to configure my router to see the gateway and access them from the VPN session? Please see my attached cleaned configuration. Network Info: Thank you in advance for your help! Kind regards -JsD Brand pls kindly this post as answered so that others facing the same issue can follow the workaround solution provided according to your final configuration. Great update and explanation btw. Thank you for that. Is supported PPTP vpn cisco ASA 5520 firewall? Hi all I'm Md.kamruzzaman. My compnay buy a firewall of cisco asa 5520 and I want to configure PPTP vpn on asa 5520 firewall. Is it possible to configure the PPTP vpn to asa firewall. If possible can you please tell me what is the procedure to configure the PPTP vpn. Best regards MD.kamruzzaman Sorry, but the Cisco ASA firewall does not support PPTP VPN termination. You may terminate IPSec and SSL VPN but not of type PPTP. If you are new to the ASA, how best to configure the supported VPN types is via the VPN Wizard integrated into the application of management of ASSISTANT Deputy Ministers. SSL VPN may be configured on the router from Cisco 881/K9? I'm now confused if SSL VPN can be configured on the router from Cisco 881/K9. Please someone advise me. If Yes, for only 5 users, what I need to buy the license or license is supplied with the router? Thank you. Yes, and you need a license: FL-WEBVPN-10-K9 License SSL VPN functionality for up to 10 users (incremental), to 12.4 T based only IOS versions FL-SSLVPN10-K9 License SSL VPN functionality for up to 10 users (incremental) for the only based 15.x IOS versions What clients VPN Cisco 2811 supports? Is the solution of VPN Cisco 2811 locked customers cisco or that market with other brands too? Best regards Tommy Svensson Hello With the correct IOS feature set, it will support IPsec VPN clients. This includes not only the Cisco VPN client but almost any standard IPsec client. In addition, if on the 2811 can accept any browser SSL VPN connections, or even use the AnyConnect SSL client. It will be useful. Federico. Cisco 881 can ping internet but computers behind the router cannot I have a cisco 881, which can ping internet but not of any computer behind it. Computers receive a static IP address, that is why there is no DHCP assigned to any LAN interface. Here's the running configuration: Building configuration... Current configuration: 6435 bytes !
Any ideas? Thank you. I see ip nat inside and ip nat outside interfaces configured on. But I don't see any translation of address configured. This would preclude anything inside the unit to be able to access the Internet. HTH Rick Check the ISE for the VPN Cisco posture Hello community, first of all thank you for taking the time to read my post. I have a deployment in which requires the characteristic posture of controls for machines of VPN Cisco ISE. I know that logically once a machine on the LAN, Cisco ISE can detect and apply controls posture on clients with the Anyconnect agent but what about VPN machines? The VPN will end via a VPN concentrator, which then connects to an ASA5555X that is deployed as an IPS only. Are there clues to this? Thank you! The Cisco ASA Version 9.2.1 supports the change in RADIUS authorization (CoA) (RFC 5176). This allows for the gesticulations of users against the ISE Cisco VPN without the need of an IPN. Once a VPN user connects, the ASA redirects web traffic to the LSE, where the user is configured with a Network Admission Control (NAC) or Web Agent. The agent performs specific controls on the user's computer to determine its conformity against one together configured posture rules, such as the rules of operating system (OS) patches, AntiVirus, registry, Application, or Service. The posture validation results are then sent to the ISE. If the machine is considered the complaint, then the ISE can send a RADIUS CoA to the ASA with the new set of authorization policies. After validation of the successful posture and CoA, the user is allowed to access internal resources. Want to update IOS through the Rommon mode in router Cisco 881 Hi all I'm not able to upgrade IOS via mode Rommon in Cisco 881 router as FE 4 port is in router only L3 and rommon mode it supports of 0 - 3-way only. So please confirm for me that is there any other way or Cisco 881 router will not support IOS via Rommon upgradation. Kindly help. Hi charrier you do not give the ip address of the router interface he gets in rommon so it should not matter what interface, as long as your pc and peripherals, same subnet to push the tftpdnld - see doc http://www.Cisco.com/c/en/us/TD/docs/routers/access/800/software/CONFIGU... EDIT: See this too good examples even syntax for 800 https://supportforums.Cisco.com/document/12441/tftpdnld-ROMMON-command-r... Activate nbar2 on Basic Firewall area - cisco 881 IOS version:-c880data-universalk9 - mz.154 - 3.M4.bin I'm looking to activate NBAR2 on cisco 881 router according to this doc. I couldn't find the command called "nbar - classified" within the following parameter-map command. Appreciate any rear power to solve this problem card type (config) #parameter - inspect global You missed this bit important. In Cisco IOS version 15.5 (1) T and later versions, the firewall area supports Network-Based Application recognition 2 (NBAR2). Several external IPs on Cisco 881 Nice day I have a Cisco 881 router on which I am putting in place some NAT to allow external connections on some IP addresses replacing my ISP to connect to some ports on my internal servers. Unfortunately, I'm not a network engineer and something seems to be non-tout to right with my setup. My ISP, I have IP 184.183.156.98, he was assigned to the WAN port on my router Cisco 881 (FastEthernet4), and I have this working properly. Rules of Port forwarding I have in place that use this IP address work very well. In addition, I have the small block of IPs 184.183.150.161 - 164. None of the port forwarding rules put in place for these seem to work at all. If you need the full config file, please let me know. This section below seems to be the relevant bits to my question, the entries in bold are the port forwarding rules that I think should work, but who do not seem to. ! interface FastEthernet4 WAN description $ FW_OUTSIDE$ IP 184.183.156.98 255.255.255.252 no ip redirection no ip unreachable NAT outside IP IP virtual-reassembly in automatic duplex automatic speed ! overload of IP nat inside source list 23 interface FastEthernet4 IP nat inside source static tcp 192.168.10.205 1024 184.183.150.162 1024 extensible IP nat inside source static tcp 192.168.10.205 1025 184.183.150.162 1025 extensible IP nat inside source static tcp 192.168.10.205 1026 184.183.150.162 1026 extensible IP nat inside source static tcp 192.168.10.205 184.183.150.162 1027 1027 extensible IP nat inside source static tcp 192.168.10.205 3061 184.183.150.162 3061 extensible IP nat inside source static tcp 192.168.10.205 3064 184.183.150.162 3064 extensible IP nat inside source static tcp 192.168.10.210 888 184.183.150.163 888 extensible IP nat inside source static tcp 192.168.10.93 1024 184.183.150.164 1024 extensible IP nat inside source static tcp 192.168.10.93 1026 184.183.150.164 1026 extensible IP nat inside source static tcp 192.168.10.93 184.183.150.164 1027 1027 extensible IP nat inside source static tcp 192.168.10.93 184.183.150.164 3060 3060 extensible IP nat inside source static tcp 192.168.10.93 6901 184.183.150.164 6901 extensible IP nat inside source static udp 192.168.10.93 6901 184.183.150.164 6901 extensible IP nat inside source static tcp 192.168.10.250 88 184.183.156.98 88 extensible IP nat inside source static tcp 192.168.10.250 37777 184.183.156.98 37777 extensible IP route 0.0.0.0 0.0.0.0 184.183.156.97 ! Note access-list 23 CCP_ACL category = 19 access-list 23 allow 192.168.10.0 0.0.0.255 access-list 23 allow 192.168.20.0 0.0.0.255 access-list 23 allow 192.168.30.0 0.0.0.255 access-list 23 permit 192.168.40.0 0.0.0.255 Note access-list 23 VPN Internet acccess access-list 23 allow 192.168.50.0 0.0.0.255 Thank you Adam Corbett Adam From what you have posted your config looks very good. Are you sure that your ISP routes these IPs to your external interface? How do you test it? Jon Hello I have a router Aztech DSL1015EW (S) and Cisco RV100w. Here's my setup. Phone - RJ11---> DSL1015EW (S) - RJ45---> RV110W -J' tried to build the portable computer remote VPN connection to RV110W (failed) -Also failefk quick VPN -PPTP failed Port forwarding on DSL1015EW I don't have the public ip address I use dydns. What can I do? Please help me. Fast VPN error message is "bridge not answer do you expect ot. PPTP error code is cannot estiblishe to the remote host. Hello Hi, thank you for using our forum, my name is Johnnatan I left the community of support to small businesses. I apologize for your stress, in this case I advise you to check this link with useful information about the VPN fast https://supportforums.cisco.com/docs/DOC-29399 I hope you find this answer useful, "* Please mark the issue as response or write it down so others can benefit from. Greetings, Johnnatan Rodríguez Miranda. Support of Cisco network engineer. Hi all We have a large ongoing project in which we implement a Firewall / VPN service to the customers to provide VPN connections back to a single VPN server. We have about 1,000 users but only run about 200-250 concurrent sessions at any time and the IP Sec and SSL will be fine. As part of our evaluation and the construction phase we need to firstly consider hardware and Cisco is an obviuos because we have the expertise in house. However, I consider that for this client, it would be preferable to provide a solution that will scale that their subscribers grow and therefore my opinion is the ASA 5510 would be a good starting point and we can improve if their subscriber base grows. There are also run active failover / standby. However, the licenceing issues are a little confussing to say the least and so would like a second opinion from someone on this forum which has some recent experience of a similar build and install. Hardware and software specifications for this build are important, so any suggestions in this regard would be also welcome. We considered all connect premium, but this can be expensive looking at 250 concurrent sessions. These are fundamental questions. 1. what would be the best material to offer to this customer to get them started? 2. with Anyconnect is the example from the sessions simultaneous or registered user accounts or in other words we would have 1,000 accounts of users with 250 concurrent connections? 3. is there a better way to configure the VPN simultaneous 250 with about 1000 users? Any help would be as always greatly appreciated. Kind regards >> 1. What would be the best material to offer to this customer to get them started? The 5510 is a legacy that should not be bought and more like the first firewall. And the concurrent users are also too low. You should look into the 5525-X. This model supports VPN connections simultaneous 750. The next smallest model, the 5515-X only supports 250 simultaneous sessions. >> 2. With Anyconnect is the example from the sessions simultaneous or registered user accounts, or in other words we would have 1,000 accounts of users with 250 concurrent connections? Yes, concurrent sessions are what count. >> 3. Is there a better way to configure the VPN simultaneous 250 with about 1000 users? You must decide if you really need VPN without client. If your users could all use a complete tunnel (AnyConnect) client, then just buy the AnyConnect Essentials license which is pretty cheap. Sent by Cisco Support technique iPad App SHA version supported on Cisco IOS Guys, What is the SHA version that we support on the devices that support VPN from Cisco IOS? Just configuration options tell SHA... I do apreciate if you could point me to a cisco document to support your theory because client would require... Thanks in advance. To specify the hashing algorithm in a policy of Internet Key Exchange, use the command hash policy Internet Security Association Key Management Protocol (ISAKMP) configuration mode. IKE policy define a set of parameters to use when the IKE negotiation. To reset the hash algorithm for the algorithm of hash-1 defaultsecure hash algorithm (SHA), don't use No form of this command. hash {sha | SHA256 . SHA384 | md5} no hash SHA Specifies the hash algorithm SHA-1 (HMAC variant). SHA256 Specifies the family of SHA-2 256 bits (HMAC variant) as the hashing algorithm. SHA384 Specifies the family of SHA-2 384 bits (HMAC variant) as the hashing algorithm. MD5 Specifies the MD5 (HMAC variant) as the hashing algorithm. The SHA-1 hashing algorithm The ISAKMP policy configuration 11.3 T This command was introduced. 12.4 (4) T IPv6 support has been added. 12.2 (33) SRA This command was integrated into Cisco IOS version 12. (33) SRA. 12.2SX This command is supported in the Cisco IOS release 12.2SX train. Support in a specific 12.2SX release this train is dependent on your hardware platform game and platform functionality. Cisco IOS XE version 2.1 This command was introduced on the ASR 1000 series Cisco routers. 15.1 (2) T This command was modified. Sha256 , sha384 , and keywords have been added. Cannot add a new shared folder When I try and add a folder (click on +) and select a folder, it does not appear in the list. Close the window pop up, but the folder does not appear in the list. I tried with several files and am not able to add a few. I am logged on as administrato Disk recovery is required for Satellite P200 - 17 c Hi allI have a Satellite P200 - 17 c and I'm looking for a recorey record. Is there anyone out there with the drive, they got with the laptop? How can I fix the audio to the computer? I have lost all sound/audio to my computer. I have troubled the shot and found nothing. All audio sites are marked for a medium. Thanks for help. Ramona Access denied, need permission to record a simple text file I recently installed Windows 7 Ultimate Build 7600. This pc is a pc private home with no one else having access or all other user accounts. Even something as simple as change, then by recording a Notepad text file is not suitable. Things, I tried to Technical questions about X 1 carbon Touch base Please forgive me, I'm still recovering after the shock and frustration generated by dealing with Lenovo Tech Support. I recently received my X 1 carbon Touch and I have tried to understand some - I think - fundamental questions. As you know, to win
IP address
IP access-group netbios in
IP access-group netbios on
no ip proxy-arp
NAT outside IP
IP virtual-reassembly in
no ip-cache cef route
no ip route cache
automatic duplex
automatic speed
No cdp enable
VPN crypto card
interface Vlan1
secondary
IP
IP access-group netbios in
IP access-group netbios on
no ip proxy-arp
IP nat inside
IP virtual-reassembly in
no ip-cache cef route
no ip route cache
!
allow IP
allow IP
The session state: UP-ACTIVE
Peer: port of
IKEv1 SA: local
FLOW IPSEC: ip
Active sAs: 0, origin: card crypto
FLOW IPSEC: ip
Active sAs: 2, origin: card crypto
Send 5, 100 bytes to
.....
Success rate is 0% (0/5) ip access-list ext 102 1 deny ip
Similar Questions
192.168.2.0
!
version 15.3
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
hostname Cisco_881
!
boot-start-marker
boot-end-marker
!
AQM-registry-fnf
!
logging buffered 51200 warnings
!
AAA new-model
!
!
AAA authentication login default local
AAA authorization exec default local
AAA authorization network default local
!
!
!
!
!
AAA - the id of the joint session
!
Crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 1151531093
revocation checking no
rsakeypair TP-self-signed-1151531093
!
Crypto pki trustpoint TP-self-signed-2011286623
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 2011286623
revocation checking no
rsakeypair TP-self-signed-2011286623
!
!
TP-self-signed-1151531093 crypto pki certificate chain
certificate self-signed 01
3082022B 30820194 02020101 300 D 0609 2A 864886 F70D0101 05050030 A0030201
2 060355 04031326 494F532D 53656 C 66 2 AND 536967 6E65642D 43657274 31312F30
69666963 31313531 35333130 6174652D 3933301E 170 3135 30343031 31363230
34315A 17 0D 323030 31303130 30303030 305A 3031 06035504 03132649 312F302D
4F532D53 5369676E 656C662D 43 65727469 66696361 74652 31 31353135 65642D
33313039 3330819F 300 D 0609 2A 864886 01050003, 818, 0030, 81890281 F70D0101
8100AC6E E7FA8AFD 9D4E206C 2B23DFC1 990AFDB3 98CD84A7 37697253 A7EF2520
0C45190E 298B6E9F E2711580 80DCFBFB 05A6A0BA 347B960B D9DA17FC B1543B9D
FBC048F3 063EBBC5 02391432 F0232A73 EAC7278E 8CB83005 D13A1D47 BEF18198
A 547469, 2 F65ED0E6 249BF517 1E74117D C94BE542 46EE487D A3843F12 364639B 4
0B 090203 010001 HAS 3 53305130 1 130101 FF040530 030101FF 301F0603 0F060355
551 2304 18301680 147996F4 3E6D0EE2 2D9065BB D726137C 2DF42ABE 01301D 06
03551D0E 04160414 7996F43E 6D0EE22D 9065BBD7 26137C2D F42ABE01 300 D 0609
2A 864886 F70D0101 8181002A 05050003 677B9BE6 CB60D188 73227C4B 2DC33101
BD448017 EDEF0296 FF7438A3 4C46519B 144C775F 1429CF06 7DB29F2D EB16EE75
22100B 63 0D75511A 98DC57DC EF87BED2 1C1635C8 B5352706 3963037A 4E9B739A
3A1EC9BE 8431BD70 116D3B31 E4A2AC4C 0F934B3F 196AF829 AD537005 6935B 451
EB31DB3F A9BA6D70 65B70D19 D00158
quit smoking
TP-self-signed-2011286623 crypto pki certificate chain
no ip source route
!
!
!
!
DHCP excluded-address IP 10.10.10.1
DHCP excluded-address IP 192.168.5.1 192.168.5.49
DHCP excluded-address IP 192.168.5.150 192.168.5.254
!
DHCP IP CCP-pool
import all
Network 10.10.10.0 255.255.255.248
default router 10.10.10.1
Rental 2 0
!
IP dhcp Internet pool
network 192.168.5.0 255.255.255.0
router by default - 192.168.5.254
DNS-Server 64.59.135.133 64.59.128.120
lease 6 0
!
!
!
no ip domain search
"yourdomain.com" of the IP domain name
name of the IP-Server 64.59.135.133
name of the IP-Server 64.59.128.120
IP cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
udi pid C881-K9 sn FTX18438503 standard license
!
!
Archives
The config log
hidekeys
username * privilege 15 secret 5 $1$IBY.$X5/iqYy47a5vAWWuG4/Oa/
username * secret 5 $1$ 17 ST$ QzJMvQnZ9Q.1y7u0rYXFa0
username * secret 5 $1$ L4W9$ zBKpawZ3i5nXxwyS9H6Lf1
!
!
!
!
!
no passive ftp ip
!
!
crypto ISAKMP policy 1
BA aes 256
preshared authentication
Group 2
!
crypto ISAKMP policy 2
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 208.98.212.xx
!
Configuration group crypto isakmp MPE client
key *.
pool VPN_IP_POOL
ACL 100
include-local-lan
10 Max-users
netmask 255.255.255.0
banner ^ practive entered the field
!
Configuration group customer crypto isakmp PALL
key *.
pool VPN_IP_POOL_PALL
ACL 101
include-local-lan
Max - 1 users
netmask 255.255.255.0
banner ^ practive entered the field
ISAKMP crypto profile vpn_isakmp_profile
game of identity EMT group
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 1
ISAKMP crypto profile vpn_isakmp_profile_2
match of group identity PALL
client authentication list default
Default ISAKMP authorization list
client configuration address respond
virtual-model 2
!
!
Crypto ipsec transform-set esp - aes 256 esp-sha-hmac VPN_TRANSFORM
tunnel mode
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
tunnel mode
!
Profile of crypto ipsec VPN_PROFILE_MPE
Set the security association idle time 3600
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile Set isakmp-profile
!
Profile of crypto ipsec VPN_PROFILE_PALL
Set the security association idle time 1800
game of transformation-VPN_TRANSFORM
vpn_isakmp_profile_2 Set isakmp-profile
!
!
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to208.98.212.xx
the value of 208.98.212.xx peer
game of transformation-ESP-3DES-SHA
match address 102
!
!
!
!
!
!
interface Loopback0
IP 192.168.40.254 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
IP address 208.98.213.xx 255.255.255.224
IP access-group 111 to
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
map SDM_CMAP_1 crypto
!
type of interface virtual-Template1 tunnel
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_MPE ipsec protection profile
!
tunnel type of interface virtual-Template2
IP unnumbered Loopback0
ipv4 ipsec tunnel mode
Tunnel VPN_PROFILE_PALL ipsec protection profile
!
interface Vlan1
Description of control network
IP 192.168.125.254 255.255.255.0
IP access-group CONTROL_IN in
IP access-group out CONTROL_OUT
IP nat inside
IP virtual-reassembly in
IP tcp adjust-mss 1452
!
interface Vlan2
Description Internet network
IP 192.168.5.254 255.255.255.0
IP access-group INTERNET_IN in
IP access-group out INTERNET_OUT
IP nat inside
IP virtual-reassembly in
!
local IP VPN_IP_POOL 192.168.40.100 pool 192.168.40.150
local IP VPN_IP_POOL_PALL 192.168.40.151 pool 192.168.40.152
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
!
IP nat inside source static tcp 192.168.125.2 25000 25000 FastEthernet4 interface
IP nat inside source overload map route SDM_RMAP_1 interface FastEthernet4
IP route 0.0.0.0 0.0.0.0 FastEthernet4 permanent 208.98.236.xx
!
CONTROL_IN extended IP access list
Note the access control
Note the category CCP_ACL = 17
allow any host 192.168.125.254 eq non500-isakmp udp
allow any host 192.168.125.254 eq isakmp udp
allow any host 192.168.125.254 esp
allow any host 192.168.125.254 ahp
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
IP 192.168.125.0 allow 0.0.0.255 192.168.40.0 0.0.0.255
Note Access VNC
permit tcp host 192.168.125.2 eq 25000 one
Comment by e-mail to WIN911
permit tcp host 192.168.125.2 any eq smtp
Note DNS traffic
permit udp host 192.168.125.2 host 64.59.135.133 eq field
permit udp host 192.168.125.2 host 64.59.128.120 eq field
Note Everything Else block
refuse an entire ip
CONTROL_OUT extended IP access list
Note the access control
IP 192.168.125.0 allow 0.0.0.255 192.168.125.0 0.0.0.255
Note the VPN access
ip permit 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
Note Access VNC
allow any host 192.168.125.2 eq 25000 tcp
Comment by e-mail to WIN911
allow any host 192.168.125.2 eq smtp tcp
Note DNS responses
allowed from any host domain eq 192.168.125.2 udp
Note deny all other traffic
refuse an entire ip
INTERNET_IN extended IP access list
Note Access VNC on VLAN
allow any host 192.168.125.2 eq 25000 tcp
Note block all other controls and VPN
deny ip any 192.168.125.0 0.0.0.255
deny ip any 192.168.40.0 0.0.0.255
Note leave all other traffic
allow an ip
INTERNET_OUT extended IP access list
Note a complete outbound Internet access
allow an ip
WAN_IN extended IP access list
allow an ip host 207.229.14.xx
Note PERMIT ESTABLISHED TCP connections
allow any tcp smtp created everything eq
Note ALLOW of DOMAIN CONNECTIONS
permit udp host 64.59.135.133 eq field all
permit udp host 64.59.128.120 eq field all
Note ALLOW ICMP WARNING RETURNS
allow all all unreachable icmp
permit any any icmp parameter problem
allow icmp all a package-too-big
allow a whole icmp administratively prohibited
permit icmp any any source-quench
allow icmp all once exceed
refuse a whole icmp
allow an ip
!
auto discovering IP sla
not run cdp
!
allowed SDM_RMAP_1 1 route map
corresponds to the IP 103
!
access-list 1 remark out to WAN routing
Note CCP_ACL the access list 1 = 16 category
access-list 1 permit 192.168.125.2
access-list 1 permit 192.168.5.0 0.0.0.255
Note access-list 23 SSH and HTTP access permissions
access-list 23 permit 192.168.125.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 allow one
Note access-list 100 VPN traffic
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
Note access-list 101 for PALL VPN traffic
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
Note access-list 102 CCP_ACL category = 4
Note access-list 102 IPSec rule
access-list 102 permit ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
Note access-list 103 CCP_ACL category = 2
Note access-list 103 IPSec rule
access-list 103 deny ip 192.168.5.0 0.0.0.255 192.168.2.0 0.0.1.255
access-list 103 allow ip 192.168.5.0 0.0.0.255 any
access-list 103 allow the host ip 192.168.125.2 all
Note access-list 111 CCP_ACL category = 17
access-list 111 permit udp any host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp any host 208.98.213.xx eq isakmp
access-list 111 allow esp any host 208.98.213.xx
access-list 111 allow ahp any host 208.98.213.xx
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.5.0 0.0.0.255
Note access-list 111 IPSec rule
access-list 111 permit ip 192.168.2.0 0.0.1.255 192.168.4.0 0.0.1.255
access-list 111 permit udp host 208.98.212.xx host 208.98.213.xx eq non500-isakmp
access-list 111 permit udp host 208.92.12.xx host 208.92.13.xx eq isakmp
access-list 111 allow esp host 208.92.12.xx host 208.92.13.xx
access-list 111 allow ahp host 208.92.12.xx host 208.92.13.xx
access-list 111 permit icmp any host 208.92.13.xx
access-list 111 permit tcp any host 208.92.13.xx eq 25000
access-list 111 permit tcp any host 208.92.13.xx eq 22
access-list 111 permit tcp any host 208.92.13.xx eq telnet
access-list 111 permit tcp any host 208.92.13.xx eq www
!
!
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
exec banner ^ C
% Warning of password expiration.
-----------------------------------------------------------------------
^ C
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
access-class 23 in
password *.
transport input telnet ssh
transportation out all
line vty 5 15
access-class 160 in
password *.
transport of entry all
transportation out all
!
max-task-time 5000 Planner
Scheduler allocate 20000 1000
!
end
Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
http://www.Kiva.org/invitedBy/karsteni
!
! Last modification of the configuration at 22:15:30 UTC Friday, March 11, 2016
!
version 15.5
no service button
horodateurs service debug datetime msec
Log service timestamps datetime msec
no password encryption service
!
router host name
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
No aaa new-model
BSD-client server url https://cloudsso.cisco.com/as/token.oauth2
iomem 10 memory size
!
Crypto pki trustpoint TP-self-signed-76299383
enrollment selfsigned
name of the object cn = IOS - Self - signed - certificate - 76299383
revocation checking no
rsakeypair TP-self-signed-76299383
!
!
TP-self-signed-76299383 crypto pki certificate chain
certificate self-signed 01
30820227 30820190 A0030201 02020101 300 D 0609 2A 864886 F70D0101 05050030
2F312D30 2B 060355 04031324 494F532D 66 2 536967 6E65642D 43657274 53656C
69666963 37363239 39333833 31333031 33313231 30333034 301E170D 6174652D
5A170D32 30303130 31303030 3030305A 302F312D 302B 0603 55040313 24494F53
2D53656C D 662 5369 676E6564 2D 436572 74696669 63617465 2 373632 39393338
3330819F 300 D 0609 2A 864886 F70D0101 01050003 818 0030 81890281 8100B39C
1F1F1B5A 620D3DB7 E4B82486 D8A6E928 E880F817 20D8D5D8 744 HAS 6985 B48A0AEF
072919 6ABF6428 C 9 272B2F4E 28382554 1D1CC5CD 701F9646 38EEE5CE 67F475C4
DD5B464B ECBD78AF A5B6B36B D2791CFE E6CB886F B030E179 7A209BC4 1CDC6BA1
711616 C 4FD6BE16 4 489DCC5F A5EE9729 365858FD 1654EA5F 3B7F90B2 19470203
010001A 3 53305130 1 130101 FF040530 030101FF 301F0603 551 D 2304 0F060355
18301680 1465D9D2 8C6F18DF 98EF832A 03DE7ADD 97301 06 03551D0E D45A6C59
04160414 65D9D28C 6F18DF98 EF832A03 DE7ADDD4 5A6C5997 300 D 0609 2A 864886
818100A 6 05050003 928BFD76 AEE144B3 540415EE 7DC2339D B6142CF6 F70D0101
60E3A6DF 06DA321C B711183C 80755902 2D1D9407 857F05ED B987C08D 25002B5F
F3C0F996 8CDA1830 3F85456B 6C6F2A4B 774B93DC 256AB90E 5A46126C C2D044DB
3B76F1A2 0E98D2F0 A0D656CF 5031C7D7 1D9D2F88 188927 4 EEAA3915 E97C7B83
ECF7239B 5B7F0FDD E4C9CA
quit smoking
!
!
!
!
!
!
!
!
DHCP excluded-address IP 192.168.136.22 192.168.136.30
DHCP excluded-address IP 192.168.131.22 192.168.131.254
!
IP dhcp Internet pool
network 192.168.131.0 255.255.255.0
DNS-server 70.28.245.227 184.151.118.254
router by default - 192.168.131.157
!
!
!
name of the IP-server 70.28.245.227
name of the IP-server 184.151.118.254
IP cef
No ipv6 cef
!
!
!
!
!
Authenticated MultiLink bundle-name Panel
!
!
!
!
!
!
!
!
CTS verbose logging
udi pid C881-K9 sn FGL1927224B standard license
!
!
Archives
The config log
hidekeys
username * 15 secret 5 privilege TOHi $1$ $ xwZvR0n8p6r00xE5nnBE11
!
!
!
!
!
!
!
crypto ISAKMP policy 1
BA 3des
preshared authentication
Group 2
isakmp encryption key * address 96.45.14.xx
!
!
Crypto ipsec transform-set esp-SHA-ESP-3DES-3des esp-sha-hmac
tunnel mode
Crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
tunnel mode
Crypto ipsec transform-set esp-SHA2-ESP-3DES-3des esp-sha-hmac
tunnel mode
Crypto ipsec transform-set esp-3des SHA3-ESP-3DES esp-sha-hmac
tunnel mode
!
!
!
map SDM_CMAP_1 1 ipsec-isakmp crypto
Description Tunnel to96.45.14.xx
the value of 96.45.14.xx peer
game of transformation-ESP-3DES-SHA2
match address 102
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
port WAN Description
DHCP IP address
response to IP mask
NAT outside IP
IP virtual-reassembly in
automatic duplex
automatic speed
map SDM_CMAP_1 crypto
!
interface Vlan1
Description of control network
IP 192.168.131.157 255.255.255.0
IP access-group VLAN1_In in
IP nat inside
IP virtual-reassembly in
!
local pool IP VPN 192.168.131.152 192.168.131.155
default IP gateway - 174.0.0.1
IP forward-Protocol ND
IP http server
23 class IP http access
local IP http authentication
IP http secure server
IP http timeout policy slowed down 60 life 86400 request 10000
!
IP high speed-flyers
Top 10
Sorting bytes
!
IP route 0.0.0.0 0.0.0.0 174.0.0.1 permanent
!
VLAN1_In extended IP access list
Note the incoming traffic
Note the category CCP_ACL = 1
Note the crosstalk
deny ip 192.168.135.0 0.0.0.255 192.168.130.0 0.0.1.255
deny ip 192.168.136.0 0.0.0.255 192.168.130.0 0.0.1.255
Note the crosstalk
deny ip 192.168.130.0 0.0.1.255 192.168.135.0 0.0.0.255
deny ip 192.168.130.0 0.0.1.255 192.168.136.0 0.0.0.255
allow an ip
VLAN1_Out extended IP access list
Note for diagnosis
Note the category CCP_ACL = 1
Note Diag
IP enable any any newspaper
allow_all extended IP access list
Note the category CCP_ACL = 1
IP enable any any newspaper
!
!
Note category of access list 1 = 2 CCP_ACL
access-list 1 permit 192.168.1.0 0.0.0.255
Note access-list category 2 CCP_ACL = 2
access-list 2 permit 192.168.130.0 0.0.0.255
Note access-list 100 category CCP_ACL = 4
Note access-list 100 IPSec rule
access-list 100 permit ip 192.168.131.0 0.0.0.255 192.168.125.0 0.0.0.255
Note access-list 100 IPSec rule
access-list 100 permit ip 192.168.131.0 0.0.0.255 192.168.120.0 0.0.0.255
Note access-list 101 category CCP_ACL = 4
Note access-list 101 IPSec rule
access-list 101 permit ip 192.168.131.0 0.0.0.255 192.168.125.0 0.0.0.255
Note access-list 102 CCP_ACL category = 4
Note access-list 102 IPSec rule
access-list 102 permit ip 192.168.131.128 0.0.0.31 192.168.125.0 0.0.0.255
Note access-list 103 CCP_ACL category = 4
Note access-list 103 IPSec rule
access-list 103 allow ip 192.168.131.0 0.0.0.255 192.168.125.0 0.0.0.255
!
control plan
!
!
!
MGCP behavior considered range tgcp only
MGCP comedia-role behavior no
disable the behavior MGCP comedia-check-media-src
disable the behavior of MGCP comedia-sdp-force
!
profile MGCP default
!
!
!
!
!
!
!
Line con 0
no activation of the modem
line to 0
line vty 0 4
access-class allow_all in
access-class allow_all out
privilege level 15
password *.
opening of session
transport telnet entry
telnet output transport
!
max-task-time 5000 Planner
Scheduler allocate 20000 1000
!
!
WebVPN WAN gateway
IP address 192.168.126.9 port 44443
redirect http port 80
SSL trustpoint TP-self-signed-76299383
development
!
WebVPN context PLC
WAN gateway
!
SSL authentication check all
development
!
default group policy
functions compatible svc
SVC-pool of addresses "VPN" netmask 255.255.255.224
SVC Dungeon-client-installed
generate a new key SVC new-tunnel method
SVC split include 192.168.131.0 255.255.255.224
mask-URL
by default-default group policy
!
endhash (IKE policy)
Description of the syntax
Default values
Control modes
Order history
Maybe you are looking for