Velocity Reviews - Computer Hardware Reviews

VPN: routing and tunnel reestablish problems

Damir Dezeljin
12-12-2003
Hi.

I have a Cisco 1721 with crypto module and a SOHO Cisco 831 router. After
reading docs and experimenting for a couple of days with my hardware I
finally connected the two devices to the internet (they have fixed IP
addresses). I configured the 1721 as EzVPN server and the 831 (IP software,
NO IP Plus!) as EzVPN client. My configuration is attached below. With the
mentioned configuration I encountered the following problems:
- I have to establish the tunnel manually by clicking a link on the Cisco
http server (when establishing the tunnel this way I had to enter a
username and password every time);
- When using the 831 as EzVPN client I couldn't route traffic to the
internet, neither directly nor through the VPN;
- I didn't find a way to configure the EzVPN server without creating a local
user with the 'username' command (I don't have a RADIUS server, nor do I
plan to use one).

Any suggestion and/or sample of how to solve my problem will be welcome; 10x
in advance. Basically I want to achieve the following goals:
- Establish a VPN tunnel between the locations that will not time out and
will automatically reconnect (without user interaction) after e.g. a power
failure;
- Provide internet access to the local and also to the remote location (not
only access to the main LAN {the LAN behind the 1721});
- I don't know if it is possible to also provide access to the remote (831)
location from the main one (1721), however if this is possible it would be
great to get this to work.

Thanks to any and all of you.

1721 configuration:
----
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco1721
!
enable password mainpass
!
username user password 0 pass
memory-size iomem 15
aaa new-model
!
aaa authentication login default local
!
aaa authentication login userlist local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
ip domain lookup
ip name-server 140.140.140.1
ip domain name mydomain.local
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
! First VPN client
crypto isakmp client configuration group vpn_user
key pass
pool ip_pool1
acl 140
dns 140.140.140.1
wins 140.140.140.1
domain mydomain.local
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
mode transport
!
crypto dynamic-map dynmap 10
set transform-set myset
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
no shutdown
no keepalive
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
encapsulation ppp
dialer pool 1
dialer idle-timeout 28800
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname adsl_user
ppp chap password adsl_pass
ppp pap sent-username adsl_user password adsl_pass
crypto map clientmap
!
sntp server 140.140.140.1
!
! IP pools
ip local pool ip_pool1 192.168.11.200 192.168.11.220
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
!
! FastEthernet Firewall
!
ip inspect name firewall cuseeme
ip inspect name firewall ftp
ip inspect name firewall http
ip inspect name firewall rcmd
ip inspect name firewall realaudio
ip inspect name firewall smtp
ip inspect name firewall tftp
ip inspect name firewall udp
ip inspect name firewall h323
ip inspect name firewall tcp
ip inspect name firewall sqlnet
ip inspect name firewall streamworks
ip inspect name firewall vdolive
ip inspect name firewall netshow
!
! Firewall
!
no cdp run
no ip source-route
no service tcp-small-servers
no service udp-small-servers
interface Ethernet0
no ip directed-broadcast
interface FastEthernet0
no ip directed-broadcast
interface Dialer1
no ip directed-broadcast
no access-list 110
access-list 110 deny ip 192.168.10.0 0.0.0.255 any
access-list 110 permit esp any any
access-list 110 permit udp any any eq isakmp
access-list 110 permit icmp any any echo-reply
access-list 110 permit icmp any any unreachable
access-list 110 permit icmp any any time-exceeded
access-list 110 permit ip 192.168.11.0 0.0.0.255 any
access-list 110 permit tcp any any established
!
interface Dialer1
ip access-group 110 in

no access-list 111
access-list 111 permit tcp any any established
access-list 111 permit udp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 range netbios-ns netbios-dgm
access-list 111 permit udp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 range netbios-ns netbios-dgm
access-list 111 permit tcp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 eq 139
access-list 111 permit tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 139
access-list 111 permit tcp 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255 eq 445
access-list 111 permit tcp 192.168.11.0 0.0.0.255 192.168.10.0 0.0.0.255 eq 445
access-list 111 deny udp any any range netbios-ns netbios-dgm
access-list 111 deny tcp any any eq 139
access-list 111 deny tcp any any eq 445
access-list 111 permit ip 192.168.10.0 0.0.0.255 any
access-list 111 permit ip 192.168.11.0 0.0.0.255 any
!
interface FastEthernet0
no shutdown
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip inspect firewall in
ip route-cache policy
ip access-group 111 in
ntp broadcast version 3
speed auto
no cdp enable
!
ip classless
no ip http server
no ip http secure-server
!
ip nat inside source route-map Rmap interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 permit ip any any
route-map nonat permit 10
match ip address 150
!
radius-server authorization permit missing Service-Type
!
line con 0
password kanta
line aux 0
password kanta
line vty 0 4
password kanta
!
no scheduler allocate
end
----




831 configuration:
----
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Cisco831
!
no logging buffered
enable password 0 mainpass
!
username CRWS_Giri privilege 15 password 7 xxxx
username user password 0 pass
username CRWS_Ulags privilege 15 password 7 xxxx
ip subnet-zero
ip name-server 140.140.140.1
ip name-server 140.140.140.2
ip dhcp excluded-address 10.0.201.1
!
ip dhcp pool CLIENT
import all
network 10.0.201.0 255.255.255.224
default-router 10.0.201.1
lease 0 2
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip urlfilter alert
ip audit notify log
ip audit po max-events 100
!
crypto ipsec client ezvpn crws-client
connect auto
group vpn_user key pass
mode client
peer 150.150.150.1
!
interface Ethernet0
ip address 10.0.201.1 255.255.255.224
ip tcp adjust-mss 1348
no cdp enable
crypto ipsec client ezvpn crws-client inside
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
no ip address
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1348
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname adsl_user
ppp chap password 0 adsl_pass
ppp pap sent-username adsl_user password 0 adsl_pass
ppp ipcp dns request
crypto ipsec client ezvpn crws-client
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 23 permit 10.0.201.0 0.0.0.31
access-list 111 permit tcp any any eq 3389
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
transport input all
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end
----

10x and regards,
Dezo
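An added example, not from the original post or any reply: the server-side fragment of an EzVPN configuration that covers the three questions raised above (a tunnel that is built and rebuilt without user interaction, a split tunnel so internet traffic goes direct, and no local username), written against the names and addresses used in the 1721 configuration. It leaves out the 'crypto map clientmap client authentication list userauthen' line, which in the 1721 configuration refers to an AAA list that is never defined (only 'userlist' is), and it assumes an IOS release that accepts these commands.

```cisco
! Phase 1 policy, as on the 1721 above
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
! Dead peer detection: probe every 10 s, declare the peer dead after 3 misses,
! so a stale SA left by a remote power failure is torn down and the 831
! ("connect auto") can rebuild the tunnel without anyone logging in
crypto isakmp keepalive 10 3
!
! Group authentication only. Xauth is what "crypto map ... client
! authentication list" switches on; leaving that line out removes the
! username/password prompt and the need for a local "username" entry.
! Assumption: the IOS release accepts a group-only EzVPN server.
crypto isakmp client configuration group vpn_user
 key pass
 pool ip_pool1
 acl 140
 dns 140.140.140.1
 domain mydomain.local
!
! Remote-client SAs are negotiated in tunnel mode, not transport mode
crypto ipsec transform-set myset esp-3des esp-md5-hmac
 mode tunnel
!
crypto dynamic-map dynmap 10
 set transform-set myset
 ! RRI: install a route to the 831's pool address while its SA is up
 reverse-route
!
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
! Split tunnel: only main-LAN traffic is pushed into the tunnel; the 831 sends
! everything else straight out of its own ISP link
access-list 140 permit ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
!
! NAT on the 1721: keep tunnel traffic out of NAT and translate only the main
! LAN's own internet traffic (one NAT statement, not two as in the 1721 config)
access-list 150 deny ip 192.168.10.0 0.0.0.255 192.168.11.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 150
ip nat inside source route-map nonat interface Dialer1 overload
```

Traffic from the 831 LAN (10.0.201.0/27) that bypasses the tunnel still has to be translated to the 831's own public address before it can reach the internet; the 831 configuration above contains no 'ip nat' statements at all.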


 