Velocity Reviews - Computer Hardware Reviews
Remote access VPN config cisco 1721

Eric Berthiaume
04-22-2004
It looked simple in the start ... just want to know if my config holds
water.

I'm able to connect to the VPN but that's it ... can't ping either
interface on the cisco or telnet to the internal network (it's just for
tests).

wan--(Ethernet)cisco1721(FastE)----InternalFW(multiple
int.)----InternalServer.

The thing to consider is that the internal FW has only one route to
the cisco which is the 192.168.40 ... not the 192.168.41 (ip from
clients).

In the stats of my vpn client I can see traffic getting encrypted and
getting sent but I can't receive anything.

I'm new but if you see something wrong with this config ... please don't
hold back, I can take the heat.

Thanks for your help.

VPN1#show run
Building configuration...

Current configuration : 4700 bytes
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname VPN1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 52000 debugging
logging console critical
enable secret 5 $1$1pON$gGXa75zZikKI98OomYsTw/
!
username admin privilege 15 password 7 06120A32581F5B4A
aaa new-model
!
!
aaa authentication login GLOBALVPN1 local
aaa authorization network GLOBALVPN1 local
aaa session-id common
ip subnet-zero
!
!
!
!
ip tcp synwait-time 10
ip domain name test.com
ip name-server x.x.x.x
no ip bootp server
ip cef
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 60 20
crypto isakmp xauth timeout 30

!
crypto isakmp client configuration group VPNUSRG1
key xxxxxx
pool IPPOOL1
acl 150
!
crypto isakmp client configuration group VPNUSRG0
key xxxxxx
pool IPPOOL0
acl 101
!
crypto isakmp client configuration group VPNUSRG2
key xxxxxx
pool IPPOOL2
acl 150
!
crypto isakmp client configuration group VPNUSRG3
key xxxxxx
pool IPPOOL3
acl 150
!
crypto isakmp client configuration group VPNUSRG4
key xxxxxx
pool IPPOOL4
acl 150
!
!
crypto ipsec transform-set TRFMSET1 esp-3des esp-sha-hmac
!
crypto ipsec profile IPSECPROFILE1
set transform-set TRFMSET1
!
!
crypto dynamic-map DYNMAP1 1
set security-association lifetime seconds 86400
set transform-set TRFMSET1
!
!
crypto map DYNMAP1 isakmp authorization list GLOBALVPN1
crypto map DYNMAP1 client configuration address respond
crypto map DYNMAP1 10 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP0 isakmp authorization list VPNUSRG0
crypto map MAP0 20 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP1 isakmp authorization list VPNUSRG1
crypto map MAP1 30 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP2 isakmp authorization list VPNUSRG2
crypto map MAP2 40 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP3 isakmp authorization list VPNUSRG3
crypto map MAP3 50 ipsec-isakmp dynamic DYNMAP1
!
crypto map MAP4 isakmp authorization list VPNUSRG4
crypto map MAP4 60 ipsec-isakmp dynamic DYNMAP1
!
!
!
!
interface Ethernet0
description $ETH-WAN$wan dmz interface
ip address x.x.x.x 255.255.255.248
ip access-group sdm_ethernet0_in in
no ip unreachables
no ip proxy-arp
ip nat outside
ip route-cache flow
half-duplex
no cdp enable
crypto map DYNMAP1
!
interface FastEthernet0
description $ETH-LAN$$FW_INSIDE$internal lan
ip address 192.168.40.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
speed auto
full-duplex
no cdp enable
!
ip local pool IPPOOL0 192.168.41.100
ip local pool IPPOOL1 192.168.41.101
ip local pool IPPOOL2 192.168.41.102
ip local pool IPPOOL3 192.168.41.103
ip local pool IPPOOL4 192.168.41.104
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet0
ip route 192.9.200.0 255.255.255.0 192.168.40.1
no ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended sdm_ethernet0_in
remark SDM_ACL Category=1
permit ahp any host x.x.x.x
permit esp any host x.x.x.x
permit udp any host x.x.x.x eq isakmp
permit udp any host x.x.x.x eq non500-isakmp
remark Permit HTTPS
permit tcp host x.x.x.x host x.x.x.x eq 443
remark Permit SSH from geneve
permit tcp host x.x.x.x host x.x.x.x eq 22
logging trap debugging
access-list 101 permit ip 192.168.41.0 0.0.0.255 any
access-list 101 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 permit ip 192.9.200.0 0.0.0.255 any
!
no cdp run
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input ssh
line vty 5 15
privilege level 15
transport input ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
end
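Added example, not part of the post and not a Cisco tool: a small Python consistency check of the kind a reviewer would run over a config like this one before looking at the client side. It parses a constructed excerpt in the same shape as the posted config (the WAN address is a placeholder, 203.0.113.2) and flags two things the post itself shows: client groups that reference a split-tunnel ACL that is never defined (the posted config references acl 150 from four groups but only defines access-list 101), and address pools that are not on any connected subnet, which is exactly why the internal firewall needs a route for 192.168.41.0/24 back to the router's FastEthernet0 address.

```python
import ipaddress
import re

# Constructed excerpt in the shape of the posted config (not the full config).
SAMPLE_CONFIG = """\
crypto isakmp client configuration group VPNUSRG1
 key xxxxxx
 pool IPPOOL1
 acl 150
crypto isakmp client configuration group VPNUSRG0
 key xxxxxx
 pool IPPOOL0
 acl 101
interface FastEthernet0
 ip address 192.168.40.10 255.255.255.0
interface Ethernet0
 ip address 203.0.113.2 255.255.255.248
ip local pool IPPOOL0 192.168.41.100
ip local pool IPPOOL1 192.168.41.101
access-list 101 permit ip 192.168.41.0 0.0.0.255 any
"""

def parse(config):
    """Collect client groups, local pools, defined ACLs and connected subnets."""
    groups, pools, acls, connected = {}, {}, set(), []
    current = None  # the client group whose indented lines we are reading
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto isakmp client configuration group (\S+)", line):
            current = groups.setdefault(m.group(1), {})
        elif re.match(r"interface \S+", line):
            current = None
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            try:  # IOS writes a dotted netmask; ipaddress accepts "addr/mask"
                connected.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
            except ValueError:
                continue  # e.g. "ip address dhcp" or a redacted x.x.x.x
        elif m := re.match(r"ip local pool (\S+) (\S+)(?: (\S+))?", line):
            start, end = m.group(2), m.group(3) or m.group(2)
            pools[m.group(1)] = (ipaddress.ip_address(start), ipaddress.ip_address(end))
        elif m := re.match(r"(?:access-list (\d+) |ip access-list \w+ (\S+))", line):
            acls.add(m.group(1) or m.group(2))
        elif current is not None and (m := re.match(r"(pool|acl) (\S+)", line)):
            current[m.group(1)] = m.group(2)
    return groups, pools, acls, connected

def check(config):
    """Return human-readable findings; an empty list means nothing was flagged."""
    groups, pools, acls, connected = parse(config)
    findings = []
    for name, g in groups.items():
        if "acl" in g and g["acl"] not in acls:
            findings.append(f"group {name}: split-tunnel acl {g['acl']} is not defined")
        if "pool" in g and g["pool"] not in pools:
            findings.append(f"group {name}: pool {g['pool']} is not defined")
    for name, (start, end) in pools.items():
        if not any(start in net and end in net for net in connected):
            findings.append(f"pool {name} ({start}-{end}) is not a connected subnet; "
                            "inside devices need a return route for it via the router")
    return findings

if __name__ == "__main__":
    for f in check(SAMPLE_CONFIG):
        print(f)
```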