Remote access VPN config cisco 1721

Discussion in 'Cisco' started by Eric Berthiaume, Apr 22, 2004.

    It looked simple in the start ... just want to know if my config holds
    water.

    I'm able to connect to the VPN but that's it ... can't ping either
    interface on the Cisco or telnet to the internal network (it's just for
    tests).

    wan--(Ethernet)cisco1721(FastE)----InternalFW(multiple
    int.)----InternalServer.

    The thing to consider is that the internal FW has only one route to
    the Cisco, which is the 192.168.40 ... not the 192.168.41 (IPs from
    clients).

    In the stats of my VPN client I can see traffic getting encrypted and
    getting sent, but I can't receive anything.

    I'm new, but if you see something wrong with this config ... please don't
    hold back, I can take the heat.

    Thanks for your help.

    VPN1#show run
    Building configuration...

    Current configuration : 4700 bytes
    !
    version 12.3
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    !
    hostname VPN1
    !
    boot-start-marker
    boot-end-marker
    !
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 52000 debugging
    logging console critical
    enable secret 5 $1$1pON$gGXa75zZikKI98OomYsTw/
    !
    username admin privilege 15 password 7 06120A32581F5B4A
    aaa new-model
    !
    !
    aaa authentication login GLOBALVPN1 local
    aaa authorization network GLOBALVPN1 local
    aaa session-id common
    ip subnet-zero
    !
    !
    !
    !
    ip tcp synwait-time 10
    ip domain name test.com
    ip name-server x.x.x.x
    no ip bootp server
    ip cef
    ip audit notify log
    ip audit po max-events 100
    ip ssh time-out 60
    ip ssh authentication-retries 2
    no ftp-server write-enable
    no scripting tcl init
    no scripting tcl encdir
    !
    !
    !
    !
    !
    crypto isakmp policy 3
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp keepalive 60 20
    crypto isakmp xauth timeout 30

    !
    crypto isakmp client configuration group VPNUSRG1
    key xxxxxx
    pool IPPOOL1
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG0
    key xxxxxx
    pool IPPOOL0
    acl 101
    !
    crypto isakmp client configuration group VPNUSRG2
    key xxxxxx
    pool IPPOOL2
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG3
    key xxxxxx
    pool IPPOOL3
    acl 150
    !
    crypto isakmp client configuration group VPNUSRG4
    key xxxxxx
    pool IPPOOL4
    acl 150
    !
    !
    crypto ipsec transform-set TRFMSET1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile IPSECPROFILE1
    set transform-set TRFMSET1
    !
    !
    crypto dynamic-map DYNMAP1 1
    set security-association lifetime seconds 86400
    set transform-set TRFMSET1
    !
    !
    crypto map DYNMAP1 isakmp authorization list GLOBALVPN1
    crypto map DYNMAP1 client configuration address respond
    crypto map DYNMAP1 10 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP0 isakmp authorization list VPNUSRG0
    crypto map MAP0 20 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP1 isakmp authorization list VPNUSRG1
    crypto map MAP1 30 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP2 isakmp authorization list VPNUSRG2
    crypto map MAP2 40 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP3 isakmp authorization list VPNUSRG3
    crypto map MAP3 50 ipsec-isakmp dynamic DYNMAP1
    !
    crypto map MAP4 isakmp authorization list VPNUSRG4
    crypto map MAP4 60 ipsec-isakmp dynamic DYNMAP1
    !
    !
    !
    !
    interface Ethernet0
    description $ETH-WAN$wan dmz interface
    ip address x.x.x.x 255.255.255.248
    ip access-group sdm_ethernet0_in in
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip route-cache flow
    half-duplex
    no cdp enable
    crypto map DYNMAP1
    !
    interface FastEthernet0
    description $ETH-LAN$$FW_INSIDE$internal lan
    ip address 192.168.40.10 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip route-cache flow
    speed auto
    full-duplex
    no cdp enable
    !
    ip local pool IPPOOL0 192.168.41.100
    ip local pool IPPOOL1 192.168.41.101
    ip local pool IPPOOL2 192.168.41.102
    ip local pool IPPOOL3 192.168.41.103
    ip local pool IPPOOL4 192.168.41.104
    ip classless
    ip route 0.0.0.0 0.0.0.0 Ethernet0
    ip route 192.9.200.0 255.255.255.0 192.168.40.1
    no ip http server
    ip http authentication local
    ip http secure-server
    !
    !
    !
    ip access-list extended sdm_ethernet0_in
    remark SDM_ACL Category=1
    permit ahp any host x.x.x.x
    permit esp any host x.x.x.x
    permit udp any host x.x.x.x eq isakmp
    permit udp any host x.x.x.x eq non500-isakmp
    remark Permit HTTPS
    permit tcp host x.x.x.x host x.x.x.x eq 443
    remark Permit SSH from geneve
    permit tcp host x.x.x.x host x.x.x.x eq 22
    logging trap debugging
    access-list 101 permit ip 192.168.41.0 0.0.0.255 any
    access-list 101 permit ip 192.168.40.0 0.0.0.255 any
    access-list 101 permit ip 192.9.200.0 0.0.0.255 any
    !
    no cdp run
    !
    !
    control-plane
    !
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    !
    line con 0
    transport output telnet
    line aux 0
    transport output telnet
    line vty 0 4
    privilege level 15
    transport input ssh
    line vty 5 15
    privilege level 15
    transport input ssh
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    !
    end
     
    Eric Berthiaume, Apr 22, 2004
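An added sanity check, not part of the original post: a small Python script that parses an excerpt of the posted VPN1 config and reports two things a reviewer would look at first, given the post's own description of the topology. Client pool addresses in 192.168.41.x are not covered by any subnet the router is directly connected to (FastEthernet0 is 192.168.40.0/24), so anything behind the router needs an explicit route back to 192.168.41.0 or return traffic never reaches the client, and the `acl 150` referenced by several client groups is not defined anywhere in the posted config. The excerpt below is constructed from the posted config; only numbered access-lists and the pool addresses as listed are checked.

```python
import ipaddress

# Constructed excerpt of the posted VPN1 running-config (sub-mode lines indented).
CONFIG = """
crypto isakmp client configuration group VPNUSRG1
 key xxxxxx
 pool IPPOOL1
 acl 150
crypto isakmp client configuration group VPNUSRG0
 key xxxxxx
 pool IPPOOL0
 acl 101
interface FastEthernet0
 ip address 192.168.40.10 255.255.255.0
ip local pool IPPOOL0 192.168.41.100
ip local pool IPPOOL1 192.168.41.101
access-list 101 permit ip 192.168.41.0 0.0.0.255 any
"""

def parse(config):
    """Collect client groups, local pools, connected subnets and numbered ACLs."""
    groups, pools, subnets, acls = {}, {}, [], set()
    current = None  # client group whose sub-mode we are in, if any
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("crypto isakmp client configuration group "):
            current = line.split()[-1]
            groups[current] = {}
            continue
        if not raw.startswith(" "):  # unindented line: back in global config mode
            current = None
        words = line.split()
        if current and words[0] in ("pool", "acl"):
            groups[current][words[0]] = words[1]
        elif words[:2] == ["ip", "address"]:  # interface address -> connected subnet
            subnets.append(ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False))
        elif words[:3] == ["ip", "local", "pool"]:
            pools[words[3]] = words[4:]  # addresses exactly as listed on the line
        elif words[0] == "access-list":
            acls.add(words[1])
    return groups, pools, subnets, acls

def dangling_acls(groups, acls):
    """Client groups whose 'acl' points at an access-list the config never defines."""
    return sorted(g for g, c in groups.items() if "acl" in c and c["acl"] not in acls)

def pools_off_subnet(pools, subnets):
    """(pool, address) pairs not inside any connected subnet: hosts behind the
    router need a route back to these or replies to VPN clients are dropped."""
    return [(name, a) for name, addrs in pools.items() for a in addrs
            if not any(ipaddress.ip_address(a) in net for net in subnets)]
```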