Hi Everyone,
Hoping someone can help me. I have nearly pulled out what's left of my hair.
I have a Cisco 837 ADSL router which I would like to set up for VPN access. I got sick of doing it manually and tried the Cisco SDM to set the router config. The SDM configuration seems to half work.
No matter what I do, when I connect to the router using the Cisco VPN Client (ver 4.6) I cannot ping anything internal. When I look at the Stats on the VPN Client, it tells me that packets are being encrypted and sent, but I get no response from the router.
I am connecting to the router over the Internet from behind a NetScreen firewall. VPN client IP range 192.168.1.0/24 and Cisco 837 IP range 10.71.104.129/25. I have read all about No-NAT for IPsec, but can't seem to make this work - or maybe there is something else wrong.
Help is greatly appreciated. Config is below.
Thank you
!
! Cisco 837 running config as generated by SDM (IOS 12.3). Indentation was
! lost in the paste; "!" lines are comments/separators and are ignored by IOS.
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 informational
enable secret 5 xxxxx
!
! "password 7" is reversible type-7 obfuscation, not a hash; only the
! "secret 5" entries are hashed. Prefer "secret" for both local users.
username xxxxxxx password 7 xxxxxx
username xxxxxxx privilege 15 secret 5 xxxxx
clock timezone WLGN 12
clock summer-time Wellington date Mar 16 2003 15:00 Oct 5 2003 14:00
aaa new-model
!
!
aaa authentication password-prompt "Enter password: "
aaa authentication username-prompt "Enter username: "
aaa authentication login default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
! 10.74.104.x does not match the 10.71.104.128/25 LAN on Ethernet0 below,
! and no "ip dhcp pool" appears in this paste, so this line is inert as
! shown - looks like a typo for 10.71.104.x; confirm.
ip dhcp excluded-address 10.74.104.128 10.74.104.249
!
!
ip tcp synwait-time 10
ip cef
ip domain name xxxxxx.xxx
ip name-server 203.97.33.14
ip name-server 203.97.37.14
no ip bootp server
! CBAC inspection set applied outbound on Dialer0; it opens return pinholes
! for these protocols but does not itself deny anything inbound.
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips sdf location webflash://attack-drop.sdf
ip ips sdf location webflash://128MB.sdf
ip ips sdf location webflash://256MB.sdf
ip ips notify SDEE
ip ips po max-events 100
ip ips name sdm_ips_rule
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no virtual-template subinterface
!
! IKE phase 1: 3DES / SHA-1 / DH group 2 with a pre-shared group key.
! Matches the 12.3-era VPN Client 4.6, but all three are legacy choices today.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
! Easy VPN group. "pool SDM_POOL_1" hands clients 10.71.104.251-254 (see the
! local pool below). There is no "acl" (split-tunnel) line, so all client
! traffic is tunnelled; "include-local-lan" only exempts the client's own LAN.
crypto isakmp client configuration group xxxxx
key xxxxx
dns 172.24.13.121 172.24.113.172
wins 10.70.32.11 10.71.32.11
domain xxxxx.xxx
pool SDM_POOL_1
include-local-lan
max-users 4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! "reverse-route" injects a host route for each connected client's pool
! address, pointing at the crypto interface (Dialer0).
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 1800
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
! Inside LAN 10.71.104.128/25. Likely cause of the "encrypted and sent, no
! reply" symptom: the VPN pool 10.71.104.251-254 sits INSIDE this /25, so an
! inside host answering a connected client ARPs for that address directly on
! the LAN. With "no ip proxy-arp" the router will not answer that ARP, so the
! reply never reaches the router or the tunnel. Either move the pool to a
! subnet that is not on-link here (preferred - reverse-route then carries it)
! or re-enable proxy-arp on this interface. Confirm with a sniffer/ARP table.
interface Ethernet0
description $FW_INSIDE$
ip address 10.71.104.250 255.255.255.128
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/100
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
speed 100
full-duplex
!
! Outside (PPPoE) interface. "ip access-group 101 in" references an ACL that
! is not defined anywhere in this paste; IOS treats a reference to a
! nonexistent ACL as permit any, so as shown there is NO inbound filtering on
! the Internet side - CBAC only adds return pinholes, nothing is denied.
! Define access-list 101 (SDM typically generates one permitting isakmp/ESP/
! NAT-T to the Dialer0 address and denying the rest) or confirm it was just
! dropped from the paste. The 20.20.20.1 address is presumably a placeholder.
interface Dialer0
description $FW_OUTSIDE$
ip address 20.20.20.1 255.255.255.0
ip access-group 101 in
no ip redirects
ip mtu 1492
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxx@xxx.xxx.xx password 7 xxxxxxxx
ppp ipcp dns request
crypto map SDM_CMAP_1
!
! Addresses actually assigned to VPN clients (the 192.168.1.0/24 mentioned in
! the post is presumably the client side's own LAN, not this pool). These
! four addresses overlap the Ethernet0 subnet - see the note on Ethernet0.
ip local pool SDM_POOL_1 10.71.104.251 10.71.104.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
! Static routes to a broadcast interface with no next hop: the router must
! ARP for every destination on the LAN and rely on an upstream device to
! answer. 172.0.0.0/8 is far wider than the private 172.16.0.0/12; the
! client DNS servers (172.24.x) are reached through it.
ip route 10.70.0.0 255.255.0.0 Ethernet0
ip route 10.71.0.0 255.255.192.0 Ethernet0
ip route 10.71.64.0 255.255.224.0 Ethernet0
ip route 10.71.96.0 255.255.248.0 Ethernet0
ip route 10.71.105.0 255.255.255.0 Ethernet0
ip route 172.0.0.0 255.0.0.0 Ethernet0
!
! Clear-text HTTP is enabled alongside HTTPS; access-class 1 limits both to
! the inside /25. Once SDM works over HTTPS, "no ip http server" removes the
! clear-text management path.
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.71.104.128 0.0.0.127
access-list 1 deny any
! Inbound on Ethernet0: only anti-spoof denies, then permit any - no egress
! restriction from the LAN.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! NAT policy (via route-map SDM_RMAP_1). The four deny lines are the "No-NAT":
! traffic DESTINED for a connected client's pool address is not translated.
! Traffic sourced FROM a client (pool address, inside the /25) to the Internet
! falls through to the 10.71.104.128/25 permit and is NATed, which is what a
! full-tunnel client needs. 10.71.104.0/25 is not a connected or routed
! subnet in this paste - confirm the last line is intended.
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 10.71.104.251
access-list 102 deny ip any host 10.71.104.252
access-list 102 deny ip any host 10.71.104.253
access-list 102 deny ip any host 10.71.104.254
access-list 102 permit ip 10.71.104.128 0.0.0.127 any
access-list 102 permit ip 10.71.104.0 0.0.0.127 any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 10.71.104.128 0.0.0.127 any
access-list 103 deny ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
control-plane
!
banner login ^CGo Away^C
!
line con 0
logging synchronous
no modem enable
transport preferred none
transport output all
! No access-class on AUX; with "aaa new-model" it should fall under the
! default (local) login method - verify.
line aux 0
transport preferred all
transport output all
! Telnet is still accepted alongside SSH; access-class 103 limits sources to
! the inside /25. "transport input ssh" alone avoids clear-text credentials.
line vty 0 4
access-class 103 in
privilege level 15
logging synchronous
login authentication local
transport preferred none
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
end
Hoping someone can help me. I have nearly pulled out what's left of my hair.
I have a Cisco 837 ADSL router which I would like to set up for VPN access. I got sick of doing it manually and tried the Cisco SDM to set the router config. The SDM configuration seems to half work.
No matter what I do, when I connect to the router using the Cisco VPN Client (ver 4.6) I cannot ping anything internal. When I look at the Stats on the VPN Client, it tells me that packets are being encrypted and sent, but I get no response from the router.
I am connecting to the router over the Internet from behind a NetScreen firewall. VPN client IP range 192.168.1.0/24 and Cisco 837 IP range 10.71.104.129/25. I have read all about No-NAT for IPsec, but can't seem to make this work - or maybe there is something else wrong.
Help is greatly appreciated. Config is below.
Thank you
!
! Cisco 837 running config as generated by SDM (IOS 12.3). Indentation was
! lost in the paste; "!" lines are comments/separators and are ignored by IOS.
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
logging buffered 51200 informational
enable secret 5 xxxxx
!
! "password 7" is reversible type-7 obfuscation, not a hash; only the
! "secret 5" entries are hashed. Prefer "secret" for both local users.
username xxxxxxx password 7 xxxxxx
username xxxxxxx privilege 15 secret 5 xxxxx
clock timezone WLGN 12
clock summer-time Wellington date Mar 16 2003 15:00 Oct 5 2003 14:00
aaa new-model
!
!
aaa authentication password-prompt "Enter password: "
aaa authentication username-prompt "Enter username: "
aaa authentication login default local
aaa authorization network default local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
! 10.74.104.x does not match the 10.71.104.128/25 LAN on Ethernet0 below,
! and no "ip dhcp pool" appears in this paste, so this line is inert as
! shown - looks like a typo for 10.71.104.x; confirm.
ip dhcp excluded-address 10.74.104.128 10.74.104.249
!
!
ip tcp synwait-time 10
ip cef
ip domain name xxxxxx.xxx
ip name-server 203.97.33.14
ip name-server 203.97.37.14
no ip bootp server
! CBAC inspection set applied outbound on Dialer0; it opens return pinholes
! for these protocols but does not itself deny anything inbound.
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
ip ips sdf location webflash://attack-drop.sdf
ip ips sdf location webflash://128MB.sdf
ip ips sdf location webflash://256MB.sdf
ip ips notify SDEE
ip ips po max-events 100
ip ips name sdm_ips_rule
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
no virtual-template subinterface
!
! IKE phase 1: 3DES / SHA-1 / DH group 2 with a pre-shared group key.
! Matches the 12.3-era VPN Client 4.6, but all three are legacy choices today.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15
!
! Easy VPN group. "pool SDM_POOL_1" hands clients 10.71.104.251-254 (see the
! local pool below). There is no "acl" (split-tunnel) line, so all client
! traffic is tunnelled; "include-local-lan" only exempts the client's own LAN.
crypto isakmp client configuration group xxxxx
key xxxxx
dns 172.24.13.121 172.24.113.172
wins 10.70.32.11 10.71.32.11
domain xxxxx.xxx
pool SDM_POOL_1
include-local-lan
max-users 4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
! "reverse-route" injects a host route for each connected client's pool
! address, pointing at the crypto interface (Dialer0).
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 1800
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list default
crypto map SDM_CMAP_1 isakmp authorization list default
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface Null0
no ip unreachables
!
! Inside LAN 10.71.104.128/25. Likely cause of the "encrypted and sent, no
! reply" symptom: the VPN pool 10.71.104.251-254 sits INSIDE this /25, so an
! inside host answering a connected client ARPs for that address directly on
! the LAN. With "no ip proxy-arp" the router will not answer that ARP, so the
! reply never reaches the router or the tunnel. Either move the pool to a
! subnet that is not on-link here (preferred - reverse-route then carries it)
! or re-enable proxy-arp on this interface. Confirm with a sniffer/ARP table.
interface Ethernet0
description $FW_INSIDE$
ip address 10.71.104.250 255.255.255.128
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
pvc 0/100
pppoe-client dial-pool-number 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
speed 100
full-duplex
!
! Outside (PPPoE) interface. "ip access-group 101 in" references an ACL that
! is not defined anywhere in this paste; IOS treats a reference to a
! nonexistent ACL as permit any, so as shown there is NO inbound filtering on
! the Internet side - CBAC only adds return pinholes, nothing is denied.
! Define access-list 101 (SDM typically generates one permitting isakmp/ESP/
! NAT-T to the Dialer0 address and denying the rest) or confirm it was just
! dropped from the paste. The 20.20.20.1 address is presumably a placeholder.
interface Dialer0
description $FW_OUTSIDE$
ip address 20.20.20.1 255.255.255.0
ip access-group 101 in
no ip redirects
ip mtu 1492
ip nat outside
ip inspect SDM_LOW out
ip ips sdm_ips_rule in
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap callin
ppp pap sent-username xxxxx@xxx.xxx.xx password 7 xxxxxxxx
ppp ipcp dns request
crypto map SDM_CMAP_1
!
! Addresses actually assigned to VPN clients (the 192.168.1.0/24 mentioned in
! the post is presumably the client side's own LAN, not this pool). These
! four addresses overlap the Ethernet0 subnet - see the note on Ethernet0.
ip local pool SDM_POOL_1 10.71.104.251 10.71.104.254
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
! Static routes to a broadcast interface with no next hop: the router must
! ARP for every destination on the LAN and rely on an upstream device to
! answer. 172.0.0.0/8 is far wider than the private 172.16.0.0/12; the
! client DNS servers (172.24.x) are reached through it.
ip route 10.70.0.0 255.255.0.0 Ethernet0
ip route 10.71.0.0 255.255.192.0 Ethernet0
ip route 10.71.64.0 255.255.224.0 Ethernet0
ip route 10.71.96.0 255.255.248.0 Ethernet0
ip route 10.71.105.0 255.255.255.0 Ethernet0
ip route 172.0.0.0 255.0.0.0 Ethernet0
!
! Clear-text HTTP is enabled alongside HTTPS; access-class 1 limits both to
! the inside /25. Once SDM works over HTTPS, "no ip http server" removes the
! clear-text management path.
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 1 remark HTTP Access-class list
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 10.71.104.128 0.0.0.127
access-list 1 deny any
! Inbound on Ethernet0: only anti-spoof denies, then permit any - no egress
! restriction from the LAN.
access-list 100 remark auto generated by SDM firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
! NAT policy (via route-map SDM_RMAP_1). The four deny lines are the "No-NAT":
! traffic DESTINED for a connected client's pool address is not translated.
! Traffic sourced FROM a client (pool address, inside the /25) to the Internet
! falls through to the 10.71.104.128/25 permit and is NATed, which is what a
! full-tunnel client needs. 10.71.104.0/25 is not a connected or routed
! subnet in this paste - confirm the last line is intended.
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any host 10.71.104.251
access-list 102 deny ip any host 10.71.104.252
access-list 102 deny ip any host 10.71.104.253
access-list 102 deny ip any host 10.71.104.254
access-list 102 permit ip 10.71.104.128 0.0.0.127 any
access-list 102 permit ip 10.71.104.0 0.0.0.127 any
access-list 103 remark VTY Access-class list
access-list 103 remark SDM_ACL Category=1
access-list 103 permit ip 10.71.104.128 0.0.0.127 any
access-list 103 deny ip any any
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
control-plane
!
banner login ^CGo Away^C
!
line con 0
logging synchronous
no modem enable
transport preferred none
transport output all
! No access-class on AUX; with "aaa new-model" it should fall under the
! default (local) login method - verify.
line aux 0
transport preferred all
transport output all
! Telnet is still accepted alongside SSH; access-class 103 limits sources to
! the inside /25. "transport input ssh" alone avoids clear-text credentials.
line vty 0 4
access-class 103 in
privilege level 15
logging synchronous
login authentication local
transport preferred none
transport input telnet ssh
transport output none
!
scheduler max-task-time 5000
end