First, sorry for my English. I speak only Italian.
I am not a very technical user, but last year I configured my 2 routers and had my VPN working on 2 Cisco 837s until 2 months ago.
Then I changed one of the ADSL ISPs and had to reconfigure 1 router.
From that moment they no longer manage to bring up the VPN.
I have made a lot of mess and I am no longer able to resolve the problem.
The VPN works from loc(al).net(work).GZ.XXX to loc.net.VA.XXX
The public IP addresses are pub.ip.add.GZ and pub.ip.add.VA
I enclose the configuration of the router.
Can you check out this config and help me???
------------------------------------------------
Current configuration : 4317 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname GZ
!
no logging buffered
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
username CRWS_xxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username CRWS_xxxxxx privilege 15 password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username xx password 7 xxxxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
ip name-server dns.srv.ip.add.
ip dhcp excluded-address loc.net.GZ.254
ip dhcp excluded-address loc.net.GZ.1 loc.net.GZ.200
!
ip dhcp pool CLIENT
import all
network loc.net.GZ.0 255.255.255.0
default-router loc.net.GZ.254
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
authentication pre-share
crypto isakmp key 0 123456 address pub.ip.add.VA
!
!
crypto ipsec transform-set ABC esp-des esp-sha-hmac
!
crypto map XYZ 1 ipsec-isakmp
set peer pub.ip.add.VA
set transform-set ABC
match address 100
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:loc.net.GZ.254-255.255.255.0
ip address loc.net.GZ.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
no ip mroute-cache
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
ip nat outside
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer1
ip address pub.ip.add.GZ 255.255.255.254
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication pap chap callin
ppp chap hostname username@isp.it
ppp chap password xxxxxxxxxxxxxxx
ppp pap sent-username username@isp.it password xxxxxxxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map XYZ
hold-queue 224 in
!
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
no ip http secure-server
!
access-list 100 permit ip loc.net.GZ.0 0.0.0.255 loc.net.VA.0 0.0.0.255
access-list 102 deny ip loc.net.GZ.0 0.0.0.255 loc.net.VA.0 0.0.0.255
access-list 102 permit ip loc.net.GZ.0 0.0.0.255 any
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 199 permit tcp any any established
access-list 199 permit ip host pub.ip.add.VA any
access-list 199 deny ip any any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 102
!
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
!
end
GZ#
---------------------------------------------------------
The ACL 111 was already in the router when I bought it.....
Thanks.
Ghesss
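As an added example (not part of the original post, and not Cisco's own tooling), here is a small Python script that pulls the crypto, NAT and ACL lines out of a pasted IOS running-config and runs the checks a reviewer would do by hand on a site-to-site IPsec setup like the one above: that every flow the crypto ACL matches is also denied in the NAT route-map's ACL (otherwise overload NAT rewrites the source before the crypto map sees it), that each crypto-map peer has a pre-shared key, that the crypto map is bound to an interface, and which settings are left at weak or implicit defaults. The embedded sample is a constructed cut-down copy of the GZ config with the post's placeholders (loc.net.GZ.0, pub.ip.add.VA, ...) kept as-is; the finding codes (NAT_LEAK, POLICY_DEFAULTS, ...) are names chosen for this script.

```python
"""Sanity-check the IPsec/NAT interplay in a Cisco IOS running-config (added example)."""

# Constructed sample: the crypto, NAT and ACL lines from the posted GZ config,
# placeholders (loc.net.GZ.0, pub.ip.add.VA, ...) kept exactly as in the post.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key 0 123456 address pub.ip.add.VA
crypto ipsec transform-set ABC esp-des esp-sha-hmac
crypto map XYZ 1 ipsec-isakmp
 set peer pub.ip.add.VA
 set transform-set ABC
 match address 100
interface Dialer1
 ip address pub.ip.add.GZ 255.255.255.254
 ip nat outside
 crypto map XYZ
ip nat inside source route-map nonat interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
access-list 100 permit ip loc.net.GZ.0 0.0.0.255 loc.net.VA.0 0.0.0.255
access-list 102 deny ip loc.net.GZ.0 0.0.0.255 loc.net.VA.0 0.0.0.255
access-list 102 permit ip loc.net.GZ.0 0.0.0.255 any
access-list 111 permit tcp any any eq telnet
access-list 111 deny ip any any
route-map nonat permit 10
 match ip address 102
"""


def parse(text):
    """Extract what the checks need. Indented lines are sub-commands of the
    last top-level command, as in 'show running-config' output."""
    cfg = {"acl": {}, "keys": [], "policy": {}, "ts": {}, "maps": {},
           "intf": {}, "rmap": {}, "nat_rmap": None, "globals": set()}
    ctx = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        p = raw.split()
        if raw.startswith(" "):                      # sub-command of ctx
            if ctx is None:
                continue
            kind, name = ctx
            if kind == "policy":
                cfg["policy"][name][p[0]] = " ".join(p[1:])
            elif kind == "map" and p[:2] == ["set", "peer"]:
                cfg["maps"][name]["peers"].append(p[2])
            elif kind == "map" and p[:2] == ["match", "address"]:
                cfg["maps"][name]["acl"] = p[2]
            elif kind == "intf" and p[:2] == ["crypto", "map"]:
                cfg["intf"][name]["map"] = p[2]
            elif kind == "rmap" and p[:3] == ["match", "ip", "address"]:
                cfg["rmap"][name].append(p[3])
            continue
        ctx = None                                    # new top-level command
        if p[0] == "access-list":
            cfg["acl"].setdefault(p[1], []).append(p[2:])
        elif p[:3] == ["crypto", "isakmp", "key"]:    # ... key <enc> <key> address <peer>
            cfg["keys"].append({"enc": p[3], "peer": p[6]})
        elif p[:3] == ["crypto", "isakmp", "policy"]:
            ctx = ("policy", p[3])
            cfg["policy"][p[3]] = {}
        elif p[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["ts"][p[3]] = p[4:]
        elif p[:2] == ["crypto", "map"] and "ipsec-isakmp" in p:
            ctx = ("map", p[2])
            cfg["maps"].setdefault(p[2], {"peers": [], "acl": None})
        elif p[0] == "interface":
            ctx = ("intf", p[1])
            cfg["intf"][p[1]] = {"map": None}
        elif p[0] == "route-map":
            ctx = ("rmap", p[1])
            cfg["rmap"].setdefault(p[1], [])
        elif p[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            cfg["nat_rmap"] = p[5]
        else:
            cfg["globals"].add(" ".join(p))
    return cfg


def lint(cfg):
    """Return (code, message) findings. NAT_LEAK, NO_PSK and MAP_NOT_APPLIED
    stop the tunnel from working; the rest are weak-setting warnings."""
    out = []
    # Flows denied by the NAT route-map's ACLs, i.e. traffic exempted from PAT.
    exempt = set()
    for acl in cfg["rmap"].get(cfg["nat_rmap"], []):
        exempt |= {tuple(e[1:]) for e in cfg["acl"].get(acl, []) if e[0] == "deny"}
    for mname, m in cfg["maps"].items():
        for e in cfg["acl"].get(m["acl"], []):
            # Interesting traffic must bypass overload NAT, or the crypto ACL
            # sees the translated source and never matches.
            if e[0] == "permit" and tuple(e[1:]) not in exempt:
                out.append(("NAT_LEAK", f"map {mname}: ACL {m['acl']} flow '{' '.join(e[1:])}' is still NATed"))
        for peer in m["peers"]:
            if not any(k["peer"] == peer for k in cfg["keys"]):
                out.append(("NO_PSK", f"map {mname}: no isakmp key for peer {peer}"))
        if not any(i["map"] == mname for i in cfg["intf"].values()):
            out.append(("MAP_NOT_APPLIED", f"map {mname} is not bound to any interface"))
    for k in cfg["keys"]:
        if k["enc"] == "0":
            out.append(("PSK_CLEARTEXT", f"pre-shared key for {k['peer']} entered as type 0 (clear)"))
    for pname, attrs in cfg["policy"].items():
        missing = [a for a in ("encryption", "hash", "group") if a not in attrs]
        if missing:
            out.append(("POLICY_DEFAULTS", f"isakmp policy {pname}: {', '.join(missing)} unset; "
                        "IOS defaults (des / sha / group 1) apply and must match the peer"))
    for tname, algs in cfg["ts"].items():
        if "esp-des" in algs:
            out.append(("WEAK_ESP", f"transform-set {tname} uses single DES"))
    if "ip http server" in cfg["globals"]:
        out.append(("HTTP_PLAIN", "ip http server is enabled (cleartext management)"))
    for acl, entries in cfg["acl"].items():
        if any(e[0] == "permit" and "telnet" in e for e in entries):
            out.append(("TELNET_PERMIT", f"ACL {acl} permits telnet"))
    return out


def lint_text(text):
    return lint(parse(text))


if __name__ == "__main__":
    for code, msg in lint_text(SAMPLE_CONFIG):
        print(f"[{code}] {msg}")
```

On the posted config the script reports no NAT_LEAK, NO_PSK or MAP_NOT_APPLIED: ACL 100 and the deny in ACL 102 mirror each other, the key address matches the peer, and the map is on Dialer1. What it does flag are the implicit phase-1 defaults (only `authentication pre-share` is set, so encryption, hash and DH group are whatever IOS defaults to and must match the VA side exactly), the single-DES transform set, the type 0 key, the plain HTTP server and the telnet permit in ACL 111. Since the GZ side looks internally consistent, the next thing to compare is the VA router's phase-1 policy and transform set against these defaults, and `show crypto isakmp sa` / `show crypto ipsec sa` on both ends to see which phase fails.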