
Setting up VPN on 1811 router...

...
Posted: Fri Nov 13, 2009 5:02 pm
Guest
I have a Cisco 1811 as my router. Inside there are 2 VLANs. One VLAN
for my desktops and one VLAN as a DMZ for my servers. Both VLANs use
NAT to map the private internal IPs to the external IP address.

I'd like to add a VPN server to allow my Mac laptop and iPhone to
access resources inside my network. I tried adding it via the web GUI;
however, connections aren't working, with no errors that it can show
me.

Attached is my running configuration. Can somebody please tell me what
I need to add in order to set up the VPN? My preference is to use the
IOS CLI and not the Cisco web thing.

!
! Last configuration change at 14:44:50 NewYork Thu Nov 12 2009 by root
! NVRAM config last updated at 14:08:56 NewYork Thu Nov 12 2009 by root
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname <myhostname>
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$45Pl$xpQQD4Z2a6U1RuCAlI5h21
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.127
!
ip dhcp pool sdm-pool1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
domain-name scottsavarese.com
dns-server 192.168.2.2
!
ip dhcp pool wireless-pool
import all
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
domain-name scottsavarese.com
dns-server 192.168.2.2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name <mydomain>
ip name-server 192.168.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
ip ips notify SDEE
!
!
crypto pki trustpoint TP-self-signed-4111549971
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4111549971
revocation-check none
rsakeypair TP-self-signed-4111549971
!
!
crypto pki certificate chain TP-self-signed-4111549971
certificate self-signed 01
<crypto key here>
quit
username root privilege 15 secret 5 <pasword>
username savarese privilege 0 view SDM_EasyVPN_Remote secret 5 <password>
!
!
class-map match-all nbar
class-map match-all p2p
match protocol bittorrent
class-map match-all voice
!
!
crypto isakmp xauth timeout 15

!
!
!
interface Dot11Radio0
ip address 192.168.3.1 255.255.255.0
ip access-group wireless-in in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
shutdown
!
encryption mode ciphers tkip
!
ssid <ssid>
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 <password>
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
!
interface Dot11Radio1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
ip address <outside-3octet>.2 255.255.255.248 secondary
ip address <outside-3octet>.1 255.255.255.248
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
shutdown
!
interface FastEthernet3
shutdown
!
interface FastEthernet4
shutdown
!
interface FastEthernet5
description DMZ Interface
switchport access vlan 2
!
interface FastEthernet6
shutdown
!
interface FastEthernet7
shutdown
!
interface FastEthernet8
switchport access vlan 3
!
interface FastEthernet9
description LAN Interface
!
interface Vlan1
description Inside LAN
ip address 192.168.1.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
description Inside DMZ
ip address 192.168.2.1 255.255.255.0
ip access-group vlan2-in in
ip nat inside
ip virtual-reassembly
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 <outside-3octet>.6 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map wireless-rmap interface FastEthernet0 overload
ip nat inside source static udp 192.168.2.2 53 interface FastEthernet0 53
ip nat inside source static tcp 192.168.2.2 53 interface FastEthernet0 53
ip nat inside source static tcp 192.168.2.2 993 interface FastEthernet0 993
ip nat inside source static tcp 192.168.2.2 465 interface FastEthernet0 465
ip nat inside source static tcp 192.168.2.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.2.2 25 interface FastEthernet0 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.2.2 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.2.2 8080 interface FastEthernet0 8080
ip nat inside source static tcp 192.168.2.2 587 interface FastEthernet0 587
ip nat inside source static tcp 192.168.2.3 443 <outside-3octet>.2 443 extendable
!
ip access-list extended vlan2-in
permit tcp 192.168.2.0 0.0.0.255 eq 22 192.168.1.0 0.0.0.255
permit tcp 192.168.2.0 0.0.0.255 eq 22 host 192.168.2.1
permit tcp 192.168.2.0 0.0.0.255 eq smtp 192.168.1.0 0.0.0.255
permit udp host 192.168.2.2 eq domain 192.168.0.0 0.0.255.255
permit tcp host 192.168.2.2 eq domain 192.168.0.0 0.0.255.255
permit tcp 192.168.2.0 0.0.0.255 eq 443 192.168.1.0 0.0.0.255
permit tcp 192.168.2.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255
permit tcp 192.168.2.0 0.0.0.255 eq 465 192.168.1.0 0.0.0.255
permit tcp 192.168.2.0 0.0.0.255 eq 993 192.168.1.0 0.0.0.255
permit udp 192.168.2.0 0.0.0.255 eq 5060 192.168.1.0 0.0.0.255
permit udp 192.168.2.0 0.0.0.255 eq 4569 192.168.1.0 0.0.0.255
permit udp 192.168.2.0 0.0.0.255 eq 5036 192.168.1.0 0.0.0.255
permit udp 192.168.2.0 0.0.0.255 range 10000 20000 192.168.1.0 0.0.0.255
permit udp 192.168.2.0 0.0.0.255 eq 2727 192.168.1.0 0.0.0.255
deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
deny ip <outside-3octet>.0 0.0.0.7 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
permit ip any any
ip access-list extended vlan3-in
permit ip any any
ip access-list extended wireless-in
deny ip <outside-3octet>.0 0.0.0.7 any
deny ip host 255.255.255.255 any
deny ip 127.0.0.0 0.255.255.255 any
deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip any any
ip access-list extended wireless-ips
permit ip 192.168.3.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip <outside-3octet>.0 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 64.73.32.134 eq ntp host <outside-3octet>.1 eq ntp
access-list 101 permit udp host 66.96.96.29 eq ntp host <outside-3octet>.1 eq ntp
access-list 101 permit udp host 132.160.49.93 eq ntp host <outside-3octet>.1 eq ntp
access-list 101 permit udp any host <outside-3octet>.1 eq domain
access-list 101 permit tcp any host <outside-3octet>.1 eq domain
access-list 101 permit tcp any host <outside-3octet>.1 eq 993
access-list 101 permit tcp any host <outside-3octet>.1 eq 465
access-list 101 permit tcp any host <outside-3octet>.1 eq 587
access-list 101 permit tcp any host <outside-3octet>.1 eq 443
access-list 101 permit tcp any host <outside-3octet>.1 eq www
access-list 101 permit tcp any host <outside-3octet>.1 eq smtp
access-list 101 permit ahp any host <outside-3octet>.1
access-list 101 permit esp any host <outside-3octet>.1
access-list 101 permit udp any host <outside-3octet>.1 eq isakmp
access-list 101 permit udp any host <outside-3octet>.1 eq non500-isakmp
access-list 101 permit tcp any host <outside-3octet>.2 eq 443
access-list 101 deny ip any host <outside-3octet>.2
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
route-map wireless-rmap permit 1
match ip address wireless-ips
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
route-map SDM_RMAP_2 permit 1
match ip address 103
!
!
!
!
control-plane
!
banner login Authorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!



!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input ssh
line vty 5 14
transport input ssh
line vty 15
transport input ssh
parser view SDM_EasyVPN_Remote
secret 5 <password>
commands interface include all crypto
commands interface include all no crypto
commands interface include no
commands configure include end
commands configure include all access-list
commands configure include all interface
commands configure include all crypto
commands configure include ip
commands configure include no end
commands configure include all no access-list
commands configure include all no interface
commands configure include all no crypto
commands configure include no ip
commands configure include no
commands exec include dir all-filesystems
commands exec include dir
commands exec include crypto ipsec client ezvpn connect
commands exec include crypto ipsec client ezvpn xauth
commands exec include crypto ipsec client ezvpn
commands exec include crypto ipsec client
commands exec include crypto ipsec
commands exec include crypto
commands exec include write memory
commands exec include write
commands exec include all ping ip
commands exec include ping
commands exec include configure terminal
commands exec include configure
commands exec include all show
commands exec include no
commands exec include all debug appfw
commands exec include debug
commands exec include all clear
!
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180139
ntp update-calendar
ntp server 64.73.32.134 source FastEthernet0
ntp server 132.160.49.93 source FastEthernet0
ntp server 66.96.96.29 source FastEthernet0
end


Thanks,
Scott
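As an added example (not part of Scott's post or the thread's replies), here is a small audit that reads an IOS running-config and reports which of the standard IOS Easy VPN server stanzas are present: IKE policy, client configuration group, transform set, a dynamic map bound into a crypto map that is applied on the outside interface, a local address pool, and AAA network authorization, plus whether the inbound ACL on the outside interface already admits IKE, NAT-T and ESP. The sample config is a constructed, abridged excerpt modelled on the posted one, with the redacted outside address replaced by the documentation address 203.0.113.1.

```python
import re
# Constructed, abridged excerpt modelled on the posted config: the outside ACL already
# admits IKE/ESP and an AAA network-authorization list exists, but no server stanzas do.
SAMPLE_CONFIG = """\
aaa authorization network sdm_vpn_group_ml_1 local
interface FastEthernet0
 ip access-group 101 in
 ip nat outside
access-list 101 permit esp any host 203.0.113.1
access-list 101 permit udp any host 203.0.113.1 eq isakmp
access-list 101 permit udp any host 203.0.113.1 eq non500-isakmp
"""
# Global stanzas an IOS IPsec remote-access (Easy VPN) server is assembled from.
REQUIRED_GLOBALS = {
    "isakmp_policy": r"^crypto isakmp policy \d+",
    "client_group": r"^crypto isakmp client configuration group \S+",
    "transform_set": r"^crypto ipsec transform-set \S+",
    "dynamic_map": r"^crypto dynamic-map \S+ \d+",
    "crypto_map_dynamic": r"^crypto map \S+ \d+ ipsec-isakmp dynamic \S+",
    "address_pool": r"^ip local pool \S+",
    "aaa_network_authz": r"^aaa authorization network \S+ \S+",
}
# What the inbound ACL on the outside interface must admit: IKE, NAT-T and ESP itself.
ACL_NEEDS = {"isakmp": r" udp .* eq isakmp$", "nat_t": r" udp .* eq non500-isakmp$", "esp": r" permit esp "}

def interface_blocks(lines):
    """Map each interface name to its indented sub-commands."""
    blocks, cur = {}, None
    for line in lines:
        if line.startswith("interface "):
            cur = blocks.setdefault(line.split(None, 1)[1], [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.strip())
        else:
            cur = None
    return blocks

def audit(config_text):
    """Report which VPN-server pieces the config already has and which are still missing."""
    lines = config_text.splitlines()
    report = {k: any(re.match(p, l) for l in lines) for k, p in REQUIRED_GLOBALS.items()}
    blocks = interface_blocks(lines)
    report["outside_interface"] = next((n for n, s in blocks.items() if "ip nat outside" in s), None)
    subs = blocks.get(report["outside_interface"], [])
    report["crypto_map_applied"] = any(s.startswith("crypto map ") for s in subs)
    acl = next((s.split()[2] for s in subs if s.startswith("ip access-group ") and s.endswith(" in")), None)
    entries = [l for l in lines if l.startswith(f"access-list {acl} permit ")]
    report["acl_admits"] = {k: any(re.search(p, e) for e in entries) for k, p in ACL_NEEDS.items()}
    report["missing"] = sorted(k for k in [*REQUIRED_GLOBALS, "crypto_map_applied"] if not report[k])
    return report
```

Run against the posted config (after restoring the sub-command indentation that the forum stripped), the report shows the firewall ACL and AAA lists are already in place while every crypto stanza is still absent, which matches the symptom of connections that never complete and produce no error.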