- Posts: 9
- Thank you received: 0
cisco easy VPN server
- aminosninatos
- Topic Author
- Offline
- New Member
-
Less
More
12 years 11 months ago #36910
by aminosninatos
cisco easy VPN server was created by aminosninatos
Hello all,
i have the following config for my home network :
internet
cisco 837 router
LAN (192.168.1.0/24).
i have setup an easy vpn server on my router using SDM.
the problem is that with my cisco vpn client i test to connect to the server from my lan, i can get a successful connection because i've got one address of the pool i setup up on the vpn server (192.168.1.70
>192.168.1.77)
but when i test to connect from a cyber coffee using my public IP, i cannot get connect please help !!!
here is my entire config :
[code:1]
Current configuration : 8168 bytes
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 debugging
enable secret 5 $1$dGAP$V02V4Tj84LM75A7qcSdcn0
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone CSt 0
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.3 192.168.1.6
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.217.0.12 212.217.0.1
!
!
ip cef
ip name-server 212.217.0.12
ip name-server 212.217.0.1
!
crypto pki trustpoint TP-self-signed-158575247
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-158575247
revocation-check none
rsakeypair TP-self-signed-158575247
!
!
crypto pki certificate chain TP-self-signed-158575247
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353835 37353234 37301E17 0D303230 33303130 30313030
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3135 38353735
32343730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
AECC8EED A49B8EBC E77D9130 B1296EBA D71ACCD1 0C3DCD23 6E5314EB E9C9C05A
DCCFDF59 AD4FE89B 4A68DC19 D16ED945 63BF7F7B 2ED62E56 14CFEEBE 1AEC5DBB
7B34AD6F BB9A9CFB 7976832B 49CC5EBD 6332CC47 4799588F 786FE8E5 FDA175D9
3A58B37E B78F3732 FCED9AE2 E3D96225 8E8CAA63 4DA09274 8A0C5014 79E59853
02030100 01A36730 65300F06 03551D13 0101FF04 05300301 01FF3012 0603551D
11040B30 09820752 6F757465 722E301F 0603551D 23041830 1680147F 64F352ED
7750BE56 261249C3 B849E619 105DAD30 1D060355 1D0E0416 04147F64 F352ED77
50BE5626 1249C3B8 49E61910 5DAD300D 06092A86 4886F70D 01010405 00038181
00559612 7E542FA0 BF95F4FE 610D1A0B 73104C5F 6A07D662 C81D3DF5 E42C1527
700CBE15 995130FA AF4C85DC 8E5E4030 6AE26DCB 4A845740 3B9105BC 78189F21
9E77DE92 3F75F8F8 0906AEB9 BDE1997C 3E05316F DBA1F8AA E00CA3FF FEE29A64
46F18439 E81119F1 9C0F9713 28D59EE7 BDF06A7F 2A112FF6 D927EB19 9550951D 87
quit
username amine privilege 15 nohangup secret 5 $1$6k3/$dJqWXdx8T29HusY1tOGzL/
username amine autocommand sh login failures
username vpnuser privilege 15 secret 5 $1$MftQ$9H7GNngrOWG90w2pfVMVn.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key 2002
pool SDM_POOL_3
max-users 2
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group vpngroup
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set myconfig esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA3
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
speed auto
full-duplex
!
interface Virtual-Template2 type tunnel
no ip address
tunnel mode ipsec ipv4
!
interface Virtual-Template3 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dialer0
no ip address
!
interface Dialer1
description $FW_OUTSIDE$
ip ddns update hostname aminos.ath.cx
ip ddns update dyndns
ip address negotiated
ip access-group 110 in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname kawazaki
ppp chap password 7 03550A5A575E
ppp pap sent-username kawazaki password 7 040A5A575E70
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip local pool SDM_POOL_3 192.168.1.70 192.168.1.77
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip http server
ip http authentication local
ip http secure-server
ip dns server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.3 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.3 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer1 1723
ip nat inside source static udp 192.168.1.1 1723 interface Dialer1 1723
ip nat inside source static udp 192.168.1.1 500 interface Dialer1 500
ip nat inside source static tcp 192.168.1.1 500 interface Dialer1 500
!
!
logging trap debugging
access-list 5 permit any log
access-list 5 deny any log
access-list 101 permit icmp any any echo log
access-list 101 permit icmp any any echo-reply log
access-list 101 permit icmp any any source-quench log
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 permit ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 remark SDM_ACL Category=17
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit udp any any eq isakmp
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 120 0
privilege level 15
logging synchronous
autocommand sh login failures
autocommand-options nohangup
length 0
transport input ssh
!
scheduler max-task-time 5000
end
[/code:1].
thanks for your help.
i have the following config for my home network :
internet
cisco 837 router
LAN (192.168.1.0/24).
i have setup an easy vpn server on my router using SDM.
the problem is that with my cisco vpn client i test to connect to the server from my lan, i can get a successful connection because i've got one address of the pool i setup up on the vpn server (192.168.1.70
>192.168.1.77)
but when i test to connect from a cyber coffee using my public IP, i cannot get connect please help !!!
here is my entire config :
[code:1]
Current configuration : 8168 bytes
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging buffered 16000 debugging
enable secret 5 $1$dGAP$V02V4Tj84LM75A7qcSdcn0
!
aaa new-model
!
!
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone CSt 0
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.3 192.168.1.6
!
ip dhcp pool CLIENT
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 212.217.0.12 212.217.0.1
!
!
ip cef
ip name-server 212.217.0.12
ip name-server 212.217.0.1
!
crypto pki trustpoint TP-self-signed-158575247
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-158575247
revocation-check none
rsakeypair TP-self-signed-158575247
!
!
crypto pki certificate chain TP-self-signed-158575247
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353835 37353234 37301E17 0D303230 33303130 30313030
395A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3135 38353735
32343730 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
AECC8EED A49B8EBC E77D9130 B1296EBA D71ACCD1 0C3DCD23 6E5314EB E9C9C05A
DCCFDF59 AD4FE89B 4A68DC19 D16ED945 63BF7F7B 2ED62E56 14CFEEBE 1AEC5DBB
7B34AD6F BB9A9CFB 7976832B 49CC5EBD 6332CC47 4799588F 786FE8E5 FDA175D9
3A58B37E B78F3732 FCED9AE2 E3D96225 8E8CAA63 4DA09274 8A0C5014 79E59853
02030100 01A36730 65300F06 03551D13 0101FF04 05300301 01FF3012 0603551D
11040B30 09820752 6F757465 722E301F 0603551D 23041830 1680147F 64F352ED
7750BE56 261249C3 B849E619 105DAD30 1D060355 1D0E0416 04147F64 F352ED77
50BE5626 1249C3B8 49E61910 5DAD300D 06092A86 4886F70D 01010405 00038181
00559612 7E542FA0 BF95F4FE 610D1A0B 73104C5F 6A07D662 C81D3DF5 E42C1527
700CBE15 995130FA AF4C85DC 8E5E4030 6AE26DCB 4A845740 3B9105BC 78189F21
9E77DE92 3F75F8F8 0906AEB9 BDE1997C 3E05316F DBA1F8AA E00CA3FF FEE29A64
46F18439 E81119F1 9C0F9713 28D59EE7 BDF06A7F 2A112FF6 D927EB19 9550951D 87
quit
username amine privilege 15 nohangup secret 5 $1$6k3/$dJqWXdx8T29HusY1tOGzL/
username amine autocommand sh login failures
username vpnuser privilege 15 secret 5 $1$MftQ$9H7GNngrOWG90w2pfVMVn.
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpngroup
key 2002
pool SDM_POOL_3
max-users 2
netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
match identity group vpngroup
client authentication list sdm_vpn_xauth_ml_2
isakmp authorization list sdm_vpn_group_ml_2
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set myconfig esp-des esp-md5-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
set transform-set ESP-3DES-SHA3
set isakmp-profile sdm-ike-profile-1
!
!
!
!
!
interface Ethernet0
description $FW_INSIDE$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
no ip mroute-cache
hold-queue 100 out
!
interface Ethernet2
no ip address
shutdown
hold-queue 100 out
!
interface ATM0
no ip address
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
duplex auto
speed auto
!
interface FastEthernet2
duplex auto
speed auto
!
interface FastEthernet3
duplex auto
speed auto
!
interface FastEthernet4
speed auto
full-duplex
!
interface Virtual-Template2 type tunnel
no ip address
tunnel mode ipsec ipv4
!
interface Virtual-Template3 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
!
interface Virtual-Template1 type tunnel
ip unnumbered Dialer1
tunnel mode ipsec ipv4
tunnel protection ipsec profile SDM_Profile1
!
interface Dialer0
no ip address
!
interface Dialer1
description $FW_OUTSIDE$
ip ddns update hostname aminos.ath.cx
ip ddns update dyndns
ip address negotiated
ip access-group 110 in
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname kawazaki
ppp chap password 7 03550A5A575E
ppp pap sent-username kawazaki password 7 040A5A575E70
ppp ipcp dns request
ppp ipcp wins request
hold-queue 224 in
!
ip local pool SDM_POOL_3 192.168.1.70 192.168.1.77
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1 2
ip http server
ip http authentication local
ip http secure-server
ip dns server
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.3 21 interface Dialer1 21
ip nat inside source static tcp 192.168.1.3 3389 interface Dialer1 3389
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer1 1723
ip nat inside source static udp 192.168.1.1 1723 interface Dialer1 1723
ip nat inside source static udp 192.168.1.1 500 interface Dialer1 500
ip nat inside source static tcp 192.168.1.1 500 interface Dialer1 500
!
!
logging trap debugging
access-list 5 permit any log
access-list 5 deny any log
access-list 101 permit icmp any any echo log
access-list 101 permit icmp any any echo-reply log
access-list 101 permit icmp any any source-quench log
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any time-exceeded
access-list 101 deny icmp any any
access-list 101 permit ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 remark SDM_ACL Category=17
access-list 110 permit udp any any eq non500-isakmp
access-list 110 permit udp any any eq isakmp
access-list 110 permit esp any any
access-list 110 permit ahp any any
access-list 110 deny ip 172.16.0.0 0.15.255.255 any
access-list 110 deny ip 192.168.0.0 0.0.255.255 any
access-list 110 deny ip 10.0.0.0 0.255.255.255 any
access-list 110 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 5 in
exec-timeout 120 0
privilege level 15
logging synchronous
autocommand sh login failures
autocommand-options nohangup
length 0
transport input ssh
!
scheduler max-task-time 5000
end
[/code:1].
thanks for your help.
Time to create page: 0.136 seconds