
Open a port on Cisco 1811

jsandau (Level 1)

This is probably a stupid question but how do I open a port on a Cisco 1811? I have a Cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from outside the network using the external ip address and port 5950. People outside the network will be able to open VNC viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal ip address of 10.11.101.10. What commands do I use to do this?

Thanks,

Accepted Solution

Hi,

ok let's try this:

ip access-list extended VNC
 permit tcp any host 10.11.101.10 eq 5950
class-map type inspect match-all VNC_CLASS
 match access-group name VNC
no policy-map type inspect VNC_POLICY
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect VNC_CLASS
  inspect
 class class-default
  drop
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1

Regards.

Alain.

Don't forget to rate helpful posts.


23 Replies

cadet alain (VIP Alumni)

Hi,

Port forwarding on Cisco routers is accomplished using static PAT.

Let's suppose the server on the inside is located out of port f0/0 and the public port is f0/1.

Then you must do the following: configure ip nat inside under f0/0 and ip nat outside under f0/1,

then issue the following global config command: ip nat inside source static tcp 10.11.101.10 5950 interface f0/1 5950

Regards.

Alain.

Don't forget to rate helpful posts.

I'm not quite sure what you mean by F0/0 and F0/1. The outside internet is connected to port FE0 and the inside computer (the VNC server) is getting an ip address from Vlan1.

Hi,

Alain was just trying to make a supposition with the interface names... In your case you need to put the command ip nat outside under your interface FE0 and ip nat inside on whatever interface is connected internally to VLAN1.

HTH


Pablo

I entered the commands that you said and under the edit NAT configuration tab on CCP I have the following:

Original Address               Translated Address               Rule Type
10.11.101.10 (5950)           FastEthernet0 (5950)            Static

However VNC still isn't working from outside the network.

Shouldn't the original address be fastethernet0 and the translated address be 10.11.101.10?

Hi,

No, this is how it should be, but you also have to add an ACL permitting tcp traffic to the translated address and port 5950. Then apply this ACL to the outside interface inbound.

eg:
access-list VNC_INBOUND permit tcp any x.x.x.x eq 5950   (where x.x.x.x is the outside IP)
access-group VNC_INBOUND in interface outside

Regards.

Alain.

Don't forget to rate helpful posts.

I typed in:

access-list VNC_INBOUND permit tcp any *external IP* eq 5950

and I got Invalid input detected at '^' marker, and the ^ marker is right under the V in VNC_inbound

Hi,

sorry, I gave config for an ASA, not a router.

If this is a router then you don't need an ACL, unless you've already got one in place, in which case you have to modify it to permit VNC access.

Post the output of sh access-list and sh run | i int| ip access-group

Regards.

Alain.

Don't forget to rate helpful posts.

Here are the results of show access-list:

standard IP access list 1

10 permit 10.11.101.0, wildcard bits 0.0.0.255

Extended IP access list 100

10 permit ip host 255.255.255.255 any

20 permit ip 127.0.0.0 0.255.255.255 any

Extended IP access list 101

10 permit ip any host *external ip address*

Extended IP access list 102

10 permit ip 10.11.101.0 0.0.0.255 any

Extended IP access list 103

10 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

Extended IP access list 104

10 permit ip host *Site to site VPN address* any

Extended IP access list 105

10 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255

Extended IP access list 106

10 deny ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

20 permit ip 10.11.101.0 0.0.0.255 any (71 matches)

Extended IP access list CCP_IP

10 permit ip any any

Extended IP access list SDM_AH

10 permit ahp any any

Extended IP access list SDM_BOOTPC

10 permit udp any any eq bootpc (2049 matches)

Extended IP access list SDM_ESP

10 permit esp any any

Extended IP access list SDM_WEBVPN

10 permit tcp any any eq 443

When I try the sh run | i int| ip access-group command I get an error:

Invalid input detected at '^' marker, and the ^ marker is under the i after the |

Hi,

there must be a space after the first | and before the i but maybe your IOS version doesn't support pipe filtering.

Anyway then do a sh ip interface x/x for your outside and inside interfaces.

Alain.

Don't forget to rate helpful posts.

Here are the results of show ip interface fastethernet0 (the outside interface):

FastEthernet0 is up, line protocol is up

Internet address is *external IP*/22

Broadcast address is 255.255.255.255

Address determined by DHCP

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound  access list is not set

Proxy ARP is disabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are never sent

ICMP unreachables are never sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is disabled

IP Flow switching is disabled

IP CEF switching is enabled

IP CEF switching turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast, CEF

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Policy routing is disabled

Network address translation is enabled, interface in domain outside

BGP Policy Mapping is disabled

Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, IPSec input classification, Virtual Fragment Reassembly After IPSec Decryption, NAT Outside, MCI Check

Output features: Post-routing NAT Outside, Stateful Inspection, IPSec output classification, CCE Post NAT Classification, Firewall (firewall component), Post-Ingress-NetFlow, IPSec: to crypto engine, Post-encryption output features

WCCP Redirect outbound is disabled

WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled

Here are the results of show ip interface vlan 1 (the inside interface):

Vlan1 is up, line protocol is up

Internet address is 10.11.101.1/24

Broadcast address is 255.255.255.255

Address determined by non-volatile memory

MTU is 1500 bytes

Helper address is not set

Directed broadcast forwarding is disabled

Outgoing access list is not set

Inbound  access list is not set

Proxy ARP is disabled

Local Proxy ARP is disabled

Security level is default

Split horizon is enabled

ICMP redirects are never sent

ICMP unreachables are never sent

ICMP mask replies are never sent

IP fast switching is enabled

IP fast switching on the same interface is disabled

IP Flow switching is disabled

IP CEF switching is enabled

IP CEF switching turbo vector

IP Null turbo vector

IP multicast fast switching is enabled

IP multicast distributed fast switching is disabled

IP route-cache flags are Fast, CEF

Router Discovery is disabled

IP output packet accounting is disabled

IP access violation accounting is disabled

TCP/IP header compression is disabled

RTP/IP header compression is disabled

Policy routing is disabled

Network address translation is enabled, interface in domain inside

BGP Policy Mapping is disabled

Input features: Stateful Inspection, Ingress-NetFlow, Virtual Fragment Reassembly, Virtual Fragment Reassembly After IPSec Decryption, MCI Check, TCP Adjust MSS

Output features: NAT Inside, Stateful Inspection, CCE Post NAT Classification, Firewall (firewall component), TCP Adjust MSS, Post-Ingress-NetFlow

WCCP Redirect outbound is disabled

WCCP Redirect inbound is disabled

WCCP Redirect exclude is disabled

Hi,

could you post the show run output please.

Regards.

Alain.

Don't forget to rate helpful posts.

Here is the show run:

Current configuration : 12201 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname *Host Name*

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 51200

logging console critical

enable secret 5 $1$3R6c$adcoV0cvM5hTzxOoPBByc0

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

!

!

aaa session-id common

clock timezone PCTime -7

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-1097866965

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1097866965

revocation-check none

rsakeypair TP-self-signed-1097866965

!

!

crypto pki certificate chain TP-self-signed-1097866965

certificate self-signed 01


              quit

dot11 syslog

no ip source-route

!

!

ip dhcp excluded-address 10.11.101.1 10.11.101.99

!

ip dhcp pool ccp-pool1

   import all

   network 10.11.101.0 255.255.255.0

   default-router 10.11.101.1

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name yourdomain.com

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

username *username* privilege 15 secret 5 $1$1O79$nIJGrBD9hCpDqheT3mDsC1

username VPNuser secret 5 $1$nPz8$Cni5jyIWv9zlKAU3B5no9.

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key *key* address *External VPN IP address*

!

crypto isakmp client configuration group VPN_Users

key *Key*

pool VPN_Pool

acl 102

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to *External VPN IP address*

set peer *External VPN IP address*

set transform-set ESP-3DES-SHA

match address 103

!

archive

log config

hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 105

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-all CCP_SSLVPN

match access-group name CCP_IP

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any SDM_WEBVPN

match access-group name SDM_WEBVPN

class-map type inspect match-all SDM_WEBVPN_TRAFFIC

match class-map SDM_WEBVPN

match access-group 101

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 104

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

pass

class type inspect ccp-icmp-access

inspect

class class-default

pass

policy-map type inspect ccp-sslvpn-pol

class type inspect CCP_SSLVPN

pass

class type inspect sdm-cls-VPNOutsideToInside-1

inspect

class class-default

drop

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

inspect

class class-default

drop

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

drop log

class type inspect ccp-protocol-http

inspect

class type inspect ccp-insp-traffic

inspect

class class-default

drop

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

pass

class type inspect SDM_WEBVPN_TRAFFIC

inspect

class type inspect SDM_DHCP_CLIENT_PT

pass

class class-default

drop

!

zone security out-zone

zone security in-zone

zone security sslvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-VPNOutsideToInside-1

!

!

!

interface FastEthernet0

description $ES_WAN$$FW_OUTSIDE$

ip address dhcp client-id FastEthernet0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Virtual-Template1

ip unnumbered FastEthernet0

zone-member security sslvpn-zone

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$

ip address 10.11.101.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

ip local pool VPN_Pool 10.11.101.50 10.11.101.99

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

!

ip access-list extended CCP_IP

remark CCP_ACL Category=128

permit ip any any

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_WEBVPN

remark CCP_ACL Category=1

permit tcp any any eq 443

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.11.101.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip any host 70.65.185.156

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 10.11.101.0 0.0.0.255 any

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

access-list 104 remark CCP_ACL Category=128

access-list 104 permit ip host *External VPN IP address* any

access-list 105 remark CCP_ACL Category=0

access-list 105 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255

access-list 106 remark CCP_ACL Category=2

access-list 106 remark IPSec Rule

access-list 106 deny   ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

access-list 106 permit ip 10.11.101.0 0.0.0.255 any

no cdp run

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 106

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

transport output telnet

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

line vty 5 15

transport input telnet ssh

!

scheduler interval 500

!

webvpn gateway gateway_1

ip address *External IP Address* port 443

http-redirect port 80

ssl trustpoint TP-self-signed-1097866965

inservice

!

webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179-anyconnect.pkg sequence 1

!

webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 2

!

webvpn context VPN_Pool

secondary-color white

title-color #CCCC66

text-color black

ssl authenticate verify all

!

!

policy group policy_1

   functions svc-enabled

   svc address-pool "VPN_Pool"

   svc keep-client-installed

virtual-template 1

default-group-policy policy_1

aaa authentication list ciscocp_vpn_xauth_ml_1

gateway gateway_1

inservice

!

end

Hi,

try this:

ip inspect log drop-pkt
ip access-list extended VNC
 permit tcp any host 10.11.101.10 eq 5950
class-map type inspect match-all VNC_CLASS
 match access-group name VNC
policy-map type inspect VNC_POLICY
 class type inspect VNC_CLASS
  inspect
zone-pair security VNC_OUT_IN source out-zone destination in-zone
 service-policy type inspect VNC_POLICY

Regards.

Alain.

Don't forget to rate helpful posts.
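To see why the VNC_OUT_IN zone-pair above has no effect while the accepted solution (adding VNC_CLASS to the existing out-zone to in-zone policy-map) works, here is a small Python model of the static PAT rule from Alain's first reply followed by the zone-based firewall lookup. It is an added illustration, not Cisco code and not code from any post in this thread; the outside address 203.0.113.10 and the client 198.51.100.7 are constructed stand-ins for the masked values.

```python
"""Model of the packet path this thread is debugging: static PAT on the outside
interface, then the IOS zone-based firewall (ZBF) policy bound to the
out-zone -> in-zone zone-pair. Added illustration, not Cisco code and not code
from the posts; addresses outside 10.11.0.0/16 are constructed (RFC 5737)."""
import ipaddress as ipa
from dataclasses import dataclass, field

OUTSIDE_IP = "203.0.113.10"   # constructed stand-in for the thread's *external IP*


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def ace(proto, src, dst, dport=None):
    """One access-list entry: protocol, source net, destination net, dest port."""
    return (proto, ipa.ip_network(src), ipa.ip_network(dst), dport)


@dataclass
class Router:
    static_pat: dict = field(default_factory=dict)   # (proto, outside port) -> (inside ip, port)
    acls: dict = field(default_factory=dict)         # acl name -> [ace, ...]
    class_maps: dict = field(default_factory=dict)   # class-map name -> acl name
    policy_maps: dict = field(default_factory=dict)  # policy-map name -> [(class, action), ...]
    zone_pairs: dict = field(default_factory=dict)   # (src zone, dst zone) -> (pair name, policy)
    errors: list = field(default_factory=list)

    def add_zone_pair(self, name, src, dst, policy):
        # IOS binds one zone-pair per (source, destination) zone combination, so a
        # second pair for out-zone -> in-zone is refused: that is why VNC_OUT_IN
        # never shows up in the poster's second running config.
        if (src, dst) in self.zone_pairs and self.zone_pairs[(src, dst)][0] != name:
            self.errors.append(f"zone-pair {name} refused: ({src}, {dst}) already "
                               f"bound to {self.zone_pairs[(src, dst)][0]}")
            return False
        self.zone_pairs[(src, dst)] = (name, policy)
        return True

    def translate(self, pkt):
        # Static PAT outside -> inside. On this path NAT runs before the firewall
        # (the posted 'show ip interface' lists NAT Outside among input features and
        # Stateful Inspection among output features), so ZBF sees 10.11.101.10.
        target = self.static_pat.get((pkt.proto, pkt.dport))
        if pkt.dst == OUTSIDE_IP and target:
            return Packet(pkt.proto, pkt.src, target[0], target[1])
        return pkt

    def acl_permits(self, acl, pkt):
        src, dst = ipa.ip_address(pkt.src), ipa.ip_address(pkt.dst)
        return any(proto in ("ip", pkt.proto) and src in s_net and dst in d_net
                   and dport in (None, pkt.dport)
                   for proto, s_net, d_net, dport in self.acls.get(acl, []))

    def outside_to_inside(self, pkt):
        """Action the out-zone -> in-zone policy-map applies to pkt after PAT."""
        pkt = self.translate(pkt)
        pair = self.zone_pairs.get(("out-zone", "in-zone"))
        if pair is None:
            return "drop"                     # no zone-pair: inter-zone traffic is dropped
        for cls, action in self.policy_maps[pair[1]]:   # first matching class wins
            if cls == "class-default" or self.acl_permits(self.class_maps[cls], pkt):
                return action
        return "drop"                         # implicit class-default


def build_router(variant):
    """'ccp': config as first posted; 'new-pair': the VNC_POLICY + VNC_OUT_IN
    attempt; 'accepted': VNC_CLASS added to sdm-pol-VPNOutsideToInside-1."""
    r = Router()
    r.static_pat[("tcp", 5950)] = ("10.11.101.10", 5950)
    r.acls["105"] = [ace("ip", "10.11.100.0/24", "10.11.101.0/24")]
    r.acls["VNC"] = [ace("tcp", "0.0.0.0/0", "10.11.101.10/32", 5950)]
    r.class_maps["sdm-cls-VPNOutsideToInside-1"] = "105"
    r.class_maps["VNC_CLASS"] = "VNC"
    r.policy_maps["sdm-pol-VPNOutsideToInside-1"] = [
        ("sdm-cls-VPNOutsideToInside-1", "inspect"), ("class-default", "drop")]
    r.add_zone_pair("sdm-zp-VPNOutsideToInside-1", "out-zone", "in-zone",
                    "sdm-pol-VPNOutsideToInside-1")
    if variant == "new-pair":
        r.policy_maps["VNC_POLICY"] = [("VNC_CLASS", "inspect")]
        r.add_zone_pair("VNC_OUT_IN", "out-zone", "in-zone", "VNC_POLICY")
    elif variant == "accepted":   # insert before class-default, as in the accepted post
        r.policy_maps["sdm-pol-VPNOutsideToInside-1"].insert(1, ("VNC_CLASS", "inspect"))
    return r


def vnc_from_internet(variant):
    """Result for an outside VNC viewer connecting to *external IP*:5950."""
    pkt = Packet("tcp", "198.51.100.7", OUTSIDE_IP, 5950)   # constructed client
    return build_router(variant).outside_to_inside(pkt)


if __name__ == "__main__":
    for v in ("ccp", "new-pair", "accepted"):
        print(f"{v:9s} VNC -> {vnc_from_internet(v):8s} {' '.join(build_router(v).errors)}")
```

The model also shows why the accepted post keeps the site-to-site class first: traffic matching ACL 105 is still inspected, and anything not forwarded by the PAT rule (for example port 5900) still falls through to class-default and is dropped.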

That didn't work. Here is the new running config:

Building configuration...

Current configuration : 12519 bytes

!

version 12.4

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

!

hostname *Host Name*

!

boot-start-marker

boot-end-marker

!

security authentication failure rate 3 log

security passwords min-length 6

logging message-counter syslog

logging buffered 51200

logging console critical

enable secret 5 $1$3R6c$adcoV0cvM5hTzxOoPBByc0

!

aaa new-model

!

!

aaa authentication login default local

aaa authentication login ciscocp_vpn_xauth_ml_1 local

aaa authorization exec default local

!

!

aaa session-id common

clock timezone PCTime -7

clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00

!

crypto pki trustpoint TP-self-signed-1097866965

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-1097866965

revocation-check none

rsakeypair TP-self-signed-1097866965

!

!

crypto pki certificate chain TP-self-signed-1097866965

certificate self-signed 01


              quit

dot11 syslog

no ip source-route

!

!

ip dhcp excluded-address 10.11.101.1 10.11.101.99

!

ip dhcp pool ccp-pool1

   import all

   network 10.11.101.0 255.255.255.0

   default-router 10.11.101.1

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name yourdomain.com

ip inspect log drop-pkt

no ipv6 cef

!

multilink bundle-name authenticated

!

!

!

username *UserName* privilege 15 secret 5 $1$1O79$nIJGrBD9hCpDqheT3mDsC1

username VPNuser secret 5 $1$nPz8$Cni5jyIWv9zlKAU3B5no9.

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp key *Key* address *External VPN IP Address*

!

crypto isakmp client configuration group VPN_Users

key *Key*

pool *VPN_pool*

acl 102

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto map SDM_CMAP_1 1 ipsec-isakmp

description Tunnel to *External VPN IP Address*

set peer *External VPN IP Address*

set transform-set ESP-3DES-SHA

match address 103

!

archive

log config

hidekeys

!

!

ip tcp synwait-time 10

ip ssh time-out 60

ip ssh authentication-retries 2

!

class-map type inspect match-any SDM_BOOTPC

match access-group name SDM_BOOTPC

class-map type inspect match-all sdm-cls-VPNOutsideToInside-1

match access-group 105

class-map type inspect match-any SDM_DHCP_CLIENT_PT

match class-map SDM_BOOTPC

class-map type inspect match-all CCP_SSLVPN

match access-group name CCP_IP

class-map type inspect match-any SDM_AH

match access-group name SDM_AH

class-map type inspect match-any SDM_WEBVPN

match access-group name SDM_WEBVPN

class-map type inspect match-all SDM_WEBVPN_TRAFFIC

match class-map SDM_WEBVPN

match access-group 101

class-map type inspect match-any sdm-cls-bootps

match protocol bootps

class-map type inspect match-any SDM_ESP

match access-group name SDM_ESP

class-map type inspect match-any SDM_VPN_TRAFFIC

match protocol isakmp

match protocol ipsec-msft

match class-map SDM_AH

match class-map SDM_ESP

class-map type inspect match-all SDM_VPN_PT

match access-group 104

match class-map SDM_VPN_TRAFFIC

class-map type inspect match-any ccp-cls-insp-traffic

match protocol cuseeme

match protocol dns

match protocol ftp

match protocol h323

match protocol https

match protocol icmp

match protocol imap

match protocol pop3

match protocol netshow

match protocol shell

match protocol realmedia

match protocol rtsp

match protocol smtp extended

match protocol sql-net

match protocol streamworks

match protocol tftp

match protocol vdolive

match protocol tcp

match protocol udp

class-map type inspect match-all ccp-insp-traffic

match class-map ccp-cls-insp-traffic

class-map type inspect match-any ccp-cls-icmp-access

match protocol icmp

class-map type inspect match-all VNC_CLASS

match access-group name VNC

class-map type inspect match-all ccp-icmp-access

match class-map ccp-cls-icmp-access

class-map type inspect match-all ccp-invalid-src

match access-group 100

class-map type inspect match-all ccp-protocol-http

match protocol http

!

!

policy-map type inspect ccp-permit-icmpreply

class type inspect sdm-cls-bootps

pass

class type inspect ccp-icmp-access

inspect

class class-default

pass

policy-map type inspect VNC_POLICY

class type inspect VNC_CLASS

inspect

policy-map type inspect ccp-sslvpn-pol

class type inspect CCP_SSLVPN

pass

class type inspect sdm-cls-VPNOutsideToInside-1

inspect

class class-default

drop

policy-map type inspect sdm-pol-VPNOutsideToInside-1

class type inspect sdm-cls-VPNOutsideToInside-1

inspect

class class-default

drop

policy-map type inspect ccp-inspect

class type inspect ccp-invalid-src

drop log

class type inspect ccp-protocol-http

inspect

class type inspect ccp-insp-traffic

inspect

class class-default

drop

policy-map type inspect ccp-permit

class type inspect SDM_VPN_PT

pass

class type inspect SDM_WEBVPN_TRAFFIC

inspect

class type inspect SDM_DHCP_CLIENT_PT

pass

class class-default

drop

policy-map type inspect VNC-POLICY

class type inspect VNC_CLASS

inspect

!

zone security out-zone

zone security in-zone

zone security sslvpn-zone

zone-pair security ccp-zp-self-out source self destination out-zone

service-policy type inspect ccp-permit-icmpreply

zone-pair security ccp-zp-in-out source in-zone destination out-zone

service-policy type inspect ccp-inspect

zone-pair security ccp-zp-out-self source out-zone destination self

service-policy type inspect ccp-permit

zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone

service-policy type inspect ccp-sslvpn-pol

zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone

service-policy type inspect sdm-pol-VPNOutsideToInside-1

!

!

!

interface FastEthernet0

description $ES_WAN$$FW_OUTSIDE$

ip address dhcp client-id FastEthernet0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat outside

ip virtual-reassembly

zone-member security out-zone

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

shutdown

duplex auto

speed auto

!

interface FastEthernet2

!

interface FastEthernet3

!

interface FastEthernet4

!

interface FastEthernet5

!

interface FastEthernet6

!

interface FastEthernet7

!

interface FastEthernet8

!

interface FastEthernet9

!

interface Virtual-Template1

ip unnumbered FastEthernet0

zone-member security sslvpn-zone

!

interface Vlan1

description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$

ip address 10.11.101.1 255.255.255.0

no ip redirects

no ip unreachables

no ip proxy-arp

ip flow ingress

ip nat inside

ip virtual-reassembly

zone-member security in-zone

ip tcp adjust-mss 1452

!

interface Async1

no ip address

no ip redirects

no ip unreachables

no ip proxy-arp

encapsulation slip

!

ip local pool *VPN_pool* 10.11.101.50 10.11.101.99

ip forward-protocol nd

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 60 life 86400 requests 10000

!

!

ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950

ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload

!

ip access-list extended CCP_IP

remark CCP_ACL Category=128

permit ip any any

ip access-list extended SDM_AH

remark CCP_ACL Category=1

permit ahp any any

ip access-list extended SDM_BOOTPC

remark CCP_ACL Category=0

permit udp any any eq bootpc

ip access-list extended SDM_ESP

remark CCP_ACL Category=1

permit esp any any

ip access-list extended SDM_WEBVPN

remark CCP_ACL Category=1

permit tcp any any eq 443

ip access-list extended VNC

permit tcp any host 10.11.101.10 eq 5950

!

logging trap debugging

access-list 1 remark INSIDE_IF=Vlan1

access-list 1 remark CCP_ACL Category=2

access-list 1 permit 10.11.101.0 0.0.0.255

access-list 100 remark CCP_ACL Category=128

access-list 100 permit ip host 255.255.255.255 any

access-list 100 permit ip 127.0.0.0 0.255.255.255 any

access-list 101 remark CCP_ACL Category=128

access-list 101 permit ip any host 70.65.185.156

access-list 102 remark CCP_ACL Category=4

access-list 102 permit ip 10.11.101.0 0.0.0.255 any

access-list 103 remark CCP_ACL Category=4

access-list 103 remark IPSec Rule

access-list 103 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

access-list 104 remark CCP_ACL Category=128

access-list 104 permit ip host *External VPN IP Address* any

access-list 105 remark CCP_ACL Category=0

access-list 105 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255

access-list 106 remark CCP_ACL Category=2

access-list 106 remark IPSec Rule

access-list 106 deny   ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255

access-list 106 permit ip 10.11.101.0 0.0.0.255 any

no cdp run

!

!

!

!

route-map SDM_RMAP_1 permit 1

match ip address 106

!

!

!

control-plane

!

banner exec ^C

% Password expiration warning.

-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device

and it provides the default username "cisco" for one-time use. If you have

already used the username "cisco" to login to the router and your IOS image

supports the "one-time" user option, then this username has already expired.

You will not be able to login to the router with this username after you exit

this session.

It is strongly suggested that you create a new username with a privilege level

of 15 using the following command.

username privilege 15 secret 0

Replace and with the username and password you want to

use.

-----------------------------------------------------------------------

^C

banner login ^CAuthorized access only!

Disconnect IMMEDIATELY if you are not an authorized user!^C

!

line con 0

transport output telnet

line 1

modem InOut

stopbits 1

speed 115200

flowcontrol hardware

line aux 0

transport output telnet

line vty 0 4

transport input telnet ssh

line vty 5 15

transport input telnet ssh

!

scheduler interval 500

!

webvpn gateway gateway_1

ip address *External IP Address* port 443

http-redirect port 80

ssl trustpoint TP-self-signed-1097866965

inservice

!

webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179-anyconnect.pkg sequence 1

!

webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 2

!

webvpn context *VPN_pool*

secondary-color white

title-color #CCCC66

text-color black

ssl authenticate verify all

!

!

policy group policy_1

   functions svc-enabled

   svc address-pool "*VPN_pool*"

   svc keep-client-installed

virtual-template 1

default-group-policy policy_1

aaa authentication list ciscocp_vpn_xauth_ml_1

gateway gateway_1

inservice

!

end
