08-22-2013 01:32 PM
Hi,
I've got a config I use and so far it's worked without issue.
The config template was created on a 771 router and I'm applying it to an 880 router.
I'm trying to use this router for a home business. It needs to allow internet access into the home LAN and remote access into the home LAN.
This config works on the 771, but does not on the 880.
The problem I'm having, I believe, is NAT.
When I apply ACL 111 the VPN quits working and I can't SSH to the unit's public IP.
Without ACL 111 I can connect to the VPN and SSH.
Without ACL 111 the home LAN can't access the internet.
I appreciate any help and tips.
Here's my config.
HomeGa#sh run
Building configuration...
Current configuration : 4728 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HomeGa
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
!
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-***********
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-***********
revocation-check none
rsakeypair TP-self-signed-***********
!
!
crypto pki certificate chain TP-self-signed-***********
certificate self-signed 01
quit
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
!
ip dhcp pool dhcp-pool
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
lease 8
!
!
no ip cef
no ip domain lookup
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW l2tp
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 **********************
!
!
crypto isakmp policy 5
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group ClientVPNPool
key ***********
pool ClientVPNPool
acl 101
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description Internet_WAN
ip address *.*.*.* 255.255.255.252
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map clientmap
!
interface Vlan1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool ClientVPNPool 192.168.254.1 192.168.254.10
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 *.*.*.*
ip http server
ip http authentication local
ip http secure-server
!
!
ip nat inside source list 111 interface FastEthernet4 overload
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255
access-list 111 permit ip any any
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
privilege level 15
password 7 ************
transport input ssh
!
scheduler max-task-time 5000
end
HomeGa#
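As an added illustration (not part of the original thread or the poster's configuration), a small Python model of how the NAT source list in the post is evaluated: first-match wildcard-mask lookup, the implicit deny at the end, and the deny entry for the 192.168.254.0/24 VPN pool acting as a NAT exemption. It models only the ACL decision, not which interface a packet arrived on. The second list is a constructed, narrower variant that names only the 192.168.1.0/24 inside subnet as a NAT source; it is included to show which flows the two lists treat differently, not as a diagnosis of the poster's problem.

```python
import ipaddress

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard-mask test: 0 bits must match, 1 bits are don't-care."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)

def _take_addr(toks, i):
    """Consume one source/destination spec: 'any', 'host A', or 'NET WILDCARD'."""
    if toks[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if toks[i] == "host":
        return (toks[i + 1], "0.0.0.0"), i + 2
    return (toks[i], toks[i + 1]), i + 2

def parse_acl(lines):
    """Parse numbered 'access-list N permit|deny ip SRC DST' entries, in order."""
    aces = []
    for line in lines:
        toks = line.split()
        if len(toks) < 5 or toks[0] != "access-list" or toks[3] != "ip":
            continue  # only plain IP entries are modelled here
        src, i = _take_addr(toks, 4)
        dst, _ = _take_addr(toks, i)
        aces.append((toks[2], src, dst))
    return aces

def acl_lookup(aces, src_ip, dst_ip):
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    for action, (sn, sw), (dn, dw) in aces:
        if wildcard_match(src_ip, sn, sw) and wildcard_match(dst_ip, dn, dw):
            return action
    return "deny"

def would_nat(acl_lines, src_ip, dst_ip):
    """True if 'ip nat inside source list <acl> ... overload' would translate
    this inside-to-outside flow; deny entries act as NAT exemptions."""
    return acl_lookup(parse_acl(acl_lines), src_ip, dst_ip) == "permit"

# ACL 111 exactly as shown in the post.
ACL_111_POST = [
    "access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255",
    "access-list 111 permit ip any any",
]
# Constructed, narrower variant for comparison: only the inside LAN is a NAT source.
ACL_111_LAN_ONLY = [
    "access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.254.0 0.0.0.255",
    "access-list 111 permit ip 192.168.1.0 0.0.0.255 any",
]
```

Calling `would_nat(ACL_111_POST, "192.168.1.10", "192.168.254.3")` returns False (LAN to VPN client is exempt) while a LAN-to-Internet flow returns True under both lists; the two lists only diverge for sources outside 192.168.1.0/24, which the post's `permit ip any any` would translate and the narrower list would not.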
08-22-2013 03:52 PM
Duplicate post.