08-28-2017 10:19 AM - edited 03-05-2019 09:03 AM
I have a Cisco 877 router which connects my network to the Internet using an ADSL line, static IP address and NAT; the IOS version is 15.
Everything is working ok, but I'd like to configure this router to be a VPN server, to be able to connect to the network from the outside.
letting single remote computers access the internal network
I can connect to my VPN from home using the router IP as the server name in the VPN client (is this right?), but I cannot from the outside using the public Internet.
And, finally: how do I set this up?
My config:
Current configuration : 5563 bytes
!
! Last configuration change at 15:16:15 UTC Mon Aug 28 2017 by me
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
*Aug 28 15:18:19.652: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Aug 28 15:18:19.660: %LINK-3-UPDOWN: Interface Virtual-Access3, changed sta
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
!
!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
!
vtp domain SKYBB
vtp mode transparent
username me privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username she secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENTvpn
key firewallvpn
dns 10.0.0.10
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENTvpn
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile VPN-Profile-1-ike-profile-1
!
!
!
!
!
!
!
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 8059afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 8059afb35580@skydsl password 0 efrtyuie
ppp ipcp dns request
no cdp enable
!
ip local pool VPN-Pool 192.168.0.20 192.168.0.25
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
permit ip any any
ip access-list extended vpn_resources
permit ip 192.168.0.0 0.0.0.255 any
!
no cdp run
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
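A cross-reference check over the VPN-related lines of the configuration above, as an added example that is not part of the original thread: it lists names that are referenced but never defined, and definitions that nothing points to. The excerpt is re-typed from the post with IOS sub-command indentation restored (an assumption, since the pasted text is flattened), and the rule table covers only the commands that appear in it.

```python
import re

# Excerpt constructed from the configuration lines posted above.
CONFIG = """\
crypto isakmp client configuration group CCLIENTvpn
 pool VPN-Pool
 acl vpn_resources
crypto isakmp profile vpn-ike-profile-1
 match identity group CCLIENTvpn
crypto isakmp profile VPN-Profile-1-ike-profile-1
 match identity group group2
 match identity group group1
crypto ipsec profile VPN-Profile-1
 set isakmp-profile VPN-Profile-1-ike-profile-1
interface Virtual-Template2 type tunnel
 tunnel protection ipsec profile VPN-Profile-1
ip local pool VPN-Pool 192.168.0.20 192.168.0.25
ip access-list extended vpn_resources
"""

# kind -> (regex that defines a name, regex that references a name)
RULES = {
    "client group": (r"^crypto isakmp client configuration group (\S+)",
                     r"^ +match identity group (\S+)"),
    "isakmp profile": (r"^crypto isakmp profile (\S+)",
                       r"^ +set isakmp-profile (\S+)"),
    "ipsec profile": (r"^crypto ipsec profile (\S+)",
                      r"^ +tunnel protection ipsec profile (\S+)"),
    "address pool": (r"^ip local pool (\S+)", r"^ +pool (\S+)"),
    "access list": (r"^ip access-list extended (\S+)", r"^ +acl (\S+)"),
}

def cross_check(config):
    """Return (undefined references, definitions never referenced) per kind."""
    undefined, unreferenced = {}, {}
    for kind, (def_re, ref_re) in RULES.items():
        defined = set(re.findall(def_re, config, re.M))
        used = set(re.findall(ref_re, config, re.M))
        if used - defined:
            undefined[kind] = sorted(used - defined)
        if defined - used:
            unreferenced[kind] = sorted(defined - used)
    return undefined, unreferenced

if __name__ == "__main__":
    undefined, unreferenced = cross_check(CONFIG)
    print("referenced but not defined:", undefined)
    print("defined but not referenced:", unreferenced)
```

"Not referenced" here only means that no `set isakmp-profile` line names the profile; it does not by itself say the profile is never matched during negotiation.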
08-31-2017 01:16 PM
Hamid,
how exactly are you trying to connect, what client do you use (AnyConnect)? What error or other message do you get?
08-31-2017 01:54 PM
Hi George
I use Cisco Client VPN and AnyConnect.
When I use Client on my mobile I get the error message: the VPN server did not respond.
When I use AnyConnect on my mobile I get the error message: could not connect to server. Please verify connectivity and server address.
When I use AnyConnect on my PC I get the error message: No valid certificates available for authentication. 21:53:06 Connection attempt has failed.
Kind Regards
Hamid
08-31-2017 02:08 PM
Hello,
the problem might be on the client side. Do the logs on the router show anything?
Which AnyConnect version are you running?
08-31-2017 02:16 PM
09-01-2017 10:32 AM
09-01-2017 11:43 AM
Hello,
for some reason, your VPN client expects a different encryption algorithm and no preshared authentication.
Try to change your policy to:
crypto isakmp policy 2
encr aes
hash md5
group 2
09-01-2017 12:01 PM
Hi
Sorry, did not work.
Best regards
09-01-2017 12:07 PM
Hello,
try and locate and then delete the AnyConnect client profile (in Windows it should be located in %ProgramData%\Cisco\Cisco AnyConnect Secure Mobility Client\Profile)...
09-01-2017 12:31 PM
Hi
I couldn't find the AnyConnect client profile in Windows 10.
I found the Cisco client profile, with which I can connect to the VPN from inside as I mentioned before. However, when I use the PC AnyConnect client there is no debug message; only when I use my iPhone do I get a debug message.
09-01-2017 12:38 PM
Hello,
in Windows 10, the 'Program Data' folder is hidden by default. You need to un-hide the files & folders in 'File Explorer' for it to become visible.
You can then go to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile and check for any .pcf or .xml files...
09-01-2017 12:47 PM
Hi
I have program file, I did search and show hidden. I couldn't find it.
09-01-2017 12:53 PM
Hi
I found it and deleted but still same problem.
09-01-2017 12:57 PM
Hello,
which AnyConnect client version are you using?
09-01-2017 12:59 PM
Hi
Version 4.3
09-01-2017 12:39 PM
Hi
I couldn't find the AnyConnect client profile in Windows 10.
I have found the Cisco client profile, with which I can connect to the VPN from inside as I mentioned before, but not from outside. However, when I use the PC AnyConnect client there is no debug message, only when I use the iPhone AnyConnect client.
Best Regards