The plot thickens. I've only just been told that the HS1100 is split up into 3 VLANs: .110.x, .111.x and .112.x. The .112.x subnet is for the wireless clients and the .111.x and .110.x are for ethernet. fe0-1 = VLAN 110, fe2-3 = VLAN 111. The Cisco 877 I am told is plugged into Fe3, hence VLAN 2 of the Cisco 877 now has the address of 192.168.111.230 (HS1100 = 111.1). I have also confirmed that the HS1100 now has a static route in it to the 10.0.0.0/24 network via 192.168.111.230.

The current config is as follows (note VLAN 2 has been set up for future bridging with another interface if required):

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
!
no aaa new-model
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile TPLUS_Profile1
 set transform-set ESP-3DES-SHA
!
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.61.3.11
ip dhcp excluded-address 10.61.3.20
ip dhcp excluded-address 10.61.3.253
ip dhcp excluded-address 10.61.3.191
ip dhcp excluded-address 10.61.3.6
ip dhcp excluded-address 10.61.3.1
!
ip dhcp pool CUSTOMER_LAN_POOL
 network 10.61.3.0 255.255.255.0
 default-router 10.61.3.1
 dns-server 203.50.2.71 139.130.4.4
!
!
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip name-server 202.27.184.3
ip name-server 202.27.184.5
!
multilink bundle-name authenticated
!
!
username xxxxxx privilege 15 secret xxxxxxxxx
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication TPLUS_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp cache non-authoritative
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip split-horizon
 ip policy route-map policy-route
 delay 1000
 tunnel source 111.111.111.111
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile TPLUS_Profile1
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 2
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description CUSTOMER_LOCAL_LAN
 ip address 10.61.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
!
interface Vlan2
 description HS1100_VLAN
 no ip address
 ip virtual-reassembly
 no ip route-cache cef
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Dialer0
 description ADSL Link FNN xxxxxxx
 ip address 111.111.111.111 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxx
 ppp chap password xxxxxxxxx
!
interface BVI1
 ip address 192.168.111.230 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.111.0
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 10.61.3.30 80 interface Dialer0 80
ip nat inside source static tcp 10.61.3.30 443 interface Dialer0 443
ip nat inside source static tcp 10.61.3.30 1494 interface Dialer0 1494
ip nat inside source static tcp 10.61.3.30 2598 interface Dialer0 2598
ip nat inside source static tcp 10.61.3.253 1433 interface Dialer0 1433
ip nat inside source static tcp 10.61.3.191 3389 interface Dialer0 3389
!
ip access-list extended NAT
 deny ip 10.61.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 192.168.111.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 10.61.3.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 10.61.3.0 0.0.0.255 any
!
access-list 22 permit 10.61.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map policy-route permit 10
 match ip address 100
 set ip next-hop 192.168.111.1
!
route-map policy-route permit 20
!
!
control-plane
!
bridge 1 route ip
banner login ^C
***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
* Act or State legislation                                            *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
* not be disclosed.                                                   *
***********************************************************************
^C
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 2
 access-class 22 in
 exec-timeout 20 0
 login local
 transport input telnet
line vty 3 4
 exec-timeout 20 0
 login local
 transport input ssh
!
scheduler max-task-time 5000
!
webvpn cef
end

Jeff,

Yes, I can ping 192.168.112.254 from router A. I will look at getting that static route to 10.0.0.0/24 via 192.168.112.230 added to the HS1100 and see how that goes. Unfortunately the HS1100 isn't modular.

Regards,
Mike

Hi Jeff,

The HS1100 will need to NAT 192.168.112.x traffic out 10.61.3.1 (VLAN1), and then 10.61.3.x traffic will need to NAT out dialer0 of the Cisco 877. This is where it gets confusing, since the HS1100 will only be NATting 192.168.112.x traffic; however, do we need the 10.0.0.x network to 'appear' as if it's coming from 192.168.112.x in order for the HS1100 NATting to work properly?

The HS1100 is set up to accept ping, and even though I didn't expect the traceroute to get out to the internet (due to the auth requirement), I would have thought it may have made it to 192.168.112.254 before being dropped.

Right now the HS1100's WAN interface is set up to receive its default gateway automatically via DHCP, which it is, and is working successfully for local wireless clients at Site A. Perhaps another public IP is required, so it can sit on VLAN1 so there is not this 'double NAT' situation going on.

A colleague of mine has the following ideas that we'll have to also explore:

"the solution might require bridging the two ends over the vpn so layer 2 info can pass and the remote router can just get dhcp from the hub, so remote clients are basically on the local network. apparently l2tpv3 is the way to go for this? Or any other way to bridge over the current VPN so layer 2 info can go through? add the tunnel to the bridge group? assign bvi on remote router a ip address on the hub subnet"

??

Thanks so much for your info so far Jeff, really appreciated!

Jeff,

I've just tried the policy-based method and also taken out "ip nat inside" from VLAN2 and "permit ip 10.0.0.0 0.0.0.255 any" from the PAT statement, but when I try a traceroute from SITE B to the internet from a source of 10.0.0.1 I get stuck at the HUB's GRE IP 172.16.0.1:

SITEB#traceroute 4.2.2.2 source 10.0.0.1
Type escape sequence to abort.
Tracing the route to 4.2.2.2
  1 172.16.0.1 36 msec 32 msec 32 msec
  2 * * *
  3 * * *
  4 * * *
  5 * * *
  6 * * *
  7 * *

Perhaps my issue is more fundamental, or possibly the HS1100 won't accept traffic from the 10.0.0.0 network? The config now looks like this:

SITE-A

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
!
no aaa new-model
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key caroline address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile TPLUS_Profile1
 set transform-set ESP-3DES-SHA
!
!
!
dot11 ssid xxxxxxxx
 authentication open
 authentication key-management wpa optional
 guest-mode
 wpa-psk ascii xxxxxxxx
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.61.3.11
ip dhcp excluded-address 10.61.3.20
ip dhcp excluded-address 10.61.3.253
ip dhcp excluded-address 10.61.3.191
ip dhcp excluded-address 10.61.3.6
ip dhcp excluded-address 10.61.3.1
!
ip dhcp pool CUSTOMER_LAN_POOL
 network 10.61.3.0 255.255.255.0
 default-router 10.61.3.1
 dns-server 203.50.2.71 139.130.4.4
!
!
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip name-server 202.27.184.3
ip name-server 202.27.184.5
!
multilink bundle-name authenticated
!
!
username advantage privilege 15 secret xxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication TPLUS_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp cache non-authoritative
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip split-horizon
 ip policy route-map policy-route
 delay 1000
 tunnel source 111.111.111.111
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile TPLUS_Profile1
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 2
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 shutdown
 !
 encryption mode ciphers tkip wep128
 !
 ssid xxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description CUSTOMER_LOCAL_LAN
 no ip address
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description HS1100_VLAN
 ip address 192.168.112.230 255.255.255.0
 ip virtual-reassembly
 no ip route-cache cef
!
interface Dialer0
 description ADSL Link FNN xxxxxxx
 ip address 111.111.111.111 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxx
 ppp chap password xxxxxxxx
!
interface BVI1
 ip address 10.61.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.112.0
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 10.61.3.30 80 interface Dialer0 80
ip nat inside source static tcp 10.61.3.30 443 interface Dialer0 443
ip nat inside source static tcp 10.61.3.30 1494 interface Dialer0 1494
ip nat inside source static tcp 10.61.3.30 2598 interface Dialer0 2598
ip nat inside source static tcp 10.61.3.253 1433 interface Dialer0 1433
ip nat inside source static tcp 10.61.3.191 3389 interface Dialer0 3389
!
ip access-list extended NAT
 deny ip 10.61.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 192.168.112.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 10.61.3.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 10.61.3.0 0.0.0.255 any
 permit ip 192.168.112.0 0.0.0.255 any
!
access-list 22 permit 10.61.3.0 0.0.0.255
access-list 100 permit ip 10.0.0.0 0.0.0.255 any
no cdp run
!
!
!
route-map policy-route permit 10
 match ip address 100
 set ip next-hop 192.168.112.254
!
route-map policy-route permit 20
!
!
control-plane
!
bridge 1 route ip
banner login ^C
***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
* Act or State legislation                                            *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
* not be disclosed.                                                   *
***********************************************************************
^C
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 2
 access-class 22 in
 exec-timeout 20 0
 login local
 transport input telnet
line vty 3 4
 exec-timeout 20 0
 login local
 transport input ssh
!
scheduler max-task-time 5000
!
webvpn cef
end

Hi Jeff,

I noticed that about the attachment as well, but open it as .PDF and you should be ok.

You are right in saying that the clients at Site A get to the Internet via the wireless on the HS1100 and not the Cisco 877. The clients at Site B get to the internet also like you suggested: RouterB --> DMVPN --> RouterA --> (ethernet) HS1100 --> RouterA --> Internet.

Unfortunately getting another physical router is out of the question, and my experience with VRF is limited at this stage. I've thought about some sort of policy-based routing but am not sure how to implement it at this stage; do you have anything in mind, and would the policy be applied to Tunnel 0? I will have a look at your link on VRF now.

Thanks for the reply,
Mike

Hi all,

I have a big bad DMVPN (hub and 2 spokes) problem which I can't quite sort out. There are 3 sites: A (hub), B and C (C is not an issue, however, as it uses its own link to get out to the internet).

All users from Site B need to access all traffic (internet) through the DMVPN tunnel (through site A's ADSL 2+ link). This part is now sorted out.

However, there are 2 VLANs on the Site A Cisco 877 router: one for Admin use and one for customers to pay for internet usage via an Ericsson HS 1100 Hotspot router.

VLAN 1 - Admin = 10.61.3.x
VLAN 2 - Customer = 192.168.112.x (Fe3)

Also:

Site B = 10.0.0.x
Site C = 192.168.10.x

The HS 1100 has 4 LAN ports on the back and a wifi link. If users connect to the router via wifi/ethernet, they are prompted to enter a username and password to pay for internet access. The HS1100 also has a default gateway for its WAN port of 10.61.3.1 (Site A's VLAN1 LAN address). This gets them out to the internet ok.

So far I cannot get users from Site B to be prompted for username/password to pay for their internet usage through the DMVPN tunnel. I have attached a rough diagram and have SITE A and SITE B's configs below. Please assist.

SITE A

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
!
no aaa new-model
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile TPLUS_Profile1
 set transform-set ESP-3DES-SHA
!
!
!
dot11 ssid xxxxxxxxx
 authentication open
 authentication key-management wpa optional
 guest-mode
 wpa-psk ascii xxxxxxxxxxx
!
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.61.3.11
ip dhcp excluded-address 10.61.3.20
ip dhcp excluded-address 10.61.3.253
ip dhcp excluded-address 10.61.3.191
ip dhcp excluded-address 10.61.3.6
ip dhcp excluded-address 10.61.3.1
!
ip dhcp pool CUSTOMER_LAN_POOL
 network 10.61.3.0 255.255.255.0
 default-router 10.61.3.1
 dns-server 203.50.2.71 139.130.4.4
!
!
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip name-server 202.27.184.3
ip name-server 202.27.184.5
!
multilink bundle-name authenticated
!
!
username xxxxxxxxxxx privilege 15 secret xxxxxxxxxxxxx
archive
 log config
  hidekeys
!
!
ip ssh version 2
!
bridge irb
!
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.1 255.255.255.0
 no ip redirects
 ip mtu 1400
 ip nat inside
 ip nhrp authentication TPLUS_NW
 ip nhrp map multicast dynamic
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp cache non-authoritative
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip split-horizon
 delay 1000
 tunnel source 111.111.111.111
 tunnel mode gre multipoint
 tunnel key 100000
 tunnel protection ipsec profile TPLUS_Profile1
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 switchport access vlan 2
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 shutdown
 !
 encryption mode ciphers tkip wep128
 !
 ssid xxxxxxxxx
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description CUSTOMER_LOCAL_LAN
 no ip address
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
 bridge-group 1
 bridge-group 1 spanning-disabled
!
interface Vlan2
 description HS1100_VLAN
 ip address 192.168.112.230 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
!
interface Dialer0
 description ADSL Link FNN xxxxxxx
 ip address 111.111.111.111 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxx
 ppp chap password xxxxxxxxxx
!
interface BVI1
 ip address 10.61.3.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 network 192.168.112.0
 default-information originate
 no auto-summary
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
ip nat inside source list NAT interface Dialer0 overload
ip nat inside source static tcp 10.61.3.30 80 interface Dialer0 80
ip nat inside source static tcp 10.61.3.30 443 interface Dialer0 443
ip nat inside source static tcp 10.61.3.30 1494 interface Dialer0 1494
ip nat inside source static tcp 10.61.3.30 2598 interface Dialer0 2598
ip nat inside source static tcp 10.61.3.253 1433 interface Dialer0 1433
ip nat inside source static tcp 10.61.3.191 3389 interface Dialer0 3389
!
ip access-list extended NAT
 deny ip 10.61.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 192.168.112.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 10.61.3.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 10.61.3.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any        <----- perhaps not required?
 permit ip 192.168.112.0 0.0.0.255 any
!
!
access-list 22 permit 10.61.3.0 0.0.0.255
no cdp run
!
!
!
!
control-plane
!
bridge 1 route ip
banner login ^C
***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
* Act or State legislation                                            *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
* not be disclosed.                                                   *
***********************************************************************
^C
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 2
 access-class 22 in
 exec-timeout 20 0
 login local
 transport input telnet
line vty 3 4
 exec-timeout 20 0
 login local
 transport input ssh
!
scheduler max-task-time 5000
!
webvpn cef
end

SITE B

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname TB_BB_Advantage
!
boot-start-marker
boot-end-marker
!
logging buffered 16000
no logging console
!
no aaa new-model
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.0.1
!
ip dhcp pool CUSTOMER_LAN_POOL
 network 10.0.0.0 255.255.255.0
 default-router 10.0.0.1
 dns-server 203.50.2.71 139.130.4.4
!
!
ip cef
no ip bootp server
ip domain name direct.telstra.net
ip name-server 203.50.2.71
ip name-server 139.130.4.4
ip ssh version 2
!
!
!
!
username xxxxxxxxxx privilege 15 secret xxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxx address 111.111.111.111
crypto isakmp keepalive 60 periodic
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode transport
!
crypto ipsec profile TPLUS_Profile1
 set transform-set ESP-3DES-SHA
!
!
!
!
!
interface Tunnel0
 bandwidth 1000
 ip address 172.16.0.3 255.255.255.0
 ip mtu 1400
 ip nhrp authentication TPLUS_NW
 ip nhrp map 172.16.0.1 111.111.111.111
 ip nhrp network-id 100000
 ip nhrp holdtime 360
 ip nhrp nhs 172.16.0.1
 ip nhrp registration no-unique
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 delay 1000
 tunnel source Dialer0
 tunnel destination 111.111.111.111
 tunnel key 100000
 tunnel protection ipsec profile TPLUS_Profile1
!
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description CUSTOMER_LOCAL_LAN
 ip address 10.0.0.1 255.255.255.0
 ip virtual-reassembly
 no ip route-cache cef
!
interface Dialer0
 description ADSL Link FNN xxxxxxx
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname xxxxxxxxxxxxx
 ppp chap password xxxxxxxxxxxxx
!
router rip
 version 2
 network 10.0.0.0
 network 172.16.0.0
 no auto-summary
!
ip route 111.111.111.0 255.255.255.0 Dialer0
!
no ip http server
ip http access-class 22
ip http authentication local
ip http secure-server
!
no cdp run
!
control-plane
!
banner login ^C
***********************************************************************
* Access to this computer system is limited to authorised users only. *
* Unauthorised users may be subject to prosecution under the Crimes   *
* Act or State legislation                                            *
*                                                                     *
* Please note, ALL CUSTOMER DETAILS are confidential and must         *
* not be disclosed.                                                   *
***********************************************************************
^C
!
line con 0
 no modem enable
 transport output all
line aux 0
 transport output all
line vty 0 2
 exec-timeout 20 0
 login local
 transport input telnet
line vty 3 4
 exec-timeout 20 0
 login local
 transport input ssh
!
scheduler max-task-time 5000
end

Hi,

A client of mine needs to initiate a PPTP VPN 'from' a Cisco 877w router into a Windows Server 2008. So I have seen that VPDN should be used, and have also stumbled across various scripts on the internet; however, I cannot work out how to add them to my current 877 config (standard config initialising a PPPoA session from Dialer 0). Here is a script I found:

ip multicast-routing
no ip gratuitous-arps
service internal
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip SERVER IP

interface Dialer0
 ip address negotiated
 ip pim dense-mode
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string 111
 dialer vpdn
 dialer-group 1
 no cdp enable
 ppp pfc local request
 ppp pfc remote apply
 ppp encrypt mppe auto
 ppp chap hostname USERNAME
 ppp chap password PASSWORD

dialer-list 1 protocol ip permit

I added this to my working config, but no joy. Please assist!

Hi,

I am finding it difficult to select a HUB router for DMVPN (hub-spoke topology) where there are 42 spokes with ADSL2+ connections and a 100Mb Ethernet at the HUB site. Will a Cisco 2821 router be enough to handle that amount of VPN traffic, or will an upgrade be required?

Thanks in advance.
Mike

Thanks very much for both of your replies. When using the "deny ip any remote-net" command, I'm assuming the 'remote-net' is not a command but the IP range on the other side of the tunnel? i.e. 192.168.0.0 0.0.0.255? Or the remote network's public IP address?

Regards,
os4mike

Hi,

I have a site-to-site VPN (Site A - 10.0.0.x, Site B - 192.168.0.x) active and also have the requirement for port forwarding TCP 3389 to a Terminal Services server from the outside. I have the NAT statement

ip nat inside source static tcp 10.0.0.78 3389 interface dialer 0 3389

on side A and can now get in via the public (dialer 0) IP address straight to the server (10.0.0.78). I can also RDP to 10.0.0.78 from inside Site A, but cannot RDP from Site B to 10.0.0.78. I can ping 10.0.0.78 from site B and there is no firewall currently on the machine, but it does not work. As soon as I remove the static NAT statement, I can RDP straight in from Site B (through the tunnel) to 10.0.0.78.

Is there a way to set this up so both remote (internet) clients can RDP to the server AND tunnel clients?

*note: Tunnel clients can get on ok via the public IP if static NAT is present.

Thanks in advance.

Thanks very much; with your suggestion, it appears to be working now. I've created a 'loopback 0' interface and then in the 'Virtual template interface' added ip unnumbered to loopback0. Both the site-to-site tunnel and the VPN server are working ok! Thanks again.

Hi,

I have managed to successfully implement a site-to-site VPN connection, as done by my team on a daily basis; however, I'm not sure if I can run the unit as a VPN server (concentrator) at the same time, because whenever I apply the 'crypto map <mapname>' command to the end of the 'Dialer 0' interface, the original site-to-site "crypto map <mapname>" command gets overwritten, and it looks like I can only have the 857 running as either a site-to-site VPN 'OR' a VPN concentrator for remote clients, but not both.

Can someone please help me determine if I am able to have a concurrent setup like this on the Cisco 857w? I've tried it with SDM as well and it seems to not allow me to add the VPN concentrator functionality to the same interface (i.e. dialer 0) that the site-to-site VPN is using. Perhaps I need to use Dialer 1 or Tunnel 0 to achieve this, but really I don't have an idea at this stage.

Thank you.

I have 2 Cisco 857w's currently running a basic site-to-site VPN configured successfully through SDM.

Site 1 LAN = 10.10.10.0 /24
Site 2 LAN = 10.10.20.0 /24

The client would now like all users to access the Internet only through Site 2's Internet connection, i.e. Site 1 must gain access through the VPN tunnel and out to the internet through Site 2's router. Can this be done? What needs to be changed on both routers' configs?

CURRENT CONFIG SITE 1 (relevant parts)

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxx address 111.222.333.444
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 111.222.333.444
 set peer 111.222.333.444
 set transform-set ESP-3DES-SHA
 match address 100
!
!
!
interface ATM0
 no shut
 no ip address
 no ip route-cache cef
 no ip route-cache
 load-interval 30
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface FastEthernet0
 spanning-tree portfast
!
interface FastEthernet1
 spanning-tree portfast
!
interface FastEthernet2
 spanning-tree portfast
!
interface FastEthernet3
 spanning-tree portfast
!
interface Dot11Radio0
 no ip address
 shutdown
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Vlan1
 description LOCAL_LAN
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache cef
!
interface Dialer0
 description ADSL Link FNN xxxxxxx
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 no cdp enable
 ppp authentication chap callin
 ppp chap hostname username@xxxxx.xxxxxx.net
 ppp chap password xxxxxx
 crypto map SDM_CMAP_1
!
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 20
ip http authentication local
ip http secure-server
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
access-list 22 remark SDM_ACL Category=17
access-list 22 permit 10.10.10.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 101

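Several of the questions in this thread come down to which entry of a wildcard-mask access list a given flow matches first: the hub's NAT list and "route-map policy-route" in the DMVPN posts (with and without the "permit ip 10.0.0.0 0.0.0.255 any" line marked "perhaps not required?"), the "deny ip any remote-net" exemption asked about for the 10.0.0.x / 192.168.0.x site-to-site pair, and the crypto ACL 100 / NAT ACL 101 pair in the Site 1 config just above. The Python below is an added example written for this page; it is not code from the thread, from Cisco IOS or from SDM. It implements IOS wildcard-mask matching with first-match and implicit-deny semantics for "permit/deny ip" entries only (standard lists and port-level entries are skipped), loads the access lists exactly as posted, and reports how each router would classify a constructed flow. The peer address 203.0.113.10 in the last list is a constructed placeholder, not an address from the thread.

```python
"""IOS wildcard-mask ACL evaluator (added example; not the thread's, Cisco's or SDM's code)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Entry:
    action: str    # "permit" or "deny"
    src: int       # source address as a 32-bit integer
    src_wild: int  # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wild: int

    def matches(self, s: int, d: int) -> bool:
        # Only the bits that are 0 in the wildcard have to agree with the entry.
        care_s, care_d = ~self.src_wild & MASK32, ~self.dst_wild & MASK32
        return (s & care_s) == (self.src & care_s) and (d & care_d) == (self.dst & care_d)


def _addr(tok: list[str], i: int) -> tuple[int, int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W' at tok[i]; return (addr, wildcard, next i)."""
    if tok[i] == "any":
        return 0, MASK32, i + 1
    if tok[i] == "host":
        return int(ipaddress.IPv4Address(tok[i + 1])), 0, i + 2
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2


def parse_acl(text: str) -> list[Entry]:
    """Parse named or numbered extended 'permit|deny ip SRC DST' lines.

    Headers, remarks, standard (source-only) lists and inline notes are skipped.
    """
    entries = []
    for raw in text.splitlines():
        tok = raw.split("<")[0].split()      # drops notes such as '<----- perhaps not required?'
        if tok and tok[0] == "access-list":  # numbered form: access-list N permit ip ...
            tok = tok[2:]
        if len(tok) < 4 or tok[0] not in ("permit", "deny"):
            continue
        if tok[1] != "ip":
            raise ValueError(f"only 'ip' entries are supported: {raw.strip()}")
        src, sw, i = _addr(tok, 2)
        dst, dw, _ = _addr(tok, i)
        entries.append(Entry(tok[0], src, sw, dst, dw))
    return entries


def evaluate(acl: list[Entry], src: str, dst: str) -> bool:
    """First matching entry wins; an implicit deny sits at the end, as on the router."""
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in acl:
        if e.matches(s, d):
            return e.action == "permit"
    return False


# Hub NAT list exactly as posted in the original DMVPN question (annotation included).
NAT_SITE_A_ORIGINAL = parse_acl("""
ip access-list extended NAT
 deny ip 10.61.3.0 0.0.0.255 10.0.0.0 0.0.0.255
 deny ip 192.168.112.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny ip 10.61.3.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 10.61.3.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any <----- perhaps not required?
 permit ip 192.168.112.0 0.0.0.255 any
""")
# The same list after the 10.0.0.0 permit was removed in the follow-up post.
NAT_SITE_A_REVISED = [e for e in NAT_SITE_A_ORIGINAL
                      if not (e.action == "permit" and e.src == int(ipaddress.IPv4Address("10.0.0.0")))]
PBR_ACL_100 = parse_acl("access-list 100 permit ip 10.0.0.0 0.0.0.255 any")  # matched by route-map policy-route


def site_a_decision(src: str, dst: str, revised: bool = True) -> dict[str, bool]:
    """Hub classification of a flow arriving on Tunnel0: policy-routed to the HS1100, PATed out Dialer0."""
    nat = NAT_SITE_A_REVISED if revised else NAT_SITE_A_ORIGINAL
    return {"policy_routed_to_hs1100": evaluate(PBR_ACL_100, src, dst),
            "translated_out_dialer0": evaluate(nat, src, dst)}


# Site 1 from the two-857 question: ACL 100 selects tunnel traffic, ACL 101 feeds the NAT route-map.
CRYPTO_ACL_100 = parse_acl("access-list 100 permit ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255")
NAT_ACL_101 = parse_acl("""
access-list 101 deny ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
""")


def site1_decision(src: str, dst: str) -> dict[str, bool]:
    return {"encrypted_to_site2": evaluate(CRYPTO_ACL_100, src, dst),
            "translated_out_dialer0": evaluate(NAT_ACL_101, src, dst)}


# 'deny ip any remote-net' for the 10.0.0.x / 192.168.0.x pair, read two ways: as the peer's LAN
# (the range the deny has to name) and as the peer's public address (203.0.113.10 is a constructed placeholder).
NAT_EXEMPT_REMOTE_LAN = parse_acl("""
 deny ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 any
""")
NAT_EXEMPT_PEER_PUBLIC = parse_acl("""
 deny ip 10.0.0.0 0.0.0.255 host 203.0.113.10
 permit ip 10.0.0.0 0.0.0.255 any
""")


if __name__ == "__main__":
    print(site_a_decision("10.0.0.1", "4.2.2.2", revised=False), site_a_decision("10.0.0.1", "4.2.2.2"))
    print(site1_decision("10.10.10.5", "10.10.20.9"), site1_decision("10.10.10.5", "8.8.8.8"))
    print(evaluate(NAT_EXEMPT_REMOTE_LAN, "10.0.0.78", "192.168.0.20"),
          evaluate(NAT_EXEMPT_PEER_PUBLIC, "10.0.0.78", "192.168.0.20"))
```

Running it shows the consequences of the edits discussed in the thread: with the original hub list a Site B flow (10.0.0.1 to 4.2.2.2) is both policy-routed towards the HS1100 and eligible for PAT out Dialer0; with the revised list it is policy-routed only. At Site 1, 10.10.10.x to 10.10.20.x is encrypted and exempt from NAT while internet-bound traffic is NATed locally and never enters the tunnel, which is why the current config cannot send Site 1's internet traffic via Site 2 as it stands. For the exemption question, a deny naming the peer's LAN (192.168.0.0 0.0.0.255) keeps 10.0.0.78 to 192.168.0.20 untranslated, whereas a deny naming the peer's public address matches nothing in that flow and the traffic is still translated.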
Yes, it's very strange that it solved the problem, so in that case perhaps the customer's internal server is doing more than I first thought. This part will also need to be looked at. Thanks for your prompt response.
