Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Cisco Community
- :
- About MikeCaditz
Stats
Member since
11-07-2011
37
Posts
5
Helpful
0
Solutions
Created by
MikeCaditz
in VPN and AnyConnect
in VPN and AnyConnect
10-23-2012
11:58 PM
10-23-2012
11:58 PM
FYI, the above solution worked.
... View more
Created by
MikeCaditz
in VPN and AnyConnect
in VPN and AnyConnect
10-22-2012
08:31 AM
10-22-2012
08:31 AM
Thanks so much, Herbert. As an alternative to what you suggest, what do you think of this? I got it from Cisco's support document, http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094634.shtml I would delete these lines: no ip nat inside source static tcp 10.10.10.95 80 [outside IP) 80 extendable no ip nat inside source static udp 10.10.10.95 80 [outside IP) 80 extendable no ip nat inside source static tcp 10.10.10.95 443 [outside IP) 443 extendable no ip nat inside source static udp 10.10.10.95 443 [outside IP) 443 extendable no ip nat inside source static tcp 10.10.10.30 80 [outside IP) 80 extendable and replace with these ip nat inside source static tcp 10.10.10.95 80 [outside IP) 80 route-map nonat extendable ip nat inside source static udp 10.10.10.95 80 [outside IP) 80 route-map nonat extendable ip nat inside source static tcp 10.10.10.95 443 [outside IP) 443 route-map nonat extendable ip nat inside source static udp 10.10.10.95 443 [outside IP) 443 route-map nonat extendable ip nat inside source static tcp 10.10.10.30 80 [outside IP) 80 route-map nonat extendable Then add: access-list 150 deny ip host 10.10.10.95 10.10.10.160 0.0.0.31 access-list 150 deny ip host 10.10.10.95 172.16.8.0 0.0.3.255 access-list 150 deny ip host 10.10.10.130 10.10.10.160 0.0.0.31 access-list 150 deny ip host 10.10.10.130 172.16.8.0 0.0.3.255 access-list 150 permit ip host 10.10.10.95 any access-list 150 permit ip host 10.10.10.130 any ! route-map nonat permit 10 match ip address 150
... View more
Created by
MikeCaditz
in VPN and AnyConnect
in VPN and AnyConnect
10-18-2012
10:02 PM
10-18-2012
10:02 PM
Users in remote site can get ping response but no http service from local web server where the local web server also has NAT rule allowing access from WAN. In the below config, users in remote 10.10.10.160/27 can ping 10.10.10.30 and 10.10.10.95, but http packets are not returned. What do I need to do to fix this? version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname SFGallery ! boot-start-marker boot-end-marker ! ! no logging buffered ! aaa new-model ! ! aaa authentication login default local aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authentication login ciscocp_vpn_xauth_ml_2 local aaa authentication login ciscocp_vpn_xauth_ml_3 group radius local aaa authorization exec default local aaa authorization network ciscocp_vpn_group_ml_1 local aaa authorization network ciscocp_vpn_group_ml_2 local ! ! ! ! ! aaa session-id common ! clock timezone PCTime -7 0 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! no ipv6 cef ip source-route ip cef ! ! ! ip dhcp excluded-address 172.16.0.1 172.16.3.99 ip dhcp excluded-address 172.16.3.200 172.16.3.254 ! ip dhcp pool SFGallery172 import all network 172.16.0.0 255.255.252.0 domain-name xxxxxxxxxxxx dns-server 10.10.10.10 default-router 10.10.10.94 netbios-name-server 10.10.10.10 ! ! ip domain name gpgallery.com ip name-server 10.10.10.10 ip name-server 8.8.8.8 ip name-server 8.8.4.4 ip name-server 10.10.10.80 ! multilink bundle-name authenticated ! ! crypto pki token default removal timeout 0 ! crypto pki trustpoint test_trustpoint_config_created_for_sdm subject-name e=sdmtest@sdmtest.com revocation-check crl ! crypto pki trustpoint SFGallery_Certificate enrollment selfsigned serial-number none ip-address none revocation-check crl rsakeypair SFGallery_Certificate_RSAKey 512 ! ! crypto pki certificate chain test_trustpoint_config_created_for_sdm crypto pki certificate chain SFGallery_Certificate certificate self-signed 01 xxxxxx quit license udi pid CISCO2911/K9 sn FTX1542AKJ3 license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 hw-module sm 1 ! ! ! object-group network Corp 172.16.4.0 255.255.252.0 10.10.10.128 255.255.255.224 ! object-group network SFGallery 172.16.0.0 255.255.252.0 10.10.10.0 255.255.255.128 ! object-group network NY 10.10.10.160 255.255.255.224 172.16.16.0 255.255.252.0 ! object-group network GPAll group-object SFGallery group-object NY group-object Corp ! username xxx username xxx username xxx username xxx ! redundancy ! ! ! ! no ip ftp passive ip ssh version 1 ! class-map type inspect match-all CCP_SSLVPN match access-group name CCP_IP ! ! policy-map type inspect ccp-sslvpn-pol class type inspect CCP_SSLVPN pass ! zone security sslvpn-zone ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key TempVPN1# address xx.xx.xx.xx ! crypto isakmp client configuration group SFGallery key Peters2011 dns 10.10.10.10 10.10.10.80 wins 10.10.10.10 10.10.10.80 domain gpgallery.com pool SDM_POOL_1 acl 111 save-password split-dns gpgallery.com max-users 25 max-logins 3 netmask 255.255.252.0 banner ^CYou are now connected to the Santa Fe Gallery and Corp. ^C crypto isakmp profile ciscocp-ike-profile-1 match identity group SFGallery client authentication list ciscocp_vpn_xauth_ml_3 isakmp authorization list ciscocp_vpn_group_ml_2 client configuration address respond virtual-template 3 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac ! crypto ipsec profile CiscoCP_Profile1 set security-association idle-time 43200 set transform-set ESP-3DES-SHA3 set isakmp-profile ciscocp-ike-profile-1 ! ! crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel toxx.xx.xx.xx set peer xx.xx.xx.xx set transform-set ESP-3DES-SHA1 match address 107 reverse-route ! ! ! ! ! interface Loopback1 ip address 192.168.5.1 255.255.255.0 ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 description T1 Cybermesa$ETH-WAN$ ip address xx.xx.xx.xx 255.255.255.240 ip access-group 105 in ip nat outside ip virtual-reassembly in duplex auto speed auto crypto map SDM_CMAP_1 ! interface GigabitEthernet0/1 description LANOverloadNet$ETH-WAN$ no ip address ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface GigabitEthernet0/2 description LAN$ETH-LAN$ ip address 10.10.10.2 255.255.255.128 ip access-group 100 in ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface FastEthernet0/0/0 ip address 192.168.100.1 255.255.255.0 ip access-group ReplicationIN out duplex auto speed auto ! interface GigabitEthernet1/0 description $ETH-LAN$ ip address 172.16.0.1 255.255.252.0 ip nat inside ip virtual-reassembly in ! interface GigabitEthernet1/1 description Internal switch interface connected to EtherSwitch Service Module no ip address ! interface Virtual-Template1 type tunnel ip unnumbered Loopback1 ! interface Virtual-Template2 ip unnumbered Loopback1 zone-member security sslvpn-zone ! interface Virtual-Template3 type tunnel ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile CiscoCP_Profile1 ! interface Vlan1 no ip address ! ! ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254 ip forward-protocol nd ! ip http server ip http access-class 1 ip http authentication local no ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip flow-top-talkers top 10 sort-by bytes cache-timeout 60000 ! ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload ip nat inside source static tcp 10.10.10.95 22 xx.xx.xx.xx extendable ip nat inside source static udp 10.10.10.95 22 xx.xx.xx.xx extendable ip nat inside source static tcp 10.10.10.95 25 xx.xx.xx.xx extendable ip nat inside source static udp 10.10.10.95 25 xx.xx.xx.xx 25 extendable ip nat inside source static tcp 10.10.10.95 80 xx.xx.xx.xx 80 extendable ip nat inside source static udp 10.10.10.95 80 xx.xx.xx.xx 80 extendable ip nat inside source static tcp 10.10.10.95 443 xx.xx.xx.xx 443 extendable ip nat inside source static udp 10.10.10.95 443 xx.xx.xx.xx 443 extendable ip nat inside source static tcp 10.10.10.30 80 xx.xx.xx.xx 80 extendable ip nat inside source static tcp 10.10.10.104 80 xx.xx.xx.xx 80 extendable ip nat inside source static tcp 10.10.10.37 26 xx.xx.xx.xx 25 extendable ip nat inside source static udp 10.10.10.37 26 xx.xx.xx.xx 25 extendable ip nat inside source static tcp 10.10.10.115 80 xx.xx.xx.xx 80 extendable ip nat inside source static tcp 10.10.10.115 443 xx.xx.xx.xx 443 extendable ip nat inside source static tcp 10.10.10.80 443 xx.xx.xx.xx 443 extendable ip nat inside source static tcp 10.10.10.47 26 xx.xx.xx.xx 25 extendable ip nat inside source static udp 10.10.10.47 26 xx.xx.xx.xx 25 extendable ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx permanent ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 10 permanent ip route 10.10.10.44 255.255.255.255 10.10.10.1 permanent ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent ip route 10.10.10.172 255.255.255.255 10.10.10.3 permanent ip route 10.10.10.175 255.255.255.255 10.10.10.3 permanent ip route 10.10.10.177 255.255.255.255 10.10.10.3 permanent ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent ip route 192.168.100.0 255.255.255.0 FastEthernet0/0/0 permanent ip route 192.168.101.0 255.255.255.0 10.10.10.126 permanent ! ip access-list extended CCP_IP remark CCP_ACL Category=128 permit ip any any ip access-list extended ReplicationIN remark CCP_ACL Category=1 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 deny ip any any ip access-list extended ReplicationOUT remark CCP_ACL Category=1 deny ip any any ! no logging trap logging 10.10.10.107 access-list 1 permit 192.168.1.2 access-list 1 remark CCP_ACL Category=1 access-list 1 permit 72.216.51.56 0.0.0.7 access-list 1 permit 172.16.0.0 0.0.3.255 access-list 1 permit 172.16.4.0 0.0.3.255 access-list 1 permit 10.10.10.128 0.0.0.31 access-list 1 remark Auto generated by SDM Management Access feature access-list 1 permit xx.xx.xx.xx 0.0.0.15 access-list 1 permit 10.10.10.0 0.0.0.127 access-list 100 remark Auto generated by SDM Management Access feature access-list 100 remark CCP_ACL Category=1 access-list 100 permit tcp object-group GPAll object-group NY eq www access-list 100 permit udp host 10.10.10.10 eq 1645 host 10.10.10.2 access-list 100 permit udp host 10.10.10.10 eq 1646 host 10.10.10.2 access-list 100 permit ip any host 10.10.10.2 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd access-list 100 deny tcp any host 10.10.10.2 eq telnet access-list 100 deny tcp any host 10.10.10.2 eq 22 access-list 100 deny tcp any host 10.10.10.2 eq www access-list 100 deny tcp any host 10.10.10.2 eq 443 access-list 100 deny tcp any host 10.10.10.2 eq cmd access-list 100 deny udp any host 10.10.10.2 eq snmp access-list 100 permit udp any eq domain host 10.10.10.2 access-list 100 permit udp host 10.10.10.80 eq domain any access-list 100 permit udp host 10.10.10.10 eq domain any access-list 100 permit ip any any access-list 101 remark Auto generated by SDM Management Access feature access-list 101 remark CCP_ACL Category=1 access-list 101 permit ip 72.216.51.56 0.0.0.7 any access-list 101 permit ip 172.16.0.0 0.0.3.255 any access-list 101 permit ip 172.16.4.0 0.0.3.255 any access-list 101 permit ip 10.10.10.128 0.0.0.31 any access-list 101 permit ip xx.xx.xx.xx 0.0.0.15 any access-list 101 permit ip host 192.168.1.2 any access-list 101 permit ip 10.10.10.0 0.0.0.127 any access-list 102 remark Auto generated by SDM Management Access feature access-list 102 remark CCP_ACL Category=1 access-list 102 permit ip 72.216.51.56 0.0.0.7 any access-list 102 permit ip 172.16.0.0 0.0.3.255 any access-list 102 permit ip 172.16.4.0 0.0.3.255 any access-list 102 permit ip 10.10.10.128 0.0.0.31 any access-list 102 permit ip xx.xx.xx.xx 0.0.0.15 any access-list 102 permit ip host 192.168.1.2 any access-list 102 permit ip 10.10.10.0 0.0.0.127 any access-list 103 remark Auto generated by SDM Management Access feature access-list 103 remark CCP_ACL Category=1 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd access-list 103 deny tcp any host 172.16.0.1 eq telnet access-list 103 deny tcp any host 172.16.0.1 eq 22 access-list 103 deny tcp any host 172.16.0.1 eq www access-list 103 deny tcp any host 172.16.0.1 eq 443 access-list 103 deny tcp any host 172.16.0.1 eq cmd access-list 103 deny udp any host 172.16.0.1 eq snmp access-list 103 permit ip any any access-list 104 remark CCP_ACL Category=4 access-list 104 remark IPSec Rule access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 105 remark Auto generated by SDM Management Access feature access-list 105 remark CCP_ACL Category=1 access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.128 0.0.0.31 access-list 105 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.160 0.0.0.31 172.16.0.0 0.0.255.255 access-list 105 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 access-list 105 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255 access-list 105 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq telnet access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq telnet access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq telnet access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 22 access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 22 access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 22 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq www access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq www access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq www access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq 443 access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq 443 access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq 443 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host xx.xx.xx.xx eq cmd access-list 105 permit tcp 172.16.0.0 0.0.3.255 host xx.xx.xx.xx eq cmd access-list 105 permit tcp xx.xx.xx.xx 0.0.0.15 host xx.xx.xx.xx eq cmd access-list 105 deny tcp any host xx.xx.xx.xx eq telnet access-list 105 deny tcp any host xx.xx.xx.xx eq 22 access-list 105 deny tcp any host xx.xx.xx.xx eq www access-list 105 deny tcp any host xx.xx.xx.xx eq 443 access-list 105 deny tcp any host xx.xx.xx.xx eq cmd access-list 105 deny udp any host xx.xx.xx.xx eq snmp access-list 105 permit tcp any host xx.xx.xx.xx eq 443 access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127 access-list 105 permit udp any eq domain host xx.xx.xx.xx access-list 105 permit ahp host 209.101.19.226 host xx.xx.xx.xx access-list 105 permit esp host 209.101.19.226 host xx.xx.xx.xx access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq isakmp access-list 105 permit udp host 209.101.19.226 host xx.xx.xx.xx eq non500-isakmp access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 105 permit ip any any access-list 106 remark CCP_ACL Category=2 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31 access-list 106 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 access-list 106 remark IPSec Rule access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31 access-list 106 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 access-list 106 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255 access-list 106 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255 access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 106 permit ip 10.10.10.0 0.0.0.255 any access-list 107 remark CCP_ACL Category=4 access-list 107 remark IPSec Rule access-list 107 permit ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31 access-list 107 remark IPSec Rule access-list 107 permit ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31 access-list 107 remark IPSec Rule access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31 access-list 107 permit ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255 access-list 107 permit ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255 access-list 107 permit ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 access-list 107 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 access-list 107 remark IPSec Rule access-list 107 deny ip 172.16.0.0 0.0.255.255 host 10.10.10.177 access-list 108 remark CCP_ACL Category=2 access-list 108 remark IPSec Rule access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 permit ip 70.56.215.0 0.0.0.255 any access-list 109 remark CCP_ACL Category=2 access-list 109 remark IPSec Rule access-list 109 deny ip 10.10.10.128 0.0.0.31 10.10.10.160 0.0.0.31 access-list 109 remark IPSec Rule access-list 109 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31 access-list 109 deny ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255 access-list 109 remark IPSec Rule access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.160 0.0.0.31 access-list 109 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255 access-list 109 deny ip 172.16.0.0 0.0.255.255 10.10.10.0 0.0.0.255 access-list 109 deny ip 10.10.10.0 0.0.0.255 172.16.0.0 0.0.255.255 access-list 109 permit ip 172.16.0.0 0.0.255.255 any access-list 111 remark CCP_ACL Category=4 access-list 111 permit ip 10.10.10.0 0.0.0.127 any access-list 111 permit ip 10.10.10.128 0.0.0.31 any access-list 111 permit ip 172.16.0.0 0.0.3.255 any access-list 111 permit ip 172.16.4.0 0.0.3.255 any access-list 111 permit ip 10.10.10.160 0.0.0.31 any ! ! ! ! route-map SDM_RMAP_4 permit 1 match ip address 109 ! route-map SDM_RMAP_1 permit 1 match ip address 106 ! route-map SDM_RMAP_2 permit 1 match ip address 108 ! ! snmp-server community public RO snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps vrrp snmp-server enable traps transceiver all snmp-server enable traps ds1 snmp-server enable traps call-home message-send-fail server-fail snmp-server enable traps tty snmp-server enable traps eigrp snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps license snmp-server enable traps envmon snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up snmp-server enable traps flash insertion removal snmp-server enable traps c3g snmp-server enable traps ds3 snmp-server enable traps adslline snmp-server enable traps vdsl2line snmp-server enable traps icsudsu snmp-server enable traps isdn call-information snmp-server enable traps isdn layer2 snmp-server enable traps isdn chan-not-avail snmp-server enable traps isdn ietf snmp-server enable traps ds0-busyout snmp-server enable traps ds1-loopback snmp-server enable traps energywise snmp-server enable traps vstack snmp-server enable traps mac-notification snmp-server enable traps bgp snmp-server enable traps isis snmp-server enable traps rf snmp-server enable traps aaa_server snmp-server enable traps atm subif snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency snmp-server enable traps memory bufferpeak snmp-server enable traps cnpd snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps fru-ctrl snmp-server enable traps resource-policy snmp-server enable traps event-manager snmp-server enable traps frame-relay multilink bundle-mismatch snmp-server enable traps frame-relay snmp-server enable traps frame-relay subif snmp-server enable traps hsrp snmp-server enable traps ipmulticast snmp-server enable traps msdp snmp-server enable traps mvpn snmp-server enable traps nhrp nhs snmp-server enable traps nhrp nhc snmp-server enable traps nhrp nhp snmp-server enable traps nhrp quota-exceeded snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message snmp-server enable traps pppoe snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps l2tun session snmp-server enable traps l2tun pseudowire status snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server enable traps bfd snmp-server enable traps firewall serverstatus snmp-server enable traps isakmp policy add snmp-server enable traps isakmp policy delete snmp-server enable traps isakmp tunnel start snmp-server enable traps isakmp tunnel stop snmp-server enable traps ipsec cryptomap add snmp-server enable traps ipsec cryptomap delete snmp-server enable traps ipsec cryptomap attach snmp-server enable traps ipsec cryptomap detach snmp-server enable traps ipsec tunnel start snmp-server enable traps ipsec tunnel stop snmp-server enable traps ipsec too-many-sas snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down snmp-server host 10.10.10.107 public radius-server host 10.10.10.10 key HelloSFGal1# ! ! ! control-plane ! ! banner login ^CCCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line 67 no activation-character no exec transport preferred none transport input all transport output lat pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 flowcontrol software line vty 0 4 access-class 102 in transport input telnet line vty 5 15 access-class 101 in transport input telnet ! scheduler allocate 20000 1000 end
... View more
Labels:
12-13-2011
12:41 PM
Thanks, Somu. But I am confused. First, the link you provided id dead. Second, the document http://www.cisco.com/en/US/docs/routers/access/interfaces/nm/hardware/installation/guide/InstNetM.html states: Note The following routers do not support online insertion and removal (OIR) of service modules or network modules: •Cisco 1900 series •Cisco 2600 series •Cisco 2811 •Cisco 2821 •Cisco 2851 •Cisco 2900 series •Cisco 3620 •Cisco 3640 •Cisco MWR 1941-DC To avoid damaging the router, turn off electrical power and disconnect network cables before inserting or removing a network module into these routers.
... View more
12-13-2011
09:35 AM
I have a 2911 ISR and want to install a SM-ES2-24 Enhanced EtherSwitch Service Module. Do I need to power down the router?
... View more
Labels:
11-29-2011
07:39 PM
I have both a Easy VPN server and a site-to-site VPN on the same outside interface of a 2911 router. Currently, a Easy VPN client has no route int the router then out the site-to-site VPN to the remote site. How can I create this route? Building configuration... Current configuration : 18830 bytes ! ! Last configuration change at 19:01:55 PCTime Tue Nov 29 2011 by admin ! NVRAM config last updated at 19:02:42 PCTime Tue Nov 29 2011 by admin ! NVRAM config last updated at 19:02:42 PCTime Tue Nov 29 2011 by admin version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname SFGallery ! boot-start-marker boot-end-marker ! ! no logging buffered ! aaa new-model ! ! aaa authentication login default local aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authentication login ciscocp_vpn_xauth_ml_2 local aaa authentication login ciscocp_vpn_xauth_ml_3 local aaa authorization exec default local aaa authorization network ciscocp_vpn_group_ml_1 local aaa authorization network ciscocp_vpn_group_ml_2 local ! ! ! ! ! aaa session-id common ! clock timezone PCTime -7 0 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! no ipv6 cef ip source-route ip cef ! ! ! ! ! ip domain name gpgallery.com ip name-server 10.10.10.10 ip name-server 8.8.8.8 ip name-server 8.8.4.4 ip name-server 10.10.10.80 ! multilink bundle-name authenticated ! ! crypto pki token default removal timeout 0 ! crypto pki trustpoint test_trustpoint_config_created_for_sdm subject-name e=sdmtest@sdmtest.com revocation-check crl ! crypto pki trustpoint SFGallery_Certificate enrollment selfsigned serial-number none ip-address none revocation-check crl rsakeypair SFGallery_Certificate_RSAKey 512 ! ! crypto pki certificate chain test_trustpoint_config_created_for_sdm crypto pki certificate chain SFGallery_Certificate certificate self-signed 01 xxxx quit license udi pid CISCO2911/K9 sn xxxxxx license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! object-group network Corp 172.16.4.0 255.255.252.0 10.10.10.128 255.255.255.224 ! object-group network SFGallery 172.16.0.0 255.255.252.0 10.10.10.0 255.255.255.128 ! object-group network NY 10.10.10.160 255.255.255.224 ! object-group network GPAll group-object SFGallery group-object NY group-object Corp ! username xxx privilege 15 secret 5 xxxx username xxx privilege 15 secret 5 $xxx username xxxx privilege 15 secret 5 $xxxxx ! redundancy ! ! ! ! no ip ftp passive ip ssh version 1 ! class-map type inspect match-all CCP_SSLVPN match access-group name CCP_IP ! ! policy-map type inspect ccp-sslvpn-pol class type inspect CCP_SSLVPN pass ! zone security sslvpn-zone ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key xxxxx address 209.101.19.226 ! crypto isakmp client configuration group SFGallery key xxxxxx dns 10.10.10.10 10.10.10.80 wins 10.10.10.10 10.10.10.80 domain gpgallery.com pool SDM_POOL_1 acl 111 save-password split-dns gpgallery.com max-users 25 max-logins 2 netmask 255.255.252.0 banner ^CWelcome to GP Gallery . . . ^C crypto isakmp profile ciscocp-ike-profile-1 match identity group SFGallery client authentication list ciscocp_vpn_xauth_ml_3 isakmp authorization list ciscocp_vpn_group_ml_2 client configuration address respond virtual-template 3 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac ! crypto ipsec profile CiscoCP_Profile1 set security-association idle-time 43200 set transform-set ESP-3DES-SHA3 set isakmp-profile ciscocp-ike-profile-1 ! ! crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to209.101.19.226 set peer 209.101.19.226 set transform-set ESP-3DES-SHA1 match address 107 ! ! ! ! ! interface Loopback1 ip address 192.168.5.1 255.255.255.0 ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 description T1 Cybermesa$ETH-WAN$ ip address 65.19.62.60 255.255.255.240 ip access-group 105 in ip nat outside ip virtual-reassembly in duplex auto speed auto crypto map SDM_CMAP_1 ! interface GigabitEthernet0/1 description LANOverloadNet$ETH-WAN$ ip address 172.16.0.1 255.255.252.0 ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface GigabitEthernet0/2 description LAN$ETH-LAN$ ip address 10.10.10.2 255.255.255.128 ip access-group 100 in ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface Virtual-Template1 type tunnel ip unnumbered Loopback1 ! interface Virtual-Template2 ip unnumbered Loopback1 zone-member security sslvpn-zone ! interface Virtual-Template3 type tunnel ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile CiscoCP_Profile1 ! ! ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254 ip forward-protocol nd ! ip http server ip http access-class 1 ip http authentication local no ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip flow-top-talkers top 10 sort-by bytes cache-timeout 60000 ! ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 65.19.62.49 permanent ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 permanent ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent ! ip access-list extended CCP_IP remark CCP_ACL Category=128 permit ip any any ! no logging trap logging 10.10.10.107 access-list 1 permit 192.168.1.2 access-list 1 remark CCP_ACL Category=1 access-list 1 permit 72.216.51.56 0.0.0.7 access-list 1 permit 172.16.0.0 0.0.3.255 access-list 1 permit 172.16.4.0 0.0.3.255 access-list 1 permit 10.10.10.128 0.0.0.31 access-list 1 remark Auto generated by SDM Management Access feature access-list 1 permit 65.19.62.48 0.0.0.15 access-list 1 permit 10.10.10.0 0.0.0.127 access-list 100 remark Auto generated by SDM Management Access feature access-list 100 remark CCP_ACL Category=1 access-list 100 permit ip any host 10.10.10.2 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd access-list 100 deny tcp any host 10.10.10.2 eq telnet access-list 100 deny tcp any host 10.10.10.2 eq 22 access-list 100 deny tcp any host 10.10.10.2 eq www access-list 100 deny tcp any host 10.10.10.2 eq 443 access-list 100 deny tcp any host 10.10.10.2 eq cmd access-list 100 deny udp any host 10.10.10.2 eq snmp access-list 100 permit udp any eq domain host 10.10.10.2 access-list 100 permit udp host 10.10.10.80 eq domain any access-list 100 permit udp host 10.10.10.10 eq domain any access-list 100 permit ip any any access-list 101 remark Auto generated by SDM Management Access feature access-list 101 remark CCP_ACL Category=1 access-list 101 permit ip 72.216.51.56 0.0.0.7 any access-list 101 permit ip 172.16.0.0 0.0.3.255 any access-list 101 permit ip 172.16.4.0 0.0.3.255 any access-list 101 permit ip 10.10.10.128 0.0.0.31 any access-list 101 permit ip 65.19.62.48 0.0.0.15 any access-list 101 permit ip host 192.168.1.2 any access-list 101 permit ip 10.10.10.0 0.0.0.127 any access-list 102 remark Auto generated by SDM Management Access feature access-list 102 remark CCP_ACL Category=1 access-list 102 permit ip 72.216.51.56 0.0.0.7 any access-list 102 permit ip 172.16.0.0 0.0.3.255 any access-list 102 permit ip 172.16.4.0 0.0.3.255 any access-list 102 permit ip 10.10.10.128 0.0.0.31 any access-list 102 permit ip 65.19.62.48 0.0.0.15 any access-list 102 permit ip host 192.168.1.2 any access-list 102 permit ip 10.10.10.0 0.0.0.127 any access-list 103 remark Auto generated by SDM Management Access feature access-list 103 remark CCP_ACL Category=1 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd access-list 103 deny tcp any host 172.16.0.1 eq telnet access-list 103 deny tcp any host 172.16.0.1 eq 22 access-list 103 deny tcp any host 172.16.0.1 eq www access-list 103 deny tcp any host 172.16.0.1 eq 443 access-list 103 deny tcp any host 172.16.0.1 eq cmd access-list 103 deny udp any host 172.16.0.1 eq snmp access-list 103 permit ip any any access-list 104 remark CCP_ACL Category=4 access-list 104 remark IPSec Rule access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 105 remark Auto generated by SDM Management Access feature access-list 105 remark CCP_ACL Category=1 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq telnet access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq telnet access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq telnet access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq 22 access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq 22 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 22 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq www access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq www access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq www access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq 443 access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq 443 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 443 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq cmd access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq cmd access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq cmd access-list 105 deny tcp any host 65.19.62.60 eq telnet access-list 105 deny tcp any host 65.19.62.60 eq 22 access-list 105 deny tcp any host 65.19.62.60 eq www access-list 105 deny tcp any host 65.19.62.60 eq 443 access-list 105 deny tcp any host 65.19.62.60 eq cmd access-list 105 deny udp any host 65.19.62.60 eq snmp access-list 105 permit tcp any host 65.19.62.61 eq 443 access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127 access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.255 access-list 105 permit udp any eq domain host 65.19.62.60 access-list 105 permit ahp host 209.101.19.226 host 65.19.62.60 access-list 105 permit esp host 209.101.19.226 host 65.19.62.60 access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq isakmp access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq non500-isakmp access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 105 permit ip any any access-list 106 remark CCP_ACL Category=2 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 106 permit ip 10.10.10.0 0.0.0.255 any access-list 107 remark CCP_ACL Category=4 access-list 107 remark IPSec Rule access-list 107 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 remark CCP_ACL Category=2 access-list 108 remark IPSec Rule access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 permit ip 70.56.215.0 0.0.0.255 any access-list 109 remark CCP_ACL Category=2 access-list 109 remark IPSec Rule access-list 109 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 109 permit ip 172.16.0.0 0.0.255.255 any access-list 111 remark CCP_ACL Category=4 access-list 111 permit ip 10.10.10.0 0.0.0.127 any access-list 111 permit ip 10.10.10.128 0.0.0.31 any access-list 111 permit ip 172.16.0.0 0.0.3.255 any access-list 111 permit ip 172.16.4.0 0.0.3.255 any access-list 111 permit ip 10.10.10.160 0.0.0.31 any ! ! ! ! route-map SDM_RMAP_4 permit 1 match ip address 109 ! route-map SDM_RMAP_1 permit 1 match ip address 106 ! route-map SDM_RMAP_2 permit 1 match ip address 108 ! ! snmp-server community public RO snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps vrrp snmp-server enable traps transceiver all snmp-server enable traps ds1 snmp-server enable traps call-home message-send-fail server-fail snmp-server enable traps tty snmp-server enable traps eigrp snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps license snmp-server enable traps envmon snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up snmp-server enable traps flash insertion removal snmp-server enable traps c3g snmp-server enable traps ds3 snmp-server enable traps adslline snmp-server enable traps vdsl2line snmp-server enable traps icsudsu snmp-server enable traps isdn call-information snmp-server enable traps isdn layer2 snmp-server enable traps isdn chan-not-avail snmp-server enable traps isdn ietf snmp-server enable traps ds0-busyout snmp-server enable traps ds1-loopback snmp-server enable traps energywise snmp-server enable traps vstack snmp-server enable traps mac-notification snmp-server enable traps bgp snmp-server enable traps isis snmp-server enable traps rf snmp-server enable traps aaa_server snmp-server enable traps atm subif snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency snmp-server enable traps memory bufferpeak snmp-server enable traps cnpd snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps fru-ctrl snmp-server enable traps resource-policy snmp-server enable traps event-manager snmp-server enable traps frame-relay multilink bundle-mismatch snmp-server enable traps frame-relay snmp-server enable traps frame-relay subif snmp-server enable traps hsrp snmp-server enable traps ipmulticast snmp-server enable traps msdp snmp-server enable traps mvpn snmp-server enable traps nhrp nhs snmp-server enable traps nhrp nhc snmp-server enable traps nhrp nhp snmp-server enable traps nhrp quota-exceeded snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message snmp-server enable traps pppoe snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps l2tun session snmp-server enable traps l2tun pseudowire status snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server enable traps bfd snmp-server enable traps firewall serverstatus snmp-server enable traps isakmp policy add snmp-server enable traps isakmp policy delete snmp-server enable traps isakmp tunnel start snmp-server enable traps isakmp tunnel stop snmp-server enable traps ipsec cryptomap add snmp-server enable traps ipsec cryptomap delete snmp-server enable traps ipsec cryptomap attach snmp-server enable traps ipsec cryptomap detach snmp-server enable traps ipsec tunnel start snmp-server enable traps ipsec tunnel stop snmp-server enable traps ipsec too-many-sas snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down snmp-server host 10.10.10.107 public ! ! ! control-plane ! ! banner login ^CCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 access-class 102 in transport input telnet line vty 5 15 access-class 101 in transport input telnet ! scheduler allocate 20000 1000 end
... View more
Labels:
Created by
MikeCaditz
in VPN and AnyConnect
in VPN and AnyConnect
11-29-2011
06:22 PM
11-29-2011
06:22 PM
I have successfully implented both a site-to-site VPN, and an Easy VPN server. The outside IP for each service is the same, i.e. 65.19.62.60. This is the IP address assigned to GE0/0. But I do not like this; I would like to move one of the services, preferably the Easy VPN server, to 65.19.62.61. But I do not know how to do this. In the case of an SSL VPN, I know it is possible to create an SSL VPN gateway listening on 65.19.62.61. But how is it done in Easy VPN? One other issue: Currently, traffic from a remote Easy VPN user is not routed out the site-to-site VPN. In other words, a Easy VPN client cannot reach the remote site on the site-to-site VPN. How would I create route for that?' Thanks! Building configuration... Current configuration : 18830 bytes ! ! Last configuration change at 19:01:55 PCTime Tue Nov 29 2011 by admin ! NVRAM config last updated at 19:02:42 PCTime Tue Nov 29 2011 by admin ! NVRAM config last updated at 19:02:42 PCTime Tue Nov 29 2011 by admin version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname SFGallery ! boot-start-marker boot-end-marker ! ! no logging buffered ! aaa new-model ! ! aaa authentication login default local aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authentication login ciscocp_vpn_xauth_ml_2 local aaa authentication login ciscocp_vpn_xauth_ml_3 local aaa authorization exec default local aaa authorization network ciscocp_vpn_group_ml_1 local aaa authorization network ciscocp_vpn_group_ml_2 local ! ! ! ! ! aaa session-id common ! clock timezone PCTime -7 0 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! no ipv6 cef ip source-route ip cef ! ! ! ! ! ip domain name gpgallery.com ip name-server 10.10.10.10 ip name-server 8.8.8.8 ip name-server 8.8.4.4 ip name-server 10.10.10.80 ! multilink bundle-name authenticated ! ! crypto pki token default removal timeout 0 ! crypto pki trustpoint test_trustpoint_config_created_for_sdm subject-name e=sdmtest@sdmtest.com revocation-check crl ! crypto pki trustpoint SFGallery_Certificate enrollment selfsigned serial-number none ip-address none revocation-check crl rsakeypair SFGallery_Certificate_RSAKey 512 ! ! crypto pki certificate chain test_trustpoint_config_created_for_sdm crypto pki certificate chain SFGallery_Certificate certificate self-signed 01 xxxx quit license udi pid CISCO2911/K9 sn xxxxxx license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! object-group network Corp 172.16.4.0 255.255.252.0 10.10.10.128 255.255.255.224 ! object-group network SFGallery 172.16.0.0 255.255.252.0 10.10.10.0 255.255.255.128 ! object-group network NY 10.10.10.160 255.255.255.224 ! object-group network GPAll group-object SFGallery group-object NY group-object Corp ! username xxx privilege 15 secret 5 xxxx username xxx privilege 15 secret 5 $xxx username xxxx privilege 15 secret 5 $xxxxx ! redundancy ! ! ! ! no ip ftp passive ip ssh version 1 ! class-map type inspect match-all CCP_SSLVPN match access-group name CCP_IP ! ! policy-map type inspect ccp-sslvpn-pol class type inspect CCP_SSLVPN pass ! zone security sslvpn-zone ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key xxxxx address 209.101.19.226 ! crypto isakmp client configuration group SFGallery key xxxxxx dns 10.10.10.10 10.10.10.80 wins 10.10.10.10 10.10.10.80 domain gpgallery.com pool SDM_POOL_1 acl 111 save-password split-dns gpgallery.com max-users 25 max-logins 2 netmask 255.255.252.0 banner ^CWelcome to GP Gallery . . . ^C crypto isakmp profile ciscocp-ike-profile-1 match identity group SFGallery client authentication list ciscocp_vpn_xauth_ml_3 isakmp authorization list ciscocp_vpn_group_ml_2 client configuration address respond virtual-template 3 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac ! crypto ipsec profile CiscoCP_Profile1 set security-association idle-time 43200 set transform-set ESP-3DES-SHA3 set isakmp-profile ciscocp-ike-profile-1 ! ! crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to209.101.19.226 set peer 209.101.19.226 set transform-set ESP-3DES-SHA1 match address 107 ! ! ! ! ! interface Loopback1 ip address 192.168.5.1 255.255.255.0 ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 description T1 Cybermesa$ETH-WAN$ ip address 65.19.62.60 255.255.255.240 ip access-group 105 in ip nat outside ip virtual-reassembly in duplex auto speed auto crypto map SDM_CMAP_1 ! interface GigabitEthernet0/1 description LANOverloadNet$ETH-WAN$ ip address 172.16.0.1 255.255.252.0 ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface GigabitEthernet0/2 description LAN$ETH-LAN$ ip address 10.10.10.2 255.255.255.128 ip access-group 100 in ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface Virtual-Template1 type tunnel ip unnumbered Loopback1 ! interface Virtual-Template2 ip unnumbered Loopback1 zone-member security sslvpn-zone ! interface Virtual-Template3 type tunnel ip unnumbered GigabitEthernet0/0 tunnel mode ipsec ipv4 tunnel protection ipsec profile CiscoCP_Profile1 ! ! ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254 ip forward-protocol nd ! ip http server ip http access-class 1 ip http authentication local no ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip flow-top-talkers top 10 sort-by bytes cache-timeout 60000 ! ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 65.19.62.49 permanent ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 permanent ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent ! ip access-list extended CCP_IP remark CCP_ACL Category=128 permit ip any any ! no logging trap logging 10.10.10.107 access-list 1 permit 192.168.1.2 access-list 1 remark CCP_ACL Category=1 access-list 1 permit 72.216.51.56 0.0.0.7 access-list 1 permit 172.16.0.0 0.0.3.255 access-list 1 permit 172.16.4.0 0.0.3.255 access-list 1 permit 10.10.10.128 0.0.0.31 access-list 1 remark Auto generated by SDM Management Access feature access-list 1 permit 65.19.62.48 0.0.0.15 access-list 1 permit 10.10.10.0 0.0.0.127 access-list 100 remark Auto generated by SDM Management Access feature access-list 100 remark CCP_ACL Category=1 access-list 100 permit ip any host 10.10.10.2 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq telnet access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 22 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq www access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq 443 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443 access-list 100 permit tcp object-group GPAll host 10.10.10.2 eq cmd access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd access-list 100 deny tcp any host 10.10.10.2 eq telnet access-list 100 deny tcp any host 10.10.10.2 eq 22 access-list 100 deny tcp any host 10.10.10.2 eq www access-list 100 deny tcp any host 10.10.10.2 eq 443 access-list 100 deny tcp any host 10.10.10.2 eq cmd access-list 100 deny udp any host 10.10.10.2 eq snmp access-list 100 permit udp any eq domain host 10.10.10.2 access-list 100 permit udp host 10.10.10.80 eq domain any access-list 100 permit udp host 10.10.10.10 eq domain any access-list 100 permit ip any any access-list 101 remark Auto generated by SDM Management Access feature access-list 101 remark CCP_ACL Category=1 access-list 101 permit ip 72.216.51.56 0.0.0.7 any access-list 101 permit ip 172.16.0.0 0.0.3.255 any access-list 101 permit ip 172.16.4.0 0.0.3.255 any access-list 101 permit ip 10.10.10.128 0.0.0.31 any access-list 101 permit ip 65.19.62.48 0.0.0.15 any access-list 101 permit ip host 192.168.1.2 any access-list 101 permit ip 10.10.10.0 0.0.0.127 any access-list 102 remark Auto generated by SDM Management Access feature access-list 102 remark CCP_ACL Category=1 access-list 102 permit ip 72.216.51.56 0.0.0.7 any access-list 102 permit ip 172.16.0.0 0.0.3.255 any access-list 102 permit ip 172.16.4.0 0.0.3.255 any access-list 102 permit ip 10.10.10.128 0.0.0.31 any access-list 102 permit ip 65.19.62.48 0.0.0.15 any access-list 102 permit ip host 192.168.1.2 any access-list 102 permit ip 10.10.10.0 0.0.0.127 any access-list 103 remark Auto generated by SDM Management Access feature access-list 103 remark CCP_ACL Category=1 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd access-list 103 deny tcp any host 172.16.0.1 eq telnet access-list 103 deny tcp any host 172.16.0.1 eq 22 access-list 103 deny tcp any host 172.16.0.1 eq www access-list 103 deny tcp any host 172.16.0.1 eq 443 access-list 103 deny tcp any host 172.16.0.1 eq cmd access-list 103 deny udp any host 172.16.0.1 eq snmp access-list 103 permit ip any any access-list 104 remark CCP_ACL Category=4 access-list 104 remark IPSec Rule access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 105 remark Auto generated by SDM Management Access feature access-list 105 remark CCP_ACL Category=1 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq telnet access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq telnet access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq telnet access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq 22 access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq 22 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 22 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq www access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq www access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq www access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq 443 access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq 443 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 443 access-list 105 permit tcp 72.216.51.56 0.0.0.7 host 65.19.62.60 eq cmd access-list 105 permit tcp 172.16.0.0 0.0.3.255 host 65.19.62.60 eq cmd access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq cmd access-list 105 deny tcp any host 65.19.62.60 eq telnet access-list 105 deny tcp any host 65.19.62.60 eq 22 access-list 105 deny tcp any host 65.19.62.60 eq www access-list 105 deny tcp any host 65.19.62.60 eq 443 access-list 105 deny tcp any host 65.19.62.60 eq cmd access-list 105 deny udp any host 65.19.62.60 eq snmp access-list 105 permit tcp any host 65.19.62.61 eq 443 access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127 access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.255 access-list 105 permit udp any eq domain host 65.19.62.60 access-list 105 permit ahp host 209.101.19.226 host 65.19.62.60 access-list 105 permit esp host 209.101.19.226 host 65.19.62.60 access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq isakmp access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq non500-isakmp access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 105 permit ip any any access-list 106 remark CCP_ACL Category=2 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 106 permit ip 10.10.10.0 0.0.0.255 any access-list 107 remark CCP_ACL Category=4 access-list 107 remark IPSec Rule access-list 107 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 remark CCP_ACL Category=2 access-list 108 remark IPSec Rule access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 permit ip 70.56.215.0 0.0.0.255 any access-list 109 remark CCP_ACL Category=2 access-list 109 remark IPSec Rule access-list 109 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 109 permit ip 172.16.0.0 0.0.255.255 any access-list 111 remark CCP_ACL Category=4 access-list 111 permit ip 10.10.10.0 0.0.0.127 any access-list 111 permit ip 10.10.10.128 0.0.0.31 any access-list 111 permit ip 172.16.0.0 0.0.3.255 any access-list 111 permit ip 172.16.4.0 0.0.3.255 any access-list 111 permit ip 10.10.10.160 0.0.0.31 any ! ! ! ! route-map SDM_RMAP_4 permit 1 match ip address 109 ! route-map SDM_RMAP_1 permit 1 match ip address 106 ! route-map SDM_RMAP_2 permit 1 match ip address 108 ! ! snmp-server community public RO snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps vrrp snmp-server enable traps transceiver all snmp-server enable traps ds1 snmp-server enable traps call-home message-send-fail server-fail snmp-server enable traps tty snmp-server enable traps eigrp snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps license snmp-server enable traps envmon snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up snmp-server enable traps flash insertion removal snmp-server enable traps c3g snmp-server enable traps ds3 snmp-server enable traps adslline snmp-server enable traps vdsl2line snmp-server enable traps icsudsu snmp-server enable traps isdn call-information snmp-server enable traps isdn layer2 snmp-server enable traps isdn chan-not-avail snmp-server enable traps isdn ietf snmp-server enable traps ds0-busyout snmp-server enable traps ds1-loopback snmp-server enable traps energywise snmp-server enable traps vstack snmp-server enable traps mac-notification snmp-server enable traps bgp snmp-server enable traps isis snmp-server enable traps rf snmp-server enable traps aaa_server snmp-server enable traps atm subif snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency snmp-server enable traps memory bufferpeak snmp-server enable traps cnpd snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps fru-ctrl snmp-server enable traps resource-policy snmp-server enable traps event-manager snmp-server enable traps frame-relay multilink bundle-mismatch snmp-server enable traps frame-relay snmp-server enable traps frame-relay subif snmp-server enable traps hsrp snmp-server enable traps ipmulticast snmp-server enable traps msdp snmp-server enable traps mvpn snmp-server enable traps nhrp nhs snmp-server enable traps nhrp nhc snmp-server enable traps nhrp nhp snmp-server enable traps nhrp quota-exceeded snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message snmp-server enable traps pppoe snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps l2tun session snmp-server enable traps l2tun pseudowire status snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server enable traps bfd snmp-server enable traps firewall serverstatus snmp-server enable traps isakmp policy add snmp-server enable traps isakmp policy delete snmp-server enable traps isakmp tunnel start snmp-server enable traps isakmp tunnel stop snmp-server enable traps ipsec cryptomap add snmp-server enable traps ipsec cryptomap delete snmp-server enable traps ipsec cryptomap attach snmp-server enable traps ipsec cryptomap detach snmp-server enable traps ipsec tunnel start snmp-server enable traps ipsec tunnel stop snmp-server enable traps ipsec too-many-sas snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down snmp-server host 10.10.10.107 public ! ! ! control-plane ! ! banner login ^CCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 access-class 102 in transport input telnet line vty 5 15 access-class 101 in transport input telnet ! scheduler allocate 20000 1000 end
... View more
Created by
MikeCaditz
in VPN and AnyConnect
in VPN and AnyConnect
11-28-2011
05:34 PM
11-28-2011
05:34 PM
On my 2911 router, can I have both an Easy VPN server, and a site-to-site VPN? Also, with an Easy VPN, is it possible to specify another internet (outside) IP address in my assigned range as the address remote users use . . . rather than the specific IP address assigned to the interface? Thanks!
... View more
Labels:
11-28-2011
11:26 AM
Using CCP I deleted the SSL VPN. Instead I created an EasyVPN. Although my EasyVPN passed the "Test VPN", I still have inability to connect via VPN client 5. I have a site to site VPN which is working properly. I cannot see where I specify the internet IP address that the VPN client should connect to. I want to specify a different IP address (in my range of assigned outside IPs) than the main one assigned to Interface0/0. Building configuration... Current configuration : 17087 bytes ! ! Last configuration change at 12:11:17 PCTime Mon Nov 28 2011 by admin ! NVRAM config last updated at 11:53:24 PCTime Mon Nov 28 2011 by admin ! NVRAM config last updated at 11:53:24 PCTime Mon Nov 28 2011 by admin version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname SFGallery ! boot-start-marker boot-end-marker ! ! no logging buffered ! aaa new-model ! ! aaa authentication login default local aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authentication login ciscocp_vpn_xauth_ml_2 local aaa authentication login ciscocp_vpn_xauth_ml_3 local aaa authorization exec default local aaa authorization network ciscocp_vpn_group_ml_1 local aaa authorization network ciscocp_vpn_group_ml_2 local ! ! ! ! ! aaa session-id common ! clock timezone PCTime -7 0 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! no ipv6 cef ip source-route ip cef ! ! ! ! ! ip domain name gpgallery.com ip name-server 10.10.10.10 ip name-server 8.8.8.8 ip name-server 8.8.4.4 ip name-server 10.10.10.80 ! multilink bundle-name authenticated ! ! crypto pki token default removal timeout 0 ! crypto pki trustpoint test_trustpoint_config_created_for_sdm subject-name e=sdmtest@sdmtest.com revocation-check crl ! crypto pki trustpoint SFGallery_Certificate enrollment selfsigned serial-number none ip-address none revocation-check crl rsakeypair SFGallery_Certificate_RSAKey 512 ! ! crypto pki certificate chain test_trustpoint_config_created_for_sdm crypto pki certificate chain SFGallery_Certificate certificate self-signed 01 xxxxxx quit license udi pid CISCO2911/K9 sn FTX1542AKJ3 license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! username xxxx privilege 15 secret 5 xxx username xxxx privilege 15 secret 5 xxxxxx username xxxx privilege 15 secret 5 xxxxxx! redundancy ! ! ! ! no ip ftp passive ip ssh version 1 ! class-map type inspect match-all CCP_SSLVPN match access-group name CCP_IP ! ! policy-map type inspect ccp-sslvpn-pol class type inspect CCP_SSLVPN pass ! zone security sslvpn-zone ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key xxxxxx address 209.101.19.226 ! crypto isakmp client configuration group SFGallery key xxxxxxx dns 10.10.10.10 10.10.10.80 wins 10.10.10.10 10.10.10.80 domain gpgallery.com pool SDM_POOL_1 acl 111 split-dns gpgallery.com max-users 25 netmask 255.255.252.0 crypto isakmp profile ciscocp-ike-profile-1 match identity group SFGallery client authentication list ciscocp_vpn_xauth_ml_3 isakmp authorization list ciscocp_vpn_group_ml_2 client configuration address respond virtual-template 3 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac ! crypto ipsec profile CiscoCP_Profile1 set security-association idle-time 43200 set transform-set ESP-3DES-SHA3 set isakmp-profile ciscocp-ike-profile-1 ! ! crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to209.101.19.226 set peer 209.101.19.226 set transform-set ESP-3DES-SHA1 match address 107 ! ! ! ! ! interface Loopback1 ip address 192.168.5.1 255.255.255.0 ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 description T1 Cybermesa$ETH-WAN$ ip address 65.19.62.60 255.255.255.240 ip access-group 105 in ip nat outside ip virtual-reassembly in duplex auto speed auto crypto map SDM_CMAP_1 ! interface GigabitEthernet0/1 description LANOverloadNet$ETH-WAN$ ip address 172.16.0.1 255.255.252.0 ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface GigabitEthernet0/2 description LAN$ETH-LAN$ ip address 10.10.10.2 255.255.255.128 ip access-group 100 in ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface Virtual-Template1 type tunnel ip unnumbered Loopback1 ! interface Virtual-Template2 ip unnumbered Loopback1 zone-member security sslvpn-zone ! interface Virtual-Template3 type tunnel ip unnumbered Loopback1 tunnel mode ipsec ipv4 tunnel protection ipsec profile CiscoCP_Profile1 ! ! ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254 ip forward-protocol nd ! ip http server ip http access-class 1 ip http authentication local no ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip flow-top-talkers top 10 sort-by bytes cache-timeout 60000 ! ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 65.19.62.49 permanent ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 permanent ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent ip route 172.16.0.0 255.255.252.0 GigabitEthernet0/1 permanent ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent ! ip access-list extended CCP_IP remark CCP_ACL Category=128 permit ip any any ! no logging trap logging 10.10.10.107 access-list 1 permit 192.168.1.2 access-list 1 remark CCP_ACL Category=1 access-list 1 permit 172.16.4.0 0.0.3.255 access-list 1 permit 10.10.10.128 0.0.0.31 access-list 1 remark Auto generated by SDM Management Access feature access-list 1 permit 65.19.62.48 0.0.0.15 access-list 1 permit 10.10.10.0 0.0.0.127 access-list 100 remark Auto generated by SDM Management Access feature access-list 100 remark CCP_ACL Category=1 access-list 100 permit ip any host 10.10.10.2 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd access-list 100 deny tcp any host 10.10.10.2 eq telnet access-list 100 deny tcp any host 10.10.10.2 eq 22 access-list 100 deny tcp any host 10.10.10.2 eq www access-list 100 deny tcp any host 10.10.10.2 eq 443 access-list 100 deny tcp any host 10.10.10.2 eq cmd access-list 100 deny udp any host 10.10.10.2 eq snmp access-list 100 permit udp any eq domain host 10.10.10.2 access-list 100 permit udp host 10.10.10.80 eq domain any access-list 100 permit udp host 10.10.10.10 eq domain any access-list 100 permit ip any any access-list 101 remark Auto generated by SDM Management Access feature access-list 101 remark CCP_ACL Category=1 access-list 101 permit ip 172.16.4.0 0.0.3.255 any access-list 101 permit ip 10.10.10.128 0.0.0.31 any access-list 101 permit ip 65.19.62.48 0.0.0.15 any access-list 101 permit ip host 192.168.1.2 any access-list 101 permit ip 10.10.10.0 0.0.0.127 any access-list 102 remark Auto generated by SDM Management Access feature access-list 102 remark CCP_ACL Category=1 access-list 102 permit ip 172.16.4.0 0.0.3.255 any access-list 102 permit ip 10.10.10.128 0.0.0.31 any access-list 102 permit ip 65.19.62.48 0.0.0.15 any access-list 102 permit ip host 192.168.1.2 any access-list 102 permit ip 10.10.10.0 0.0.0.127 any access-list 103 remark Auto generated by SDM Management Access feature access-list 103 remark CCP_ACL Category=1 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd access-list 103 deny tcp any host 172.16.0.1 eq telnet access-list 103 deny tcp any host 172.16.0.1 eq 22 access-list 103 deny tcp any host 172.16.0.1 eq www access-list 103 deny tcp any host 172.16.0.1 eq 443 access-list 103 deny tcp any host 172.16.0.1 eq cmd access-list 103 deny udp any host 172.16.0.1 eq snmp access-list 103 permit ip any any access-list 104 remark CCP_ACL Category=4 access-list 104 remark IPSec Rule access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 105 remark Auto generated by SDM Management Access feature access-list 105 remark CCP_ACL Category=1 access-list 105 permit tcp any host 65.19.62.61 eq 443 access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127 access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.255 access-list 105 permit udp any eq domain host 65.19.62.60 access-list 105 permit ahp host 209.101.19.226 host 65.19.62.60 access-list 105 permit esp host 209.101.19.226 host 65.19.62.60 access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq isakmp access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq non500-isakmp access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq telnet access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 22 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq www access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 443 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq cmd access-list 105 deny tcp any host 65.19.62.60 eq telnet access-list 105 deny tcp any host 65.19.62.60 eq 22 access-list 105 deny tcp any host 65.19.62.60 eq www access-list 105 deny tcp any host 65.19.62.60 eq 443 access-list 105 deny tcp any host 65.19.62.60 eq cmd access-list 105 deny udp any host 65.19.62.60 eq snmp access-list 105 permit ip any any access-list 106 remark CCP_ACL Category=2 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 106 permit ip 10.10.10.0 0.0.0.255 any access-list 107 remark CCP_ACL Category=4 access-list 107 remark IPSec Rule access-list 107 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 remark CCP_ACL Category=2 access-list 108 remark IPSec Rule access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 permit ip 70.56.215.0 0.0.0.255 any access-list 109 remark CCP_ACL Category=2 access-list 109 remark IPSec Rule access-list 109 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 109 permit ip 172.16.0.0 0.0.3.255 any access-list 111 remark CCP_ACL Category=4 access-list 111 permit ip 10.10.10.0 0.0.0.127 any access-list 111 permit ip 10.10.10.128 0.0.0.31 any access-list 111 permit ip 172.16.0.0 0.0.3.255 any access-list 111 permit ip 172.16.4.0 0.0.3.255 any ! ! ! ! route-map SDM_RMAP_4 permit 1 match ip address 109 ! route-map SDM_RMAP_1 permit 1 match ip address 106 ! route-map SDM_RMAP_2 permit 1 match ip address 108 ! ! snmp-server community public RO snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps vrrp snmp-server enable traps transceiver all snmp-server enable traps ds1 snmp-server enable traps call-home message-send-fail server-fail snmp-server enable traps tty snmp-server enable traps eigrp snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps license snmp-server enable traps envmon snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up snmp-server enable traps flash insertion removal snmp-server enable traps c3g snmp-server enable traps ds3 snmp-server enable traps adslline snmp-server enable traps vdsl2line snmp-server enable traps icsudsu snmp-server enable traps isdn call-information snmp-server enable traps isdn layer2 snmp-server enable traps isdn chan-not-avail snmp-server enable traps isdn ietf snmp-server enable traps ds0-busyout snmp-server enable traps ds1-loopback snmp-server enable traps energywise snmp-server enable traps vstack snmp-server enable traps mac-notification snmp-server enable traps bgp snmp-server enable traps isis snmp-server enable traps rf snmp-server enable traps aaa_server snmp-server enable traps atm subif snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency snmp-server enable traps memory bufferpeak snmp-server enable traps cnpd snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps fru-ctrl snmp-server enable traps resource-policy snmp-server enable traps event-manager snmp-server enable traps frame-relay multilink bundle-mismatch snmp-server enable traps frame-relay snmp-server enable traps frame-relay subif snmp-server enable traps hsrp snmp-server enable traps ipmulticast snmp-server enable traps msdp snmp-server enable traps mvpn snmp-server enable traps nhrp nhs snmp-server enable traps nhrp nhc snmp-server enable traps nhrp nhp snmp-server enable traps nhrp quota-exceeded snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message snmp-server enable traps pppoe snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps l2tun session snmp-server enable traps l2tun pseudowire status snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server enable traps bfd snmp-server enable traps firewall serverstatus snmp-server enable traps isakmp policy add snmp-server enable traps isakmp policy delete snmp-server enable traps isakmp tunnel start snmp-server enable traps isakmp tunnel stop snmp-server enable traps ipsec cryptomap add snmp-server enable traps ipsec cryptomap delete snmp-server enable traps ipsec cryptomap attach snmp-server enable traps ipsec cryptomap detach snmp-server enable traps ipsec tunnel start snmp-server enable traps ipsec tunnel stop snmp-server enable traps ipsec too-many-sas snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down snmp-server host 10.10.10.107 public ! ! ! control-plane ! ! banner login ^CCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 access-class 102 in transport input telnet line vty 5 15 access-class 101 in transport input telnet ! scheduler allocate 20000 1000 end
... View more
11-26-2011
10:54 PM
Thanks, Ajay. Are you saying that the Cisco VPN client works with "EasyVPN" but the SSL VPN requires "AnyConnect"? I initially used the EasyVPN wizard in CCP, then deleted the EasyVPN. Were renants left in my config file? What do I need to delete to get rid of the EasyVPN completely?
... View more
11-26-2011
12:06 PM
When I try to connect from remote host to SSL VPN on 2911 router, I get following errors: Cisco Systems VPN Client Version 5.0.07.0410 Copyright (C) 1998-2010 Cisco Systems, Inc. All Rights Reserved. Client Type(s): Windows, WinNT Running on: 5.1.2600 Service Pack 3 Config file directory: C:\Program Files\Cisco Systems\VPN Client\ 1 12:52:38.538 11/26/11 Sev=Warning/2 IKE/0xE300009B Invalid SPI size (PayloadNotify:116) 2 12:52:38.538 11/26/11 Sev=Warning/3 IKE/0xA3000058 Received malformed message or negotiation no longer active (message id: 0x00000000) It doesn't matter what username and password I use; I guess it never gets to that point of authentication. Any suggestions? Running-config below: Building configuration... Current configuration : 16633 bytes ! ! Last configuration change at 11:28:48 PCTime Sat Nov 26 2011 by xxx ! NVRAM config last updated at 16:45:09 PCTime Fri Nov 25 2011 by xxx ! NVRAM config last updated at 16:45:09 PCTime Fri Nov 25 2011 by xxxxx version 15.1 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname SFGallery ! boot-start-marker boot-end-marker ! ! no logging buffered ! aaa new-model ! ! aaa authentication login default local aaa authentication login ciscocp_vpn_xauth_ml_1 local aaa authentication login ciscocp_vpn_xauth_ml_2 local aaa authorization exec default local aaa authorization network ciscocp_vpn_group_ml_1 local ! ! ! ! ! aaa session-id common ! clock timezone PCTime -7 0 clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00 ! no ipv6 cef ip source-route ip cef ! ! ! ! ! ip domain name gpgallery.com ip name-server 10.10.10.10 ip name-server 8.8.8.8 ip name-server 8.8.4.4 ip name-server 10.10.10.80 ! multilink bundle-name authenticated ! ! crypto pki token default removal timeout 0 ! crypto pki trustpoint test_trustpoint_config_created_for_sdm subject-name e=sdmtest@sdmtest.com revocation-check crl ! crypto pki trustpoint SFGallery_Certificate enrollment selfsigned serial-number none ip-address none revocation-check crl rsakeypair SFGallery_Certificate_RSAKey 512 ! ! crypto pki certificate chain test_trustpoint_config_created_for_sdm crypto pki certificate chain SFGallery_Certificate certificate self-signed 01 30820194 3082013E A0030201 02020101 300D0609 2A864886 F70D0101 05050030 28312630 2406092A 864886F7 0D010902 16175346 47616C6C 6572792E 67706761 6C6C6572 792E636F 6D301E17 0D313131 31323230 34333233 315A170D 32303031 30313030 30303030 5A302831 26302406 092A8648 86F70D01 09021617 53464761 6C6C6572 792E6770 67616C6C 6572792E 636F6D30 5C300D06 092A8648 86F70D01 01010500 034B0030 48024100 993C9074 AD95147D EC76B19B 824EA499 4C760A3C 25057180 3348DAB7 074D6441 0FEED924 0385E47C E9B393C5 CB304B0C AC77C1E8 FF2ADAF0 1D492AAC DC58388F 02030100 01A35330 51300F06 03551D13 0101FF04 05300301 01FF301F 0603551D 23041830 16801452 5378B365 FA6BA8CA CA961FDF 57E7C401 03C09B30 1D060355 1D0E0416 04145253 78B365FA 6BA8CACA 961FDF57 E7C40103 C09B300D 06092A86 4886F70D 01010505 00034100 2249E24A 95AC0FE6 DE1D523C EA0DDBDE 4A5FF376 78A987BD 8EBE6197 9D7039D4 6E982DFC C6176C7B B563ABA3 5988148B B40B5250 FE15C70A E0A65080 3822D684 quit license udi pid CISCO2911/K9 sn FTX1542AKJ3 license boot module c2900 technology-package securityk9 license boot module c2900 technology-package datak9 ! ! username xxxx privilege 15 secret 5 xxxx username xxxxxx privilege 15 secret 5 xxxx ! redundancy ! ! ! ! no ip ftp passive ip ssh version 1 ! class-map type inspect match-all CCP_SSLVPN match access-group name CCP_IP ! ! policy-map type inspect ccp-sslvpn-pol class type inspect CCP_SSLVPN pass ! zone security sslvpn-zone ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp key TempVPN1# address 209.101.19.226 ! crypto isakmp client configuration group SFGallery key 12ui##143222 pool SDM_POOL_1 max-users 25 netmask 255.255.252.0 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac ! crypto map SDM_CMAP_1 1 ipsec-isakmp description Tunnel to209.101.19.226 set peer 209.101.19.226 set transform-set ESP-3DES-SHA1 match address 107 ! ! ! ! ! interface Loopback1 ip address 192.168.5.1 255.255.255.0 ! interface Embedded-Service-Engine0/0 no ip address shutdown ! interface GigabitEthernet0/0 description T1 Cybermesa$ETH-WAN$ ip address 65.19.62.60 255.255.255.240 ip access-group 105 in ip nat outside ip virtual-reassembly in duplex auto speed auto crypto map SDM_CMAP_1 ! interface GigabitEthernet0/1 description LANOverloadNet$ETH-WAN$ ip address 172.16.0.1 255.255.252.0 ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface GigabitEthernet0/2 description LAN$ETH-LAN$ ip address 10.10.10.2 255.255.255.128 ip access-group 100 in ip nat inside ip virtual-reassembly in duplex auto speed auto ! interface Virtual-Template1 type tunnel ip unnumbered Loopback1 ! interface Virtual-Template2 ip unnumbered Loopback1 zone-member security sslvpn-zone ! ! ip local pool SDM_POOL_1 172.16.3.200 172.16.3.254 ip forward-protocol nd ! ip http server ip http access-class 1 ip http authentication local no ip http secure-server ip http timeout-policy idle 60 life 86400 requests 10000 ip flow-top-talkers top 10 sort-by bytes cache-timeout 60000 ! ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/0 overload ip nat inside source route-map SDM_RMAP_4 interface GigabitEthernet0/0 overload ip route 0.0.0.0 0.0.0.0 65.19.62.49 permanent ip route 10.10.10.0 255.255.255.128 GigabitEthernet0/2 permanent ip route 10.10.10.128 255.255.255.224 10.10.10.126 permanent ip route 172.16.0.0 255.255.252.0 GigabitEthernet0/1 permanent ip route 172.16.4.0 255.255.252.0 10.10.10.126 permanent ! ip access-list extended CCP_IP remark CCP_ACL Category=128 permit ip any any ! no logging trap logging 10.10.10.107 access-list 1 permit 192.168.1.2 access-list 1 remark CCP_ACL Category=1 access-list 1 permit 172.16.4.0 0.0.3.255 access-list 1 permit 10.10.10.128 0.0.0.31 access-list 1 remark Auto generated by SDM Management Access feature access-list 1 permit 65.19.62.48 0.0.0.15 access-list 1 permit 10.10.10.0 0.0.0.127 access-list 100 remark Auto generated by SDM Management Access feature access-list 100 remark CCP_ACL Category=1 access-list 100 permit ip any host 10.10.10.2 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq telnet access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq telnet access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 22 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 22 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq www access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq www access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq 443 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq 443 access-list 100 permit tcp 172.16.4.0 0.0.3.255 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.128 0.0.0.31 host 10.10.10.2 eq cmd access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.2 eq cmd access-list 100 deny tcp any host 10.10.10.2 eq telnet access-list 100 deny tcp any host 10.10.10.2 eq 22 access-list 100 deny tcp any host 10.10.10.2 eq www access-list 100 deny tcp any host 10.10.10.2 eq 443 access-list 100 deny tcp any host 10.10.10.2 eq cmd access-list 100 deny udp any host 10.10.10.2 eq snmp access-list 100 permit udp any eq domain host 10.10.10.2 access-list 100 permit udp host 10.10.10.80 eq domain any access-list 100 permit udp host 10.10.10.10 eq domain any access-list 100 permit ip any any access-list 101 remark Auto generated by SDM Management Access feature access-list 101 remark CCP_ACL Category=1 access-list 101 permit ip 172.16.4.0 0.0.3.255 any access-list 101 permit ip 10.10.10.128 0.0.0.31 any access-list 101 permit ip 65.19.62.48 0.0.0.15 any access-list 101 permit ip host 192.168.1.2 any access-list 101 permit ip 10.10.10.0 0.0.0.127 any access-list 102 remark Auto generated by SDM Management Access feature access-list 102 remark CCP_ACL Category=1 access-list 102 permit ip 172.16.4.0 0.0.3.255 any access-list 102 permit ip 10.10.10.128 0.0.0.31 any access-list 102 permit ip 65.19.62.48 0.0.0.15 any access-list 102 permit ip host 192.168.1.2 any access-list 102 permit ip 10.10.10.0 0.0.0.127 any access-list 103 remark Auto generated by SDM Management Access feature access-list 103 remark CCP_ACL Category=1 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq telnet access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 22 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq www access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq 443 access-list 103 permit tcp host 192.168.1.2 host 172.16.0.1 eq cmd access-list 103 deny tcp any host 172.16.0.1 eq telnet access-list 103 deny tcp any host 172.16.0.1 eq 22 access-list 103 deny tcp any host 172.16.0.1 eq www access-list 103 deny tcp any host 172.16.0.1 eq 443 access-list 103 deny tcp any host 172.16.0.1 eq cmd access-list 103 deny udp any host 172.16.0.1 eq snmp access-list 103 permit ip any any access-list 104 remark CCP_ACL Category=4 access-list 104 remark IPSec Rule access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.0 0.0.0.255 access-list 104 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 105 remark Auto generated by SDM Management Access feature access-list 105 remark CCP_ACL Category=1 access-list 105 permit tcp any host 65.19.62.61 eq 443 access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.127 access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.160 0.0.0.31 10.10.10.0 0.0.0.255 access-list 105 permit udp any eq domain host 65.19.62.60 access-list 105 permit ahp host 209.101.19.226 host 65.19.62.60 access-list 105 permit esp host 209.101.19.226 host 65.19.62.60 access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq isakmp access-list 105 permit udp host 209.101.19.226 host 65.19.62.60 eq non500-isakmp access-list 105 remark IPSec Rule access-list 105 permit ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq telnet access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 22 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq www access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq 443 access-list 105 permit tcp 65.19.62.48 0.0.0.15 host 65.19.62.60 eq cmd access-list 105 deny tcp any host 65.19.62.60 eq telnet access-list 105 deny tcp any host 65.19.62.60 eq 22 access-list 105 deny tcp any host 65.19.62.60 eq www access-list 105 deny tcp any host 65.19.62.60 eq 443 access-list 105 deny tcp any host 65.19.62.60 eq cmd access-list 105 deny udp any host 65.19.62.60 eq snmp access-list 105 permit ip any any access-list 106 remark CCP_ACL Category=2 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.160 0.0.0.31 access-list 106 remark IPSec Rule access-list 106 deny ip 10.10.10.0 0.0.0.127 10.10.10.0 0.0.0.127 access-list 106 permit ip 10.10.10.0 0.0.0.255 any access-list 107 remark CCP_ACL Category=4 access-list 107 remark IPSec Rule access-list 107 permit ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 remark CCP_ACL Category=2 access-list 108 remark IPSec Rule access-list 108 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 108 permit ip 70.56.215.0 0.0.0.255 any access-list 109 remark CCP_ACL Category=2 access-list 109 remark IPSec Rule access-list 109 deny ip 10.10.10.0 0.0.0.255 10.10.10.160 0.0.0.31 access-list 109 permit ip 172.16.0.0 0.0.3.255 any ! ! ! ! route-map SDM_RMAP_4 permit 1 match ip address 109 ! route-map SDM_RMAP_1 permit 1 match ip address 106 ! route-map SDM_RMAP_2 permit 1 match ip address 108 ! ! snmp-server community public RO snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart snmp-server enable traps vrrp snmp-server enable traps transceiver all snmp-server enable traps ds1 snmp-server enable traps call-home message-send-fail server-fail snmp-server enable traps tty snmp-server enable traps eigrp snmp-server enable traps ospf state-change snmp-server enable traps ospf errors snmp-server enable traps ospf retransmit snmp-server enable traps ospf lsa snmp-server enable traps ospf cisco-specific state-change nssa-trans-change snmp-server enable traps ospf cisco-specific state-change shamlink interface snmp-server enable traps ospf cisco-specific state-change shamlink neighbor snmp-server enable traps ospf cisco-specific errors snmp-server enable traps ospf cisco-specific retransmit snmp-server enable traps ospf cisco-specific lsa snmp-server enable traps license snmp-server enable traps envmon snmp-server enable traps ethernet cfm cc mep-up mep-down cross-connect loop config snmp-server enable traps ethernet cfm crosscheck mep-missing mep-unknown service-up snmp-server enable traps flash insertion removal snmp-server enable traps c3g snmp-server enable traps ds3 snmp-server enable traps adslline snmp-server enable traps vdsl2line snmp-server enable traps icsudsu snmp-server enable traps isdn call-information snmp-server enable traps isdn layer2 snmp-server enable traps isdn chan-not-avail snmp-server enable traps isdn ietf snmp-server enable traps ds0-busyout snmp-server enable traps ds1-loopback snmp-server enable traps energywise snmp-server enable traps vstack snmp-server enable traps mac-notification snmp-server enable traps bgp snmp-server enable traps isis snmp-server enable traps rf snmp-server enable traps aaa_server snmp-server enable traps atm subif snmp-server enable traps cef resource-failure peer-state-change peer-fib-state-change inconsistency snmp-server enable traps memory bufferpeak snmp-server enable traps cnpd snmp-server enable traps config-copy snmp-server enable traps config snmp-server enable traps config-ctid snmp-server enable traps entity snmp-server enable traps fru-ctrl snmp-server enable traps resource-policy snmp-server enable traps event-manager snmp-server enable traps frame-relay multilink bundle-mismatch snmp-server enable traps frame-relay snmp-server enable traps frame-relay subif snmp-server enable traps hsrp snmp-server enable traps ipmulticast snmp-server enable traps msdp snmp-server enable traps mvpn snmp-server enable traps nhrp nhs snmp-server enable traps nhrp nhc snmp-server enable traps nhrp nhp snmp-server enable traps nhrp quota-exceeded snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message snmp-server enable traps pppoe snmp-server enable traps cpu threshold snmp-server enable traps rsvp snmp-server enable traps syslog snmp-server enable traps l2tun session snmp-server enable traps l2tun pseudowire status snmp-server enable traps vtp snmp-server enable traps ipsla snmp-server enable traps bfd snmp-server enable traps firewall serverstatus snmp-server enable traps isakmp policy add snmp-server enable traps isakmp policy delete snmp-server enable traps isakmp tunnel start snmp-server enable traps isakmp tunnel stop snmp-server enable traps ipsec cryptomap add snmp-server enable traps ipsec cryptomap delete snmp-server enable traps ipsec cryptomap attach snmp-server enable traps ipsec cryptomap detach snmp-server enable traps ipsec tunnel start snmp-server enable traps ipsec tunnel stop snmp-server enable traps ipsec too-many-sas snmp-server enable traps vrfmib vrf-up vrf-down vnet-trunk-up vnet-trunk-down snmp-server host 10.10.10.107 public ! ! ! control-plane ! ! banner login ^CCWelcome to Santa Fe Gallery Cisco 2911 router 10.10.10.1.^C ! line con 0 line aux 0 line 2 no activation-character no exec transport preferred none transport input all transport output pad telnet rlogin lapb-ta mop udptn v120 ssh stopbits 1 line vty 0 4 access-class 102 in transport input telnet line vty 5 15 access-class 101 in transport input telnet ! scheduler allocate 20000 1000 ! webvpn gateway gateway_1 ip address 65.19.62.61 port 443 http-redirect port 80 ssl trustpoint SFGallery_Certificate inservice ! webvpn context SFGallery secondary-color white title-color #FF9900 text-color black ssl authenticate verify all ! nbns-list "nbns_list_1" nbns-server 10.10.10.10 master nbns-server 10.10.10.80 ! policy group policy_1 nbns-list "nbns_list_1" functions file-access functions file-browse functions file-entry functions svc-enabled svc address-pool "SDM_POOL_1" svc rekey method new-tunnel default-group-policy policy_1 aaa authentication list ciscocp_vpn_xauth_ml_2 gateway gateway_1 domain gpgallery.com max-users 25 inservice ! end
... View more
Labels:
11-25-2011
04:29 PM
The answer is that I misunderstood the instructions (or lack thereof) on the web form where I register the feature licenses I purchased. The form asks for a PID and serial number. Although the instructions on the form do not specify this, both of these pertain to the hardware appliance, not the license; i.e. I entered the PID of the license--which the form accepted--but the resultant key file could not be installed on the appliance. I opened a TAC support case and had the license re-keyed with the PID and S/N of the appliance. Now it works.
... View more
11-25-2011
03:36 PM
I am new to Cisco . . . I want a simple remote client-initiated VPN for employees to access corporate resources from home simultaneously with being able to access the internet. I am using CCP and seem to have several options including Easy VPN server, SSL VPN. I also can choose "Full Tunnel" or not. I have a 2911 router. I have a static range of internet IP addresses. The router is already functioning with inside to outside and outside to inside NAT, etc. I am confused with all the options. Which one makes most sense in this straighforward situation?
... View more
Labels:
11-25-2011
01:05 PM
I think I found the problem. The IOS version is 12.2, whereas 12.4 is required: http://www.cisco.com/en/US/prod/collateral/routers/ps9422/data_sheet_c78_462210.html
... View more
11-25-2011
12:53 PM
I removed that command. Result is the same (Discovery Details: Connection to the device could not be established. Either the device is not reachable or the HTTP service is not enabled on the device.) Building configuration... Current configuration : 1982 bytes ! ! Last configuration change at 00:37:12 UTC Tue Mar 2 2010 by admin1 ! NVRAM config last updated at 00:37:22 UTC Tue Mar 2 2010 by admin1 ! version 12.2 service timestamps debug datetime msec service timestamps log datetime msec service password-encryption ! hostname Peters_Gallery ! logging queue-limit 100 enable secret 5 xxxxxxxxx username xxxx privilege 15 password 7 xxxx username xxx privilege 15 password 7 xxxx ip subnet-zero ! ! ip domain name gpgallery.com ! ip cef ! ! ! ! interface FastEthernet0 description corp lan ip address 10.10.10.126 255.255.255.128 ip access-group 100 in speed auto ! interface Serial0 ip address 10.3.0.37 255.255.255.252 ! ip classless ip route 0.0.0.0 0.0.0.0 10.10.10.1 ip route 10.10.10.128 255.255.255.224 10.3.0.38 ip route 172.16.4.0 255.255.252.0 10.3.0.38 ip http server ip http authentication local ip http timeout-policy idle 60 life 86400 requests 10000 ! ! ! access-list 100 remark MRC access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.126 eq telnet access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.126 eq 22 access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.126 eq www access-list 100 permit tcp 10.10.10.0 0.0.0.127 host 10.10.10.126 eq cmd access-list 100 deny tcp any host 10.10.10.126 eq telnet access-list 100 deny tcp any host 10.10.10.126 eq 22 access-list 100 deny tcp any host 10.10.10.126 eq www access-list 100 deny tcp any host 10.10.10.126 eq cmd access-list 100 permit ip any any access-list 101 remark MRC access-list 101 permit ip 10.10.10.0 0.0.0.127 any access-list 101 permit ip 10.10.10.128 0.0.0.31 any access-list 102 permit ip 10.10.10.128 0.0.0.31 any access-list 102 permit ip 10.10.10.0 0.0.0.127 any ! ! line con 0 line aux 0 line vty 0 4 access-class 102 in login local transport input telnet line vty 5 15 access-class 101 in login local transport input telnet ! no scheduler allocate end
... View more
Created by
MikeCaditz
in VPN and AnyConnect
10-22-2012
10-22-2012
Thanks so much, Herbert.As an alternative to what you suggest, what do
you think of this? I got it f...
Created by
MikeCaditz
in VPN and AnyConnect
10-18-2012
10-18-2012
Users in remote site can get ping response but no http service from
local web server where the local...
Created by
MikeCaditz
in Switching
12-13-2011
12-13-2011
Thanks, Somu.But I am confused. First, the link you provided id
dead.Second, the document
http://www...
12-13-2011
I have a 2911 ISR and want to install a SM-ES2-24 Enhanced EtherSwitch
Service Module.Do I need to p...
11-29-2011
I have both a Easy VPN server and a site-to-site VPN on the same outside
interface of a 2911 router....
Created by
MikeCaditz
in VPN and AnyConnect
11-29-2011
11-29-2011
I have successfully implented both a site-to-site VPN, and an Easy VPN
server. The outside IP for ea...
11-28-2011
On my 2911 router, can I have both an Easy VPN server, and a
site-to-site VPN?Also, with an Easy VPN...
11-28-2011
Using CCP I deleted the SSL VPN. Instead I created an EasyVPN. Although
my EasyVPN passed the "Test ...
11-26-2011
Thanks, Ajay.Are you saying that the Cisco VPN client works with
"EasyVPN" but the SSL VPN requires ...
11-26-2011
When I try to connect from remote host to SSL VPN on 2911 router, I get
following errors:Cisco Syste...
11-25-2011
The answer is that I misunderstood the instructions (or lack thereof) on
the web form where I regist...
11-25-2011
I am new to Cisco . . . I want a simple remote client-initiated VPN for
employees to access corporat...
11-25-2011
I think I found the problem. The IOS version is 12.2, whereas 12.4 is
required:http://www.cisco.com/...
Public Statistics
| Date Registered | 11-07-2011 02:36 PM |
| Date Last Visited | 08-18-2017 03:55 AM |
| Total Messages Posted | 37 |
| Total Helpful Votes Received | 5 |
Helpful Votes Given To
| User | Helpful Count |
|---|---|
| 5 | |
| 5 | |
| 5 | |
| 20 | |
| 5 |
.jpg "Hall of Fame Master"){kind=icon}
