I have a problem with configuration Site-to-site and Easy both together on the same router 871W
Something is work but not everything.
x.x.x.x - IP address of WAN
a.a.a.a - IP address of gw for WAN
z.z.z.z - IP address of Site-to-Site VPN
192.168.201.0/25 - LAN
192.168.200.0/24 - addresses Easy VPN
192.168.151.0/24 - Site-to-Site LAN
Site-to-site is working properly, everythings fine, but Easy VPN no.
Configuration of Cisco VPN Client:
Host - x.x.x.x, group auth name - remotegroup, pass *
user test, pass *
I have a successful connection of Cisco VPN Client (I see closed Lock - status Connected)
Connection gave me address 192.168.200.5.
But I cannot see LAN and/or Site-to-Site LAN.
And I do not have any idea what can be wrong.
Finalny config:
| Quote: |
Current configuration : 8860 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
service sequence-numbers
!
hostname moj-waw-rtr
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret *
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login remoteusers local
aaa authorization exec default local
aaa authorization network remotegroup local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
ip cef
!
!
no ip domain lookup
ip domain name waw.moj.pl
ip name-server 194.204.152.34
ip name-server 193.178.240.2
!
!
crypto pki trustpoint TP-self-signed-*
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-*
revocation-check none
rsakeypair TP-self-signed-*
!
!
crypto pki certificate chain TP-self-signed-*
certificate self-signed 01
quit
username user privilege 15 secret *
username test privilege 4 secret *
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key * address y.y.y.y
crypto isakmp client configuration address-pool local TOVPNPOOL
!
crypto isakmp client configuration group remotegroup
key *
pool TOVPNPOOL
crypto isakmp profile vpnclient
match identity group remotegroup
match identity address 192.168.201.111 255.255.255.255
client authentication list remoteusers
isakmp authorization list remotegroup
client configuration address respond
!
!
crypto ipsec transform-set vpntowaw esp-3des esp-sha-hmac
crypto ipsec transform-set vpnwaw esp-3des esp-md5-hmac
!
crypto dynamic-map DYNAMIC 10
set transform-set vpnwaw
set isakmp-profile vpnclient
reverse-route
!
!
crypto map vpn_wro_waw 1 ipsec-isakmp
set peer y.y.y.y
set transform-set vpntowaw
set pfs group1
match address 104
crypto map vpn_wro_waw 65535 ipsec-isakmp dynamic DYNAMIC
!
bridge irb
!
!
interface FastEthernet0
spanning-tree portfast
!
interface FastEthernet1
spanning-tree portfast
!
interface FastEthernet2
spanning-tree portfast
!
interface FastEthernet3
spanning-tree portfast
!
interface FastEthernet4
description $ETH-LAN$
ip address x.x.x.x 255.255.255.0
ip access-group 102 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map vpn_wro_waw
!
interface Dot11Radio0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
!
encryption mode ciphers tkip
!
encryption vlan 1 mode ciphers tkip
!
ssid TO-WAW
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii *
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no dot11 extension aironet
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
ip address 192.168.201.1 255.255.255.128
ip access-group 101 in
ip nat inside
ip virtual-reassembly
!
ip local pool TOVPNPOOL 192.168.200.2 192.168.200.101
ip classless
ip route 0.0.0.0 0.0.0.0 a.a.a.a
!
ip http server
ip http access-class 1
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 192.168.201.3 80 interface FastEthernet4 80
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 192.168.201.0 0.0.0.127
access-list 1 permit 192.168.151.0 0.0.0.255
access-list 1 deny any
access-list 100 remark SDM_ACL Category=2
access-list 100 remark IPSec Rule
access-list 100 deny ip 192.168.201.0 0.0.0.127 192.168.3.0 0.0.0.255
access-list 100 deny ip 192.168.201.0 0.0.0.127 192.168.2.0 0.0.0.255
access-list 100 deny ip 192.168.201.0 0.0.0.127 192.168.151.0 0.0.0.255
access-list 100 deny ip 192.168.201.0 0.0.0.127 192.168.200.0 0.0.0.255
access-list 100 permit ip 192.168.201.0 0.0.0.127 any
access-list 101 remark auto generated by SDM firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip x.x.x.x 0.0.0.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 permit ip any any
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit icmp any any
access-list 102 permit icmp any host x.x.x.x
access-list 102 permit udp host 194.204.152.34 eq domain host x.x.x.x
access-list 102 permit udp host 193.178.240.2 eq domain host x.x.x.x
access-list 102 permit udp host y.y.y.y host x.x.x.x eq non500-isakmp
access-list 102 permit udp host y.y.y.y host x.x.x.x eq isakmp
access-list 102 permit esp host y.y.y.y host x.x.x.x
access-list 102 permit ahp host y.y.y.y host x.x.x.x
access-list 102 permit ip 192.168.151.0 0.0.0.255 192.168.201.0 0.0.0.127
access-list 102 permit ip 192.168.200.0 0.0.0.255 192.168.201.0 0.0.0.127
access-list 102 permit ip 192.168.2.0 0.0.0.255 192.168.201.0 0.0.0.127
access-list 102 permit ip 192.168.3.0 0.0.0.255 192.168.201.0 0.0.0.127
access-list 102 permit ip 192.168.201.0 0.0.0.127 any
access-list 102 deny ip 10.0.0.0 0.255.255.255 any
access-list 102 deny ip 172.16.0.0 0.15.255.255 any
access-list 102 deny ip 192.168.0.0 0.0.255.255 any
access-list 102 deny ip 127.0.0.0 0.255.255.255 any
access-list 102 deny ip 192.168.201.0 0.0.0.127 any
access-list 102 deny ip host 255.255.255.255 any
access-list 102 deny ip host 0.0.0.0 any
access-list 102 permit ip any any
access-list 103 permit ip 192.168.200.0 0.0.0.255 any
access-list 103 permit ip 192.168.151.0 0.0.0.255 any
access-list 103 permit ip 192.168.201.0 0.0.0.127 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
access-list 103 permit ip 192.168.3.0 0.0.0.255 any
access-list 103 permit ip y.y.y.y 0.0.0.7 any
access-list 103 deny ip any any
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.201.0 0.0.0.127 192.168.151.0 0.0.0.255
access-list 104 permit ip 192.168.201.0 0.0.0.127 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.201.0 0.0.0.127 192.168.3.0 0.0.0.255
access-list 104 permit ip 192.168.201.0 0.0.0.127 192.168.200.0 0.0.0.255
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 100
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 103 in
privilege level 15
transport input ssh
!
scheduler max-task-time 5000
end |
