03-12-2015 10:09 AM
I have a Cisco 881 router that has been configured for VPN access. The VPN works and I can log into it, but I can't access the router via CCP (or even telnet, though CCP is more important). The VPN connection gets an IP of 192.168.40.xx and the router's IP is 192.168.125.254. I'm not sure why the VPN connection can't access the router via CCP. Here is the running config:
thanks.
03-12-2015 04:05 PM
Hi there,
Add this line before the permit line on ACL 199
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
Let me know, if this helps.
Thanks
Rizwan Rafeek
03-12-2015 04:25 PM
03-12-2015 04:42 PM
show access-list 199
Then look for the index number of each permit or deny line, and use the desired index number to insert the deny line; be sure to insert it before any permit lines.
I am not in front of a router now; the example below is just off the top of my head.
Below I am using index "1".
router(config)# ip access-list extended 199
router(config-ext-nacl)# 1 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
thanks
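How first-match evaluation of ACL 199 decides which flows `route-map SDM_RMAP_1` selects for NAT overload, as an added example that is not part of the original thread. The ACL text is the thread's ACL 199 (the "before" version is reconstructed by dropping the suggested line); the wrong-order variant and all function names are constructed for illustration, and only `ip` entries without port matches are parsed.

```python
import ipaddress

# ACL 199 from the thread; BEFORE is reconstructed by omitting the suggested deny line.
ACL_199_BEFORE = """\
access-list 199 remark IPSec Rule
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 permit ip any any
"""
ACL_199_AFTER = """\
access-list 199 remark IPSec Rule
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 permit ip any any
"""
# Constructed variant: the same deny line placed after the permit.
ACL_199_WRONG_ORDER = """\
access-list 199 permit ip any any
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
"""


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _take_addr(tokens):
    """Pop one address spec ('any', 'host A' or 'A WILDCARD') from tokens.
    Returns (base, wildcard); wildcard bits set to 1 are ignored when matching."""
    head = tokens.pop(0)
    if head == "any":
        return 0, 0xFFFFFFFF
    if head == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(head), _ip(tokens.pop(0))


def parse_acl(text, number):
    """Return the ACL's 'ip' entries in configured order, skipping remarks."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[:2] != ["access-list", str(number)]:
            continue
        action, proto = tokens[2], tokens[3]
        if action not in ("permit", "deny") or proto != "ip":
            continue
        rest = tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        entries.append((action, src, dst, line.strip()))
    return entries


def _matches(spec, addr):
    base, wildcard = spec
    return ((base ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def first_match(entries, src, dst):
    """IOS evaluates entries top-down and stops at the first hit."""
    s, d = _ip(src), _ip(dst)
    for action, src_spec, dst_spec, line in entries:
        if _matches(src_spec, s) and _matches(dst_spec, d):
            return action, line
    return "deny", "(implicit deny at end of ACL)"


def selected_for_nat(acl_text, src, dst, number=199):
    """True when the route-map's 'match ip address 199' permits the flow."""
    return first_match(parse_acl(acl_text, number), src, dst)[0] == "permit"


if __name__ == "__main__":
    vpn_client = "192.168.40.100"  # an address from VPN_IP_POOL
    for src in ("192.168.5.10", "192.168.125.2"):
        for name, acl in (("before", ACL_199_BEFORE), ("after", ACL_199_AFTER),
                          ("wrong order", ACL_199_WRONG_ORDER)):
            print(src, "->", vpn_client, name, selected_for_nat(acl, src, vpn_client))
```

The added deny covers sources in 192.168.4.0 0.0.1.255 only, so a source in 192.168.125.0/24 still falls through to `permit ip any any` in ACL 199.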
03-13-2015 08:13 AM
Thanks for helping me, but I still can't access the router via VPN connection. Below is the updated running config:
Current configuration : 11796 bytes
!
! Last configuration change at 14:23:22 UTC Fri Mar 13 2015 by admin
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1151531093
revocation-check none
rsakeypair TP-self-signed-1151531093
!
!
crypto pki certificate chain TP-self-signed-1151531093
certificate self-signed 01
quit
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.4.1 192.168.5.49
ip dhcp excluded-address 192.168.5.151 192.168.5.254
!
ip dhcp pool Internet
import all
network 192.168.4.0 255.255.254.0
dns-server 64.59.135.133 64.59.128.120
default-router 192.168.5.254
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
username **** privilege 15 secret 5 $1$45So$aONTP0VVI.NT5rpQeEtg0/
username **** secret 5 $1$qaKU$2H0QSW1jHo8XYuEy3FPbU0
username **** secret 5 $1$SHF9$pXvR3gVTCe4w4G7c2FS9P1
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ***** address 208.98.212.xx
!
crypto isakmp client configuration group MPE
key ******
pool VPN_IP_POOL
acl 100
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the System Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
!
crypto isakmp client configuration group PALL
key ****
pool VPN_IP_POOL_PALL
acl 101
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the System Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group MPE
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
match identity group PALL
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to208.98.212.xx
set peer 208.98.213.xx
set transform-set ESP-3DES-SHA2
match address 102
!
!
!
!
!
!
interface Loopback0
ip address 192.168.40.254 255.255.255.0
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address 208.98.213.xx 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.125.254 255.255.255.0
ip access-group CONTROL_IN in
ip access-group CONTROL_OUT out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.5.254 255.255.254.0
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.236.62 permanent
!
ip access-list extended CONTROL_IN
remark Controll Access
remark CCP_ACL Category=1
permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
remark VPN Access
permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
remark VNC Access
permit tcp host 192.168.125.2 eq 25000 any
remark Email for WIN911
permit tcp host 192.168.125.2 any eq smtp
remark DNS Traffic
permit udp host 192.168.125.2 host 64.59.135.133 eq domain
permit udp host 192.168.125.2 host 64.59.128.120 eq domain
ip access-list extended CONTROL_OUT
remark Control Access
remark CCP_ACL Category=1
permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
remark VPN Access
permit ip 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
permit tcp any host 192.168.125.2 eq 25000
remark Email for WIN911
permit tcp any eq smtp host 192.168.125.2
remark DNS Replies
permit udp any eq domain host 192.168.125.2
ip access-list extended INTERNET_IN
remark VNC access across VLAN
remark CCP_ACL Category=1
permit tcp any eq 25000 host 192.168.125.2
remark Allow all other traffic
permit ip any any
ip access-list extended INTERNET_OUT
remark Complete access for internet outgoing
remark CCP_ACL Category=1
permit ip any any
ip access-list extended WAN_IN
remark CCP_ACL Category=1
permit ip host 207.229.68.xx any
permit tcp any eq smtp any established
permit udp host 64.59.135.133 eq domain any
permit udp host 64.59.128.120 eq domain any
permit icmp any any unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any time-exceeded
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 199
!
route-map SDM_RMAP_2 permit 1
match ip address 110
!
access-list 100 remark VPN Traffic
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark VPN Traffic for PALL
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 remark CCP_ACL Category=2
access-list 110 remark IPSec Rule
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 permit ip host 192.168.125.2 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 160 remark CCP_ACL Category=1
access-list 160 permit tcp any any
access-list 160 permit udp any any
access-list 160 permit icmp any any
access-list 160 permit ip any any
access-list 199 remark CCP_ACL Category=16
access-list 199 remark IPSec Rule
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 permit ip any any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
access-class 160 in
transport input all
transport output all
!
scheduler allocate 20000 1000
!
end
03-13-2015 08:47 AM
Please assign a password under both lines, under config mode.
line vty 5 15
password WhateverYourPassword
line vty 0 4
password WhateverYourPassword
Thanks
03-13-2015 08:53 AM
Passwords have been added. Thanks for pointing that out, I must have overlooked that.
03-13-2015 09:38 AM
Are you able to access now?
03-13-2015 09:44 AM
No, still can't access it.
03-13-2015 09:58 AM
Are you able to ping inside interface IP, when vpn in?
03-13-2015 10:10 AM
I can't ping anything on the internal network from VPN
03-13-2015 10:22 AM
Hi there,
Can you shut down this Loopback0?
interface Loopback0
shutdown
and then try it.
thanks
03-13-2015 10:25 AM
nope, still not working.
03-13-2015 10:27 AM
Please post your current config.
03-13-2015 10:48 AM
here is the current config:
Current configuration : 11856 bytes
!
! Last configuration change at 17:18:31 UTC Fri Mar 13 2015 by admin
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 881
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1151531093
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1151531093
revocation-check none
rsakeypair TP-self-signed-1151531093
!
!
crypto pki certificate chain TP-self-signed-1151531093
certificate self-signed 01
quit
!
!
!
!
!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.4.1 192.168.5.49
ip dhcp excluded-address 192.168.5.151 192.168.5.254
!
ip dhcp pool Internet
import all
network 192.168.4.0 255.255.254.0
dns-server 64.59.135.133 64.59.128.120
default-router 192.168.5.254
!
!
!
no ip domain lookup
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C881-K9 sn FTX18438503
!
!
username **** privilege 15 secret 5 $1$45So$aONTP0VVI.NT5rpQeEtg0/
username **** secret 5 $1$qaKU$2H0QSW1jHo8XYuEy3FPbU0
username **** secret 5 $1$SHF9$pXvR3gVTCe4w4G7c2FS9P1
!
!
!
!
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key ***** address 208.98.212.xx
!
crypto isakmp client configuration group MPE
key ****
pool VPN_IP_POOL
acl 100
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the System Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
!
crypto isakmp client configuration group PALL
key ****
pool VPN_IP_POOL_PALL
acl 101
max-users 10
netmask 255.255.255.0
banner ^CYou have entered the System Domain
This area is restricted to Control Systems Administrators.
If you are here by mistake, please disconnect immediately.
You have full access to 192.168.125.0 / 0.0.0.255
Press continue to begin your session.^C
crypto isakmp profile ciscocp-ike-profile-1
match identity group MPE
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto isakmp profile ciscocp-ike-profile-2
match identity group PALL
client authentication list default
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile CiscoCP_Profile2
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-2
!
!
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to208.98.213.xx
set peer 208.98.213.xx
set transform-set ESP-3DES-SHA2
match address 102
!
!
!
!
!
!
interface Loopback0
ip address 192.168.40.254 255.255.255.0
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
switchport access vlan 2
no ip address
!
interface FastEthernet3
switchport access vlan 2
no ip address
!
interface FastEthernet4
ip address 208.98.213.xx 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Virtual-Template1 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered Loopback0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile2
!
interface Vlan1
description $ETH_LAN$
ip address 192.168.125.254 255.255.255.0
ip access-group CONTROL_IN in
ip access-group CONTROL_OUT out
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Vlan2
ip address 192.168.5.254 255.255.254.0
ip access-group INTERNET_IN in
ip access-group INTERNET_OUT out
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN_IP_POOL_PALL 192.168.40.151 192.168.40.152
ip local pool VPN_IP_POOL 192.168.40.100 192.168.40.150
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source static tcp 192.168.125.2 25000 interface FastEthernet4 25000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 FastEthernet4 208.98.213.xx permanent
!
ip access-list extended CONTROL_IN
remark Controll Access
remark CCP_ACL Category=1
permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
remark VPN Access
permit ip 192.168.125.0 0.0.0.255 192.168.40.0 0.0.0.255
remark VNC Access
permit tcp host 192.168.125.2 eq 25000 any
remark Email for WIN911
permit tcp host 192.168.125.2 any eq smtp
remark DNS Traffic
permit udp host 192.168.125.2 host 64.59.135.133 eq domain
permit udp host 192.168.125.2 host 64.59.128.120 eq domain
ip access-list extended CONTROL_OUT
remark Control Access
remark CCP_ACL Category=1
permit ip 192.168.125.0 0.0.0.255 192.168.125.0 0.0.0.255
remark VPN Access
permit ip 192.168.40.0 0.0.0.255 192.168.125.0 0.0.0.255
permit tcp any host 192.168.125.2 eq 25000
remark Email for WIN911
permit tcp any eq smtp host 192.168.125.2
remark DNS Replies
permit udp any eq domain host 192.168.125.2
ip access-list extended INTERNET_IN
remark VNC access across VLAN
remark CCP_ACL Category=1
permit tcp any eq 25000 host 192.168.125.2
remark Allow all other traffic
permit ip any any
ip access-list extended INTERNET_OUT
remark Complete access for internet outgoing
remark CCP_ACL Category=1
permit ip any any
ip access-list extended WAN_IN
remark CCP_ACL Category=1
permit ip host 207.229.65.xx any
permit tcp any eq smtp any established
permit udp host 64.59.135.133 eq domain any
permit udp host 64.59.128.120 eq domain any
permit icmp any any unreachable
permit icmp any any parameter-problem
permit icmp any any packet-too-big
permit icmp any any administratively-prohibited
permit icmp any any source-quench
permit icmp any any time-exceeded
!
ip sla auto discovery
no cdp run
!
route-map SDM_RMAP_1 permit 1
match ip address 199
!
route-map SDM_RMAP_2 permit 1
match ip address 110
!
access-list 100 remark VPN Traffic
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.125.0 0.0.0.255 any
access-list 100 permit ip 192.168.40.0 0.0.0.255 any
access-list 101 remark VPN Traffic for PALL
access-list 101 remark CCP_ACL Category=4
access-list 101 permit ip 192.168.125.0 0.0.0.255 any
access-list 101 permit ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 remark CCP_ACL Category=2
access-list 110 remark IPSec Rule
access-list 110 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 110 permit ip host 192.168.125.2 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 160 remark CCP_ACL Category=1
access-list 160 permit tcp any any
access-list 160 permit udp any any
access-list 160 permit icmp any any
access-list 160 permit ip any any
access-list 199 remark CCP_ACL Category=16
access-list 199 remark IPSec Rule
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.2.0 0.0.1.255
access-list 199 deny ip 192.168.4.0 0.0.1.255 192.168.40.0 0.0.0.255
access-list 199 permit ip any any
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
password *****
transport input telnet ssh
line vty 5 15
access-class 160 in
password *****
transport input all
transport output all