03-04-2012 03:28 PM
Hi guys,
We have bought a 2911 to replace our 877W, but now I am unable to complete the setup for the VPN Client. In addition, I would like VPN Client users to have access to the remote office that is connected via the site-to-site tunnel (remote net: 192.168.17.0). Also, before I added
aaa new-model
!
! NOTE(review): the same four lines appear in the full config further down. No
! "aaa authentication login default" / "aaa authentication enable default" list is
! defined here, so the vty lines and the VPN list both end up authenticating against
! the same local user database (please confirm on the box with "show running-config").
!
aaa authentication login CiscoVPNClient_auth local
aaa authorization network CiscoVPNClient_group local
the router asked for two passwords when managing it (one for login and one for exec), but now it asks for only one. It would be excellent if the router asked admins for two passwords for management, and if the VPN Client used a separate user (for example VPNClient) that has no permission to log in and manage the router.
My current config:
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
! NOTE(review): "service password-encryption" only applies the reversible type-7
! obfuscation to "password" lines; it does not protect anything. Prefer the "secret"
! forms ("enable secret", "username ... secret") for credentials that matter.
!
hostname hostname
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
!
!
security passwords min-length 10
! NOTE(review): min-length governs passwords typed at the CLI; it does not appear to
! cover the ISAKMP pre-shared keys further down, which must be chosen long on their own.
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login CiscoVPNClient_auth local
aaa authorization network CiscoVPNClient_group local
! NOTE(review): only the VPN-specific lists are defined. There is no
! "aaa authentication login default", "aaa authentication enable default" or
! "aaa authorization exec default", and there is no "enable secret" anywhere in the
! posted config. Because the vty lines below carry "privilege level 15", a successful
! login lands straight in privileged exec, which is why only one password is asked.
! To get the old two-step behaviour back (confirm in a lab first):
!   enable secret <long-random-secret>
!   aaa authentication login default local
!   aaa authentication enable default enable
!   aaa authorization exec default local
! and remove "privilege level 15" from the vty lines.
! For a VPN-only account, keep it at a low privilege ("username VPNClient privilege 1
! secret ..."); since CiscoVPNClient_auth and the default login list would both be
! "local", the only hard separation is to point the VPN list at a different store
! (e.g. an AAA server) so VPN accounts never exist in the router's local database.
!
!
!
!
!
aaa session-id common
!
!
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.22.1 192.168.22.99
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.44.1 192.168.44.99
ip dhcp excluded-address 192.168.55.1 192.168.55.99
ip dhcp excluded-address 192.168.10.240 192.168.10.254
ip dhcp excluded-address 192.168.22.240 192.168.22.254
ip dhcp excluded-address 192.168.33.240 192.168.33.254
ip dhcp excluded-address 192.168.44.240 192.168.44.254
ip dhcp excluded-address 192.168.55.240 192.168.55.254
!
ip dhcp pool desktops
import all
network 192.168.33.0 255.255.255.0
default-router 192.168.33.254
dns-server 192.168.10.10 dns
domain-name domain
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool wi-fi
import all
network 192.168.44.0 255.255.255.0
dns-server 192.168.10.10 dns
domain-name domain
default-router 192.168.44.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool DMZ
import all
network 192.168.55.0 255.255.255.0
dns-server 192.168.10.10 dns
domain-name domain
default-router 192.168.55.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool voip
import all
network 192.168.22.0 255.255.255.0
dns-server 192.168.10.10 dns
domain-name domain
default-router 192.168.22.254
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
ip dhcp pool servers
import all
network 192.168.10.0 255.255.255.0
default-router 192.168.10.254
dns-server 192.168.10.10 dns
domain-name domain
netbios-name-server 192.168.10.10
netbios-node-type h-node
!
!
ip domain name domain
ip name-server 192.168.10.10
ip cef
login block-for 180 attempts 3 within 180
login delay 10
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate
revocation-check none
rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed
certificate self-signed 01
...
quit
license udi pid CISCO2911/K9 sn
!
!
object-group network FULL_NET
description complete network range
192.168.10.0 255.255.255.0
192.168.11.0 255.255.255.0
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
! NOTE(review): 192.168.55.0 (the DMZ pool / Port-channel1.55) is not in FULL_NET,
! so it is excluded from the NAT_INTERNET list and from the VPN split-tunnel ACL 103
! below, while it IS included in the site-to-site ACL 160. Possibly intentional; confirm.
!
object-group network limited
description network without Servers and Router
192.168.22.0 255.255.255.0
192.168.33.0 255.255.255.0
192.168.44.0 255.255.255.0
!
vtp version 2
username nick privilege 15 password 7 pass
username admin privilege 0 password 7 pass
! NOTE(review): both users use reversible type-7 passwords; switch to
! "username <name> privilege <n> secret <pw>". "privilege 0" for admin is below the
! default user-exec level, but with "privilege level 15" on the vty lines the per-user
! level is not applied anyway.
!
redundancy
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp key admin address a.a.a.a
! NOTE(review): if "admin" is the real pre-shared key and not a placeholder, it is a
! dictionary word; use a long random PSK. Also note only a.a.a.a has a key here while
! crypto map MAP lists b.b.b.b as a second peer — if b.b.b.b is a real peer it has no
! PSK configured.
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group CiscoVPNClient
key 1
! NOTE(review): same remark for the group key "1" if it is not a placeholder.
pool CiscoVPNClient
acl 103
include-local-lan
max-users 2
netmask 255.255.255.0
crypto isakmp profile CiscoVPNClient_profile
match identity group CiscoVPNClient
client authentication list CiscoVPNClient_auth
isakmp authorization list CiscoVPNClient_group
client configuration address respond
!
!
crypto ipsec transform-set PEER1 esp-aes esp-sha-hmac
crypto ipsec transform-set CiscoVPNClient esp-3des esp-sha-hmac
! NOTE(review): 3DES is legacy; the VPN Client also supports esp-aes, so this set
! could match PEER1.
!
!
!
crypto dynamic-map CiscoVPNClient 1
set transform-set CiscoVPNClient
set isakmp-profile CiscoVPNClient_profile
reverse-route
!
!
crypto map CiscoVPNClient_map 65535 ipsec-isakmp dynamic CiscoVPNClient
! NOTE(review): this is the most likely cause of the VPN Client failure. The dynamic
! entry lives in a crypto map named CiscoVPNClient_map, but that map is never applied
! to an interface — GigabitEthernet0/0/0 below only has "crypto map MAP", and an
! interface takes a single crypto map. The dynamic entry must be part of MAP, e.g.
!   crypto map MAP 65535 ipsec-isakmp dynamic CiscoVPNClient
! (and CiscoVPNClient_map can then be removed).
!
crypto map MAP 10 ipsec-isakmp
set peer a.a.a.a
set peer b.b.b.b
set transform-set PEER1
match address 160
!
!
!
!
!
interface Port-channel1
no ip address
hold-queue 150 in
!
interface Port-channel1.1
encapsulation dot1Q 1 native
ip address 192.168.11.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.10
encapsulation dot1Q 10
ip address 192.168.10.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.22
encapsulation dot1Q 22
ip address 192.168.22.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.33
encapsulation dot1Q 33
ip address 192.168.33.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.44
encapsulation dot1Q 44
ip address 192.168.44.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Port-channel1.55
encapsulation dot1Q 55
ip address 192.168.55.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
no ip address
shutdown
duplex auto
speed auto
!
interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
channel-group 1
!
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
duplex auto
speed auto
channel-group 1
!
interface GigabitEthernet0/0/0
ip address xxx.xxx.xxx.xxx 255.255.255.224
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map MAP
! NOTE(review): only MAP is bound here; the dynamic VPN Client map is not (see above).
!
ip local pool CiscoVPNClient 192.168.9.1 192.168.9.2
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.10.20 1723 interface GigabitEthernet0/0/0 1723
ip nat inside source static udp xxx.xxx.xxx.xxx 500 interface GigabitEthernet0/0/0 500
ip nat inside source static udp xxx.xxx.xxx.xxx 4500 interface GigabitEthernet0/0/0 4500
! NOTE(review): the two static entries forward UDP 500 (IKE) and 4500 (NAT-T) arriving
! on the outside interface to xxx.xxx.xxx.xxx. If that address is an inside host rather
! than the router itself, IKE from both the VPN Client and the site-to-site peers may be
! handed to that host instead of terminating on this router — verify what the redacted
! address is before anything else. The TCP 1723 forward is PPTP to 192.168.10.20; PPTP
! (MS-CHAPv2) is considered weak and worth retiring once the IPsec VPN Client works.
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
ip access-list extended NAT_INTERNET
deny ip object-group FULL_NET 192.168.17.0 0.0.0.255
deny ip object-group FULL_NET 192.168.1.0 0.0.0.255
permit ip object-group FULL_NET any
deny ip object-group FULL_NET 192.168.9.0 0.0.0.255
deny ip 192.168.9.0 0.0.0.255 192.168.17.0 0.0.0.255
! NOTE(review): ACLs are evaluated top-down and stop at the first match, so the two
! deny lines after "permit ip object-group FULL_NET any" are never reached. LAN replies
! to VPN Client addresses (192.168.9.x) are therefore NATed out of Gi0/0/0 instead of
! going back through the tunnel. Move both deny lines above the permit.
!
access-list 1 permit 192.168.44.100
access-list 23 permit 192.168.10.7
access-list 23 permit 123.108.151.13 log
access-list 23 permit 192.168.44.0 0.0.0.255
! NOTE(review): ACL 23 gates SSH (vty access-class) and HTTPS (ip http access-class).
! It admits a public address, i.e. management is reachable from the Internet from that
! source; make sure that is intended and that "login block-for" stays on. ACL 1 and
! ACL 100 are not referenced anywhere in the posted config.
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 103 remark CiscoVPNClient
access-list 103 permit ip object-group FULL_NET any
access-list 103 permit ip 192.168.17.0 0.0.0.255 any
! NOTE(review): ACL 103 is the split-tunnel list pushed to the client. Including
! 192.168.17.0 makes the client send remote-office traffic into the tunnel, and ACL 160
! below already carries 192.168.9.0 -> 192.168.17.0, but the remote peer must have the
! mirror entry (192.168.17.0 -> 192.168.9.0) in its crypto ACL or the site-to-site SA
! for that pair will never come up.
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.11.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.22.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.33.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.44.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.55.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.9.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
password 7 password
! NOTE(review): type-7 line password; with "aaa new-model" the console uses the default
! login list, so this line password is not what gets checked. Prefer a local "secret".
line aux 0
! NOTE(review): the aux line has no restrictions; "no exec" / "transport input none"
! is the usual hardening if nothing is attached to it.
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
access-class 23 in
privilege level 15
transport input ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input ssh
! NOTE(review): "privilege level 15" on both vty ranges is what removed the second
! (enable) password prompt — every authenticated user is dropped straight into
! privileged exec. Remove it and rely on "enable secret" plus per-user privilege
! ("aaa authorization exec default local") so a VPN-only account stays at a low level.
!
scheduler allocate 20000 1000
!
end
Thanks a lot,
Nick