Cisco 2911 VPN client setup

Nick Sinyakov
Level 1

Hi guys,

We've bought a 2911 and replaced the 877W, but now I'm unable to complete the setup for the VPN client. In addition, I'd like to have access to the remote office, which is connected via site-to-site, when connected via the VPN Client (remote net: 192.168.17.0). Also, before I added

aaa new-model
!
!
aaa authentication login CiscoVPNClient_auth local
aaa authorization network CiscoVPNClient_group local

to manage the Cisco it asked for 2 passwords, one for login and one for exec, but now only one. It would be excellent if, to manage the Cisco, it would ask for 2 passwords (for admin), and for the VPN client there would be a separate user, like VPNClient, without permissions to log in and manage.

My current config:

!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hostname
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
!
security passwords min-length 10
logging buffered 51200 warnings
!
aaa new-model
!
aaa authentication login CiscoVPNClient_auth local
aaa authorization network CiscoVPNClient_group local
!
aaa session-id common
!
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.22.1 192.168.22.99
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.44.1 192.168.44.99
ip dhcp excluded-address 192.168.55.1 192.168.55.99
ip dhcp excluded-address 192.168.10.240 192.168.10.254
ip dhcp excluded-address 192.168.22.240 192.168.22.254
ip dhcp excluded-address 192.168.33.240 192.168.33.254
ip dhcp excluded-address 192.168.44.240 192.168.44.254
ip dhcp excluded-address 192.168.55.240 192.168.55.254
!
ip dhcp pool desktops
 import all
 network 192.168.33.0 255.255.255.0
 default-router 192.168.33.254
 dns-server 192.168.10.10 dns
 domain-name domain
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool wi-fi
 import all
 network 192.168.44.0 255.255.255.0
 dns-server 192.168.10.10 dns
 domain-name domain
 default-router 192.168.44.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool DMZ
 import all
 network 192.168.55.0 255.255.255.0
 dns-server 192.168.10.10 dns
 domain-name domain
 default-router 192.168.55.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool voip
 import all
 network 192.168.22.0 255.255.255.0
 dns-server 192.168.10.10 dns
 domain-name domain
 default-router 192.168.22.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool servers
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 192.168.10.10 dns
 domain-name domain
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip domain name domain
ip name-server 192.168.10.10
ip cef
login block-for 180 attempts 3 within 180
login delay 10
vlan ifdescr detail
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed-
!
crypto pki certificate chain TP-self-signed
 certificate self-signed 01
  ...
  quit
license udi pid CISCO2911/K9 sn
!
object-group network FULL_NET
 description complete network range
 192.168.10.0 255.255.255.0
 192.168.11.0 255.255.255.0
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
!
object-group network limited
 description network without Servers and Router
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
!
vtp version 2
username nick privilege 15 password 7 pass
username admin privilege 0 password 7 pass
!
redundancy
!
no ip ftp passive
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key admin address a.a.a.a
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group CiscoVPNClient
 key 1
 pool CiscoVPNClient
 acl 103
 include-local-lan
 max-users 2
 netmask 255.255.255.0
crypto isakmp profile CiscoVPNClient_profile
   match identity group CiscoVPNClient
   client authentication list CiscoVPNClient_auth
   isakmp authorization list CiscoVPNClient_group
   client configuration address respond
!
crypto ipsec transform-set PEER1 esp-aes esp-sha-hmac
crypto ipsec transform-set CiscoVPNClient esp-3des esp-sha-hmac
!
crypto dynamic-map CiscoVPNClient 1
 set transform-set CiscoVPNClient
 set isakmp-profile CiscoVPNClient_profile
 reverse-route
!
crypto map CiscoVPNClient_map 65535 ipsec-isakmp dynamic CiscoVPNClient
!
crypto map MAP 10 ipsec-isakmp
 set peer a.a.a.a
 set peer b.b.b.b
 set transform-set PEER1
 match address 160
!
interface Port-channel1
 no ip address
 hold-queue 150 in
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.22
 encapsulation dot1Q 22
 ip address 192.168.22.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.33
 encapsulation dot1Q 33
 ip address 192.168.33.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.44
 encapsulation dot1Q 44
 ip address 192.168.44.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.55
 encapsulation dot1Q 55
 ip address 192.168.55.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/2
 description $ES_LAN$
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/0/0
 ip address xxx.xxx.xxx.xxx 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map MAP
!
ip local pool CiscoVPNClient 192.168.9.1 192.168.9.2
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.10.20 1723 interface GigabitEthernet0/0/0 1723
ip nat inside source static udp xxx.xxx.xxx.xxx 500 interface GigabitEthernet0/0/0 500
ip nat inside source static udp xxx.xxx.xxx.xxx 4500 interface GigabitEthernet0/0/0 4500
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
ip access-list extended NAT_INTERNET
 deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255
 deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255
 permit ip object-group FULL_NET any
 deny   ip object-group FULL_NET 192.168.9.0 0.0.0.255
 deny   ip 192.168.9.0 0.0.0.255 192.168.17.0 0.0.0.255
!
access-list 1 permit 192.168.44.100
access-list 23 permit 192.168.10.7
access-list 23 permit 123.108.151.13 log
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 103 remark CiscoVPNClient
access-list 103 permit ip object-group FULL_NET any
access-list 103 permit ip 192.168.17.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.11.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.22.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.33.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.44.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.55.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.9.0 0.0.0.255 192.168.17.0 0.0.0.255
!
control-plane
!
line con 0
 password 7 password
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Thanks a lot,

Nick
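Added example configuration (not part of Nick's post, and not a Cisco-supplied answer): the changes a reviewer of the config above would make to address the three points that are visible in it. It assumes the router terminates both the site-to-site tunnel to a.a.a.a (remote LAN 192.168.17.0/24) and the VPN client sessions, and that the <...> placeholders are replaced with real secrets. First, the dynamic map is attached to a crypto map named CiscoVPNClient_map, but GigabitEthernet0/0/0 carries only "crypto map MAP"; IOS applies one crypto map per interface, so the client entry is never active and a VPN client cannot finish negotiation. Second, "privilege level 15" on the vty lines drops every authenticated user straight into privilege 15, which is why the enable password is no longer asked. Third, in NAT_INTERNET the "deny ... 192.168.9.0" line sits below "permit ip object-group FULL_NET any", so LAN replies to VPN clients are translated instead of being exempted.

```cisco
! --- 1. Two-step management login: username/password, then enable secret ---
! Added example; replace the <...> placeholders with real values.
enable secret <admin-enable-secret>
aaa new-model
aaa authentication login default local
aaa authentication enable default enable
aaa authorization exec default local
! Keep the VPN lists separate from the default list used by the lines.
aaa authentication login CiscoVPNClient_auth local
aaa authorization network CiscoVPNClient_group local
!
! The admin lands at privilege 1 and must "enable" with the enable secret.
! "secret" stores a hash; "password 7" is reversible and should be retired.
username nick privilege 1 secret <nick-password>
! VPN-only account (hypothetical name): privilege 0 leaves it no usable exec
! even if it reaches a line; ACL 23 already keeps the 192.168.9.0/24 client
! pool away from SSH. Full separation of VPN and management accounts needs
! an external AAA server for the CiscoVPNClient_auth list (assumption).
username vpnclient privilege 0 secret <vpn-user-password>
!
line vty 0 4
 access-class 23 in
 no privilege level 15
 login authentication default
 transport input ssh
line vty 5 15
 access-class 23 in
 no privilege level 15
 login authentication default
 transport input ssh
!
! --- 2. Hang the dynamic client entry off the crypto map that is on Gi0/0/0 ---
no crypto map CiscoVPNClient_map
crypto map MAP 65535 ipsec-isakmp dynamic CiscoVPNClient
! interface GigabitEthernet0/0/0 keeps "crypto map MAP"; the static entry
! (sequence 10) is tried first, the dynamic entry (65535) last.
!
! --- 3. NAT exemptions must precede the catch-all permit ---
no ip access-list extended NAT_INTERNET
ip access-list extended NAT_INTERNET
 deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255
 deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255
 deny   ip object-group FULL_NET 192.168.9.0 0.0.0.255
 deny   ip 192.168.9.0 0.0.0.255 192.168.17.0 0.0.0.255
 permit ip object-group FULL_NET any
```

For reaching 192.168.17.0/24 from a VPN client, ACL 160 already carries the 192.168.9.0/24 to 192.168.17.0/24 entry and split-tunnel ACL 103 already includes 192.168.17.0/24, so what remains is on the remote router: its crypto ACL needs the mirror entry (192.168.17.0/24 to 192.168.9.0/24) and a route for 192.168.9.0/24 towards the tunnel. Client traffic decrypted on Gi0/0/0 is re-encrypted by the same interface's crypto map; it never enters an "ip nat inside" interface, so the NAT exemption for that direction is only a safeguard. Two further items worth checking: the pre-shared keys "admin" (site-to-site) and "1" (client group) are guessable and should be long random strings, and if the xxx.xxx.xxx.xxx in the two static UDP 500/4500 NAT entries is an internal host rather than the router's own address, inbound IKE is forwarded to that host instead of terminating on the router, which by itself would stop every tunnel.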
