02-17-2013 08:20 PM
Hi,
I am trying to utilize the internet on my router for VPN clients rather than the client using its own internet for non-private traffic. Just like a relay, I guess.
I have followed the guide on the link below and have had some success. I can currently ping internal and external devices from the client, but that is it. Any time I try to use any protocol like www, I get nothing. The only thing I can do is ping; for example, I can ping google.com but I cannot connect to google.com using a web browser.
It's been a long time since I have worked with Cisco devices and I'm hoping someone out there can help me out. Below is my running config.
I used Cisco SDM to configure the Easy VPN server and then used the CLI with the link above to try to accomplish my goal.
Thanks
JD
Building configuration...
Current configuration : 8068 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname JamNet
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
logging console critical
enable secret 5
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
ip subnet-zero
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.1.1.1 10.1.1.63
ip dhcp excluded-address 10.1.1.128 10.1.1.254
!
ip dhcp pool sdm-pool1
import all
network 10.1.1.0 255.255.255.0
default-router 10.1.1.1
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-138283221
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-138283221
revocation-check none
rsakeypair TP-self-signed-138283221
!
!
crypto pki certificate chain TP-self-signed-138283221
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31333832 38333232 31301E17 0D303831 30323130 34323531
335A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3133 38323833
32323130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
BC8FEAAC 8596D982 93D187F5 4EA7AB58 932CDEBA 0CB46EF0 509D0747 F7E1D464
E15FC06B 0E27F326 2F12FAAC C8F3458F 51221B81 B804536A E337974A 2D908ECA
D216D591 1F8B1B72 D9896FB9 3D20F23A CE828AAC 180643F1 E8D2B394 C5475812
4E675FE8 3B0A4F9C 439DD800 09533950 1827615D D79DA802 5091295B 784648D5
02030100 01A36730 65300F06 03551D13 0101FF04 05300301 01FF3012 0603551D
11040B30 0982074A 616D4E65 742E301F 0603551D 23041830 1680146D FB4368E1
CE5E3442 747111B4 D223A453 3F75B030 1D060355 1D0E0416 04146DFB 4368E1CE
5E344274 7111B4D2 23A4533F 75B0300D 06092A86 4886F70D 01010405 00038181
004A3046 219731F2 FD4DAC31 752BFD05 4F76C984 F10BA1F6 1705F8D1 ED919FDC
BED6142F 8FA28AF8 173D1DA3 8B6ABD3C DFB5B84D 72689233 28487A7D D3D692B1
869091CE 089B2ABD D67D12D0 47326AD4 F667A97C E2ED53DF C780267C F1AF7CB0
BCB6FB9A BCB669B5 0D4303D8 5FF9835B E1629A61 1573405D 1E2811DE 50062DF9 FD
quit
username admin privilege 15 secret 5
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group JamNet
key
dns 208.180.42.68 208.180.42.100
pool SDM_POOL_1
save-password
banner ^CWelcome to JamRock ^C
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 14400
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
bridge irb
!
!
interface Loopback0
ip address 10.1.3.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet4
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect DEFAULT100 out
ip nat outside
ip virtual-reassembly
ip route-cache flow
ip policy route-map VPN-Client
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface Dot11Radio0
no ip address
!
broadcast-key membership-termination capability-change
!
!
encryption mode ciphers tkip
!
ssid JamNet
authentication open
authentication key-management wpa
guest-mode
infrastructure-ssid optional
wpa-psk ascii 7
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 spanning-disabled
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$$FW_INSIDE$
ip address 10.1.1.1 255.255.255.0
ip access-group 100 in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool SDM_POOL_1 10.1.2.64 10.1.2.127
ip classless
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 103 interface FastEthernet4 overload
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.1.1.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 208.180.42.100 eq domain any
access-list 101 permit udp host 208.180.42.68 eq domain any
access-list 101 permit ip 10.1.2.64 0.0.0.63 any
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit udp any any eq isakmp
access-list 101 permit esp any any
access-list 101 permit ahp any any
access-list 101 permit udp any eq bootps any eq bootpc
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any time-exceeded
access-list 101 permit icmp any any unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any 10.1.2.64 0.0.0.63
access-list 102 permit ip 10.1.1.0 0.0.0.255 any
access-list 102 permit ip any any
access-list 103 remark SDM_ACL Category=18
access-list 103 deny ip any 10.1.2.0 0.0.0.255
access-list 103 permit ip any any
access-list 144 permit ip 10.1.2.0 0.0.0.255 any
no cdp run
route-map VPN-Client permit 10
match ip address 144
set ip next-hop 10.1.3.2
!
route-map SDM_RMAP_1 permit 1
match ip address 102
set ip next-hop 10.1.3.2
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
02-21-2013 04:36 AM
Your inspection doesn't include http?
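An added example, not from this thread and not Cisco tooling: a small Python checker that answers the two questions raised here from the config text alone. It reports whether a CBAC inspect rule set covers an application protocol (by name, through the generic tcp/udp entry, or not at all), which entry of a numbered extended ACL decides a given flow, and which next hop the policy route-map on an interface would set for that flow. The config excerpt embedded in it is constructed in the shape of the one posted above (a few lines, not the full config), and the application-to-transport table, the port-keyword table and the simplified route-map handling (permit sequences only, source-port qualifiers skipped) are assumptions written into the code.

```python
"""Checks over a Cisco IOS running-config (added example, not Cisco tooling)."""
import ipaddress

# Constructed excerpt in the shape of the config posted above (not the full config).
SAMPLE_CONFIG = """\
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
interface FastEthernet4
 ip access-group 101 in
 ip inspect DEFAULT100 out
 ip policy route-map VPN-Client
access-list 101 permit udp host 208.180.42.100 eq domain any
access-list 101 permit ip 10.1.2.64 0.0.0.63 any
access-list 101 permit icmp any any echo-reply
access-list 101 deny ip any any
access-list 144 permit ip 10.1.2.0 0.0.0.255 any
route-map VPN-Client permit 10
 match ip address 144
 set ip next-hop 10.1.3.2
"""

# Assumed tables: application protocols and the generic transport entry that
# also inspects them; IOS port keywords and their numbers.
TRANSPORT = {"http": "tcp", "ftp": "tcp", "esmtp": "tcp", "dns": "udp", "tftp": "udp"}
PORT = {"www": "80", "domain": "53", "isakmp": "500", "non500-isakmp": "4500"}


def inspect_sets(config):
    """{rule_set: {protocol, ...}} from 'ip inspect name <set> <proto>' lines."""
    sets = {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:3] == ["ip", "inspect", "name"] and len(tok) >= 5:
            sets.setdefault(tok[3], set()).add(tok[4])
    return sets


def inspection_covers(config, rule_set, app):
    """'explicit', 'generic' (covered by the tcp/udp entry) or 'none'."""
    protos = inspect_sets(config).get(rule_set, set())
    if app in protos:
        return "explicit"
    if TRANSPORT.get(app) in protos:
        return "generic"
    return "none"


def _addr_spec(tok, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at tok[i]; return (network, next index)."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    wc = int(ipaddress.IPv4Address(tok[i + 1]))
    if wc & (wc + 1):                      # wildcard must be a contiguous run of low 1-bits
        raise ValueError(f"non-contiguous wildcard {tok[i + 1]}")
    prefix = 32 - wc.bit_length()          # 0.0.0.63 -> /26, 0.0.0.255 -> /24
    return ipaddress.ip_network(f"{tok[i]}/{prefix}", strict=False), i + 2


def acl_entries(config, number):
    """Ordered permit/deny entries of a numbered ACL (remarks skipped)."""
    return [tok for tok in (line.split() for line in config.splitlines())
            if tok[:2] == ["access-list", str(number)]
            and len(tok) > 3 and tok[2] in ("permit", "deny")]


def acl_decision(config, number, proto, src, dst, dport=None, icmp_type=None):
    """First-match evaluation of an extended numbered ACL.

    Returns (action, entry text); ('deny', 'implicit deny') when nothing matches.
    A source-port qualifier ('eq' right after the source) is skipped, not evaluated.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for tok in acl_entries(config, number):
        action, aproto = tok[2], tok[3]
        if aproto not in ("ip", proto):
            continue
        src_net, i = _addr_spec(tok, 4)
        if tok[i:i + 1] == ["eq"]:
            i += 2
        dst_net, i = _addr_spec(tok, i)
        rest = tok[i:]                     # e.g. ['eq', 'www'] or ['echo-reply']
        if src_ip not in src_net or dst_ip not in dst_net:
            continue
        if rest[:1] == ["eq"] and PORT.get(rest[1], rest[1]) != str(dport):
            continue
        if aproto == "icmp" and rest and rest[0] != icmp_type:
            continue
        return action, " ".join(tok)
    return "deny", "implicit deny"


def policy_next_hop(config, iface, src, dst):
    """Next hop set by the 'ip policy route-map' on iface for src->dst, else None."""
    lines = config.splitlines()
    rmap, in_iface = None, False
    for tok in (line.split() for line in lines):
        if tok[:1] == ["interface"]:
            in_iface = tok[1:] == [iface]
        elif in_iface and tok[:3] == ["ip", "policy", "route-map"]:
            rmap = tok[3]
    in_map, acl = False, None
    for tok in (line.split() for line in lines):
        if tok[:2] == ["route-map", rmap] and tok[2:3] == ["permit"]:
            in_map, acl = True, None
        elif tok[:1] in (["route-map"], ["interface"], ["!"]):
            in_map = False
        elif in_map and tok[:3] == ["match", "ip", "address"]:
            acl = tok[3]
        elif in_map and tok[:3] == ["set", "ip", "next-hop"] and acl:
            if acl_decision(config, acl, "ip", src, dst)[0] == "permit":
                return tok[3]
    return None


if __name__ == "__main__":
    print("http inspected:", inspection_covers(SAMPLE_CONFIG, "DEFAULT100", "http"))
    print("ACL 101:", acl_decision(SAMPLE_CONFIG, 101, "tcp", "10.1.2.70", "93.184.216.34", dport=80))
    print("PBR next hop:", policy_next_hop(SAMPLE_CONFIG, "FastEthernet4", "10.1.2.70", "93.184.216.34"))
```

Paste a full running-config into `SAMPLE_CONFIG` (or read it from a file) and the same three calls apply unchanged. Note that a rule set with a generic `tcp` entry, as the posted DEFAULT100 has, reports `http` as covered "generic": the reply's question is therefore one to verify in the inspect entries rather than assume from the absence of an `http` line.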