06-05-2002 06:55 PM - edited 02-21-2020 11:47 AM
I built a VPN between two points. One point uses ADSL (with a CISCO 1720 plus wic-1enet, without a fixed IP address), the other point uses a DDN line (with a CISCO 2611, with a fixed IP address). The VPN only uses IPsec encryption without building a tunnel. With transport over the VPN, the computers at the two points can ping each other, but they can't find each other in 'MS Windows network neighbor'.
I want to know how I can make the two points find each other.
Router#sh run
Building configuration...
Current configuration : 1695 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
no logging buffered
no logging buffered
logging rate-limit console 10 except errors
enable secret 5 $1$1wN5$AWKZpt5/WiT7ERgcv6kgJ0
!
memory-size iomem 25
ip subnet-zero
no ip finger
!
vpdn enable
no vpdn logging
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 202.96.192.17
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto map rtp 1 ipsec-isakmp
set peer 202.96.192.17
set transform-set rtpset
match address 115
!
!
!
!
interface Ethernet0
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
!
interface FastEthernet0
ip address 10.0.0.1 255.255.255.0
ip nat inside
speed auto
!
interface Dialer1
ip address negotiated
ip mtu 1410
ip nat outside
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username ad50045108 password 7 11390E5C023A522216
crypto map rtp
!
ip nat inside source route-map nonat interface Dialer1 overload
ip kerberos source-interface any
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
!
access-list 115 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 115 deny ip 10.0.0.0 0.0.0.255 any
access-list 120 deny ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 120 permit ip 10.0.0.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 120
!
!
line con 0
transport input none
line aux 0
line vty 0 4
password cisco
login
!
end
Router#
Router#sh run
Building configuration...
Current configuration : 1348 bytes
!
version 12.1
no service single-slot-reload-enable
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Router
!
enable secret 5 $1$Q7n0$7O7pK/8tKcsV87mJMk82v1
enable password cisco
!
!
!
!
!
ip subnet-zero
!
!
!
crypto isakmp policy 1
hash md5
authentication pre-share
crypto isakmp key cisco123 address 0.0.0.0
!
!
crypto ipsec transform-set rtpset esp-des esp-md5-hmac
!
crypto dynamic-map rtpmap 10
set transform-set rtpset
match address 115
!
!
crypto map rtptrans 10 ipsec-isakmp dynamic rtpmap
!
!
!
!
!
!
interface Ethernet0/0
ip address 202.96.192.17 255.255.255.252
ip nat outside
crypto map rtptrans
!
interface Ethernet0/1
ip address 202.96.192.30 255.255.255.248 secondary
ip address 61.129.60.234 255.255.255.252 secondary
ip address 10.0.1.254 255.255.255.0
ip nat inside
!
ip nat inside source route-map nonat interface Ethernet0/1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 202.96.192.18
no ip http server
!
access-list 115 permit ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 115 deny ip 10.0.1.0 0.0.0.255 any
access-list 120 deny ip 10.0.1.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 120 permit ip 10.0.1.0 0.0.0.255 any
route-map nonat permit 10
match ip address 120
!
!
!
!
line con 0
line aux 0
line vty 0 4
password ibm
login
!
end
06-10-2002 12:56 AM
Assuming there is IP connectivity and browsing is now the problem, this is probably a Microsoft issue. Essentially, WINS needs to be set up at the central site, and the remote client has to use this service, since we cannot pass the broadcast packets through the IPSEC tunnel. I would suggest that you have a look at the following URLs:
98: Chapter 18 - Logon, Browsing, and Resource Sharing
http://www.microsoft.com/TechNet/win98/Reskit/Part3/wrkc18.asp
95: Chapter 11 Logon, Browsing, and Resource Sharing
http://www.microsoft.com/TechNet/win95/reskit/part3/rk11_res.asp
95: Domain Browsing with TCP/IP and LMHOSTS Files
http://support.microsoft.com/support/kb/articles/Q150/8/00.asp
95, 98, NT: Manually Populating Network Neighborhood with Static Entries for Browsing
http://support.microsoft.com/support/kb/articles/Q210/3/27.ASP
NT: MS Windows NT Browser
http://www.microsoft.com/TechNet/winnt/Winntas/technote/ntbrowse.asp
Win95/98/NT Dialup, Authentication, Browsing Using TCPIP, IPX/SPX, or NetBEUI
http://support.microsoft.com/support/kb/articles/q232/5/11.asp
Also, some more information that might be useful for you, regarding logging into the domain:
Domain Logon
Make sure that the PC is set up to log into the Domain when it boots up. Put in the user information and password when the computer boots up and prompts for a domain logon. It will return a message about being unable to find domain controller. Hit OK. This will cache the information for use after you've established your VPN connection. Log into your ISP and then connect with the VPN Client. Once connected, right click on Network Neighborhood and select "Find Computer". Put in the IP address of the Primary Domain Controller. Once it is found, double click on the blue computer icon that it's found. Since the PDC is also the Master Browser for the domain, connecting also prompts the remote PC to get the browse list from the PDC. Now you should be able to browse the Network Neighborhood. In order to make the Find Computer easier, it is recommended to create a shortcut for the PDC on the desktop so that double clicking it will make the connection and establish the browse list easily. You may also use an LMHOSTS file instead of the Find Computer method. Put an LMHOSTS file on the remote workstation with information pointing to the PDC. Information on LMHOSTS files may be found in the LMHOSTS.SAM file found on all Windows platforms.
If you do not have an Ethernet card in your PC, then you'll have to enable the Domain Login prompt in your dialup settings. It's a check box that asks if you'd like to login to network. You'll find it if you right click on your dialup connection icon in dialup networking and select properties. Then select the Server Type button.
Note** On Win95/98 workstations, the Workgroup name of the workstation MUST be the same as the Domain name they are trying to log into or they will NOT be able to see a browse list. Also, due to the nature of NT and its browsing method, it sometimes fails to find the PDC when using Autologon. If this occurs, use the "Find Computer" mentioned above for the PDC before attempting to open the Network Neighborhood.
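Why pings cross the VPN while browse broadcasts do not, checked against the crypto ACL 115 posted in the first router's configuration. This is an added example, not part of the original thread: the host addresses 10.0.0.20 and 10.0.1.30 are constructed, and the evaluator is a simplified first-match model of an IOS extended ACL.

```python
import ipaddress

# access-list 115 exactly as posted in the first router's configuration.
ACL_115 = """\
access-list 115 permit ip 10.0.0.0 0.0.0.255 10.0.1.0 0.0.0.255
access-list 115 deny ip 10.0.0.0 0.0.0.255 any
"""

def _take_addr(tokens):
    """Consume 'any' or '<network> <wildcard>' and return (network, wildcard) as ints."""
    if tokens[0] == "any":
        del tokens[0]
        return 0, 0xFFFFFFFF
    net, wild = (int(ipaddress.IPv4Address(t)) for t in tokens[:2])
    del tokens[:2]
    return net, wild

def parse_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into ordered rules."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        rest = tok[4:]
        rules.append((tok[2], _take_addr(rest), _take_addr(rest)))
    return rules

def _matches(addr, spec):
    net, wild = spec
    care = ~wild & 0xFFFFFFFF  # wildcard bits set to 1 are "don't care"
    return (int(ipaddress.IPv4Address(addr)) & care) == (net & care)

def crypto_decision(rules, src, dst):
    """First match wins. In a crypto ACL, permit = protect with IPsec, deny = leave unprotected."""
    for action, s, d in rules:
        if _matches(src, s) and _matches(dst, d):
            return "encrypt" if action == "permit" else "clear"
    return "clear"  # implicit deny at the end of every ACL

# Constructed sample traffic from a hypothetical PC 10.0.0.20 behind the 1720.
SAMPLES = {
    "ping to remote PC": ("10.0.0.20", "10.0.1.30"),
    "NetBIOS name broadcast (subnet)": ("10.0.0.20", "10.0.0.255"),
    "NetBIOS name broadcast (limited)": ("10.0.0.20", "255.255.255.255"),
}

def classify_samples():
    rules = parse_acl(ACL_115)
    return {name: crypto_decision(rules, s, d) for name, (s, d) in SAMPLES.items()}
```

Only the unicast flow is selected for IPsec. The local broadcasts are also never routed off the LAN in the first place, which is why name resolution has to move to unicast (WINS or LMHOSTS), as the reply says.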