12-26-2011 05:48 AM
Just installed SDM on my pc and I am not able to access the router
type in the ip address of the router and get this message
Unable to launch sdm due to one or more of the following
1. the ip address or host name you provided is not a valid router or is not available
2. HTTP/HTTPS is disabled on the router
I believe number 2 is the issue but not sure what to change
in my config
!
no ip http server
ip http access-class 23
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
I can use hyper terminal with the serial port to connect to the console and I can use telnet to access the console.
Trying to configure VPN on the router and thought it might be a little easier to use SDM since I am new to Cisco routers. I know how to do command line entries but do not know which command lines to do to add VPN or to get this SDM to work without stopping another function.
My router is 851awgk9 rev 12.3
Thanks
Tom
12-26-2011 07:27 AM
The "no" lines in your config section posted above tell the router to NOT allow access via http and https.
From the router cli, enter config mode and type:
ip http server
ip http secure-server
end
write memory
After that, your SDM should work (assuming access-list 23 referenced in your script allows access from your client's IP address).
Be advised, however, that SDM is discontinued. The replacement product is Cisco Configuration Professional (CCP). You may find it more useful. Here is a link to the product page and the Quick Start Guide for CCP.
Hope this helps.
12-26-2011 08:40 AM
Marvin
Thanks, very helpful
I downloaded CCP
During discovery I got these messages
Unable to detect CME version. Voice features will not be available.
License feature cannot be discovered. This and associated features may not function correctly.
Switch Port feature cannot be discovered. This and associated features may not function correctly.
Switch VLAN feature cannot be discovered. This and associated features may not function correctly.
MAC Address feature cannot be discovered. This and associated features may not function correctly.
When I select configure or monitor all the folders are greyed out
I installed this on my Windows 7 64 bit pc
Do I need to install anything on the router?
any ideas
Tom
12-26-2011 09:14 AM
Have you setup CCP per the Quick Start Guide and discovered your router successfully (see Figure 13 of the guide)?
Once a router has been successfully discovered, all installed features should be manageable. Some things, like CME (Call Manager Express) I would not expect if they were not available or installed on the router.
The 851 is a very small and limited feature router. CCP won't configure features not supported in your hardware or IOS.
12-27-2011 07:21 AM
Marvin
yes it was discovered it just took awhile
Thanks
Tom
12-27-2011 07:33 AM
Tom,
So once it got properly discovered are you able to configure the applicable interfaces and other settings?
12-27-2011 07:54 AM
Marvin
yes I was able to config the vpn, all features of my router are now accessible
Now I need to figure out why it is not working (the VPN that is)
Tom
12-27-2011 08:05 AM
Great - one step at a time.
When a site-site VPN is not working during initial setup, it can usually be isolated to an IKE Phase 1 or Phase 2 issue. I've found a small handful of commands useful in checking that out:
debug crypto condition peer [ip of your peer]
debug crypto ipsec 7
debug crypto isakmp 7
(The first command only necessary when you have multiple peers. It restricts the next two commands to only debug traffic to the peer in question. The next two commands will break out phase 1 and phase 2 issues. Level 7 is a good informative debug level for this task.)
Introduce interesting traffic to your router (i.e., something that should be tunneled to the peer) and check the debug results. You should see phase 1 establish and then Phase 2. If either fails, the debug output should highlight the mismatched parameter.
You probably also want to use:
no logging console
logging buffered debug
If you haven't already done so as not to overwhelm your console with debug messages.
12-27-2011 08:33 AM
Marvin
yes baby steps here lol
I used EasyVPN. Do those commands work for EasyVPN also?
I received this report
Router Details
Attribute | Value |
Router Model | 851W |
Image Name | c850-advsecurityk9-mz.124-4.T7.bin |
IOS Version | 12.4(4)T7 |
Hostname | MyRouter |
Test Activity Summary
Activity | Status |
Checking interface status... | Failed |
Test Activity Details
Activity | Status |
Checking interface status... | Failed |
Troubleshooting Results
Failure Reason(s) | Recommended Action(s) |
All the crypto applied interface(s) are down or no crypto applied interface is present | Make the connection up and then proceed with VPN troubleshooting. |
How do I make the connection up? And what interface are they talking about? Should I do a show interfaces?
Tom
12-27-2011 08:54 AM
The commands I posted earlier are for a command line interface (CLI) window. Detailed troubleshooting is best done from that lower level.
That said, EasyVPN seems to be indicating that either your interface is down or there is no crypto map applied to your interface.
If you could post your configuration file here, we can have a look for any obvious issues. Capture the output from "show run" and "show interface status" commands if you can.
FYI, if you'd like to learn more what's going on under the covers, there are numerous good configuration examples out on the web. Here are a couple good ones:
12-27-2011 09:05 AM
Marvin
Thanks
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
User Access Verification
Username: mycisco
Password:
MyRouter#show run
Building configuration...
Current configuration : 7302 bytes
!
! Last configuration change at 10:39:23 EST Tue Dec 27 2011 by netman
! NVRAM config last updated at 10:17:10 EST Tue Dec 27 2011 by netman
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MyRouter
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx/
!
aaa new-model
!
!
aaa group server radius sdm-vpn-server-group-1
server 192.168.69.15 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 group sdm-vpn-server-group-1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 group sdm-vpn-server-group-1 local
!
aaa session-id common
!
resource policy
!
clock timezone EST -5
clock summer-time edt recurring
ip subnet-zero
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
lease 0 2
!
!
ip cef
ip domain name TGCSNET.COM
ip name-server 71.242.0.12
ip name-server 71.250.0.12
ip name-server 4.2.2.2
!
!
crypto pki trustpoint TP-self-signed-1164042433
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1164042433
revocation-check none
rsakeypair TP-self-signed-1164042433
!
!
crypto pki certificate chain TP-self-signed-1164042433
certificate self-signed 01
quit
username mycisco privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
username mynet privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group TGCSVPN
key ourvpn
dns 192.168.69.10 192.168.69.15
wins 192.168.69.10 192.168.69.15
domain our
pool SDM_POOL_1
max-users 10
netmask 255.255.255.0
crypto isakmp profile ciscocp-ike-profile-1
match identity group WGP-1
match identity group WGP-2
match identity group ACCTG
match identity group CSVC
match identity group TGCSVPN
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address 72.88.223.20 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet4
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid 010659120255
!
ssid TGCSNET
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 010659120255000000
!
speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
channel 2437
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no snmp trap link-status
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip virtual-reassembly
ip tcp adjust-mss 1452
bridge-group 1
bridge-group 1 spanning-disabled
!
interface BVI1
ip address 192.168.69.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip local pool SDM_POOL_1 192.168.70.75 192.168.70.99
ip classless
ip route 0.0.0.0 0.0.0.0 72.88.223.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 110 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.69.26 8080 interface FastEthernet4 8080
ip nat inside source static tcp 192.168.69.26 25 interface FastEthernet4 25
ip nat inside source static tcp 192.168.69.15 80 interface FastEthernet4 80
ip nat inside source static tcp 192.168.69.15 21 interface FastEthernet4 21
ip nat inside source static tcp 192.168.69.15 5900 interface FastEthernet4 5900
ip nat inside source static tcp 192.168.69.26 443 interface FastEthernet4 443
!
ip access-list extended denyDHCP
deny udp any any eq bootpc
deny udp any any eq bootps
permit ip any any
!
ip radius source-interface BVI1
access-list 23 permit 192.168.69.0 0.0.0.255
access-list 110 permit ip 192.168.69.0 0.0.0.255 any
no cdp run
radius-server host 192.168.69.15 auth-port 1645 acct-port 1646
!
control-plane
!
bridge 1 route ip
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username
no username cisco
Replace
.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
access-class 23 in
transport input telnet ssh
!
scheduler max-task-time 5000
ntp clock-period 17175142
ntp server 141.165.5.137
end
MyRouter#
MyRouter#
MyRouter#show interface status
Port Name Status Vlan Duplex Speed Type
Fa0 connected 1 a-full a-100 10/100BaseTX
Fa1 connected 1 a-full a-100 10/100BaseTX
Fa2 connected 1 a-full a-100 10/100BaseTX
Fa3 notconnect 1 auto auto 10/100BaseTX
MyRouter#
I can telnet to my router from my pc that is the low level access you are talking about correct?
Should I still run those commands above now or wait till after you review my config?
Thanks for all your help
Tom
12-27-2011 09:23 AM
Yes, telnet is one way of accessing the CLI I was referring to.
Before doing any debugging, your configuration shows you have only partly configured your router. Only the outside interface (Fa4) and the wireless are assigned IP addresses.
Can you tell me what you are expecting to establish a VPN to or from again? Is it for site to site or for remote clients? Have you worked through the wizard for either of them in CCP or SDM?
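An added example, not part of the original thread: a small Python check that reads "show run" text and lists which interfaces carry an IP address and which have a crypto map or tunnel protection applied, the two things the CCP report and the review above look at. The sample config is constructed in the shape of the posted output, with 203.0.113.20 as a placeholder address, and the function names are hypothetical.

```python
import re

# Constructed sample in the shape of the "show run" posted in the thread.
# 203.0.113.20 is a documentation placeholder, not an address from the page.
SAMPLE_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.20 255.255.255.0
 ip nat outside
!
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 192.168.69.1 255.255.255.0
!
"""

# Sub-commands of interest; match() anchors at line start, so "no ip address" is skipped.
PATTERNS = {
    "ip": re.compile(r"ip (address \S+ \S+|unnumbered \S+)"),
    "crypto_map": re.compile(r"crypto map (\S+)"),
    "tunnel_protection": re.compile(r"tunnel protection ipsec profile (\S+)"),
}

def interface_summary(text):
    """Map each interface to its IP setting and any crypto map / tunnel protection."""
    summary, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()  # forum pastes often lose indentation, so do not rely on it
        start = re.match(r"interface (\S+)", line)
        if start:
            current = summary.setdefault(start.group(1), dict.fromkeys(PATTERNS))
        elif line == "!":
            current = None  # "!" closes the interface section
        elif current is not None:
            for field, pattern in PATTERNS.items():
                hit = pattern.match(line)
                if hit:
                    current[field] = hit.group(1)
    return summary

def addressed(summary):
    return sorted(n for n, f in summary.items() if f["ip"])

def crypto_applied(summary):
    return sorted(n for n, f in summary.items() if f["crypto_map"] or f["tunnel_protection"])
```

Calling `crypto_applied(interface_summary(text))` on a saved configuration gives the interfaces to check with `show interfaces` when a tool reports that no crypto-applied interface is up.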
12-27-2011 09:46 AM
Marvin
Good thought telnet was the one great
I thought i missed something not sure what I missed
Yes I used the CCP wizard?
I have users that need access to my network here. All are remote, some are laptops and some are PCs connected directly to the internet and some via wireless. I am hoping that they can just go into the network setup and select new network connection and choose vpn connection. Then I need to give them some info I guess.
So yes Remote clients only
Does that help?
Tom