05-31-2010 01:29 PM
I would like to set up a site-to-site VPN using Cisco 871 models on both ends but am having a hard time configuring it. Can anyone tell me how to do this, or if you know of any link that can help me set it up as soon as possible?
I can learn this, but it is the timing that prevents me from making it work. The other end is already configured to provide Internet access to all users.
06-02-2010 10:06 AM
Hi Federico,
I was having a hard time configuring the devices and testing them. If I could just be allowed to RDP to the remote server as shown below, then I would get results much faster.
Can you help me again?
RDP to office network 196.1.65.54 (Cisco router) ---> (tunnel) 10.193.12.17 (RDP server)
Please give me the whole commands to do it.
06-02-2010 11:07 AM
Tom,
You want to be able to RDP to 10.193.12.17 from the other side?
If the tunnel is not configured yet, then an easy way to do this is to configure a port redirection for port 3389 on the router.
On the 196.1.65.54 Cisco router:
ip nat inside source static tcp 10.193.12.17 3389 196.1.65.54 3389
In this way, when you connect via RDP to the router (196.1.65.54), the router will redirect this connection to the internal RDP server (10.193.12.17).
Is this what you're looking for?
Federico.
06-28-2010 02:26 PM
Ok,
I have VPN and NAT configured; now I added some ACLs and I'm not getting DHCP to assign IP addresses on the remote client side. I'm sure I'm missing something, so I tried removing the remotein ACL and it works. I would like to implement it with the restrictions in the remotein ACL.
Can anyone provide a simple example on how to do it?
Here is my config:
R1#sh run
Building configuration...
Current configuration : 5463 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 51200 warnings
enable secret 5 secret
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-1597452845
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1597452845
revocation-check none
rsakeypair TP-self-signed-1597452845
!
!
crypto pki certificate chain TP-self-signed-1597452845
certificate self-signed 01
30820249 308201B2 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31353937 30353330 3436301E 170D3130 30353038 30333533
32335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
quit
dot11 syslog
ip source-route
!
!
ip dhcp excluded-address 10.10.10.1 10.10.10.2
!
ip dhcp pool sdm-pool
import all
network 10.10.10.0 255.255.255.248
default-router 10.10.10.1
dns-server 205.214.192.201 205.214.192.201
domain-name 208.67.222.222
netbios-name-server 10.193.12.100
!
!
ip cef
ip domain name yourdomain.com
ip name-server 1.1.1.1
ip name-server 2.2.2.2
no ipv6 cef
!
multilink bundle-name authenticated
!
!
!
username admin privilege 15 secret 5 secret
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key shared-secret address 200.200.200.1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to 200.200.200.1
set peer 200.200.200.1
set transform-set ESP-3DES-SHA
match address 100
!
archive
log config
hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ETH-WAN$
ip address dhcp client-id FastEthernet4
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map SDM_CMAP_1
crypto ipsec df-bit clear
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip access-group remotein in
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source route-map SDM_RMAP_3 interface FastEthernet4 overload
!
ip access-list extended remotein
permit udp any host 10.10.10.1 eq bootps bootpc
permit ip host 10.10.10.2 any
permit ip 10.10.10.0 0.0.0.7 10.193.12.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.7 host 10.10.10.1
permit ip 10.10.10.0 0.0.0.7 host 10.193.15.198
deny ip any any
!
access-list 100 permit ip 10.10.10.0 0.0.0.7 10.193.12.0 0.0.3.255
access-list 101 remark SDM_ACL Category=2
access-list 101 deny ip 10.10.10.0 0.0.0.7 10.193.12.0 0.0.3.255
access-list 101 permit ip 10.10.10.0 0.0.0.7 any
no cdp run
!
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
route-map SDM_RMAP_2 permit 1
match ip address 102
!
route-map SDM_RMAP_3 permit 1
match ip address 101
!
!
control-plane
!
banner login ^C
-----------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco"
with the password "cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START GUIDE for your router or go to http://www.cisco.com/go/sdm
-----------------------------------------------------------------------
^C
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 0 0
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
end
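An added example, not part of the original thread or the poster's config, showing why the remotein ACL stops DHCP and how to keep the restriction in place while letting DHCP through. It reuses the poster's addresses and ACL name; the sequence number 5 and the verification commands are my additions.

```cisco
! Added example (not the poster's config): let DHCP through the "remotein" ACL.
!
! Why DHCP fails: a client that has no address yet sends DHCPDISCOVER and
! DHCPREQUEST from 0.0.0.0 port 68 (bootpc) to 255.255.255.255 port 67 (bootps).
! The only DHCP entry in remotein matches destination host 10.10.10.1, so the
! broadcast falls through to "deny ip any any" on the inbound Vlan1 ACL and the
! router's DHCP server never sees it. Lease renewals are unicast to 10.10.10.1
! and were already matched, which is why only new leases fail.
!
! Insert one entry ahead of the existing ones. Named ACLs number their entries
! 10, 20, 30 ... so sequence 5 lands first; the ACL does not need rebuilding.
ip access-list extended remotein
 5 permit udp any eq bootpc any eq bootps
!
! Resulting ACL, for reference (entries 10-60 are the poster's, unchanged):
!   5  permit udp any eq bootpc any eq bootps      <- DHCP from unaddressed clients
!   10 permit udp any host 10.10.10.1 eq bootps bootpc
!   20 permit ip host 10.10.10.2 any
!   30 permit ip 10.10.10.0 0.0.0.7 10.193.12.0 0.0.0.255
!   40 permit ip 10.10.10.0 0.0.0.7 host 10.10.10.1
!   50 permit ip 10.10.10.0 0.0.0.7 host 10.193.15.198
!   60 deny ip any any
!
! Verify: release/renew on a client, then confirm that sequence 5 is counting
! matches and that a lease was handed out.
! R1# show ip access-lists remotein
! R1# show ip dhcp binding
! If still nothing, watch the exchange on the router:
! R1# debug ip dhcp server packet
```

The restriction is preserved: hosts other than 10.10.10.2 still reach only the router, 10.193.12.0/24 over the tunnel, and 10.193.15.198.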