Cisco router T1 gw voip Radius Radiator

All
I got a cisco router and want to output the radiator,
however I found that the /cgi-bin/radacct.cgi , each call record had generate 4 records...
What is the best method for me to take the one.
00000572 27 Sep 2004 16:39:21 0:00:00 3101 3200 156 80
00000572 27 Sep 2004 16:39:26 0:00:00 3101 3200 156 80
00000572 27 Sep 2004 16:39:31 0:00:00 3101 3200 156 80
00000576 27 Sep 2004 16:39:32 0:00:00 3111 3141 157 80
00000572 27 Sep 2004 16:39:36 0:00:00 3101 3200 156 80
00000576 27 Sep 2004 16:39:37 0:00:00 3111 3141 157 80
00000576 27 Sep 2004 16:39:42 0:00:00 3111 3141 157 80
00000576 27 Sep 2004 16:39:47 0:00:00 3111 3141 157 80

Thanks for the link Calvin.
I actually got it to work by just old fashion trial and error. Turned out to be two things:
Microsoft 2008 R2 NPS>Policies>Network Policies>" Wireless Policy I created">Authentication Methods.... CHAP had to be enabled.
Microsoft 2008 R2 NPS>Policies>Network Policies>" Wireless Policy I created">conditions..... delete the friendly name I read I needed to create. This "various RADIUS Clients was not so important to us" (will make sense if you follow link)
I mainly used this link for anyone interested:
http://www.darylhunter.me/blog/2010/06/cisco-ios-fu-7-cisco-radius-windows-server-2008-nps.html

Similar Messages

Do you need a cisco router at remote sites when using VRF BGP?

Hello.....
If you could refer to the attached document and read the following... I need to know if a CISCO router is required for each of the sites. OR does the ISP (Provider) provide the only required Router in the private cloud?
We want to replace the Cisco 891 with a PepLink but I don't know if we can do that. Can anyone jump in and help me understand?
When we hear about VRF, its almost synonymous to MPLS VPN. Virtual Routing and Forwarding is commonly used by Service Providers to provide services within an MPLS cloud with multiple customers. The most interesting feature of this is that, VRF allows creation of multiple routing tables within a single router. This means that overlapping use of IP addresses from different customers is possible. Some enterprises use VRF to seggrate their services like VOIP, wireless, geographical location and other varieties.

Whether you can replace the 891 device with another device boils down to a single question: Do you need to run BGP with the Service Provider in order to use their service. If you need to run a routing protocol with your service provider, your service is likely a L3VPN (IP VPN) solution ( i.e. you inject your site's routes into the providers L3VPN session, they use MP-BGP+VRF for segmentation within their network).
If, however, they just drop you a L2 connection and provide L2 emulated services ( e.g. L2VPN or VPLS ) across their network, then your device can be whatever you want it to be.
From your device's perspective, it is not VRF aware. That is, it does not know about how the service provider segments your service from another customers. In the L3VPN case, your device is routing-protocol aware. In the L2VPN case, your device is not routing protocol aware and does not need to form adjacency with the service provider's equipment.
HTH.
Rate if helpful.

Changing Wireless Channel on CISCO Router

How do I change the wireless channel on a CISCO 1811W (MPC8500) router? Currently it is channel 10 and I prefer to change it to channel 1 to reduce interference with microwave oven. I have already replaced the standard antenna with 7dBi high gain antenna.
Out of 12 wireless clients about 3 are being dropped whenever microwave oven is turned on. These clients have Linksys WMP54G Wireless G PCI adapters. Other client computers are notebooks with builtin wireless adapters and desktops with Belkin, TRENDnet, or Motorola Wireless PCI or USB adapters.
All computers are within about 60'-80' radius from the CISCO wireless router and are about 20' away from the microwave oven. Any suggestions?
Thanks.
N Murugesan
[email protected]

I tried in SDM and could not find a way to change radio channel.
How do I invoke command line interface (CLI)? I found the following from Cisco Wireless ISR and HWIC Access Point Configuration Guide.
Configuring Radio Channel Settings
Step 1          configure terminal                     - enter global configuration mode
Step 2          interface dot11radio 0                   - enter interface configuration mode for the radio interface. The 2.4 GHz radio is radio 0, and 5 GHz is 1.
Step 3           channel frequency | least-congested - set the default channel for the wireless radio - Channel 1 2412 MHz, Ch 2 2417, Ch 3 2422, etc.
                                                                      - To search for the least-congested channel on startup, enter least-congested
Step 4          end                                        - return to privileged EXEC mode
Step 5          copy running-config startup-config          -(optional) save your entries in the configuration file.
I need help to enter into the privileged EXEC mode. Once I type https://10.10.10.1 (router IP) I get a login screen (Level_15 or view access). Once I enter User Id and Password I get Cisco Router and Security Device Manager (SDM) that has Home, Configure, and Monitor tabs.
Configure - Interfaces & Connections - Edit Interfaces & Connections - DOT11Radio0 shows status as Up; but does not allow me to change anything. Neither channel nor frequency is displayed.
So I not sure how to use SDM to change the default channel.
I will appreciate any help in this regard.
N Murugesan
[email protected]

Cisco router 877M capability to use Unified Communications technology?

Hi all,
Can Cisco router 877M have the features or capability to use VOIP or Unified Communications technology?
Cheers,

Hi Tai,
You may want to take a look at the 2800 series routers. There are bundles to support the number of users you currently have.
If you were to install a 2800 series at your headquarters your remote sites could VPN to headquarters and receive their phone service from headquarters.
Doing this will eliminate any toll charges for calls between the offices.
There is the need to maintain connections to the PSTN in case you lose your WAN connection you will maintain telephony services utilizing the PSTN.
At your remote sites you may want to consider the 880 series routers which have a provision for Survivable remote site telephony (SRST).
This feature allows the router at the remote site to maintain call management if the remote site loses the WAN connection to headquarters.
These calls would then be automatically routed through the PSTN until the WAN connection is restored.
The savings from eliminating charges for calls between your sites may justify the purchase of the new technology.
I would suggest you do a cost study to see how much you spend monthly on calls between the offices.
Hope this helps.
Mark

Setting PPPoE clients speed Via Cisco router

Hi i have a 7200 cisco router working as NAS (network access server) for PPPoE sessions , the clients connected DSLAMS and the Cisco connected to an AAA external Raduis server.
i want to set the user speed Via cisco router in a way which can be controlled in the Radius server , and not through the actual speed of the DSLAMS ports
Thanks alot

Hello Mohamed,
there is a feature called controlled subscriber bandwidth that may fit your needs:
see
http://www.cisco.com/en/US/docs/ios/bbdsl/configuration/guide/bba_con_sub_bdwth_ps6441_TSD_Products_Configuration_Guide_Chapter.html
it manipulates the ATM traffic parameters on a per user basis
these settings can be done on radius AV:
example:
The following example shows how to configure RADIUS attributes for a user profile for DBS:
[email protected] Password = "userpassword1", Service-Type = Outbound
     Service-Type = Outbound,
     Cisco-Avpair = "vpdn:tunnel-id=tunnel33",
     Cisco-Avpair = "vpdn:tunnel-type=l2tp",
     Cisco-Avpair = "vpdn:l2tp-tunnel-password=password2",
     Cisco-Avpair = "vpdn:ip-addresses=172.16.0.0",
     Cisco-Avpair = "atm:peak-cell-rate=155000",
     Cisco-Avpair = "atm:sustainable-cell-rate=155000"
Hope to help
Giuseppe

Does anyone configure cisco router with MGCP to link Call agent Clarent ?

hi,
We require to configure As5300 with MGCP to link Clarent call agent. Does anyone have cisco router configuration ?
thanks.
best regards.
fred.

Below is the sample configuration for the 5300 to Call-Agent. This is also dependant on which package is configured on the call-agent so we can configure it accordingly. Hope this helps.
version 12.3
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
hostname AS5300-5
boot system tftp c5300-is-mz.123-2.T1 171.68.191.135
logging buffered 100000 debugging
enable password xxxx
backhaul-session-manager
set bh5300-vsc1 client nft
group bhgrp1 set bh5300-vsc1
session group bhgrp1 172.16.20.35 7007 172.16.20.28 7007 0
isdn switch-type primary-ni
isdn voice-call-failure 0
no scripting tcl init
no scripting tcl encdir
voice call carrier capacity active
voice class codec 1
codec preference 1 g723r63
codec preference 2 g711ulaw
no voice hpi capture buffer
no voice hpi capture destination
dial-control-mib retain-timer 240
dial-control-mib max-size 600
controller T1 0
framing esf
clock source line primary
linecode b8zs
pri-group timeslots 1-24 service mgcp
controller T1 1
framing esf
clock source line secondary 1
linecode b8zs
ds0-group 0 timeslots 1-24 type none service mgcp
controller T1 2
framing esf
clock source line secondary 2
linecode b8zs
controller T1 3
framing esf
clock source line secondary 3
linecode b8zs
interface Ethernet0
no ip address
no ip mroute-cache
shutdown
interface Serial0
no ip address
no ip mroute-cache
shutdown
clockrate 2015232
no fair-queue
interface Serial1
no ip address
no ip mroute-cache
shutdown
clockrate 2015232
no fair-queue
interface Serial2
no ip address
no ip mroute-cache
shutdown
clockrate 2015232
no fair-queue
interface Serial3
no ip address
no ip mroute-cache
shutdown
clockrate 2015232
no fair-queue
interface Serial0:23
no ip address
isdn switch-type primary-ni
isdn bind-l3 backhaul bh5300-vsc1
no cdp enable
interface FastEthernet0
ip address 172.16.20.28 255.255.255.192
no ip mroute-cache
duplex full
speed auto
no cdp enable
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.20.1
no ip http server
radius-server host 172.21.59.165 auth-port 1645 acct-port 1646
radius-server key xxxxxxxx
radius-server vsa send accounting
voice-port 0:23
voice-port 1:0
mgcp
mgcp call-agent 172.16.20.35 2427 service-type mgcp version 0.1
mgcp quarantine mode loop
mgcp package-capability dtmf-package
mgcp package-capability rtp-package
mgcp package-capability as-package
mgcp default-package gm-package
mgcp profile default
timeout tsmax 100
no max1 lookup
dial-peer cor custom

Cisco router with freeradius

I have cisco Router 7206VXR and freeradius server , what I need is to change the user sevice in cisco router when changing it on freeradius.so if a user has1Mbps speed on freeradius the following commands will be applied to the user virtual interface on cisco router:
rate-limit output 1048000 196608 393216 conform-action transmit exceed-action drop
what I need is to change this command Automatically when changing the user service on freeradius so that the command become :
rate-limit output 2096000 393216 786432 conform-action transmit exceed-action drop (for 2Mbps)
I tried the following configuration but it didnt work:
aaa authorization network <name> group <radius>
aaa server radius dynamic-author
client <freeradius ip address> server-key xxxxx
any suggessions?
Thanks in advance

Framed-IP-Netmask has influence only on NAS side and
it'll insert the correct route into the routing table
(see the enclosed part), but it'll have NO effect
on the client side - meaning that the end-user should
do all addressing by himself.
Routing table for PPP user with one /28 subnet:
U 192.168.1.128/28 [1/0] via 192.168.100.129
C 192.168.1.129/32 is directly connected, Virtual-Access35
/Igor

New VLAN config on Cisco router

We are in the process of rolling out VOIP with new Cisco router
configurations. When the VLAN config is changed on the router it can no
longer ping the server. The router config is setup with secondary IP info
so that we don't have to go thru the process of changing IP config on the
NW 6.5 SP 6 servers.
Has anyone seen this issue? Do I need to bind new VLAN ti IP NICs? Any
other thoughts?
Thanks for any help received,
Todd W Carter

On 6/5/2007 Todd W Carter wrote:
> We are in the process of rolling out VOIP with new Cisco router
> configurations. When the VLAN config is changed on the router it can no
> longer ping the server. The router config is setup with secondary IP info so
> that we don't have to go thru the process of changing IP config on the NW 6.5
> SP 6 servers.
>
> Has anyone seen this issue? Do I need to bind new VLAN ti IP NICs? Any other
> thoughts?
When pinging from the router, the packets will be source from its primary
ip address. If the server's subnet is part of the secondary IP address on the
router, you must use an extended ping in the router for it to work.
However, I recommend implementing router-in-a-stick instead of secondary IP
addressing when creating multiple VLANs.
On the router, you can create sub-interfaces under the LAN interface and deploy
dot1q trunking. At the switch-port, configure dot1q trunking as well and the
router
will route between VLANs while providing a better design.
This is outside of the scope of this forum so I recommend posting in the Cisco
forums at http://forum.cisco.com/eforum/servlet/NetProf?page=main
Thanks !
Edison Ortiz
(Routing & Switching, CCIE # 17943)

Cisco Router tried to take a firmware update and no longer works

Ok so internet was working fine until Cisco Connect told me to take an update. My connection is wired and there were no disruptions during the download. Yet the download still failed and now my power light blinks continuously and there is no internet access. I tried instructions on "How to unbrick your Cisco Router", even got them to work, it took the firmware update from the cmd line. Still doesnt work though. What's wrong with this thing and how do i fix it?
Solved!
Go to Solution.

I ended up downloading a firmware utility program and was able to get it to reload. The power light became solid somewhere between 2-5 mins, however still didnt connect to the internet. Found that all this factory resetting will change your Internet access name & password, with no way to find out the new one. You have to remove the Cisco Connect program from your computer and reload it from the original disk. Only then will you be up and running again. While I appreciate the response Helm, I was way beyond a 30 second reset button solution when I posted this lol.

Cant ping behind cisco router (site2site vpn)

Dears;
After configure site to site vpn between cisco router and fortigate firewall,
site A : 10.0.0.0/24     behind fortigate
site B: 10.10.10.0/24 behind cisco router
the tunnel is up and I can ping 10.0.0.1 from site B and can ping 10.10.10.1 from site A but I cant ping any ip inside 10.0.0.0/24 form site B or network 10.10.10.0/24 from site A
my cisco router configuration is
Current configuration : 2947 bytes
! No configuration change since last restart
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
boot-start-marker
boot-end-marker
enable secret 4 EE103as6FtdocdBefpgugX6P9eGaDKDyBvwz7AywH5Q
no aaa new-model
memory-size iomem 10
clock timezone cairo 2 0
crypto pki token default removal timeout 0
ip source-route
ip dhcp excluded-address 192.168.16.1
ip dhcp excluded-address 10.10.10.1 10.10.10.10
ip dhcp pool GUEST
network 192.168.16.0 255.255.255.0
default-router 192.168.16.1
dns-server 8.8.8.8 8.8.4.4
ip dhcp pool LAN
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 8.8.8.8 8.8.4.4
ip cef
controller VDSL 0
ip ssh version 2
crypto isakmp policy 10
encr aes
hash sha256
authentication pre-share
group 5
crypto isakmp key 6 *********** address 4.x.x.x no-xauth
crypto ipsec transform-set myset esp-aes esp-sha256-hmac
crypto map kon-map 10 ipsec-isakmp
set peer 4.x.x.x
set transform-set myset
set pfs group5
match address 105
interface Ethernet0
no ip address
no fair-queue
interface ATM0
no ip address
ip mtu 1452
ip tcp adjust-mss 1452
no atm ilmi-keepalive
interface ATM0.1 point-to-point
ip flow ingress
pvc 0/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
interface FastEthernet0
switchport mode trunk
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
switchport access vlan 2
no ip address
interface FastEthernet3
no ip address
interface Vlan1
ip address 10.10.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Vlan2
ip address 192.168.16.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
interface Dialer1
ip address negotiated
ip mtu 1492
ip nat outside
ip virtual-reassembly in
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
ppp authentication chap pap callin
ppp chap hostname
ppp chap password 0
ppp pap sent-username
crypto map kon-map
ip forward-protocol nd
no ip http server
no ip http secure-server
ip nat inside source list 100 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
access-list 100 deny   ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 any
access-list 100 permit ip 192.168.16.0 0.0.0.255 any
access-list 105 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.0.0.255
banner motd ^C^C
end
when ping from cisco router
konsuler#ping 10.0.0.27 source vlan1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.27, timeout is 2 seconds:
Packet sent with a source address of 10.10.10.1
Success rate is 0 percent (0/5)
help please

Thank you karsten
I can ping interface of router from remote site but cant ping any device behind the router and can ping firewall interface but cant ping any device behind the firewall
-counters in
# sh crypto ipsec sa
increased only while ping 10.0.0.1 or 10.10.10.1 from both sides
r#show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer1
Uptime: 00:03:12
Session status: UP-ACTIVE
Peer: 4.x.x.x port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 4.x.x.x
      Desc: (none)
IKEv1 SA: local 6.x.x.x/500 remote 4.x.x.x/500 Active
          Capabilities:(none) connid:2001 lifetime:22:39:59
IPSEC FLOW: permit ip 10.10.10.0/255.255.255.0 10.0.0.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound: #pkts dec'ed 9 drop 0 life (KB/Sec) 4605776/3407
        Outbound: #pkts enc'ed 14 drop 0 life (KB/Sec) 4605775/3407

Not able to telnet or ssh to outside interface of ASA and Cisco Router

Dear All
Please help me with following question, I have set up testing lab, but still not work.
it is Hub and spoke site to site vpn case, connection between hub and spoke is metro-E, so we are using private ip for outside interface at each site.
Hub -- Juniper SRX
Spoke One - Cisco ASA with version 9.1(5)
spoke two - Cisco router with version 12.3
site to site vpn has been successful established. Customer would like to telnet/ssh to spoke's outside ip from Hub(using Hub's outside interface as source for telnet/ssh), or vise versa. Reason for setting up like this is they wants to be able to make configuration change even when site to site vpn is down. Sound like a easy job to do, I tried for a long time, search this forum and google too, but still not work.
Now I can successfully telnet/ssh to Hub SRX's outside interface from spoke (ASA has no telnet/ssh client, tested using Cisco router).
Anyone has ever done it before, please help to share your exp. Does Cisco ASA or router even support it?
When I tested it, of cause site to site vpn still up and running.
Thanks
YK

Hello YK,
On this case on the ASA, you should have the following:
CConfiguring Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
To specify an interface as a mangement-only interface, enter the following command:
hostname(config)# management access management_interface
where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
You can define only one management-access interface
Also make sure you have the pertinent configuration for SSH, telnet, ASDM and SNMP(if required), for a quick test you can enable on your lab Test:
SSH
- ssh 0 0 outside
- aaa authentication ssh console LOCAL
- Make sure you have a default RSA key, or create a new one either ways, with this command:
*crypto key generate rsa modulus 2048
Telnet
- telnet 0 0 outside
- aaa authentication telnet console LOCAL
Afterwards, if this works you can define the subnets that should be permitted.
On the router:
!--- Step 1: Configure the hostname if you have not previously done so.
hostname Router
!--- aaa new-model causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the router's DNS domain.
ip domain-name yourdomain.com
!--- Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet and SSH is supported with transport input all
line vty 0 4
transport input All
*!--- Instead of aaa new-model, the login local command may be used.
no aaa new-model
line vty 0 4
login local
Let me know how it works out!
Please don't forget to Rate and mark as correct the helpful Post!
David Castro,
Regards,

Remote access VPN with Cisco Router - Can not get the Internal Lan .

Dear Sir ,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .Please see the attachment for Scenario, Configuration and Ping status.
I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
Below is the IP address of the device.
Local PC connect with Router -2 (Through MS Loopback) Router -2 Router-1 PC -01
IP Address :10.10.10.2 Mask : 255.255.255.0 F0/01
IP address:10.10.10.1
Mask:255.255.255.0 F0/0
IP Address :20.20.20.1
Mask :255.255.255.0
F0/1
IP address :192.168.1.3
Mask:255.255.255.0
F0/0
IP address :20.20.20.2
Mask :255.255.255.0
F0/1
IP address :192.168.1.1
Mask:255.255.255.0
I can ping from local PC to the network 10.10.10.0 and 20.20.20.0 .Please find the attach file for ping status .So connectivity is ok from my local PC to Remote Router 1 and 2.
Through Cisco remote vpn client, I can get connected with the VPN Router R1 (Please see the VPN Client pic.)But cannot ping the network 192.168.1.0
Need your help to fix the problem.
Router R2 Configuration :!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R2
boot-start-marker
boot-end-marker
no aaa new-model
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
ip tcp synwait-time 5
interface FastEthernet0/0
ip address 20.20.20.2 255.255.255.0
duplex auto
speed auto
interface FastEthernet0/1
ip address 10.10.10.1 255.255.255.0
duplex auto
speed auto
ip forward-protocol nd
no ip http server
no ip http secure-server
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
login
end
Router R1 Configuration :
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1
boot-start-marker
boot-end-marker
aaa new-model
aaa authentication login USERAUTH local
aaa authorization network NETAUTHORIZE local
aaa session-id common
memory-size iomem 5
no ip icmp rate-limit unreachable
ip cef
no ip domain lookup
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
username vpnuser password 0 strongpassword
ip tcp synwait-time 5
crypto keyring vpnclientskey
pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp client configuration group remotevpn
key cisco123
dns 192.168.1.2
wins 192.168.1.2
domain mycompany.com
pool vpnpool
acl VPN-ACL
crypto isakmp profile remoteclients
description remote access vpn clients
keyring vpnclientskey
match identity group remotevpn
client authentication list USERAUTH
isakmp authorization list NETAUTHORIZE
client configuration address respond
crypto ipsec transform-set TRSET esp-3des esp-md5-hmac
crypto dynamic-map DYNMAP 10
set transform-set TRSET
set isakmp-profile remoteclients
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
interface FastEthernet0/0
ip address 20.20.20.1 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPNMAP
interface FastEthernet0/1
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpnpool 192.168.50.1 192.168.50.10
ip forward-protocol nd
ip route 10.10.10.0 255.255.255.0 FastEthernet0/0
no ip http server
no ip http secure-server
ip nat inside source list NAT-ACL interface FastEthernet0/0 overload
ip access-list extended NAT-ACL
deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended VPN-ACL
permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
control-plane
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
line vty 0 4
end

Dear All,
I am doing Remote Access VPN through Cisco Router. Before the real deployment, I want to simulate it with GNS3.Need you help to complete the job .
Please see the attachment for Scenario, Configuration and Ping status. I am getting IP address when i connect through VPN client .But I can not ping to the internal lan -192.168.1.0.Need your help to sole the issue.
Waiting for your responce .
--Milon

Site-to-Site VPN between Cisco ASA 5505 (8.4) and Cisco Router (IOS 15.2)

Hi, I'm trying to create Site-to-Site VPN between Cisco ASA 5505 and Cisco Router 3945.
I've tried create configuration with and without ASA wizard, but anyway it doesn't work.
Please help me to find where is the issue.
I have two sites and would like to get access from 192.168.83.0 to 192.168.17.0
192.168.17.0 --- S1.S1.S1.S1 (IOS Router) ==================== S2.S2.S2.S2 (ASA 5505) --- 192.168.83.0
Here is my current configuration.
Thanks for your help.
IOS Configuration
version 15.2
crypto isakmp policy 1
encr aes 256
authentication pre-share
group 2
crypto isakmp key cisco address 198.0.183.225
crypto isakmp invalid-spi-recovery
crypto ipsec transform-set AES-SET esp-aes esp-sha-hmac
mode transport
crypto map static-map 1 ipsec-isakmp
set peer S2.S2.S2.S2
set transform-set AES-SET
set pfs group2
match address 100
interface GigabitEthernet0/0
ip address S1.S1.S1.S1 255.255.255.240
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map static-map
interface GigabitEthernet0/1
ip address 192.168.17.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
access-list 100 permit ip 192.168.17.0 0.0.0.255 192.168.83.0 0.0.0.255
ASA Configuration
ASA Version 8.4(3)
interface Ethernet0/0
switchport access vlan 2
interface Vlan1
nameif inside
security-level 100
ip address 192.168.83.1 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address S2.S2.S2.S2 255.255.255.248
ftp mode passive
same-security-traffic permit intra-interface
object network inside-network
subnet 192.168.83.0 255.255.255.0
object network datacenter
host S1.S1.S1.S1
object network datacenter-network
subnet 192.168.17.0 255.255.255.0
object network NETWORK_OBJ_192.168.83.0_24
subnet 192.168.83.0 255.255.255.0
access-list outside_access_in extended permit icmp any any echo-reply
access-list outside_access_in extended deny ip any any log
access-list outside_cryptomap extended permit ip 192.168.83.0 255.255.255.0 object datacenter-network
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
ip local pool vpn_pool 192.168.83.200-192.168.83.254 mask 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
nat (inside,outside) source dynamic inside-network interface
nat (inside,outside) source static inside-network inside-network destination static inside-network inside-network no-proxy-arp route-lookup
nat (inside,outside) source static inside-network inside-network destination static datacenter-network datacenter-network no-proxy-arp route-lookup
nat (inside,outside) source static NETWORK_OBJ_192.168.83.0_24 NETWORK_OBJ_192.168.83.0_24 destination static datacenter-network pdatacenter-network no-proxy-arp route-lookup
access-group outside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 DEFAULT_GATEWAY 1
crypto ipsec ikev1 transform-set vpn-transform-set esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set vpn-transform-set mode transport
crypto ipsec ikev1 transform-set L2L_SET esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set L2L_SET mode transport
crypto dynamic-map dyno 10 set ikev1 transform-set vpn-transform-set
crypto map vpn 1 match address outside_cryptomap
crypto map vpn 1 set pfs
crypto map vpn 1 set peer S1.S1.S1.S1
crypto map vpn 1 set ikev1 transform-set L2L_SET
crypto map vpn 20 ipsec-isakmp dynamic dyno
crypto map vpn interface outside
crypto isakmp nat-traversal 3600
crypto ikev1 enable outside
crypto ikev1 policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
group-policy GroupPolicy_S1.S1.S1.S1 internal
group-policy GroupPolicy_S1.S1.S1.S1 attributes
vpn-tunnel-protocol ikev1
group-policy remote_vpn_policy internal
group-policy remote_vpn_policy attributes
vpn-tunnel-protocol ikev1 l2tp-ipsec
username artem password 8xs7XK3To4s5WfTvtKAutA== nt-encrypted
username admin password rqiFSVJFung3fvFZ encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
address-pool vpn_pool
default-group-policy remote_vpn_policy
tunnel-group DefaultRAGroup ipsec-attributes
ikev1 pre-shared-key *****
tunnel-group DefaultRAGroup ppp-attributes
authentication ms-chap-v2
tunnel-group S1.S1.S1.S1 type ipsec-l2l
tunnel-group S1.S1.S1.S1 general-attributes
default-group-policy GroupPolicy_S1.S1.S1.S1
tunnel-group S1.S1.S1.S1 ipsec-attributes
ikev1 pre-shared-key *****
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:f55f10c19a0848edd2466d08744556eb
: end

Thanks for helping me again. I really appreciate.
I don't hve any NAT-exemptions in Cisco IOS Router. Transform-set I will change soon, but I've tried with tunnel mode and it didn't work.
Maybe NAT-exemptions is the issue. Can you advice me which exemptions should be in Cisco IOS Router?
Because on Cisco ASA I guess I have everything.
Here is show crypto session detail
router(config)#do show crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: GigabitEthernet0/0
Session status: DOWN
Peer: 198.0.183.225 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
IPSEC FLOW: permit ip 192.168.17.0/255.255.255.0 192.168.83.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Should I see something in crypto isakmp sa?
pp-border#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
IPv6 Crypto ISAKMP SA
Thanks again for your help.

TS2709 I have AppleTV and Ipad2 running VJay app to my TV over a private cisco router disabled firewall but I keep loosing the video on my TV after a few minutes what can I do?

I have AppleTV and Ipad2 running VJay app to my TV over a private cisco router disabled firewall but I keep loosing the video on my TV after a few minutes what can I do?

I also get this problem on my iPad, so probably not related to the AppleTV. On the iPad I restarted Airport Extreme this time, and then the iPad saw my Home Sharing.
So to recap, restarting the router or Airport Express allowed the iPad and AppleTV to see Home Sharing. Restarting AppleTV also allows AppleTV to see Home Sharing.
So does anyone have any idea?
Thanks

How to configure one dsl connection and one public ip in cisco router and map to one interface for using exchange server

how to configure one dsl connection and one public ip in cisco router and map to one interface for using exchange server

Hi ,
Have you got any additional public IP Address from your service provider , If yes on router you can have static route for those additional IP Address pointing to your ASA outside interface .
Accordingly you can configure NAT
HTH
Sandy .

Cisco router T1 gw voip Radius Radiator

Similar Messages

Maybe you are looking for