Configure VPN Server Cisco 877W

Similar Messages

• How to configure VPN with Cisco ASA 5505 behind Actiontec MI424WR

  I'm trying to test my Cisco VPN client from my workplace to my home where I have a Cisco ASA 5505 (VPN server) behind the Actiontec MI424WR.  I'm able to Ping the Actiontec external IP.  I also have Port Forwarding for IKE and IPSec configured on the Actiontec, but I cannot establish the VPN connection.
  What do I need to configure on the Actiontec to make this work?
  Also, when I test this at home, the MI424WR acts as the DHCP server for my laptop and the Cisco outside interface.  At home, I'm able to establish the VPN connection from my laptop to the ASA, allowing me to see a shared drive behind the ASA.  However, at home, I cannot go to the Internet while using the VPN client.
  Thanks for any help.
  Steve
  Solved!
  Go to Solution.

  http://www.dslreports.com/faq/verizonfios/3.0_Networking
  those are the best sample config's and resources on how to set the FiOS network
  Bridging is possible but difficult.  That link will give you great info on it.
  Are you a FiOS customer that has phone/internet/tv
  or no tv?   or no phone?    You have to be careful on your configuration or you might lose some TV features and functionality, like the Interactive Program Guide, or the VOD or the Widgets.
  Sorry the Portforwarding wasn't enough to resolve your issue, I am not sure that it's a Actiontec config you are looking for, from my understanding of Cisco's and FiOS it may be something behind the cisco that is causing an issue.  You may want to reach out to the Cisco admin that manages that, and find out if there are additional ports that are required and then you can come back and configure those ports too.

• Do I have to configure DNS server before configuring VPN server?

  Hi,
  In my journey to get this mac os X server to actually work...
  Do I need to configure DNS server on Mac OS X server first before setting up VPN or ICHAT server?
  Or, it seems that I can use my D-Link Gaming router as a DNS server.
  I think I'm most confused with which numbers to enter as my DNS... is it the local IP of my mac mini being used as the server (192.168.0.1) or is it the IP address assigned to my cabel modem?
  There are so many posts on this, I am feeling lost.... has anyone found a really great step by step that explains how to do this?
  thanks
  Ethan-

  Ethan,
  My experience is that it is absolutely necessary to have an external DNS server setup correctly BEFORE you even start installing your OS X Server, so why not keep it. Still, once you have set up OS X Server, you can also use its own DNS server, but be VERY careful to set it up correctly. DNS mistakes, especially the ones regarding server's own IP addresses, are usually not forgiven by OS X Server. Many of us here have learned that the hard way. As for me, I prefer to have a dedicated DNS.
  Best regards,
  Andrus

• Problems w/ VPN Server & Cisco VPN Client on same machine

  I really wish that I read about how the developer of the program iVPN no longer supports his work BEFORE I paid for it. It's a great, simple, GUI frontend to the existing Leopard VPN server built in to regular (non-server) OSX...
  Anyway, on my Mac that stays @ home:
  (1) - I have the iVPN server set up & running to allow me to connect (from my iphone or another computer on the road) to my Mac @ home using L2TP.
  (2) - When I'm @ home and need to connect to my company's network, I need to use the Cisco VPN Client (which uses IPSec etc).
  So, I found out that when I need to use my Mac to connect to work, I first have to open up the iVPN server to click "Stop Server" (which has me enter my password twice sometimes). Now I close iVPN until I'm done, then open up Activity Monitor for the purpose of finding the still-running process "racoon". I realized this not because it's published info, but because if I don't do this, and try to connect to work using the Cisco VPN Client, it simply will not connect. So, I quit the process "racoon" (which also has me enter my password because it's running as root yada yada). NOW, I can load Cisco VPN Client and successfully connect to my company's network. When I'm finished here, I disconnect the C.V.C., then reopen iVPN Server and restart my server (enter password again).
  Is there any way I can make the process "racoon" quit automatically when I turn off the iVPN server? I'd email the developer but I guess that's a lost cause now. It's a shame because he did a fabulous job making iVPN & gave the less computer-networking-literate-user the ability to create their own VPN server without using Terminal.
  I thought about the possibility of using iVPN to create a PPTP connection instead of L2TP - thinking that would allow me to keep my iVPN PPTP server running at all times, even when I wanted to use the CVC to connect OUT to work - but:
  (1) - I would like the increased security of L2TP.
  (2) - When I tried running a PPTP server, and connecting to it from iPhone or other computer, I was NOT able to access the other devices on my network, or the internet. I couldn't even open up a webpage to check whatismyip.com (while sending all traffic over VPN). And yes, the IP Address Range that I have iVPN handing out is within my normal home network's range.
  My end goal for all of this when using my Mac is to be able to leave my iVPN server running at all times, while still being able to run the Cisco VPN CLIENT to connect to my company's network.
  Or, at least not having to open up Activity Monitor to quit the process racoon... let alone having to enter my password 3 times after opening up iVPN, again to stop the server, again to quit the process racoon. Then a forth when I'm all done and need to start the iVPN server again.
  Am I going about this the wrong way? Is there an easier way to accomplish these secure connections? There is a slight possibility of me upgrading and running a dedicated Mac Mini server of some sort perhaps with the real OSX Server. But not right now. I think I'm over complicating this. I mean, my needs are pretty simple:
  (1) - Need to connect TO my Mac from IPhone / someone else's Mac or PC for: VNC over SSH, SSH/SFTP file level access, in the future shared network volumes (time capsule). I'd use Back To My Mac for all of this but I don't always connect FROM a Mac.
  (2) - Need to connect FROM my Mac to work VPN for: VNC to my work PC to access our company's Windows-only program (dual booting into boot camp or using a virtual machine is out of the question), using Mocha for AS400 access, thinking about using file sharing on work PC but not needed so far.
  So it's really just VNC and sometimes SFTP. The "S" being important to me. That's why I don't like the idea of doing away with my iVPN server and just forwarding the outside ports. I use the Vine VNC Server which when checked, only allows access over SSH. The only other remote-logins are used from my iphone using an app called BriefCase (SSH to browse files on remote machine), or using an SFTP client on a computer.
  Thank you for reading all of this, and in advance for any insight you can offer.

  If the two servers need the same ports, then hosting two different VPN packages on the same box usually won't work.
  A firewall-based VPN service can be an option; that external box can deal with NAT and routing and other such and can field incoming or LAN-to-LAN VPNs, and your internal Mac boxes located "behind" that box can be free to initiate outbound VPNs.

• Help with configuration vpn server on mac os

  Does anyone know a step by step way to configurtae a vpn server on the normal snowleopard
  i tried ivpn but i cannot connect to the L2TP vpn server ( i configurated it as described )
  does anyone has a solution to try out ivpn
  or is there any alternativ way for ivpn

  Does anyone know a step by step way to configurtae a vpn server on the normal snowleopard
  i tried ivpn but i cannot connect to the L2TP vpn server ( i configurated it as described )
  does anyone has a solution to try out ivpn
  or is there any alternativ way for ivpn

• Configuring wireless on cisco 877w router

  Hi all
  I have a Cisco 877W wireless/ADSL router and having great difficulty with configuring wireless on this router. Here is a quick summary.
  1. The ADSL is configured to obtain public IP from the ISP
  2. Default interface vlan 1 is configured with an IP address
  3. I went into vlan database, tried to configure multi vlans and the router prompted me that it can only have max 2 vlans. Hence what's the use of up to 16 different SSID using wireless?
  4. I've setup DHCP scope on the router to give out IP address to clients (both wireless and wired)
  5. I'm able to configure WPA-PSK on the router and was able to connect wirelessly to the router but I won't be able to obtain an IP address from the router
  6. There are two scenarios that I'd like to do:
  A. Setup wireless to connect to the same subnet as what's on vlan1
  B. Setup wireless to connect to a different subnet to vlan1
  For the life of me, I could not find docs on Cisco web site that shows me how to exactly this. I found some documents that use interface F0 as a trunk port and treat the interface Dot11Radio0 with sub-interfaces. I don't connect this router to a switch (standalone router) so how can I do this? Please point me to some docs.
  Thanks in advance for your help.

  My configuration works for wireless no authentication, but failed for WPA-PSK:
  ip dhcp excluded-address 172.16.250.1
  ip dhcp pool TEST
  import all
  network 172.16.250.0 255.255.255.0
  default-router 172.16.250.1
  bridge irb
  interface FastEthernet4
  description $ES_WAN$
  ip address dhcp client-id FastEthernet4
  ip nat outside
  ip virtual-reassembly
  duplex auto
  speed auto
  interface Dot11Radio0
  no ip address
  ssid 111
  vlan 1
  authentication open
  authentication key-management wpa
  wpa-psk ascii 0 Cisco1234
  speed basic-1.0 2.0 5.5 6.0 9.0 11.0 12.0 18.0 24.0 36.0 48.0 54.0
  station-role root
  interface Dot11Radio0.1
  encapsulation dot1Q 1 native
  no cdp enable
  bridge-group 1
  bridge-group 1 subscriber-loop-control
  bridge-group 1 spanning-disabled
  bridge-group 1 block-unknown-source
  no bridge-group 1 source-learning
  no bridge-group 1 unicast-flooding
  interface Vlan1
  no ip address
  bridge-group 1
  bridge-group 1 spanning-disabled
  interface BVI1
  ip address 172.16.250.1 255.255.255.0
  ip nat inside
  ip virtual-reassembly
  After I configured the same wpa-psk key on the XP computer using windows zero configuration and tried to connect to the wireless work, I got the following errors on the router:
  *Mar 1 03:00:51.623: *** Not encrypted dot1x packet from 000c.f123.25cf has been discarded
  *Mar 1 03:00:52.623: %DOT11-7-AUTH_FAILED: Station 000c.f123.25cf Authentication failed
  What could be wrong? Thanks!

• How setup SPA525 vpn client?How configuration Cisco VPN server?

  Hi all,
  How setup SPA525 vpn?
  How configuration Cisco VPN server for SPA525?
  Regards
  John

  Hi John,
  Do you want to setup the SPA525 on the UC300?  If so the UC300 does not support any VPN or remote users.  If you need configuration help with the UC5XX just let me know.
  Thank you,
  Jason Nickle

• VPN client connect to CISCO 887 VPN Server bat they stop at router!!

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.5.2/24)
  |
  |
  CISCO-887 (192.168.5.4) with VPN server
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on xp machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
  They can ping only router!!!
  They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Peraps ACL problem?
  Building configuration...
  Current configuration : 5019 bytes
  ! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname gate
  boot-start-marker
  boot-end-marker
  no logging buffered
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki token default removal timeout 0
  crypto pki trustpoint TP-self-signed-453216506
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-453216506
  revocation-check none
  rsakeypair TP-self-signed-453216506
  crypto pki certificate chain TP-self-signed-453216506
  certificate self-signed 01
          quit
  ip name-server 212.216.112.222
  ip cef
  no ipv6 cef
  password encryption aes
  license udi pid CISCO887VA-K9 sn ********
  username adm privilege 15 secret 5 *****************
  username user1 secret 5 ******************
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key 6 *********\*******
  dns 192.168.5.2
  wins 192.168.5.2
  domain domain.local
  pool SDM_POOL_1
  save-password
  crypto isakmp profile ciscocp-ike-profile-1
     match identity group EXTERNALS
     client authentication list ciscocp_vpn_xauth_ml_2
     isakmp authorization list ciscocp_vpn_group_ml_2
     client configuration address respond
     virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Loopback0
  ip address 10.10.10.10 255.255.255.0
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  interface ATM0.1 point-to-point
  pvc 8/35
    encapsulation aal5snap
    protocol ppp dialer
    dialer pool-member 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip unnumbered Dialer0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.5.4 255.255.255.0
  no ip redirects
  no ip unreachables
  no ip proxy-arp
  ip nat inside
  ip virtual-reassembly in
  interface Dialer0
  ip address negotiated
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ******@*******.****
  ppp chap password 0 alicenewag
  ppp pap sent-username ******@*******.**** password 0 *********
  ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 1 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 1 remark INSIDE_IF=Vlan1
  access-list 1 remark CCP_ACL Category=2
  access-list 1 permit 192.168.5.0 0.0.0.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 permit ip 192.168.5.0 0.0.0.255 any
  dialer-list 1 protocol ip permit
  line con 0
  line aux 0
  line vty 0 4
  transport input all
  end

  Hello,
  Your pool of VPN addresses is overlapping with the interface vlan1.
  Since proxy-arp is disabled on that interface, it will never work
  2 solutions
  1- Pool uses a different network than 192.168.5
  2- Enable ip proxy-arp on interface vlan1
  Cheers,
  Olivier

• VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN

  Hi
  my scenario is as follows
  SERVER1 on lan (192.168.1.4)
  |
  |
  CISCO-887 (192.168.1.254)
  |
  |
  INTERNET
  |
  |
  VPN Cisco client on windows 7 machine
  My connection have public ip address assegned by ISP, after ppp login.
  I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
  All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
  But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
  I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
  What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
  Perhaps ACL problem?
  Building configuration...
  Current configuration : 4921 bytes
  ! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
  version 15.2
  no service pad
  service timestamps debug datetime msec
  service timestamps log datetime msec
  no service password-encryption
  hostname TestLab
  boot-start-marker
  boot-end-marker
  enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  aaa new-model
  aaa authentication login default local
  aaa authentication login ciscocp_vpn_xauth_ml_1 local
  aaa authentication login ciscocp_vpn_xauth_ml_2 local
  aaa authorization exec default local
  aaa authorization network ciscocp_vpn_group_ml_1 local
  aaa authorization network ciscocp_vpn_group_ml_2 local
  aaa session-id common
  memory-size iomem 10
  crypto pki trustpoint TP-self-signed-3013130599
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-3013130599
  revocation-check none
  rsakeypair TP-self-signed-3013130599
  crypto pki certificate chain TP-self-signed-3013130599
  certificate self-signed 01
  3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
  35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
  33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
  9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
  8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
  C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
  AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
  551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
  03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
  2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
  AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
  B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
  B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
  CBB28E7A E91A090D 53DAD1A0 3F66A3
  quit
  no ip domain lookup
  ip cef
  no ipv6 cef
  license udi pid CISCO887VA-K9 sn ***********
  username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
  username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
  controller VDSL 0
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp client configuration group EXTERNALS
  key NetasTest
  dns 8.8.4.4
  pool VPN-Pool
  acl 120
  crypto isakmp profile ciscocp-ike-profile-1
  match identity group EXTERNALS
  client authentication list ciscocp_vpn_xauth_ml_2
  isakmp authorization list ciscocp_vpn_group_ml_2
  client configuration address respond
  virtual-template 1
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
  mode tunnel
  crypto ipsec profile CiscoCP_Profile1
  set transform-set ESP-3DES-SHA1
  set isakmp-profile ciscocp-ike-profile-1
  interface Ethernet0
  no ip address
  shutdown
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  hold-queue 224 in
  pvc 8/35
  pppoe-client dial-pool-number 1
  interface FastEthernet0
  no ip address
  interface FastEthernet1
  no ip address
  interface FastEthernet2
  no ip address
  interface FastEthernet3
  no ip address
  interface Virtual-Template1 type tunnel
  ip address 192.168.2.1 255.255.255.0
  tunnel mode ipsec ipv4
  tunnel protection ipsec profile CiscoCP_Profile1
  interface Vlan1
  ip address 192.168.1.254 255.255.255.0
  ip nat inside
  ip virtual-reassembly in
  ip tcp adjust-mss 1452
  interface Dialer0
  ip address negotiated
  ip mtu 1452
  ip nat outside
  ip virtual-reassembly in
  encapsulation ppp
  dialer pool 1
  dialer-group 1
  ppp authentication chap pap callin
  ppp chap hostname ****
  ppp chap password 0 *********
  ppp pap sent-username ****** password 0 *******
  no cdp enable
  ip local pool VPN-Pool 192.168.2.210 192.168.2.215
  ip forward-protocol nd
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list 100 interface Dialer0 overload
  ip route 0.0.0.0 0.0.0.0 Dialer0
  access-list 100 remark
  access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  access-list 100 remark
  access-list 100 permit ip 192.168.1.0 0.0.0.255 any
  access-list 120 remark
  access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
  line con 0
  exec-timeout 5 30
  password ******
  no modem enable
  line aux 0
  line vty 0 4
  password ******
  transport input all
  end
  Best Regards,

  I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin  and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
  router#sh crypto session detail 
  Crypto session current status
  Code: C - IKE Configuration mode, D - Dead Peer Detection     
  K - Keepalives, N - NAT-traversal, T - cTCP encapsulation     
  X - IKE Extended Authentication, F - IKE Fragmentation
  Interface: Dialer0
  Uptime: 00:40:37
  Session status: UP-ACTIVE     
  Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
        Phase1_id: 192.168.1.100
        Desc: (none)
    IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active 
            Capabilities:(none) connid:2001 lifetime:07:19:22
    IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0 
          Active SAs: 4, origin: dynamic crypto map
          Inbound:  #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
          Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162

• Cisco VPN server internal connection

  I have a cisco 1841 router which I use as VPN server. This is the configuration:
  Cisco#show running-config Building configuration...Current configuration : 6382 bytes!version 15.1service tcp-keepalives-inservice tcp-keepalives-outservice timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname Cisco!boot-start-markerboot-end-marker!!enable secret 5 $1$Xg19$MKt1eIm4yrmDwcYn1z0x2/enable password qwerty!aaa new-model!!aaa authentication login default localaaa authentication login ciscocp_vpn_xauth_ml_1 localaaa authorization exec default local aaa authorization network ciscocp_vpn_group_ml_1 local !         !!         !!         aaa session-id common!         dot11 syslogip source-route!!         !!         !ip cef    no ipv6 cef!         multilink bundle-name authenticated!         crypto pki token default removal timeout 0!         crypto pki trustpoint TP-self-signed-947112914 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-947242914 revocation-check none rsakeypair TP-self-signed-947182914!         !crypto pki certificate chain TP-self-signed-947142914 certificate self-signed 01  3082023B 308201A4 A0030201 02020101 300D0609 2A874886 F70D1101 04050030   30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274   69666963 6174652D 39343731 34325931 34301E17 0D313131 31323532 30353931   325A170D 32303031 30313030 30303030 5A303031 2E302C06 03559403 1325444F   532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3934 37313432   39313430 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100   B4C6CC16 5EA2210F D4A0234B 90D9E29C E1132F0D 491CC9BC F513EF57 A5986C31   C03BC061 B3B4E103 0005F992 A7CA2605 8C46FCB2 C22AAC4B 739D1DC2 49EA3883   253D553C A1E7BD3A 26D49347 86414B11 5C03F4E6 A4BD5306 CD857F99 0A567B85   FD639414 C2E25161 74A52A7B 32753F25 AE8FDC73 EC859EEC D8A1C9C4 D8A50EED   02030100 01A36530 63300F06 03551D13 0101FF04 05300301 01FF3010 0603551D   11040930 07820543 6973636F 301F0603 551D2304 18301680 14414AD6 2A674283   54CC008C A6B81E1D 7A3B09A4 8C301D06 03551D0E 04160414 414AD62A 67428354   CC008CA6 B81E1D7A 3B09A48C 300D0609 2A864886 F70D0101 04050003 8181007B   00264BAE A55C3CB0 20F83B46 A047F400 3B5748CA D8C64A49 5484FE1E 7588949F   A8E5EBAE BE5FAD22 0C89FC92 671E0BB6 1155EB76 21E72F07 68F76AE3 2F0CB2C6   EC26A8C1 C3EA1300 CE284F9B 3E3F6BB9 7807CF63 8154BC4B AD33392E 68347E0B   F78AE625 818C3A4E 6E0302D8 26DF4890 08E42063 37BF9026 BF4E251D A86EEA        quit!!         license udi pid CISCO1841 sn FCZ150218ACusername root privilege 15 password 0 qwertyusername admin secret 5 $1$78MV2Yc72fwt5PoEm.eK33PlKw1username test privilege 15 password 0 test_123!redundancy!!         ! crypto ctcp keepalive 6crypto ctcp port 443 !         crypto isakmp policy 1 encr 3des hash md5 authentication pre-share group 2crypto isakmp keepalive 10 10 periodiccrypto isakmp nat keepalive 20!         crypto isakmp client configuration group cisco key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_client include-local-lan max-users 1000 netmask 255.255.255.0!crypto isakmp client configuration group server_1 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_1 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_2 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_2 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_3 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_3 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_4 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_4 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_5 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_5 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_6 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_6 include-local-lan netmask 255.255.255.0!crypto isakmp client configuration group server_7 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_7 save-password include-local-lan netmask 255.255.255.0!         crypto isakmp client configuration group server_8 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_8 include-local-lan netmask 255.255.255.0!         crypto isakmp client configuration group server_9 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_9 include-local-lan netmask 255.255.255.0!         crypto isakmp client configuration group server_10 key qwerty dns 8.8.8.8 domain cisco.com pool SDM_POOL_server_10 include-local-lan netmask 255.255.255.0!         crypto ipsec security-association lifetime seconds 86400crypto ipsec security-association idle-time 86400!crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac !crypto dynamic-map SDM_DYNMAP_1 1 set transform-set ESP-3DES-SHA reverse-route!!         crypto map SDM_CMAP_1 local-address FastEthernet0/0crypto map SDM_CMAP_1 client authentication list ciscocp_vpn_xauth_ml_1crypto map SDM_CMAP_1 isakmp authorization list ciscocp_vpn_group_ml_1crypto map SDM_CMAP_1 client configuration address respondcrypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 !         !!         !!         interface Loopback0 ip address 172.16.0.1 255.255.255.255!interface FastEthernet0/0 ip address 192.168.1.130 255.255.255.0 ip flow ingress speed auto full-duplex no mop enabled crypto map SDM_CMAP_1!interface FastEthernet0/1 no ip address shutdown speed auto full-duplex no mop enabled!         ip local pool SDM_POOL_client 10.10.10.51 10.10.10.190ip local pool SDM_POOL_server_1 10.10.10.1ip local pool SDM_POOL_server_2 10.10.10.2ip local pool SDM_POOL_server_3 10.10.10.3ip local pool SDM_POOL_server_4 10.10.10.4ip local pool SDM_POOL_server_5 10.10.10.5ip local pool SDM_POOL_server_6 10.10.10.6ip local pool SDM_POOL_server_7 10.10.10.7ip local pool SDM_POOL_server_8 10.10.10.8ip local pool SDM_POOL_server_9 10.10.10.9ip local pool SDM_POOL_server_10 10.10.10.10ip forward-protocol ndip http serverip http authentication localip http secure-server!         !ip route 0.0.0.0 0.0.0.0 192.168.1.1!logging esm configaccess-list 100 remark CCP_ACL Category=4access-list 100 permit ip 10.10.0.0 0.0.255.255 any!!         !!         !!         !!         control-plane!         !!         line con 0line aux 0line vty 0 4 password qwerty transport input telnet ssh!         scheduler allocate 20000 1000end       Cisco#
  I have a VPN clients which can connect to the VPN server and communicate  each other. I want to connect dedicated server to port FE 0/1 and all  VPN clients to be able to see and communicate with the server. How I can  connect the two networks?

  Ideally, VPN connectivity is tested from devices behind the endpoint devices that do the encryption, yet many users test VPN connectivity with the ping command on the devices that do the encryption. While the ping generally works for this purpose, it is important to source your ping from the correct interface. If the ping is sourced incorrectly, it can appear that the VPN connection has failed when it really works. If ping works continuously then the problem can be that the xauth times out. Increase the timeout value for AAA server in order to resolve this issue.
  For further information about troubleshoot the VPN connectivity click this link.
  http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml#solunf

• Cisco 871W eZVPN is unable to connect Cisco PIX vpn server

  crypto ipsec client ezvpn TEST
  connect auto
  group Cisco key cisco123
  mode client
  peer 172.1.1.1
  xauth userid mode interfactive
  interface FastEthernet4
  ip address 10.1.1.1 255.255.255.0
  ip access-group 101 in
  ip nat outside
  crypto ipsec client ezvpn TEST
  Internet Vlan1
  ip address 192.168.1.1 255.255.255.0
  ip access-group 100 out
  ip nat inside
  crypto ipsec client ezvpn TEST inside
  ip route 0.0.0.0. 0.0.0.0 192.168.1.254
  ip nat inside source route-map EzVPN1 interface FastEthernet4 overload
  access-list 100 permit ip any any
  access-list 101 permit ip any any
  access-list 103 permit ip 192.168.1.0 0.0.0.255 any
  route-map EzVPN1 permit 1
  match ip address 103
  These are the following commands I applied in my Router, It is able to connect but unable to access any other servers. The same user name & password I tried with the VPN dialer it works on my Laptop. Anything I am missing on the router configuration. The VPN server is Cisco PIX 515E.
  Cisco IOS on 871W is 12.3(8)Y12

  1) Isn't your default route supposed to be pointing towards the external interface?
  ip route 0.0.0.0. 0.0.0.0 192.168.1.254 ?
  2) Can you change the 'mode client' to 'mode network-extension'. Also the PIX will need 'nem enable'.
  Have a look at the following (I'm assuming you already have as your config seems to be similar):
  http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080809222.shtml
  For old 6.x code on PIX, have a look at:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a0080241a0d.shtml
  Regards
  Farrukh

• Cisco 28xx easy vpn server & MS NPS (RADIUS server)

  Здравстуйте.
  Имеется LAN (192.168.11.0/24) с граничным роутером cisco 2821 (192.168.11.1), на котором настроен Easy VPN Server с локальной авторизацией удаленных пользователей, использующих для подключения Cisco VPN Client v 5.0. Все работает. В той же LAN имеется MS Windows Server 2012 Essensial в качестве DC AD.
  Возникла необходимость перенести авторизацию удаленных пользователей на RADIUS сервер. В качестве RADIUS сервера хочется использовать MS Network Policy Server (NPS) 2012 Essensial (192.168.11.9).
  На сервере поднята соответствующая политика, NPS сервер зарегистрирован в AD, создан RADIUS-клиент (192.168.11.1), настроена Сетевая политика. В AD создана группа VPN-USERS, в которую помимо удаленных пользователей добавлен служебный пользователь EasyVPN с паролем "cisco".
  Ниже выдежка из сонфига cisco 2821:
  aaa new-model
  aaa authentication login rausrs local
  aaa authentication login VPN-XAUTH group radius
  aaa authorization network ragrps local
  aaa authorization network VPN-GROUP local
  aaa session-id common
  crypto isakmp policy 10
  encr aes 256
  authentication pre-share
  group 2
  crypto isakmp client configuration address-pool local RAPOOL
  crypto isakmp client configuration group ra1grp
  key key-for-remote-access
  domain domain.local
  pool RAPOOL
  acl split-acl
  split-dns 192.168.11.9
  crypto isakmp client configuration group EasyVPN
  key qwerty123456
  domain domain.local
  pool RAPOOL
  acl split-acl
  split-dns 192.168.11.9
  crypto isakmp profile RA-profile
     description profile for remote access VPN
     match identity group ra1grp
     client authentication list rausrs
     isakmp authorization list ragrps
     client configuration address respond
  crypto isakmp profile VPN-IKMP-PROFILE
     description profile for remote access VPN via RADIUS
     match identity group EasyVPN
     client authentication list VPN-XAUTH
     isakmp authorization list VPN-GROUP
     client configuration address respond
  crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
  crypto dynamic-map dyn-cmap 100
  set transform-set tset1
  set isakmp-profile RA-profile
  reverse-route
  crypto dynamic-map dyn-cmap 101
  set transform-set tset1
  set isakmp-profile VPN-IKMP-PROFILE
  reverse-route
  crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
  int Gi0/1
  descrition -- to WAN --
  crypto map stat-cmap
  В результате на cisco вылезает следующая ошибка (выделено жирным):
  RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
  RADIUS:  AAA Unsupported Attr: interface         [157] 14
  RADIUS:   31 39 34 2E 38 38 2E 31 33 39 2E 31              [194.88.139.1]
  RADIUS(000089E0): Config NAS IP: 192.168.11.1
  RADIUS/ENCODE(000089E0): acct_session_id: 35296
  RADIUS(000089E0): sending
  RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
  RADIUS:  authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
  RADIUS:  User-Name           [1]   9   "EasyVPN"
  RADIUS:  User-Password       [2]   18  *
  RADIUS:  Calling-Station-Id  [31]  16  "aaa.bbb.ccc.137"
  RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
  RADIUS:  NAS-Port            [5]   6   1
  RADIUS:  NAS-Port-Id         [87]  16  "aaa.bbb.ccc.136"
  RADIUS:  Service-Type        [6]   6   Outbound                  [5]
  RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
  RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
  RADIUS:  authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
  RADIUS(000089E0): Received from id 1645/61
  MS NAS выдает ошибку 6273:
  Сервер сетевых политик отказал пользователю в доступе.
  За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
  Пользователь:
      ИД безопасности:            domain\VladimirK
      Имя учетной записи:            VladimirK
      Домен учетной записи:           domain
      Полное имя учетной записи:   domain.local/Users/VladimirK
  Компьютер клиента:
      ИД безопасности:            NULL SID
      Имя учетной записи:            -
      Полное имя учетной записи:    -
      Версия ОС:            -
      Идентификатор вызываемой станции:        -
      Идентификатор вызывающей станции:       aaa.bbb.ccc.137
  NAS:
      Адрес IPv4 NAS:        192.168.11.1
      Адрес IPv6 NAS:        -
      Идентификатор NAS:            -
      Тип порта NAS:            Виртуальная
      Порт NAS:            0
  RADIUS-клиент:
      Понятное имя клиента:        Cisco2821
      IP-адрес клиента:            192.168.11.1
  Сведения о проверке подлинности:
      Имя политики запроса на подключение:    Использовать проверку подлинности Windows для всех пользователей
      Имя сетевой политики:        Подключения к другим серверам доступа
      Поставщик проверки подлинности:        Windows
      Сервер проверки подлинности:        DC01.domain.local
      Тип проверки подлинности:        PAP
      Тип EAP:            -
      Идентификатор сеанса учетной записи:        -
      Результаты входа в систему:            Сведения об учетных данных были записаны в локальный файл журнала.
      Код причины:            66
      Причина:                Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
  Игры с Cisco AV Pairs и прочими параметрами настройки Сетевой политики на RADIUS выдают аналогичный результат.
  Штудирование "Network Policy Server Technical Reference" и "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" Document ID: 21060 ответа не дали.
  Если кто практиковал подобное, прошу дать направление для поиска решения.

  Going through your post, I could see that radius is sending access-reject because radius access-request is sending a vpn group name in the user name field. I was in a discussion of same problem few days before and that got resolved by making 2 changes.
  replace the authorization from radius to local
  and
  changing the encryption type in transform set
  However, in your configuration, your configuration already have those changes.
  Here you can check the same : https://supportforums.cisco.com/thread/2226065
  Could you please tell me what exactly radius server complaining? Can you please paste the error you're getting on the radius server.
  ~BR
  Jatin Katyal
  **Do rate helpful posts**

• Cisco 877w -Configuration of subinterfaces and main interface within the same bridge group is not permitted

  Hi,
  I have another problem - after upgrade ios wirelles connection not work.
  After reload i have :
  Configuration of subinterfaces and main interface
  within the same bridge group is not permitted
  STP: Unable to get the port parameters.
  Please configure the bridge group on this interface first.
  Please configure the bridge group on this interface first.
  Please configure the bridge group on this interface first.
  SETUP: new interface NVI0 placed in "shutdown" state
  my old configuration work propertly in the old software, but after update i have notificatio.
  Old thread:
  https://supportforums.cisco.com/discussion/12379491/cisco-877w-no-wireless-connection
  my current sh run:
  version 12.4 
  no service pad 
  service tcp-keepalives-in 
  service tcp-keepalives-out 
  service timestamps debug datetime msec localtime 
  service timestamps log datetime msec localtime 
  service password-encryption 
  hostname cisco 
  boot-start-marker 
  boot system flash:c870-advipservicesk9-mz.124-24.T6.bin 
  boot-end-marker 
  logging message-counter syslog 
  logging buffered 4096 informational 
  enable secret 5 $1$eCNp$rWuBfZ/cexnwnkm7L447s. 
  aaa new-model 
  aaa session-id common 
  dot11 syslog 
  dot11 ssid ciscowifi 
   vlan 1 
   authentication open 
   authentication key-management wpa 
   guest-mode 
   wpa-psk ascii 7 050D031D26595D0617 
  dot11 wpa handshake timeout 500 
  ip source-route 
  no ip dhcp use vrf connected 
  ip dhcp excluded-address 192.168.56.1 
  ip dhcp pool CLIENT 
     import all 
     network 192.168.56.0 255.255.255.0 
     default-router 192.168.56.1 
     dns-server 8.8.8.8 194.204.159.1 194.204.152.34 
     lease 0 2 
  ip cef 
  no ip domain lookup 
  no ipv6 cef 
  multilink bundle-name authenticated 
  username marek password 7 00121A0908500A 
  archive 
   log config 
    hidekeys 
  ip tcp path-mtu-discovery 
  bridge irb 
  interface ATM0 
   description Polaczenie ADSL do ISP$ES_WAN$ 
   no ip address 
   no atm ilmi-keepalive 
   pvc 0/35 
    encapsulation aal5mux ppp dialer 
    dialer pool-member 1 
   hold-queue 224 in 
  interface FastEthernet0 
   description Edzia 
  interface FastEthernet1 
   description dom 
  interface FastEthernet2 
   description Dziadek 
  interface FastEthernet3 
  interface Dot11Radio0 
   no ip address 
   no ip redirects 
   ip local-proxy-arp 
   ip nat inside 
   ip virtual-reassembly 
   no dot11 extension aironet 
   encryption vlan 1 mode ciphers tkip 
   encryption mode ciphers aes-ccm tkip 
   broadcast-key change 3600 
   ssid ciscowifi 
   speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0 
   station-role root 
   world-mode dot11d country AU indoor 
   no cdp enable 
   bridge-group 1 
   bridge-group 1 subscriber-loop-control 
   bridge-group 1 spanning-disabled 
   bridge-group 1 block-unknown-source 
   no bridge-group 1 source-learning 
   no bridge-group 1 unicast-flooding 
  interface Dot11Radio0.1 
   description ciscowifi 
   encapsulation dot1Q 1 native 
   no cdp enable 
  interface Vlan1 
   no ip address 
   bridge-group 1 
  interface Dialer0 
   description Interfejs dzwoniacy 
   ip address negotiated 
   ip nat outside 
   ip virtual-reassembly 
   encapsulation ppp 
   dialer pool 1 
   dialer-group 1 
   ppp chap hostname [email protected] 
   ppp chap password 7 xxxxxxxxxxxxxxxxxxxxxx 
  interface BVI1 
   description Polaczenie dla sieci LAN 
   ip address 192.168.56.1 255.255.255.0 
   ip nat inside 
   ip virtual-reassembly 
  no ip forward-protocol nd 
  ip route 0.0.0.0 0.0.0.0 Dialer0 
  no ip http server 
  no ip http secure-server 
  ip nat inside source list 100 interface Dialer0 overload 
  ip nat inside source static tcp 192.168.56.10 80 interface Dialer0 80 
  ip nat inside source static tcp 192.168.56.10 22 interface Dialer0 22 
  logging trap debugging 
  logging 192.168.56.10 
  access-list 100 permit ip 192.168.56.0 0.0.0.255 any 
  access-list 100 deny   ip any any 
  no cdp run 
  snmp-server community ciskacz RO 
  snmp-server chassis-id ciskacz 
  control-plane 
  bridge 1 protocol ieee 
  bridge 1 route ip 
  line con 0 
   no modem enable 
  line aux 0 
  line vty 0 4 
   exec-timeout 0 0 
   transport preferred ssh 
   transport input ssh 
  scheduler max-task-time 5000 
  end 
  please help - thanks!

  Hello Marek,
  I suppose you are not planning to do any kinds of advanced config using several VLANs and multiple SSIDs so let's just make your configuration simple and working.
  In short, you need to remove all references to VLAN 1 and to any subinterfaces possibly related to the VLAN 1. This means in particular (follow these steps in sequence):
  Remove the Dot11Radio0.1 subinterface entirely
  In the Dot11Radio0 section, remove the encryption vlan 1 mode ciphers tkip command
  In the dot11 ssid ciscowifi section, remove the vlan 1 command
  After performing these steps, make sure that the ssid ciscowifi and encryption mode commands are still present in the Dot11Radio0 configuration, and if not, reenter them.
  Best regards,
  Peter

• Cisco 3825 as a EZ VPN Server

  I have a Cisco 3825 setup as a EZ VPN Server. I can connect and authenticate to it but I can't pass traffic (at least that's what it seems like).
  My internal network is 192.168.111.x and my VPN pool is 10.13.0.x. I am succesfully assigned an IP from that pool when I authenticate with the Cisco client.
  Here is my Group part of my config with my domain name pulled out:
  crypto isakmp client configuration group SRC
  key "whatever"
  dns 192.168.111.221 192.168.111.220
  wins 192.168.111.221
  domain domain.com
  pool SDM_POOL_1
  acl 106
  split-dns domain.com
  netmask 255.255.255.0
  And here is my ACL:
  access-list 106 remark VPN ACL
  access-list 106 permit ip 192.168.111.0 0.0.0.255 any
  access-list 106 permit icmp any any
  Also, just in case it helps, the interface that I am terminating on is a loopback. My external interface has an IP that my ISP will not route so I NAT'd one of my public IP's to the Loopback.
  Please let me know if you need more info and I'll be happy to give it to you.
  I know I'm close, just one last thing to tweak. Thanks for all the help!

  I just found this link with a quick search:
  PIX/ASA 7.x: Allow Split Tunneling for VPN Clients on the ASA Configuration Example
  <http://www.cisco.com/en/US/customer/products/ps6120/prod_configuration_examples_list.html>
  Links for more examples:
  http://www.cisco.com/en/US/customer/products/ps6120/prod_configuration_examples_list.html
  Do you plan on using SSL VPN or Cisco IPSEC VPN Client? SSL VPN client can auto-deploy to any non-Vista Windows machine (does not yet support Vista to my knowledge). If remote users have Vista, you'll need to use VPN Client software installed on their machines. Also consider how you will do authentication...do you require two-factor, or pointing ASA to a Cisco Secure ACS server, or perhaps pointing to Windows Active Directory for authentication? Lots of possibilities...

• Still trying to configure a Cisco 877W router

  Hi,
  I am still unable to configure my Cisco 877W router for use on a B.T. ADSL phone line.
  I can log in to the router which starts up the SDM Express. I then select the wizard and get as far as filling in the DHCP server configuration.
  When I then press next it does not go to the next step, it just stays on the DHCP config screen. I am now using a Windows XP machine to configure the router  as someone suggested, but it continues to halt at the same place.
  Can anyone help please,
  Thanks.
  Dave.

  Hi. You may check out the topics in this link instead.