How to do IPsec site-to-site VPN port forwarding to a remote site?
Hi All,
The scenario: a site-to-site VPN tunnel has been established between Site A and Site B. The LAN on Site A can ping the LAN on Site B. My problem is that a printer behind Site B needs to be accessed by using the WAN IP address of Site A. Also, I could not ping the remote LAN or the printer from the router.
Below is my configuration on the Cisco 877 in Site A. Would you please advise a solution for that?
Building configuration...
Current configuration : 5425 bytes
! Last configuration change at 15:09:21 PCTime Fri Jun 15 2012 by admin01
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname Laverton
boot-start-marker
boot-end-marker
logging message-counter syslog
no logging buffered
aaa new-model
aaa authentication login default local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime 10
crypto pki trustpoint TP-self-signed-1119949081
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1119949081
revocation-check none
rsakeypair TP-self-signed-1119949081
crypto pki certificate chain TP-self-signed-1119949081
certificate self-signed 01
quit
dot11 syslog
ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.50
ip dhcp pool DHCP_LAN
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 61.9.134.49
lease infinite
ip cef
no ipv6 cef
multilink bundle-name authenticated
object-group network VPN
description ---Port Forward to vpn Turnnel---
host 192.168.2.99
username admin01 privilege 15 secret 5 $1$6pJE$ngWtGp051xpSXLAizsX6B.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key mypasswordkey address 0.0.0.0 0.0.0.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
match address 100
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
archive
log config
hidekeys
no ip ftp passive
interface ATM0
description ---Telstra ADSL---
no ip address
no atm ilmi-keepalive
pvc 8/35
tx-ring-limit 3
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
dsl operating-mode auto
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
switchport access vlan 10
shutdown
interface FastEthernet3
interface Vlan1
description ---Ethernet LAN---
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1420
interface Vlan10
ip dhcp relay information trusted
ip dhcp relay information check-reply none
no ip dhcp client request tftp-server-address
no ip dhcp client request netbios-nameserver
no ip dhcp client request vendor-specific
no ip dhcp client request static-route
ip address dhcp
ip nat outside
ip virtual-reassembly
interface Dialer0
description ---ADSL Detail---
ip address negotiated
ip mtu 1460
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip tcp adjust-mss 1420
dialer pool 1
dialer-group 1
ppp chap hostname [email protected]
ppp chap password 0 mypassword
crypto map SDM_CMAP_1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip dns server
ip nat inside source static tcp 192.168.2.99 80 interface Dialer0 8000
ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_2 interface Dialer0 overload
ip access-list extended NAT
remark CCP_ACL Category=16
remark IPSec Rule
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.2.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
match ip address NAT
route-map SDM_RMAP_2 permit 1
match ip address 101
control-plane
line con 0
no modem enable
line aux 0
line vty 0 4
transport input telnet ssh
scheduler max-task-time 5000
end
Your help would be very appreciated!
PS: I know it is easier if I configure Site A as the VPN server, but in our scenario we need to access the printer from the Internet over the static WAN IP of Site A.
Thanks,
Thai
Is there anyone who can help, please?
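As an added example (not from the original post and not router output), the following Python model replays the Site A configuration above for the two flows the poster cares about: a LAN A host reaching the printer, and an Internet client hitting Site A's WAN IP on port 8000. It applies the static NAT entries and then evaluates crypto ACL 100 against the post-NAT packet, which is the check that decides whether a packet enters the tunnel. It assumes the usual IOS order for outside-to-inside traffic (static NAT before routing and before the egress crypto map check); the WAN address 198.51.100.1 and the client address 203.0.113.5 are constructed stand-ins.

```python
"""Model of Site A's NAT + crypto map handling for the configuration in the post.

Assumption (not from the page): inbound packets on an 'ip nat outside' interface are
translated by static NAT first, then routed, then checked against the crypto map on
the egress interface. Addresses 198.51.100.1 and 203.0.113.5 are constructed samples.
"""
import ipaddress
from dataclasses import dataclass, replace


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard mask semantics: a 0 bit must match, a 1 bit is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    return (a & ~w & 0xFFFFFFFF) == (n & ~w & 0xFFFFFFFF)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
# (the ACL referenced by 'match address 100' in SDM_DYNMAP_1)
CRYPTO_ACL_100 = [("192.168.1.0", "0.0.0.255", "192.168.2.0", "0.0.0.255")]

# ip nat inside source static tcp 192.168.2.99 80   interface Dialer0 8000
# ip nat inside source static tcp 192.168.2.99 9100 interface Dialer0 9100
WAN_IP = "198.51.100.1"  # constructed stand-in for Dialer0's negotiated address
STATIC_NAT = {
    (WAN_IP, 8000): ("192.168.2.99", 80),
    (WAN_IP, 9100): ("192.168.2.99", 9100),
}


def crypto_acl_permits(pkt: Packet) -> bool:
    """True when the packet's src/dst pair is selected for encryption by ACL 100."""
    return any(
        wildcard_match(pkt.src, s, sw) and wildcard_match(pkt.dst, d, dw)
        for s, sw, d, dw in CRYPTO_ACL_100
    )


def inbound_from_internet(pkt: Packet) -> dict:
    """Packet arriving on Dialer0 ('ip nat outside') from an Internet client."""
    target = STATIC_NAT.get((pkt.dst, pkt.dport))
    if target is None:
        return {"translated": None, "decision": "no static NAT entry"}
    translated = replace(pkt, dst=target[0], dport=target[1])
    # 'ip route 0.0.0.0 0.0.0.0 Dialer0': 192.168.2.0/24 is only reachable via the
    # default route, i.e. back out of Dialer0, where crypto map SDM_CMAP_1 is applied.
    # The crypto ACL sees the *translated* packet, whose source is still the Internet
    # client, so it does not match 192.168.1.0/24 -> 192.168.2.0/24.
    if crypto_acl_permits(translated):
        return {"translated": translated, "decision": "encrypted into tunnel"}
    return {"translated": translated, "decision": "sent in clear via default route"}


def outbound_from_lan(pkt: Packet) -> dict:
    """Packet from a Site A LAN host (Vlan1, 'ip nat inside') leaving via Dialer0."""
    # The NAT ACL entry 'deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255' keeps
    # LAN-to-LAN traffic untranslated, so the crypto ACL sees the original addresses.
    if crypto_acl_permits(pkt):
        return {"decision": "encrypted into tunnel"}
    return {"decision": "PAT to WAN IP, sent to Internet"}


if __name__ == "__main__":
    lan = outbound_from_lan(Packet("192.168.1.20", "192.168.2.99", 80))
    print("LAN A host -> printer:", lan["decision"])
    inet = inbound_from_internet(Packet("203.0.113.5", WAN_IP, 8000))
    print("Internet -> WAN:8000 becomes", inet["translated"], "->", inet["decision"])
```

The model shows why LAN-to-LAN traffic works while the forwarded flow never enters the tunnel: after translation the source address is the Internet client's, which crypto ACL 100 does not cover.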
Similar Messages
VPN: Port-forwarding OK but Nothing Talking
I've set up several 10.3 & 10.4 VPN services but this one has me puzzled...
10.4.2 Server (does it just need updating?)
Internal ip only (no firewall on server) with router forwarding UDP 1701, 500 & 4500 (for L2TP).
When attempting to form the VPN with remote (wan side) Internet Connect client, there is no connection showing in vpnd.log (set to verbose logging) and no connection showing on Internet Connect log. It's like the port forwarding is not taking place. However...
If I run a port scan from remote machine, on UDP 1701, 500 & 4500, this traffic shows up on a TCPDump session running on the server.
Attempting to form the VPN, however, shows NO traffic with TCPDump.
The IP address of the server, in Internet Connect, is correct (same as the one used during port scanning). The VPN client is able to connect to several other servers OK.
Any ideas?
Ta.
-david
Server 10.4.81. What kind of router are you using?
Corega router at server side and Netgear DG834G on client side (with ethernet cable, not wireless).
The Netgear works fine to other sites. The Corega is 'unproven' in that I do not have another site with same router. It can act as a VPN gateway (this does work elsewhere) but is not active in this role at this site (we want to use server vpn service).
2. I have seen a few copies of 10.4.x Server just go L2TP/IPSec deaf. They all eventually sorted themselves out with software updates, but certain versions were just plain ol' deaf.
I've now updated to 10.4.8. No difference.
Just to reiterate...
Port-forwarding of 500, 1701 and 4500 appears to be working, as a TCPDump on the server lists these packets when a remote machine is port scanning for them.
However, the same TCPDump session does not list any UDP 500 packets when the VPN client (internet connect) is attempting to start. Logs show nothing beyond "listening for connections...". As I understand it, L2TP commences with an IKE communication on port 500 prior to the later 'real' stuff. Why is this not showing up in a TCPDump?
Puzzled...
-david
Server 10.4.8
RV042 vpn&port forwarding problems
Hello,
I spent a few days trying to configure the RV042 router but I messed up. I need this router for VPN access on my site and Port Forwarding to an internal web server. Apparently very simple task, isn't it?
So:
1. PPTP is working fine but I need more than 5 concurrent accesses.
2. QuickVPN does not work when the DHCP server is checked and I can't access any computer from my LAN. I have a DHCP server in my LAN but when I'm connected through QuickVPN I never reach it. In the log file there are messages like:
Connection refused - Policy violation TCP 169.254.x.x->192.168.1.2 (DHCP server from my lan)
3. On Setup > Forwarding I added a Port Range Forwarding for HTTP port 80 to an internal IP address (192.168.1.x). I also added a firewall access rule to allow traffic to port 80 from any source interface and any source IP to 192.168.1.x.
From the internal LAN, using the WAN IP of the router, the port forwarding works, but not from the outside, though in the log file of the router it appears to work:
Connection Accepted TCP 208.64.252.230:33027->192.168.1.x:80 on ixp1
What could I have done wrong?
The router is configured with a static address as a gateway and it has the latest firmware 1.3.12.19-tm. The access rules are the default ones and the one I added.
Any help would be much appreciated.
Thanks.
Can't answer as to why QVPN fails when you enable DHCP on the router, but considering your requirements it seems to be a moot point. So, you have a DHCP server on your network which I will guess is also running your Web service. If this is a Windows server does your current configuration allow you to enable PPTP on it? If so, that would solve the five user limit. You will need to turn off the PPTP server on the router and then forward port 1723 TCP to your server and you are done. As for your http access, remove any rule that you have in reference to "allow" port 80 connectivity to your web server. Not sure why but this tends to confuse the poor little things. Once you have verified that port 80 is active on the server via the LAN (which you already have) then you are done. If you are still not successful with the connection to the server from the WAN you may want to default the router and start over (lame I know).
*** SORRY, just noticed that you stated that you added a "port range" forwarding rule. Remove that, and configure a UPnP rule for the same server instead. Do not know why they call it that, they just do. This is the same as configuring a single port forward they just call it something different. So just port forward 80 tcp to your server on 192.168.1.x and you are done.
SRP547W, How to use multiple WAN IPs for port forwarding?
Hi folks,
We've run into some difficulty trying to take advantage of multiple WAN IPs in conjunction with the SRP547, and I'm hoping someone here can help out or at least tell us that we're going to need to buy a different router...
What we're trying to achieve is the ability to port forward from our distinct public IPs to different internal servers. Looking at the options under Port Forwarding it looks like we can only configure forwards at the "WAN interface" level, but our problem is that we can't work out how to set up separate interfaces for each of our public IPs...
Our ISP provides us with a fully managed NTU/router with a single "Internet" ethernet port, which we can use by statically configuring IPs on our end. For this configuration this port has been directly patched to the WAN ethernet port on the SRP547W.
We have been allocated a 255.255.255.248 (/29) subnet, giving us 5 usable IPs after the ISP's gateway address is taken into account, like so:
a.b.c.208 Network Address (/29 subnet)
a.b.c.209 ISP Gateway
a.b.c.210 IP1
a.b.c.211 IP2
a.b.c.212 IP3
a.b.c.213 IP4
a.b.c.214 IP5
a.b.c.215 Broadcast Address
On the SRP we've set up the default "Ethernet WAN2" sub-interface with the following details for IP1
VLAN ID: 4088 (Uneditable)
Connection Type: Static IP
Internet IP Address: a.b.c.210
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
The next step (I would have thought) would be to add a second sub-interface, using similar info for IP2
VLAN ID: 4000 (Chosen arbitrarily)
Connection Type: Static IP
Internet IP Address: a.b.c.211
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
When we try to do so however we get:
Fail!
Conflict with Ether_WAN2 interface address type
I should mention at this point that we're running on firmware version 1.02.01 (023).
Any suggestions on how we can proceed?
Is there a CLI or other method of configuration that might work if the web interface won't?
Thanks,
Tim.
OK, I've seen reference to this solution before but not much in the way of details. Perhaps you can spell out how this ought to work, as the Software DMZ doesn't behave as I'd expected it to.
As before, on the SRP we've set up the default "Ethernet WAN2" sub-interface with the details for IP1 with a /29 subnet.
VLAN ID: 4088 (Uneditable)
Connection Type: Static IP
Internet IP Address: a.b.c.210
Subnet Mask: 255.255.255.248
Default Gateway: a.b.c.209
We'd now like to expose a server function on IP2, let's say LAN details for this server are:
VLAN: 3000
VLAN IP Range: 192.168.1.1/24
Server IP: 192.168.1.10
Server Port: 80
So first we turn on Software DMZ:
Status: Enabled
Public IP: a.b.c.211
Private IP: 192.168.1.10
WAN Interface: Ether_WAN2
My understanding, based on what you've said, is that this should expose the whole server to external access via IP2. Unfortunately, it doesn't seem to work this way - we don't seem to have any access at all. Perhaps there's a default deny rule on the firewall?
Just to be sure, I tried creating a rule to allow HTTP traffic to the server in the Advanced Firewall page.
In Interface (WAN): All
Out Interface (LAN): VLAN.3000
Source IP: 0.0.0.0
Source Subnet: 0.0.0.0
Destination IP: 192.168.1.10
Destination Subnet: 255.255.255.255
Protocol: TCP
Source Port: Any
Destination Port: Single:80
Action: Permit
Schedule: Everyday
Times: 24 Hours
Still no dice. What am I missing?
Cheers,
Tim.
How do I configure for port forwarding?
I just replaced my Cisco E3000 wireless router with an Apple AirPort Extreme and need to set up port forwarding. I find the AirPort Utility confusing and very limited in capabilities. How do I configure the router for port forwarding?
Here's a document that you can follow: https://discussions.apple.com/docs/DOC-3415
However, I ran into an issue with setting this up and had to do a work-around: Custom Port Forwarding Config Not Working
E4200 port forwarding not working (v1 1.0.05)
Hi there.
I'll try not to rant too much, but I've had nothing but problems with this 'supposed' high end router... and when I tried calling Cisco I got the old yee-ha to cough up $30 for tech support on a $200 router I got 10 months ago (/rant).
Anyway, following several speed drop issues with my router, I factory reset about 5 times. I later read in the internetz that QoS on these routers was causing the speed to fall to half no matter what settings are used, so I disabled QoS. This time I seem to have steady speeds, but no port forwarding method I use works! Used to work fine, but now Single PF, PF Range or anything else I can think of fails miserably. Even DMZ can't seem to open ports...
I am extremely disappointed in this router and please, don't advise me to factory reset: I've tried, it doesn't work and quite frankly I have way too many devices to painfully reconnect to not send me over the edge.
Please, if anyone has any idea what's going on, your help is more than welcome.
Thanks
-ts
technosinner wrote:
My setup is pretty simple: a DOCSIS 3 modem through my ISP, piped to my Cisco E4200, and a few computers and devices connected to that, all on the same level (no switch or hub).
To my knowledge the modem doesn't filter or route anything, and I don't need to login or connect to my ISP - cable internet with direct filtering on the modem. I might have missed something but here is a question: if I open a port, will it show open even if there is no application to "receive" the connection? I'm asking because I'm starting to wonder if my server might be a bit fussy...?
To protect your router against possible DNS Rebinding Attacks, certain actions will not work from behind a router. Typically, doing this is for testing purposes. What you can do to test if a certain application (port forward) works remotely, is to do it from outside your network.
To test this functionality, this must be done from the outside of the router (remote area). This includes even if the “Filter anonymous Internet requests” is unchecked.
check the site below for reference:
http://blog.trendmicro.com/trendlabs-security-intelligence/protecting-your-router-against-possibl-dn...
Port Forwarding, MI424WR
I'm not even sure I'll give enough information here, because I don't really know what I'm talking about. However, I've been working with a couple of "technical" people from my office.
Essentially, I'm trying to connect two devices (Yamaha Disklavier Pianos) over my FiOS connection (for a process called Remote Lesson) and need to utilize port forwarding. I've tried the instructions on the www.actiontec.com website (Basic Port Forwarding on the MI424WR Verizon FiOS Router), but have been unable to connect successfully.
Basically, here's the two things I need to do (cut and pasted from a technical document draft). Can someone please advise what might be going wrong? I could also forward the entire "connection" document to someone who might want to take a look at it and get a clearer picture.
At any rate, here are steps 2 and 3 of the process we're trying to do:
2. Port Forwarding for Remote Lesson (WAN to LAN)
- Port 58092 is used in both TCP and UDP by default.
- Note: You can choose any port unless it has already been used.
- Please configure a system to forward the access of this port to Disklavier.
3. Release of the port to the Internet (LAN to WAN)
- If the access of port 58092 is filtered, please release this port in both TCP and UDP.
Note: If your partner has configured another port number, please release that port in both TCP and UDP.
Port setting table
PORT FORWARDING (WAN TO LAN): IP Address (original LAN Address)
Port Number (origin)
Protocol: Both TCP and UDP
RELEASE OF THE PORT (LAN TO WAN): Port Number: Destination or all
Protocol: Both TCP and UDP
Thanks for being patient with a "newbie" - I hope someone can help.
levesq56 wrote:
Essentially, I'm trying to connect two devices (Yamaha Disklavier Pianos) over my FiOS connection (for a process called Remote Lesson) and need to utilize port forwarding. I've tried the instructions on the www.actiontec.com website (Basic Port Forwarding on the MI424WR Verizon FiOS Router), but have been unable to connect successfully.
Thanks for being patient with a "newbie" - I hope someone can help.
If you're only trying to connect the 2 devices within your local lan you do not need to do anything with port forwarding. You would only need to add port forwarding rules if you are going to access the devices from remote sites.
The below addresses step 2 of your question.
Step 3 of your question is not needed, as the Actiontec does not block any port access from the LAN to the WAN.
Step 2 allowing wan to lan access
If you are doing the latter then you would want to give the device fixed ip addresses, make sure they are out of the dhcp range of the actiontec router.
Then go to firewall setting
Select Port Forwarding tab
Select New Entry
add the IP address of the device in the Local Host field
Make sure Forward to Port is set as Same as incoming Port
Make sure Schedule is set as Always
Under protocols Select User defined
Make the service name whatever you want - e.g Piano
Select new server ports
Under protocols Select TCP
Under source port select single
enter 58092
Make sure destination port says Any
Hit OK
Select New server ports again and repeat the last five steps for protocol UDP
then say OK
Say OK to the Edit port Forwarding rule
Now you should be able to access the device from the outside WAN
2 WTR54GX2, trying to do port forwarding
Hey all, so here's the thing: I have two WRT54GX2's in my network. One is the gateway router (192.168.1.1) and the other is quite a distance away and is the secondary (192.168.100.1). I want to set up a SlingBox on port 80, so basically a webserver. But due to restrictions of cabling and whatnot I have to attach it to 100.1, the secondary router. My question is how do I make this work with port forwarding? Because I can set the SlingBox up with 192.168.110.12 and then port forward it on the secondary router and make it work, but how do I do it on the gateway router? As I understand it, in order to port forward, the device has to be on the same subnet as the router, but two routers on the same subnet is a PAIN. And both routers have hardwired devices and wireless devices. Any help would be appreciated. Cheers! _KN
brickmonkey, I really appreciate the help. I have one more question though (I know this whole thing must be getting annoying, sorry :/): when I do the static IP I tried setting the "Internet IP" as 192.168.1.34 but it gave me an error along the lines of "Internet IP cannot be on the same subnet as the gateway", so what IP do I give the second router? As I understand it, in order for the 1st (gateway) router to port forward correctly, the port it's forwarding has to be on the same subnet. Any advice?
RV082 port forwarding limited to 30 entries ?
Hello,
We use the RV082 as our main gateway and need to open/forward around 50 ports to the inside. But while setting the rules I got an error message: "The max of Port Range Forwarding is 30 entries. You can't add any more."
In the online help it is explicitly said: "4. Click the Add to List button, and configure as many entries as you would like."
How can we setup more than 30 port forwarding rules ?
If this is a software bug, can it be corrected?
Regards,
Petr Svoboda
Petr, I agree with tekliu. I use the UPnP rules with UPnP disabled for all of my port forwarding, unless a range is needed. They should not cause any more exposure than regular Forwarding rules, and if you use port translation they will reduce your exposure.
The only differences:
Forwarding allows port ranges
Forwarding has a "Port Triggering" section
UPnP allows port translation (because it's only single port at a time, not a range)
UPnP has unlimited entries
Phase 2 issue in IPSEC site-to-site
Hi All,
I have got an issue while creating an IPSEC site-to-site VPN between cisco2901-15.2(4)M3 ---> cisco861-12.4
Phase 1 is successfully up, but when I run the command #show crypto ipsec sa I can't see encrypted and decrypted packets.
Below are the running configs and show crypto output for both sides.
cisco2901:-
Current configuration : 5668 bytes
! Last configuration change at 17:08:59 PCTime Mon Feb 3 2014 by ciscodxb
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname DXB-CIT
boot-start-marker
boot-end-marker
logging buffered 52000
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa session-id common
clock timezone PCTime 4 0
ip cef
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 192.168.10.1 192.168.10.9
ip dhcp excluded-address 192.168.10.101 192.168.10.254
ip dhcp pool dxb-pool
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 80.xxx.xx.xx 213.xxx.xxx.xx
ip domain name channelit
ip name-server 80.xx.xx.xx
ip name-server 213.xx.xx.xx
no ipv6 cef
multilink bundle-name authenticated
crypto pki trustpoint TP-self-signed-1231038404
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1231038404
revocation-check none
rsakeypair TP-self-signed-1231038404
crypto pki certificate chain TP-self-signed-1231038404
certificate self-signed 01
quit
voice-card 0
license udi pid CISCO2901/K9 sn FCZ1716C4QT
hw-module pvdm 0/0
username cisco
username ciscodxb privilege 15 password 0 cisco
username compumate privilege 15 secret 4 YCR80zERMiSH2RJpMWWOYdaDiHRm0U6p9mGMCktErQ2
redundancy
crypto ctcp
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key xxxxxxxxx address 41.xxx.xx.xx
crypto isakmp client configuration group CITDXB
key xxxxxx
pool SDM_POOL_1
crypto isakmp profile ciscocp-ike-profile-1
match identity group xxxxx
client authentication list ciscocp_vpn_xauth_ml_1
isakmp authorization list ciscocp_vpn_group_ml_1
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set Dxb-to-Nigeria esp-3des esp-md5-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
crypto dynamic-map hq-vpn 11
set security-association lifetime seconds 86400
set transform-set CHANNEL-DUBAI
crypto map Dxb-to-Nigeria 1 ipsec-isakmp
set peer 41.xxx.xxx.xxx
set transform-set Dxb-to-Nigeria
match address 110
crypto map VPN 1 ipsec-isakmp dynamic hq-vpn
interface Embedded-Service-Engine0/0
no ip address
shutdown
interface GigabitEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$$ES_LAN$$ETH-WAN$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
interface GigabitEthernet0/1
description $ES_WAN$
ip address 80.xxx.xxx.xxx 255.255.255.252
ip flow ingress
ip flow egress
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map Dxb-to-Nigeria
interface Virtual-Template1 type tunnel
ip unnumbered GigabitEthernet0/1
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
ip local pool SDM_POOL_1 192.168.20.20 192.168.20.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip nat source list 100 interface GigabitEthernet0/1 overload
ip nat inside source route-map SDM_RMAP_1 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
ip sla auto discovery
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 101 deny ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
access-list 101 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 41.206.13.192 0.0.0.7
route-map SDM_RMAP_1 permit 1
match ip address 101
control-plane
mgcp profile default
gatekeeper
shutdown
line con 0
logging synchronous
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
transport input telnet ssh
line vty 5 15
access-class 23 in
transport input telnet ssh
scheduler allocate 20000 1000
end
DXB-CIT#show cry
DXB-CIT#show crypto isa
DXB-CIT#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
41.xxx.xxx.xx 80.xxx.xx.xx QM_IDLE 1011 ACTIVE
IPv6 Crypto ISAKMP SA
DXB-CIT#show cry
DXB-CIT#show crypto ips
DXB-CIT#show crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: Dxb-to-Nigeria, local addr 80.xxx.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (192.168.10.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (41.xxx.xx.xx/255.255.255.248/0/0)
current_peer 41.xxx.xx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 1467, #recv errors 0
local crypto endpt.: 80.xxx.xxx.xx, remote crypto endpt.: 41.xxx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0x0(0)
PFS (Y/N): N, DH group: none
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
cisco861:-
crypto pki trustpoint TP-self-signed-2499926077
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2499926077
revocation-check none
rsakeypair TP-self-signed-2499926077
crypto pki trustpoint test_trustpoint_config_created_for_sdm
subject-name [email protected]
revocation-check crl
crypto pki certificate chain TP-self-signed-2499926077
certificate self-signed 01
quit
crypto pki certificate chain test_trustpoint_config_created_for_sdm
ip source-route
ip dhcp excluded-address 10.10.10.1
ip cef
ip domain name yourdomain.com
username emma privilege 15 password 0 PasemmaY
username admin privilege 15 secret 5 $1$GHAV$CuyCKFpaEVCRcTX4jTNzp/
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp policy 3
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp policy 5
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp policy 7
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key &dtej4$ address 41.xxx.xx.xxx
crypto isakmp key ch@nn#l!t address 41.xx.xx.xx
crypto isakmp key t3l3comch@nn3l&mtn address 196.xx.xx.xx
crypto isakmp key CITDENjan2014 address 80.xxx.xx.xx
crypto ipsec transform-set MTN-TCWA esp-3des esp-sha-hmac
crypto ipsec transform-set channelit esp-3des esp-md5-hmac
crypto ipsec transform-set MTNG-TCWA esp-3des esp-md5-hmac
crypto ipsec transform-set CHANNEL-DUBAI esp-3des esp-md5-hmac
crypto map CHANNEL-DUBAI 14 ipsec-isakmp
set peer 80.xxx.xx.xxx
set transform-set CHANNEL-DUBAI
match address 160
crypto map MTNVPN local-address FastEthernet4
crypto map MTNVPN 10 ipsec-isakmp
set peer 41.xxx.xx.xx
set transform-set MTN-TCWA
match address 101
crypto map MTNVPN 11 ipsec-isakmp
set peer 41.xxx.xx.x
set transform-set channelit
match address 150
crypto map MTNVPN 12 ipsec-isakmp
set peer 196.xxx.xx.xx
set transform-set MTNG-TCWA
match address MTNG
archive
log config
hidekeys
ip tcp synwait-time 5
interface FastEthernet0
interface FastEthernet1
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
description This interface connect MTN Fibre
ip address 41.206.xx.xxx 255.255.255.252
duplex auto
speed auto
crypto map MTNVPN
interface Vlan1
description This interface connects to CIT LAN
ip address 41.xxx.xx.xxx 255.255.255.248
ip tcp adjust-mss 1452
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 41.xxx.xx.xx
ip route 10.93.128.128 255.255.255.224 41.xxx.xx.x
ip route 10.109.95.64 255.255.255.240 41.xxx.xx.xxx
ip route 10.135.45.0 255.255.255.224 196.xxx.xx.xx
ip route 10.199.174.225 255.255.255.255 41.xxx.xx.xxx
ip route 192.168.10.0 255.255.255.0 80.xxx.xxx.xxx
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip access-list extended MTNG
permit ip 41.xxx.xx.xxx 0.0.0.7 10.135.45.0 0.0.0.31
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit any
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7
access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31
access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31
access-list 150 permit ip host 41.206.13.193 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.194 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.195 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.196 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.197 10.197.212.224 0.0.0.31
access-list 150 permit ip host 41.206.13.198 10.197.212.224 0.0.0.31
access-list 160 permit ip 41.206.xx.xxx 0.0.0.7 192.168.10.0 0.0.0.255
no cdp run
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username <myuser> privilege 15 secret 0 <mypassword>
Replace <myuser> and <mypassword> with the username and password you
want to use.
^C
banner login ^C
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.
YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want
to use.
IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
^C
line con 0
login local
no modem enable
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
login local
transport input telnet ssh
scheduler max-task-time 5000
end
CIT_2#show cry
CIT_2#show crypto isa
CIT_2#show crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
41.xxx.xx.xxx 80.xxx.xx.xxx QM_IDLE 2003 0 ACTIVE
IPv6 Crypto ISAKMP SA
CIT_2#show cry
CIT_2#show crypto ips
CIT_2#show crypto ipsec sa
interface: FastEthernet4
Crypto map tag: MTNVPN, local addr 41.xxx.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (41.xxx.x.xx/255.255.255.255/0/0)
current_peer 41.xxx.xx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xxx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
protected vrf: (none)
local ident (addr/mask/prot/port): (41.xxx.xx.xxx/255.255.255.248/0/0)
remote ident (addr/mask/prot/port): (10.109.95.120/255.255.255.248/0/0)
current_peer 41.xxx.xx.xxx port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 41.xxx.xx.xx, remote crypto endpt.: 41.xxx.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet4
current outbound spi: 0x0(0)
inbound esp sas:
inbound ah sas:
inbound pcp sas:
outbound esp sas:
outbound ah sas:
outbound pcp sas:
@Marcin
Any suggestion to fix the issue?
I mean, if I put the commands below, will I be able to fix the issue?
crypto map MTNVPN 12 ipsec-isakmp
set peer 80.xxx.xx.xxx
set transform-set CHANNEL-DUBAI
match address 160
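Both IPsec SAs in the `show crypto ipsec sa` output above show `#pkts encaps: 0` and no inbound or outbound ESP SAs, which is what you see when traffic never matches a crypto ACL of the map bound to the egress interface. IOS binds one crypto map per interface, walks its entries in sequence-number order, and within an entry tests the ACL lines top to bottom; the first `permit` selects the entry. The following Python model of that selection is an added example, not code from this thread or from Cisco. It copies ACLs 101 and 150 from the configuration, leaves out ACL 160 and the named ACL MTNG because their addresses are redacted on the page, and the test flows are constructed.

```python
"""Model of how IOS picks a crypto map entry for a flow (added example, not from the thread).

Assumptions: ACL lines are tested top to bottom, crypto map entries in
sequence-number order, one crypto map per interface.  The sample flows are constructed.
"""
import ipaddress

# Crypto ACL lines copied from the posted running-config.
ACL_LINES = {
    "101": [
        "access-list 101 permit ip 41.206.13.192 0.0.0.7 host 41.206.4.75",
        "access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.64 0.0.0.15",
        "access-list 101 permit ip 41.206.13.192 0.0.0.7 10.109.95.120 0.0.0.7",
        "access-list 101 permit ip 41.206.13.192 0.0.0.7 host 10.199.174.225",
        "access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.64 0.0.0.31",
        "access-list 101 permit ip 41.206.13.192 0.0.0.7 10.197.197.96 0.0.0.31",
    ],
    "150": [
        "access-list 150 permit ip host 41.206.13.193 10.197.212.224 0.0.0.31",
        "access-list 150 permit ip host 41.206.13.194 10.197.212.224 0.0.0.31",
        "access-list 150 permit ip host 41.206.13.195 10.197.212.224 0.0.0.31",
        "access-list 150 permit ip host 41.206.13.196 10.197.212.224 0.0.0.31",
        "access-list 150 permit ip host 41.206.13.197 10.197.212.224 0.0.0.31",
        "access-list 150 permit ip host 41.206.13.198 10.197.212.224 0.0.0.31",
    ],
}

# Crypto map MTNVPN as applied to FastEthernet4: (sequence, crypto ACL name).
# Sequence 12 (match address MTNG) is omitted: its ACL is redacted on the page.
MTNVPN = [(10, "101"), (11, "150")]


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def parse_term(tokens, i):
    """Parse one address term at tokens[i]; return (network, wildcard, next_index)."""
    if tokens[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if tokens[i] == "host":
        return _addr(tokens[i + 1]), 0, i + 2
    return _addr(tokens[i]), _addr(tokens[i + 1]), i + 2


def parse_ace(line):
    """Parse 'access-list N permit|deny ip SRC DST' into a dict of integer fields."""
    t = line.split()
    k = t.index("permit") if "permit" in t else t.index("deny")
    src, swc, j = parse_term(t, k + 2)
    dst, dwc, _ = parse_term(t, j)
    return {"action": t[k], "proto": t[k + 1], "src": src, "swc": swc, "dst": dst, "dwc": dwc}


def wildcard_match(addr, network, wildcard):
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = ~wildcard & 0xFFFFFFFF
    return addr & care == network & care


def first_match(aces, src_ip, dst_ip):
    """Return (line_index, action) of the first matching line, or (None, 'implicit-deny')."""
    s, d = _addr(src_ip), _addr(dst_ip)
    for n, ace in enumerate(aces):
        if wildcard_match(s, ace["src"], ace["swc"]) and wildcard_match(d, ace["dst"], ace["dwc"]):
            return n, ace["action"]
    return None, "implicit-deny"


def select_crypto_entry(crypto_map, acls, src_ip, dst_ip):
    """Return the sequence number whose ACL permits the flow, or None (no SA: sent in the clear)."""
    for seq, acl_name in crypto_map:
        _, action = first_match(acls[acl_name], src_ip, dst_ip)
        if action == "permit":
            return seq
    return None


ACLS = {name: [parse_ace(line) for line in lines] for name, lines in ACL_LINES.items()}

if __name__ == "__main__":
    flows = [("41.206.13.193", "10.109.95.70"), ("41.206.13.193", "10.197.212.230"),
             ("41.206.13.193", "10.109.95.130"), ("41.206.13.193", "192.168.10.5")]
    for src, dst in flows:
        seq = select_crypto_entry(MTNVPN, ACLS, src, dst)
        verdict = f"crypto map MTNVPN seq {seq}" if seq is not None else "no entry, routed unencrypted"
        print(f"{src} -> {dst}: {verdict}")
```

Running it shows the last flow, toward 192.168.10.0/24, selecting no entry at all: ACL 160 is referenced only from crypto map CHANNEL-DUBAI, and FastEthernet4 has MTNVPN applied, so the Dubai peer needs its own entry under MTNVPN. IOS identifies an entry by its sequence number, so re-entering `crypto map MTNVPN 12 ipsec-isakmp` edits the existing MTNG entry rather than adding a new one; a new peer needs a sequence number that is not already in use.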
How to make site root-relative links work in DW and Server both?
See details on buggy DW image link behavior, below. My question is:
1) how to make site root-relative links work in DW and Server both? Or…
2) how to reliably automate the change of several hundred legacy root-relative links of the form
/images/image.jpg to document-relative?
That is, to
../images/image.jpg or
../../images/image.jpg or
../../../images/image.jpg etc…depending on where the directory is.
The old format (/images/image.jpg) used to work fine in my previous DW 8 configuration but appears grey in DW after “upgrading” to DW CS5.5 Mac. (They look fine on the server, but it’s hard to edit image-heavy pages locally when they are all grey.)
I tried changing the files to how DW creates root relative links now:
/public_html/images/image.jpg, which is a very easy, attractive root flow since there’s a one-to-one mapping. These look great in DW but are broken on the server!
I looked at the “advanced” site setup, and it looked like it might be possible to nuke the /public_html/ part of my server info…but it also looked like there was the potential for doing damage changing these settings, which are automatically generated from our server connection settings, which seem to work.
The “links relative to document/ site root” toggle…does that change how DW interprets existing links, or just change the default when you are adding a link? I have made 80% of the file links document relative…before wondering if root-relative isn’t better?
It sure seems less ambiguous for all those images if there’s a way to make root-relative work for DW design view, DW link check, and server.
Summary of buggy behavior: (see test with images here)
"old style" site root link
/images/img_book/WScover120x150_NEW.jpg
Design view in DW: broken (grey w/ broken icon)
Link check in DW: "external link" (i.e., uncheckable, + file could appear orphaned)
Browser: good
Ease of switching: n/a (existing format)
"new style" site root relative link
/public_html/images/img_book/WScover120x150_NEW.jpg
Design view in DW: good
Link check in DW: good
Browser: broken
Ease of switching: easy
Document relative link
../../images/img_book/WScover120x150_NEW.jpg
Design view in DW: good
Link check in DW: good
Browser: good
Ease of switching: hard (how to automate?)
Absolute link
http://www.oasisdesign.net/images/img_book/WScover120x150_NEW.jpg
Design view in DW: broken (grey w/ broken icon)
Link check in DW: external (i.e., uncheckable, + file could appear orphaned)
Browser: good
Ease of switching: n/a...not a real option
Thanks!
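Question 2 above, an automated rewrite of several hundred site-root-relative links into document-relative ones, is the part of the post nobody answers directly. The following is an added Python example, not anything from Dreamweaver or from this thread. It assumes the local site root is the folder that maps to the server's document root (the `public_html` folder in the thread), so that `/images/image.jpg` means `<site root>/images/image.jpg`, and it rewrites only `src` and `href` values that start with a single `/`; protocol-relative (`//host/...`) and absolute URLs are left alone. The sample HTML is constructed.

```python
"""Convert site-root-relative links to document-relative links (added example).

Assumption: doc_path is the page's path relative to the site root, using '/'
separators, and a link '/x/y.jpg' means '<site root>/x/y.jpg'.
"""
import os
import posixpath
import re

# src="/..." or href='/...'; the URL group stops at the quote, '#', '?' or whitespace
ATTR_RE = re.compile(r"""(?P<prefix>\b(?:src|href)\s*=\s*["'])(?P<url>/[^"'#?\s]*)""",
                     re.IGNORECASE)


def to_document_relative(root_link, doc_path):
    """'/images/a.jpg' seen from 'books/vol1/page.html' becomes '../../images/a.jpg'."""
    target = root_link.lstrip("/")
    if not target:                      # a bare '/' has no file to point at; leave it
        return root_link
    doc_dir = posixpath.dirname(doc_path) or "."
    return posixpath.relpath(target, doc_dir)


def rewrite_links(html, doc_path):
    """Rewrite every root-relative src/href in one document's HTML."""
    def repl(m):
        url = m["url"]
        if url.startswith("//"):        # protocol-relative URL, not a site path
            return m.group(0)
        return m["prefix"] + to_document_relative(url, doc_path)
    return ATTR_RE.sub(repl, html)


def rewrite_site(site_root, extensions=(".html", ".htm")):
    """Rewrite all pages under site_root in place; return the paths that changed."""
    changed = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            if not name.lower().endswith(extensions):
                continue
            full = os.path.join(dirpath, name)
            doc_path = os.path.relpath(full, site_root).replace(os.sep, "/")
            with open(full, encoding="utf-8", errors="surrogateescape") as f:
                html = f.read()
            new_html = rewrite_links(html, doc_path)
            if new_html != html:
                with open(full, "w", encoding="utf-8", errors="surrogateescape") as f:
                    f.write(new_html)
                changed.append(doc_path)
    return changed


if __name__ == "__main__":
    # Constructed sample page living at <site root>/books/water/page.html
    sample = '<img src="/images/img_book/WScover120x150_NEW.jpg"><a href="/docs/b.html#top">x</a>'
    print(rewrite_links(sample, "books/water/page.html"))
```

Run `rewrite_site("public_html")` against a copy of the site (or a checked-in working tree) so the result can be diffed before upload; the function returns the list of files it touched, which makes the review straightforward.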
Similar discussion on "/"
Hello again Jon!
Thanks for jumping on this.
All clear and understood about where public_html is etc.
No contemplation of nuking the actual public_html directory on the server, just the "/public_html" text string at the start of the DW-generated links.
"/public_html" is automatically added to the front of the link in DW if I create the link with any of the GUI tools, if I have "site root relative" selected. And "/public_html" ends up in the code, and gets uploaded that way to the server, where it (obviously) doesn't work.
Doesn't sound like it is supposed to work this way. Also, what seems to be the usual root-relative format (/images/image.jpg) shows as a broken link in the GUI and an external link in the DW link check. All this together makes me think I have some obscure setting incorrect?
The setting that caught my eye is manage sites/ site setup/ advance settings/ local info/ web url, which is automatically set to http://www.oasisdesign.net/public_html/
it gives an option to change it but it makes every effort to make this NOT look like something users should mess with:
Having gone through the more careful thought process during this post, I'm ready to do the experiment of changing the remote server web URL (why is it wrong by default?)...think I'll eat dinner first so there's 45 min to avert disaster if anyone knows this to be a bad idea!
Art
PS--don't have a local testing server...don't think this will solve the GUI broken link/ link shows as external problems.
Is there an easy, automated way to change links sitewide from document to root relative?
I've got a NAS setup with various services running on custom ports to help minimize exposure (especially to script kiddies). I've tested everything both internally and externally to confirm they all work, and even had someone at a remote location confirm accessibility as well. Port forward configurations performed on the Actiontec are working well.
I installed an L2TP/IPSec VPN server, tested internally and it connected successfully. So for all intents & purposes, this validates that the VPN server is correctly configured to accept inbound connections and functioning correctly.
I logged into the Verizon Actiontec MI424WR router, setup port forwarding for UDP ports 500, 1701 & 4500.
Note: I added the AH & ESP protocols based on what I saw on the built-in L2TP/IPSec rules
With the port forwarding in place, I tested VPN externally but it didn't connect.
I've done the following so far to no avail:
Double & triple checked the port forwards, deleted & recreated the rules a few times to be sure
There are no other pre-existing L2TP/IPSec port forward rules or otherwise conflicting port forward rules (e.g.: another rule for ports 500, 1701 or 4500)
There was an L2TP port triggering rule enabled, that I toggled on and off with no change
Verified the firewall on VPN server had an exclusion for L2TP, or that the firewall is off. (Firewall is off to reduce a layer of complexity, but it worked internally to begin with so I doubt that's the issue.)
Since it works internally, and there are no entries in the logs on the device indicating inbound connections, I'm convinced it's an issue with the Verizon Actiontec router. But unfortunately, I'm not sure what else to try or where else to look to troubleshoot this. For instance, is there a log on the router that I can view in real time (e.g.: tail) that would show me whether or not the inbound connection attempt is reaching the device, and whether or not the device allowed or blocked it?
My router details:
Verizon Actiontec
MI424WR-GEN2
Revision E
Firmware 20.21.0.2
Verizon Actiontec built-in L2TP/IPSec rule templates. They're not currently in use, but are baked into the firmware for easy configuration/selection from a drop down menu.
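The question of whether the inbound attempt is reaching the device can be answered on the VPN server itself rather than on the router: a capture on the server's LAN interface, for example `tcpdump -ni eth0 'udp port 500 or udp port 4500 or udp port 1701 or ip proto 50'`, shows which stage of the L2TP/IPSec exchange actually arrives through the forwards. The script below is an added example, not from the thread or from Actiontec, that classifies tcpdump-style lines into the stages that are visible on the wire (IKE on UDP 500, IKE over NAT-T on UDP 4500, then ESP either raw or UDP-encapsulated; the L2TP control channel on 1701 runs inside ESP and is not visible in the clear) and reports the furthest stage reached. The capture lines and the address 192.168.1.20 are constructed.

```python
"""Classify inbound L2TP/IPSec packets seen on the VPN server (added example).

The sample lines imitate tcpdump -n output and are constructed, not captured
from the thread's network.  SERVER_IP is an assumed LAN address.
"""
import re

SERVER_IP = "192.168.1.20"  # constructed: VPN server behind the router

SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.500 > 192.168.1.20.500: isakmp: phase 1 I ident
12:00:01.100001 IP 192.168.1.20.500 > 203.0.113.10.500: isakmp: phase 1 R ident
12:00:02.000001 IP 203.0.113.10.4500 > 192.168.1.20.4500: NONESP-encap: isakmp: phase 2/others I oakley-quick[E]
12:00:03.000001 IP 203.0.113.10.4500 > 192.168.1.20.4500: UDP-encap: ESP(spi=0x0c1d2e3f,seq=0x1), length 132
"""

# Stages in the order they occur on the wire.
STAGES = ["none", "ike", "ike_natt", "esp"]

HINTS = {
    "none": "no IKE from the peer reached the server: check the UDP 500 forward and that the client is sending",
    "ike": "IKE arrived on UDP 500 but nothing on UDP 4500: with NAT in the path the peers move to 4500, check that forward",
    "ike_natt": "IKE reached UDP 4500 but no ESP followed: the IKE negotiation itself is failing (PSK, proposals; see the server log)",
    "esp": "ESP is arriving, so the forwards work; the L2TP layer inside the tunnel or the server is the next thing to check",
}

# Handles both 'IP a.port > b.port: ...' and raw ESP 'IP a > b: ESP(...)' lines.
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)"
)


def classify(dport, rest):
    """Map one packet description to a stage name, or None if it is not part of the exchange."""
    if "ESP(" in rest:
        return "esp"
    if "isakmp" in rest:
        return "ike_natt" if dport == "4500" else "ike"
    return None


def diagnose(lines, server_ip):
    """Count inbound packets per stage and report the furthest stage reached."""
    inbound = {"ike": 0, "ike_natt": 0, "esp": 0}
    replied = False
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        if m["dst"] == server_ip:
            stage = classify(m["dport"], m["rest"])
            if stage:
                inbound[stage] += 1
        elif m["src"] == server_ip:
            replied = True  # the server answered, so its own stack processed the packet
    furthest = max((s for s in STAGES if inbound.get(s)), key=STAGES.index, default="none")
    return {"inbound": inbound, "server_replied": replied, "furthest": furthest, "hint": HINTS[furthest]}


if __name__ == "__main__":
    report = diagnose(SAMPLE_CAPTURE.splitlines(), SERVER_IP)
    print(f"furthest stage: {report['furthest']} (server replied: {report['server_replied']})")
    print(report["hint"])
```

Feed it a real capture with `tcpdump -n ... | python3 thisfile.py` after replacing the sample with `sys.stdin`; an empty report while the client is dialling means the packets are stopping at the router, which is the one result that no amount of re-checking the forward rules in the web UI will show.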
Normally a VPN on that router will have a GRE tunneling protocol as well.
Two ways to build the PF rules:
Manually
Preconfigured
I know the preconfigured VPN rules will do the GRE protocol as well, but if you do it by hand you can't get it.
Enterprise Mode for Internet Explorer 11. Difference in how adding a site works.
I am noticing a difference in how adding a site to open in Enterprise Mode works.
When I incorporate a XML file created by the List Manager, containing 'http://mysite/mypath'. Enterprise mode functions for the entire site. When I say entire site, I mean pages in virtual directories also open in Enterprise Mode.
This is good. But I for the time being I would like to put it on my users to approve their sites.
However, if I choose to not use a file and just allow the users to add sites, when they go to 'http://mysite/mypath' then go to Tools and Enterprise Mode to add the site. We close Internet Explorer, reopen, enter the site 'http://mysite/mypath'
opens in Enterprise Mode. But when they navigate to pages located in virtual directories, they display in standards mode. And would need to be added separately by going to Tools -> Enterprise Mode.
I just want to know am I seeing this behavior correctly, or am I possibly missing a step.
Thanks in advance for the response and feedback.
Hi David,
I am testing in my environment, and I will let you know if we have any result.
Thanks for your patience.
Best regards,
Fangzhou CHEN
TechNet Community Support
How to make a dynamic site with Muse
Howdy, I want to ask how to make a dynamic site with Muse. Can it be integrated with a CMS like WordPress, Joomla, Drupal, etc.?
Thanks,
best regard,
Harles
Hello Harles,
The CMS functionality till now is only supported with Muse while using Business Catalyst as host.
Please refer to forum posts : http://forums.adobe.com/message/4418294?tstart=0 and http://forums.adobe.com/message/4776241#4776241 .
Hope this helps.
Regards,
Sachin
How to extract .sit files (on Mac) using a Java program
Hi,
Please help me, I want a simple program for
"how to extract .sit files (on Mac) using a Java program".
Those .sit files are like zip files on Windows.
Thanks for the reply...
But I searched Google about this topic... no results appeared.
The problem is: I have to run a program on Mac OS that extracts all the files with the
.sit (StuffIt) extension. These .sit files are like zip files on Windows... We have a tool called StuffIt Expander, but it is a third-party tool. The requirement here is that I have to write my own program to extract all the files, like a zip file program...
Please do the needful. I am waiting for your reply.