Ipsec puzzle on cisco 1811
I have a cage containing "V" (Windows XP) and "R/S" (Cisco 1811 Router+Switch). V needs to talk (via R/S) to a service on port 6910 of "P", which is outside the cage.
P talks IPSec for port 6910 traffic.
I am handcuffed, I cannot change config of P or config of V. So I need to use R/S to gateway the IPSec. I will be happy if R/S does IPSec for traffic to port 6910 at any address external to the cage.
Is this problem going to have a solution?
Your first question might be "what is the config at P?". I don't know how to answer that directly, but I have provided all info about a Windows secpol that successfully talks to P, which should yield the P config, right?
For more complete problem description including beautiful diagrams and an equivalent security policy on Windows that I'm trying to mimic, please see http://sites.google.com/site/ipsecpuzzleoncisco1800/home
Thanks for any guidance.
John Ruckstuhl
Hi,
Thanks for the reply.
Yes I found that page and carried out the instructions, but still no joy. Here is an update on my learning process:
- I now know that the rommon prompt (which I got to using Ctrl-Break from within HyperTerminal on Windows XP connected to the console) is the system that causes the IOS system to boot. When I changed the confreg parameter from the rommon prompt, I neglected to note what my current confreg setting was, so I can't change it back (help here please). At the moment, the confreg setting is 0x142. What should it be to get this router back to the state where I started with it?
- In the flash filespace, I have a number of files, all dated Nov 22 of this year, which I'm assuming are what I need to get this back and going the way it was when I first powered it up. These files are:
c181x-advipservicesk9-mz.124-2.T2.bin
sdmconfig-1811-1812.cfg
sdm.tar
es.tar
common.tar
home.shtml
home.tar
128MB.sdf
At the moment, when I power-off and power-on the router, I'm prompted with the following question:
Would you like to enter the initial configuration dialog [yes/no]. I answer no. I'm imagining that I need to change the rommon confreg setting to avoid this message and continue with the boot process.
Can someone instruct me as to how this is done?
TIA
Charlie
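The confreg question above is easier to reason about once the register is decoded bit by bit. The decoder below is an added example (not from the post and not Cisco's code); it covers only the three flag bits that matter here, using their documented meanings, and treats every other bit as out of scope. Run against the values in the post, 0x142 decodes as boot field 2 plus 0x0100 (console Break disabled) plus 0x0040 (ignore NVRAM contents); that last bit is what makes a router skip its saved startup-config and offer the initial configuration dialog at every boot. The usual production value 0x2102 has the same boot field and Break setting but leaves 0x0040 clear.

```python
import re

# Flag bits of the IOS configuration register used by this example.
# Masks and meanings are the documented ones; other bits are ignored here.
CONFREG_BITS = {
    0x0040: "ignore NVRAM contents (startup-config is not loaded)",
    0x0100: "console Break disabled",
    0x2000: "boot default ROM software if network boot fails",
}

# Boot field (bits 0-3). Any value from 0x2 to 0xF means: follow the
# 'boot system' commands in startup-config, else boot the first flash image.
BOOT_FIELD = {
    0x0: "stay in ROM monitor (rommon)",
    0x1: "boot the first image found in flash",
}


def decode_confreg(value: int) -> dict:
    """Break a register value into its boot field and the flag bits that are set."""
    boot = value & 0xF
    boot_meaning = BOOT_FIELD.get(
        boot, "use 'boot system' commands from startup-config, else first image in flash"
    )
    return {
        "value": value,
        "boot_field": boot,
        "boot_meaning": boot_meaning,
        "flags": [name for mask, name in sorted(CONFREG_BITS.items()) if value & mask],
        "ignores_nvram": bool(value & 0x0040),
    }


def clear_ignore_nvram(value: int) -> int:
    """Return the register with the ignore-NVRAM bit (0x0040) cleared."""
    return value & ~0x0040


def parse_confreg(text: str) -> int:
    """Pull a hex register value out of text such as 'confreg 0x142' or a
    'show version' tail line ('Configuration register is 0x2102')."""
    m = re.search(r"0x([0-9a-fA-F]{1,4})", text)
    if not m:
        raise ValueError(f"no hex register value in {text!r}")
    return int(m.group(1), 16)


if __name__ == "__main__":
    for v in (0x142, 0x2102):
        info = decode_confreg(v)
        print(f"0x{v:04x}: boot field {info['boot_field']} -> {info['boot_meaning']}")
        for flag in info["flags"]:
            print(f"    {flag}")
    print(f"0x142 with 0x0040 cleared -> 0x{clear_ignore_nvram(0x142):04x}")
```

The register is changed from rommon with `confreg <value>` followed by `reset`, or from IOS global configuration with `config-register <value>`; `show version` reports the current and next-boot values on its last line. Note that clearing only 0x0040 from 0x142 gives 0x102, which keeps Break disabled but also lacks 0x2000; the factory value on these routers is 0x2102.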
Similar Messages
-
This is probably a stupid question but how do I open a port on a Cisco 1811? I have a Cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from outside the network using the external IP address and port 5950. People outside the network will be able to open VNC viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal IP address of 10.11.101.10. What commands do I use to do this?
Thanks,
That didn't work. Here is the new running config:
Building configuration...
Current configuration : 12519 bytes
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
hostname *Host Name*
boot-start-marker
boot-end-marker
security authentication failure rate 3 log
security passwords min-length 6
logging message-counter syslog
logging buffered 51200
logging console critical
enable secret 5 $1$3R6c$adcoV0cvM5hTzxOoPBByc0
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa session-id common
clock timezone PCTime -7
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
crypto pki trustpoint TP-self-signed-1097866965
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1097866965
revocation-check none
rsakeypair TP-self-signed-1097866965
crypto pki certificate chain TP-self-signed-1097866965
certificate self-signed 01
30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 31303937 38363639 3635301E 170D3131 30393039 31383130
32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30393738
36363936 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B1C3 0B9F3231 E9911C7A 7A84E566 F4530769 16830F32 4A61F775 12CDDB5C
23227963 5A53E5C5 2C0E8945 640DB32C ACD17F1A 2C52EC96 7C274099 5D4BBD26
6E7C4DA9 32C5162B 0A54D437 64B719B9 36904DDA 7B23FC3C E7763F5E BF651874
1870462E FA0ABE9C 37918D53 2B5B13A7 4FADFC9E 1D8B0B64 141733A7 8DC61C03
80E90203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
551D1104 22302082 1E426F77 5F49736C 616E6453 43414441 2E796F75 72646F6D
61696E2E 636F6D30 1F060355 1D230418 30168014 0AEF8942 249D4EF1 A18B1BA6
389822CB 16CB4922 301D0603 551D0E04 1604140A EF894224 9D4EF1A1 8B1BA638
9822CB16 CB492230 0D06092A 864886F7 0D010104 05000381 81008DC2 DFF3604C
93BE4175 7078AC30 7391F8AF 4A15E116 C53D523E 12F6B5F4 15CA5635 C12576F7
0D5D1A2A F330F781 459F3418 7E82FFBD 2679E17C CDF07A4F A257B599 E7CCC9C6
38617B96 F2E66F0D 6BFBC000 524B377B 969D51BD 48A9BF8F 8C0220D4 BB249435
08688D18 794CAFB3 1F74F2F9 4E0C0245 AEA8E55A 2AE758A0 36CC
quit
dot11 syslog
no ip source-route
ip dhcp excluded-address 10.11.101.1 10.11.101.99
ip dhcp pool ccp-pool1
import all
network 10.11.101.0 255.255.255.0
default-router 10.11.101.1
ip cef
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip inspect log drop-pkt
no ipv6 cef
multilink bundle-name authenticated
username *UserName* privilege 15 secret 5 $1$1O79$nIJGrBD9hCpDqheT3mDsC1
username VPNuser secret 5 $1$nPz8$Cni5jyIWv9zlKAU3B5no9.
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key *Key* address *External VPN IP Address*
crypto isakmp client configuration group VPN_Users
key *Key*
pool *VPN_pool*
acl 102
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map SDM_CMAP_1 1 ipsec-isakmp
description Tunnel to *External VPN IP Address*
set peer *External VPN IP Address*
set transform-set ESP-3DES-SHA
match address 103
archive
log config
hidekeys
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
class-map type inspect match-any SDM_BOOTPC
match access-group name SDM_BOOTPC
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
match access-group 105
class-map type inspect match-any SDM_DHCP_CLIENT_PT
match class-map SDM_BOOTPC
class-map type inspect match-all CCP_SSLVPN
match access-group name CCP_IP
class-map type inspect match-any SDM_AH
match access-group name SDM_AH
class-map type inspect match-any SDM_WEBVPN
match access-group name SDM_WEBVPN
class-map type inspect match-all SDM_WEBVPN_TRAFFIC
match class-map SDM_WEBVPN
match access-group 101
class-map type inspect match-any sdm-cls-bootps
match protocol bootps
class-map type inspect match-any SDM_ESP
match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
match protocol isakmp
match protocol ipsec-msft
match class-map SDM_AH
match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
match access-group 104
match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
match protocol cuseeme
match protocol dns
match protocol ftp
match protocol h323
match protocol https
match protocol icmp
match protocol imap
match protocol pop3
match protocol netshow
match protocol shell
match protocol realmedia
match protocol rtsp
match protocol smtp extended
match protocol sql-net
match protocol streamworks
match protocol tftp
match protocol vdolive
match protocol tcp
match protocol udp
class-map type inspect match-all ccp-insp-traffic
match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
match protocol icmp
class-map type inspect match-all VNC_CLASS
match access-group name VNC
class-map type inspect match-all ccp-icmp-access
match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-invalid-src
match access-group 100
class-map type inspect match-all ccp-protocol-http
match protocol http
policy-map type inspect ccp-permit-icmpreply
class type inspect sdm-cls-bootps
pass
class type inspect ccp-icmp-access
inspect
class class-default
pass
policy-map type inspect VNC_POLICY
class type inspect VNC_CLASS
inspect
policy-map type inspect ccp-sslvpn-pol
class type inspect CCP_SSLVPN
pass
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect sdm-pol-VPNOutsideToInside-1
class type inspect sdm-cls-VPNOutsideToInside-1
inspect
class class-default
drop
policy-map type inspect ccp-inspect
class type inspect ccp-invalid-src
drop log
class type inspect ccp-protocol-http
inspect
class type inspect ccp-insp-traffic
inspect
class class-default
drop
policy-map type inspect ccp-permit
class type inspect SDM_VPN_PT
pass
class type inspect SDM_WEBVPN_TRAFFIC
inspect
class type inspect SDM_DHCP_CLIENT_PT
pass
class class-default
drop
policy-map type inspect VNC-POLICY
class type inspect VNC_CLASS
inspect
zone security out-zone
zone security in-zone
zone security sslvpn-zone
zone-pair security ccp-zp-self-out source self destination out-zone
service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
service-policy type inspect ccp-permit
zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
service-policy type inspect ccp-sslvpn-pol
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
service-policy type inspect sdm-pol-VPNOutsideToInside-1
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address dhcp client-id FastEthernet0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
zone-member security out-zone
duplex auto
speed auto
crypto map SDM_CMAP_1
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
shutdown
duplex auto
speed auto
interface FastEthernet2
interface FastEthernet3
interface FastEthernet4
interface FastEthernet5
interface FastEthernet6
interface FastEthernet7
interface FastEthernet8
interface FastEthernet9
interface Virtual-Template1
ip unnumbered FastEthernet0
zone-member security sslvpn-zone
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 10.11.101.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat inside
ip virtual-reassembly
zone-member security in-zone
ip tcp adjust-mss 1452
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
ip local pool *VPN_pool* 10.11.101.50 10.11.101.99
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip access-list extended CCP_IP
remark CCP_ACL Category=128
permit ip any any
ip access-list extended SDM_AH
remark CCP_ACL Category=1
permit ahp any any
ip access-list extended SDM_BOOTPC
remark CCP_ACL Category=0
permit udp any any eq bootpc
ip access-list extended SDM_ESP
remark CCP_ACL Category=1
permit esp any any
ip access-list extended SDM_WEBVPN
remark CCP_ACL Category=1
permit tcp any any eq 443
ip access-list extended VNC
permit tcp any host 10.11.101.10 eq 5950
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 10.11.101.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 101 remark CCP_ACL Category=128
access-list 101 permit ip any host 70.65.185.156
access-list 102 remark CCP_ACL Category=4
access-list 102 permit ip 10.11.101.0 0.0.0.255 any
access-list 103 remark CCP_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 104 remark CCP_ACL Category=128
access-list 104 permit ip host *External VPN IP Address* any
access-list 105 remark CCP_ACL Category=0
access-list 105 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
access-list 106 remark CCP_ACL Category=2
access-list 106 remark IPSec Rule
access-list 106 deny ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
access-list 106 permit ip 10.11.101.0 0.0.0.255 any
no cdp run
route-map SDM_RMAP_1 permit 1
match ip address 106
control-plane
banner exec ^C
% Password expiration warning.
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
username privilege 15 secret 0
Replace and with the username and password you want to
use.
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
scheduler interval 500
webvpn gateway gateway_1
ip address *External IP Address* port 443
http-redirect port 80
ssl trustpoint TP-self-signed-1097866965
inservice
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179-anyconnect.pkg sequence 1
webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 2
webvpn context *VPN_pool*
secondary-color white
title-color #CCCC66
text-color black
ssl authenticate verify all
policy group policy_1
functions svc-enabled
svc address-pool "*VPN_pool*"
svc keep-client-installed
virtual-template 1
default-group-policy policy_1
aaa authentication list ciscocp_vpn_xauth_ml_1
gateway gateway_1
inservice
end
-
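Reading the running config above as a whole explains why the static NAT line alone did not open the port: the router runs a zone-based firewall, the only zone-pair from out-zone to in-zone (sdm-zp-VPNOutsideToInside-1) applies sdm-pol-VPNOutsideToInside-1, which inspects just the site-to-site class and drops class-default, while the two policy-maps that do reference VNC_CLASS (VNC_POLICY and VNC-POLICY) are attached to no zone-pair at all. The script below is an added example (not the poster's code and not a Cisco tool): a small audit that parses an IOS config for policy-maps, zone-pairs and static TCP forwards and reports which policy actually governs outside-to-inside traffic and where the VNC class ended up. The config excerpt is constructed from the lines in the post; all names are the post's.

```python
import re

# Constructed excerpt: the class/policy/zone-pair/NAT lines that matter,
# shaped like the running config posted above.
SAMPLE_CONFIG = """
class-map type inspect match-all VNC_CLASS
 match access-group name VNC
policy-map type inspect VNC_POLICY
 class type inspect VNC_CLASS
  inspect
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class class-default
  drop
policy-map type inspect ccp-inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
  drop
policy-map type inspect VNC-POLICY
 class type inspect VNC_CLASS
  inspect
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
interface FastEthernet0
 zone-member security out-zone
ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950
"""

POLICY_RE = re.compile(r"^policy-map type inspect (\S+)$")
PAIR_RE = re.compile(r"^zone-pair security (\S+) source (\S+) destination (\S+)$")
CLASS_RE = re.compile(r"^class (?:type inspect )?(\S+)$")
ATTACH_RE = re.compile(r"^service-policy type inspect (\S+)$")
NAT_RE = re.compile(r"^ip nat inside source static tcp (\S+) (\d+) interface (\S+) (\d+)$")
ACTIONS = {"inspect", "pass", "drop", "drop log"}


def parse_zbf(config_text):
    """Collect policy-maps (class -> action), zone-pairs (-> attached policy) and
    static TCP forwards. Indentation is ignored so flattened pastes parse too;
    any other top-level command ends the current policy-map/zone-pair context."""
    policies, pairs, nats = {}, {}, []
    ctx = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = POLICY_RE.match(line)
        if m:
            ctx = ("policy", m.group(1))
            policies[m.group(1)] = []
            continue
        m = PAIR_RE.match(line)
        if m:
            ctx = ("pair", m.group(1))
            pairs[m.group(1)] = {"source": m.group(2), "destination": m.group(3), "policy": None}
            continue
        m = NAT_RE.match(line)
        if m:
            nats.append((m.group(1), int(m.group(2)), m.group(3), int(m.group(4))))
            ctx = None
            continue
        if ctx and ctx[0] == "policy":
            m = CLASS_RE.match(line)
            if m:
                policies[ctx[1]].append([m.group(1), None])
                continue
            if line in ACTIONS and policies[ctx[1]]:
                policies[ctx[1]][-1][1] = line  # action belongs to the last class seen
                continue
        if ctx and ctx[0] == "pair":
            m = ATTACH_RE.match(line)
            if m:
                pairs[ctx[1]]["policy"] = m.group(1)
                continue
        ctx = None
    return policies, pairs, nats


def policy_for(pairs, source, destination):
    for p in pairs.values():
        if p["source"] == source and p["destination"] == destination:
            return p["policy"]
    return None


def class_action(policies, policy, cls):
    for name, action in policies.get(policy, []):
        if name == cls:
            return action
    return None


def unattached_policies(policies, pairs):
    attached = {p["policy"] for p in pairs.values()}
    return sorted(set(policies) - attached)


def audit_port_forward(config_text, outside, inside, cls):
    """Does the zone-pair that governs outside->inside traffic reference the
    class meant for the forwarded port, and which policy-maps are orphaned?"""
    policies, pairs, nats = parse_zbf(config_text)
    policy = policy_for(pairs, outside, inside)
    return {
        "static_nats": nats,
        "zone_pair_policy": policy,
        "class_action": class_action(policies, policy, cls),
        "default_action": class_action(policies, policy, "class-default"),
        "unattached_policies": unattached_policies(policies, pairs),
    }


if __name__ == "__main__":
    for key, val in audit_port_forward(SAMPLE_CONFIG, "out-zone", "in-zone", "VNC_CLASS").items():
        print(f"{key}: {val}")
```

On the posted config the audit reports the NAT entry present, sdm-pol-VPNOutsideToInside-1 on the out-zone to in-zone pair with no VNC_CLASS entry and a default action of drop, and both VNC policy-maps unattached. The defensible fix is to put `class type inspect VNC_CLASS` with `inspect` into the policy-map that is actually attached to that zone-pair rather than to add more unattached policy-maps; the VNC access list already matches the inside address, which is the right form since destination NAT is applied before the out-to-in policy is evaluated.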
Is it possible to purchase replacement Flash Card that came with the Cisco 1811 Router?
I am in desperate need of a replacement Flash card that came included with the Cisco 1811 Router. I purchased the router used and it was working perfectly. I worked my way through all the information provided at cisco.com and had it pretty much configured the way I wanted it. Until the flash card got destroyed. A little embarrassed to go into details how it was destroyed, let's just say my Grandson gave it a bath.
It would be great if I could just purchase a replacement somehow with the IOS and SDM on it without purchasing a Cisco Service Agreement, etc. I purchased the router just to further my "Self Education". I have pretty much conquered all the aspects of the Cisco routers, etc. more or less developed for the Home Office user and moved on to bigger and better things. Since I was able to find a Cisco 1811 in good working condition very inexpensively I decided to go for it.
Help from anyone would sure be appreciated.
“Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.”
- Routers ----> Network Infrastructure Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Network_Infrastructure_discussion -
Cisco 1811 V.92 modem interface connected to NOKIA 32 PBX
the picture is:
We have a NOKIA 32 PBX device connected to the V.92 modem interface of a cisco 1811 fixed.
We are following the documentation for the configuration of remote management with v.92 analog modem for the configuration.
So far no good result on our aim to be able to connect to the Cisco remotely over the modem; we would like to dial in to the Cisco through the NOKIA 32 PBX.
Did someone ever try a configuration like that?
thanks
ljs
So far no luck, we are still working on it.
We were wondering if someone ever tried a configuration like that and made it work.
thanks -
How to setup an IPSec VPN Tunnel Cisco 2320 Vs RVS4000
Hello all.
This forum has always helped me in all my investigations about VPN and now I'm gonna help everyone with this post.
I have successfully configured an IPSec VPN Tunnel by using a Router Scientific Atlanta Cisco 2320 and a RVS4000 4-Port Gigabit Security Router with VPN.
On the site of Router Scientific Atlanta Cisco 2320 this is some info:
WAN IP: A.A.A.A
Router Local IP: 192.168.5.1
Subnet: 192.168.5.X
Subnet Mask: 255.255.255.0
On the site of RVS4000 4-Port Gigabit Security Router with VPN this is some info:
WAN IP: B.B.B.B
Router Local IP: 192.168.0.10
Subnet: 192.168.0.X
Subnet Mask: 255.255.255.0
Remember that you can not be on the same range of IP, I mean, you can not have 192.168.0.X if the remote network is on 192.168.0.X, you have to change some of the Routers.
I show the configuration on Router Scientific Atlanta Cisco 2320:
I show the configuration on RVS4000 4-Port Gigabit Security Router with VPN:
If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with VPN the Status Up:
As you can see, I'm connected to the remote Router (RVS4000 4-Port Gigabit Security Router with VPN) from my own web browser, accessing it by the local IP 192.168.0.10
I have used Authentication MD5, maybe it is not the best one but I had no time to test SHA1; I will when I have time.
I wish that this help to anyone that need to do this.
Best regards!
Hey,
Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
Regards,
Prapanch -
Hello all,
I came across something when I was troubleshooting IPSEC VPN connections between two Cisco IAD 2431s. Here is a snapshot of the config on one of the routers:
crypto map vpnmap 6 ipsec-isakmp
description To_Grovecity
set peer X.X.X.X
set transform-set vpnset
match address To_Grovecity
crypto map vpnmap 10 ipsec-isakmp
description To_Datacenter
set peer Y.Y.Y.Y
set transform-set vpnset
match address To_Datacenter
qos pre-classify
ip access-list extended To_Grovecity
permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
ip access-list extended To_Datacenter
permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255
From this router's LAN interface (10.24.96.1), I couldn't ping the router's LAN interface corresponding to the Grovecity peer, which is X.X.X.X. The LAN interface at Grovecity is 10.80.103.3
As soon as I removed the statement " permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255" which was unnecessarily present in the To_Datacenter ACL, things started working.
What confuses me is that since the crypto map vpnmap for Grovecity is at sequence 6 and is before the vpnmap for Datacenter, the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255" under the To_Datacenter ACL would never be considered and it wouldn't matter if that statement is present in the ACL or not, but apparently it does. Has anyone faced this before or am I missing something?
Thanks
Mukundh
Hi,
In order to successfully build a SA, the L2L peers need to exchange the same exact ACE (mirror of each other) along with other parameters like the transform-set, PFS group (if configured)...
Otherwise Phase II does not come up.
Thanks.
Portu.
Please rate any helpful posts. -
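Two checks follow from the exchange above: Mukundh's fix was to remove a traffic selector that two crypto-map entries both claimed, and Portu's point is that each peer's crypto ACL must be the mirror image of the other's. The script below is an added example (not from either poster and not a Cisco tool) that parses the posted crypto-map and ACL lines and performs both checks: it flags any source/destination pair of a later sequence number that overlaps an ACE of an earlier one, and it prints the mirrored ACEs the far end would need for a given ACL. The config excerpt is constructed from the lines in the post, with the peer addresses left as the post's placeholders.

```python
import ipaddress
import re

# Constructed excerpt of the crypto map and ACLs quoted in the post above.
SAMPLE_CONFIG = """
crypto map vpnmap 6 ipsec-isakmp
 description To_Grovecity
 set peer X.X.X.X
 match address To_Grovecity
crypto map vpnmap 10 ipsec-isakmp
 description To_Datacenter
 set peer Y.Y.Y.Y
 match address To_Datacenter
ip access-list extended To_Grovecity
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
ip access-list extended To_Datacenter
 permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
 permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255
"""

CRYPTO_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
ACL_RE = re.compile(r"^ip access-list extended (\S+)$")
MATCH_RE = re.compile(r"^match address (\S+)$")
PERMIT_RE = re.compile(r"^permit ip (.+)$")


def _take_net(tokens):
    """Consume one IOS address spec: 'any', 'host A', or 'A WILDCARD'.
    The wildcard is inverted into a netmask explicitly, because ipaddress
    would read a wildcard of 0.0.0.0 as a /0 netmask rather than a host."""
    kw = tokens.pop(0)
    if kw == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kw == "host":
        return ipaddress.ip_network(f"{tokens.pop(0)}/32")
    wildcard = int(ipaddress.IPv4Address(tokens.pop(0)))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard)
    # raises ValueError for non-contiguous wildcards, which crypto ACLs should not use
    return ipaddress.ip_network(f"{kw}/{netmask}", strict=False)


def parse_crypto(config_text):
    """Return ({acl name: [(src, dst), ...]}, [(seq, acl name), ...] sorted by seq)."""
    acls, entries, ctx = {}, [], None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = CRYPTO_RE.match(line)
        if m:
            ctx = ("map", int(m.group(2)))
            continue
        m = ACL_RE.match(line)
        if m:
            ctx = ("acl", m.group(1))
            acls[m.group(1)] = []
            continue
        if ctx and ctx[0] == "map":
            m = MATCH_RE.match(line)
            if m:
                entries.append((ctx[1], m.group(1)))
        elif ctx and ctx[0] == "acl":
            m = PERMIT_RE.match(line)
            if m:
                toks = m.group(1).split()
                acls[ctx[1]].append((_take_net(toks), _take_net(toks)))
    entries.sort()
    return acls, entries


def overlapping_selectors(acls, entries):
    """ACEs of a later crypto-map entry whose src/dst overlaps an ACE of an
    earlier entry: two SAs would be claiming the same traffic."""
    hits = []
    for i, (seq, acl) in enumerate(entries):
        for src, dst in acls.get(acl, []):
            for pseq, pacl in entries[:i]:
                for psrc, pdst in acls.get(pacl, []):
                    if src.overlaps(psrc) and dst.overlaps(pdst):
                        hits.append({"seq": seq, "acl": acl, "ace": f"{src} -> {dst}",
                                     "earlier_seq": pseq, "earlier_acl": pacl})
    return hits


def mirrored(acls, name):
    """The ACEs the remote peer must carry for this ACL (src and dst swapped)."""
    return [f"permit ip {dst.network_address} {dst.hostmask} {src.network_address} {src.hostmask}"
            for src, dst in acls[name]]


if __name__ == "__main__":
    acls, entries = parse_crypto(SAMPLE_CONFIG)
    for hit in overlapping_selectors(acls, entries):
        print(f"seq {hit['seq']} ({hit['acl']}): {hit['ace']} also matched by "
              f"seq {hit['earlier_seq']} ({hit['earlier_acl']})")
    print("peer side of To_Grovecity:", *mirrored(acls, "To_Grovecity"), sep="\n  ")
```

On the posted config the only hit is the 10.24.96.0/24 to 10.80.103.0/24 ACE in To_Datacenter (sequence 10), which is the line Mukundh removed. Running the overlap check before a crypto map is deployed avoids having to discover the duplicate from a failed ping.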
Hi!
I'm now setting up a new wireless connection with an 1811 and it's not possible to get the VLAN and the FastEthernet to see each other... I already made a kind of bridge and still not working!!!
Does someone know what could happen or where I can find information about this device... I think it is outdated but I am not sure....
Thanks, and this is my first time in this new community and congratulations for it....
“Thank you for your question. This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product. Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.”
-
IPT over IPSEC lines with cisco 2821
We are implementing a IPSEC VPN Connection over leased lines using cisco 2821 without AIM-VPN Hardware accelerators.
The line is 2 Mbps and should also carry IP telephony traffic (4-5 conversations). Will we have problems mastering the jitter? Since the traffic is divided into small packets, is the 2821 able to handle it accordingly?
Thanks and bye Giorgio
Giorgio,
You should be fine with this configuration. Running voice and video over VPN is certainly a viable solution. It is commonly known as V3PN. Take a look at the V3PN SRND below for best practices, planning, and design tips. As mentioned in this document, IPSEC adds a trivial amount of delay (2 - 5 msec.) to voice deployments.
V3PN SRND
http://www.cisco.com/application/pdf/en/us/guest/netsol/ns241/c649/ccmigration_09186a00801ea79c.pdf
Hope this helps. If so, please rate the post.
Brandon -
I have two Cisco RV220W's. FTP over my VPN is so slow that I have to slow down the FTP transfer to about 10kbps in order to keep the transfer steady. Trying to move TB's of information at that speed is not reasonable. What will resolve this issue?
Also, if the IP Helper command is used to relay DHCP request to the root bridge side router.....
will the VLAN settings (trunks) on non-root bridge side router work ok since I will need to remove the DHCP pools configured there...... Or is it a better idea to keep it there and just exclude addressees that are available to the other side, and vice versa???
I say this because the non-root bridge is also going to serve wireless clients as well, and has VLANs set up on it, so I'm guessing the non-root bridge side router needs the DHCP pools for both VLANs intact for the VLANs to operate correctly.
Please give me your insight on this.... -
Cisco 1921 replacing Cisco 1811
We're putting a 1921 in a remote data center to replace an 1811, but we can't find out for certain if we need to order new rack mount ears. It seems like we can use the ears from the 1811 on the 1921, but can't confirm anything.
Does anyone know if this is true?
I managed to get my hands on an 1811 to compare to the 1921. The 1921 is slightly wider, but all the holes match up.
The 1811 uses part# ACS-1800-RM-19 and the 1921 used ACS-1900-RM-19
You are thinking a 1900 switch, they are a full 19" wide so they would fit properly into a rack. -
Cannot telnet between machines behind cisco 1811
I have 2 separate exchange servers for 2 separate exchange organizations on
the same private network.
-One has an ip of 192.168.0.2
-Two has an ip of 192.168.0.3
The network is protected by a 1811 router/firewall and each server has their own
public IP.
I can telnet between these machines using their private IPs, but not using their public IPs?
Here is the show run (attached):
Thanks for your help
No problem.
Here it is.
I don't have access to equipment to test at this time. I am just typing it in. Excuse me if there's problems with my syntax as it's 11:40pm over here in US and I am about to call it quit for the day.
int lo0
ip add x.x.x.x y.y.y.y
int vlan1
ip policy route-map test
route-map test permit 10
match ip address 150
set int lo0
route-map test permit 15
match ip address 151
set int lo0
access-list 150 permit tcp host x.y.z.230 host x.y.z.231 eq smtp
access-list 151 permit tcp host x.y.z.231 host x.y.z.230 eq smtp
Let me know if you had any questions.
HTH,
Sundar -
GRE IPSec between Cisco 2811 and FortiGate 110C
Hello,
Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?
Hi,
You can configure the GRE tunnel on the 2811.
I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()
Federico. -
Unable to access satellite offices with Cisco VPN client
There are 4 sites:
Main office - 192.168.0.x/24
Sat office1 - 10.0.0.x/24
Sat Office2 - 10.0.1.x/24
Sat Office3 - 10.0.2.x/24
All 4 offices are connected via MPLS using other Cisco routers from the telcom co. The user VPN endpoint is at the main office. (Cisco 1811)
We can make the VPN connection with the Cisco VPN client and browse the 192 network all day long. We cannot access any of the other subnets over the VPN connection. Browsing the other subnets while physically at the main office is fine. This DID work in the past. Something changed that I cannot pinpoint, any ideas?
Scope for the VPN endusers is 10.100.100.x/24
Cisco VPN Client versions 4.x and 5.x (both affected)
Thanks in advance
Ken
It is good to know that it did work in the past and then stopped working. That indicates that something changed. Is it possible that a software upgrade has been done and that the change in behavior is reflecting a different version of IOS? (I suspect that it is possible but not so likely - but we need to ask.)
My guess is either that there was some change in the routing logic or that the access lists which indicate what traffic is to be protected by the VPN used to include remote to remote but has been changed for some reason.
Could you post the configuration of the main office 1811?
Another question that occurs to me is whether the main office 1811 is directly connected to the Internet or does it go through some firewall? If it goes through some firewall, is it possible that there has been some change in the firewall rules that is denying the remote to remote traffic?
HTH
Rick -
Cisco 28xx easy vpn server & MS NPS (RADIUS server)
Hello.
There is a LAN (192.168.11.0/24) with a Cisco 2821 border router (192.168.11.1) on which an Easy VPN Server is configured with local authorization of remote users, who connect with Cisco VPN Client v5.0. Everything works. The same LAN has an MS Windows Server 2012 Essentials acting as the AD DC.
It became necessary to move authorization of remote users to a RADIUS server. I want to use MS Network Policy Server (NPS) 2012 Essentials (192.168.11.9) as the RADIUS server.
On the server the corresponding policy has been set up, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created, and a Network Policy has been configured. In AD a group VPN-USERS has been created, to which, besides the remote users, a service user EasyVPN with the password "cisco" has been added.
Below is an excerpt from the Cisco 2821 config:
aaa new-model
aaa authentication login rausrs local
aaa authentication login VPN-XAUTH group radius
aaa authorization network ragrps local
aaa authorization network VPN-GROUP local
aaa session-id common
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 2
crypto isakmp client configuration address-pool local RAPOOL
crypto isakmp client configuration group ra1grp
key key-for-remote-access
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp client configuration group EasyVPN
key qwerty123456
domain domain.local
pool RAPOOL
acl split-acl
split-dns 192.168.11.9
crypto isakmp profile RA-profile
description profile for remote access VPN
match identity group ra1grp
client authentication list rausrs
isakmp authorization list ragrps
client configuration address respond
crypto isakmp profile VPN-IKMP-PROFILE
description profile for remote access VPN via RADIUS
match identity group EasyVPN
client authentication list VPN-XAUTH
isakmp authorization list VPN-GROUP
client configuration address respond
crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
crypto dynamic-map dyn-cmap 100
set transform-set tset1
set isakmp-profile RA-profile
reverse-route
crypto dynamic-map dyn-cmap 101
set transform-set tset1
set isakmp-profile VPN-IKMP-PROFILE
reverse-route
crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
int Gi0/1
description -- to WAN --
crypto map stat-cmap
As a result, the following error appears on the Cisco (highlighted in bold):
RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
RADIUS: AAA Unsupported Attr: interface [157] 14
RADIUS: 31 39 34 2E 38 38 2E 31 33 39 2E 31 [194.88.139.1]
RADIUS(000089E0): Config NAS IP: 192.168.11.1
RADIUS/ENCODE(000089E0): acct_session_id: 35296
RADIUS(000089E0): sending
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
RADIUS: authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
RADIUS(000089E0): Received from id 1645/61
MS NAS reports error 6273:
Сервер сетевых политик отказал пользователю в доступе.
За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
Пользователь:
ИД безопасности: domain\VladimirK
Имя учетной записи: VladimirK
Домен учетной записи: domain
Полное имя учетной записи: domain.local/Users/VladimirK
Компьютер клиента:
ИД безопасности: NULL SID
Имя учетной записи: -
Полное имя учетной записи: -
Версия ОС: -
Идентификатор вызываемой станции: -
Идентификатор вызывающей станции: aaa.bbb.ccc.137
NAS:
Адрес IPv4 NAS: 192.168.11.1
Адрес IPv6 NAS: -
Идентификатор NAS: -
Тип порта NAS: Виртуальная
Порт NAS: 0
RADIUS-клиент:
Понятное имя клиента: Cisco2821
IP-адрес клиента: 192.168.11.1
Сведения о проверке подлинности:
Имя политики запроса на подключение: Использовать проверку подлинности Windows для всех пользователей
Имя сетевой политики: Подключения к другим серверам доступа
Поставщик проверки подлинности: Windows
Сервер проверки подлинности: DC01.domain.local
Тип проверки подлинности: PAP
Тип EAP: -
Идентификатор сеанса учетной записи: -
Результаты входа в систему: Сведения об учетных данных были записаны в локальный файл журнала.
Код причины: 66
Причина: Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
Playing with Cisco AV pairs and other Network Policy settings on the RADIUS server gives the same result.
Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication" (Document ID: 21060) gave no answer.
If anyone has done something like this, please point me in a direction to look for a solution.
Going through your post, I could see that RADIUS is sending Access-Reject because the RADIUS Access-Request is sending a VPN group name in the User-Name field. I was in a discussion of the same problem a few days before, and that got resolved by making 2 changes:
replace the authorization from RADIUS to local
and
change the encryption type in the transform set
However, your configuration already has those changes.
Here you can check the same: https://supportforums.cisco.com/thread/2226065
Could you please tell me what exactly the RADIUS server is complaining about? Can you please paste the error you're getting on the RADIUS server.
~BR
Jatin Katyal
**Do rate helpful posts** -
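The debug output quoted in the question and the diagnosis in this reply, as an added example that is not code from the thread: a small Python parser for Cisco `debug radius` lines that rebuilds the Access-Request/Access-Reject pair and flags the case where User-Name carries an IKE group name with Service-Type Outbound, i.e. the router is doing group authorization against RADIUS before any user has been authenticated. The sample trace is copied from the post; the set of group names, the NPS reason table (only code 66, as quoted in the post) and the `aaa authorization network ... local` remediation wording are assumptions of this example.

```python
"""Triage helper for Cisco IOS `debug radius` output (added example, not from the thread)."""
import re
from dataclasses import dataclass, field

# Constructed sample trace: the Access-Request / Access-Reject pair quoted in the post.
SAMPLE_DEBUG = """\
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS: authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
RADIUS: User-Name [1] 9 "EasyVPN"
RADIUS: User-Password [2] 18 *
RADIUS: Calling-Station-Id [31] 16 "aaa.bbb.ccc.137"
RADIUS: NAS-Port-Type [61] 6 Virtual [5]
RADIUS: NAS-Port [5] 6 1
RADIUS: NAS-Port-Id [87] 16 "aaa.bbb.ccc.136"
RADIUS: Service-Type [6] 6 Outbound [5]
RADIUS: NAS-IP-Address [4] 6 192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
"""

# Assumed: the group names configured with `crypto isakmp client configuration group`.
VPN_GROUPS = {"EasyVPN", "ra1grp"}

# NPS reason codes as reported in event 6273; only the code quoted in the post is listed.
NPS_REASONS = {
    66: "the user attempted an authentication method that is not enabled in the matching network policy",
}

SEND_RE = re.compile(r"RADIUS\((\w+)\): Send Access-Request to (\S+) id (\S+), len \d+")
ATTR_RE = re.compile(r"RADIUS: ([\w-]+) \[(\d+)\] (\d+) (.*)")
RECV_RE = re.compile(r"RADIUS: Received from id (\S+) (\S+), (Access-\w+), len \d+")


@dataclass
class RadiusExchange:
    session: str
    server: str
    request_id: str
    attrs: dict = field(default_factory=dict)  # attribute name -> decoded value
    reply: str = ""                             # "Access-Accept", "Access-Reject", ...


def parse_debug_radius(text):
    """Group the attribute lines of a `debug radius` trace under their Access-Request."""
    exchanges, current = [], None
    for line in text.splitlines():
        m = SEND_RE.match(line)
        if m:
            current = RadiusExchange(session=m.group(1), server=m.group(2), request_id=m.group(3))
            exchanges.append(current)
            continue
        if current is None:
            continue
        m = ATTR_RE.match(line)
        if m:
            # Strip the quotes IOS puts around string attributes; enum values keep their "[n]".
            current.attrs[m.group(1)] = m.group(4).strip().strip('"')
            continue
        m = RECV_RE.match(line)
        if m and m.group(1) == current.request_id:
            current.reply = m.group(3)
    return exchanges


def diagnose(ex, vpn_groups=VPN_GROUPS, nps_reason=None):
    """Explain why an exchange was rejected; returns a list of finding strings."""
    findings = []
    user = ex.attrs.get("User-Name", "")
    service = ex.attrs.get("Service-Type", "")
    if user in vpn_groups and service.startswith("Outbound"):
        findings.append(
            f"group lookup: User-Name {user!r} is an IKE group name, not a user; "
            "the router is authorizing the group via RADIUS before XAUTH has run")
        if ex.reply == "Access-Reject":
            findings.append(
                "the reject happens at group lookup, so no user credential was checked; "
                "keep group authorization on the router (assumed fix: `aaa authorization network <list> local`)")
    elif ex.reply == "Access-Reject":
        findings.append(f"user {user!r} rejected by {ex.server}")
    if nps_reason in NPS_REASONS:
        findings.append(f"NPS reason {nps_reason}: {NPS_REASONS[nps_reason]}")
    return findings


if __name__ == "__main__":
    for ex in parse_debug_radius(SAMPLE_DEBUG):
        print(f"{ex.session}: {ex.reply} from {ex.server}")
        for finding in diagnose(ex, nps_reason=66):
            print("  -", finding)
```

The useful signal is the combination User-Name equals a group name plus Service-Type Outbound: that request is the router's own group lookup, so the NPS policy that rejects it is being matched against a "user" that does not exist in the domain, which is exactly the reply's point about the group name in the User-Name field.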
Best solution for managing 50 remote sites via cisco vpn
At the moment my support organisation uses the Cisco VPN client on their Windows PCs to provide remote support to our customers. I want to know if there is a solution from Cisco that would support nailing up the 30 connections all the time without having to use clients on individual PCs. I know there will be issues because some of the sites will have conflicting LAN IP address ranges. We would like to offer improved support to our customers, for example using Nagios to monitor their servers, but this is not possible if the VPN connection is not nailed up.
Please help with the best solution.
An L2L VPN solution is suitable for your scenario; depending on your traffic load for each site you would have to do an assessment on that. Any ASA 5510 or higher in an active/standby architecture with stateful failover can surely do the job. As for conflicting LAN IPs, there are ways to work around that by using NAT or policy NAT.
ASA product line
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
Perhaps for monitoring/managing IPsec tunnels: CSM (Cisco Security Manager)
http://www.cisco.com/en/US/products/ps6498/index.html
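The overlapping-LAN problem raised in the question and the NAT workaround suggested in the reply, as an added example that is not from the thread: a Python planning check that lists which remote sites' LAN prefixes collide and assigns each colliding site a unique translated prefix of the same size from a NAT pool, which is the range a hub would translate that site to with policy NAT. The site inventory, the hub LAN and the 172.16.0.0/16 pool are constructed values for this example, not the poster's network.

```python
"""Overlap check and NAT planning for hub-and-spoke site-to-site VPNs (added example)."""
import ipaddress

# Constructed inventory, not real sites: remote-site name -> LAN prefix behind that site.
SITES = {
    "site-a": "192.168.1.0/24",
    "site-b": "192.168.1.0/24",    # same range as site-a
    "site-c": "10.10.0.0/24",
    "site-d": "192.168.1.128/25",  # sits inside site-a's and site-b's range
}
HUB_LAN = "192.168.0.0/24"         # assumed LAN behind the support organisation's hub


def find_overlaps(sites):
    """Return (site1, site2) pairs whose LAN prefixes overlap, in sorted order."""
    nets = {name: ipaddress.ip_network(prefix) for name, prefix in sites.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def plan_nat(sites, hub_lan=HUB_LAN, pool="172.16.0.0/16"):
    """Give every site a prefix that is unique as seen from the hub.

    A site keeps its real prefix when it clashes with neither the hub LAN nor a
    site already placed; otherwise it gets the first free block of the same size
    from `pool`, which is the range the hub would translate it to with policy NAT.
    """
    hub = ipaddress.ip_network(hub_lan)
    pool_net = ipaddress.ip_network(pool)
    used, plan = [hub], {}
    for name in sorted(sites):
        lan = ipaddress.ip_network(sites[name])
        if not any(lan.overlaps(u) for u in used):
            plan[name] = str(lan)       # reachable as-is, no translation needed
            used.append(lan)
            continue
        for cand in pool_net.subnets(new_prefix=lan.prefixlen):
            if not any(cand.overlaps(u) for u in used):
                plan[name] = str(cand)  # translated prefix for this site
                used.append(cand)
                break
        else:
            raise ValueError(f"NAT pool {pool} exhausted while placing {name}")
    return plan


if __name__ == "__main__":
    for a, b in find_overlaps(SITES):
        print(f"conflict: {a} ({SITES[a]}) overlaps {b} ({SITES[b]})")
    for site, prefix in plan_nat(SITES).items():
        print(f"{site}: {SITES[site]} -> {prefix}")
```

Running the check before bringing up 30 or 50 permanent tunnels is cheaper than discovering the overlap when a monitoring host at the hub suddenly reaches the wrong site's server; the translated prefixes are also what the monitoring system (Nagios in the question) would have to be pointed at.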