IPsec puzzle on Cisco 1811

I have a cage containing "V" (Windows XP) and "R/S" (Cisco 1811 Router+Switch). V needs to talk (via R/S) to a service on port 6910 of "P", which is outside the cage.
P talks IPsec for port 6910 traffic.
I am handcuffed: I cannot change the config of P or the config of V. So I need to use R/S to gateway the IPsec. I will be happy if R/S does IPsec for traffic to port 6910 at any address external to the cage.
Is this problem going to have a solution?
Your first question might be "what is the config at P?". I don't know how to answer that directly, but I have provided all the info about a Windows secpol that successfully talks to P, which should yield the P config, right?
For more complete problem description including beautiful diagrams and an equivalent security policy on Windows that I'm trying to mimic, please see http://sites.google.com/site/ipsecpuzzleoncisco1800/home
Thanks for any guidance.
John Ruckstuhl

Hi,
Thanks for the reply.
Yes I found that page and carried out the instructions, but still no joy. Here is an update on my learning process:
-I now know that the rommon prompt (which I got to using Ctrl-Break from within HyperTerminal on Windows XP connected to the console) is the system that causes the IOS system to boot. When I changed the confreg parameter from the rommon prompt, I neglected to note what my current confreg setting was, so I can't change it back (help here please). At the moment, the confreg setting is 0x142. What should it be to get this router back to the state where I started with it?
-In the flash filespace, I have a number of files, all dated Nov 22 of this year, which I'm assuming are what I need to get this back and going the way it was when I first powered it up. These files are:
c181x-advipservicesk9-mz.124-2.T2.bin
sdmconfig-1811-1812.cfg
sdm.tar
es.tar
common.tar
home.shtml
home.tar
128MB.sdf
At the moment, when I power-off and power-on the router, I'm prompted with the following question:
Would you like to enter the initial configuration dialog [yes/no]. I answer no. I'm imagining that I need to change the rommon confreg setting to avoid this message and continue with the boot process.
Can someone instruct me as to how this is done?
TIA
Charlie
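The register change asked about above, as an added example (not part of the original post). 0x2102 is the usual factory value on these routers; 0x142 differs from it in having bit 6 (0x40, "ignore NVRAM contents") set, which is why the router boots without its saved startup configuration and offers the initial configuration dialog. The file name sdmconfig-1811-1812.cfg is taken from the flash listing in the post; everything else below is standard IOS/ROMMON syntax.

```ios
! From ROMMON (reached with Ctrl-Break during boot): set the register
! back to the normal value and reboot.
rommon 1 > confreg 0x2102
rommon 2 > reset

! Or, once IOS is up, the same thing from privileged EXEC.
Router# configure terminal
Router(config)# config-register 0x2102
Router(config)# end
! Confirm: "show version" reports the current value and the value that
! will be used at the next reload.
Router# show version | include register

! Save whatever running config you want to keep before reloading, or,
! to return to the as-shipped SDM configuration, copy the factory
! default file from flash over the startup config first.
Router# copy flash:sdmconfig-1811-1812.cfg startup-config
Router# reload
```

The factory file sets up the default "cisco"/"cisco" one-time account that the banner in the next post refers to, so change that credential immediately after the reload.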

Similar Messages

  • Open a port on Cisco 1811

    This is probably a stupid question, but how do I open a port on a Cisco 1811? I have a Cisco 1811 and a computer that has VNC installed on it. I want to be able to access that computer from outside the network using the external IP address and port 5950. People outside the network will be able to open VNC Viewer and type in *external ip address*:5950 and it will be directed to the computer with a static internal IP address of 10.11.101.10. What commands do I use to do this?
    Thanks,

    That didn't work. Here is the new running config:
    Building configuration...
    Current configuration : 12519 bytes
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname *Host Name*
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging message-counter syslog
    logging buffered 51200
    logging console critical
    enable secret 5 $1$3R6c$adcoV0cvM5hTzxOoPBByc0
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa session-id common
    clock timezone PCTime -7
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-1097866965
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1097866965
    revocation-check none
    rsakeypair TP-self-signed-1097866965
    crypto pki certificate chain TP-self-signed-1097866965
    certificate self-signed 01
    30820256 308201BF A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31303937 38363639 3635301E 170D3131 30393039 31383130
    32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 30393738
    36363936 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100B1C3 0B9F3231 E9911C7A 7A84E566 F4530769 16830F32 4A61F775 12CDDB5C
    23227963 5A53E5C5 2C0E8945 640DB32C ACD17F1A 2C52EC96 7C274099 5D4BBD26
    6E7C4DA9 32C5162B 0A54D437 64B719B9 36904DDA 7B23FC3C E7763F5E BF651874
    1870462E FA0ABE9C 37918D53 2B5B13A7 4FADFC9E 1D8B0B64 141733A7 8DC61C03
    80E90203 010001A3 7E307C30 0F060355 1D130101 FF040530 030101FF 30290603
    551D1104 22302082 1E426F77 5F49736C 616E6453 43414441 2E796F75 72646F6D
    61696E2E 636F6D30 1F060355 1D230418 30168014 0AEF8942 249D4EF1 A18B1BA6
    389822CB 16CB4922 301D0603 551D0E04 1604140A EF894224 9D4EF1A1 8B1BA638
    9822CB16 CB492230 0D06092A 864886F7 0D010104 05000381 81008DC2 DFF3604C
    93BE4175 7078AC30 7391F8AF 4A15E116 C53D523E 12F6B5F4 15CA5635 C12576F7
    0D5D1A2A F330F781 459F3418 7E82FFBD 2679E17C CDF07A4F A257B599 E7CCC9C6
    38617B96 F2E66F0D 6BFBC000 524B377B 969D51BD 48A9BF8F 8C0220D4 BB249435
    08688D18 794CAFB3 1F74F2F9 4E0C0245 AEA8E55A 2AE758A0 36CC
                  quit
    dot11 syslog
    no ip source-route
    ip dhcp excluded-address 10.11.101.1 10.11.101.99
    ip dhcp pool ccp-pool1
       import all
       network 10.11.101.0 255.255.255.0
       default-router 10.11.101.1
    ip cef
    no ip bootp server
    no ip domain lookup
    ip domain name yourdomain.com
    ip inspect log drop-pkt
    no ipv6 cef
    multilink bundle-name authenticated
    username *UserName* privilege 15 secret 5 $1$1O79$nIJGrBD9hCpDqheT3mDsC1
    username VPNuser secret 5 $1$nPz8$Cni5jyIWv9zlKAU3B5no9.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key *Key* address *External VPN IP Address*
    crypto isakmp client configuration group VPN_Users
    key *Key*
    pool *VPN_pool*
    acl 102
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto map SDM_CMAP_1 1 ipsec-isakmp
    description Tunnel to *External VPN IP Address*
    set peer *External VPN IP Address*
    set transform-set ESP-3DES-SHA
    match address 103
    archive
    log config
    hidekeys
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
    match access-group 105
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-all CCP_SSLVPN
    match access-group name CCP_IP
    class-map type inspect match-any SDM_AH
    match access-group name SDM_AH
    class-map type inspect match-any SDM_WEBVPN
    match access-group name SDM_WEBVPN
    class-map type inspect match-all SDM_WEBVPN_TRAFFIC
    match class-map SDM_WEBVPN
    match access-group 101
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any SDM_ESP
    match access-group name SDM_ESP
    class-map type inspect match-any SDM_VPN_TRAFFIC
    match protocol isakmp
    match protocol ipsec-msft
    match class-map SDM_AH
    match class-map SDM_ESP
    class-map type inspect match-all SDM_VPN_PT
    match access-group 104
    match class-map SDM_VPN_TRAFFIC
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp extended
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    class-map type inspect match-all VNC_CLASS
    match access-group name VNC
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect sdm-cls-bootps
    pass
    class type inspect ccp-icmp-access
    inspect
    class class-default
    pass
    policy-map type inspect VNC_POLICY
    class type inspect VNC_CLASS
    inspect
    policy-map type inspect ccp-sslvpn-pol
    class type inspect CCP_SSLVPN
    pass
    class type inspect sdm-cls-VPNOutsideToInside-1
    inspect
    class class-default
    drop
    policy-map type inspect sdm-pol-VPNOutsideToInside-1
    class type inspect sdm-cls-VPNOutsideToInside-1
    inspect
    class class-default
    drop
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
    drop log
    class type inspect ccp-protocol-http
    inspect
    class type inspect ccp-insp-traffic
    inspect
    class class-default
    drop
    policy-map type inspect ccp-permit
    class type inspect SDM_VPN_PT
    pass
    class type inspect SDM_WEBVPN_TRAFFIC
    inspect
    class type inspect SDM_DHCP_CLIENT_PT
    pass
    class class-default
    drop
    policy-map type inspect VNC-POLICY
    class type inspect VNC_CLASS
    inspect
    zone security out-zone
    zone security in-zone
    zone security sslvpn-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security zp-out-zone-sslvpn-zone source out-zone destination sslvpn-zone
    service-policy type inspect ccp-sslvpn-pol
    zone-pair security zp-sslvpn-zone-out-zone source sslvpn-zone destination out-zone
    service-policy type inspect ccp-sslvpn-pol
    zone-pair security zp-in-zone-sslvpn-zone source in-zone destination sslvpn-zone
    service-policy type inspect ccp-sslvpn-pol
    zone-pair security zp-sslvpn-zone-in-zone source sslvpn-zone destination in-zone
    service-policy type inspect ccp-sslvpn-pol
    zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
    service-policy type inspect sdm-pol-VPNOutsideToInside-1
    interface FastEthernet0
    description $ES_WAN$$FW_OUTSIDE$
    ip address dhcp client-id FastEthernet0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    crypto map SDM_CMAP_1
    interface FastEthernet1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    shutdown
    duplex auto
    speed auto
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    interface FastEthernet5
    interface FastEthernet6
    interface FastEthernet7
    interface FastEthernet8
    interface FastEthernet9
    interface Virtual-Template1
    ip unnumbered FastEthernet0
    zone-member security sslvpn-zone
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
    ip address 10.11.101.1 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    encapsulation slip
    ip local pool *VPN_pool* 10.11.101.50 10.11.101.99
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
    ip access-list extended CCP_IP
    remark CCP_ACL Category=128
    permit ip any any
    ip access-list extended SDM_AH
    remark CCP_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    ip access-list extended SDM_ESP
    remark CCP_ACL Category=1
    permit esp any any
    ip access-list extended SDM_WEBVPN
    remark CCP_ACL Category=1
    permit tcp any any eq 443
    ip access-list extended VNC
    permit tcp any host 10.11.101.10 eq 5950
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 10.11.101.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 remark CCP_ACL Category=128
    access-list 101 permit ip any host 70.65.185.156
    access-list 102 remark CCP_ACL Category=4
    access-list 102 permit ip 10.11.101.0 0.0.0.255 any
    access-list 103 remark CCP_ACL Category=4
    access-list 103 remark IPSec Rule
    access-list 103 permit ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
    access-list 104 remark CCP_ACL Category=128
    access-list 104 permit ip host *External VPN IP Address* any
    access-list 105 remark CCP_ACL Category=0
    access-list 105 permit ip 10.11.100.0 0.0.0.255 10.11.101.0 0.0.0.255
    access-list 106 remark CCP_ACL Category=2
    access-list 106 remark IPSec Rule
    access-list 106 deny   ip 10.11.101.0 0.0.0.255 10.11.100.0 0.0.0.255
    access-list 106 permit ip 10.11.101.0 0.0.0.255 any
    no cdp run
    route-map SDM_RMAP_1 permit 1
    match ip address 106
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username privilege 15 secret 0
    Replace and with the username and password you want to
    use.
    ^C
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    transport output telnet
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    transport output telnet
    line vty 0 4
    transport input telnet ssh
    line vty 5 15
    transport input telnet ssh
    scheduler interval 500
    webvpn gateway gateway_1
    ip address *External IP Address* port 443
    http-redirect port 80
    ssl trustpoint TP-self-signed-1097866965
    inservice
    webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179-anyconnect.pkg sequence 1
    webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 2
    webvpn context *VPN_pool*
    secondary-color white
    title-color #CCCC66
    text-color black
    ssl authenticate verify all
    policy group policy_1
       functions svc-enabled
       svc address-pool "*VPN_pool*"
       svc keep-client-installed
    virtual-template 1
    default-group-policy policy_1
    aaa authentication list ciscocp_vpn_xauth_ml_1
    gateway gateway_1
    inservice
    end
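An added example, not the poster's own config. In the running config above, the static NAT entry (`ip nat inside source static tcp 10.11.101.10 5950 interface FastEthernet0 5950`) is present, and VNC_CLASS and VNC_POLICY are defined, but no zone-pair references VNC_POLICY. The only out-zone to in-zone pair, sdm-zp-VPNOutsideToInside-1, applies sdm-pol-VPNOutsideToInside-1, which inspects only access-list 105 (the site-to-site VPN subnet) and drops everything else, so the forwarded VNC connection is dropped by the zone-based firewall after NAT. One way to let it through is to attach the existing VNC_CLASS to that policy. For outside-to-inside traffic the zone-based firewall sees the packet after the static translation, so the ACL matches the inside address, as the CCP-generated VNC ACL already does.

```ios
! Added example (not from the original post). The static NAT and the
! VNC class already exist in the config above; what is missing is a
! zone-based firewall rule that admits the translated flow into in-zone.
!
! Narrow "any" to the known client addresses if at all possible: VNC
! authentication is weak and this exposes it to the whole Internet.
ip access-list extended VNC
 permit tcp any host 10.11.101.10 eq 5950
!
class-map type inspect match-all VNC_CLASS
 match access-group name VNC
!
! Attach the class to the policy already bound to the out-zone -> in-zone
! zone pair (sdm-zp-VPNOutsideToInside-1); class-default stays "drop".
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect VNC_CLASS
  inspect
!
! Verification: the NAT entry and the firewall sessions.
show ip nat translations | include 5950
show policy-map type inspect zone-pair sdm-zp-VPNOutsideToInside-1 sessions
```

The standalone VNC_POLICY and VNC-POLICY policy-maps in the posted config are never applied to a zone-pair and can be removed. Given that the router already runs an Easy VPN and WebVPN server, reaching the VNC host over one of those tunnels instead of a port forward avoids exposing VNC at all.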

  • Is it possible to purchase replacement Flash Card that came with the Cisco 1811 Router?

    I am in desperate need of a replacement Flash card that came included with the Cisco 1811 Router. I purchased the router used and it was working perfectly. I worked my way through all the information provided at cisco.com and had it pretty much configured the way I wanted it. Until the flash card got destroyed. A little embarrassed to go into details of how it was destroyed; let's just say my Grandson gave it a bath.
    It would be great if I could just purchase a replacement somehow with the IOS and SDM on it without purchasing a Cisco Service Agreement, etc. I purchased the router just to further my "Self Education". I have pretty much conquered all the aspects of the Cisco routers, etc. more or less developed for the Home Office user and moved on to bigger and better things. Since I was able to find a Cisco 1811 in good working condition very inexpensively I decided to go for it.
    Help from anyone would sure be appreciated.

    “Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main  This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.”
    - Routers ----> Network Infrastructure Forum http://forum.cisco.com/eforum/servlet/NetProf;jsessionid=E0EEC3D9CB4E5165ED16933737822748.SJ3A?page=Network_Infrastructure_discussion

  • Cisco 1811 V.92 modem interface connected to NOKIA 32 PBX

    the picture is:
    We have a NOKIA 32 PBX device connected to the V.92 modem interface of a cisco 1811 fixed.
    We are following the documentation for the configuration of remote management with v.92 analog modem for the configuration.
    So far no good result on our aim to be able to connect to the Cisco remotely over the modem; we would like to dial in to the Cisco through the NOKIA 32 PBX.
    Did someone ever try a configuration like that?
    thanks
    ljs

    So far no luck, we are still working on it.
    We were wondering if someone ever tried a configuration like that and made it work.
    thanks

  • How to setup an IPSec VPN Tunnel Cisco 2320 Vs RVS4000

    Hello all.
    This forum has always helped me in all my investigations about VPN and now I'm gonna help everyone with this post.
    I have successfully configured an IPSec VPN Tunnel by using a Router Scientific Atlanta Cisco 2320 and a RVS4000 4-Port Gigabit Security Router with VPN.
    On the site of Router Scientific Atlanta Cisco 2320 this is some info:
    WAN IP: A.A.A.A
    Router Local IP: 192.168.5.1
    Subnet: 192.168.5.X
    Subnet Mask: 255.255.255.0
    On the site of RVS4000 4-Port Gigabit Security Router with  VPN this is some info:
    WAN IP: B.B.B.B
    Router Local IP: 192.168.0.10
    Subnet: 192.168.0.X
    Subnet Mask: 255.255.255.0
    Remember that the two sites cannot be on the same IP range; I mean, you cannot have 192.168.0.X if the remote network is also on 192.168.0.X. You have to change one of the routers.
    I show the configuration on Router Scientific Atlanta Cisco 2320:
    I show the configuration on RVS4000 4-Port Gigabit Security Router with  VPN:
    If all is correctly configured, you should see on Router Scientific Atlanta Cisco 2320 the Status Connected:
    If all is correctly configured, you should see on RVS4000 4-Port Gigabit Security Router with  VPN the Status Up:
    As you can see, I'm connected to the remote router (RVS4000 4-Port Gigabit Security Router with VPN) from my own web browser, accessing it by the local IP 192.168.0.10.
    I have used Authentication MD5; maybe it is not the best one, but I had no time to test SHA1. I will when I have time.
    I wish that this help to anyone that need to do this.
    Best regards!

    Hey,
    Thanks a ton for posting this out here. I am sure it will be helpful for people trying this out.
    Regards,
    Prapanch

  • IPSEC issue in Cisco IAD 2431

    Hello all,
    I cam across something when i was troubleshooting IPSEC VPN connections between two Cisco IAD 2431s. Here is a snapshot of config on one of the routers:
    crypto map vpnmap 6 ipsec-isakmp
    description To_Grovecity
    set peer X.X.X.X
    set transform-set vpnset
    match address To_Grovecity
    crypto map vpnmap 10 ipsec-isakmp
    description To_Datacenter
    set peer Y.Y.Y.Y
    set transform-set vpnset
    match address To_Datacenter
    qos pre-classify
    ip access-list extended To_Grovecity
    permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
    ip access-list extended To_Datacenter
    permit ip 10.24.96.0 0.0.0.255 10.11.12.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 172.31.46.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 10.80.102.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 10.24.69.0 0.0.0.255
    permit ip 10.24.96.0 0.0.0.255 192.168.15.0 0.0.0.255
    From this router's LAN interface (10.24.96.1), I couldn't ping the LAN interface of the router corresponding to the Grovecity peer, which is x.x.x.x. The LAN interface at Grovecity is 10.80.103.3.
    As soon as I removed the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255", which was unnecessarily present in the To_Datacenter ACL, things started working.
    What confuses me is that since the crypto map vpnmap for Grovecity is at sequence 6 and is before the vpnmap for Datacenter, the statement "permit ip 10.24.96.0 0.0.0.255 10.80.103.0 0.0.0.255" under the To_Datacenter ACL would never be considered, and it shouldn't matter whether that statement is present in the ACL or not, but apparently it does. Has anyone faced this before, or am I missing something?
    Thanks
    Mukundh

    Hi,
    In order to successfully build a SA, the L2L peers need to exchange the same exact ACE (mirror of each other) along with other parameters like the transform-set, PFS group (if configured)...
    Otherwise Phase II does not come up.
    Thanks.
    Portu.
    Please rate any helpful posts.

  • Cisco 1811 wlan router

    Hi!
    I'm now setting up a new wireless connection with an 1811 and it's not possible to get the VLAN and the FastEthernet to see each other. I already made a kind of bridge and it's still not working!!!
    Someone know what could happen or where I can find information about this device...I think is out dated but I am not sure....
    Thanks and this my first time in this new community and congratulations for it....

    “Thank you for your question.  This community is for Cisco Small Business products and your question is in reference to a Cisco Elite/Classic product.  Please post your question in the Cisco NetPro forums located here: http://forums.cisco.com/eforum/servlet/NetProf?page=main  This forum has subject matter experts on Cisco Elite/Classic products that may be able to answer your question.”

  • IPT over IPSEC lines with cisco 2821

    We are implementing a IPSEC VPN Connection over leased lines using cisco 2821 without AIM-VPN Hardware accelerators.
    The line is 2 Mbps and should also carry IP telephony traffic (4-5 conversations). Will we have problems mastering the jitter? Since the traffic is divided into small packets, is the 2821 able to handle it accordingly?
    Thanks and bye Giorgio

    Giorgio,
    You should be fine with this configuration. Running voice and video over VPN is certainly a viable solution. It is commonly known as V3PN. Take a look at the V3PN SRND below for best practices, planning, and design tips. As mentioned in this document, IPSEC adds a trivial amount of delay (2 - 5 msec.) to voice deployments.
    V3PN SRND
    http://www.cisco.com/application/pdf/en/us/guest/netsol/ns241/c649/ccmigration_09186a00801ea79c.pdf
    Hope this helps. If so, please rate the post.
    Brandon

  • IPSec with two Cisco RV220W's

    I have two Cisco RV220W's. FTP over my VPN is so slow that I have to slow down the FTP transfer to about 10kbps in order to keep the transfer steady. Trying to move TBs of information at that speed is not reasonable. What will resolve this issue?

    Also, if the IP Helper command is used to relay DHCP requests to the root-bridge-side router...
    will the VLAN settings (trunks) on the non-root-bridge-side router work OK, since I will need to remove the DHCP pools configured there? Or is it a better idea to keep them there and just exclude addresses that are available to the other side, and vice versa?
    I say this because the non-root bridge is also going to serve wireless clients as well, and has VLANs set up on it, so I'm guessing the non-root-bridge-side router needs the DHCP pools for both VLANs intact for the VLANs to operate correctly.
    Please give me your insight on this....

  • Cisco 1921 replacing Cisco 1811

    We're putting a 1921 in a remote data center to replace an 1811, but we can't find out for certain if we need to order new
    rack mount ears? It seems like we can use the ears from the 1811 on the 1921, but can't confirm anything.
    Does anyone know if this is true?

    I managed to get my  hands on an 1811 to compare to the 1921. The 1921 is slightly wider, but all the holes match up.
    The 1811 uses part# ACS-1800-RM-19 and the 1921 uses ACS-1900-RM-19.
    You are thinking of a 1900 switch; they are a full 19" wide, so they would fit properly into a rack.

  • Cannot telnet between machines behind cisco 1811

    I have 2 separate exchange servers for 2 separate exchange organizations on
    the same private network.
    -One has an ip of 192.168.0.2
    -Two has an ip of 192.168.0.3
    The network is protected by a 1811 router/firewall and each server has their own
    public IP.
    I can telnet between these machines using their private IPs, but not using their public IPs?
    Here is the show run (attached):
    Thanks for your help

    No problem.
    Here it is.
    I don't have access to equipment to test at this time. I am just typing it in. Excuse me if there are problems with my syntax, as it's 11:40pm over here in the US and I am about to call it quits for the day.
    interface Loopback0
     ip address x.x.x.x y.y.y.y
    !
    interface Vlan1
     ip policy route-map test
    !
    route-map test permit 10
     match ip address 150
     set interface Loopback0
    route-map test permit 15
     match ip address 151
     set interface Loopback0
    !
    access-list 150 permit tcp host x.y.z.230 host x.y.z.231 eq smtp
    access-list 151 permit tcp host x.y.z.231 host x.y.z.230 eq smtp
    Let me know if you had any questions.
    HTH,
    Sundar
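Sundar's loopback-and-PBR approach above, filled out as a complete added example (not code from the thread). It is the "NAT on a stick" hairpin: a host on the inside sends to the other server's public address, policy routing pushes the packet to a loopback marked `ip nat outside`, the packet is translated in both directions on the way through, and comes back in to Vlan1. It uses the thread's addresses (192.168.0.2 and 192.168.0.3 inside, x.y.z.230 and x.y.z.231 public) and assumes the two public addresses are one-to-one static NAT mappings, since the poster's show run is not on the page; the loopback address is a placeholder. Policy routing on Vlan1 sees the packet before inside-to-outside translation, so the match ACLs here use the private source addresses.

```ios
! Added example (not from the thread). Loopback that stands in for the
! "outside" so traffic between two inside hosts, addressed to each
! other's public IPs, passes through NAT instead of going out FastEthernet0.
interface Loopback0
 ip address 10.255.255.1 255.255.255.255   ! placeholder, any unused /32
 ip nat outside
!
! Static one-to-one mappings for the two Exchange servers (assumed to
! match what the router already has for Internet access).
ip nat inside source static 192.168.0.2 x.y.z.230
ip nat inside source static 192.168.0.3 x.y.z.231
!
interface Vlan1
 ip nat inside
 ip policy route-map HAIRPIN
!
! Inside host -> the other server's public address, both directions.
! PBR sees the pre-NAT (private) source, hence the private hosts here.
access-list 150 permit tcp host 192.168.0.2 host x.y.z.231
access-list 151 permit tcp host 192.168.0.3 host x.y.z.230
!
route-map HAIRPIN permit 10
 match ip address 150
 set interface Loopback0
route-map HAIRPIN permit 20
 match ip address 151
 set interface Loopback0
!
! Check: "telnet x.y.z.231 25" from 192.168.0.2 should produce a
! translation entry for each direction, and "debug ip policy" should
! show the packet being policy-routed to Loopback0.
show ip nat translations
debug ip policy
```

Keep the match ACLs as narrow as the two servers and the ports they need; policy-routing all inside traffic to the loopback would put every LAN flow through NAT.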

  • GRE IPSec between Cisco 2811 and FortiGate 110C

    Hello,
    Does anybody know if it is possible to configure GRE IPSec tunnel between Cisco 2811 router and FortiGate 110C firewall? I know that FortiGate supports IPSec and GRE tunnels, but maybe somebody succeeded in establishing an IPSec GRE between those routers? Could you also give a link to the appropriate documentation if it is possible?

    Hi,
    You can configure the GRE tunnel on the 2811.
    I'm aware that you can configure sort of a GRE tunnel on the Fortinet as well, but I have not seen a GRE tunnel between a Cisco and other vendor.
    I've only seen GRE tunnels between Cisco devices (however I have not tried it to assure you that it will not work :-()
    Federico.

  • Unable to access satellite offices with Cisco VPN client

    There are 4 sites:
    Main office - 192.168.0.x/24
    Sat office1 - 10.0.0.x/24
    Sat Office2 - 10.0.1.x/24
    Sat Office3 - 10.0.2.x/24
    All 4 offices are connected via MPLS using other Cisco routers from the telcom co. The user VPN endpoint is at the main office. (Cisco 1811)
    We can make the VPN connection with the Cisco VPN client and browse the 192 network all day long. We cannot access any of the other subnets over the VPN connection. Browsing the other subnets while physically at the main office is fine. This DID work in the past. Something changed that I cannot pinpoint, any ideas?
    Scope for the VPN endusers is 10.100.100.x/24
    Cisco VPN Client versions 4.x and 5.x (both affected)
    Thanks in advance

    Ken
    It is good to know that it did work in the past and then stopped working. That indicates that something changed. Is it possible that a software upgrade has been done and that the change in behavior reflects a different version of IOS? (I suspect that it is possible but not so likely, but we need to ask.)
    My guess is either that there was some change in the routing logic or that the access lists which indicate what traffic is to be protected by the VPN used to include remote to remote but has been changed for some reason.
    Could you post the configuration of the main office 1811?
    Another question that occurs to me is whether the main office 1811 is directly connected to the Internet or goes through some firewall. If it goes through some firewall, is it possible that there has been some change in the firewall rules that is denying the remote-to-remote traffic?
    HTH
    Rick
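The access-list check Rick describes, as an added example (not the poster's config, which is not on the page). On an IOS Easy VPN server the networks pushed to the Cisco VPN Client are the permit entries of the split-tunnel ACL referenced by the client group; if that ACL lists only 192.168.0.0/24, the client will send 10.0.x.0/24 traffic out its local interface and never through the tunnel, which matches the symptom. The subnets and the 10.100.100.0/24 client pool are from the post; the group name, pool name and ACL name are assumptions.

```ios
! Added example. Split-tunnel ACL: every network the client should reach
! through the tunnel, including the three MPLS-connected satellite sites.
ip access-list extended VPN-SPLIT
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 10.0.0.0 0.0.0.255 any
 permit ip 10.0.1.0 0.0.0.255 any
 permit ip 10.0.2.0 0.0.0.255 any
!
ip local pool VPN-POOL 10.100.100.1 10.100.100.254   ! pool name assumed
!
crypto isakmp client configuration group VPNUSERS      ! group name assumed
 pool VPN-POOL
 acl VPN-SPLIT
!
! Checks on the 1811 after a client connects:
show crypto ipsec sa          ! one SA pair per split-tunnel network
show ip route 10.0.1.0        ! main office must have a route to each site
```

Two things that can break remote-to-remote even with a correct ACL: the telco's MPLS routers at the satellite sites need a route for 10.100.100.0/24 pointing back to the main office (the 1811's `reverse-route` on the dynamic crypto map only covers the main-office side), and an ACL on the 1811's inside or MPLS-facing interface can drop the pool addresses. On the client, Statistics > Route Details shows the networks actually received, which is the quickest way to see whether the satellite subnets are in the push.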

  • Cisco 28xx easy vpn server & MS NPS (RADIUS server)

    Hello.
    There is a LAN (192.168.11.0/24) with an edge router, a Cisco 2821 (192.168.11.1), on which an Easy VPN Server is configured with local authorization of remote users, who connect with Cisco VPN Client v 5.0. Everything works. In the same LAN there is an MS Windows Server 2012 Essentials acting as the AD DC.
    It has become necessary to move authorization of remote users to a RADIUS server. As the RADIUS server I want to use MS Network Policy Server (NPS) on 2012 Essentials (192.168.11.9).
    On the server the corresponding policy is set up, the NPS server is registered in AD, a RADIUS client (192.168.11.1) has been created, and a Network Policy has been configured. In AD a group VPN-USERS has been created, to which, in addition to the remote users, a service user EasyVPN with the password "cisco" has been added.
    Below is an excerpt from the Cisco 2821 config:
    aaa new-model
    aaa authentication login rausrs local
    aaa authentication login VPN-XAUTH group radius
    aaa authorization network ragrps local
    aaa authorization network VPN-GROUP local
    aaa session-id common
    crypto isakmp policy 10
    encr aes 256
    authentication pre-share
    group 2
    crypto isakmp client configuration address-pool local RAPOOL
    crypto isakmp client configuration group ra1grp
    key key-for-remote-access
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp client configuration group EasyVPN
    key qwerty123456
    domain domain.local
    pool RAPOOL
    acl split-acl
    split-dns 192.168.11.9
    crypto isakmp profile RA-profile
       description profile for remote access VPN
       match identity group ra1grp
       client authentication list rausrs
       isakmp authorization list ragrps
       client configuration address respond
    crypto isakmp profile VPN-IKMP-PROFILE
       description profile for remote access VPN via RADIUS
       match identity group EasyVPN
       client authentication list VPN-XAUTH
       isakmp authorization list VPN-GROUP
       client configuration address respond
    crypto ipsec transform-set tset1 esp-aes esp-sha-hmac
    crypto dynamic-map dyn-cmap 100
    set transform-set tset1
    set isakmp-profile RA-profile
    reverse-route
    crypto dynamic-map dyn-cmap 101
    set transform-set tset1
    set isakmp-profile VPN-IKMP-PROFILE
    reverse-route
    crypto map stat-cmap 100 ipsec-isakmp dynamic dyn-cmap
    int Gi0/1
    description -- to WAN --
    crypto map stat-cmap
    As a result, the Cisco shows the following error (highlighted in bold):
    RADIUS/ENCODE(000089E0):Orig. component type = VPN_IPSEC
    RADIUS:  AAA Unsupported Attr: interface         [157] 14
    RADIUS:   31 39 34 2E 38 38 2E 31 33 39 2E 31              [194.88.139.1]
    RADIUS(000089E0): Config NAS IP: 192.168.11.1
    RADIUS/ENCODE(000089E0): acct_session_id: 35296
    RADIUS(000089E0): sending
    RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
    RADIUS:  authenticator 4A B1 DB 2D B7 58 B2 BF - 7F 12 6F 96 01 99 32 91
    RADIUS:  User-Name           [1]   9   "EasyVPN"
    RADIUS:  User-Password       [2]   18  *
    RADIUS:  Calling-Station-Id  [31]  16  "aaa.bbb.ccc.137"
    RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
    RADIUS:  NAS-Port            [5]   6   1
    RADIUS:  NAS-Port-Id         [87]  16  "aaa.bbb.ccc.136"
    RADIUS:  Service-Type        [6]   6   Outbound                  [5]
    RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
    RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
    RADIUS:  authenticator A8 08 69 44 44 8B 13 A5 - 06 C2 95 8D B4 C4 E9 01
    RADIUS(000089E0): Received from id 1645/61
    MS NAS reports error 6273:
    Сервер сетевых политик отказал пользователю в доступе.
    За дополнительными сведениями обратитесь к администратору сервера сетевых политик.
    Пользователь:
        ИД безопасности:            domain\VladimirK
        Имя учетной записи:            VladimirK
        Домен учетной записи:           domain
        Полное имя учетной записи:   domain.local/Users/VladimirK
    Компьютер клиента:
        ИД безопасности:            NULL SID
        Имя учетной записи:            -
        Полное имя учетной записи:    -
        Версия ОС:            -
        Идентификатор вызываемой станции:        -
        Идентификатор вызывающей станции:       aaa.bbb.ccc.137
    NAS:
        Адрес IPv4 NAS:        192.168.11.1
        Адрес IPv6 NAS:        -
        Идентификатор NAS:            -
        Тип порта NAS:            Виртуальная
        Порт NAS:            0
    RADIUS-клиент:
        Понятное имя клиента:        Cisco2821
        IP-адрес клиента:            192.168.11.1
    Сведения о проверке подлинности:
        Имя политики запроса на подключение:    Использовать проверку подлинности Windows для всех пользователей
        Имя сетевой политики:        Подключения к другим серверам доступа
        Поставщик проверки подлинности:        Windows
        Сервер проверки подлинности:        DC01.domain.local
        Тип проверки подлинности:        PAP
        Тип EAP:            -
        Идентификатор сеанса учетной записи:        -
        Результаты входа в систему:            Сведения об учетных данных были записаны в локальный файл журнала.
        Код причины:            66
        Причина:                Пользователь пытался применить способ проверки подлинности, не включенный в соответствующей сетевой политике.
    Playing with Cisco AV Pairs and other Network Policy settings on the RADIUS server gives the same result.
    Studying the "Network Policy Server Technical Reference" and "Configuring IPSec Between a Cisco IOS Router and a Cisco VPN Client 4.x for Windows Using RADIUS for User Authentication", Document ID: 21060, gave no answer.
    If anyone has done something like this, please point me in the direction of a solution.
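The debug output above shows the router sending a User-Password attribute (18 bytes) and NPS answering Access-Reject while its event names the authentication type as PAP. As an added example, not from the original post or from Cisco, here is a small Python triage helper: it parses debug radius attribute lines into a dict, reports which RADIUS authentication method the request carries (a User-Password attribute means PAP, which is what the NPS network policy must allow), and reproduces the RFC 2865 section 5.2 User-Password hiding to show why that attribute is 2 header bytes plus one 16-byte block. The sample debug lines and the shared secret are constructed.

```python
import hashlib
import re

# Constructed sample in the shape of the 'debug radius' output quoted above (not the full log)
SAMPLE_DEBUG = """\
RADIUS(000089E0): Send Access-Request to 192.168.11.9:1645 id 1645/61, len 103
RADIUS:  User-Name           [1]   9   "EasyVPN"
RADIUS:  User-Password       [2]   18  *
RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
RADIUS:  Service-Type        [6]   6   Outbound                  [5]
RADIUS:  NAS-IP-Address      [4]   6   192.168.11.1
RADIUS: Received from id 1645/61 192.168.11.9:1645, Access-Reject, len 20
"""

# One attribute line: name, [type], length, value (value may carry trailing "[enum]")
ATTR_RE = re.compile(r'^RADIUS:\s+(\S+)\s+\[(\d+)\]\s+(\d+)\s+(.*)$')

def parse_exchange(debug_text):
    """Return ({attr_name: {'type', 'len', 'value'}}, packet_code) from a debug radius excerpt."""
    attrs, result = {}, None
    for line in debug_text.splitlines():
        m = ATTR_RE.match(line)
        if m:
            name, typ, length, value = m.groups()
            attrs[name] = {'type': int(typ), 'len': int(length),
                           'value': ' '.join(value.split()).strip('"')}
        elif 'Access-Reject' in line:
            result = 'Access-Reject'
        elif 'Access-Accept' in line:
            result = 'Access-Accept'
    return attrs, result

def auth_method(attrs):
    """RADIUS authentication method the request carries; NPS matches its policy on this."""
    for attr, method in (('EAP-Message', 'EAP'), ('CHAP-Password', 'CHAP'), ('User-Password', 'PAP')):
        if attr in attrs:
            return method
    return 'none'

def hide_user_password(password, secret, request_authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    blocks = max(1, -(-len(password) // 16))
    padded = password.ljust(16 * blocks, b'\x00')
    out, prev = b'', request_authenticator  # first block is keyed by the Request Authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out
```

Because the hiding is a single XOR with an MD5-derived pad, it is reversible by anyone holding the shared secret; that is why the request is classified as PAP rather than a challenge or EAP method.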

    Going through your post, I could see that radius is sending access-reject because the radius access-request is sending a vpn group name in the user name field. I was in a discussion of the same problem a few days before, and that got resolved by making 2 changes.
    replace the authorization from radius to local
    and
    changing the encryption type in transform set
    However, your configuration already has those changes.
    Here you can check the same : https://supportforums.cisco.com/thread/2226065
    Could you please tell me what exactly the radius server is complaining about? Can you please paste the error you're getting on the radius server.
    ~BR
    Jatin Katyal
    **Do rate helpful posts**

  • Best solution for managing 50 remote sites via cisco vpn

    At the moment my support organisation uses the cisco vpn client on their windows PCs to provide remote support to our customers. I want to know if there is a solution from cisco that would support nailing up the 30 connections all the time without having to use clients on individual PCs. I know there will be issues because some of the sites will have conflicting lan ip address ranges. We would like to offer improved support to our customers, for example using nagios to monitor their servers, but this is not possible if the vpn connection is not nailed up.
    Please help with the best solution.

    An L2L VPN solution is suitable for your scenario; depending on your traffic load for each site, you would have to do an assessment on that. Any ASA5510 or higher in an active/standby architecture with stateful failover can surely do the job. As for conflicting LAN IPs, there are ways to work around that by using NAT or Policy NAT.
    ASA product line
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    Perhaps for monitoring/managing IPsec tunnels, CSM Cisco Security Manager
    http://www.cisco.com/en/US/products/ps6498/index.html
