RADIUS and Cisco 2611 router

Similar Messages

• Re - RADIUS and Cisco 2611 router

  Cassandra:
  There is a response to your latest post that would easily be missed.
  The thread has rolled to a second page.
  The response is on the second page, and would be missed if you did not take note of the "Previous and Next" links at the bottom of page one.

  Cassandra:
  There is a response to your latest post that would easily be missed.
  The thread has rolled to a second page.
  The response is on the second page, and would be missed if you did not take note of the "Previous and Next" links at the bottom of page one.

• Novell Radius and Cisco 1841 router

  I tried to setup NW Radius and it all seems to be setup perfectly accoriding to this TID# http://support.novell.com/cgi-bin/se...?/10078616.htm
  But when someone tries to connect throgh my Cisco VPN I get this error:
  [2005-05-19 05:03:26 PM] Access request dropped
  <trusted IP>, <Cisco connect group>, Unkown radius client
  I entered the <trusted ip> as a client in Console One and chose Cisco as the vendor (also tried Generic radius).
  <cisco connect group> is the authentication group I setup in the router, and must be entered before connecting through VPN.
  Any clues would be appreciated.

  Jepe,
  It appears that in the past few days you have not received a response to your posting. That concerns us, and has triggered this automated reply.
  Has your problem been resolved? If not, you might try one of the following options:
  - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
  - Check all of the other support tools and options available at http://support.novell.com in both the "free product support" and "paid product support" drop down boxes.
  - You could also try posting your message again. Make sure it is posted in the correct newsgroup. (http://support.novell.com/forums)
  If this is a reply to a duplicate posting, please ignore and accept our apologies and rest assured we will issue a stern reprimand to our posting bot.
  Good luck!
  Your Novell Product Support Forums Team
  http://support.novell.com/forums/

• SSLVPN with iPhone Anyconnect and Cisco IOS Router, Certificate Authentication failed

  Hello,
  i have a problem regarding the authentication with a certificate from the iPhone Anyconnect 2.5 Client to a 1802 Cisco Router.
  Cisco 1802 Router:
  Cisco IOS Software, C180X Software (C180X-ADVENTERPRISEK9-M), Version 15.1(1)T, RELEASE SOFTWARE (fc1)
  First i configured SSLVPN with username and password, in this configuration the Anyconnect Client of my iPhone works.
  then i enrolled a certificate from my Windows 2008 R2 CA to the Router with the Attributes: Server Authentication and IPSEC
  and i enrolled a certificate for my iPhone with Client Authentication and IPSEC
  after a bunch of time ( i realy could not find a really good documentation on how to do this) i got it done, in the webvpn context configuration i made this changes here:
  no aaa authentication list default
  authentication certificate
  ca trustpoint CA
  as the "SSL VPN Configuration Guide, Cisco IOS Release 15.1M&T" says: if i want only certificate authentication i had to user the "authentication certificate" command and thats it.
  as i look into the debugs it seems to me that the Router accepts the certificate of the iPhone, but then i receive a window on the iphone that wants an additional username and password authentication, and no matter what i enter there's always the same dialog coming back..
  any ideas what the problem could be???
  here is the configuration:
  webvpn gateway WEBVPN_GW_OFFICE2
  ip interface Dialer0 port 1444
  ssl trustpoint CA
  inservice
  webvpn install svc flash:/webvpn/sslclient-win-1.1.4.179.pkg sequence 1
  webvpn install svc flash:/webvpn/anyconnect-win-3.0.4235-k9.pkg sequence 2
  webvpn install svc flash:/webvpn/anyconnect-dart-win-2.5.3055-k9.pkg sequence 3
  webvpn context WEBVPN_CONTEXT2
  secondary-color white
  title-color #669999
  text-color black
  ssl authenticate verify all
  policy group WEBVPN_POLICY2
     functions svc-enabled
     mask-urls
     svc address-pool "SSLVPN_OFFICE1"
     svc default-domain "domain.internal"
     svc keep-client-installed
     svc split include 192.168.0.0 255.255.0.0
     svc dns-server primary 192.168.53.33
     svc dns-server secondary 192.168.53.35
  virtual-template 3
  default-group-policy WEBVPN_POLICY2
  gateway WEBVPN_GW_OFFICE2
  authentication certificate
  ca trustpoint CA
  inservice
  here is the debug:
  OfficeRouter1# PASSING appctx is [0x89FAFFCC]
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.507: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  Nov 19 22:39:53.607: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x15A07AB8, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:39:53.607: WV: http request: / with no cookie
  Nov 19 22:39:53.607: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:39:53.607: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:39:53.607: WV: Trustpoint match successful
  Nov 19 22:39:53.607: WV: Extracted username:  pass: ?
  Nov 19 22:39:53.607: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x8811FE60
  Nov 19 22:39:53.607: WV: Appl. processing Failed : 2
  Nov 19 22:39:53.607: WV: sslvpn process rcvd context queue event
  BueroRouter1# PASSING appctx is [0x89FAEEC4]
  Nov 19 22:40:24.028: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.032: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:24.132: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x160C4038, len: 469,
        offset: 0, domain: 0)
  Nov 19 22:40:24.132: WV: http request: / with no cookie
  Nov 19 22:40:24.132: WV: validated_tp : CA cert_username :  matched_ctx :
  Nov 19 22:40:24.132: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:24.132: WV: Trustpoint match successful
  Nov 19 22:40:24.132: WV: Extracted username:  pass: ?
  Nov 19 22:40:24.132: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=661 bytes=661 tcb=0x88D11EEC
  Nov 19 22:40:24.136: WV: Appl. processing Failed : 2
  Nov 19 22:40:24.136: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.764: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.880: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event
  Nov 19 22:40:39.892: WV: Entering APPL with Context: 0x86529380,
        Data buffer(buffer: 0x86543A40, data: 0x1616FD38, len: 610,
        offset: 0, domain: 0)
  Nov 19 22:40:39.892: WV: http request: /webvpn.html with domain cookie
  Nov 19 22:40:39.892: WV: validated_tp :  cert_username :  matched_ctx :
  Nov 19 22:40:39.892: WV: Received appinfo
  validated_tp : CA, matched_ctx : ,cert_username :
  Nov 19 22:40:39.892: WV: Trustpoint match successful
  Nov 19 22:40:39.892: WV: Client side Chunk data written..
  buffer=0x86543640 total_len=607 bytes=607 tcb=0x88D11EEC
  Nov 19 22:40:39.892: WV: Appl. processing Failed : 2
  Nov 19 22:40:39.892: WV: sslvpn process rcvd context queue event

  http://www.cisco.com/en/US/products/ps8411/products_qanda_item09186a00809aec31.shtml
  HI,
  Refer to
  AnyConnect VPN Client FAQ
  Q. Is it possible to connect the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router?
  A. No. It is not possible to connect  the iPad, iPod, or iPhone AnyConnect VPN Client to a Cisco IOS router.  AnyConnect on iPad/iPhone can connect only to an ASA that runs version  8.0(3).1 or later. Cisco IOS is not supported by the AnyConnect VPN  Client for Apple iOS. For more information, refer to the Security Appliances and Software Supported section of the Release Notes for Cisco AnyConnect Secure Mobility Client 2.4, Apple iOS 4.2 and 4.3.

• Airport Express and Cisco E1000 router?

    Okay so right now i am using my airport express as my primary router can i use it to extend my cisco E1000 router if i plug back my old Cisco E1000 router if i can how do i do it? Please help.

  You can effectively extend the Cisco's wireless network by creating a roaming network with both routers. Note that this would require that both routers be interconnected by Ethernet. Since the Express will perform a new role, be sure to perform a "factory default" reset on it so that it will be in its "out-of-the-box" configuration.

• Site to Site VPN between ASA 5505 and Cisco 800 router

  Evening all,
  Hoping that someboy can see the error of my ways.  It seems very like the problem that i read here: https://supportforums.cisco.com/thread/2016300
  We have a cisco 800 in a remote site which we wanted to use for a site to site vpn.  Went through the steps on the ASA 5505 and the 800 and have got to the stage were the tunnel is up and connected.  Getting traffic through it is another matter.  Remote network is 172.20.224.0/20 and the server network behind the ASA is 192.168.168.0/24. The tunnel does intiate when you send traffic from 172 ......to 192.......  Both the ASA and 800 report the tunnel is up.  If i look at the stats using ccp on the 800 i can see the encapsulation packets graph shooting up but nothing cominbg back.  I did packet captures on the 5505 and could not see anything coming from the tunnel so i dont belive its making it to the ASA.  Here is the config from the 800:
  Building configuration...
  Current configuration : 6488 bytes
  version 12.4
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname hhp-sty-backup
  boot-start-marker
  boot-end-marker
  logging message-counter syslog
  logging buffered 4096
  enable secret 5 $1$jI1i$/kZbRk2WHD5h0HtfuQVej1
  aaa new-model
  aaa authentication login default local
  aaa authorization exec default local
  aaa authorization auth-proxy default local
  aaa session-id common
  crypto pki trustpoint TP-self-signed-1347488939
  enrollment selfsigned
  subject-name cn=IOS-Self-Signed-Certificate-1347488939
  revocation-check none
  rsakeypair TP-self-signed-1347488939
  crypto pki certificate chain TP-self-signed-1347488939
  certificate self-signed 02
    30820255 308201BE A0030201 02020102 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31333437 34383839 3339301E 170D3032 30333031 30313336
    33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 33343734
    38383933 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100E714 7B0ADB41 19F60528 A8A5C43B 5CD2D1CD DCCF2E08 8B38D444 36EAB9B7
    0E93CEF7 660F979E E27915B9 E44812A5 794EA03D BA66752B FD0F7EBF D6342513
    D6410E4E 098CE838 C3BADD0A 5F3505FE 22CA776F 89B19510 F0852225 3600F046
    4D57D2E2 FE4AAD1E 8BE4BF80 7B27369E BFA65160 BC769BC9 00A13741 E336D0EA
    8A810203 010001A3 7D307B30 0F060355 1D130101 FF040530 030101FF 30280603
    551D1104 21301F82 1D686870 2D737479 2D626163 6B75702E 796F7572 646F6D61
    696E2E63 6F6D301F 0603551D 23041830 168014FA 4A8C4DF6 629638DE 87D7B60A
    0F5BB40F EA6AED30 1D060355 1D0E0416 0414FA4A 8C4DF662 9638DE87 D7B60A0F
    5BB40FEA 6AED300D 06092A86 4886F70D 01010405 00038181 00BBE577 6EF63FE7
    789766D5 37841812 298D4885 1CD06D07 4C625369 C3403106 89EE1398 73495432
    66C49CB1 36A5B2F8 D77A8C46 5AFE4112 EA5917D9 81542640 80EF2D36 54A85CC6
    C3FFFFB8 39A648DD 2ABA2B13 4137BE07 760E46C0 74401DA7 482E3FA2 A64B70FF
    447AA1B2 52E37240 29987085 532BBE3B C2E2E54A 54CA1D13 0E
              quit
  dot11 syslog
  ip source-route
  ip dhcp excluded-address 10.10.10.1
  ip dhcp pool inside
  ip dhcp pool lan_network
     network 172.20.224.0 255.255.240.0
     dns-server 8.8.8.8 8.8.4.4
     default-router 172.20.224.1
     lease 7
  ip cef
  no ip domain lookup
  ip domain name yourdomain.com
  password encryption aes
  username pix privilege 15 secret 5 $1$Z.wA$lBmj36AJx/cbK1RjmfGJh1
  username admin privilege 15 password 0 434Zaty
  crypto isakmp policy 1
  encr 3des
  authentication pre-share
  group 2
  crypto isakmp key password address 217.36.32.222
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto map SDM_CMAP_1 1 ipsec-isakmp
  description Tunnel to217.36.32.222
  set peer 217.36.32.222
  set transform-set ESP-3DES-SHA
  match address 100
  archive
  log config
    hidekeys
  interface ATM0
  no ip address
  no atm ilmi-keepalive
  pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
  dsl operating-mode auto
  interface FastEthernet0
  interface FastEthernet1
  interface FastEthernet2
  interface FastEthernet3
  interface Vlan1
  description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
  ip address 172.20.224.1 255.255.240.0
  ip nat inside
  ip virtual-reassembly
  ip tcp adjust-mss 1452
  interface Dialer0
  ip address negotiated
  ip nat outside
  ip virtual-reassembly
  encapsulation ppp
  dialer pool 1
  no cdp enable
  ppp authentication chap callin
  ppp chap hostname B6*******.btclick.com
  ppp chap password 0 H*******
  crypto map SDM_CMAP_1
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer0
  ip http server
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 60 life 86400 requests 10000
  ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
  access-list 1 remark CCP_ACL Category=16
  access-list 1 permit 172.4.0.0 0.240.255.255
  access-list 10 permit 195.12.1.35
  access-list 10 permit 172.4.0.0 0.240.255.255
  access-list 100 remark CCP_ACL Category=4
  access-list 100 remark IPSec Rule
  access-list 100 permit ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
  access-list 101 remark CCP_ACL Category=2
  access-list 101 remark IPSec Rule
  access-list 101 deny   ip 172.20.224.0 0.0.15.255 192.168.168.0 0.0.0.255
  access-list 101 permit ip 172.4.0.0 0.240.255.255 any
  route-map SDM_RMAP_1 permit 1
  match ip address 101
  control-plane
  banner exec ^C
  % Password expiration warning.
  Cisco Configuration Professional (Cisco CP) is installed on this device
  and it provides the default username "cisco" for  one-time use. If you have
  already used the username "cisco" to login to the router and your IOS image
  supports the "one-time" user option, then this username has already expired.
  You will not be able to login to the router with this username after you exit
  this session.
  It is strongly suggested that you create a new username with a privilege level
  of 15 using the following command.
  username <myuser> privilege 15 secret 0 <mypassword>
  Replace <myuser> and <mypassword> with the username and password you
  want to use.
  ^C
  banner login ^C
  Cisco Configuration Professional (Cisco CP) is installed on this device.
  This feature requires the one-time use of the username "cisco" with the
  password "cisco". These default credentials have a privilege level of 15.
  YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE 
  PUBLICLY-KNOWN CREDENTIALS
  Here are the Cisco IOS commands.
  username <myuser>  privilege 15 secret 0 <mypassword>
  no username cisco
  Replace <myuser> and <mypassword> with the username and password you want
  to use.
  IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
  NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
  For more information about Cisco CP please follow the instructions in the
  QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
  ^C
  line con 0
  no modem enable
  stopbits 1
  line aux 0
  line vty 0 4
  access-class 10 in
  privilege level 15
  password 434Zaty
  transport input telnet ssh
  scheduler max-task-time 5000
  end
  Any help will be most gratefully recieved.

  Rick,
  Thanks for replying.  Here is the output from the 800 Show Crypto command:
  interface: Dialer0
      Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
     remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
     current_peer 217.36.32.222 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 2, #recv errors 0
       local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
       path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
       current outbound spi: 0x0(0)
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:
       outbound pcp sas:
  interface: Virtual-Access2
      Crypto map tag: SDM_CMAP_1, local addr 81.136.160.237
     protected vrf: (none)
     local  ident (addr/mask/prot/port): (172.20.224.0/255.255.240.0/0/0)
     remote ident (addr/mask/prot/port): (192.168.168.0/255.255.255.0/0/0)
     current_peer 217.36.32.222 port 500
       PERMIT, flags={origin_is_acl,}
      #pkts encaps: 10928, #pkts encrypt: 10928, #pkts digest: 10928
      #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 0, #pkts compr. failed: 0
      #pkts not decompressed: 0, #pkts decompress failed: 0
      #send errors 2, #recv errors 0
       local crypto endpt.: 81.136.160.237, remote crypto endpt.: 217.36.32.222
       path mtu 1500, ip mtu 1500, ip mtu idb Virtual-Access2
       current outbound spi: 0x0(0)
       inbound esp sas:
       inbound ah sas:
       inbound pcp sas:
       outbound esp sas:
       outbound ah sas:
       outbound pcp sas:
  and this is the running config frm our ASA at HQ:
  Result of the command: "sh run"
  : Saved
  ASA Version 8.2(1)
  hostname secure-access
  domain-name hhp.com
  enable password UWWykvGjAPmxufUo encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Vlan1
  nameif inside
  security-level 100
  ip address 192.168.168.1 255.255.255.0
  interface Vlan2
  nameif outside
  security-level 0
  pppoe client vpdn group BT
  ip address 217.36.32.222 255.255.255.255 pppoe
  interface Vlan12
  nameif DMZ
  security-level 50
  ip address 192.168.169.1 255.255.255.0
  interface Vlan22
  nameif Wireless_HHP
  security-level 100
  ip address 172.16.36.1 255.255.254.0
  interface Vlan32
  nameif CNES
  security-level 100
  ip address 187.187.168.1 255.255.0.0
  interface Ethernet0/0
  switchport access vlan 2
  interface Ethernet0/1
  interface Ethernet0/2
  switchport access vlan 12
  interface Ethernet0/3
  switchport access vlan 22
  interface Ethernet0/4
  switchport access vlan 32
  interface Ethernet0/5
  switchport access vlan 12
  interface Ethernet0/6
  switchport access vlan 12
  interface Ethernet0/7
  ftp mode passive
  dns domain-lookup inside
  dns domain-lookup outside
  dns domain-lookup DMZ
  dns domain-lookup Wireless_HHP
  dns domain-lookup CNES
  dns server-group DefaultDNS
  name-server 192.168.168.2
  domain-name hhp.com
  same-security-traffic permit inter-interface
  same-security-traffic permit intra-interface
  object-group network NET-cnes_HHP-Sty
  network-object 172.20.224.0 255.255.240.0
  object-group network NET-cnes_HHP-Balivanich
  network-object 172.20.192.0 255.255.240.0
  object-group network Oak-DC1
  network-object 192.168.168.2 255.255.255.255
  object-group network Maple-DC2
  network-object 192.168.168.3 255.255.255.255
  object-group network HHP_Domain_Controllers
  group-object Oak-DC1
  group-object Maple-DC2
  object-group network PC-Support
  network-object 187.187.60.1 255.255.255.255
  network-object 187.187.60.2 255.255.255.254
  network-object 187.187.60.4 255.255.255.254
  network-object 187.187.60.6 255.255.255.255
  object-group network ELM-ActiveH
  network-object 192.168.168.6 255.255.255.255
  object-group network Pine-GP
  network-object 192.168.168.12 255.255.255.255
  object-group network HHP_Application_Servers
  group-object ELM-ActiveH
  group-object Pine-GP
  object-group network Fern-TS1
  network-object 192.168.168.4 255.255.255.255
  object-group network Fir-TS2
  network-object 192.168.168.5 255.255.255.255
  object-group network HHP_Terminal_Servers
  group-object Fern-TS1
  group-object Fir-TS2
  object-group service Global_Catalog_LDAP
  description (Generated by Cisco SM from Object "Global Catalog LDAP")
  service-object tcp eq 3268
  object-group service Global_Catalog_LDAP_SSL
  description (Generated by Cisco SM from Object "Global Catalog LDAP SSL")
  service-object tcp eq 3269
  object-group service UDP-389
  description UDP port for LDAP
  service-object udp eq 389
  object-group service TCP-88
  description TCP Port 88
  service-object tcp eq 88
  object-group service TCP-445
  description SMB
  service-object tcp eq 445
  object-group network John_-_Laptop
  description John's Laptop
  network-object 187.187.10.65 255.255.255.255
  object-group network Graham_-_PC
  description Graham Morrison's PC
  network-object 187.187.10.90 255.255.255.255
  object-group network john_test
  network-object 187.187.40.7 255.255.255.255
  object-group network Iain_PC
  description Iain Macaulay IT
  network-object 187.187.10.19 255.255.255.255
  object-group network John_-_PC
  description John MacPhail's PC
  network-object 187.187.10.7 255.255.255.255
  object-group network it-alahen-lap
  network-object 187.187.10.230 255.255.255.255
  object-group network Catriona_-_Laptop
  description Catriona's Laptop
  network-object 187.187.10.60 255.255.255.255
  object-group network Graham_-_Laptop
  network-object 187.186.10.120 255.255.255.255
  object-group network it-innive-xp
  description Innes MacIver's PC
  network-object 187.187.10.14 255.255.255.255
  object-group network it-alahen-xp
  description Desktop
  network-object 187.187.10.229 255.255.255.255
  object-group network Cat_-_PC
  description Catriona Macmillan's PC
  network-object 187.187.10.4 255.255.255.255
  object-group network it-davdon-xp
  description Desktop
  network-object 187.187.160.7 255.255.255.255
  object-group network cat-laptop
  description Catriona's Laptop addresses
  network-object 187.187.77.81 255.255.255.255
  network-object 187.187.77.82 255.255.255.255
  object-group network Catriona_old_pc
  network-object 187.187.10.44 255.255.255.255
  object-group network cat-tablet
  description Catriona's Tablet ip address's
  network-object 187.187.77.78 255.255.255.254
  object-group network DSO-SQLServer
  description Task Database Server
  network-object 187.187.1.33 255.255.255.255
  object-group network it-finfernew-xp
  description Findlay Ferguson PC
  network-object 187.187.10.153 255.255.255.255
  object-group network PC_Support
  group-object John_-_Laptop
  group-object Graham_-_PC
  group-object john_test
  group-object Iain_PC
  group-object John_-_PC
  group-object it-alahen-lap
  group-object Catriona_-_Laptop
  group-object Graham_-_Laptop
  group-object it-alahen-xp
  group-object Cat_-_PC
  group-object it-davdon-xp
  group-object cat-laptop
  group-object Catriona_old_pc
  group-object cat-tablet
  group-object it-innive-xp
  network-object 187.187.1.128 255.255.255.255
  network-object 187.187.10.76 255.255.255.255
  group-object DSO-SQLServer
  network-object 187.187.15.234 255.255.255.255
  network-object 187.187.4.60 255.255.255.255
  network-object 187.187.10.134 255.255.255.255
  network-object 172.18.194.22 255.255.255.255
  group-object it-finfernew-xp
  object-group network Entire_CNE
  description Entire CNE range
  network-object 187.0.0.0 255.0.0.0
  object-group network NET-cnes_HHP-Sty-Staff
  network-object 172.20.225.0 255.255.255.0
  object-group network NET-cnes_HHP-Balivanich-staff
  network-object 172.20.193.0 255.255.255.0
  object-group network Alder-Intranet
  network-object 192.168.168.13 255.255.255.255
  object-group network Aspen-ISA
  network-object 192.168.168.10 255.255.255.255
  object-group service tcp-8080
  description TCP Port 8080
  service-object tcp eq 8080
  object-group network Beech-External
  network-object 217.36.32.210 255.255.255.255
  object-group network it-csm
  description cisco security manager
  network-object 187.187.1.72 255.255.255.255
  object-group network Juniper-External
  description Internet Server
  network-object 217.36.32.211 255.255.255.255
  object-group network HHP_Server_Network
  network-object 192.168.168.0 255.255.255.0
  object-group network Messagelabs_Incoming_HHP
  network-object 67.219.240.0 255.255.240.0
  network-object 95.131.104.0 255.255.248.0
  network-object 193.109.254.0 255.255.254.0
  network-object 195.245.230.0 255.255.254.0
  network-object 216.82.240.0 255.255.240.0
  network-object 85.158.136.0 255.255.248.0
  network-object 117.120.16.0 255.255.248.0
  network-object 194.106.220.0 255.255.254.0
  object-group network Angus-Maclean-PC
  network-object 187.187.10.250 255.255.255.255
  object-group service RDP
  service-object tcp eq 3389
  object-group network it-dbserver
  description Database Server (Live)
  network-object 187.187.1.65 255.255.255.255
  object-group network it-sql-test
  description Test SQL / database server
  network-object 187.187.1.81 255.255.255.255
  object-group service DNS-Resolving
  description Domain Name Server
  service-object tcp eq domain
  service-object udp eq domain
  object-group network Beech-Exchange
  network-object 192.168.168.91 255.255.255.255
  object-group network Messagelabs_-_Incoming
  description List of MessageLab addresses that SMTP connections are accepted from
  network-object 212.125.75.0 255.255.255.224
  network-object 216.82.240.0 255.255.240.0
  network-object 195.216.16.211 255.255.255.255
  network-object 194.205.110.128 255.255.255.224
  network-object 194.106.220.0 255.255.254.0
  network-object 193.109.254.0 255.255.254.0
  network-object 62.231.131.0 255.255.255.0
  network-object 62.173.108.208 255.255.255.240
  network-object 62.173.108.16 255.255.255.240
  network-object 212.125.74.44 255.255.255.255
  network-object 195.245.230.0 255.255.254.0
  network-object 85.158.136.0 255.255.248.0
  object-group network MIS_Support
  network-object 192.168.168.250 255.255.255.254
  object-group network it-donadon-xp
  description Donald Macdonald's PC
  network-object 187.187.10.13 255.255.255.255
  object-group network Angela_PC
  network-object 187.187.10.155 255.255.255.255
  object-group network Katie_PC
  network-object 187.187.10.151 255.255.255.255
  object-group network Pauline_PC
  network-object 187.187.10.12 255.255.255.255
  object-group network it-paye-net
  network-object 187.187.1.92 255.255.255.255
  object-group network MessageLabs-Towers
  description Message Labs IP Address ranges
  network-object 216.82.240.0 255.255.240.0
  network-object 67.219.240.0 255.255.240.0
  network-object 85.158.136.0 255.255.248.0
  network-object 95.131.104.0 255.255.248.0
  network-object 117.120.16.0 255.255.248.0
  network-object 193.109.254.0 255.255.254.0
  network-object 194.106.220.0 255.255.254.0
  network-object 195.245.230.0 255.255.254.0
  network-object 62.231.131.0 255.255.255.0
  network-object 212.125.75.16 255.255.255.240
  object-group network NET_cnes-castlebay-staff
  network-object 172.19.17.0 255.255.255.0
  object-group network NET_cnes_tarbert_staff
  description NET_cnes_tarbert_staff
  network-object 172.19.33.0 255.255.255.0
  object-group network Juniper
  network-object 192.168.169.5 255.255.255.255
  object-group network HHP_DMZ_Network
  network-object 192.168.169.0 255.255.255.0
  object-group network Ash
  network-object 192.168.168.100 255.255.255.255
  object-group service UDP-445
  service-object udp eq 445
  object-group service tcp-udp-135-139
  service-object tcp-udp range 135 139
  object-group network HHP-ELM
  description HHP's ELM ActiveH server
  network-object 187.187.1.203 255.255.255.255
  object-group network CNES-Ext-GW
  description CNES External Address
  network-object 194.83.245.242 255.255.255.255
  object-group service IPSEC
  description IPSEC
  service-object 57
  service-object ah
  service-object esp
  service-object udp eq isakmp
  object-group network Alamur-PC
  network-object 187.187.10.15 255.255.255.255
  object-group network Iain-Nicolson-PC
  network-object 187.187.10.159 255.255.255.255
  object-group network HHP_Remote_Access_Pool
  network-object 192.168.168.200 255.255.255.248
  network-object 192.168.168.208 255.255.255.240
  network-object 192.168.168.224 255.255.255.252
  network-object 192.168.168.228 255.255.255.254
  object-group network Holly-AV
  network-object 192.168.168.9 255.255.255.255
  object-group service AVG_Ports
  description For AVG server to HHP PCs
  service-object tcp-udp eq 6150
  service-object tcp-udp eq 6051
  service-object tcp-udp eq 445
  service-object tcp-udp eq 138
  service-object tcp-udp eq 135
  service-object tcp-udp eq 6054
  service-object tcp-udp eq 4158
  service-object tcp-udp eq 139
  service-object tcp-udp eq 137
  object-group network CNES_Access
  network-object 192.168.168.230 255.255.255.254
  network-object 192.168.168.232 255.255.255.248
  network-object 192.168.168.240 255.255.255.248
  network-object 192.168.168.248 255.255.255.254
  object-group network HHP-068
  description BACS PC
  network-object 172.20.225.6 255.255.255.255
  object-group network Banyan
  network-object 192.168.168.105 255.255.255.255
  object-group service TCP81
  description TCP Port 81
  service-object tcp eq 81
  object-group network Gavin_-_new_PC
  network-object 187.187.10.150 255.255.255.255
  object-group network Secudoors
  network-object 172.20.224.4 255.255.255.255
  access-list outside_access_in remark Time sync to external ntp server
  access-list outside_access_in extended permit udp host 192.108.114.23 object-group HHP_Domain_Controllers eq ntp
  access-list outside_access_in extended permit tcp object-group MessageLabs-Towers object-group Beech-External eq smtp
  access-list outside_access_in extended permit ip host 81.136.160.237 object-group HHP_Server_Network
  access-list outside_access_in extended permit ip object-group CNES_Access object-group HHP_Server_Network
  access-list outside_access_in extended permit ip object-group MIS_Support object-group HHP_Server_Network
  access-list outside_access_in extended permit ip object-group HHP_Remote_Access_Pool object-group HHP_Server_Network
  access-list outside_access_in extended permit tcp any object-group Juniper-External eq www
  access-list outside_access_in extended permit tcp any object-group Juniper-External eq https
  access-list outside_access_in extended deny ip any any
  access-list outside_access_in_1 extended permit ip any any
  access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Balivanich object-group HHP_Server_Network
  access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group NET-cnes_HHP-Sty object-group HHP_Server_Network
  access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq www
  access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq domain
  access-list CSM_FW_ACL_Wireless_HHP extended permit udp object-group HHP-068 any eq domain
  access-list CSM_FW_ACL_Wireless_HHP extended permit tcp object-group HHP-068 any eq https
  access-list CSM_FW_ACL_Wireless_HHP extended permit object-group DNS-Resolving object-group HHP-068 any
  access-list CSM_FW_ACL_Wireless_HHP extended permit object-group tcp-8080 object-group HHP-068 any
  access-list CSM_FW_ACL_Wireless_HHP extended permit ip host 172.20.193.53 object-group CNES-Ext-GW
  access-list CSM_FW_ACL_Wireless_HHP extended permit ip object-group Secudoors any
  access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Balivanich
  access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
  access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Application_Servers object-group PC_Support
  access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Domain_Controllers object-group PC_Support
  access-list CSM_FW_ACL_inside extended permit ip object-group HHP_Terminal_Servers object-group PC_Support
  access-list CSM_FW_ACL_inside extended permit tcp object-group Oak-DC1 any eq domain
  access-list CSM_FW_ACL_inside extended permit udp object-group Oak-DC1 any eq domain
  access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Oak-DC1 any
  access-list CSM_FW_ACL_inside extended permit tcp object-group Maple-DC2 any eq domain
  access-list CSM_FW_ACL_inside extended permit udp object-group Maple-DC2 any eq domain
  access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Maple-DC2 any
  access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq www
  access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq domain
  access-list CSM_FW_ACL_inside extended permit udp object-group Aspen-ISA any eq domain
  access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA any eq https
  access-list CSM_FW_ACL_inside extended permit object-group DNS-Resolving object-group Aspen-ISA any
  access-list CSM_FW_ACL_inside extended permit object-group tcp-8080 object-group Aspen-ISA any
  access-list CSM_FW_ACL_inside remark For Symantec Liveupdates
  access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq ftp
  access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq www
  access-list CSM_FW_ACL_inside extended permit tcp object-group Banyan any eq https
  access-list CSM_FW_ACL_inside remark IPSec VPN access from ELm to CNES
  access-list CSM_FW_ACL_inside extended permit object-group IPSEC object-group ELM-ActiveH object-group CNES-Ext-GW
  access-list CSM_FW_ACL_inside extended permit udp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
  access-list CSM_FW_ACL_inside extended permit tcp object-group ELM-ActiveH object-group CNES-Ext-GW eq 4500
  access-list CSM_FW_ACL_inside extended permit icmp object-group HHP_Server_Network object-group HHP_DMZ_Network
  access-list CSM_FW_ACL_inside remark Time sync to external ntp server
  access-list CSM_FW_ACL_inside extended permit udp object-group HHP_Domain_Controllers host 192.108.114.23 eq ntp
  access-list CSM_FW_ACL_inside extended permit tcp object-group Beech-Exchange object-group Messagelabs_-_Incoming eq smtp
  access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq www
  access-list CSM_FW_ACL_inside extended permit tcp object-group Aspen-ISA object-group Juniper eq https
  access-list CSM_FW_ACL_inside extended permit ip object-group Holly-AV object-group Juniper
  access-list CSM_FW_ACL_inside extended deny ip any any
  access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_Server_Network
  access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group HHP_DMZ_Network
  access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Balivanich
  access-list CSM_FW_ACL_CNES extended permit ip object-group PC_Support object-group NET-cnes_HHP-Sty
  access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq ssh
  access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq www
  access-list CSM_FW_ACL_CNES extended permit tcp object-group it-csm any eq https
  access-list CSM_FW_ACL_CNES remark Aim's access to Active H server: DSO SQL
  access-list CSM_FW_ACL_CNES remark server's access (Task)
  access-list CSM_FW_ACL_CNES remark IT Ops - mapped drive for FTP transfer to and from E450/Elm of Entitlement Adjustments
  access-list CSM_FW_ACL_CNES remark and Tenancy Changes
  access-list CSM_FW_ACL_CNES extended permit ip object-group it-sql-test object-group ELM-ActiveH
  access-list CSM_FW_ACL_CNES extended permit ip object-group DSO-SQLServer object-group ELM-ActiveH
  access-list CSM_FW_ACL_CNES extended permit ip object-group it-paye-net object-group ELM-ActiveH
  access-list CSM_FW_ACL_CNES extended permit ip object-group Angela_PC object-group ELM-ActiveH
  access-list CSM_FW_ACL_CNES extended permit ip object-group Katie_PC object-group ELM-ActiveH
  access-list CSM_FW_ACL_CNES extended permit ip object-group Pauline_PC object-group ELM-ActiveH
  access-list CSM_FW_ACL_CNES remark donald and Findlay RDP access to Active H
  access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group ELM-ActiveH
  access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-donadon-xp object-group HHP_Terminal_Servers
  access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group ELM-ActiveH
  access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group it-finfernew-xp object-group HHP_Terminal_Servers
  access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Alder-Intranet
  access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC host 192.168.168.17
  access-list CSM_FW_ACL_CNES extended permit ip object-group Angus-Maclean-PC object-group Juniper
  access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Alder-Intranet
  access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC host 192.168.168.17
  access-list CSM_FW_ACL_CNES extended permit ip object-group Iain-Nicolson-PC object-group Juniper
  access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Alder-Intranet
  access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp host 192.168.168.17
  access-list CSM_FW_ACL_CNES extended permit ip object-group it-davdon-xp object-group Juniper
  access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Alder-Intranet
  access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC host 192.168.168.17
  access-list CSM_FW_ACL_CNES extended permit ip object-group Alamur-PC object-group Juniper
  access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Alder-Intranet
  access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC host 192.168.168.17
  access-list CSM_FW_ACL_CNES extended permit ip object-group Gavin_-_new_PC object-group Juniper
  access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes-castlebay-staff object-group HHP_Server_Network
  access-list CSM_FW_ACL_CNES extended permit object-group RDP object-group NET_cnes_tarbert_staff object-group HHP_Server_Network
  access-list MIS_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
  access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.250 255.255.255.254
  access-list inside_nat0_outbound extended permit ip object-group HHP_Server_Network 192.168.168.224 255.255.255.224
  access-list CSM_FW_ACL_DMZ extended permit ip object-group HHP_DMZ_Network object-group PC_Support
  access-list CSM_FW_ACL_DMZ extended permit icmp object-group HHP_DMZ_Network object-group HHP_Server_Network
  access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Angus-Maclean-PC
  access-list CSM_FW_ACL_DMZ extended permit ip object-group Juniper object-group Holly-AV
  access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group Beech-Exchange eq smtp
  access-list CSM_FW_ACL_DMZ extended permit tcp object-group Juniper object-group HHP_Domain_Controllers eq domain
  access-list CSM_FW_ACL_DMZ extended permit udp object-group Juniper object-group HHP_Domain_Controllers eq domain
  access-list CSM_FW_ACL_DMZ remark for backups to USB drive on ASH
  access-list CSM_FW_ACL_DMZ extended permit object-group TCP-445 object-group Juniper object-group Ash
  access-list CSM_FW_ACL_DMZ extended permit object-group UDP-445 object-group Juniper object-group Ash
  access-list CSM_FW_ACL_DMZ extended permit object-group tcp-udp-135-139 object-group Juniper object-group Ash
  access-list CSM_FW_ACL_DMZ extended deny ip any any
  access-list CNES_Support_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
  access-list RemoteAccess_splitTunnelAcl standard permit 192.168.168.0 255.255.255.0
  access-list outside_cryptomap extended permit ip object-group HHP_Server_Network object-group NET-cnes_HHP-Sty
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1492
  mtu DMZ 1500
  mtu Wireless_HHP 1500
  mtu CNES 1500
  ip local pool CNES_Access 192.168.168.230-192.168.168.249
  ip local pool MIS_Support 192.168.168.250-192.168.168.251
  ip local pool OLM-VPN-Pool 192.168.168.252
  ip local pool HHP_Remote_Access_Pool 192.168.168.200-192.168.168.229
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  no asdm history enable
  arp timeout 14400
  nat-control
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  nat (Wireless_HHP) 1 172.20.193.53 255.255.255.255
  nat (Wireless_HHP) 1 172.20.225.0 255.255.255.0
  static (inside,CNES) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
  static (CNES,inside) 187.187.0.0 255.255.0.0 netmask 255.255.0.0
  static (Wireless_HHP,inside) 172.20.224.0 172.20.224.0 netmask 255.255.240.0
  static (inside,Wireless_HHP) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
  static (CNES,Wireless_HHP) 187.187.0.0 187.187.0.0 netmask 255.255.0.0
  static (inside,outside) 217.36.32.210 192.168.168.91 netmask 255.255.255.255
  static (DMZ,outside) 217.36.32.211 192.168.169.5 netmask 255.255.255.255
  static (inside,DMZ) 192.168.168.0 192.168.168.0 netmask 255.255.255.0
  static (CNES,DMZ) 187.0.0.0 187.0.0.0 netmask 255.0.0.0
  access-group CSM_FW_ACL_inside in interface inside
  access-group outside_access_in_1 in interface outside control-plane
  access-group outside_access_in in interface outside
  access-group CSM_FW_ACL_DMZ in interface DMZ
  access-group CSM_FW_ACL_Wireless_HHP in interface Wireless_HHP
  access-group CSM_FW_ACL_CNES in interface CNES
  route outside 0.0.0.0 0.0.0.0 81.148.0.157 1
  route Wireless_HHP 172.20.192.0 255.255.240.0 172.16.36.3 1
  route Wireless_HHP 172.20.224.0 255.255.240.0 172.16.36.2 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server HHP protocol ldap
  aaa-server HHP (inside) host 192.168.168.2
  timeout 5
  ldap-base-dn dc=hhp,dc=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *
  ldap-login-dn cn=gramor,cn=users,dc=hhp,dc=com
  server-type microsoft
  aaa-server HHP_1 protocol ldap
  aaa-server HHP_1 (inside) host 192.168.168.2
  timeout 5
  ldap-base-dn dc=hhp,dc=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *
  ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
  server-type microsoft
  aaa-server HHP_3 protocol ldap
  aaa-server HHP_3 (inside) host 192.168.168.2
  timeout 5
  ldap-base-dn dc=hhp,dc=com
  ldap-scope subtree
  ldap-naming-attribute sAMAccountName
  ldap-login-password *
  ldap-login-dn cn=administrator,cn=users,dc=hhp,dc=com
  server-type microsoft
  aaa authentication ssh console LOCAL
  aaa authentication http console LOCAL
  http server enable
  http 192.168.1.0 255.255.255.0 inside
  http 192.168.168.0 255.255.255.0 inside
  http 0.0.0.0 0.0.0.0 outside
  http 194.83.245.242 255.255.255.255 outside
  http 187.187.1.72 255.255.255.255 CNES
  http 187.187.10.90 255.255.255.255 CNES
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set pfs group1
  crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto dynamic-map outside_map_dynamic 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 1 match address outside_cryptomap
  crypto map outside_map 1 set peer 81.136.160.237
  crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 30001 ipsec-isakmp dynamic outside_map_dynamic
  crypto map outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
  crypto map outside_map interface outside
  crypto ca trustpoint ASDM_TrustPoint0
  enrollment terminal
  fqdn none
  subject-name O=Hebridean Housing Partnership Limited,CN=secure-access.hebrideanhousing.co.uk,L=Isle of Lewis,ST=Scotland,C=GB
  keypair SSL_Certificate
  crl configure
  crypto ca trustpoint ASDM_TrustPoint1
  enrollment terminal
  fqdn none
  crl configure
  crypto ca certificate chain ASDM_TrustPoint0
  certificate 0100000000012790a5c005
      30820530 30820418 a0030201 02020b01 00000000 012790a5 c005300d 06092a86
      4886f70d 01010505 00306a31 23302106 0355040b 131a4f72 67616e69 7a617469
      6f6e2056 616c6964 6174696f 6e204341 31133011 06035504 0a130a47 6c6f6261
      6c536967 6e312e30 2c060355 04031325 476c6f62 616c5369 676e204f 7267616e
      697a6174 696f6e20 56616c69 64617469 6f6e2043 41301e17 0d313030 33323431
      34313835 385a170d 31333033 32343134 31383534 5a308197 310b3009 06035504
      06130247 42311130 0f060355 04081308 53636f74 6c616e64 31163014 06035504
      07130d49 736c6520 6f66204c 65776973 312e302c 06035504 0a132548 65627269
      6465616e 20486f75 73696e67 20506172 746e6572 73686970 204c696d 69746564
      312d302b 06035504 03132473 65637572 652d6163 63657373 2e686562 72696465
      616e686f 7573696e 672e636f 2e756b30 82012230 0d06092a 864886f7 0d010101
      05000382 010f0030 82010a02 82010100 def181d9 c34c58a8 9abcc849 7d8ad0a9
      3c64c77f f3126c81 30911f41 5903a92c 81fb374b 2fe2680e 10b26dce 81ca0c23
      af2c9f9a 52295e8c d2223fa6 7c4c386d 51c6fb16 a47688e6 e47e2410 b0283503
      fd72abd3 e59d3b02 cd47706e babf948c 4e0282a3 5f789ff7 8041b2db ceac64eb
      3e163b38 3a8ecc25 0c4802a8 d17fecd9 f1a36288 29202df4 b20ae891 f95ce055
      6e670559 3d075024 7f3ac7ef 26218154 a7f6a399 34c43c4a 97c2c88c c4588ee4
      77cc2ad8 b1bd868d d55c2b9b 727e9904 66d0fb52 c212abd7 a06f28f1 ad2aa04b
      3d7b3094 c59c00d4 cf51fefb d8bfa101 8ba9c4ba 5cf629ff c50716d3 71019a98
      8fa55b83 6b158b6d 1043f092 646ef07d 02030100 01a38201 a7308201 a3301f06
      03551d23 04183016 80147d6d 2aec66ab a75136ab 0269f170 8fc4590b 9a1f3049
      06082b06 01050507 0101043d 303b3039 06082b06 01050507 3002862d 68747470
      3a2f2f73 65637572 652e676c 6f62616c 7369676e 2e6e6574 2f636163 6572742f
      6f726776 312e6372 74303f06 03551d1f 04383036 3034a032 a030862e 68747470
      3a2f2f63 726c2e67 6c6f6261 6c736967 6e2e6e65 742f4f72 67616e69 7a617469
      6f6e5661 6c312e63 726c301d 0603551d 0e041604 14d398d5 ddf29355 15b04750
      baccc6b3 0f97a6c9 94302f06 03551d11 04283026 82247365 63757265 2d616363
      6573732e 68656272 69646561 6e686f75 73696e67 2e636f2e 756b3009 0603551d
      13040230 00300e06 03551d0f 0101ff04 04030205 a0302906 03551d25 04223020
      06082b06 01050507 03010608 2b060105 05070302 060a2b06 01040182 370a0303
      304b0603 551d2004 44304230 4006092b 06010401 a0320114 30333031 06082b06
      01050507 02011625 68747470 3a2f2f77 77772e67 6c6f6261 6c736967 6e2e6e65
      742f7265 706f7369 746f7279 2f301106 09608648 0186f842 01010404 030206c0
      300d0609 2a864886 f70d0101 05050003 82010100 8af3be01 c4830d83 9b347355
      de7496ef bd76b86c ee92f32f 1157ef11 6ad949b6 611537ad 81f06408 73ec6fe2
      6466675c cf31a80f bead422d ec574f95 55fe0b7a 97e271e7 0220c7b1 53376843
      ff7f7280 f9bfdee6 3584e123 00c37d9f 5004b766 9469ead5 f002744c fd50271c
      6bcdb54c e5db85aa 9760a330 d72464a2 bc8ecdff d80bbc27 7551e97c ee9b7078
      9207f9d6 b969a47a 6df722b6 14ce803d 8d4bb9e9 4695e8e6 d453950e 06506594
      ec7652ea 365cdf94 90e2f7ee 855dadb5 c0459d73 bb6d01a8 3c076718 7f80de40
      c5eb9e0e 17c93087 fd5c5fc1 fd6401fe 7e5038b1 3da1d250 01ccd8be 964d5557
      b320c4c1 0015d1b7 daad7527 930b0c90 7711704f
    quit
  crypto ca certificate chain ASDM_TrustPoint1
  certificate ca 0400000000011e44a5f52a
      30820467 3082034f a0030201 02020b04 00000000 011e44a5 f52a300d 06092a86
      4886f70d 01010505 00305731 0b300906 03550406 13024245 31193017 06035504
      0a131047 6c6f6261 6c536967 6e206e76 2d736131 10300e06 0355040b 1307526f
      6f742043 41311b30 19060355 04031312 476c6f62 616c5369 676e2052 6f6f7420
      4341301e 170d3037 30343131 31323030 30305a17 0d313730 34313131 32303030
      305a306a 31233021 06035504 0b131a4f 7267616e 697a6174 696f6e20 56616c69
      64617469 6f6e2043 41311330 11060355 040a130a 476c6f62 616c5369 676e312e
      302c0603 55040313 25476c6f 62616c53 69676e20 4f726761 6e697a61 74696f6e
      2056616c 69646174 696f6e20 43413082 0122300d 06092a86 4886f70d 01010105
      00038201 0f003082 010a0282 010100a1 2fc4bcce 8703e967 c189c8e5 93fc7db4
      ad9ef663 4e6ae89c 2c7389a2 01f48f21 f8fd259d 58166d86 f6ee4957 757e75ea
      22117e3d fbc74241 dcfcc50c 9155807b eb64331d 9bf9ca38 e9abc625 43512540
      f4e47e18 556aa98f 103a401e d65783ef 7f2f342f 2dd2f653 c2190db7 edc981f5
      462cb423 425e9d13 0375ecea 6afc577c c936973b 98dc1313 ecec41fa 5d34eab9
      93e71016 65cc9c92 fdf5c59d 3e4ab909 fce45f1e 695f4df4 567244b1 1d2303c8
      36f66588 c8bf3916 458e1e26 6c5116c5 2a0038c5 a4136995 7dab013b a8c414b4
      80daac1a 4420d5fe a9067b14 27afe030 21dd90f4 a9d52319 2e1e03e6 c1df9529
      e4c19443 dd3e90aa cb4bc9be 8ad33902 03010001 a382011f 3082011b 300e0603
      551d0f01 01ff0404 03020106 30120603 551d1301 01ff0408 30060101 ff020100
      301d0603 551d0e04 1604147d 6d2aec66 aba75136 ab0269f1 708fc459 0b9a1f30
      4b060355 1d200444 30423040 06092b06 010401a0 32011430 33303106 082b0601
      05050702 01162568 7474703a 2f2f7777 772e676c 6f62616c 7369676e 2e6e6574
      2f726570 6f736974 6f72792f 30330603 551d1f04 2c302a30 28a026a0 24862268
      7474703a 2f2f6372 6c2e676c 6f62616c 7369676e 2e6e6574 2f726f6f 742e6372
      6c301106 09608648 0186f842 01010404 03020204 30200603 551d2504 19301706
      0a2b0601 04018237 0a030306 09608648 0186f842 0401301f 0603551d 23041830
      16801460 7b661a45 0d97ca89 502f7d04 cd34a8ff fcfd4b30 0d06092a 864886f7
      0d010105 05000382 01010079 47fc15d7 4c79df0f 7a9eced4 7c4b63c9 89b57b3f
      9912e89c 8c9a492f e04e954a edc7bcbe f1a2db8e 931dba71 54aa4bd9 89222487
      c504a8ac 8252a052 f8b8e14f a1276663 214a39e7 c7c54e5f b2d61d13 6d30e9ce
      d7a21cbc 290a733c 5b2349fe d6ffcab0 4ff5f267 98c04711 f8b748a6 9009d642
      beeab1b9 5342c39c 20c9fba1 5bb5566d 8781c860 acc4b972 270a8e1e a8b12ecd
      32a27857 b09cf895 bb438e8c 31866e53 0dc61205 ba416ea8 35300918 1d0261ff
      fdee35de 6ac33bd0 4d4b4e50 b256360c 445dda1a 652ae698 56a96333 2e04e7ae
      e8f48eb7 b2da7dc0 c8e2aea6 282fe3c9 73bdfc07 4134b7aa 6eeea7db d1933ced
      90ec3292 88d9c823 6c7421
    quit
  crypto isakmp identity hostname
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 2
  lifetime 86400
  crypto isakmp policy 30
  authentication pre-share
  encryption 3des
  hash sha
  group 1
  lifetime 86400
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh 187.187.1.41 255.255.255.255 inside
  ssh 187.187.1.72 255.255.255.255 inside
  ssh 187.187.77.81 255.255.255.255 inside
  ssh 187.187.10.19 255.255.255.255 inside
  ssh 187.187.10.229 255.255.255.255 inside
  ssh 187.187.160.7 255.255.255.255 inside
  ssh 187.187.1.41 255.255.255.255 outside
  ssh 187.187.1.72 255.255.255.255 outside
  ssh 187.187.77.81 255.255.255.255 outside
  ssh 187.187.10.19 255.255.255.255 outside
  ssh 187.187.10.229 255.255.255.255 outside
  ssh 187.187.160.7 255.255.255.255 outside
  ssh timeout 15
  console timeout 0
  vpdn group BT request dialout pppoe
  vpdn group BT localname B*******.btclick.com
  vpdn group BT ppp authentication chap
  vpdn username B*******@hg39.btclick.com password *********
  dhcpd auto_config outside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  ssl trust-point ASDM_TrustPoint0 outside
  ssl trust-point ASDM_TrustPoint0 outside vpnlb-ip
  webvpn
  enable inside
  enable outside
  group-policy HHP_Remote_Access_1 internal
  group-policy HHP_Remote_Access_1 attributes
  wins-server value 192.168.168.2 192.168.168.2
  dns-server value 192.168.168.2 192.168.168.3
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value CNES_Support_splitTunnelAcl
  group-policy HHP_Remote_Access internal
  group-policy HHP_Remote_Access attributes
  wins-server value 192.168.168.2 192.168.168.2
  dns-server value 192.168.168.2 192.168.168.3
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value CNES_Support_splitTunnelAcl
  group-policy Omfax internal
  group-policy Omfax attributes
  wins-server value 192.168.168.2 192.168.168.3
  dns-server value 192.168.168.2 192.168.168.3
  vpn-tunnel-protocol IPSec webvpn
  webvpn
    svc ask none default webvpn
  group-policy MIS_1 internal
  group-policy MIS_1 attributes
  wins-server value 192.168.168.2 192.168.168.3
  dns-server value 192.168.168.2 192.168.168.3
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value MIS_splitTunnelAcl
  default-domain value hhp.com
  group-policy RemoteAccess internal
  group-policy RemoteAccess attributes
  wins-server value 192.168.168.2 192.168.168.3
  dns-server value 192.168.168.2 192.168.168.3
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value RemoteAccess_splitTunnelAcl
  group-policy CNES_Access internal
  group-policy CNES_Access attributes
  wins-server value 192.168.168.2 192.168.168.3
  dns-server value 192.168.168.2 192.168.168.3
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value CNES_Support_splitTunnelAcl
  group-policy HHP internal
  group-policy HHP attributes
  dhcp-network-scope none
  vpn-access-hours none
  vpn-idle-timeout none
  vpn-session-timeout none
  vpn-filter none
  vpn-tunnel-protocol IPSec webvpn
  password-storage disable
  ip-comp disable
  re-xauth disable
  group-lock none
  pfs disable
  ipsec-udp disable
  split-tunnel-policy tunnelall
  split-tunnel-network-list none
  split-dns none
  secure-unit-authentication disable
  user-authentication disable
  user-authentication-idle-timeout none
  ip-phone-bypass disable
  leap-bypass disable
  nem disable
  backup-servers keep-client-config
  client-firewall none
  webvpn
    url-list value Severs
    filter none
    homepage none
    port-forward disable
    http-proxy disable
    sso-server none
    svc dtls none
    svc keep-installer none
    svc rekey time none
    svc rekey method none
    svc dpd-interval client none
    svc dpd-interval gateway none
    svc compression none
    svc modules none
    svc profiles none
    svc ask none default webvpn
    customization none
    http-comp none
    user-storage none
    storage-key none
    hidden-shares none
    smart-tunnel disable
    activex-relay disable
    file-entry disable
    file-browsing disable
    url-entry disable
    deny-message none
  group-policy MIS internal
  group-policy MIS attributes
  wins-server value 192.168.168.2 192.168.168.3
  dns-server value 192.168.168.2 192.168.168.3
  vpn-tunnel-protocol IPSec
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value MIS_splitTunnelAcl
  username test password Kg/Rgy23do7gPGTv encrypted privilege 0
  username test attributes
  vpn-group-policy HHP_Remote_Access
  username catneil password yOgiHCGobUNIkjcN encrypted privilege 0
  username omfax password pvUaCLwilGmQVifd encrypted privilege 0
  username backup password IHQbl.JAoESlM9Jv encrypted privilege 0
  username misadmin password 8IZXmHa67HIJYHK1 encrypted
  username misadmin attributes
  service-type remote-access
  username gramor password ne829U0rGFVEedhY encrypted privilege 15
  username gramor attributes
  vpn-group-policy HHP_Remote_Access
  webvpn
    url-list value Severs
  username aim_user password 5OQaWCdB18qiHlOn encrypted privilege 0
  username aim_user attributes
  vpn-group-policy CNES_Support
  username katask password 2WsX.HoqKXuiqkDk encrypted privilege 0
  username katask attributes
  vpn-group-policy CNES_Support
  username janboyd password ZEUyykwzME6hII2i encrypted privilege 0
  username marmor password C5n48AiRLXwxAeBQ encrypted privilege 0
  username marste password amwTL584WdiT87Tb encrypted privilege 0
  username helmah password RvU8c.3w0H3/MJz4 encrypted privilege 0
  username anglea password wGlUJDBrmJI.uz./ encrypted privilege 0
  username anglea attributes
  vpn-group-policy CNES_Support
  username fiobuc password 5Uispw90wqvDYerQ encrypted privilege 0
  tunnel-group DefaultRAGroup general-attributes
  authentication-server-group HHP_1
  tunnel-group DefaultWEBVPNGroup general-attributes
  authentication-server-group HHP_1
  default-group-policy HHP
  tunnel-group DefaultWEBVPNGroup webvpn-attributes
  nbns-server 192.168.168.2 timeout 2 retry 2
  nbns-server 192.168.168.3 timeout 2 retry 2
  tunnel-group WebVPN type remote-access
  tunnel-group WebVPN general-attributes
  authentication-server-group HHP_3
  default-group-policy HHP
  username-from-certificate UID
  tunnel-group CNES_Access

• LMS , AAA via Radius and cisco AV pair

  We are trying to authenticate users on a Ciscoworks LMS server 2.6 using Radius.
  Is there a radius vendor specific attribute that can be used to make the authenticated user part of the admin groups ?
  Ex : a Cisco-AV-pair , ?LMS?:groups="Network Administrator"
  I have tried a few, but none seem to work. And i havent found documentation on this.

  No, It is pure authentication that is done.
  There is not way to select a role in LMS based on an AV pair.
  With tacacs+ something like that is possible.
  Cheers,
  Michel

• Connection issue between Cisco 515 Pix and Cisco 1841 router

  Hi,
  I am having a problem getting a Cisco Pix 515 communicating to a Cisco 1841. I am currently studying for CCNA so forgive me if it's obvious to the rest of you where the problem lies.
  The client currently has an ISDN service which is being moved over to a 2MB E1 connection.
  I have configured the 1841 router with G.703 WIC according to the information given to me by the ISP. I have configured the 1841 to have the same internal IP as the ISDN Cisco 800 series router, hoping for a simple swap over. The Pix 515 sits behind the ISDN at present and will be behind the 1841 when it is active.
  Once I unplug the 800 series ISDN router and plug the 1841 into the pix, I cannot get any response what so ever. I have tried changing the ethernet connection speeds between the pix and 1841 hoping it would be as simple as that without success. Can't get ping responses from either end but I can when the ISDN service is plugged in. Both ISDN and E1 link are supplied by the same ISP, Telstra Australia and the fixed IP's are able to move over to the E1 service.
  I have not touched the pix in any way. A seperate company configured the router a couple of years ago.
  I have included the configurations of the existing ISDN, Pix and the 1841 for you to review. Any advise/solutions would be greatly appreciated.
  Thanks in Advance,

  Hi,
  The outside interface on your PIX is configured as 10BaseT which would be fine when using the original 800 series ISDN router.
  Now with your new 1841, the interface that the PIX connects to is Fast Ethernet so you need to change your outside interface on the PIX to the same
  If you want to use auto negotiation between the PIX and router then the command to do this on the PIX is
  interface ethernet0 auto
  I recommend using hard coded settings between the PIX and router and the command to do this on this PIX is
  interface ethernet0 100full
  You will also need to change your router as:
  interface FastEthernet0/0
  speed 100
  duplex full
  If you can't configure the PIX as you mentioned an external company did it, then i guess you could change your Fast Ethernet interface to "speed 10", "duplex half".
  This won't create a bottleneck as you only have a 2 MB connection to your ISP
  Everything else looks good, don't worry about asking questions on the forum, this is what its for.
  HTH
  Paddy

• IPSEC between Netscreen SSG-140 and Cisco 3640 Router

  The symptoms are that the NS will try to build the IKE session and time out. Even with the Cisco debugging enabled I get no IKE nor IPSEC SA trying to build on the 3640. What am I doing wrong or what can I try?
  Enclosed is the configuration and a brief description of my environment.
  172.30.0.0/16 -> 172.30.20.254 | Netscreen SSG-140 | 192.168.1.254 -> private net -> 192.168.3.5 | 3640 | 172.20.0.220 -> 172.20.0.0/16
  The configurations are enclosed

  Hi
  I think you need to apply the crypto map to the interface FastEthernet0/0.
  crypto map nsmap
  Please rate if this helps.
  Regards MJ

• VPN between WRVS4400N and CISCO 857 router

  Hi ALL,
  Am trying to VPN the two and have setup the WRVS4400N side using IPSec (seems easy enough). Has anyone any experience on the 857 router side? Would you kindly show how that can be configured? Or just point me to any good source doing it will be good too. Thanks!

  ip nat inside source route-map nonat interface FastEthernet0 overload
  access-list 110 deny ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  access-list 110 permit ip 10.20.10.0 0.0.0.255 any
  route-map nonat permit 10
  match ip address 110
  or better (if you have for example the IP public 1.2.3.5)
  ip nat pool 1.2.3.5 1.2.3.5 1.2.3.5 prefix-length 30
  ip nat inside source list nat-to-internet pool 1.2.3.5 overload
  ip access-list extended nat-to-internet
  deny   ip 10.20.10.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit ip 10.20.10.0 0.0.0.255 any
  deny   ip any any

• Safari 6.0.1/OS X 10.8.2 and Cisco RV180 router

  Safari 6.0.1 does not work with this router. The "run setup wizard" does not work. Firefox works fine.

  Hi Petteri,
  Could it be this:
  CSCtz59747 Unable to establish a connection when OSX 10.7 has ISATAP setup
  i.e. do you haev ISATAP configured on the Mac?
  Herbert

• Cisco IP 7960 and Cisco Router 2611....

  Greetings,
  I currently have 2 IP phones and a 2611 series router running 2600-ik902s2-mz.122-15.t5 IOS... Can anyone point me in the right direction on where/or how to start building a mini voice network? Any links, tutorials, info, advice would be greatly appreciated.
  Thanks,
  Gabe

  Hi
  The best thing to setup a mini voip network would be to use the ITS solution where your IP phones will register directly with the 2611 router. The 2611 would act as a mini call manager where these ip phones talk to the router through skinny protocol and your outgoing calls can still go out through your FXO or digital port to the PSTN.
  I would suggest to review the following doc. It is fairly complete.
  http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide_book09186a008017fd13.html
  If you dont have voice mail, you dont have to worry about that. The above URL is for ITS version 2.1. If you want to run the lates ITS version (3.0) you would need 12.2.15ZJ1 IOS on the router and the information can be found at:
  http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide_book09186a00801812e4.html
  Hope that helps.

• Cisco 877W router and external ADSL modem

  Cisco 877W router and external ADSL modem
  In order to support ADSL2+ on a pre ADSL2+ router and in preparation for a later migration to BT infinity I am trying to configure the Router using an external adsl2+ modem appropriately.
  The original configuration had 3 ports configured as one (internal lan) vlan and bridge group together with one wireless sub-interface, the remaining port configured a second vlan and bridge group with a second wireless sub- interface. The Dialer was a member of the second bridge group. This way the second wireless interface and associated bridge group provided a kind of DMZ for outbound access.
  The configuration I am attempting is similar the lan ports remain the same, but port 0 as a member of the vlan and bridge group (now a pppoe client) associated with one of the wireless sub interfaces as per above. The ATM interface is downed. This nearly works except that if the wireless subinterface on this bridge group is configured the dialer no longer dials giving a 'no dialer string' error. If I do not configure that wireless sub interface all works well.
  If anyone is interested to look I would appreciate any comments. I enclose a sanitised config in which you will note the 'commented out' wireless subnet interface (in red).
  version 12.4
  no service pad
  service tcp-keepalives-in
  service tcp-keepalives-out
  service timestamps debug datetime msec localtime show-timezone
  service timestamps log datetime msec localtime show-timezone
  service password-encryption
  service sequence-numbers
  hostname xxxxxxxxxxxxxxxxxxxxx
  boot-start-marker
  boot-end-marker
  logging buffered 4096 warnings
  enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
  aaa new-model
  aaa group server radius sdm-vpn-server-group-2
  aaa group server radius rad_eap
   server 192.168.253.1 auth-port 1812 acct-port 1813
   server 192.168.253.1 auth-port 1645 acct-port 1646
  aaa group server radius rad_mac
  aaa group server radius rad_acct
  aaa group server radius rad_admin
  aaa group server tacacs+ tac_admin
  aaa group server radius rad_pmip
  aaa group server radius dummy
  aaa authentication login default local
  aaa authentication login sdm_vpn_xauth_ml_2 group sdm-vpn-server-group-2
  aaa authentication login eap_methods group rad_eap
  aaa authentication login mac_methods local
  aaa authorization exec default local
  aaa authorization ipmobile default group rad_pmip
  aaa authorization network sdm_vpn_group_ml_2 local
  aaa accounting network acct_methods start-stop group rad_acct
  aaa session-id common
  clock timezone PCTime 0
  clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
  crypto pki trustpoint TP-self-signed-2834265337
   enrollment selfsigned
   subject-name cn=IOS-Self-Signed-Certificate-2834265337
   revocation-check none
   rsakeypair TP-self-signed-2834265337
  crypto pki certificate chain TP-self-signed-2834265337
   certificate self-signed 01 nvram:IOS-Self-Sig#2F.cer
  dot11 syslog
  dot11 ssid GuestAP
     vlan 101
     authentication open
     authentication key-management wpa
     mbssid guest-mode
     wpa-psk ascii 7 113B162712001F4A2D2B25
  dot11 ssid LanAP
     vlan 100
     authentication open eap eap_methods
     authentication network-eap eap_methods
     authentication key-management wpa
     mbssid guest-mode
  no ip source-route
  ip cef
  no ip dhcp use vrf connected
  ip dhcp excluded-address 10.10.10.1
  ip dhcp excluded-address 192.168.252.1 192.168.252.8
  ip dhcp excluded-address 192.168.252.15 192.168.252.254
  ip dhcp pool sdm-pool1
     import all
     network 192.168.252.0 255.255.255.0
     domain-name XXX.Local
     dns-server xxx.xxx.xxx.xxx
     default-router 192.168.252.254
  ip auth-proxy max-nodata-conns 3
  ip admission max-nodata-conns 3
  no ip bootp server
  no ip domain lookup
  ip domain name XXX.Local
  ip name-server xxx.xxx.xxx.xxx
  ip name-server xxx.xxx.xxx.xxx
  ip reflexive-list timeout 120
  vpdn enable
  vpdn-group 1
   request-dialin
    protocol pppoe
  username administrator privilege 15 secret 5 £££££££££££££££££££££
  class-map type inspect match-any IN_to_OUT_CLASS
   match protocol tcp
   match protocol udp
   match protocol icmp
  class-map type inspect match-any OUT_to_IN_CLASS
   match protocol https
   match protocol smtp extended
  class-map type inspect match-any DMZ_to_IN_CLASS
   match protocol http
   match protocol https
   match protocol smtp extended
  policy-map type inspect DMZ_to_IN_POL
   class type inspect DMZ_to_IN_CLASS
    inspect
   class class-default
    drop log
  policy-map type inspect IN_to_OUT_POL
   class type inspect IN_to_OUT_CLASS
    inspect
   class class-default
    drop log
  policy-map type inspect OUT_to_IN_POL
   class type inspect OUT_to_IN_CLASS
    inspect
   class class-default
    drop log
  zone security INSIDE
  zone security OUTSIDE
  zone security DMZ
  zone-pair security OUT_TO_IN source OUTSIDE destination INSIDE
   service-policy type inspect OUT_to_IN_POL
  zone-pair security IN_TO_OUT source INSIDE destination OUTSIDE
   service-policy type inspect IN_to_OUT_POL
  zone-pair security DMZ_TO_OUT source DMZ destination OUTSIDE
   service-policy type inspect IN_to_OUT_POL
  zone-pair security DMZ_TO_IN source DMZ destination INSIDE
   service-policy type inspect DMZ_to_IN_POL
  bridge irb
  interface Loopback0
   no ip address
  interface Null0
   no ip unreachables
  interface ATM0
   no ip address
   shutdown
   no atm ilmi-keepalive
   dsl operating-mode auto
  interface FastEthernet0
   description Outside Interface (PPPoE)
  interface FastEthernet1
   description Inside Interface
   switchport access vlan 10
  interface FastEthernet2
   description Inside Interface
   switchport access vlan 10
   spanning-tree portfast
  interface FastEthernet3
   description Inside Interface
   switchport access vlan 10
   spanning-tree portfast
  interface Dot11Radio0
   no ip address
   no ip route-cache cef
   no ip route-cache
   encryption vlan 100 mode ciphers aes-ccm tkip
   encryption vlan 101 mode ciphers aes-ccm tkip
   ssid GuestAP
   ssid LanAP
   mbssid
   speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
   channel 2437
   station-role root
  interface Dot11Radio0.100
   description LanAP
   encapsulation dot1Q 100
   no ip route-cache
   no cdp enable
   bridge-group 10
   bridge-group 10 subscriber-loop-control
   bridge-group 10 spanning-disabled
   bridge-group 10 block-unknown-source
   no bridge-group 10 source-learning
   no bridge-group 10 unicast-flooding
  !interface Dot11Radio0.101
  ! description GuestAP
  ! encapsulation dot1Q 101
  ! no ip route-cache
  ! no cdp enable
  ! bridge-group 1
  ! bridge-group 1 subscriber-loop-control
  ! bridge-group 1 spanning-disabled
  ! bridge-group 1 block-unknown-source
  ! no bridge-group 1 source-learning
  ! no bridge-group 1 unicast-flooding
  interface Vlan1
   description $ES_LAN$
   no ip address
   ip virtual-reassembly
   pppoe enable group global
   pppoe-client dial-pool-number 1
   bridge-group 1
  interface Vlan10
   no ip address
   ip virtual-reassembly
   bridge-group 10
  interface Dialer1
   description $FW_OUTSIDE$
   ip address negotiated
   no ip redirects
   no ip unreachables
   no ip proxy-arp
   ip mtu 1452
   ip nat outside
   ip virtual-reassembly
   zone-member security OUTSIDE
   encapsulation ppp
   ip route-cache flow
   dialer pool 1
   dialer-group 1
   ppp authentication chap pap callin
   ppp chap hostname XXXXXXX
   ppp chap password 7 xxxxxxxxxxxxxxxxxxx
   ppp pap sent-username xxxxxxxxxxxxxxxxxx password 7 xxxxxxxxxxxxxxxxxxxxx
   ppp ipcp dns request
   ppp ipcp wins request
   hold-queue 224 in
  interface Dialer0
   no ip address
  interface BVI10
   description Inside Interface
   ip address 192.168.253.254 255.255.255.0
   ip access-group 101 in
   ip helper-address 192.168.253.1
   ip nat inside
   ip virtual-reassembly
   zone-member security INSIDE
  interface BVI1
   description DMZ Interface
   ip address 192.168.252.254 255.255.255.0
   ip nat inside
   ip virtual-reassembly
   zone-member security DMZ
  ip local pool SDM_POOL_1 192.168.20.9 192.168.20.14
  ip forward-protocol nd
  ip route 0.0.0.0 0.0.0.0 Dialer1
  ip http server
  ip http access-class 1
  ip http authentication local
  ip http secure-server
  ip http timeout-policy idle 600 life 86400 requests 10000
  ip nat inside source list Inside_Clients_NAT interface Dialer1 overload
  ip nat inside source static 192.168.253.10 xxx.xxx.xxx.xxx
  ip access-list extended DMZ_to_IN_POL
   remark SDM_ACL Category=128
   permit ip any any
  ip access-list extended Inside_Clients_NAT
   remark SDM_ACL Category=2
   permit ip 192.168.253.0 0.0.0.255 any
  logging 192.168.253.10
  access-list 1 remark Auto generated by SDM Management Access feature
  access-list 1 remark SDM_ACL Category=1
  access-list 1 permit 192.168.253.0 0.0.0.255
  access-list 100 remark VTY Access-class list
  access-list 100 remark SDM_ACL Category=1
  access-list 100 permit ip 192.168.253.0 0.0.0.255 any
  access-list 100 deny   ip any any
  access-list 101 remark Auto generated by SDM Management Access feature
  access-list 101 remark SDM_ACL Category=1
  access-list 101 remark Auto generated by SDM for NTP (123) xxx.xxx.xxx.xxx
  access-list 101 permit udp host xxx.xxx.xxx.xxx eq ntp host 192.168.253.254 eq ntp
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq telnet
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 22
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq www
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq 443
  access-list 101 permit tcp 192.168.253.0 0.0.0.255 host 192.168.253.254 eq cmd
  access-list 101 deny   tcp any host 192.168.253.254 eq telnet
  access-list 101 deny   tcp any host 192.168.253.254 eq 22
  access-list 101 deny   tcp any host 192.168.253.254 eq www
  access-list 101 deny   tcp any host 192.168.253.254 eq 443
  access-list 101 deny   tcp any host 192.168.253.254 eq cmd
  access-list 101 deny   udp any host 192.168.253.254 eq snmp
  access-list 101 permit ip any any
  access-list 199 permit ip any host 10.1.1.1
  dialer-list 1 protocol ip permit
  no cdp run
  radius-server attribute 32 include-in-access-req format %h
  radius-server host 192.168.253.1 auth-port 1812 acct-port 1813 key 7 XXXXXXXXXXXXXXXXXX
  radius-server host 192.168.253.1 auth-port 1645 acct-port 1646 key 7 XXXXXXXXXXXXXXXXXX
  radius-server vsa send accounting
  control-plane
  bridge 1 protocol ieee
  bridge 1 route ip
  bridge 10 protocol ieee
  bridge 10 route ip
  banner login C Border Router
  line con 0
   no modem enable
   transport output telnet
  line aux 0
   transport output telnet
  line vty 0 4
   access-class 100 in
   privilege level 15
   length 0
   transport input telnet ssh
  scheduler max-task-time 5000
  scheduler interval 500
  ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
  ntp server xxx.xxx.xxx.xxx source Dialer0 prefer
  sntp server xxx.xxx.xxx.xxx
  end

  Hi Jody,
  Apologies delay in replying. I have done the following:
  Made two of the FE ports vlan1,BVI1 (for LAN traffic)
  Left one port as VLAN10 as the pppoe client conected to the externalmodem
  Made the last port VLAN10 as well and gave it an IP addess as for a DMZ client.
  I have DHCP configured to serve the DMZ  addresses.
  This all works for LAN clients and also works for a client attachedto that physical DMZ port.
  When I added a dot11radio sub interface into VLAN 10 the wireless client did not get an IP lease. Everything else continued to work.
  I had never thought about this before, but if a dot11radio interface is on the same vlan (but not being part ofa bridge group) why are DHCP broadcasts not propogating to all the vlan members as I would have expected. I recognise that this isa limit in my understanding.
  If I then made VLAN10 a member of a new Bridge Group, I lost WAN connectivity as per original posting.
  I cannot add another VLAN due to the 2 vlan limit in this image.
  Finally regarding your comment about giving it what it wants, what exactly did you have in mind. The dialer already has a dial string parameters configured.
  Think I am about to give upon this.
  Regards,

• Turn Cisco 877 Router into RADIUS Server?

  Hi Guys,
  I was just wondering if it was possible to turn a cisco 887 Router into a RADIUS Server. What i wanted to do was setup my wireless AP to authenticate using RADIUS, but didn't want to setup another server for the purpose.
  Any ideas?
  Thanks
  Peter

  Nope, but you can turn a wireless AP into a radius server your AP could be the client and the server at the same time
  P.S. Cisco autonomous AP that is

• VPN Client and AAA services on a Cisco ISR Router

  Hi, my name is Jim, and I was just promoted as a trainer for the company I work for.  Part of my new challenge is understanding how the configuration files in both my Terminal Services/VPN Router and Core Router work, so for many of you, these questions are going to seem very fundamental, but please help, I am an instructor in training.  I hold a CCNA, CCNA-Wireless, and a CCSI cert, but I have little working experience in building and maintaining a lab....hence the need for this inquiry.
  So to my questions. In our lab environment, we have a router that acts as our terminal services router and VPN router.  Each laptop that connects to the lab has the Cisco VPN client loaded onto it, as well as my laptop that I teach from.  My questions are these:
  1.  What parts of the AAA output of the running configuration tell me how to configure the VPN clients on my laptops?
  2.  I am using crypto key generate RSA at 1024 bits on the VPN/TS router, so does that tell me how to configure some part of the client?
  3.  In our lab, we are going to use a direct connection to an AP to get connected to the network, and how will the absence of an Internet connection affect the settings on the VPN client, or will they?
  4.  Are there helpful articles I can read that will answer some or all of these questions? 
  Thanks in advance,
  Jim

  Hi Jim,
  congratulations
  Assuming a basic setup, your router will have something like this:
  crypto isakmp client configuration group MyGroup
    key cisco123
  So on the client, you configure it to use MyGroup as the group name, and cisco123 as the (group) password.
  I'm not sure I understand your question #3 and what you mean by "AP" (Access Point? So WiFi?). In any case you don't need Internet access per se, as long as you have network (IP) connectivity between the host running the vpnclient and the VPN router.
  Does this help?
  Herbert