Virtually L3-terminate an EoMPLS Tunnel on an ASR1000

Hi all,
I am trying to terminate an EoMPLS tunnel with a virtual L3 interface on an ASR1000 without any physical port interaction.
We need to send the traffic from subinterfaces of some PEs (7600 and ASR9k) to an ASR1000 which should use ISG functionality to authorize and bandwidth-limit the subscribers.
On the current setup we terminate the xconnects on a 7600 PE as well, and we send the traffic dot1q-tagged to the ISG, which is the L3 endpoint for the customers.
To make the switchover from a failed device easier, we now want to terminate everything on the ASR1000. In my understanding, this should be possible with an l2 vfi, with a configured bridge-domain with a BDI interface and an EoMPLS neighbor.
The config I tried on the ASR1000 looks like:
l2 vfi vfi50 manual
vpn id 50
bridge-domain 50
neighbor <PE IP> 103685 encapsulation mpls
interface BDI50
vrf forwarding ISG_TABLE
ip address <Service IP> <netmask>
ip helper-address <DHCP>
load-interval 30
The communication from the customer network to the DHCP works, and I can even ping the BDI interface IP, but I cannot get further to the internet. Pinging a public address from the BDI50 interface, however, works fine.
When I do a debug ip packet on that range, I can only see broadcast packets (which get forwarded to the helper address).
However, the MAC addresses, ARP tables and gateway on the client look good:
ar90.bie005.bb#sh bridge-domain 50
Bridge-domain 50 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 180 second(s)
    BDI50  (up)
    vfi vfi50 neighbor <PE IP> 103685
   MAC address    Policy    Tag     Age Pseudoport
   C84C.75E1.CEBF to_bdi  static      0 BDI50
   88AE.1DAA.502A forward dynamic   179 vfi50.1020017              #88AE.1DAA.502A = Lab Laptop
ar90.bie005.bb#sh xconnect all
XC ST  Segment 1                         S1 Segment 2                         S2
------+---------------------------------+--+---------------------------------+--
UP pri  vfi vfi50                        UP mpls <PE IP>:103685        UP
UP pri   bd 50                           UP  vfi vfi50                        UP
ar90.bie005.bb#sh ip arp vrf ISG_TABLE
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  <SERVICE Address>            -   c84c.75e1.cebf  ARPA   BDI50
Internet  <Lab Laptop IP>            0   88ae.1daa.502a  ARPA   BDI50
Am I missing something? Is there a limitation I am hitting? In most documents I found there was always a service instance on an interface involved, which is certainly missing here.
Thanks for any help!
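As an added example (not from the thread), a small Python script that parses the two show outputs quoted above and cross-checks each VRF ARP entry against the bridge-domain MAC table, reporting whether the MAC was learned locally on the BDI or over the VFI pseudowire. The sample text is constructed from the question's output, with the redacted <PE IP> and client addresses replaced by documentation-range placeholders.

```python
"""Cross-check a bridge-domain MAC table against the VRF ARP table.

Added example, not from the original thread. The sample outputs below are
constructed from the "sh bridge-domain 50" and "sh ip arp vrf ISG_TABLE"
output quoted in the question, with the redacted addresses replaced by
documentation-range placeholders (192.0.2.1 for <PE IP>, 198.51.100.x
for the service and client addresses).
"""
import re

BRIDGE_DOMAIN_OUTPUT = """\
Bridge-domain 50 (2 ports in all)
State: UP                    Mac learning: Enabled
Aging-Timer: 180 second(s)
    BDI50  (up)
    vfi vfi50 neighbor 192.0.2.1 103685
   MAC address    Policy    Tag     Age Pseudoport
   C84C.75E1.CEBF to_bdi  static      0 BDI50
   88AE.1DAA.502A forward dynamic   179 vfi50.1020017
"""

# Constructed: an Incomplete row is included to show the failure mode.
ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  198.51.100.1            -   c84c.75e1.cebf  ARPA   BDI50
Internet  198.51.100.10           0   88ae.1daa.502a  ARPA   BDI50
Internet  198.51.100.11           0   Incomplete      ARPA
"""

MAC_ROW_RE = re.compile(
    r"^\s*([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})"
    r"\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")
ARP_ROW_RE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+ARPA(?:\s+(\S+))?\s*$")
STATE_RE = re.compile(r"^State:\s+(\S+)\s+Mac learning:\s+(\S+)")
NEIGHBOR_RE = re.compile(r"^\s*vfi\s+(\S+)\s+neighbor\s+(\S+)\s+(\d+)")


def parse_bridge_domain(text):
    """Return state, learning flag, VFI neighbors and a MAC table keyed by lowercase MAC."""
    info = {"state": None, "mac_learning": None, "neighbors": [], "macs": {}}
    for line in text.splitlines():
        m = STATE_RE.match(line)
        if m:
            info["state"], info["mac_learning"] = m.groups()
            continue
        m = NEIGHBOR_RE.match(line)
        if m:
            vfi, peer, vcid = m.groups()
            info["neighbors"].append({"vfi": vfi, "peer": peer, "vcid": int(vcid)})
            continue
        m = MAC_ROW_RE.match(line)
        if m:
            mac, policy, tag, age, pseudoport = m.groups()
            info["macs"][mac.lower()] = {
                "policy": policy, "tag": tag, "age": int(age), "pseudoport": pseudoport}
    return info


def parse_arp(text):
    """Return the ARP rows; an Incomplete entry gets mac=None."""
    entries = []
    for line in text.splitlines():
        m = ARP_ROW_RE.match(line)
        if not m:
            continue
        ip, age, hw, iface = m.groups()
        entries.append({
            "ip": ip,
            "age": None if age == "-" else int(age),
            "mac": None if hw.lower() == "incomplete" else hw.lower(),
            "interface": iface})
    return entries


def cross_check(bd, arp_entries):
    """For each ARP entry, say whether its MAC is known to the bridge domain and how."""
    findings = {}
    for e in arp_entries:
        if e["mac"] is None:
            findings[e["ip"]] = {"status": "incomplete", "learned_via": None}
        elif e["mac"] not in bd["macs"]:
            findings[e["ip"]] = {"status": "not-in-bridge-domain", "learned_via": None}
        else:
            row = bd["macs"][e["mac"]]
            # A pseudoport named after the VFI means the MAC came in over the pseudowire.
            via = "pseudowire" if row["pseudoport"].startswith("vfi") else "local"
            findings[e["ip"]] = {"status": "ok", "learned_via": via,
                                 "pseudoport": row["pseudoport"], "age": row["age"]}
    return findings


if __name__ == "__main__":
    bd = parse_bridge_domain(BRIDGE_DOMAIN_OUTPUT)
    print(f"bridge-domain state={bd['state']} learning={bd['mac_learning']} "
          f"neighbors={bd['neighbors']}")
    for ip, f in cross_check(bd, parse_arp(ARP_OUTPUT)).items():
        print(f"{ip:16} {f['status']:22} via={f['learned_via']}")
```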

Hi,
yes, actually it should be fixed ;-)
It was a bug on the ASR (CSCub44215); it somehow had problems with that routed VPLS scenario with routes learned from MP-BGP.
I could verify the fix of the problem with an engineering release; however, I did not have time to check the functionality on software version 3.7.1.S / 15.2(4)S1, where the fix of the bug was implemented officially. But I'm very confident that it will work with that version as well.
Regards

Similar Messages

  • Should "ip virtual-reassembly" be enabled on Tunnel Interface?

    Hi,
    I know that NAT automatically turns on "ip virtual-reassembly".
    But I've also seen them on some configurations like:
    interface Virtual-Template1 type tunnel
    ip unnumbered GigabitEthernet0/1
    ip virtual-reassembly
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile VTI
    or
    interface tunnel 0
    ip virtual-reassembly
    Are they required on such scenarios?

    It's basically a command for an interface to prevent an attacker from flooding the buffer with incomplete fragment packets that the router keeps trying to reassemble, causing resource issues (memory etc.). This puts a threshold on the interface preventing that, whether physical or virtual. It depends on your network and its requirements whether you want to use it.

  • SNMP monitoring for EoMPLS virtual circuit

    I am looking to implement SNMP-based monitoring of an MPLS layer-2 tunnel. The desired result would be the same as the output from the following command:
    "sh mpls l2transport vc"
    I have configured the router to generate SNMP traps based on LDP changes, but this is not specific to the status of the EoMPLS tunnel.
    Thanks in advance.

    Polling these MIB values would accomplish your task.
    1) VC status <--> cpwVcOperStatus
    2) If you need outbound status <--> pwVcInboundOperStatus
    3) Inbound status <--> cpwVcOutboundOperStatus
    And here is the link to the list of MIB objects for L2VPN.
    http://www.cisco.com/en/US/products/ps6441/products_configuration_guide_chapter09186a00808194e1.html
    HTH-Cheers,
    Swaroop

  • CRS-1 support EoMPLS preferred tunnel selection ?

    Can anyone help me verify whether the CRS-1 supports the EoMPLS tunnel selection function? Or is this function only on the Cisco 12000 router?
    The IOS-XR configuration guide 3.6 has this function; I do not find any restriction.
    I checked the IOS-XR 3.7 config guide; it says:
    http://www.cisco.com/en/US/docs/ios_xr_sw/iosxr_r3.7/mpls/configuration/guide/gc37te.html#wp1325561
    The following PBTS functions are supported only on the Cisco XR 12000 Series Router:
    *L2VPN preferred path selection lets traffic be directed to a particular
    TE tunnel.
    So, I am not sure whether the CRS-1 supports it or not?
    Thanks for your help.
    Michael

    Hello Michael,
    it says:
    >>>The following PBTS functions are supported only on the Cisco XR 12000 Series Router:
    •L2VPN preferred path selection lets traffic be directed to a particular TE tunnel.
    •Both Interior Gateway Protocol (IGP) and Label Distribution Protocol (LDP) paths are used as the default path for all traffic that belongs to a class that is not configured on the TE tunnels.
    •According to the quality-of-service (QoS) policy, tunnel selection is based on the outgoing experimental (EXP) value and the remarked EXP value.
    •IPv6 traffic for both 6VPE and 6PE scenarios are supported.
    My understanding is that the feature is not supported on CRS-1
    Hope to help
    Giuseppe

  • EoMPLS and L2TPv3

    Good morning everyone... I was wondering if someone could help me out with this?
    I have set up a dev lab to test some stuff out before I go forward and move to production, but I have hit a brick wall...
    Here is a general setup diagram.
                             HQ_SW-CE
                                      |
                             HQ_RTR-PE
                   branch2_rtr     branch3_rtr
                           |                    |
                   BR2_SW-CE     BR3_SW-CE
    Here is the hardware:
    HQ-2811 with HWIC-4ESW ios adventerprisek9-mz.151-3.T1.bin
    Branch2-2811 ios adventerprisek9-mz.151-3.T1.bin
    Branch3-1841 ios advipservicesk9-mz.151-4.M.bin
    Switches are 3560G but in production will probably be 2960s and 2950s
    I started out with L2TPv3, which worked and did not work. If I go to the HQ_SW and show cdp and STP for VLAN 42, which is a MGMT vlan:
    HQ_SW>show cdp ne
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
                      D - Remote, C - CVTA, M - Two-port Mac Relay
    Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID
    HQ_RTR           Gig 0/2           178             R S I  2811      Fas 0/2/2
    HQ_RTR           Gig 0/1           157             R S I  2811      Fas 0/2/1
    BRANCH3_SW       Gig 0/2           129             R S I  WS-C3560G Gig 0/14
    BRANCH2_SW       Gig 0/1           130             R S I  WS-C3560G Gig 0/11
    HQ_SW>show spanning-tree vlan 42
    VLAN0042
      Spanning tree enabled protocol ieee
      Root ID    Priority    32810
                 Address     001e.79d1.c880
                 This bridge is the root
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
      Bridge ID  Priority    32810  (priority 32768 sys-id-ext 42)
                 Address     001e.79d1.c880
                 Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
                 Aging Time  300 sec
    Interface           Role Sts Cost      Prio.Nbr Type
    Gi0/1               Desg FWD 19        128.1    P2p
    Gi0/2               Desg FWD 19        128.2    P2p
    Now if I try to ping 172.42.1.2 (BRANCH 2 INT VLAN 42) I get nowhere...
    HQ_SW>ping 172.42.1.2
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.42.1.2, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    HQ_SW>ping 172.42.1.3
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 172.42.1.3, timeout is 2 seconds:
    Success rate is 0 percent (0/5)
    Also I have a mac address table, but the L2 MACs for the remote switches do not show up; ARPs for those IP addresses show up as incomplete as well.
    I switched to EoMPLS and had the same issue.
    What we are trying to do is set up a backup link for a server should a main link fail. The HQ router should be able to terminate MANY L2 tunnels. Basically I see the HQ_PE router almost like a switch: interface 1 will go to NY, int 2 will go to Chicago, int 3 will go to Dallas, etc. Since this is a backup connection we are trying to deploy it as cheaply as possible. We did this with a 4ESW/9ESW on the HQ router because it will support up to 15 or so sites that we want to do. The issue is that even when the xconnect line is added to the HWIC it does not want to pass traffic. EoMPLS is the same thing... Can anyone help me out? Also, does anyone know if I went to an older ME switch for the HQ whether it would support the MPLS commands from the HQ router?
    Also the l2tun and mpls all show up, see below:
    BRANCH2#show l2tun
    L2TP Tunnel and Session Information Total tunnels 1 sessions 1
    LocTunID   RemTunID   Remote Name   State  Remote Address  Sessn L2TP Class/
                                                               Count VPDN Group
    1543017164 4034467245 HQ_RTR        est    10.0.0.1        1     l2tp_default_cl
    LocID      RemID      TunID      Username, Intf/      State  Last Chg Uniq ID  
                                     Vcid, Circuit                                 
    908667366  3759587721 1543017164 104, Fa0/1           est    00:58:18 4  

    I am positive the IPsec tunnel is good to go as I have set them up tons of times before, same with the GRE. Here is the requested information, however.
    HQ_RTR#show crypto ipsec sa peer 192.168.2.2. The reason you will see two is because of the ACLs I have:
    Extended IP access list 102
        10 permit ip host 10.0.0.1 host 10.0.0.2 (19462 matches)
        20 permit ip host 10.0.0.2 host 10.0.0.1
    Extended IP access list 103
        10 permit ip host 10.0.0.1 host 10.0.0.3 (17404 matches)
        20 permit ip host 10.0.0.3 host 10.0.0.1
    HQ_RTR#
    You should look only at the ACLs with the matches, so not the first SA but the second for the same peer, see below:
    interface: FastEthernet0/0
        Crypto map tag: VPN, local addr 192.168.1.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4548, #pkts encrypt: 4548, #pkts digest: 4548
        #pkts decaps: 5004, #pkts decrypt: 5004, #pkts verify: 5004
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xD5EFC998(3589261720)
         PFS (Y/N): Y, DH group: group2
         inbound esp sas:
          spi: 0x692F80B1(1764720817)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: VPN
            sa timing: remaining key lifetime (k/sec): (4390208/1595)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xD5EFC998(3589261720)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: VPN
            sa timing: remaining key lifetime (k/sec): (4390276/1595)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    HQ_RTR#ping 10.0.0.2 source lo0
    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds:
    Packet sent with a source address of 10.0.0.1
    Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
    HQ_RTR#show crypto ipsec sa peer 192.168.2.2
    interface: FastEthernet0/0
        Crypto map tag: VPN, local addr 192.168.1.2
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
        #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 0, #recv errors 0
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0x0(0)
         PFS (Y/N): N, DH group: none
         inbound esp sas:
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
         outbound ah sas:
         outbound pcp sas:
       protected vrf: (none)
       local  ident (addr/mask/prot/port): (10.0.0.1/255.255.255.255/0/0)
       remote ident (addr/mask/prot/port): (10.0.0.2/255.255.255.255/0/0)
       current_peer 192.168.2.2 port 500
         PERMIT, flags={origin_is_acl,}
        #pkts encaps: 4583, #pkts encrypt: 4583, #pkts digest: 4583
        #pkts decaps: 5042, #pkts decrypt: 5042, #pkts verify: 5042
        #pkts compressed: 0, #pkts decompressed: 0
        #pkts not compressed: 0, #pkts compr. failed: 0
        #pkts not decompressed: 0, #pkts decompress failed: 0
        #send errors 2, #recv errors 0
         local crypto endpt.: 192.168.1.2, remote crypto endpt.: 192.168.2.2
         path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
         current outbound spi: 0xD5EFC998(3589261720)
         PFS (Y/N): Y, DH group: group2
         inbound esp sas:
          spi: 0x692F80B1(1764720817)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2003, flow_id: NETGX:3, sibling_flags 80000046, crypto map: VPN
            sa timing: remaining key lifetime (k/sec): (4390204/1582)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         inbound ah sas:
         inbound pcp sas:
         outbound esp sas:
          spi: 0xD5EFC998(3589261720)
            transform: esp-aes esp-sha-hmac ,
            in use settings ={Tunnel, }
            conn id: 2004, flow_id: NETGX:4, sibling_flags 80000046, crypto map: VPN
            sa timing: remaining key lifetime (k/sec): (4390272/1582)
            IV size: 16 bytes
            replay detection support: Y
            Status: ACTIVE
         outbound ah sas:
         outbound pcp sas:
    HQ_RTR#
    HQ_RTR#
    Also, right now with the L2TPv3 setup I am not using the GRE I had set up for when I was using EoMPLS. I know the two work as I can see the multicast of the CDP but nothing beyond that...

  • EoMPLS with Catalyst 3750 Metro Switches

    Hi,
    I am trying to set up an EoMPLS tunnel (VLAN mode) between two 3750 Metro switches. But I am not getting the status down from both PEs. Also, 'show mpls l2transport binding' shows no output interface and no label stack is attached. Can anybody in the forum help me out? Is it any IOS-related problem?
    The IOS version is: c3750me-i5k91-mz.122-25.SEG1.bin
    Thank you,
    Dabraj Sarkar
    Grameenphone Ltd,
    Dhaka, Bangladesh

    Hi,
    can you provide the related config? Without this it is hard to tell anything.
    Regards, Martin

  • EoMPLS PW

    Guys, I'm trying to make sense of the attached Cisco topology.
    My test environment consists of various core (P) and distribution (PE) 7600s (Sup720 without OSM, SIP-600, SPA). The access node consists of an Ethernet DSLAM (although kind of irrelevant at this point).
    I'm focusing on layer 2 access node to distribution (active/backup) redundancy (no aggregation layer) to two separate distribution PEs. It seems as though it's describing the classic triangular loop, completed by an inter-distribution EoMPLS PW. It then appears as if packets are being forwarded out of the layer 2 domain by an SVI on both distros, using HSRP as the floating gateway. The only issue is implementing a PW on an interface and assigning an IP address. Unfortunately I cannot use VFI, though I'm not convinced this would help either. I cannot xconnect from an SVI either (due to restrictions on non-OSM, SPA modules). I'm guessing bridging using IRB would be the only feasible solution (if it does work).
    1) Am I way off?
    2) Would VFIs help in any way?
    3) What would you suggest?
    Any information related to this would be extremely useful. Many thanks in advance.

    Hi,
    In which mode does your 7600 operate? To support MPLS features it should be either PFC3B or PFC3BXL. If you have any OSM module it will operate MPLS over OSM as long as the peer IP address is learned through the WAN interface, though it's not recommended.
    SIP-600 for 7600 comes with 3BXL, but if there is any module with DFC3A the system will operate with the common denominator, which is PFC3A, so you can't run MPLS.
    Normally you cannot have both the IP and L2MPLS configuration on the same interface, and on the 7600 we are restricted to one VLAN database (i.e. even if you configure routed ports you cannot reuse the same VLAN on two different physical ports under a subinterface).
    Since we have to create another EoMPLS tunnel to outside, we have to emulate a bridge domain and therefore we have to use VPLS, where we have to configure a VFI.
    If we have to configure any first-hop redundancy protocol, where can we configure...?
    Rgds,
    Harin

  • EoMPLS : QinQ, Vlan-based

    Hi, I'm on an EoMPLS project. I succeeded in connecting customer sites across an EoMPLS tunnel.
    This is my architecture:
       LAN1 -- CE1 --- PE1 (7200)---- MPLS backbone --- PE2 (7200) -- CE2 -- LAN2
    Now I know how to transport VLANs between CEs, but my problem is to understand the difference.
    In my mind, "Vlan-based" uses one operator VLAN (so 1 pseudowire) to transmit all frames, tagged or not, to CE2. And "QinQ" allows distinguishing between different customer VLANs and forwarding frames across the MPLS backbone on different operator VLANs.
    2 questions:
    1. Have I understood correctly??
    2. If I'm right, why do we need QinQ?? What does QinQ bring more than VLAN-based??
    3. My goal is to create on site 1 any VLANs and transport them with VTP to site 2. Which of these two VLAN-based technologies should I use??
    Thanks for answering!

    Ok, thanks for answering.
    I understand the principle, but the PE in my case is an emulated 7200 router. I work with a dynagen/dynamips server and only the 7200 can be emulated, not the 7600!!
    I have looked at these following links:
    http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_9_ea1/configuration/guide/swtunnel.html#wp1010370
    http://www.cisco.com/en/US/docs/ios/ios_xe/mpls/configuration/guide/mp_qnq_tunneling_atom_xe.html#wp1001506
    In the first link we can see the dot1q tunnel mode with some layer 2 protocol transport: CDP, STP, and VTP.
    Ideally this is my first goal --> transport VTP to site 2 by EoMPLS, but it was only on multilayer switches (like 7600) or with special cards, I don't know. But what I know is that with my 7200 I don't have the switchport command to activate switchport mode dot1q-tunnel and l2protocol-tunnel vtp, for example.
    Is it true??
    Secondly, in the second link I read that I should be able to transport VLAN frames from site 1 to site 2, but simply carry them and not propagate the different VLANs that I created!!!
    Again, have I understood correctly??
    Thanks for your help

  • TE tunnel trouble

    I have an EoMPLS tunnel running OK.
    Then I created a TE tunnel; it's up and running.
    Now I want to assign incoming traffic from a given VLAN to that TE tunnel, so I added the pseudowire class in the xconnect:
    xconnect x.x.x.x VCID encapsulation MPLS pw-class pwname
    My problem is I'm not sure if traffic is passing through the TE tunnel.
    How can I verify this?
    How can I configure max BW for that TE tunnel?
    Sincerely,
    Nicolas

    This can be done by the tunnel selection feature also, which is available in 12.0(27), wherein you can map the AToM VCs to a particular TE tunnel.
    pseudowire-class pw1
    encapsulation mpls
    preferred-path interface Tunnel1
    Hope this helps.

  • 2800 w/ site-site tunnel using NAT and user tunnels

    I am using a 2800 to terminate a site-to-site IPsec tunnel using a crypto map. It is also used to terminate several user tunnels.
    Because of overlapping private address space there is a source NAT rule in place that overloads addresses prior to routing them across the site-to-site tunnel.
    The problem is that the user tunnels are not able to communicate with any host located on the far end of the site-to-site tunnel. The site-to-site tunnel (and its NAT) works just fine for users coming from any other interface on the 2800.
    Does anyone have any ideas? I've gone ahead and attached the existing configuration for those that are brave or incredibly smart :) It is a fairly trashed config though, and I'm still trying to clean it up from where it was.
    Thank you VERY much ahead of time,
    Steve

    Duplicate posts.  :P
    Go here:  http://supportforums.cisco.com/discussion/12152361/2nd-site-site-ipsec-tunnel-nat-traversal-setting-fail-establish-however-1st

  • Multiple VPN tunnels on Multiple interfaces on PIX

    We have a PIX 515 with 5 interfaces in it; I have 2 different ISPs connected to 2 different interfaces on the PIX. I want to create 2 different IPsec tunnels from our office in Toronto. Toronto has 2 different ISPs in their router. How can I create 2 different IPsec tunnels on two different interfaces on a PIX 515?

    Thank you for the reply -
    So if I had Internet---router---PIX---inside. I have a router for each ISP and then the routers are connected to the PIX. I would then terminate the VPN tunnels on the routers? How would I route the traffic from the inside to the outside for the VPN tunnels?

  • When does the JVM terminate?

    Hello all,
    Under the class File (java.io.File), there is a method "void deleteOnExit()"
    which requests that the file or directory denoted by the given abstract pathname be deleted when the virtual machine terminates.
    My question is:
    When does the virtual machine terminate??
    I know I am asking a very basic and silly question, but I am confused.
    Can anyone please explain it to me? Or give me the link where I can get the answer??
    Regards,
    Ashvini

    The simple answer is: when the application the Virtual Machine is running is finished.
    For a JSP server, that may be when the server shuts down. In other cases, certain web applications are run in their own JVM, so when that web application is turned off or restarted, then the JVM would end. But that, I guess, is server dependent (if available at all). In either case, barring a crash, it would mean when the administrator brings down the application or application server intentionally (like for routine maintenance).

  • EoMPLS issue

    Hi all,
    I have seen a few questions posted on the forum about EoMPLS issues, but the one I have is different to those already posted and responded to.
    I have attached a document which includes the topology, configurations and output from commands to show the problem.
    Basically between the two PE routers concerned with the EoMPLS tunnel, I'm receiving labels for the VC from the egress PE, as well as the next hop label. However, the VC will not become active and the next-hop address (shown in one of the outputs) is stating it is an invalid address.
    Any ideas?
    Thanks

    Harold,
    Many thanks for your reply. Changing it from a VLAN-based EoMPLS configuration to a port-based EoMPLS configuration brought the VC up.
    I was hoping to use VLAN-based so I could try to do VLAN rewriting on the 6509. But not being classed as a router, I wasn't sure if this would even be possible anyway. Any suggestions on the best way to renumber the VLAN over an MPLS network? I work for the enterprise and this is a self-managed MPLS network, so either way the re-mapping of VLANs falls into my basket if we have to do it outside the MPLS network. It is just a lot cleaner with MPLS...
    Regards
    Steve

  • L2TP and fixed Framed IP Address for VPN user

    Hi,
    I have a running L2TP/IPsec VPN setup with authentication against a RADIUS server (freeradius2 with MySQL). I would like some of my VPN users to get a fixed IP address instead of one from the dynamically assigned IP pool.
    The RADIUS server is returning the correct parameters, I think.
    I hope someone can help me.
    It's a Cisco 892 Integrated Service Router.
    Router Config:
    =============================================================
    Current configuration : 8239 bytes
    ! Last configuration change at 10:44:26 CEST Fri Mar 30 2012 by root
    version 15.2
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    service internal
    hostname vpngw2
    boot-start-marker
    boot config usbflash0:CVO-BOOT.CFG
    boot-end-marker
    logging buffered 51200 warnings
    enable secret 5 secret
    aaa new-model
    aaa authentication login default local group radius
    aaa authentication login userauthen local group radius
    aaa authentication ppp default group radius local
    aaa authorization exec default local
    aaa authorization network groupauthor local
    aaa accounting delay-start
    aaa accounting update newinfo
    aaa accounting exec default
    action-type start-stop
    group radius
    aaa accounting network default
    action-type start-stop
    group radius
    aaa accounting resource default
    action-type start-stop
    group radius
    aaa session-id common
    clock timezone CET 1 0
    clock summer-time CEST recurring last Sun Mar 2:00 last Sun Oct 3:00
    ip domain name aspect-online.de
    ip name-server 10.28.1.31
    ip inspect WAAS flush-timeout 10
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ip cef
    no ipv6 cef
    virtual-profile if-needed
    multilink bundle-name authenticated
    async-bootp dns-server 10.28.1.31
    async-bootp nbns-server 10.28.1.31
    vpdn enable
    vpdn authen-before-forward
    vpdn authorize directed-request
    vpdn-group L2TP
    ! Default L2TP VPDN group
    accept-dialin
      protocol l2tp
      virtual-template 1
    no l2tp tunnel authentication
    license udi pid -K9 sn FCZ
    username root password 7 secret
    ip ssh source-interface FastEthernet8
    ip ssh version 2
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 3600
    crypto isakmp key mykey address 0.0.0.0         no-xauth
    crypto ipsec transform-set configl2tp esp-3des esp-sha-hmac
    mode transport
    crypto dynamic-map config-map-l2tp 10
    set nat demux
    set transform-set configl2tp
    crypto map vpnl2tp 10 ipsec-isakmp dynamic config-map-l2tp
    interface BRI0
    no ip address
    encapsulation hdlc
    shutdown
    isdn termination multidrop
    interface FastEthernet0
    no ip address
    spanning-tree portfast
    interface FastEthernet1
    no ip address
    spanning-tree portfast
    <snip>
    interface FastEthernet7
    no ip address
    spanning-tree portfast
    interface FastEthernet8
    ip address 10.28.1.97 255.255.255.0
    ip access-group vpn_to_lan out
    ip nat inside
    ip virtual-reassembly in
    duplex auto
    speed auto
    interface Virtual-Template1
    ip unnumbered GigabitEthernet0
    ip access-group vpn_to_inet_lan in
    ip nat inside
    ip virtual-reassembly in
    peer default ip address pool l2tpvpnpool
    ppp encrypt mppe 128
    ppp authentication chap
    interface GigabitEthernet0
    description WAN Port
    ip address x.x.x.39 255.255.255.0
    ip access-group from_inet in
    ip nat outside
    ip virtual-reassembly in
    duplex auto
    speed auto
    crypto map vpnl2tp
    interface Vlan1
    no ip address
    shutdown
    ip local pool l2tpvpnpool 192.168.252.3 192.168.252.199
    ip local pool remotepool 192.168.252.240 192.168.252.243
    ip forward-protocol nd
    no ip http server
    no ip http secure-server
    ip nat log translations syslog
    ip nat inside source route-map natmap interface GigabitEthernet0 overload
    ip route 0.0.0.0 0.0.0.0 x.x.x.33
    ip access-list extended from_inet
    <snip>
    ip access-list extended nat_clients
    permit ip 192.168.252.0 0.0.0.255 any
    ip access-list extended vpn_to_inet_lan
    <snip>
    ip access-list extended vpn_to_lan
    <snip>
    deny   ip any any log-input
    logging trap debugging
    logging facility local2
    logging 10.28.1.42
    no cdp run
    route-map natmap permit 10
    match ip address nat_clients
    radius-server attribute 8 include-in-access-req
    radius-server host 10.27.1.228 auth-port 1812 acct-port 1813
    radius-server key 7 mykey
    radius-server vsa send accounting
    radius-server vsa send authentication
    control-plane
    mgcp profile default
    banner login ^C
    Hostname: vpngw2
    Model: Cisco 892 Integrated Service Router
    Description: L2TP/IPsec VPN Gateway with Radius Auth
    ^C
    line con 0
    line aux 0
    line vty 0 4
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    line vty 5 15
    access-class 23 in
    privilege level 15
    transport input telnet ssh
    =============================================================
    User Config in Radius (tying multiple attributes):
    =============================================================
    Attribute          | op | Value
    Service-Type       | =  | Framed-User
    Cisco-AVPair       | =  | vpdn:ip-addresses=192.168.252.220
    Framed-IP-Address  | := | 192.168.252.221
    Cisco-AVPair       | =  | ip:addr-pool=remotepool
    =============================================================
    Debug Log from freeradius2:
    =============================================================
    rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
            Framed-Protocol = PPP
            User-Name = "me1"
            CHAP-Password = 0x01b8b897de00317a75c68ee9ce473cf8b8
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
    # Executing section authorize from file /etc/raddb/sites-enabled/default
    +- entering group authorize {...}
    ++[preprocess] returns ok
    [chap] Setting 'Auth-Type := CHAP'
    ++[chap] returns ok
    ++[mschap] returns noop
    ++[digest] returns noop
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    [eap] No EAP-Message, not doing EAP
    ++[eap] returns noop
    [files] users: Matched entry DEFAULT at line 172
    ++[files] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    rlm_sql (sql): Reserving sql socket id: 4
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radcheck           WHERE username = 'me1'           ORDER BY id
    [sql] User found in radcheck table
    [sql]   expand: SELECT id, username, attribute, value, op           FROM radreply           WHERE username = '%{SQL-User-Name}'           ORDER BY id -> SELECT id, username, attribute, value, op           FROM radreply           WHERE username = 'me1'           ORDER BY id
    [sql]   expand: SELECT groupname           FROM radusergroup           WHERE username = '%{SQL-User-Name}'           ORDER BY priority -> SELECT groupname           FROM radusergroup           WHERE username = 'me1'           ORDER BY priority
    rlm_sql (sql): Released sql socket id: 4
    ++[sql] returns ok
    ++[expiration] returns noop
    ++[logintime] returns noop
    [pap] WARNING: Auth-Type already set.  Not setting to PAP
    ++[pap] returns noop
    Found Auth-Type = CHAP
    # Executing group from file /etc/raddb/sites-enabled/default
    +- entering group CHAP {...}
    [chap] login attempt by "me1" with CHAP password
    [chap] Using clear text password "test" for user me1 authentication.
    [chap] chap user me1 authenticated succesfully
    ++[chap] returns ok
    Login OK: [me1/<CHAP-Password>] (from client vpngw2 port 10007)
    # Executing section post-auth from file /etc/raddb/sites-enabled/default
    +- entering group post-auth {...}
    ++[exec] returns noop
    Sending Access-Accept of id 7 to 10.28.1.97 port 1645
            Framed-Protocol = PPP
            Framed-Compression = Van-Jacobson-TCP-IP
            Framed-IP-Address := 192.168.252.221
            Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
            Service-Type = Framed-User
    Finished request 0.
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            User-Name = "me1"
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Acct-Authentic = RADIUS
            Acct-Status-Type = Start
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:07 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            INSERT INTO radacct             (acctsessionid,    acctuniqueid,     username,              realm,            nasipaddress,     nasportid,              nasporttype,      acctstarttime,    acctstoptime,              acctsessiontime,  acctauthentic,    connectinfo_start,              connectinfo_stop, acctinputoctets,  acctoutputoctets,              calledstationid,  callingstationid, acctterminatecause,              servicetype,      framedprotocol,   framedipaddress,              acctstartdelay,   acctstopdelay,    xascendsessionsvrkey)           VALUES             ('%{Acct-Session-Id}', '%{Acct-Unique-Session-Id}',              '%{SQL-User-Name}',              '%{Realm}', '%{NAS-IP-Address}', '%{NAS-Port}',              '%{NAS-Port-Type}', '%S', NULL,              '0', '%{Acct-Authentic}', '%{Connect-Info}',              '', '0', '0',              '%{Called-Station-Id}', '%{Calling-Station-Id}', '',              '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}',
    rlm_sql (sql): Reserving sql socket id: 3
    rlm_sql (sql): Released sql socket id: 3
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
    Finished request 1.
    Cleaning up request 1 ID 19 with timestamp +53
    Going to the next request
    Waking up in 4.9 seconds.
    rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=20, length=407
            Acct-Session-Id = "00000011"
            Tunnel-Type:0 = L2TP
            Tunnel-Medium-Type:0 = IPv4
            Tunnel-Server-Endpoint:0 = "x.x.x.39"
            Tunnel-Client-Endpoint:0 = "x.x.x.34"
            Tunnel-Assignment-Id:0 = "L2TP"
            Tunnel-Client-Auth-Id:0 = "me1"
            Tunnel-Server-Auth-Id:0 = "vpngw2"
            Framed-Protocol = PPP
            Framed-IP-Address = 192.168.252.9
            Cisco-AVPair = "ppp-disconnect-cause=Received LCP TERMREQ from peer"
            User-Name = "me1"
            Acct-Authentic = RADIUS
            Cisco-AVPair = "connect-progress=LAN Ses Up"
            Cisco-AVPair = "nas-tx-speed=100000000"
            Cisco-AVPair = "nas-rx-speed=100000000"
            Acct-Session-Time = 5
            Acct-Input-Octets = 5980
            Acct-Output-Octets = 120
            Acct-Input-Packets = 47
            Acct-Output-Packets = 11
            Acct-Terminate-Cause = User-Request
            Cisco-AVPair = "disc-cause-ext=PPP Receive Term"
            Acct-Status-Type = Stop
            Connect-Info = "100000000"
            NAS-Port-Type = Sync
            NAS-Port = 10007
            NAS-Port-Id = "Uniq-Sess-ID7"
            Service-Type = Framed-User
            NAS-IP-Address = 10.28.1.97
            Acct-Delay-Time = 0
    # Executing section preacct from file /etc/raddb/sites-enabled/default
    +- entering group preacct {...}
    ++[preprocess] returns ok
    [acct_unique] Hashing 'NAS-Port = 10007,Client-IP-Address = 10.28.1.97,NAS-IP-Address = 10.28.1.97,Acct-Session-Id = "00000011",User-Name = "me1"'
    [acct_unique] Acct-Unique-Session-ID = "1fdd95abea6cfac2".
    ++[acct_unique] returns ok
    [suffix] No '@' in User-Name = "me1", looking up realm NULL
    [suffix] No such realm "NULL"
    ++[suffix] returns noop
    ++[files] returns noop
    # Executing section accounting from file /etc/raddb/sites-enabled/default
    +- entering group accounting {...}
    [detail]        expand: %{Packet-Src-IP-Address} -> 10.28.1.97
    [detail]        expand: /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d -> /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail] /var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d expands to /var/log/radius/radacct/10.28.1.97/detail-20120330
    [detail]        expand: %t -> Fri Mar 30 11:20:12 2012
    ++[detail] returns ok
    ++[unix] returns ok
    [radutmp]       expand: /var/log/radius/radutmp -> /var/log/radius/radutmp
    [radutmp]       expand: %{User-Name} -> me1
    ++[radutmp] returns ok
    [sql]   expand: %{User-Name} -> me1
    [sql] sql_set_user escaped user --> 'me1'
    [sql]   expand: %{Acct-Input-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Input-Octets} -> 5980
    [sql]   expand: %{Acct-Output-Gigawords} ->
    [sql]   ... expanding second conditional
    [sql]   expand: %{Acct-Output-Octets} -> 120
    [sql]   expand: %{Acct-Delay-Time} -> 0
    [sql]   expand:            UPDATE radacct SET              acctstoptime       = '%S',              acctsessiontime    = '%{Acct-Session-Time}',              acctinputoctets    = '%{%{Acct-Input-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Input-Octets}:-0}',              acctoutputoctets   = '%{%{Acct-Output-Gigawords}:-0}' << 32 |                                   '%{%{Acct-Output-Octets}:-0}',              acctterminatecause = '%{Acct-Terminate-Cause}',              acctstopdelay      = '%{%{Acct-Delay-Time}:-0}',              connectinfo_stop   = '%{Connect-Info}'           WHERE acctsessionid   = '%{Acct-Session-Id}'           AND username          = '%{SQL-User-Name}'           AND nasipaddress      = '%{NAS-IP-Address}' ->            UPDATE radacct SET              acctstoptime       = '2012-03-30 11:20:12',              acctsessiontime    = '5',              acctinputoctets    = '0' << 32 |                                   '5980',              acctoutputoctets   = '0' << 32 |
    rlm_sql (sql): Reserving sql socket id: 2
    rlm_sql (sql): Released sql socket id: 2
    ++[sql] returns ok
    ++[exec] returns noop
    [attr_filter.accounting_response]       expand: %{User-Name} -> me1
    attr_filter: Matched entry DEFAULT at line 12
    ++[attr_filter.accounting_response] returns updated
    Sending Accounting-Response of id 20 to 10.28.1.97 port 1646
    Finished request 2.
    Cleaning up request 2 ID 20 with timestamp +58
    Going to the next request
    Waking up in 0.1 seconds.
    Cleaning up request 0 ID 7 with timestamp +53
    Ready to process requests.
    =============================================================
    Log From Cisco Router:
    =============================================================
    Mar 30 11:20:07 vpngw2 1217: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1218: Mar 30 09:21:51.414: RADIUS: DSL line rate attributes successfully added
    Mar 30 11:20:07 vpngw2 1219: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1220: Mar 30 09:21:51.414: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1221: Mar 30 09:21:51.414: RADIUS/ENCODE: No idb found! Framed IP Addr might not be included
    Mar 30 11:20:07 vpngw2 1222: Mar 30 09:21:51.414: RADIUS/ENCODE(00000015): acct_session_id: 17
    Mar 30 11:20:07 vpngw2 1223: Mar 30 09:21:51.414: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1224: Mar 30 09:21:51.418: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1225: Mar 30 09:21:51.418: RADIUS(00000015): Send Access-Request to 10.27.1.228:1812 id 1645/7, len 100
    Mar 30 11:20:07 vpngw2 1226: Mar 30 09:21:51.418: RADIUS:  authenticator DE 5F 2E 3E EF BF 50 F4 - 49 C3 4F BE 1A 66 72 22
    Mar 30 11:20:07 vpngw2 1227: Mar 30 09:21:51.418: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1228: Mar 30 09:21:51.418: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1229: Mar 30 09:21:51.418: RADIUS:  CHAP-Password       [3]   19  *
    Mar 30 11:20:07 vpngw2 1230: Mar 30 09:21:51.418: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1231: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1232: Mar 30 09:21:51.418: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:07 vpngw2 1233: Mar 30 09:21:51.418: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:07 vpngw2 1234: Mar 30 09:21:51.418: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1235: Mar 30 09:21:51.418: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:07 vpngw2 1236: Mar 30 09:21:51.418: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:07 vpngw2 1237: Mar 30 09:21:51.418: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:07 vpngw2 1238: Mar 30 09:21:51.422: RADIUS: Received from id 1645/7 10.27.1.228:1812, Access-Accept, len 85
    Mar 30 11:20:07 vpngw2 1239: Mar 30 09:21:51.422: RADIUS:  authenticator 25 CD 93 D5 78 2C F4 4F - F2 66 2C 45 8D D4 E1 16
    Mar 30 11:20:07 vpngw2 1240: Mar 30 09:21:51.422: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1241: Mar 30 09:21:51.422: RADIUS:  Framed-Compression  [13]  6   VJ TCP/IP Header Compressi[1]
    Mar 30 11:20:07 vpngw2 1242: Mar 30 09:21:51.422: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.221
    Mar 30 11:20:07 vpngw2 1243: Mar 30 09:21:51.422: RADIUS:  Vendor, Cisco       [26]  41
    Mar 30 11:20:07 vpngw2 1244: Mar 30 09:21:51.422: RADIUS:   Cisco AVpair       [1]   35  "vpdn:ip-addresses=192.168.252.220"
    Mar 30 11:20:07 vpngw2 1245: Mar 30 09:21:51.422: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:07 vpngw2 1246: Mar 30 09:21:51.426: RADIUS(00000015): Received from id 1645/7
    Mar 30 11:20:07 vpngw2 1247: Mar 30 09:21:51.438: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1248: Mar 30 09:21:51.442: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to up
    Mar 30 11:20:07 vpngw2 1249: Mar 30 09:21:51.478: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:07 vpngw2 1250: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:07 vpngw2 1251: Mar 30 09:21:51.478: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:07 vpngw2 1252: Mar 30 09:21:51.478: RADIUS(00000015): sending
    Mar 30 11:20:07 vpngw2 1253: Mar 30 09:21:51.478: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:07 vpngw2 1254: Mar 30 09:21:51.478: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/19, len 213
    Mar 30 11:20:07 vpngw2 1255: Mar 30 09:21:51.478: RADIUS:  authenticator 1B E0 A3 DF 16 7F F1 8D - E5 7F BD 88 50 01 73 53
    Mar 30 11:20:07 vpngw2 1256: Mar 30 09:21:51.478: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:07 vpngw2 1257: Mar 30 09:21:51.478: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:07 vpngw2 1258: L2TP                   [3]
    Mar 30 11:20:07 vpngw2 1259: Mar 30 09:21:51.478: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:07 vpngw2 1260: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:07 vpngw2 1261: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:07 vpngw2 1262: Mar 30 09:21:51.478: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:07 vpngw2 1263: Mar 30 09:21:51.478: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:07 vpngw2 1264: Mar 30 09:21:51.478: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:07 vpngw2 1265: Mar 30 09:21:51.478: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:07 vpngw2 1266: Mar 30 09:21:51.478: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:07 vpngw2 1267: Mar 30 09:21:51.478: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:07 vpngw2 1268: Mar 30 09:21:51.478: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:07 vpngw2 1269: Mar 30 09:21:51.478: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:07 vpngw2 1270: Mar 30 09:21:51.478: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:07 vpngw2 1271: Mar 30 09:21:51.482: RADIUS:  Acct-Status-Type    [40]  6   Start                     [1]
    Mar 30 11:20:07 vpngw2 1272: Mar 30 09:21:51.482: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:07 vpngw2 1273: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:07 vpngw2 1274: Mar 30 09:21:51.482: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:08 vpngw2 1275: Mar 30 09:21:51.482: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:08 vpngw2 1276: Mar 30 09:21:51.482: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:08 vpngw2 1277: Mar 30 09:21:51.482: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:08 vpngw2 1278: Mar 30 09:21:51.482: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:08 vpngw2 1279: Mar 30 09:21:51.482: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:08 vpngw2 1280: Mar 30 09:21:51.482: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:08 vpngw2 1281: Mar 30 09:21:51.486: RADIUS: Received from id 1646/19 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:08 vpngw2 1282: Mar 30 09:21:51.486: RADIUS:  authenticator 73 5E 95 46 5B 57 B1 4A - 44 4F 7C 71 F0 26 AA A4
    Mar 30 11:20:12 vpngw2 1283: Mar 30 09:21:56.282: RADIUS/ENCODE(00000015):Orig. component type = VPDN
    Mar 30 11:20:12 vpngw2 1284: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IP: 0.0.0.0
    Mar 30 11:20:12 vpngw2 1285: Mar 30 09:21:56.282: RADIUS(00000015): Config NAS IPv6: ::
    Mar 30 11:20:12 vpngw2 1286: Mar 30 09:21:56.282: RADIUS(00000015): sending
    Mar 30 11:20:12 vpngw2 1287: Mar 30 09:21:56.282: RADIUS/ENCODE: Best Local IP-Address 10.28.1.97 for Radius-Server 10.27.1.228
    Mar 30 11:20:12 vpngw2 1288: Mar 30 09:21:56.286: RADIUS(00000015): Send Accounting-Request to 10.27.1.228:1813 id 1646/20, len 407
    Mar 30 11:20:12 vpngw2 1289: Mar 30 09:21:56.286: RADIUS:  authenticator 26 7A 27 91 EB 3F 34 C6 - DB 2D 88 F8 B1 A4 C1 12
    Mar 30 11:20:12 vpngw2 1290: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Id     [44]  10  "00000011"
    Mar 30 11:20:12 vpngw2 1291: Mar 30 09:21:56.286: RADIUS:  Tunnel-Type         [64]  6   00:
    Mar 30 11:20:12 vpngw2 1292: L2TP                   [3]
    Mar 30 11:20:12 vpngw2 1293: Mar 30 09:21:56.286: RADIUS:  Tunnel-Medium-Type  [65]  6   00:IPv4                   [1]
    Mar 30 11:20:12 vpngw2 1294: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Endpoi[67]  16  "x.x.x.39"
    Mar 30 11:20:12 vpngw2 1295: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Endpoi[66]  16  "x.x.x.34"
    Mar 30 11:20:12 vpngw2 1296: Mar 30 09:21:56.286: RADIUS:  Tunnel-Assignment-Id[82]  6   "L2TP"
    Mar 30 11:20:12 vpngw2 1297: Mar 30 09:21:56.286: RADIUS:  Tunnel-Client-Auth-I[90]  5   "me1"
    Mar 30 11:20:12 vpngw2 1298: Mar 30 09:21:56.286: RADIUS:  Tunnel-Server-Auth-I[91]  8   "vpngw2"
    Mar 30 11:20:12 vpngw2 1299: Mar 30 09:21:56.286: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
    Mar 30 11:20:12 vpngw2 1300: Mar 30 09:21:56.286: RADIUS:  Framed-IP-Address   [8]   6   192.168.252.9
    Mar 30 11:20:12 vpngw2 1301: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  59
    Mar 30 11:20:12 vpngw2 1302: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   53  "ppp-disconnect-cause=Received LCP TERMREQ from peer"
    Mar 30 11:20:12 vpngw2 1303: Mar 30 09:21:56.286: RADIUS:  User-Name           [1]   5   "me1"
    Mar 30 11:20:12 vpngw2 1304: Mar 30 09:21:56.286: RADIUS:  Acct-Authentic      [45]  6   RADIUS                    [1]
    Mar 30 11:20:12 vpngw2 1305: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  35
    Mar 30 11:20:12 vpngw2 1306: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   29  "connect-progress=LAN Ses Up"
    Mar 30 11:20:12 vpngw2 1307: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1308: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-tx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1309: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  30
    Mar 30 11:20:12 vpngw2 1310: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   24  "nas-rx-speed=100000000"
    Mar 30 11:20:12 vpngw2 1311: Mar 30 09:21:56.286: RADIUS:  Acct-Session-Time   [46]  6   5
    Mar 30 11:20:12 vpngw2 1312: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Octets   [42]  6   5980
    Mar 30 11:20:12 vpngw2 1313: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Octets  [43]  6   120
    Mar 30 11:20:12 vpngw2 1314: Mar 30 09:21:56.286: RADIUS:  Acct-Input-Packets  [47]  6   47
    Mar 30 11:20:12 vpngw2 1315: Mar 30 09:21:56.286: RADIUS:  Acct-Output-Packets [48]  6   11
    Mar 30 11:20:12 vpngw2 1316: Mar 30 09:21:56.286: RADIUS:  Acct-Terminate-Cause[49]  6   user-request              [1]
    Mar 30 11:20:12 vpngw2 1317: Mar 30 09:21:56.286: RADIUS:  Vendor, Cisco       [26]  39
    Mar 30 11:20:12 vpngw2 1318: Mar 30 09:21:56.286: RADIUS:   Cisco AVpair       [1]   33  "disc-cause-ext=PPP Receive Term"
    Mar 30 11:20:12 vpngw2 1319: Mar 30 09:21:56.286: RADIUS:  Acct-Status-Type    [40]  6   Stop                      [2]
    Mar 30 11:20:12 vpngw2 1320: Mar 30 09:21:56.286: RADIUS:  Connect-Info        [77]  11  "100000000"
    Mar 30 11:20:12 vpngw2 1321: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Type       [61]  6   Sync                      [1]
    Mar 30 11:20:12 vpngw2 1322: Mar 30 09:21:56.286: RADIUS:  NAS-Port            [5]   6   10007
    Mar 30 11:20:12 vpngw2 1323: Mar 30 09:21:56.286: RADIUS:  NAS-Port-Id         [87]  15  "Uniq-Sess-ID7"
    Mar 30 11:20:12 vpngw2 1324: Mar 30 09:21:56.286: RADIUS:  Service-Type        [6]   6   Framed                    [2]
    Mar 30 11:20:12 vpngw2 1325: Mar 30 09:21:56.286: RADIUS:  NAS-IP-Address      [4]   6   10.28.1.97
    Mar 30 11:20:12 vpngw2 1326: Mar 30 09:21:56.286: RADIUS:  Acct-Delay-Time     [41]  6   0
    Mar 30 11:20:12 vpngw2 1327: Mar 30 09:21:56.286: RADIUS(00000015): Sending a IPv4 Radius Packet
    Mar 30 11:20:12 vpngw2 1328: Mar 30 09:21:56.286: RADIUS(00000015): Started 5 sec timeout
    Mar 30 11:20:12 vpngw2 1329: Mar 30 09:21:56.294: RADIUS: Received from id 1646/20 10.27.1.228:1813, Accounting-response, len 20
    Mar 30 11:20:12 vpngw2 1330: Mar 30 09:21:56.294: RADIUS:  authenticator E1 09 A6 6D 91 C6 B1 B3 - 78 00 FF 4F 25 32 C6 B5
    Mar 30 11:20:12 vpngw2 1331: Mar 30 09:21:56.406: %LINK-3-UPDOWN: Interface Virtual-Access3, changed state to down
    Mar 30 11:20:12 vpngw2 1332: Mar 30 09:21:56.410: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
    =============================================================

    I found the failure.
    In the Cisco config it must be
    aaa authorization network default group radius local
    not
    aaa authorization network groupauthor local
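
    As an added example (not part of the original post), the script below parses freeradius2 debug output like the log above and flags sessions where the Framed-IP-Address the NAS reports in its Accounting Start differs from the one the server sent in the Access-Accept. That is exactly the symptom seen here (192.168.252.221 authorized, 192.168.252.9 accounted), and it is worth checking routinely when RADIUS-assigned addresses feed ACLs. The sample log is a constructed abridgement of the output posted in the thread.

```python
"""Cross-check a FreeRADIUS debug log: does the Framed-IP-Address the NAS
reports in Accounting Start match the one sent in the Access-Accept?

Added example, not from the original thread. SAMPLE_LOG is a constructed,
abridged version of the freeradius2 output posted above.
"""
import re

# Constructed sample: the server authorizes 192.168.252.221 for user me1 on
# NAS-Port 10007, but the NAS then accounts for 192.168.252.9 (taken from its
# local pool because the authorization list did not point at RADIUS).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 10.28.1.97 port 1645, id=7, length=100
        User-Name = "me1"
        NAS-Port = 10007
        Service-Type = Framed-User
        NAS-IP-Address = 10.28.1.97
Sending Access-Accept of id 7 to 10.28.1.97 port 1645
        Framed-Protocol = PPP
        Framed-IP-Address := 192.168.252.221
        Cisco-AVPair = "vpdn:ip-addresses=192.168.252.220"
Finished request 0.
rad_recv: Accounting-Request packet from host 10.28.1.97 port 1646, id=19, length=213
        Acct-Session-Id = "00000011"
        Tunnel-Type:0 = L2TP
        Framed-IP-Address = 192.168.252.9
        User-Name = "me1"
        Acct-Status-Type = Start
        NAS-Port = 10007
        NAS-IP-Address = 10.28.1.97
Sending Accounting-Response of id 19 to 10.28.1.97 port 1646
"""

# A packet header is either a received packet ("rad_recv: ...") or a sent one
# ("Sending <type> of id N to <host> ...").
PACKET_RE = re.compile(
    r"^(?:rad_recv: (?P<rtype>[\w-]+) packet from host (?P<host>\S+) port \d+, id=(?P<rid>\d+)"
    r"|Sending (?P<stype>[\w-]+) of id (?P<sid>\d+) to (?P<shost>\S+) port \d+)"
)
# Attribute lines are indented: "Name[:tag] op value"; op is "=" or ":=".
ATTR_RE = re.compile(r"^\s+(?P<name>[\w-]+)(?::\d+)? (?P<op>:?=) (?P<value>.+)$")


def parse_packets(log_text):
    """Split the debug log into packets: dicts with type, host, id and attrs."""
    packets = []
    current = None
    for line in log_text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            current = {
                "type": m.group("rtype") or m.group("stype"),
                "host": m.group("host") or m.group("shost"),
                "id": int(m.group("rid") or m.group("sid")),
                "attrs": {},
            }
            packets.append(current)
            continue
        a = ATTR_RE.match(line)
        if a and current is not None:
            # String values are quoted in the log; strip the quotes.
            current["attrs"][a.group("name")] = a.group("value").strip('"')
    return packets


def find_mismatches(packets):
    """Pair each Access-Accept with its Access-Request (same NAS host and
    packet id), remember the authorized Framed-IP-Address per (NAS, NAS-Port),
    and report Accounting Start records whose address differs."""
    requests = {}    # (host, id) -> Access-Request attrs
    authorized = {}  # (NAS-IP-Address, NAS-Port) -> (User-Name, Framed-IP-Address)
    mismatches = []
    for p in packets:
        key = (p["host"], p["id"])
        attrs = p["attrs"]
        if p["type"] == "Access-Request":
            requests[key] = attrs
        elif p["type"] == "Access-Accept":
            req = requests.get(key, {})
            ip = attrs.get("Framed-IP-Address")
            if ip and "NAS-Port" in req:
                authorized[(req.get("NAS-IP-Address"), req["NAS-Port"])] = (req.get("User-Name"), ip)
        elif p["type"] == "Accounting-Request" and attrs.get("Acct-Status-Type") == "Start":
            sess = (attrs.get("NAS-IP-Address"), attrs.get("NAS-Port"))
            if sess in authorized:
                user, expected = authorized[sess]
                actual = attrs.get("Framed-IP-Address")
                if actual != expected:
                    mismatches.append({
                        "user": attrs.get("User-Name", user),
                        "session": attrs.get("Acct-Session-Id"),
                        "expected": expected,
                        "actual": actual,
                    })
    return mismatches


if __name__ == "__main__":
    for mm in find_mismatches(parse_packets(SAMPLE_LOG)):
        print(f"session {mm['session']} user {mm['user']}: "
              f"authorized {mm['expected']} but NAS reports {mm['actual']}")
```

    Point the script at a real `radiusd -X` capture (read the file into `parse_packets`) and an empty result means every accounted session is using the address RADIUS handed out.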

  • VPN connection works but VPN traffic is blocked

    I have an 881w at a central site which remote users VPN into with a desktop client and then initiate an RDP connection to machines at the central site. I configured this mostly with the Easy VPN tool since I am a complete novice with Cisco equipment. We just upgraded to this from a Linksys running DD-WRT since we were running its CPU at 100%.
    Details
    Remote clients can ping the gateway but nothing else and can't RDP to machines.
    Clients cannot be pinged from the central site.
    Configuration Professional shows active connections.
    The network at the central site is 192.168.10.0/24.
    The network at the remote sites is unknown, but it is not the same as the central site.
    Can someone help me figure out what I'm doing wrong?
    Thank you for looking. The config is posted below.
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname 881w01
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5 $1$j49H$gGfj5TWFFbg/fc0sAc1rN/
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    memory-size iomem 10
    clock timezone PCTime -6
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-2923777556
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2923777556
    revocation-check none
    rsakeypair TP-self-signed-2923777556
    crypto pki certificate chain TP-self-signed-2923777556
    certificate self-signed 01
    EDITED OUT
          quit
    no ip source-route
    ip dhcp excluded-address 192.168.10.1 192.168.10.200
    ip dhcp excluded-address 192.168.10.251 192.168.10.254
    ip dhcp pool ccp-pool1
       import all
       network 192.168.10.0 255.255.255.0
       dns-server 208.67.222.222 208.67.220.220
       default-router 192.168.10.2
       domain-name EDITED OUT
    ip cef
    no ip bootp server
    ip domain name EDITED OUT
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    ip ddns update method ccp_ddns1
    HTTP
      add http://EDITED [email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
      remove http://EDITED [email protected]/nic/update?system=dyndns&hostname=<h>&myip=<a>
    no ipv6 cef
    license udi pid CISCO881W-GN-A-K9 sn FTX162683LX
    username EDITED OUT privilege 15 secret 5 $1$BK.5$K7ODMYoskU8zBrozUoXj..
    username EDITED OUT secret 5 $1$pG2b$aAEaz1JagmxNQHmqTMEBe0
    username EDITED OUT secret 5 $1$ySKe$rqvLbt.LeSu83HKmCdaSN1
    username EDITED OUT secret 5 $1$btT6$P24XxPBSQRrGD4BtvYJbo0
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any SDM_AH
    match access-group name SDM_AH
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any SDM_IP
    match access-group name SDM_IP
    class-map type inspect match-any SDM_ESP
    match access-group name SDM_ESP
    class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
    match protocol isakmp
    match protocol ipsec-msft
    match class-map SDM_AH
    match class-map SDM_ESP
    class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
    match class-map SDM_EASY_VPN_SERVER_TRAFFIC
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect sdm-cls-bootps
      pass
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_EASY_VPN_SERVER_PT
      pass
    class type inspect SDM_DHCP_CLIENT_PT
      pass
    class class-default
      drop
    policy-map type inspect sdm-permit-ip
    class type inspect SDM_IP
      pass
    class class-default
      drop log
    zone security out-zone
    zone security in-zone
    zone security ezvpn-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
    service-policy type inspect sdm-permit-ip
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group EDITED OUT
    key EDITED OUT
    dns 208.67.222.222 208.67.220.220
    domain accnet.com
    pool SDM_POOL_2
    acl 102
    save-password
    max-logins 5
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group EZVPNGroup
       client authentication list ciscocp_vpn_xauth_ml_2
       isakmp authorization list ciscocp_vpn_group_ml_2
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA1
    set isakmp-profile ciscocp-ike-profile-1
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN link$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
    ip address dhcp client-id FastEthernet4
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    description VPN virtual interface
    ip unnumbered FastEthernet4
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.10.2 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    ip local pool SDM_POOL_1 30.30.30.10 30.30.30.30
    ip local pool SDM_POOL_2 192.168.10.10 192.168.10.29
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface FastEthernet4 overload
    ip access-list extended SDM_AH
    remark CCP_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    ip access-list extended SDM_ESP
    remark CCP_ACL Category=1
    permit esp any any
    ip access-list extended SDM_IP
    remark CCP_ACL Category=1
    permit ip any any
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 remark CCP_ACL Category=4
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 permit ip 192.168.10.0 0.0.0.255 any
    no cdp run
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500

    Thank you for the response Jennifer. I have made the suggested changes, but no change in behavior on either end.
    Does anything else stand out as a potential problem? The current running-config is below:
    I'll take a stab at what I think the problem could be, but this is an uneducated guess.
    I think I need acl 150 instead of acl 102 under
    "crypto isakmp client configuration group EZVPNGroup"
    I also think I can get rid of SDM_POOL_1 since it appears to not be used, but I don't think this is actually causing any issue.
    Building configuration...
    Current configuration : 11362 bytes
    ! Last configuration change at 09:07:22 PCTime Sun Aug 5 2012 by 881wmin
    version 15.0
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    service password-encryption
    service sequence-numbers
    hostname 881w01
    boot-start-marker
    boot-end-marker
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200
    logging console critical
    enable secret 5 EDITED
    aaa new-model
    aaa authentication login default local
    aaa authentication login ciscocp_vpn_xauth_ml_1 local
    aaa authentication login ciscocp_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network ciscocp_vpn_group_ml_1 local
    aaa authorization network ciscocp_vpn_group_ml_2 local
    aaa session-id common
    memory-size iomem 10
    clock timezone PCTime -6
    clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
    crypto pki trustpoint TP-self-signed-EDITED
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-EDITED
    revocation-check none
    rsakeypair TP-self-signed-EDITED
    crypto pki certificate chain TP-self-signed-EDITED
    certificate self-signed 01
      EDITED
          quit
    no ip source-route
    ip dhcp excluded-address 192.168.10.1 192.168.10.200
    ip dhcp excluded-address 192.168.10.251 192.168.10.254
    ip dhcp pool ccp-pool1
       import all
       network 192.168.10.0 255.255.255.0
       dns-server 208.67.222.222 208.67.220.220
       default-router 192.168.10.2
       domain-name EDITED
    ip cef
    no ip bootp server
    ip domain name EDITED
    ip name-server 208.67.222.222
    ip name-server 208.67.220.220
    ip ddns update method ccp_ddns1
    HTTP
      add http:/[email protected]/nic/update?system=dyndns&hostname=&myip=
      remove http://[email protected]/nic/update?system=dyndns&hostname=&myip=
    no ipv6 cef
    license udi pid CISCO881W-GN-A-K9 sn FTX162683LX
    username EDITED
    ip tcp synwait-time 10
    ip ssh time-out 60
    ip ssh authentication-retries 2
    class-map type inspect match-any SDM_BOOTPC
    match access-group name SDM_BOOTPC
    class-map type inspect match-any SDM_DHCP_CLIENT_PT
    match class-map SDM_BOOTPC
    class-map type inspect match-any SDM_AH
    match access-group name SDM_AH
    class-map type inspect match-any sdm-cls-bootps
    match protocol bootps
    class-map type inspect match-any ccp-cls-insp-traffic
    match protocol cuseeme
    match protocol dns
    match protocol ftp
    match protocol h323
    match protocol https
    match protocol icmp
    match protocol imap
    match protocol pop3
    match protocol netshow
    match protocol shell
    match protocol realmedia
    match protocol rtsp
    match protocol smtp
    match protocol sql-net
    match protocol streamworks
    match protocol tftp
    match protocol vdolive
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-insp-traffic
    match class-map ccp-cls-insp-traffic
    class-map type inspect match-any SDM_IP
    match access-group name SDM_IP
    class-map type inspect match-any SDM_ESP
    match access-group name SDM_ESP
    class-map type inspect match-any SDM_EASY_VPN_SERVER_TRAFFIC
    match protocol isakmp
    match protocol ipsec-msft
    match class-map SDM_AH
    match class-map SDM_ESP
    class-map type inspect match-all SDM_EASY_VPN_SERVER_PT
    match class-map SDM_EASY_VPN_SERVER_TRAFFIC
    class-map type inspect match-any ccp-cls-icmp-access
    match protocol icmp
    match protocol tcp
    match protocol udp
    class-map type inspect match-all ccp-icmp-access
    match class-map ccp-cls-icmp-access
    class-map type inspect match-all ccp-invalid-src
    match access-group 100
    class-map type inspect match-all ccp-protocol-http
    match protocol http
    policy-map type inspect ccp-permit-icmpreply
    class type inspect sdm-cls-bootps
      pass
    class type inspect ccp-icmp-access
      inspect
    class class-default
      pass
    policy-map type inspect ccp-inspect
    class type inspect ccp-invalid-src
      drop log
    class type inspect ccp-protocol-http
      inspect
    class type inspect ccp-insp-traffic
      inspect
    class class-default
      drop
    policy-map type inspect ccp-permit
    class type inspect SDM_EASY_VPN_SERVER_PT
      pass
    class type inspect SDM_DHCP_CLIENT_PT
      pass
    class class-default
      drop
    policy-map type inspect sdm-permit-ip
    class type inspect SDM_IP
      pass
    class class-default
      drop log
    zone security out-zone
    zone security in-zone
    zone security ezvpn-zone
    zone-pair security ccp-zp-self-out source self destination out-zone
    service-policy type inspect ccp-permit-icmpreply
    zone-pair security ccp-zp-in-out source in-zone destination out-zone
    service-policy type inspect ccp-inspect
    zone-pair security ccp-zp-out-self source out-zone destination self
    service-policy type inspect ccp-permit
    zone-pair security sdm-zp-in-ezvpn1 source in-zone destination ezvpn-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-out-ezpn1 source out-zone destination ezvpn-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-out1 source ezvpn-zone destination out-zone
    service-policy type inspect sdm-permit-ip
    zone-pair security sdm-zp-ezvpn-in1 source ezvpn-zone destination in-zone
    service-policy type inspect sdm-permit-ip
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp client configuration group EZVPNGroup
    key EDITED
    dns 208.67.222.222 208.67.220.220
    domain EDITED
    pool SDM_POOL_2
    acl 102
    save-password
    max-users 20
    max-logins 5
    crypto isakmp profile ciscocp-ike-profile-1
       match identity group EZVPNGroup
       client authentication list ciscocp_vpn_xauth_ml_2
       isakmp authorization list ciscocp_vpn_group_ml_2
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
    crypto ipsec profile CiscoCP_Profile1
    set transform-set ESP-3DES-SHA1
    set isakmp-profile ciscocp-ike-profile-1
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN link$FW_OUTSIDE$$ES_WAN$$ETH-WAN$
    ip address dhcp client-id FastEthernet4
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    zone-member security out-zone
    duplex auto
    speed auto
    interface Virtual-Template1 type tunnel
    description VPN virtual interface
    ip unnumbered FastEthernet4
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile CiscoCP_Profile1
    interface wlan-ap0
    description Service module interface to manage the embedded AP
    ip unnumbered Vlan1
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    arp timeout 0
    interface Wlan-GigabitEthernet0
    description Internal switch interface connecting to the embedded AP
    switchport mode trunk
    interface Vlan1
    description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
    ip address 192.168.10.2 255.255.255.0
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip flow ingress
    ip nat inside
    ip virtual-reassembly
    zone-member security in-zone
    ip tcp adjust-mss 1452
    ip local pool SDM_POOL_1 30.30.30.10 30.30.30.30
    ip local pool SDM_POOL_2 192.168.80.10 192.168.80.29
    ip forward-protocol nd
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 150 interface FastEthernet4 overload
    ip access-list extended SDM_AH
    remark CCP_ACL Category=1
    permit ahp any any
    ip access-list extended SDM_BOOTPC
    remark CCP_ACL Category=0
    permit udp any any eq bootpc
    ip access-list extended SDM_ESP
    remark CCP_ACL Category=1
    permit esp any any
    ip access-list extended SDM_IP
    remark CCP_ACL Category=1
    permit ip any any
    logging trap debugging
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark CCP_ACL Category=2
    access-list 1 permit 192.168.10.0 0.0.0.255
    access-list 100 remark CCP_ACL Category=128
    access-list 100 permit ip host 255.255.255.255 any
    access-list 100 permit ip 127.0.0.0 0.255.255.255 any
    access-list 101 remark CCP_ACL Category=4
    access-list 101 permit ip 192.168.10.0 0.0.0.255 any
    access-list 102 remark CCP_ACL Category=4
    access-list 102 permit ip 192.168.10.0 0.0.0.255 any
    access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.80.0 0.0.0.255
    access-list 150 permit ip 192.168.10.0 0.0.0.255 any
    no cdp run
    control-plane
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you have
    already used the username "cisco" to login to the router and your IOS image
    supports the "one-time" user option, then this username has already expired.
    You will not be able to login to the router with this username after you exit
    this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you
    want to use.
    ^C
    banner login ^CAuthorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!^C
    line con 0
    no modem enable
    transport output telnet
    line aux 0
    transport output telnet
    line 2
    no activation-character
    no exec
    transport preferred none
    transport input all
    line vty 0 4
    transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 4000 1000
    scheduler interval 500
    end
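As an added illustration of the two things this thread turns on, and not code from the original post: a small Python audit that parses the relevant lines of a running-config (the inside LAN address on Vlan1, each `ip local pool`, and the ACL named by `ip nat inside source list`), flags a VPN pool that overlaps the inside subnet, and evaluates first-match whether LAN-to-pool traffic would be NATed rather than exempted. The BEFORE and AFTER excerpts are constructed, trimmed from the two configs above; the ACL parser handles only the standard and extended `ip` forms that appear in them.

```python
import ipaddress
import re
# Constructed excerpts modelled on the thread's two configs (trimmed; not the full running-config).
BEFORE = """\
interface Vlan1
 ip address 192.168.10.2 255.255.255.0
ip local pool SDM_POOL_2 192.168.10.10 192.168.10.29
ip nat inside source list 1 interface FastEthernet4 overload
access-list 1 permit 192.168.10.0 0.0.0.255
"""
AFTER = """\
interface Vlan1
 ip address 192.168.10.2 255.255.255.0
ip local pool SDM_POOL_2 192.168.80.10 192.168.80.29
ip nat inside source list 150 interface FastEthernet4 overload
access-list 150 deny   ip 192.168.10.0 0.0.0.255 192.168.80.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 any
"""

def wildcard_to_network(addr, wildcard):
    """Cisco wildcard masks are inverted netmasks: 0.0.0.255 -> /24."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)

def parse_acl(config, number):
    """Ordered (action, src, dst) entries of numbered ACL `number`; dst None means 'any'."""
    entries = []
    for line in config.splitlines():
        p = line.split()
        if len(p) < 5 or p[:2] != ["access-list", str(number)] or p[2] == "remark":
            continue
        if p[3] == "ip":                        # extended: ip SRC WC DST WC|any
            src = wildcard_to_network(p[4], p[5])
            dst = None if p[6] == "any" else wildcard_to_network(p[6], p[7])
        else:                                   # standard: SRC WC, destination implicitly any
            src, dst = wildcard_to_network(p[3], p[4]), None
        entries.append((p[2], src, dst))
    return entries

def acl_permits(entries, src_ip, dst_ip):
    for action, src, dst in entries:            # first match wins
        if src_ip in src and (dst is None or dst_ip in dst):
            return action == "permit"
    return False                                # implicit deny at the end of every ACL

def audit_ezvpn_nat(config):
    """Findings (empty = clean): pool overlapping the inside LAN; LAN -> pool traffic NAT would translate."""
    findings = []
    m = re.search(r"^interface Vlan1\n(?: .*\n)*? ip address (\S+) (\S+)", config, re.M)
    lan = ipaddress.IPv4Network(m.groups(), strict=False)
    nat = re.search(r"^ip nat inside source list (\d+) ", config, re.M)
    nat_acl = parse_acl(config, nat.group(1)) if nat else []
    for name, first, last in re.findall(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
        if lo in lan or hi in lan:
            findings.append(f"pool {name} {first}-{last} overlaps inside LAN {lan}")
        if acl_permits(nat_acl, lan.network_address + 10, lo):  # any inside host will do
            findings.append(f"NAT ACL translates LAN -> pool {name}; add a deny for it first")
    return findings
```

Running `audit_ezvpn_nat(BEFORE)` reports both the overlapping pool and the missing NAT exemption, while `audit_ezvpn_nat(AFTER)` returns no findings.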
