VPN client connect to CISCO 887 VPN Server bat they stop at router!!
Hi
my scenario is as follows
SERVER1 on lan (192.168.5.2/24)
|
|
CISCO-887 (192.168.5.4) with VPN server
|
|
INTERNET
|
|
VPN Cisco client on xp machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN.
They can ping only router!!!
They are configured with Cisco VPN client (V5.0.007) with "Enabled Trasparent Tunnelling" and "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Peraps ACL problem?
Building configuration...
Current configuration : 5019 bytes
! Last configuration change at 05:20:37 UTC Tue Apr 24 2012 by adm
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname gate
boot-start-marker
boot-end-marker
no logging buffered
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki token default removal timeout 0
crypto pki trustpoint TP-self-signed-453216506
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-453216506
revocation-check none
rsakeypair TP-self-signed-453216506
crypto pki certificate chain TP-self-signed-453216506
certificate self-signed 01
quit
ip name-server 212.216.112.222
ip cef
no ipv6 cef
password encryption aes
license udi pid CISCO887VA-K9 sn ********
username adm privilege 15 secret 5 *****************
username user1 secret 5 ******************
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key 6 *********\*******
dns 192.168.5.2
wins 192.168.5.2
domain domain.local
pool SDM_POOL_1
save-password
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Loopback0
ip address 10.10.10.10 255.255.255.0
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
interface ATM0.1 point-to-point
pvc 8/35
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.5.4 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ******@*******.****
ppp chap password 0 alicenewag
ppp pap sent-username ******@*******.**** password 0 *********
ip local pool SDM_POOL_1 192.168.5.20 192.168.5.50
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.5.0 0.0.0.255
access-list 100 remark CCP_ACL Category=4
access-list 100 permit ip 192.168.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
line con 0
line aux 0
line vty 0 4
transport input all
end
Hello,
Your pool of VPN addresses is overlapping with the interface vlan1.
Since proxy-arp is disabled on that interface, it will never work
2 solutions
1- Pool uses a different network than 192.168.5
2- Enable ip proxy-arp on interface vlan1
Cheers,
Olivier
Similar Messages
-
VPN client connect to CISCO 887 VPN Server but I can't ping Local LAN
Hi
my scenario is as follows
SERVER1 on lan (192.168.1.4)
|
|
CISCO-887 (192.168.1.254)
|
|
INTERNET
|
|
VPN Cisco client on windows 7 machine
My connection have public ip address assegned by ISP, after ppp login.
I've just configured (with Cisco Configuration Professional) the ADSL connection and VPN Server (Easy VPN).
All the PC on LAN surf internet and remote PC connect to VPN Cisco server via cisco VPN client.
But all remote PC after connection to Cisco VPN server don't ping SERVER1 in lan and therefore don't see SERVER1 and every other resource in LAN. I can't even ping the gateway 192.168.1.254
I'm using Cisco VPN client (V5.0.07) with "IPSec over UDP NAT/PAT".
What is wrong in my attached configuration? (I've alspo tried to bind Virtual-Template1 both to unnambered Dialer0 and to Loopback0 but without luck)
Perhaps ACL problem?
Building configuration...
Current configuration : 4921 bytes
! Last configuration change at 14:33:06 UTC Sun Jan 26 2014 by NetasTest
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname TestLab
boot-start-marker
boot-end-marker
enable secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
aaa new-model
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login ciscocp_vpn_xauth_ml_2 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network ciscocp_vpn_group_ml_2 local
aaa session-id common
memory-size iomem 10
crypto pki trustpoint TP-self-signed-3013130599
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3013130599
revocation-check none
rsakeypair TP-self-signed-3013130599
crypto pki certificate chain TP-self-signed-3013130599
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33303133 31333035 3939301E 170D3134 30313236 31333333
35305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 30313331
33303539 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100A873 940DE7B9 112D7C1E CEF53553 ED09B479 24721449 DBD6F559 1B9702B7
9087E94B 50CBB29F 6FE9C3EC A244357F 287E932F 4AB30518 08C2EAC1 1DF0C521
8D0931F7 6E7F7511 7A66FBF1 A355BB2A 26DAD318 5A5A7B0D A261EE22 1FB70FD1
C20F1073 BF055A86 D621F905 E96BD966 A4E87C95 8222F1EE C3627B9A B5963DCE
AE7F0203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 14E37481 4AAFF252 197AC35C A6C1E8E1 E9DF5B35 27301D06
03551D0E 04160414 E374814A AFF25219 7AC35CA6 C1E8E1E9 DF5B3527 300D0609
2A864886 F70D0101 05050003 81810082 FEE61317 43C08637 F840D6F8 E8FA11D5
AA5E49D4 BA720ECB 534D1D6B 1A912547 59FED1B1 2B68296C A28F1CD7 FB697048
B7BF52B8 08827BC6 20B7EA59 E029D785 2E9E11DB 8EAF8FB4 D821C7F5 1AB39B0D
B599ECC1 F38B733A 5E46FFA8 F0920CD8 DBD0984F 2A05B7A0 478A1FC5 952B0DCC
CBB28E7A E91A090D 53DAD1A0 3F66A3
quit
no ip domain lookup
ip cef
no ipv6 cef
license udi pid CISCO887VA-K9 sn ***********
username ******* secret 4 5ioUNqNjoCPaFZIVNAyYuHFA2e9v8Ivuc7a7UlyQ3Zw
username ******* secret 4 Qf/16YMe96arcCpYI46YRa.3.7HcUGTBeJB3ZyRxMtE
controller VDSL 0
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group EXTERNALS
key NetasTest
dns 8.8.4.4
pool VPN-Pool
acl 120
crypto isakmp profile ciscocp-ike-profile-1
match identity group EXTERNALS
client authentication list ciscocp_vpn_xauth_ml_2
isakmp authorization list ciscocp_vpn_group_ml_2
client configuration address respond
virtual-template 1
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
mode tunnel
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
mode tunnel
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA1
set isakmp-profile ciscocp-ike-profile-1
interface Ethernet0
no ip address
shutdown
interface ATM0
no ip address
no atm ilmi-keepalive
hold-queue 224 in
pvc 8/35
pppoe-client dial-pool-number 1
interface FastEthernet0
no ip address
interface FastEthernet1
no ip address
interface FastEthernet2
no ip address
interface FastEthernet3
no ip address
interface Virtual-Template1 type tunnel
ip address 192.168.2.1 255.255.255.0
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
interface Vlan1
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
interface Dialer0
ip address negotiated
ip mtu 1452
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname ****
ppp chap password 0 *********
ppp pap sent-username ****** password 0 *******
no cdp enable
ip local pool VPN-Pool 192.168.2.210 192.168.2.215
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
access-list 100 remark
access-list 100 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 100 remark
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
access-list 120 remark
access-list 120 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
line con 0
exec-timeout 5 30
password ******
no modem enable
line aux 0
line vty 0 4
password ******
transport input all
end
Best Regards,I've updated ios to c870-advipservicesk9-mz.124-24.T8.bin and tried to ping from rv320 to 871 and vice versa. Ping stil not working.
router#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: Dialer0
Uptime: 00:40:37
Session status: UP-ACTIVE
Peer: 93.190.178.205 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 192.168.1.100
Desc: (none)
IKE SA: local 93.190.177.103/500 remote 93.190.178.205/500 Active
Capabilities:(none) connid:2001 lifetime:07:19:22
IPSEC FLOW: permit ip 10.1.1.0/255.255.255.0 10.1.2.0/255.255.255.0
Active SAs: 4, origin: dynamic crypto map
Inbound: #pkts dec'ed 0 drop 30 life (KB/Sec) 4500544/1162
Outbound: #pkts enc'ed 5 drop 0 life (KB/Sec) 4500549/1162 -
Remote access VPN clients connected to Internet from VPN
Greetings,
I need to let remote VPN clients to connect to Internet from the same ASA VPN server
" client connects to ASA through VPN tunnel from outside interface then access Internet from the same ASA from outside interface again
thanksyou'll need to configure 'same-security-traffic permit intra-interface' on the ASA .
Also, need to setup the corresponding nat statements for your clients pool range.
i.e.
global (outside) 1 interface
nat (outside) 1 access-list anyconnectacl
where anyconnectacl is the pool for your clients:
access-list anyconnectacl permit ip 172.16.1.0 255.255.255.0 any -
Will Nortel's Contivity VPN Client work with Cisco's VPN 3000 concentrator?
Hi, need help. We have VPN 3000 concentrator and a number of VPN clients (these are using Cisco VPN client).
We have one user that wants to use Nortel's Contivity VPN Client. Will this work with the Cisco COncentrator 3000?Tricky question - in theory yes, if the nortel client follows all the ISPEC RFC's.
I did try to get the cisco VPN client working on a Nortel Contivity once - did not get it working - but did'nt have that much time to test and get it working.
My advise - Configure, TEST DEBUG TEST DEBUG! -
Which ports to open in PIX for outgoing Cisco VPN client connections ?
I have Cisco vpn clients behind the PIX and i want them to connect to a vpn 3005 which i behind another PIX . Can anybody tell me which ports i have to open on both the PIX firewalls ?
It depends on how you have deployed your VPN Remote Access users.
By default, if you enable IPSec-Over-TCP or IPSec-over-UDP, then port 10000 is used for both, these methods are Cisco Proprietary and can be changed.
If you use NAT-T (NAT Traversal), the Standards-based implementation, then it uses UDP-4500).
either way, the operation of the VPN depends on:
1) Whether these service have been enable on the VPN Concentrator
2) Enabling the relevant transport settings on the VPN Client connection Properties.
Regarding the PIX infront of the VPNC3005, you will need to allow these above ports inbound to your VPNC3005 Public interface.
Locally, it depends if you filter outbound connections through your PIX. If you don't, then the PIX will allow the connection for the VPN Client attempting to access the remote VPNC3005 -
Mac Lion VPN client connectivity
We are looking to get VPN client connectivity from Mac Lion laptops to a Cisco ASA. Windows users work ok, and Mac can connect but they will not resolve internal dns addresses so they will not pass any data. Is there any special configuration needed on the ASA or MAC?
Hi
Could you post the log from the client and the router please? -
VPN client connected to VPN but can't ping or access to server
HI ,
i need help urgently, had been troubleshooting for a day, but have no ideal what wrong with the config.
Basically there is 2 set of VPN configured, one is site to site IPSEC VPN and another one is connect via VPN client software coexist in same router.
This recently we having problem on client can't access or ping to internal server which is 192.168.6.3 from VPN client software.
VPN client will connect to VPN ip pool as10.20.1.0 to 10.20.1.100
Software itself shown connected but request time out when ping.
Below is the config. Some of the command might be extra as when i did some test, but end up didn't work.
aaa new-model
aaa authentication login userauthen local
aaa authorization network adminmap group VPNClient
aaa authorization network groupauthor local
aaa authorization network map-singapore local
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key emptyspace address 203.142.83.218 no-xauth
crypto isakmp keepalive 15 periodic
crypto isakmp client configuration address-pool local ippool
crypto isakmp client configuration group map-singapore
key cisco123
dns 192.168.6.3
domain cisco.com
pool ippool
acl 102
crypto isakmp profile VPNclient
match identity address 27.54.43.210 255.255.255.255
match identity group vpnclient
client authentication list userauthen
client configuration address respond
crypto ipsec security-association idle-time 86400
crypto ipsec transform-set REMSET esp-3des esp-md5-hmac
crypto ipsec transform-set DYNSET esp-aes esp-md5-hmac
crypto ipsec transform-set esp-3des-sha esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set DYNSET
set isakmp-profile VPNclient
reverse-route
crypto map VPNMAP client authentication list userauthen
crypto map VPNMAP isakmp authorization list map-singapore
crypto map VPNMAP client configuration address respond
crypto map VPNMAP 10 ipsec-isakmp dynamic dynmap
crypto map VPNMAP 11 ipsec-isakmp
description VPN to ASA5520
set peer 203.142.83.218
set security-association lifetime kilobytes 14608000
set security-association lifetime seconds 86400
set transform-set REMSET
match address 100
interface GigabitEthernet0/0
ip address 27.54.43.210 255.255.255.240
ip nat outside
no ip virtual-reassembly
duplex full
speed 100
crypto map VPNMAP
interface GigabitEthernet0/1
ip address 192.168.6.1 255.255.255.0
ip nat inside
no ip virtual-reassembly
duplex full
speed 100
interface GigabitEthernet0/2
description $ES_LAN$
no ip address
shutdown
duplex auto
speed auto
ip local pool ippool 10.20.1.0 10.20.1.100
ip forward-protocol nd
ip pim bidir-enable
no ip http server
ip http authentication local
no ip http secure-server
ip nat inside source list 1 interface GigabitEthernet0/0 overload
ip nat inside source list 101 interface GigabitEthernet0/0 overload
ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
ip nat inside source static 192.168.6.3 27.54.43.212
ip route 0.0.0.0 0.0.0.0 27.54.43.209
ip route 192.168.1.0 255.255.255.0 27.54.43.209
ip route 192.168.151.0 255.255.255.0 192.168.6.151
ip route 192.168.208.0 255.255.255.0 27.54.43.209
ip access-list extended RA_SING
permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
permit ip 10.0.0.0 0.255.255.255 192.168.6.0 0.0.0.255
permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
permit ip 10.20.1.1 0.0.0.100 192.168.6.0 0.0.0.255
permit ip 10.20.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip any any log
access-list 1 remark Local Network
access-list 1 permit 192.168.6.0 0.0.0.255
access-list 1 permit 192.168.102.0 0.0.0.255
access-list 1 permit 192.168.151.0 0.0.0.255
access-list 2 remark VPNClient-range
access-list 2 permit 10.0.0.0 0.255.255.255
access-list 10 permit 192.168.6.0 0.0.0.255
access-list 10 permit 192.168.102.0 0.0.0.255
access-list 10 permit 192.168.151.0 0.0.0.255
access-list 10 permit 10.0.0.0 0.255.255.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.102.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 100 permit ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
access-list 100 permit ip host 192.168.6.7 host 192.168.208.48
access-list 101 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.0.0.0 0.255.255.255 any
access-list 101 permit ip 192.168.6.0 0.0.0.255 any
access-list 102 permit ip 10.0.0.0 0.255.255.255 any
access-list 120 deny ip any any log
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.1.0 0.0.0.255 log
access-list 120 deny ip 192.168.6.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 120 deny ip 192.168.6.0 0.0.0.255 192.168.208.0 0.0.0.255
no cdp run
route-map nonat permit 10
match ip address 120
control-plane
alias isakmp-profile sh crypto isakmp sa
alias exec ipsec sh crypto ipsec sa
banner motd ^CC^CI did not try to ping 4.2.2.2. I just know I can not ping comcasts dns servers. I have updated the firmware on the router and it did not work. The computer was able to access the internet until about a week ago, I don't understand what could have changed that I would now need a static DNS.
-
Hii frnds,
here is the configuration in my router C1841..for the cisco ipsec remote access vpn..i was able to establish a vpn session properly...but there after i can only reach up to the inside interfaces of the router..but not to the lan devices...
Below is the out put from the router
r1#sh run
Building configuration...
Current configuration : 3488 bytes
! Last configuration change at 20:07:20 UTC Tue Apr 23 2013 by ramana
! NVRAM config last updated at 11:53:16 UTC Sun Apr 21 2013 by ramana
version 15.1
service config
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname r1
boot-start-marker
boot-end-marker
enable secret 5 $1$6RzF$L6.zOaswedwOESNpkY0Gb.
aaa new-model
aaa authentication login local-console local
aaa authentication login userauth local
aaa authorization network groupauth local
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip domain name r1.com
multilink bundle-name authenticated
license udi pid CISCO1841 sn FHK145171DM
username ramana privilege 15 secret 5 $1$UE7J$u9nuCPGaAasL/k7CxtNMj.
username giet privilege 15 secret 5 $1$esE5$FD9vbBwTgHERdRSRod7oD.
redundancy
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration group ra-vpn
key xxxxxx
domain r1.com
pool vpn-pool
acl 150
save-password
include-local-lan
max-users 10
crypto ipsec transform-set my-vpn esp-3des esp-md5-hmac
crypto dynamic-map RA 1
set transform-set my-vpn
reverse-route
crypto map ra-vpn client authentication list userauth
crypto map ra-vpn isakmp authorization list groupauth
crypto map ra-vpn client configuration address respond
crypto map ra-vpn 1 ipsec-isakmp dynamic RA
interface Loopback0
ip address 10.2.2.2 255.255.255.255
interface FastEthernet0/0
bandwidth 8000000
ip address 117.239.xx.xx 255.255.255.240
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map ra-vpn
interface FastEthernet0/1
description $ES_LAN$
ip address 192.168.10.252 255.255.255.0 secondary
ip address 10.10.10.1 255.255.252.0 secondary
ip address 172.16.0.1 255.255.252.0 secondary
ip address 10.10.7.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
ip local pool vpn-pool 172.18.1.1 172.18.1.100
ip forward-protocol nd
ip http server
ip http authentication local
no ip http secure-server
ip dns server
ip nat pool INTERNETPOOL 117.239.xx.xx 117.239.xx.xx netmask 255.255.255.240
ip nat inside source list 100 pool INTERNETPOOL overload
ip route 0.0.0.0 0.0.0.0 117.239.xx.xx
access-list 100 permit ip 10.10.7.0 0.0.0.255 any
access-list 100 permit ip 10.10.10.0 0.0.1.255 any
access-list 100 permit ip 172.16.0.0 0.0.3.255 any
access-list 100 permit ip 192.168.10.0 0.0.0.255 any
access-list 150 permit ip 10.10.7.0 0.0.0.255 172.18.0.0 0.0.255.255
access-list 150 permit ip host 10.2.2.2 172.18.1.0 0.0.0.255
access-list 150 permit ip 192.168.10.0 0.0.0.255 172.18.1.0 0.0.0.255
control-plane
line con 0
login authentication local-console
line aux 0
line vty 0 4
login authentication local-console
transport input telnet ssh
scheduler allocate 20000 1000
end
r1>sh ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is 117.239.xx.xx to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 117.239.xx.xx
10.0.0.0/8 is variably subnetted, 5 subnets, 3 masks
C 10.2.2.2/32 is directly connected, Loopback0
C 10.10.7.0/24 is directly connected, FastEthernet0/1
L 10.10.7.1/32 is directly connected, FastEthernet0/1
C 10.10.8.0/22 is directly connected, FastEthernet0/1
L 10.10.10.1/32 is directly connected, FastEthernet0/1
117.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 117.239.xx.xx/28 is directly connected, FastEthernet0/0
L 117.239.xx.xx/32 is directly connected, FastEthernet0/0
172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks
C 172.16.0.0/22 is directly connected, FastEthernet0/1
L 172.16.0.1/32 is directly connected, FastEthernet0/1
172.18.0.0/32 is subnetted, 1 subnets
S 172.18.1.39 [1/0] via 49.206.59.86, FastEthernet0/0
192.168.10.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.10.0/24 is directly connected, FastEthernet0/1
L 192.168.10.252/32 is directly connected, FastEthernet0/1
r1#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
117.239.xx.xx 49.206.59.86 QM_IDLE 1043 ACTIVE
IPv6 Crypto ISAKMP SA
r1 #sh crypto ipsec sa
interface: FastEthernet0/0
Crypto map tag: giet-vpn, local addr 117.239.xx.xx
protected vrf: (none)
local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
remote ident (addr/mask/prot/port): (172.18.1.39/255.255.255.255/0/0)
current_peer 49.206.59.86 port 50083
PERMIT, flags={}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 2, #pkts decrypt: 2, #pkts verify: 2
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 117.239.xx.xx, remote crypto endpt.: 49.206.xx.xx
path mtu 1500, ip mtu 1500, ip mtu idb FastEthernet0/0
current outbound spi: 0x550E70F9(1427009785)
PFS (Y/N): N, DH group: none
inbound esp sas:
spi: 0x5668C75(90606709)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2089, flow_id: FPGA:89, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550169/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0x550E70F9(1427009785)
transform: esp-3des esp-md5-hmac ,
in use settings ={Tunnel UDP-Encaps, }
conn id: 2090, flow_id: FPGA:90, sibling_flags 80000046, crypto map: ra-vpn
sa timing: remaining key lifetime (k/sec): (4550170/3437)
IV size: 8 bytes
replay detection support: Y
Status: ACTIVE
outbound ah sas:
outbound pcp sas:hi Maximilian Schojohann..
First i would like to Thank you for showing interest in solving my issue...After some research i found that desabling the " IP CEF" will solve the issue...when i desable i was able to communicate success fully with the router lan..But when i desable " IP CEF " Router cpu processer goes to 99% and hangs...
In the output of " sh process cpu" it shows 65% of utilization from "IP INPUT"
so plz give me an alternate solution ....thanks in advance.... -
IOS VPN will not respond to Cisco VPN Client connections.
Hi all,
I am about to set my routers on fire here.
I have two 2921 ISRs both with Security licenses on separate leased lines. I have configured one to accept VPN connections from our Cisco VPN Client remote workers.
I have followed the set up process I used on another site with an 1841/Sec router and the same clients and I have also checked against the config given in the latest IOS15 EasyVPN guide.
With all debugs active, all I see is
038062: Dec 8 14:03:04.519: ISAKMP (0): received packet from x.y.z.z dport 500 sport 60225 Global (N) NEW SA
038063: Dec 8 14:03:04.519: ISAKMP: Created a peer struct for x.y.z.z, peer port 60225
038064: Dec 8 14:03:04.519: ISAKMP: New peer created peer = 0x3972090C peer_handle = 0x8001D881
038065: Dec 8 14:03:04.523: ISAKMP: Locking peer struct 0x3972090C, refcount 1 for crypto_isakmp_process_block
038066: Dec 8 14:03:04.523: ISAKMP:(0):Setting client config settings 3E156D70
038067: Dec 8 14:03:10.027: ISAKMP (0): received packet from x.y.z.z dport 500 sport 60225 Global (R) MM_NO_STATE
Below is the abridged config.
System image file is "flash0:c2900-universalk9-mz.SPA.154-1.T1.bin"
aaa new-model
aaa authentication login default local
aaa authentication login VPNAUTH local
aaa authorization exec default local
aaa authorization network VPN local
aaa session-id common
crypto isakmp policy 10
encr aes
authentication pre-share
group 14
crypto isakmp client configuration group VPN
key ****-****-****-****
dns 192.168.177.207 192.168.177.3
domain xxx.local
pool VPNADDRESSES
acl REVERSEROUTE
crypto ipsec transform-set HASH esp-aes esp-sha-hmac
mode tunnel
crypto ipsec profile IPSECPROFILE
set transform-set HASH
crypto dynamic-map VPN 1
set transform-set HASH
reverse-route
crypto map VPN client authentication list VPNAUTH
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 65535 ipsec-isakmp dynamic VPN
ip local pool VPNADDRESSES 172.16.198.16 172.16.198.31
ip access-list extended REVERSEROUTE
permit ip 192.168.0.0 0.0.255.255 any
permit ip 10.0.0.0 0.0.0.255 any
ip access-list extended FIREWALL
2 permit udp any host a.b.c.d eq non500-isakmp
3 permit udp any host a.b.c.d eq isakmp
4 permit ahp any host a.b.c.d
5 permit esp any host a.b.c.d
If anyone can see anything wrong, I would be so pleased and it would save the destruction of an ostensibly innocent router.
Thanks,
Paul> I actually love you. Thank you so much.
Sorry, I'm married ... ;-)
> Im not using a virtual template. Can I get away without the Crypto Map if I use one...? All my tunnels are VTIs
oh yes, I could have seen that ...
crypto isakmp profile VPN-RA
match identity group VPN
client authentication list VPNAUTH
isakmp authorization list VPN
client configuration address respond
virtual-template 1
interface Virtual-Template1 type tunnel
description Tunnel fuer Cisco VPN-Client
ip unnumbered GigabitEthernet0/0
ip virtual-reassembly in
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSECPROFILE
Your isakmp-config and ipsec profile stays the same. -
No Internet access after cisco vpn client connection
Hi Experts,
Kindly check below config.the problem is vpn is connected but no internet access
on computer after connecting vpn
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.10.10 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.14.12 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.240 255.255.2
55.240
pager lines 24
mtu inside 1500
mtu outside 1500
ip local pool testpool 192.168.14.240-192.168.14.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list INSIDE_nat0_outbound
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
username testuser password IqY6lTColo8VIF24 encrypted
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
address-pool testpool
tunnel-group mphone ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:059363cdf78583da4e3324e8dfcefbf0
: end
ciscoasa#Hi Harish,
Please check the o/ps below and route print in attached file
Latest ASA Config
ASA Version 8.0(2)
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
ip address 192.168.10.10 255.255.255.0
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.14.12 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
shutdown
no nameif
no security-level
no ip address
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list dubai_splitTunnelAcl standard permit 192.168.14.0 255.255.255.0
access-list INSIDE_nat0_outbound extended permit ip any 192.168.14.0 255.255.255
.0
pager lines 24
mtu outside 1500
mtu inside 1500
ip local pool testpool 192.168.15.240-192.168.15.250
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 192.168.10.12 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.14.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set setFirstSet esp-3des esp-md5-hmac
crypto dynamic-map dyn1 1 set transform-set setFirstSet
crypto dynamic-map dyn1 1 set reverse-route
crypto map mymap 1 ipsec-isakmp dynamic dyn1
crypto map mymap interface outside
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 43200
crypto isakmp policy 65535
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
group-policy mphone internal
group-policy mphone attributes
split-tunnel-policy tunnelspecified
split-tunnel-network-list value dubai_splitTunnelAcl
username testuser password IqY6lTColo8VIF24 encrypted privilege 15
username testuser attributes
vpn-group-policy mphone
username khans password X5bLOVudYKsK1JS/ encrypted privilege 15
username khans attributes
vpn-group-policy mphone
tunnel-group mphone type remote-access
tunnel-group mphone general-attributes
address-pool testpool
tunnel-group mphone ipsec-attributes
pre-shared-key *
prompt hostname context
Cryptochecksum:12308d7ff6c6df3d71181248e8d38ba8
: end
ciscoasa#
Route Print after vpn connection
C:\>route print
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x40003 ...00 24 01 a2 e6 f1 ...... D-Link DFE-520TX PCI Fast Ethernet Adapter -
Packet Scheduler Miniport
0x250004 ...00 05 9a 3c 78 00 ...... Cisco Systems VPN Adapter - Packet Schedule
r Miniport
===========================================================================
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 192.168.10.1 192.168.10.211 20
127.0.0.0 255.0.0.0 127.0.0.1 127.0.0.1 1
192.168.10.0 255.255.255.0 192.168.10.211 192.168.10.211 20
192.168.10.211 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.10.255 255.255.255.255 192.168.10.211 192.168.10.211 20
192.168.14.0 255.255.255.0 192.168.15.1 192.168.15.240 1
192.168.15.0 255.255.255.0 192.168.15.240 192.168.15.240 20
192.168.15.240 255.255.255.255 127.0.0.1 127.0.0.1 20
192.168.15.255 255.255.255.255 192.168.15.240 192.168.15.240 20
213.42.233.97 255.255.255.255 192.168.10.1 192.168.10.211 1
224.0.0.0 240.0.0.0 192.168.10.211 192.168.10.211 20
224.0.0.0 240.0.0.0 192.168.15.240 192.168.15.240 20
255.255.255.255 255.255.255.255 192.168.10.211 192.168.10.211 1
255.255.255.255 255.255.255.255 192.168.15.240 192.168.15.240 1
Default Gateway: 192.168.10.1
===========================================================================
Persistent Routes:
None
C:\>
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : asu
Primary Dns Suffix . . . . . . . :
Node Type . . . . . . . . . . . . : Unknown
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
Ethernet adapter Local Area Connection 7:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : D-Link DFE-520TX PCI Fast Ethernet A
dapter
Physical Address. . . . . . . . . : 00-24-01-A2-E6-F1
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.10.211
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.10.1
DNS Servers . . . . . . . . . . . : 213.42.20.20
195.229.241.222
Ethernet adapter Local Area Connection 8:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : Cisco Systems VPN Adapter
Physical Address. . . . . . . . . : 00-05-9A-3C-78-00
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.15.240
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : -
Cisco VPN Client connects, but doesn't....
Have an issue where the workstation connects to the remote router using Cisco VPN Client successfully, but cannot receive traffic, but can...... I can see the connection with sh cry isa sa, and can see the packets encrypt/decrypt via sh cry ipse sa, as well as see the encrypt/decrypt in the VPN Client status, these numbers match up with the number of pings that are sent across the tunne. I can also see the ougoing and incoming packets with wireshark on the Cisco adapter on the workstation that is connected over the tunnel, icmp to:x.x.x.37 from:x.x.x.100, icmp from:x.x.x.100 to:x.x.x.37. Even with wireshark seeing the traffic, the requests time out. Any ideas?
Matthew,
If you are seeing packets encrypted/decrypted on both sites, but not getting an actual response, it sounds like tough one.
Have you tried disabling the client's firewall?
Also, you to discard a possible problem with the VPN virtual adapter have you tried to uninstall/reinstall the VPN Client?
Sorry, the suggetions I'm giving you are very basic but it definetely sounds kind of a weird problem...
Let me know how it goes.
Raga -
Cisco VPN Client - Connects but no shares
My Windows IT folks configured Cisco VPN Client 4.9.0.1 (0100) on both the XP and Mac side of my MacBook Pro.
Authentication works fine from both sides but none of the shared drives or folders mount on the Mac side. They do mount via Windows Explorer from the XP side. The configurations are exactly the same.
From the Mac side using Terminal I am able to ping the various shared drives on the company server. How can I get them to mount.Hi KW and Welcome to Apple Discussions...
You will receive more "views" to your post if you reposted in the Leopard forum... go here: http://discussions.apple.com/category.jspa?categoryID=235
Carolyn -
Mavericks Server VPN client connection won't work
I have read many of the problems regarding remote clients not being able to connect to Mavericks Server 3.0 via L2TP outside of the network.
My understanding that Apple has fixed this with 3.02 update.
Since the update, I tried to setup my first time VPN connection and am having similar problems to the noted prior issues.
Mavericks Server has DNS, OD, and VPN setup and running with most current update as of 2/4/14.
My Airport Extreme router is managed via Server App and has VPN ports opened. Have shutoff Back to My Mac and Find my Mac also on the server. I have also put in my hostname miniserver."example".com into the DNS on my Fatcow registrar pointing to my public IP address. "example" obviously being my domain name.
My Mavericks Macbook Pro has been setup with VPN client/shared secret and the public ip address of my router. The Macbook will connect to the VPN inside the network, but will not connect outside of the local network. Have tried setting up my home Mavericks iMac with the same result.
Have read other discussions regarding copying the old racoon vpn from mountain lion server, but understand that shouldn't be necessary as Apple has allegedly fixed the problem. Also do not want to have to redo everytime Apple pushes out a Server update.
First time I have ever setup VPN and seems close, but not quite, to working.
Thanks.....Select the Network tab in AirPort Utility and click Network Options. In the sheet that opens, check the box marked
Allow incoming IPSec authentication
if it's not already checked, and save the change. -
I can connect my cisco mobile vpn but can't ping & access internal IP
Hi somebody,
i've configured mobile vpn configuration in cisco 7200 with GNS3. i can connect VPN to my cisco router with cisco vpn client software from outside. but i can't ping to internal ip and can't access internal resources.
My Internal IP is 192.168.1.x . And IP for mobile VPN client from outside is 172.60.1.x.
Your advise will be appreciate.
here is my configuration with cisco 7200 in GNS 3,
OfficeVPN_Router#sh run
Building configuration...
Current configuration : 2186 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip any any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end
OfficeVPN_Router#sh ver
Cisco IOS Software, 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Tue 21-Apr-09 18:50 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-A3JK9S-M), Version 12.4(25), RELEASE SOFTWARE (fc2)
OfficeVPN_Router uptime is 30 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
[email protected].
Cisco 7206VXR (NPE400) processor (revision A) with 245760K/16384K bytes of memory.
Processor board ID 4279256517
R7000 CPU at 150MHz, Implementation 39, Rev 2.1, 256KB L2 Cache
6 slot VXR midplane, Version 2.1
Last reset from power-on
PCI bus mb0_mb1 (Slots 0, 1, 3 and 5) has a capacity of 600 bandwidth points.
Current configuration on bus mb0_mb1 has a total of 600 bandwidth points.
This configuration is within the PCI bus capacity and is supported.
PCI bus mb2 (Slots 2, 4, 6) has a capacity of 600 bandwidth points.
Current configuration on bus mb2 has a total of 0 bandwidth points
This configuration is within the PCI bus capacity and is supported.
Please refer to the following document "Cisco 7200 Series Port Adaptor
Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
for c7200 bandwidth points oversubscription and usage guidelines.
3 FastEthernet interfaces
125K bytes of NVRAM.
65536K bytes of ATA PCMCIA card at slot 0 (Sector size 512 bytes).
8192K bytes of Flash internal SIMM (Sector size 256K).
Configuration register is 0x2102
OfficeVPN_Router#Dear Javier ,
Thanks for your info. i already tested as you say. but still i can't use & ping to my internal IP which is behind cisco VPN router. i posted my config file.
OfficeVPN_Router(config)#ip access-list resequence 111 10 10
OfficeVPN_Router(config)#do sh run
Building configuration...
Current configuration : 2201 bytes
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname OfficeVPN_Router
boot-start-marker
boot-end-marker
enable secret 5 $1$E0Gz$U8UzNtHOXy2CeoEFj30by0
aaa new-model
aaa authentication login userlist local
aaa authorization network grouplist local
aaa session-id common
ip cef
no ip domain lookup
username asm privilege 15 password 0 pncsadmin
username user privilege 15 password 0 pncsadmin
username user1 privilege 15 password 0 pncsadmin
username cisco123 secret 5 $1$lCOc$Db.e8AFd/0f02ZI4/aeV./
crypto isakmp policy 10
encr aes
authentication pre-share
group 2
crypto isakmp client configuration group MWG
key cisco
dns 165.21.83.88
pool vpnpool
acl 101
netmask 255.255.0.0
crypto ipsec transform-set myset esp-aes esp-sha-hmac
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
crypto map mymap client authentication list userlist
crypto map mymap isakmp authorization list grouplist
crypto map mymap client configuration address initiate
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0/0
no ip address
shutdown
duplex half
interface FastEthernet1/0
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly
duplex full
speed 100
interface FastEthernet1/1
ip address 200.200.200.200 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map mymap
ip local pool vpnpool 172.60.1.10 172.60.1.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 200.200.200.201
no ip http server
no ip http secure-server
ip nat inside source list 111 interface FastEthernet1/1 overload
access-list 101 permit ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 deny ip 192.168.1.0 0.0.0.255 172.60.0.0 0.0.255.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
control-plane
gatekeeper
shutdown
line con 0
exec-timeout 0 0
password cisco123
logging synchronous
stopbits 1
line aux 0
stopbits 1
line vty 0 4
password cisco123
end -
WLC 5508 7.0.98.0 has vpn client connection issues
Hi
my guest ssid is set to L2 security none and L3 Web policy and authentication local. clients that need to connect to some vpn server (internet) are reporting disconnection issues with the vpn session but not the wireless network. as soon as they get connected via another wireless internet connection the vpn connection gets stable. that makes me thing is in deed the my wireless network the one causing issues. is there a know issues with the web authentication WLAN and vpn clients? no firewall in the middle.
Exclusionlist.................................... Disabled
Session Timeout.................................. Infinity
CHD per WLAN..................................... Enabled
Webauth DHCP exclusion........................... Disabled
Interface........................................ xxxxxxxxxxxxxxxx
WLAN ACL......................................... unconfigured
DHCP Server...................................... Default
DHCP Address Assignment Required................. Disabled
--More or (q)uit current module or <ctrl-z> to abort
Quality of Service............................... Bronze (background)
Scan Defer Priority.............................. 4,5,6
Scan Defer Time.................................. 100 milliseconds
WMM.............................................. Allowed
Media Stream Multicast-direct.................... Disabled
CCX - AironetIe Support.......................... Enabled
CCX - Gratuitous ProbeResponse (GPR)............. Disabled
CCX - Diagnostics Channel Capability............. Disabled
Dot11-Phone Mode (7920).......................... Disabled
Wired Protocol................................... None
IPv6 Support..................................... Disabled
Passive Client Feature........................... Disabled
Peer-to-Peer Blocking Action..................... Disabled
Radio Policy..................................... All
DTIM period for 802.11a radio.................... 1
DTIM period for 802.11b radio.................... 1
Radius Servers
Authentication................................ Disabled
Accounting.................................... Disabled
Dynamic Interface............................. Disabled
Local EAP Authentication......................... Disabled
Security
802.11 Authentication:........................ Open System
Static WEP Keys............................... Disabled
802.1X........................................ Disabled
Wi-Fi Protected Access (WPA/WPA2)............. Disabled
CKIP ......................................... Disabled
Web Based Authentication...................... Enabled
ACL............................................. Unconfigured
Web Authentication server precedence:
1............................................... local
Web-Passthrough............................... Disabled
Conditional Web Redirect...................... Disabled
Splash-Page Web Redirect...................... Disabled
Auto Anchor................................... Disabled
H-REAP Local Switching........................ Disabled
H-REAP Learn IP Address....................... Enabled
Client MFP.................................... Optional but inactive (WPA2 not configured)
Tkip MIC Countermeasure Hold-down Timer....... 60
Call Snooping.................................... Disabled
Roamed Call Re-Anchor Policy..................... Disabled
Band Select...................................... Disabled
Load Balancing................................... DisabledThanks Scott,
We have two controllers and all the APs (50) are associated with the primary Controller,what is the best path to follow for the upgrade.
we don't have Field recoversy image installed on our controller, do we have to do the FSU upgrade?
(Cisco Controller) >show sysinfo
Manufacturer's Name.............................. Cisco Systems Inc.
Product Name..................................... Cisco Controller
Product Version.................................. 7.0.98.0
Bootloader Version............................... 1.0.1
Field Recovery Image Version..................... N/A
Firmware Version................................. FPGA 1.3, Env 1.6, USB console 1.27
Build Type....................................... DATA + WPS
System Name...................................... Airespace_01
System Location..................................
System Contact...................................
System ObjectID.................................. 1.3.6.1.4.1.9.1.1069
IP Address....................................... 10.0.0.201
Last Reset....................................... Power on reset
System Up Time................................... 9 days 2 hrs 57 mins 21 secs
System Timezone Location......................... (GMT -6:00) Central Time (US and Canada)
Current Boot License Level....................... base
Current Boot License Type........................ Permanent
Next Boot License Level.......................... base
Next Boot License Type........................... Permanent
Configured Country............................... Multiple Countries:US,CN,DE,TW,HK
Is the below Upgrade Path make sense ?
1. Upgrade the Primary controller and reboot- wait till all APs associate with primary controller and download the new image
2. Upgrade the secondary controller and reboot
3. Failover the APs to secondary controller and test
Siddhartha
Maybe you are looking for
-
Mappings Creation Performance Issue:
Mappings Creation Performance Issue I am having a performance problem when linking attributes from Splitter Transformation (has app. 80 input ports and 9 different filter condition for 9 target tables) to other transformations. It takes app. 6 minute
-
HT204370 my digital copy of a film downloaded but there's no sound or picture when it plays?
I downloaded a digital copy of a film but when I tried to play it, there was no picture of sound on the itunes player. Can anyone help please?
-
Report painter un balanced in balance sheet
Dear Experts, can you please help me When i run report painter In T C : GRR3, i saw balance sheet balance is unbalanced that is liablities is not matched to assets . it shows out of balance . How i can verify this unbalanced amount Regards Bhaskar
-
Why is m y serial number not being accepted by Adobe?
I just downloaded Photoshop CS6 and when it comes to adding the serial that was sent to me, I get this mesage "The serial number you entered is invalid. Please try again. What can I do. I just paid a bundle for this download. Wes
-
Creating a brush stroke or stamp from a logo
I recently upgraded from 6 to 8 because my computer containing 6 crashed. On 6, I was able to convert my photo logo into a brush stroke with a little help from my daughter who uses Photoshop 7 at school and was able to click on the brush stroke and