access to win domain w/ easy vpn

Hi,

I have a Cisco 800 router with Easy VPN. It is set up to allow IP access from outside to inside the network using IP addresses only.

However, now I need to have my users:

1) authenticate via the Windows Domain controller (PDC) on connection;
2) once authenticated, be identified by the network as Domain\\User and not have to re-enter the username and password when accessing network shares;
3) be able to access computers via their NetBIOS name, i.e. "ping foobar".

Is this doable? Where can I find info on how to do this? Attached is my config file. Am I maybe blocking something with my firewall? Would I need to change a lot to get it working?

Thanks!

adam#sh running-config
Building configuration...

Current configuration : 5339 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname foo
!
no logging buffered
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
!
username CRWS_Giri privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXX
username XXXXX password 7 XXXXXXXXXXXXXXXXX
username sdm privilege 15 password 7 XXXXXXXXXXXXXX
aaa new-model
!
!
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization network grouplist local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.129 10.10.10.254
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease infinite
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw icmp
ip audit notify log
ip audit po max-events 100
ip ssh break-string foo
no ftp-server write-enable
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp client configuration group vpn_group
 key XXXXXXX
 domain local
 pool vpnclients
 acl 129
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set tr-des-md5 tr-des-sha tr-3des-sha
!
!
crypto map cm-cryptomap client authentication list userlist
crypto map cm-cryptomap isakmp authorization list grouplist
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 99 ipsec-isakmp dynamic vpnusers
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl power-cutback 1
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXX password 7 XXXXXXXXXXXXX
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map cm-cryptomap
 hold-queue 224 in
!
ip local pool vpnclients 192.168.10.1 192.168.10.254
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit udp any any eq non500-isakmp
access-list 129 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 150
!
banner motd ^CWelcome To The Machine.^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
 stopbits 1
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end
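Added example, not from the post or from Cisco: a small Python audit that reads the pool and ACL lines of the posted config and checks that the Easy VPN pool is covered by the split-tunnel ACL 129 and by the deny entry of the no-NAT ACL 150 used by route-map nonat. As posted, the pool hands out 192.168.10.x while both ACLs only mention 192.168.2.0/24, so return traffic to VPN clients is not exempted from NAT; the pool, ACL and route-map names come from the post, and the checker itself is an assumed offline helper.

```python
import ipaddress

# Constructed excerpt of the posted running-config: Easy VPN pool, split-tunnel
# ACL 129 and the NAT-exemption ACL 150 referenced by route-map nonat.
CONFIG = """\
ip local pool vpnclients 192.168.10.1 192.168.10.254
access-list 129 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 10.10.10.0 0.0.0.255 any
"""

def wildcard_to_network(addr, wildcard):
    """Turn an IOS 'address wildcard' pair into an IPv4Network."""
    mask = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return ipaddress.IPv4Network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)

def _take_net(tokens):
    """Consume 'any' or 'A WILDCARD' from the front of a token list."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.IPv4Network("0.0.0.0/0")
    return wildcard_to_network(t, tokens.pop(0))

def acl_entries(cfg, acl):
    """Yield (action, src, dst) for every 'ip' entry of numbered ACL `acl`."""
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) > 4 and tokens[:2] == ["access-list", acl] and tokens[3] == "ip":
            rest = tokens[4:]
            yield tokens[2], _take_net(rest), _take_net(rest)

def pool_range(cfg, name):
    """Return (first, last) addresses of 'ip local pool <name> first last'."""
    for line in cfg.splitlines():
        tokens = line.split()
        if len(tokens) >= 6 and tokens[:4] == ["ip", "local", "pool", name]:
            return ipaddress.IPv4Address(tokens[4]), ipaddress.IPv4Address(tokens[5])
    raise KeyError(f"no local pool named {name}")

def pool_covered(cfg, pool, acl, action):
    """True if some `action` entry of `acl` has a destination containing the whole pool."""
    lo, hi = pool_range(cfg, pool)
    return any(a == action and lo in dst and hi in dst for a, _s, dst in acl_entries(cfg, acl))

def audit(cfg):
    """Checks a client in the pool must pass to reach the 10.10.10.0/24 LAN without NAT."""
    return {
        "split_tunnel_acl_covers_pool": pool_covered(cfg, "vpnclients", "129", "permit"),
        "nat_exempt_acl_covers_pool": pool_covered(cfg, "vpnclients", "150", "deny"),
    }
```

Running audit(CONFIG) reports both checks as False for the config as posted; replacing 192.168.2.0 with 192.168.10.0 in both ACLs makes them pass.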
