Setting up VPN on 1811 router

I have a Cisco 1811 as my router. Inside there are 2 VLANs: one VLAN for my desktops and one VLAN as a DMZ for my servers. Both VLANs use NAT to map the private internal IPs to the external IP address.

I'd like to add a VPN server to allow my Mac laptop and iPhone to access resources inside my network. I tried adding it via the web GUI, however connections aren't working and it reports no errors.

Attached is my running configuration. Can somebody please tell me what I need to add in order to set up the VPN? My preference is to use the IOS CLI and not the Cisco web thing.

!
! Last configuration change at 14:44:50 NewYork Thu Nov 12 2009 by root
! NVRAM config last updated at 14:08:56 NewYork Thu Nov 12 2009 by root
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$45Pl$xpQQD4Z2a6U1RuCAlI5h21
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
!
aaa session-id common
!
resource policy
!
clock timezone NewYork -5
clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.127
!
ip dhcp pool sdm-pool1
 import all
 network 192.168.1.0 255.255.255.0
 default-router 192.168.1.1
 domain-name scottsavarese.com
 dns-server 192.168.2.2
!
ip dhcp pool wireless-pool
 import all
 network 192.168.3.0 255.255.255.0
 default-router 192.168.3.1
 domain-name scottsavarese.com
 dns-server 192.168.2.2
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name
ip name-server 192.168.2.2
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
no ip ips deny-action ips-interface
ip ips notify SDEE
!
!
crypto pki trustpoint TP-self-signed-4111549971
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-4111549971
 revocation-check none
 rsakeypair TP-self-signed-4111549971
!
!
crypto pki certificate chain TP-self-signed-4111549971
 certificate self-signed 01
  quit
username root privilege 15 secret 5
username savarese privilege 0 view SDM_EasyVPN_Remote secret 5
!
!
class-map match-all nbar
class-map match-all p2p
 match protocol bittorrent
class-map match-all voice
!
!
crypto isakmp xauth timeout 15
!
!
!
interface Dot11Radio0
 ip address 192.168.3.1 255.255.255.0
 ip access-group wireless-in in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 shutdown
 !
 encryption mode ciphers tkip
 !
 ssid
  authentication open
  authentication key-management wpa
  guest-mode
  wpa-psk ascii 7
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
!
interface Dot11Radio1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
 station-role root
!
interface FastEthernet0
 description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
 ip address .2 255.255.255.248 secondary
 ip address .1 255.255.255.248
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
!
interface FastEthernet1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 shutdown
 duplex auto
 speed auto
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 description DMZ Interface
 switchport access vlan 2
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 switchport access vlan 3
!
interface FastEthernet9
 description LAN Interface
!
interface Vlan1
 description Inside LAN
 ip address 192.168.1.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
interface Vlan2
 description Inside DMZ
 ip address 192.168.2.1 255.255.255.0
 ip access-group vlan2-in in
 ip nat inside
 ip virtual-reassembly
!
interface Async1
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 shutdown
!
ip classless
ip route 0.0.0.0 0.0.0.0 .6 permanent
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source route-map wireless-rmap interface FastEthernet0 overload
ip nat inside source static udp 192.168.2.2 53 interface FastEthernet0 53
ip nat inside source static tcp 192.168.2.2 53 interface FastEthernet0 53
ip nat inside source static tcp 192.168.2.2 993 interface FastEthernet0 993
ip nat inside source static tcp 192.168.2.2 465 interface FastEthernet0 465
ip nat inside source static tcp 192.168.2.2 443 interface FastEthernet0 443
ip nat inside source static tcp 192.168.2.2 25 interface FastEthernet0 25
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0 overload
ip nat inside source static tcp 192.168.2.2 80 interface FastEthernet0 80
ip nat inside source static tcp 192.168.2.2 8080 interface FastEthernet0 8080
ip nat inside source static tcp 192.168.2.2 587 interface FastEthernet0 587
ip nat inside source static tcp 192.168.2.3 443 .2 443 extendable
!
ip access-list extended vlan2-in
 permit tcp 192.168.2.0 0.0.0.255 eq 22 192.168.1.0 0.0.0.255
 permit tcp 192.168.2.0 0.0.0.255 eq 22 host 192.168.2.1
 permit tcp 192.168.2.0 0.0.0.255 eq smtp 192.168.1.0 0.0.0.255
 permit udp host 192.168.2.2 eq domain 192.168.0.0 0.0.255.255
 permit tcp host 192.168.2.2 eq domain 192.168.0.0 0.0.255.255
 permit tcp 192.168.2.0 0.0.0.255 eq 443 192.168.1.0 0.0.0.255
 permit tcp 192.168.2.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255
 permit tcp 192.168.2.0 0.0.0.255 eq 465 192.168.1.0 0.0.0.255
 permit tcp 192.168.2.0 0.0.0.255 eq 993 192.168.1.0 0.0.0.255
 permit udp 192.168.2.0 0.0.0.255 eq 5060 192.168.1.0 0.0.0.255
 permit udp 192.168.2.0 0.0.0.255 eq 4569 192.168.1.0 0.0.0.255
 permit udp 192.168.2.0 0.0.0.255 eq 5036 192.168.1.0 0.0.0.255
 permit udp 192.168.2.0 0.0.0.255 range 10000 20000 192.168.1.0 0.0.0.255
 permit udp 192.168.2.0 0.0.0.255 eq 2727 192.168.1.0 0.0.0.255
 deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
 deny ip .0 0.0.0.7 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 permit ip any any
ip access-list extended vlan3-in
 permit ip any any
ip access-list extended wireless-in
 deny ip .0 0.0.0.7 any
 deny ip host 255.255.255.255 any
 deny ip 127.0.0.0 0.255.255.255 any
 deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip any any
ip access-list extended wireless-ips
 permit ip 192.168.3.0 0.0.0.255 any
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 2 remark SDM_ACL Category=2
access-list 2 permit 192.168.2.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip .0 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 permit udp host 64.73.32.134 eq ntp host .1 eq ntp
access-list 101 permit udp host 66.96.96.29 eq ntp host .1 eq ntp
access-list 101 permit udp host 132.160.49.93 eq ntp host .1 eq ntp
access-list 101 permit udp any host .1 eq domain
access-list 101 permit tcp any host .1 eq domain
access-list 101 permit tcp any host .1 eq 993
access-list 101 permit tcp any host .1 eq 465
access-list 101 permit tcp any host .1 eq 587
access-list 101 permit tcp any host .1 eq 443
access-list 101 permit tcp any host .1 eq www
access-list 101 permit tcp any host .1 eq smtp
access-list 101 permit ahp any host .1
access-list 101 permit esp any host .1
access-list 101 permit udp any host .1 eq isakmp
access-list 101 permit udp any host .1 eq non500-isakmp
access-list 101 permit tcp any host .2 eq 443
access-list 101 deny ip any host .2
access-list 101 deny ip 192.168.1.0 0.0.0.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
no cdp run
!
route-map wireless-rmap permit 1
 match ip address wireless-ips
!
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
route-map SDM_RMAP_2 permit 1
 match ip address 103
!
!
!
!
control-plane
!
banner login Authorized access only! Disconnect IMMEDIATELY if you are not an authorized user!
!
line con 0
 transport output telnet
line 1
 modem InOut
 stopbits 1
 speed 115200
 flowcontrol hardware
line aux 0
 transport output telnet
line vty 0 4
 transport input ssh
line vty 5 14
 transport input ssh
line vty 15
 transport input ssh
parser view SDM_EasyVPN_Remote
 secret 5
 commands interface include all crypto
 commands interface include all no crypto
 commands interface include no
 commands configure include end
 commands configure include all access-list
 commands configure include all interface
 commands configure include all crypto
 commands configure include ip
 commands configure include no end
 commands configure include all no access-list
 commands configure include all no interface
 commands configure include all no crypto
 commands configure include no ip
 commands configure include no
 commands exec include dir all-filesystems
 commands exec include dir
 commands exec include crypto ipsec client ezvpn connect
 commands exec include crypto ipsec client ezvpn xauth
 commands exec include crypto ipsec client ezvpn
 commands exec include crypto ipsec client
 commands exec include crypto ipsec
 commands exec include crypto
 commands exec include write memory
 commands exec include write
 commands exec include all ping ip
 commands exec include ping
 commands exec include configure terminal
 commands exec include configure
 commands exec include all show
 commands exec include no
 commands exec include all debug appfw
 commands exec include debug
 commands exec include all clear
!
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180139
ntp update-calendar
ntp server 64.73.32.134 source FastEthernet0
ntp server 132.160.49.93 source FastEthernet0
ntp server 66.96.96.29 source FastEthernet0
end

Thanks, Scott

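Added example (not part of Scott's post and not a Cisco-supplied sample): one CLI way to put an Easy VPN (IPsec remote-access with XAUTH) server on top of the configuration above, which is the mode the built-in Cisco IPsec clients on the Mac and iPhone speak. It reuses what the posted config already has: the `default` login list for XAUTH, the `sdm_vpn_group_ml_1` network-authorization list for the group, and ACL 101 on FastEthernet0, which already permits isakmp, non500-isakmp, esp and ahp to the .1 address. The group name REMOTE-USERS, the profile, transform-set and map names, the 192.168.10.0/24 address pool, the `vpnuser` account and the two `*-PLACEHOLDER` secrets are assumptions to replace with your own values.

```cisco
! --- Added example; names, pool range and placeholder secrets are assumptions ---
! IKE phase 1 policy offered to the remote-access clients
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
! Easy VPN group: the client's "group name" and "shared secret" fields map here.
! GROUP-KEY-PLACEHOLDER is a placeholder; 192.168.10.0/24 is an assumed, unused range.
crypto isakmp client configuration group REMOTE-USERS
 key GROUP-KEY-PLACEHOLDER
 dns 192.168.2.2
 domain scottsavarese.com
 pool VPN-POOL
 acl SPLIT-TUNNEL
!
! XAUTH against the local user database via the posted "default" login list;
! group attributes come from the posted sdm_vpn_group_ml_1 authorization list
crypto isakmp profile EZVPN-PROFILE
 match identity group REMOTE-USERS
 client authentication list default
 isakmp authorization list sdm_vpn_group_ml_1
 client configuration address respond
!
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! Dynamic map: clients arrive from unknown addresses, so no static peer.
! reverse-route installs a host route per connected client, which also keeps
! the posted "ip verify unicast reverse-path" on FastEthernet0 happy.
crypto dynamic-map DYNMAP 10
 set transform-set AES-SHA
 set isakmp-profile EZVPN-PROFILE
 reverse-route
crypto map VPNMAP 10 ipsec-isakmp dynamic DYNMAP
!
ip local pool VPN-POOL 192.168.10.1 192.168.10.50
!
! Split tunnel: only traffic for the LAN and DMZ goes through the tunnel
ip access-list extended SPLIT-TUNNEL
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
!
! NAT exemption: the posted overload NAT matches ACLs 102/103 through
! SDM_RMAP_1/2, so replies to VPN clients must be excluded or they get NATed.
no access-list 102
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
no access-list 103
access-list 103 deny ip 192.168.2.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 103 permit ip 192.168.2.0 0.0.0.255 any
!
! Local account used by XAUTH (PASSWORD-PLACEHOLDER is a placeholder)
username vpnuser secret PASSWORD-PLACEHOLDER
!
! Bind the crypto map to the WAN interface; ISAKMP uses its primary .1 address
interface FastEthernet0
 crypto map VPNMAP
```

Two checks worth doing after this is in. First, the "no errors" symptom is easier to pin down on the router than on the client: `show crypto isakmp sa` and `show crypto ipsec sa` show whether phase 1 and phase 2 completed, and `debug crypto isakmp` shows which proposal, group key or XAUTH step is being rejected. Second, the posted `vlan2-in` ACL only permits DMZ replies toward 192.168.1.0/24 for most services (DNS is the exception, since its entries use 192.168.0.0/16) and then denies everything from the DMZ to 192.168.0.0/16, so VPN clients in the 192.168.10.0/24 pool will reach DNS on the DMZ host but not its other services until those permit lines are widened to cover the pool as well.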

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.