Cisco 837 with nomade (roaming-client) VPN

Hello,

Apologies for my English, I'm French.

My config for a Cisco 837 running IOS 12.3(4)T2 is not working with a nomade (roaming-client) VPN.

The VPN connects, but my client cannot connect to the server. My server, on the other hand, connects to my client correctly.

I think there is an error in the ACLs.

Can you look at my config and tell me where the errors are?

xxx.xxx.xxx.103: public address

192.168.72.254: LAN address of the router; 192.168.72.0: LAN; zzz.zzz.zzz.zzz and xxx.xxx.xxx.xxx: hosts used for administration (SDM and telnet to the router)

Thanks

!This is the running config of the router: 192.168.72.254
!----------------------------------------------------------------------------
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname *****
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
enable secret 5 **********
!
username tibco privilege 15 secret 5 *************
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa session-id common
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
ip domain name yourdomain.com
ip name-server 80.10.246.2
ip name-server 80.10.246.129
!
!
no ip bootp server
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 smtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip audit notify log
ip audit po max-events 100
ip ssh time-out 60
ip ssh authentication-retries 2
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 group 2
!
crypto isakmp client configuration group nomade
 key *****
 pool SDM_POOL_1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface Ethernet0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-Ethernet 10/100$$ES_LAN$$FW_INSIDE$
 ip address 192.168.72.254 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 ip tcp adjust-mss 1452
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 description $ES_WAN$$FW_OUTSIDE$
 pvc 8/35
  oam-pvc manage
  pppoe-client dial-pool-number 1
 !
!
interface Dialer0
 description $FW_OUTSIDE$
 ip address xxx.xxx.xxx.103 255.255.255.0
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1452
 ip nat outside
 ip inspect DEFAULT100 out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname ******
 ppp chap password 7 *******
 ppp pap sent-username ***** password 7 *******
 crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 192.168.1.1 192.168.1.2
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
!
!
logging trap debugging
access-list 1 remark INSIDE_IF=Ethernet0
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.72.0 0.0.0.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp host 192.168.72.254 eq www host 192.168.72.254 gt 1024
access-list 100 permit ip any any
access-list 100 deny ip xxx.xxx.xxx.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 remark acces yyyy sdm
access-list 101 permit ip host yyy.yyy.yyy.yyy host xxx.xxx.xxx.103
access-list 101 remark acces zzz
access-list 101 permit ip host zzz.zzz.zzz.zzz host xxx.xxx.xxx.103
access-list 101 permit udp host 80.10.246.129 eq domain any
access-list 101 permit udp host 80.10.246.2 eq domain any
access-list 101 permit ip 192.168.1.0 0.0.0.3 any
access-list 101 permit udp any host xxx.xxx.xxx.103 eq non500-isakmp
access-list 101 permit udp any host xxx.xxx.xxx.103 eq isakmp
access-list 101 permit esp any host xxx.xxx.xxx.103
access-list 101 permit ahp any host xxx.xxx.xxx.103
access-list 101 permit ip 192.168.72.0 0.0.0.255 any
access-list 101 permit icmp any host xxx.xxx.xxx.103 echo-reply
access-list 101 permit icmp any host xxx.xxx.xxx.103 time-exceeded
access-list 101 permit icmp any host xxx.xxx.xxx.103 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any 192.168.1.0 0.0.0.3
access-list 102 permit ip 192.168.72.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map SDM_RMAP_1 permit 1
 match ip address 102
!
!
control-plane
!
banner login ^CAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport preferred all
 transport output telnet
line aux 0
 transport preferred all
 transport output telnet
line vty 0 4
 transport preferred all
 transport input telnet ssh
 transport output all
!
scheduler max-task-time 5000
scheduler interval 500
!
end
Reply to
Y.E.
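The post suspects the ACLs. A remote client's traffic crosses two of them on this config: access-list 101 inbound on Dialer0 (the decrypted packet is re-evaluated there after IPsec processing) and access-list 102, which route-map SDM_RMAP_1 uses to decide what gets NAT-overloaded on Dialer0, where a "deny" means the packet is left untranslated. The script below is an added example, not code from the post or from Cisco: it replays those two ACLs, copied from the posted config, against the flows an Easy VPN client needs, using first-match semantics with Cisco wildcard masks and the implicit deny. The redacted public address xxx.xxx.xxx.103 is replaced by the documentation address 203.0.113.103, the LAN server 192.168.72.10 and Internet host 198.51.100.1 are assumed, and the redacted yyy/zzz entries at the top of ACL 101 are omitted because they only concern management access to the router itself.

```python
"""Replay the posted Dialer0 ACLs against the flows an Easy VPN client needs.

Added example, not part of the original post. 203.0.113.103 stands in for the
redacted xxx.xxx.xxx.103; 192.168.72.10 (LAN server) and 198.51.100.1
(Internet host) are assumed sample addresses.
"""
import ipaddress

# Constructed from the posted access-list 101 (ip access-group 101 in on Dialer0)
# and access-list 102 (match ip address 102 in route-map SDM_RMAP_1).
CONFIG = """\
access-list 101 permit udp host 80.10.246.129 eq domain any
access-list 101 permit udp host 80.10.246.2 eq domain any
access-list 101 permit ip 192.168.1.0 0.0.0.3 any
access-list 101 permit udp any host 203.0.113.103 eq non500-isakmp
access-list 101 permit udp any host 203.0.113.103 eq isakmp
access-list 101 permit esp any host 203.0.113.103
access-list 101 permit ahp any host 203.0.113.103
access-list 101 permit ip 192.168.72.0 0.0.0.255 any
access-list 101 permit icmp any host 203.0.113.103 echo-reply
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any 192.168.1.0 0.0.0.3
access-list 102 permit ip 192.168.72.0 0.0.0.255 any
"""


def _addr(tokens, i):
    """Consume one IOS address spec (any | host A | A WILDCARD) at tokens[i].
    Returns ((network_int, wildcard_int), next_index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tokens[i] == "host":
        return (int(ipaddress.IPv4Address(tokens[i + 1])), 0), i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wild = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wild), i + 2


def _skip_port(tokens, i):
    """Skip an optional port operator (eq/gt/lt/neq <port>) following an address."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return i + 2
    return i


def parse_acls(text):
    """Parse numbered extended ACL lines into {number: [(action, proto, src, dst, line)]}."""
    acls = {}
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _addr(t, 4)
        i = _skip_port(t, i)
        dst, _ = _addr(t, i)  # trailing port / icmp-type tokens are ignored
        acls.setdefault(t[1], []).append((t[2], t[3], src, dst, raw.strip()))
    return acls


def _matches(addr, spec):
    """Cisco wildcard match: bits set in the wildcard are 'don't care'."""
    net, wild = spec
    return ((addr ^ net) & ~wild & 0xFFFFFFFF) == 0


def evaluate(acl, proto, src, dst):
    """First-match evaluation of one ACL, including the implicit deny at the end."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for action, p, sspec, dspec, line in acl:
        if p in ("ip", proto) and _matches(s, sspec) and _matches(d, dspec):
            return action, line
    return "deny", "implicit deny"


def check_vpn_flows(acls, client="192.168.1.1", lan_host="192.168.72.10"):
    """Verdicts for the flows a client in SDM_POOL_1 needs.

    For ACL 102 (NAT route-map) 'deny' means the packet is NOT translated,
    which is what a LAN reply to a VPN client needs."""
    return {
        # decrypted client packet arriving on Dialer0 (ip access-group 101 in)
        "client_to_lan_acl101": evaluate(acls["101"], "tcp", client, lan_host)[0],
        # LAN reply leaving via Dialer0 must be exempt from NAT overload
        "lan_to_client_nat102": evaluate(acls["102"], "tcp", lan_host, client)[0],
        # ordinary LAN traffic to the Internet must still be translated
        "lan_to_internet_nat102": evaluate(acls["102"], "tcp", lan_host, "198.51.100.1")[0],
        # a source outside the /30 exemption falls through to the RFC1918 deny
        "out_of_pool_acl101": evaluate(acls["101"], "tcp", "192.168.1.9", lan_host)[0],
    }


if __name__ == "__main__":
    for name, verdict in check_vpn_flows(parse_acls(CONFIG)).items():
        print(f"{name:24} {verdict}")
```

On the entries as posted, the pool is permitted in ACL 101 before the 192.168.0.0/16 deny and is exempted from NAT by ACL 102, so both checks come back as expected for a client in the pool; the fourth check shows what happens to a client address outside 192.168.1.0/30, which matters if the pool is later enlarged without updating both ACLs. The script models only the two ACLs: it does not model the CBAC inspection on Dialer0 (ip inspect DEFAULT100 out), the reverse-route injection, or the client's own firewall.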

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.