fz2hqs asked:
Cisco 827

Is it possible, does anybody know, whether the 827 can support a VPN and simultaneous internet access? i.e. one person connected to a head office via the secure private link, whilst the rest of the office are busy downloading scores from Wimbledon.
snoopy13:

An 827 will support VPN traffic to a maximum of around 350k at 3DES; it all depends how much traffic you will put through the VPN. How many users will use this link?
fz2hqs (ASKER):

I am not concerned here with traffic volumes, simply that I can simultaneously have one group of users accessing resources over a VPN and another group having internet access through the DSL connection.

I have the solution running on PIXs in a couple of other offices through leased lines; however, I am beginning to think that it isn't possible with the 827.

It is possible, but it cannot handle loads of traffic. If you want a sample config, let me know.
fz2hqs (ASKER):

I would kill for a working sample :) I know I am not far out with what I have; however, close just ain't good enough :(

Thanks in advance
Stuart
ASKER CERTIFIED SOLUTION: snoopy13
fz2hqs (ASKER):

I will award points - probably a lot more - once I run it up with any success.
Thanks, though, for the help here.
fz2hqs (ASKER):

I think I am closer; however, I have looked at this so long now I cannot see the wood from the trees! Can you see what I have wrong in this?

I am on the 192.168.129.0/24 subnet; the other end is 10.9.8.0/24. The peering addresses are okay.

version 12.2
no parser cache
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
no logging buffered
enable secret <SNIP>
!
username Router password 7 0822455D0A16
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
ip subnet-zero
no ip domain lookup
!
ip inspect name outboundtraffic http
ip inspect name outboundtraffic ftp
ip inspect name outboundtraffic tcp
ip inspect name outboundtraffic udp
ip urlfilter alert
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key clubbing address x.x.x.146
!
!
crypto ipsec transform-set mySet esp-des esp-md5-hmac
!
crypto map ICNmap 10 ipsec-isakmp
 set peer x.x.x.146
 set transform-set mySet
 match address 101
!
partition flash 2 6 2
!
!
!
!
interface Loopback0
 description Loopback
 no ip address
!
interface Ethernet0
 description LAN
 ip address 192.168.129.254 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip inspect outboundtraffic in
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 description ADSL
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl power-cutback 0
!
interface Dialer1
 description "BT Openworld"
 bandwidth 512
 ip address 217.x.x.249 255.255.255.240
 ip access-group 111 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <SNIP>
 ppp chap password <SNIP>
 ppp pap sent-username <SNIP> password <SNIP>
 crypto map ICNmap
 hold-queue 224 in
!
ip nat inside source list 106 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 <Assigned gateway>
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.129.0 0.0.0.255
access-list 11 deny   any
access-list 11 permit 192.168.129.0 0.0.0.255
access-list 101 permit ip 192.168.129.0 0.0.0.255 10.9.8.0 0.0.0.255
access-list 102 permit ip 192.168.129.0 0.0.0.255 any
access-list 102 permit ip 10.9.8.0 0.0.0.255 any
access-list 106 deny   ip 192.168.129.0 0.0.0.255 10.9.8.0 0.0.0.255
access-list 106 permit ip 192.168.129.0 0.0.0.255 any
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq ftp
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq 443
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq domain
access-list 110 permit udp 192.168.129.0 0.0.0.255 any eq domain
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq 2095
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit ip 10.9.8.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 111 deny   ip any any
dialer-list 1 protocol ip permit
!
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 11 in
 exec-timeout 0 0
 password <snip>
 login local
 length 0
!
scheduler max-task-time 5000
end
fz2hqs (ASKER):

I think I am closer; however, I have looked at this so long now I cannot see the wood from the trees! Can you see what I have wrong in this?

I am on the 192.168.129.0/24 subnet; the other end is 10.9.8.0/24. The peering addresses are okay.

version 12.2
no parser cache
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Router
!
no logging buffered
enable secret <SNIP>
!
username Router password 7 0822455D0A16
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
ip subnet-zero
no ip domain lookup
!
ip inspect name outboundtraffic http
ip inspect name outboundtraffic ftp
ip inspect name outboundtraffic tcp
ip inspect name outboundtraffic udp
ip urlfilter alert
!
!
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key clubbing address x.x.x.146
!
!
crypto ipsec transform-set mySet esp-des esp-md5-hmac
!
crypto map MyMap 10 ipsec-isakmp
 set peer x.x.x.146
 set transform-set mySet
 match address 101
!
partition flash 2 6 2
!
!
!
!
interface Loopback0
 description Loopback
 no ip address
!
interface Ethernet0
 description LAN
 ip address 192.168.129.254 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip inspect outboundtraffic in
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 description ADSL
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl power-cutback 0
!
interface Dialer1
 description "BT Openworld"
 bandwidth 512
 ip address 217.x.x.249 255.255.255.240
 ip access-group 111 in
 ip nat outside
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 no fair-queue
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname <SNIP>
 ppp chap password <SNIP>
 ppp pap sent-username <SNIP> password <SNIP>
 crypto map MyMap
 hold-queue 224 in
!
ip nat inside source list 106 interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 <Assigned gateway>
no ip http server
no ip http secure-server
!
!
access-list 1 permit 192.168.129.0 0.0.0.255
access-list 11 deny   any
access-list 11 permit 192.168.129.0 0.0.0.255
access-list 101 permit ip 192.168.129.0 0.0.0.255 10.9.8.0 0.0.0.255
access-list 102 permit ip 192.168.129.0 0.0.0.255 any
access-list 102 permit ip 10.9.8.0 0.0.0.255 any
access-list 106 deny   ip 192.168.129.0 0.0.0.255 10.9.8.0 0.0.0.255
access-list 106 permit ip 192.168.129.0 0.0.0.255 any
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq ftp
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq 443
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq domain
access-list 110 permit udp 192.168.129.0 0.0.0.255 any eq domain
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq www
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq 2095
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit ip 10.9.8.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 111 deny   ip any any
dialer-list 1 protocol ip permit
!
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line vty 0 4
 access-class 11 in
 exec-timeout 0 0
 password <snip>
 login local
 length 0
!
scheduler max-task-time 5000
end
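The two configs posted above follow the usual IOS pattern for a site-to-site tunnel alongside NAT overload: a crypto ACL (101) defines the interesting traffic, the NAT ACL (106) must deny that same traffic before it permits anything, the inbound ACL on the crypto map interface (111) must admit ESP and ISAKMP, and whatever ACL sits inbound on the LAN interface (110) must let the interesting traffic in at all, or it is dropped before the crypto map ever sees it. The script below is an added example, not code from the thread or from Cisco; it parses a constructed excerpt of the posted config (the function names, the excerpt and the cut-down ACL 110 are all my own) and reports where those four relationships break. On the excerpt it reports that ACL 110 contains no "permit ip" towards 10.9.8.0/24, so only the listed TCP ports can enter the tunnel, and that ACL 11 begins with "deny any", which shadows its permit line as written.

```python
"""Consistency checks for the split-tunnel IPsec + NAT overload pattern above.
Added example; not code from the thread. Parses IOS-style config text."""

# Constructed excerpt of the posted config: crypto, NAT, interface and ACL lines
# only, with ACL 110 cut down to one representative line.
SAMPLE_CONFIG = """
crypto map MyMap 10 ipsec-isakmp
 set peer x.x.x.146
 match address 101
interface Ethernet0
 ip access-group 110 in
 ip nat inside
interface Dialer1
 ip access-group 111 in
 ip nat outside
 crypto map MyMap
ip nat inside source list 106 interface Dialer1 overload
access-list 11 deny any
access-list 11 permit 192.168.129.0 0.0.0.255
access-list 101 permit ip 192.168.129.0 0.0.0.255 10.9.8.0 0.0.0.255
access-list 106 deny ip 192.168.129.0 0.0.0.255 10.9.8.0 0.0.0.255
access-list 106 permit ip 192.168.129.0 0.0.0.255 any
access-list 110 permit tcp 192.168.129.0 0.0.0.255 any eq www
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit ip 10.9.8.0 0.0.0.255 192.168.129.0 0.0.0.255
access-list 111 deny ip any any
"""

# Same excerpt with the two reported defects corrected (constructed): the leading
# "deny any" removed from ACL 11, and a "permit ip" to the remote subnet in ACL 110.
FIXED_CONFIG = SAMPLE_CONFIG.replace("access-list 11 deny any\n", "") + \
    "access-list 110 permit ip 192.168.129.0 0.0.0.255 10.9.8.0 0.0.0.255\n"


def parse_config(text):
    """Return (acls, interfaces, crypto_maps, nat_list) from IOS-style config text."""
    acls, ifs, maps, nat_list, block = {}, {}, {}, None, None
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):                 # indented: inside an interface or crypto map
            if block is None:
                continue
            kind, name = block
            body = line.split()
            if kind == "if" and body[:2] == ["ip", "access-group"] and body[-1] == "in":
                ifs[name]["acl_in"] = int(body[2])
            elif kind == "if" and body[:2] == ["ip", "nat"]:
                ifs[name]["nat"] = body[2]       # "inside" or "outside"
            elif kind == "if" and body[:2] == ["crypto", "map"]:
                ifs[name]["crypto_map"] = body[2]
            elif kind == "map" and body[:2] == ["match", "address"]:
                maps[name].append(int(body[2]))
            continue
        block = None
        tok = line.split()
        if tok[0] == "access-list":              # entries keep their configured order
            acls.setdefault(int(tok[1]), []).append(tok[2:])
        elif tok[0] == "interface":
            block = ("if", tok[1])
            ifs[tok[1]] = {"acl_in": None, "nat": None, "crypto_map": None}
        elif tok[:2] == ["crypto", "map"] and "ipsec-isakmp" in tok:
            block = ("map", tok[2])
            maps.setdefault(tok[2], [])
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_list = int(tok[5])
    return acls, ifs, maps, nat_list


def lint(text):
    """Return a list of findings; an empty list means the four relationships hold."""
    acls, ifs, maps, nat_list = parse_config(text)
    findings, flows = [], []
    for name, cfg in ifs.items():
        if cfg["crypto_map"] is None:
            continue
        for acl in maps.get(cfg["crypto_map"], []):       # interesting-traffic ACLs
            flows += [tuple(e[2:]) for e in acls.get(acl, [])
                      if e[:2] == ["permit", "ip"] and len(e) == 6]
        inbound = acls.get(cfg["acl_in"], [])              # must admit ESP and ISAKMP
        if not any(e[:2] == ["permit", "esp"] for e in inbound):
            findings.append(f"{name}: inbound ACL {cfg['acl_in']} does not permit esp")
        if not any(e[:2] == ["permit", "udp"] and e[-2:] == ["eq", "isakmp"] for e in inbound):
            findings.append(f"{name}: inbound ACL {cfg['acl_in']} does not permit udp eq isakmp")
    nat = acls.get(nat_list, [])
    first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
    for src, swc, dst, dwc in flows:
        if ["deny", "ip", src, swc, dst, dwc] not in nat[:first_permit]:   # NAT exemption
            findings.append(f"NAT list {nat_list}: {src} -> {dst} is not exempted before the first permit")
        for name, cfg in ifs.items():                       # LAN-side ACL must pass the flow
            if cfg["nat"] != "inside" or cfg["acl_in"] is None:
                continue
            if not any(e[:2] == ["permit", "ip"] and e[2:4] == [src, swc] and e[4] in (dst, "any")
                       for e in acls.get(cfg["acl_in"], [])):
                findings.append(f"{name}: inbound ACL {cfg['acl_in']} has no 'permit ip' from {src} "
                                f"to {dst}; only the individually listed ports can reach the tunnel")
    for num, entries in acls.items():                       # "deny any" before other lines
        for i, e in enumerate(entries):
            if e[1:] in (["any"], ["ip", "any", "any"]) and i < len(entries) - 1:
                findings.append(f"ACL {num}: '{' '.join(e)}' at entry {i + 1} shadows every later entry")
                break
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or ["no findings"])
```

The checks are deliberately structural: they say nothing about whether the peer's ISAKMP policy or transform set matches, which is where a tunnel that negotiates and is then torn down usually needs looking at next, but they catch the ACL-ordering and NAT-exemption mistakes that silently black-hole traffic before IPsec is involved.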
So the tunnels come up OK? If so, remove the access lists from the inside and outside interfaces and see if that makes a difference.
fz2hqs (ASKER):

I am at my head office (where the PIX end is). The tunnel is created absolutely fine; then, for some reason, once created, the 827 sends a delete request through!? As you say, I will tear down the ACLs.

Thanks for your input