• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 337
  • Last Modified:

Cisco 1721 VPN

I need to get VPN working and can't seem to see the issue.  Have Cisco 1721 with 2 WICS to different ISP's with failover working.  Want to be able to VPN to at least the 208.x.x.x ip, and perhaps the 24.x.x.x ip as well.  All users will be using vpn clients.  Safenet's softremote!  Can someone have a look see and tell me what I have too much of or not enough of?

Cheers,

Running Config Below

Current configuration : 3819 bytes
!
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$4kPF$CvEeShPvIRhKPzCqgmRuu.
enable password 7 104704470B1243
!
username crabs privilege 15 password 7 030D5655080A70
username john654 password 7 130616021905527C7D
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
!
track 100 rtr 1 reachability
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key cisco123
 dns 192.168.3.249
 domain mydomain.com
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description ISP1
 ip address 208.181.196.33 255.255.255.248
 ip nat outside
 half-duplex
 crypto map clientmap
!
interface Ethernet1
 description ISP2
 ip address 24.70.4.234 255.255.252.0
 ip nat outside
 full-duplex
 crypto map clientmap
!
interface FastEthernet0
 description Local LAN
 ip address 192.168.193.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.252.0
 ip nat inside
 speed 100
 full-duplex
!
ip local pool ippool 192.168.123.200 192.168.123.250
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload
ip nat inside source route-map ROUTE-NAT2 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.231 25 24.70.4.234 25 extendable
ip nat inside source static tcp 192.168.3.250 80 24.70.4.234 80 extendable
ip nat inside source static tcp 192.168.0.231 25 208.181.196.33 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 208.181.196.38 track 100
ip route 0.0.0.0 0.0.0.0 24.70.4.1 200
ip route 192.168.60.0 255.255.255.0 192.168.0.2
ip route 192.168.61.0 255.255.255.0 192.168.0.2
ip route 192.168.62.0 255.255.255.0 192.168.0.2
ip route 192.168.63.0 255.255.255.0 192.168.0.2
ip route 192.168.64.0 255.255.255.0 192.168.0.2
ip route 192.168.65.0 255.255.255.0 192.168.0.2
ip route 192.168.66.0 255.255.255.0 192.168.0.2
ip route 192.168.67.0 255.255.255.0 192.168.0.2
ip route 192.168.68.0 255.255.255.0 192.168.0.2
ip route 192.168.69.0 255.255.255.0 192.168.0.2
ip route 192.168.70.0 255.255.255.0 192.168.0.2
ip route 192.168.71.0 255.255.255.0 192.168.0.2
ip route 204.50.49.20 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.114 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.119 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.120 255.255.255.255 192.168.3.2 permanent
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 permit tcp any any established
!
route-map ROUTE-NAT2 permit 10
 match ip address 110
 match interface Ethernet1
!
route-map FAIL-OVER permit 10
 match ip address 120
 set interface Ethernet0 Null0
 set ip next-hop 208.181.196.38
!
route-map ROUTE-NAT permit 10
 match ip address 110
 match interface Ethernet0
!
!
control-plane
!
rtr 1
 type echo protocol ipIcmpEcho 208.181.196.38
rtr schedule 1 start-time now life forever
!
line con 0
 exec-timeout 15 0
line aux 0
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 password 7 030D5655080A70
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login
 transport input telnet ssh
!
!
end
0
dgratton1085
Asked:
dgratton1085
  • 4
  • 2
1 Solution
 
lrmooreCommented:
Your config is straight out of the Cisco document:
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml
I don't see any discrepancies.

The document is meant for using the Cisco VPN client, there are no guarantees that it will work with any other client like Safenet..

Have you tried this config with the Cisco client?


     
0
 
dgratton1085Author Commented:
I can't seem to get my hands on it!
0
 
lrmooreCommented:
If you have a CCO login, you should be able to download it..
http://www.cisco.com/kobayashi/sw-center/vpn/client/
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
dgratton1085Author Commented:
i don't
0
 
lrmooreCommented:
Contact TAC. If you have the IPSEC feature set on your router, you should be able to convince them to give you access to download it.
0
 
harbor235Commented:
You are missing the  "crypto isakmp client configuration address-pool local ippool" command under the "crypto isakmp policy 3" configuration mode. Aslo, take a look at http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a0080189111.shtml

harbor235
0
 
lrmooreCommented:
Do you need more information?
Have you resolved this problem?
Can you close this question?
http://www.experts-exchange.com/help.jsp#hs5

Thanks!
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 4
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now