Cisco 1721 VPN

Asked by dgratton1085 (Canada):

I need to get VPN working and can't seem to see the issue. I have a Cisco 1721 with 2 WICs to different ISPs, with failover working. I want to be able to VPN to at least the 208.x.x.x IP, and perhaps the 24.x.x.x IP as well. All users will be using VPN clients: SafeNet's SoftRemote! Can someone have a look-see and tell me what I have too much of or not enough of?

Cheers,

Running Config Below

Current configuration : 3819 bytes
!
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname GATEWAY
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$4kPF$CvEeShPvIRhKPzCqgmRuu.
enable password 7 104704470B1243
!
username crabs privilege 15 password 7 030D5655080A70
username john654 password 7 130616021905527C7D
no aaa new-model
ip subnet-zero
!
!
!
!
ip cef
ip audit notify log
ip audit po max-events 100
!
track 100 rtr 1 reachability
no ftp-server write-enable
no scripting tcl init
no scripting tcl encdir
!
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpngroup
 key cisco123
 dns 192.168.3.249
 domain mydomain.com
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 description ISP1
 ip address 208.181.196.33 255.255.255.248
 ip nat outside
 half-duplex
 crypto map clientmap
!
interface Ethernet1
 description ISP2
 ip address 24.70.4.234 255.255.252.0
 ip nat outside
 full-duplex
 crypto map clientmap
!
interface FastEthernet0
 description Local LAN
 ip address 192.168.193.1 255.255.255.0 secondary
 ip address 192.168.3.1 255.255.252.0
 ip nat inside
 speed 100
 full-duplex
!
ip local pool ippool 192.168.123.200 192.168.123.250
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload
ip nat inside source route-map ROUTE-NAT2 interface Ethernet1 overload
ip nat inside source static tcp 192.168.0.231 25 24.70.4.234 25 extendable
ip nat inside source static tcp 192.168.3.250 80 24.70.4.234 80 extendable
ip nat inside source static tcp 192.168.0.231 25 208.181.196.33 25 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 208.181.196.38 track 100
ip route 0.0.0.0 0.0.0.0 24.70.4.1 200
ip route 192.168.60.0 255.255.255.0 192.168.0.2
ip route 192.168.61.0 255.255.255.0 192.168.0.2
ip route 192.168.62.0 255.255.255.0 192.168.0.2
ip route 192.168.63.0 255.255.255.0 192.168.0.2
ip route 192.168.64.0 255.255.255.0 192.168.0.2
ip route 192.168.65.0 255.255.255.0 192.168.0.2
ip route 192.168.66.0 255.255.255.0 192.168.0.2
ip route 192.168.67.0 255.255.255.0 192.168.0.2
ip route 192.168.68.0 255.255.255.0 192.168.0.2
ip route 192.168.69.0 255.255.255.0 192.168.0.2
ip route 192.168.70.0 255.255.255.0 192.168.0.2
ip route 192.168.71.0 255.255.255.0 192.168.0.2
ip route 204.50.49.20 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.114 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.119 255.255.255.255 192.168.3.2 permanent
ip route 216.95.175.120 255.255.255.255 192.168.3.2 permanent
no ip http server
no ip http secure-server
!
!
!
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
access-list 120 permit tcp any any established
!
route-map ROUTE-NAT2 permit 10
 match ip address 110
 match interface Ethernet1
!
route-map FAIL-OVER permit 10
 match ip address 120
 set interface Ethernet0 Null0
 set ip next-hop 208.181.196.38
!
route-map ROUTE-NAT permit 10
 match ip address 110
 match interface Ethernet0
!
!
control-plane
!
rtr 1
 type echo protocol ipIcmpEcho 208.181.196.38
rtr schedule 1 start-time now life forever
!
line con 0
 exec-timeout 15 0
line aux 0
line vty 0 4
 exec-timeout 30 0
 privilege level 15
 password 7 030D5655080A70
 login
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login
 transport input telnet ssh
!
!
end
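The question is what the running-config above has too much or too little of. As an added example (not code from the question or from any of the answers), the Python helper below parses an IOS running-config into blocks and checks that the remote-access IPsec pieces are actually wired together: client group to address pool, transform set to dynamic map to crypto map, the crypto map applied on every `ip nat outside` interface (both ISP links here), and a NAT-exemption deny covering the pool in the ACL behind each NAT route-map. It also flags what a security reviewer raises on sight: `password 7` strings, which it reverses to show they are obfuscation rather than encryption, and telnet on the vty lines. The sample config is a trimmed copy of the posted one with the posted type 7 strings replaced by a constructed value (the type 7 encoding of the word "cisco"); the function names and the finding format are this helper's own assumptions.

```python
"""Added audit helper (not from the question or the answers): parses an IOS
running-config, checks that a remote-access IPsec setup is wired together
(client group -> pool, transform set -> dynamic map -> crypto map -> every
'ip nat outside' interface, NAT exemption for the pool) and flags settings a
reviewer would raise.  Function names and the sample are assumptions."""
import ipaddress

# Constructed sample: trimmed from the posted config, with the posted type-7
# strings replaced by the type-7 encoding of the word "cisco".
SAMPLE_CONFIG = """\
enable password 7 060506324F41
crypto isakmp client configuration group vpngroup
 pool ippool
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0
 ip nat outside
 crypto map clientmap
interface Ethernet1
 ip nat outside
 crypto map clientmap
ip local pool ippool 192.168.123.200 192.168.123.250
ip nat inside source route-map ROUTE-NAT interface Ethernet0 overload
access-list 110 deny   ip 192.168.0.0 0.0.3.255 192.168.123.0 0.0.0.255
access-list 110 permit ip 192.168.0.0 0.0.255.255 any
route-map ROUTE-NAT permit 10
 match ip address 110
line vty 0 4
 transport input telnet ssh
"""

# Fixed XOR key behind IOS "service password-encryption" (type 7 strings).
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"

def decrypt_type7(enc):
    """Type 7 is obfuscation: a two-digit key offset, then hex of plaintext
    XOR the fixed key.  Anyone who sees the string has the secret."""
    seed, data = int(enc[:2]), bytes.fromhex(enc[2:])
    return bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                 for i, b in enumerate(data)).decode()

def parse_ios(text):
    """Group config lines into (header, [indented child lines]) blocks."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks

def _acl_dest(t):
    """Destination network of an 'access-list N deny ip SRC SWILD DST DWILD' entry."""
    rest = t[5:] if t[4] == "any" else t[6:]                  # skip the source part
    if not rest or rest[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if rest[0] == "host" or rest[1] == "0.0.0.0":              # both forms mean one host
        return ipaddress.ip_network((rest[1] if rest[0] == "host" else rest[0]) + "/32")
    return ipaddress.ip_network(f"{rest[0]}/{rest[1]}", strict=False)  # wildcard = hostmask

def audit(text):
    """Return 'MISSING: ...' and 'WEAK: ...' findings for a running-config."""
    blocks = parse_ios(text)
    heads = [h for h, _ in blocks]
    def kids_of(prefix):
        return [c for h, kids in blocks if h.startswith(prefix) for c in kids]
    out = []

    # Client group -> pool name -> 'ip local pool' definition (the pool must exist).
    pool = next((c.split()[1] for c in kids_of("crypto isakmp client configuration group")
                 if c.startswith("pool ")), None)
    pool_def = next((h.split() for h in heads if h.startswith(f"ip local pool {pool} ")), None)
    if pool_def is None:
        return [f"MISSING: 'ip local pool' for client-group pool {pool!r}"]
    lo, hi = ipaddress.ip_address(pool_def[4]), ipaddress.ip_address(pool_def[5])

    # Transform set -> dynamic map -> crypto map -> every NAT-outside interface.
    for c in kids_of("crypto dynamic-map "):
        if c.startswith("set transform-set ") and not any(
                h.startswith(f"crypto ipsec transform-set {c.split()[2]} ") for h in heads):
            out.append(f"MISSING: transform-set {c.split()[2]!r}")
    maps = {h.split()[2] for h in heads if h.startswith("crypto map ") and " dynamic " in h}
    for h, kids in blocks:
        if h.startswith("interface ") and "ip nat outside" in kids and not any(
                c.startswith("crypto map ") and c.split()[2] in maps for c in kids):
            out.append(f"MISSING: crypto map on {h!r}")

    # NAT exemption: the ACL behind each NAT route-map must deny LAN -> pool,
    # or replies to VPN clients are translated and never enter the tunnel.
    for h in heads:
        t = h.split()
        if t[:5] != ["ip", "nat", "inside", "source", "route-map"]:
            continue
        acl = next((c.split()[3] for c in kids_of(f"route-map {t[5]} ")
                    if c.startswith("match ip address ")), None)
        denies = [x.split() for x in heads if x.startswith(f"access-list {acl} deny ")]
        if not any(d[3] == "ip" and lo in _acl_dest(d) and hi in _acl_dest(d) for d in denies):
            out.append(f"MISSING: NAT exemption for {lo}-{hi} behind {t[5]} (access-list {acl})")

    # Settings a reviewer flags on sight.
    for line in heads + [c for _, kids in blocks for c in kids]:
        if "password 7 " in line:
            out.append(f"WEAK: type 7 string in {line.rsplit(' ', 2)[0]!r} "
                       f"reverses to {decrypt_type7(line.split()[-1])!r}")
        if line.startswith("transport input ") and "telnet" in line.split():
            out.append("WEAK: telnet permitted on vty lines; allow ssh only")
    return out

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the sample the wiring checks all pass and only two findings come back: the type 7 string reverses to its plaintext, and telnet is open on the vty lines. Deleting the `access-list 110 deny` line or the `crypto map clientmap` line under `interface Ethernet1` produces the corresponding `MISSING:` finding, which is the kind of gap the question is asking about. Run against the posted config as-is, the same `decrypt_type7` reverses every `password 7` string in it, which is the reason a running-config with `service password-encryption` output should be scrubbed before it is pasted into a public forum; only the `enable secret 5` hash is not directly reversible.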
Les Moore (United States) replied:

Your config is straight out of the Cisco document:
http://www.cisco.com/en/US/tech/tk59/technologies_configuration_example09186a00800a393b.shtml
I don't see any discrepancies.

The document is meant for using the Cisco VPN client; there are no guarantees that it will work with any other client like Safenet.

Have you tried this config with the Cisco client?

dgratton1085 (asker) replied:
I can't seem to get my hands on it!
If you have a CCO login, you should be able to download it.
http://www.cisco.com/kobayashi/sw-center/vpn/client/
I don't.
Contact TAC. If you have the IPSEC feature set on your router, you should be able to convince them to give you access to download it.
You are missing the "crypto isakmp client configuration address-pool local ippool" command under the "crypto isakmp policy 3" configuration mode. Also, take a look at http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/ns27/networking_solutions_white_paper09186a0080189111.shtml

harbor235
ASKER CERTIFIED SOLUTION from Les Moore (United States): this solution is only available to Experts Exchange members.