BDMP
Problem with VPN connection with a Cisco 831
Here is my config file. I can connect to my VPN but can't access anything on the 192.168.0.0 network. I also cannot connect to a telnet session now on either interface.
I also added
route-map nonat permit 10
match ip address 103
Any ideas on the problem?
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip name-server 207.5.128.9
ip name-server 207.5.128.10
!
ip dhcp pool CLIENT
import all
network 192.168.0.0 255.255.255.0
domain-name suscom-maine.net
default-router 192.168.0.1
lease 0 2
!
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group *****
key 0 ********
dns 192.168.0.10
domain nmaec.com
pool ippool
acl 108
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 192.168.0.1 255.255.255.0
ip access-group 122 out
ip nat inside
no cdp enable
hold-queue 32 in
!
interface Ethernet1
ip address dhcp client-id Ethernet1
ip access-group 111 in
ip nat outside
ip inspect myfw out
duplex auto
no cdp enable
crypto map clientmap
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
ip local pool ippool 192.168.1.100 192.168.1.110
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source route-map nonat interface Ethernet1 overload
ip classless
ip http server
no ip http secure-server
!
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit tcp any any eq telnet
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
no cdp run
!
line con 0
no modem enable
line aux 0
line vty 0 4
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
!
end
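The three numbered ACLs in the posted config decide, respectively, what the `ip nat inside source list 102` statement translates, what the `route-map nonat` statement translates (only flows ACL 103 permits), and what the VPN client's split-tunnel list (ACL 108) covers. The following script is an added example, not part of the original post or of Cisco's software: it re-implements IOS wildcard-mask matching and first-match ACL evaluation over those exact lines so you can see how a LAN-to-VPN-pool flow (192.168.0.0/24 to 192.168.1.100-110) is treated by each list. The point it makes is that ACL 102 still permits that flow, so the exemption in route-map nonat only helps if the route-map statement, not the list 102 statement, is the one that translates the packet; Cisco's usual NAT-exemption pattern keeps a single dynamic NAT statement whose ACL or route-map denies the VPN traffic. The sample addresses are constructed for the example.

```python
"""IOS-style wildcard-mask ACL evaluation for the NAT and split-tunnel lists
in the posted 831 config.  Added example; not the router's own code."""
import ipaddress
from dataclasses import dataclass

# ACL lines copied from the posted config.  102 feeds the first dynamic NAT
# statement, 103 is matched by route-map nonat, 108 is the split-tunnel list
# handed to the VPN client.
CONFIG = """
access-list 102 permit ip 192.168.0.0 0.0.0.255 any
access-list 103 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 permit ip any any
access-list 108 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
"""


@dataclass(frozen=True)
class Ace:
    """One access-control entry: action plus source/destination address and wildcard."""
    action: str
    src: int
    src_wc: int
    dst: int
    dst_wc: int


def _to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def _parse_addr(tokens, i):
    """Parse 'any', 'host X' or 'X WILDCARD' starting at tokens[i].
    Returns ((address, wildcard), next_index)."""
    tok = tokens[i]
    if tok == "any":
        return (0, 0xFFFFFFFF), i + 1
    if tok == "host":
        return (_to_int(tokens[i + 1]), 0), i + 2
    return (_to_int(tok), _to_int(tokens[i + 1])), i + 2


def parse_acls(text: str) -> dict:
    """Parse extended 'access-list N permit|deny ip SRC DST' lines into {number: [Ace, ...]}.
    Only the 'ip' protocol form used in the post is supported."""
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        (src, swc), i = _parse_addr(tok, 4)
        (dst, dwc), _ = _parse_addr(tok, i)
        acls.setdefault(int(tok[1]), []).append(Ace(tok[2], src, swc, dst, dwc))
    return acls


def matches(ace: Ace, src: int, dst: int) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    return ((src & ~ace.src_wc) == (ace.src & ~ace.src_wc)
            and (dst & ~ace.dst_wc) == (ace.dst & ~ace.dst_wc))


def evaluate(acl, src: str, dst: str) -> str:
    """First matching entry wins; an unmatched packet hits the implicit deny."""
    s, d = _to_int(src), _to_int(dst)
    for ace in acl:
        if matches(ace, s, d):
            return ace.action
    return "deny"


def nat_decision(acls: dict, src: str, dst: str) -> dict:
    """Which of the posted NAT statements would translate this flow.
    'list 102' translates when ACL 102 permits; 'route-map nonat' translates only
    when ACL 103 permits (its deny line is the exemption); ACL 108 is the
    split-tunnel list, i.e. what the VPN client sends through the tunnel."""
    return {
        "list 102 translates": evaluate(acls[102], src, dst) == "permit",
        "route-map nonat translates": evaluate(acls[103], src, dst) == "permit",
        "split-tunnel 108 includes": evaluate(acls[108], src, dst) == "permit",
    }


if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    # Constructed sample flows: a LAN host replying to a VPN client in the pool,
    # and the same LAN host going to the Internet.
    for dst in ("192.168.1.100", "8.8.8.8"):
        print("192.168.0.20 ->", dst, nat_decision(acls, "192.168.0.20", dst))
```

Run it and compare the two flows: for the Internet-bound one both NAT statements agree (translate), but for the LAN-to-VPN-client one ACL 103 exempts the flow while ACL 102 still permits it, which is the overlap worth removing.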
4.6 is better anyway - try it. I had 4.x working wirelessly. Can't remember if 3.5.1 worked or didn't work, but I can't think of why it would be picky.