Solved

VPN Problem in CISCO 2811

Posted on 2008-10-21
Last Modified: 2012-05-05
Hi,
    I have recently tried to configure Easy VPN Server on a Cisco 2811 via SDM. The problem is that when I try to connect to the router remotely, it can't connect. Please help me. Is there any kind of ACL issue in this?
Current configuration : 5415 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MTL_RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$3ult$UZIRC2G5Nybzvurjm8q9d.
enable password xxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
aaa authorization network sdm_vpn_group_ml_2 local 
aaa authorization network sdm_vpn_group_ml_3 local 
aaa authorization network sdm_vpn_group_ml_4 local 
!
aaa session-id common
!
resource policy
!
memory-size iomem 10
!
!
ip cef
!
!
ip name-server 10.16.6.11
ip name-server 10.16.7.12
!
!
!
voice-card 0
 no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!         
!
!
username nasir privilege 15 password 0 xxxxxxxxxxx
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 group 2
!
crypto isakmp client configuration group Test
 key alaskas
 dns 10.16.6.11 192.168.1.17
 wins 192.168.1.17
 pool SDM_POOL_1
 include-local-lan
crypto isakmp profile sdm-ike-profile-1
   match identity group Test
   client authentication list sdm_vpn_xauth_ml_4
   isakmp authorization list sdm_vpn_group_ml_4
   client configuration address respond
   virtual-template 4
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA 
 set isakmp-profile sdm-ike-profile-1
!
!
crypto map VPN 1 ipsec-isakmp 
 set peer 58.27.232.22
 set transform-set ESP-3DES-SHA 
 match address 150
!
!
!
!
!
interface FastEthernet0/0
 description -------------LAN------------$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address xxxxxxxxxx 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!         
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Virtual-Template4 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.10
ip default-gateway 58.27.232.17
ip route 0.0.0.0 0.0.0.0 58.27.232.17
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source static tcp 192.168.1.11 25 interface FastEthernet0/1 25
ip nat source static tcp 192.168.1.11 110 interface FastEthernet0/1 110
ip nat inside source list 110 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.11 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.1.11 110 interface FastEthernet0/1 110
ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 permit ip 192.168.6.0 0.0.0.255 any
access-list 110 permit ip 192.168.7.0 0.0.0.255 any
access-list 110 permit ip 192.168.8.0 0.0.0.255 any
access-list 110 permit ip 192.168.9.0 0.0.0.255 any
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 150 remark VPN
access-list 150 remark SDM_ACL Category=4
access-list 150 remark VPN
access-list 150 permit ip any any log
snmp-server community public RO

Question by:nasirsh
2 Comments
 

Expert Comment

by:IPFox
ID: 22773626
Hi,
From where are you trying to connect, and how?
Are you trying from any of 192.168.x.x addresses?


Accepted Solution

by:nasirsh
ID: 22773734
No. I am trying to connect from outside, like 203.81.x.x.