Solved

VPN Problem in CISCO 2811

Posted on 2008-10-21
Last Modified: 2012-05-05
Hi,
    I have recently tried to configure Easy VPN Server on a Cisco 2811 via SDM. The problem is that when I try to connect to the router remotely, it can't connect. Please help me. Is there any kind of ACL issue in this?
Current configuration : 5415 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname MTL_RTR
!
boot-start-marker
boot-end-marker
!
logging buffered 52000 debugging
enable secret 5 $1$3ult$UZIRC2G5Nybzvurjm8q9d.
enable password xxxxxxxx
!
aaa new-model
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authentication login sdm_vpn_xauth_ml_4 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 local
aaa authorization network sdm_vpn_group_ml_3 local
aaa authorization network sdm_vpn_group_ml_4 local
!
aaa session-id common
!
resource policy
!
memory-size iomem 10
!
ip cef
!
ip name-server 10.16.6.11
ip name-server 10.16.7.12
!
voice-card 0
 no dspfarm
!
username nasir privilege 15 password 0 xxxxxxxxxxx
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 group 2
!
crypto isakmp client configuration group Test
 key alaskas
 dns 10.16.6.11 192.168.1.17
 wins 192.168.1.17
 pool SDM_POOL_1
 include-local-lan
crypto isakmp profile sdm-ike-profile-1
   match identity group Test
   client authentication list sdm_vpn_xauth_ml_4
   isakmp authorization list sdm_vpn_group_ml_4
   client configuration address respond
   virtual-template 4
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!
crypto map VPN 1 ipsec-isakmp
 set peer 58.27.232.22
 set transform-set ESP-3DES-SHA
 match address 150
!
interface FastEthernet0/0
 description -------------LAN------------$ETH-LAN$$FW_INSIDE$
 ip address 192.168.1.18 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface FastEthernet0/1
 description $ETH-WAN$$FW_OUTSIDE$
 ip address xxxxxxxxxx 255.255.255.248
 ip flow ingress
 ip flow egress
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 no ip address
 tunnel mode ipsec ipv4
!
interface Virtual-Template4 type tunnel
 ip unnumbered FastEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
!
ip local pool SDM_POOL_1 192.168.50.1 192.168.50.10
ip default-gateway 58.27.232.17
ip route 0.0.0.0 0.0.0.0 58.27.232.17
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat source static tcp 192.168.1.11 25 interface FastEthernet0/1 25
ip nat source static tcp 192.168.1.11 110 interface FastEthernet0/1 110
ip nat inside source list 110 interface FastEthernet0/1 overload
ip nat inside source static tcp 192.168.1.11 25 interface FastEthernet0/1 25
ip nat inside source static tcp 192.168.1.11 110 interface FastEthernet0/1 110
ip nat inside source static tcp 192.168.1.4 22 interface FastEthernet0/1 22
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
ip access-list extended SDM_HTTPS
 remark SDM_ACL Category=1
 permit tcp any any eq 443
ip access-list extended SDM_SHELL
 remark SDM_ACL Category=1
 permit tcp any any eq cmd
ip access-list extended SDM_SSH
 remark SDM_ACL Category=1
 permit tcp any any eq 22
!
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.10.0 0.0.0.255 any
access-list 110 permit ip 192.168.2.0 0.0.0.255 any
access-list 110 permit ip 192.168.3.0 0.0.0.255 any
access-list 110 permit ip 192.168.4.0 0.0.0.255 any
access-list 110 permit ip 192.168.5.0 0.0.0.255 any
access-list 110 permit ip 192.168.6.0 0.0.0.255 any
access-list 110 permit ip 192.168.7.0 0.0.0.255 any
access-list 110 permit ip 192.168.8.0 0.0.0.255 any
access-list 110 permit ip 192.168.9.0 0.0.0.255 any
access-list 110 permit ip 192.168.20.0 0.0.0.255 any
access-list 150 remark VPN
access-list 150 remark SDM_ACL Category=4
access-list 150 remark VPN
access-list 150 permit ip any any log
snmp-server community public RO

Question by:nasirsh
2 Comments
 
LVL 3

Expert Comment

by:IPFox
ID: 22773626
Hi,
From where are you trying to connect, and how?
Are you trying from any of the 192.168.x.x addresses?

 
LVL 4

Accepted Solution

by:
nasirsh earned 0 total points
ID: 22773734
No. I am trying to connect from outside like 203.81.x.x
Question has a verified solution.