
Cisco 877 VPN Configuration

Hi, please help to verify why my configuration for VPN on a Cisco 877 router doesn't work.

Thanks, Danny

This is the configuration.

Building configuration...

Current configuration : 5550 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ROUTER-R1
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login userauthen local
aaa authorization exec default local
aaa authorization network grourauthor local
!
aaa session-id common
!
resource policy
!
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.29
ip dhcp excluded-address 192.168.1.51 192.168.1.254
!
ip dhcp pool sdm-pool
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 165.21.83.88 165.21.100.88
!
!
no ip domain lookup
ip domain name uni.local
ip name-server 165.21.83.88
ip name-server 165.21.100.88
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 http
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 imap
ip inspect name DEFAULT100 pop3
ip inspect name DEFAULT100 https
ip inspect name DEFAULT100 isakmp
!
!
crypto pki trustpoint TP-self-signed-3676577292
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3676577292
 revocation-check none
 rsakeypair TP-self-signed-3676577292
!
!
crypto pki certificate chain TP-self-signed-3676577292
 certificate self-signed 01
  30820251 308201BA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 33363736 35373732 3932301E 170D3032 30333031 30333538
  34315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 36373635
  37373239 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81009991 3672EC68 8A087165 E16F163B F49B474A EFF6BC10 90FA2E4B 8D395125
  3E38792B EB91C653 91867011 9C170651 7644CDB8 5B008BE9 EEFD3F91 FFB0BBAA
  57759795 ED6F6B1E E2E522A4 56BF9D63 D4B79ABA 09841BD4 83A7F376 C0BEEA59
  80A62CC4 F3EFC467 F2CF51A4 C8D4698E C7801A77 4351563F 97CE07DE 856144EF
  24B70203 010001A3 79307730 0F060355 1D130101 FF040530 030101FF 30240603
  551D1104 1D301B82 19424155 52414E44 2D52312E 796F7572 646F6D61 696E2E63
  6F6D301F 0603551D 23041830 168014F3 F5887629 6E35A43F 4E268DE9 74CBCE19
  46E1BA30 1D060355 1D0E0416 0414F3F5 8876296E 35A43F4E 268DE974 CBCE1946
  E1BA300D 06092A86 4886F70D 01010405 00038181 008DC91F 4E5AD35C 53971EFF
  5E1F2A07 52E4E1E8 076C3960 EC57ABA9 0CB0376A 1BC25273 487AAB3B 1CE398E8
  CE5BDB65 6237AD88 A0F00979 14D64961 874261F7 582F8357 1C5995EA 51E773C3
  7B50A994 7DFF2631 349035F5 09A31742 0FC875F9 AF57A3B8 589C212D 3C49F47C
  E54F5D63 C91FE5B0 C6E57E71 368A9605 C0A3F4C7 62
  quit
username ****** privilege 15 secret 5 $1$XNxQ$KI6aEg/i7tPMlaI7RfMFa.

!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group baurand
 key ********
 dns 192.168.1.1 192.168.1.5
 domain uni.local
 pool vpn-pool
 acl vpn-acl
 include-local-lan
crypto isakmp profile vpn-profile
   match identity group baurand
   client authentication list userauthen
   isakmp authorization list groupauthor
   client configuration address respond
!
!
crypto ipsec transform-set 3DES-SHA esp-3des esp-sha-hmac
!
!
crypto dynamic-map vpn-dynmap 1
 set transform-set 3DES-SHA
 set isakmp-profile vpn-profile
 reverse-route
!
!
!
crypto map vpn-map 1 ipsec-isakmp dynamic vpn-dynmap
!
!
!
!
interface ATM0
 description BIZLINK 2MBPS [00053553SNG/63921057]
 ip address XXX.XXX.XXX.XXX 255.255.255.252
 ip nat outside
 ip inspect DEFAULT100 out
 ip virtual-reassembly
 no atm ilmi-keepalive
 pvc 8/35
  protocol ip XXX.XXX.XXX.XXX broadcast
  encapsulation aal5snap
 !
 dsl operating-mode auto
 crypto map vpn-map
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 115.42.159.49 255.255.255.240 secondary
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
!
interface Dialer0
 no ip address
 no cdp enable
!
ip local pool vpn-pool 192.168.10.100 192.168.10.119
ip route 0.0.0.0 0.0.0.0 XXX.XXX.XXX.XXX
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source list 100 interface ATM0 overload

!
ip access-list extended nat-list
 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn-acl
 permit ip 192.168.1.0 0.0.0.255 any
!
access-list 23 permit any
access-list 100 deny   ip host 192.168.1.2 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
!
!
route-map vpn-rmap permit 1
 match ip address nat-list
!
!
control-plane
!
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
Asked by: DannyGoh68
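Three things stand out in the running-config above before any debugging: the AAA list defined as `aaa authorization network grourauthor local` is referenced by the ISAKMP profile as `isakmp authorization list groupauthor` (a name the config never defines); NAT is applied with `ip nat inside source list 100`, while `route-map vpn-rmap` and the `nat-list` ACL that would exempt LAN-to-192.168.10.0/24 (the VPN pool) traffic from translation are defined but never attached to anything; and the crypto map sits on ATM0 while Vlan1 also carries a public secondary range. The script below is an added example written for this page, not code from the original post. It cross-references definitions and uses in IOS config text and checks which interface owns the address a client dials. `CONFIG` is a trimmed, constructed copy of the posted config, with 203.0.113.2 standing in for the masked ATM0 address. The dialed-address check encodes the usual rule for crypto-map servers, that the peer address is an address of the interface the crypto map is applied to (or an interface named with `crypto map NAME local-address INTERFACE`); that is an assumption about the deployment, not something the thread confirms.

```python
# Added example (not from the original post): cross-reference check for an
# IOS crypto-map Easy VPN server config. CONFIG is a trimmed, constructed copy
# of the posted config; 203.0.113.2 stands in for the masked ATM0 address.
import re
from collections import defaultdict

CONFIG = """\
aaa authentication login userauthen local
aaa authorization network grourauthor local
crypto isakmp client configuration group baurand
 pool vpn-pool
 acl vpn-acl
crypto isakmp profile vpn-profile
   match identity group baurand
   client authentication list userauthen
   isakmp authorization list groupauthor
crypto dynamic-map vpn-dynmap 1
 set isakmp-profile vpn-profile
crypto map vpn-map 1 ipsec-isakmp dynamic vpn-dynmap
interface ATM0
 ip address 203.0.113.2 255.255.255.252
 crypto map vpn-map
interface Vlan1
 ip address 115.42.159.49 255.255.255.240 secondary
 ip address 192.168.1.1 255.255.255.0
ip local pool vpn-pool 192.168.10.100 192.168.10.119
ip nat inside source list 100 interface ATM0 overload
ip access-list extended nat-list
 deny   ip 192.168.1.0 0.0.0.255 192.168.10.0 0.0.0.255
ip access-list extended vpn-acl
 permit ip 192.168.1.0 0.0.0.255 any
access-list 100 permit ip 192.168.1.0 0.0.0.255 any
route-map vpn-rmap permit 1
 match ip address nat-list
"""

# (regex with the name in group 1, kind): what a line defines / what it uses.
DEFINES = [
    (r"^aaa authentication login (\S+)", "login-list"),
    (r"^aaa authorization network (\S+)", "network-authz-list"),
    (r"^crypto isakmp client configuration group (\S+)", "isakmp-group"),
    (r"^crypto isakmp profile (\S+)", "isakmp-profile"),
    (r"^crypto dynamic-map (\S+) \d+", "dynamic-map"),
    (r"^crypto map (\S+) \d+ ipsec-isakmp", "crypto-map"),
    (r"^ip local pool (\S+)", "pool"),
    (r"^ip access-list (?:standard|extended) (\S+)", "acl"),
    (r"^access-list (\d+) ", "acl"),
    (r"^route-map (\S+) ", "route-map"),
]
USES = [
    (r"^\s+client authentication list (\S+)", "login-list"),
    (r"^\s+isakmp authorization list (\S+)", "network-authz-list"),
    (r"^\s+match identity group (\S+)", "isakmp-group"),
    (r"^\s+set isakmp-profile (\S+)", "isakmp-profile"),
    (r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)", "dynamic-map"),
    (r"^\s+crypto map (\S+)\s*$", "crypto-map"),        # interface-level
    (r"^\s+pool (\S+)", "pool"),
    (r"^\s+acl (\S+)", "acl"),
    (r"^\s+match ip address (\S+)", "acl"),
    (r"^ip nat inside source list (\S+)", "acl"),
    (r"^ip nat inside source route-map (\S+)", "route-map"),
]

def collect(config, table):
    """Return {kind: set(names)} for every config line matching a pattern."""
    found = defaultdict(set)
    for line in config.splitlines():
        for pattern, kind in table:
            if m := re.match(pattern, line):
                found[kind].add(m.group(1))
    return found

def crossref(config):
    """(dangling, unused): names used but never defined / defined but unused."""
    defined, used = collect(config, DEFINES), collect(config, USES)
    dangling = sorted((k, n) for k in used for n in used[k] if n not in defined[k])
    unused = sorted((k, n) for k in defined for n in defined[k] if n not in used[k])
    return dangling, unused

def interfaces(config):
    """interface name -> {'addresses': [...], 'crypto_map': name or None}."""
    result, cur = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            cur = line.split()[1]
            result[cur] = {"addresses": [], "crypto_map": None}
        elif cur and line.startswith(" "):          # still inside the interface block
            if m := re.match(r"\s+ip address (\S+) ", line):
                result[cur]["addresses"].append(m.group(1))
            if m := re.match(r"\s+crypto map (\S+)\s*$", line):
                result[cur]["crypto_map"] = m.group(1)
        else:
            cur = None                               # left the interface block
    return result

def dialed_address_check(config, dialed):
    """Interface owning the dialed address, and whether it carries a crypto map."""
    for name, info in interfaces(config).items():
        if dialed in info["addresses"]:
            return name, info["crypto_map"] is not None
    return None, False

if __name__ == "__main__":
    dangling, unused = crossref(CONFIG)
    print("referenced but never defined:", dangling)
    print("defined but never used:", unused)
    print("dialed 115.42.159.49 ->", dialed_address_check(CONFIG, "115.42.159.49"))
```

Run against the sample it reports the dangling `groupauthor` reference, the unused `grourauthor` list and `vpn-rmap` route-map, and that 115.42.159.49 belongs to Vlan1, which carries no crypto map. The group policy (including its pre-shared key) is fetched through the ISAKMP authorization list during Phase 1, so a dangling list name fails before any XAUTH prompt is sent, which matches the "no logon prompt" symptom. On the router itself, `show crypto isakmp sa` and `debug crypto isakmp` during a connection attempt show whether Phase 1 starts at all.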
memo_tnt commented:
Hi,

What error did you get?

Anyway, use the following configuration; it's working fine.

!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group ISS
 key ***************
 dns 192.168.1.1 192.168.1.5
 domain ISS-Group.local
 pool SDM_POOL_1
 acl 105
 netmask 255.255.255.0
crypto isakmp profile sdm-ike-profile-1
   match identity group ISS
   client authentication list sdm_vpn_xauth_ml_1
   isakmp authorization list sdm_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile SDM_Profile1
 set transform-set ESP-3DES-SHA
 set isakmp-profile sdm-ike-profile-1
!



ip local pool SDM_POOL_1 192.168.1.200 192.168.1.240

access-list 105 remark SDM_ACL Category=4
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
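The fragment above names three things it does not show: the two AAA method lists `sdm_vpn_xauth_ml_1` and `sdm_vpn_group_ml_1`, and the `virtual-template 1` interface that `SDM_Profile1` has to be bound to. The lines below complete it as an added example; they are not part of memo_tnt's post and assume local user accounts on the router and Vlan1 as the LAN interface whose address the template borrows.

```cisco
! Added completion of the fragment above (not from the original post).
! Assumes local user accounts and Vlan1 as the LAN interface.
aaa new-model
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization network sdm_vpn_group_ml_1 local
!
! Named by "virtual-template 1" in the ISAKMP profile; each connecting
! client gets a Virtual-Access interface cloned from this template.
interface Virtual-Template1 type tunnel
 ip unnumbered Vlan1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SDM_Profile1
```

With a dynamic virtual-template interface there is no `crypto map` on ATM0 at all: the IPsec SAs live on the Virtual-Access interfaces, and the client dials a public address of the router. `SDM_POOL_1` overlaps the 192.168.1.0/24 LAN, which works because the router installs a host route per client and answers ARP for those addresses on Vlan1 (proxy ARP is on by default), but the pool must stay outside the DHCP scope.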




DannyGoh68 (author) commented:
There is no error, but I am unable to connect, and there is no logon prompt for me to log on.

memo_tnt commented:
Are you using the Cisco VPN Client to connect?
Use my configuration above, or first try changing the VPN ACL to:

ip access-list extended vpn-acl
 permit ip 192.168.1.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any

DannyGoh68 (author) commented:
I have added permit ip 192.168.10.0 0.0.0.255 any to vpn-acl, but the login prompt still doesn't appear.
Should the crypto map vpn-map be configured on ATM0?

memo_tnt commented:
It should be assigned to your WAN interface. Are you trying from outside your network or from inside?
What is this IP?
ip address 115.42.159.49 255.255.255.240 secondary

Do you have internet access?

DannyGoh68 (author) commented:
ip address 115.42.159.49 255.255.255.240 secondary is the public LAN IP range assigned by the service provider.
The ATM0 IP is the provider WAN IP.

memo_tnt commented:
Can you explain step by step how you try to connect to your VPN?

If you also post a screenshot, it would be better.

DannyGoh68 (author) commented:
I am using Cisco VPN Client 4.8 to connect.
(attachment: vpn-client.jpg)

memo_tnt commented:
Hi,

From your picture, you are trying to connect to the IP assigned to your internal interface,
so set the crypto map on that interface, not on the WAN interface:

interface ATM0
 no crypto map vpn-map

interface Vlan1
 crypto map vpn-map

Try now.

DannyGoh68 (author) commented:
The IP on ATM0 is the WAN IP the service provider assigned to our router.
The Vlan1 IP range is the additional public range for our other usage.

I have tried putting the crypto map vpn-map on Vlan1, but with the same result: no response.

memo_tnt commented:
Did you try the sample configuration in my first post above?

DannyGoh68 (author) commented:
I think my issue is that the internet service provider has assigned a WAN IP (ATM0) and a range of public IPs (Vlan1), and I do not know which interface the crypto map should sit on and which one to connect to. I tried both interfaces, but it still does not work. Do you think I need a loopback interface for this?

memo_tnt commented:
Hi,

Please update the status of this issue. Is it solved?

DannyGoh68 (author) commented:
No, it is not solved; I have no choice but to use Windows 2008 RRAS instead.

You may close this question, since no one can help.

Thanks for all the effort.
