Cisco 1841 Site to Site VPN setup

I am setting up my Cisco 1841 router for a site-to-site VPN with another Cisco 1841 router.

I was able to get both online and I am able to ping my routers from both sides. I was able to get the Cisco 1841 at the MAIN OFFICE to set up the Site to Site VPN using the Site to Site VPN Wizard.

On the 1841 from the remote office, when I click the "Launch the selected task" button on the Site to Site wizard, nothing happens!! I used Explorer and Firefox, I disabled pop-up blockers, I installed and reinstalled Cisco SDM, I reset the router and reconfigured... I did everything I can think of. What I want to know is the proper process or COMMANDS I need to configure it MANUALLY via a terminal prompt using the CONSOLE port on the router. I don't know what else to do, guys!! ANY IDEAS???

Enclosed is a pic: dontwork.JPG
jerrygomezdotcom asked:
GuruChiu commented:
Is it possible that your 1841 does not have the security feature set?
Istvan Kalmar (Head of IT Security Division) commented:
Please provide us the 'sh ver' command output.

jerrygomezdotcom (author) commented:
On a side note: if I take the router that does not "work" to the main office and connect it to the MAIN SERVER, it WORKS 100% normally. All the functions work, all buttons click, and pop-up wizards or windows for additional configuration come up........ I tried 6 computers, Vista and XP with fresh Java installs for the SDM, and all of them fail. I need to configure this router badly. I can log into the SDM no problem on all computers.. I just don't have full SDM functionality.... I click the Configure WIZARD button in VPN setup and nothing happens!! WAAAAAAAA!!!! I click on the EDIT settings button on the ETHERNET ports and NOTHING HAPPENS... I click on the "ADDITIONAL TASKS" button and nothing happens.... Again, if I take this router and connect it to the server I used to configure the other router, it works fine...??


This is the "SH VER" output:

Cisco IOS Software, 1841 Software (C1841-ADVIPSERVICESK9-M), Version 12.4(15)T12, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2010 by Cisco Systems, Inc.
Compiled Fri 22-Jan-10 00:41 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

yourname uptime is 1 hour, 7 minutes
System returned to ROM by power-on
System image file is "flash:c1841-advipservicesk9-mz.124-15.T12.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 1841 (revision 7.0) with 236544K/25600K bytes of memory.
Processor board ID FTX140880WK
2 FastEthernet interfaces
2 Virtual Private Network (VPN) Modules
DRAM configuration is 64 bits wide with parity disabled.
191K bytes of NVRAM.
62720K bytes of ATA CompactFlash (Read/Write)

Configuration register is 0x2102
Istvan Kalmar (Head of IT Security Division) commented:
rommon 1 > confreg 0x2102

You must reset or power cycle for new config to take effect

rommon 2 > reset
Istvan Kalmar (Head of IT Security Division) commented:
Sorry, the upper lines were for another topic....
jerrygomezdotcom (author) commented:
IKALMAR??? "sorry the upper lines for other topic...." What does that mean?
jerrygomezdotcom (author) commented:
rommon 1 > confreg 0x2102

You must reset or power cycle for new config to take effect

rommon 2 > reset


What is ROMMON??? Do you want me to run this on my router through the terminal??
Istvan Kalmar (Head of IT Security Division) commented:
Forget these comments; I pasted them accidentally.
Istvan Kalmar (Head of IT Security Division) commented:
Are you able to configure the router via console, SSH or telnet?
jerrygomezdotcom (author) commented:
Yes, I can access it VIA TELNET... but I'm not sure about the commands....
GuruChiu commented:
Please telnet to the remote router and post the output of
show run
Istvan Kalmar (Head of IT Security Division) commented:
And please provide us the details about the VPN.
jerrygomezdotcom (author) commented:
THIS IS THE "Show Run" of my MAIN Router, which is configured already and waiting.

I hope it is configured right..... Below I have the other router's config...


Cisco1#show run
Building configuration...

Current configuration : 7149 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$B1En$osbFKO3sfbDbTqfEi9J/i.
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-954786030
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-954786030
 revocation-check none
 rsakeypair TP-self-signed-954786030
!
!
crypto pki certificate chain TP-self-signed-954786030
 certificate self-signed 01
  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39353437 38363033 30301E17 0D313030 33323630 31323234
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3935 34373836
  30333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B2D65C07 CC747E5F 7188B385 EC32FAF6 720DEE69 4A877346 089BAF25 BE636AAB
  31E1CFEB BE86FDAC 86EE5744 876CA651 18534789 D61F42A8 ED849625 D332DECE
  99E1B24C 0C7BE2A2 FCAF99B6 349CBD09 F97CC756 1275AEB1 F446147B 3F2D741B
  4C29958C 407D866E C14E21AE 97293B2C 20CCD806 775E4D13 9F47DB81 96DFEC4D
  02030100 01A37E30 7C300F06 03551D13 0101FF04 05300301 01FF3029 0603551D
  11042230 20821E43 6973636F 312E6B61 77656168 636F6E74 61696E65 72696E2E
  6C6F6361 6C301F06 03551D23 04183016 80146003 3B5C9C9E DBB4C724 DFEE10C1
  AE9479ED 9D87301D 0603551D 0E041604 1460033B 5C9C9EDB B4C724DF EE10C1AE
  9479ED9D 87300D06 092A8648 86F70D01 01040500 03818100 46705D2C 8B6B835E
  AEA28574 447841D4 3763A0A2 B96EE14F 6F95A108 1C112FB1 EBDC5E85 9B2FB005
  24740277 42E602CA 4BFA1447 1170ADB6 D1789851 A6A582F9 0A87A7F1 2FCB24E2
  CA1B6A25 0B4CAC00 A1738ABE 55194E06 FDC9C8C6 288A97F7 604A245C EAD525F6
  68139475 70F62178 80BE50DA D929E443 AF784111 AAC76EDC
        quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.24
ip dhcp excluded-address 192.168.1.51 192.168.1.254
!
ip dhcp pool ciscodhcp
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 68.94.156.1 68.94.157.1
   default-router 192.168.1.150
!
!
no ip bootp server
ip domain name kaweahcontainerin.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
!
multilink bundle-name authenticated
!
!
username administrator privilege 15 secret 5 $1$7fv3$eYlFxDKe6hNL3gV1TNgTp.
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key k13291c address 64.203.120.36
!        
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to64.203.120.36
 set peer 64.203.120.36
 set transform-set ESP-3DES-SHA3
 match address 104
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!        
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_OUTSIDE$$ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.150 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username kwcontainer@sbcglobal.net password 7 00170714505D5E01
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.1.0 0.0.0.255 64.203.120.32 0.0.0.15
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 64.203.120.32 0.0.0.15
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
ntp authentication-key 123654 md5 123654 0
ntp authenticate
ntp trusted-key 123654
ntp update-calendar
ntp server 76.240.232.214 key 123654 source FastEthernet0/0
end

ROUTER #2 (the one I am having trouble with)

yourname#show run
Building configuration...

Current configuration : 9750 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$geKq$C/zBFZNpDasKc4kCLlxB20
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1280786440
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1280786440
 revocation-check none
 rsakeypair TP-self-signed-1280786440
!
!
crypto pki certificate chain TP-self-signed-1280786440
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31323830 37383634 3430301E 170D3130 30343035 32323032
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32383037
  38363434 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100F941 A0FEFE74 011960B1 77BF83B7 9BFFD0EE 3B455E7B 8357ADB0 45A1002C
  65842028 5BEA3167 7A53FCAA 724B7D51 D8703406 4ACAC02F 7B65D336 B03B600D
  729FA60D 2569ED86 685B6C51 3A8064E1 B11B32EE 95FD2097 7F23C37F 4CD1762C
  ABC936BC 8FB40AF8 345EC65E 0FB81F54 42C72817 1CCAF643 AD5E58B3 3B1C5542
  493D0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14780DA0 457BAAB1 79C5CE8C CA295842 25F975BC
  05301D06 03551D0E 04160414 780DA045 7BAAB179 C5CE8CCA 29584225 F975BC05
  300D0609 2A864886 F70D0101 04050003 81810049 BDE745D5 F260A248 F654C313
  D11C4A4D D105C5A7 381943F7 DAC2629F 5FA0D430 B70DE27E 9FB196E6 1DFC9FCC
  E4B8183A ECCD7A82 A0E2D91D 9CE681CA 513EE2BD 76EAA8BB 1E238907 1D04E276
  E7C6716F 3D4E52F4 90405927 B2EC0116 4E1563D7 A9A1C66F 4AF01B3B 82E22B6C
  CDCF1A3B F50265B8 6B16C887 D9DB684C 39E346
        quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.24
ip dhcp excluded-address 192.168.1.76 192.168.1.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 64.192.0.10 64.192.0.11
   default-router 192.168.1.225
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 64.192.0.10
ip name-server 64.192.0.11
!
multilink bundle-name authenticated
!
!
username administrator privilege 15 secret 5 $1$/yBD$XuDoXGIqZrKp1YUzCqyhC.
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key k13291c address 76.240.232.214
!        
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to76.240.232.214
 set peer 76.240.232.214
 set transform-set ESP-3DES-SHA1
 match address 105
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 106
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!        
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class class-default
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_WAN$$FW_OUTSIDE$
 ip address 64.203.120.36 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.225 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=16
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 64.203.120.32 0.0.0.15 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 76.240.232.214 any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 76.240.232.208 0.0.0.15
access-list 104 remark CCP_ACL Category=2
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 76.240.232.208 0.0.0.15
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 76.240.232.208 0.0.0.15 192.168.1.0 0.0.0.255
no cdp run
!        
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
end


ALSO, when I create the tunnels using the wizard, in the TRAFFIC TO ENCRYPT section of the wizard, I select the LAN Ethernet port 0/1 where the traffic "originates" from, and on DESTINATION, where encrypted traffic terminates, I input the remote peer IP address... is that correct? Or should I input something else on DESTINATION, e.g. the Ethernet 0/1 address or my static IP on the WAN? PLZ let me know what you find....


vpnsetup.JPG
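The two questions in the thread so far, how to build the tunnel from the CLI instead of the wizard, and what belongs in the wizard's "destination" field, both come down to the crypto ACL. It must describe the LAN-to-LAN traffic that should be encrypted, never the path to the peer's WAN address. In the posted configs the wizard-generated ACL 104 on Cisco1 permits 192.168.1.0/24 to 64.203.120.32/28 (the remote router's WAN block) and ACL 105 on yourname permits 192.168.1.0/24 to 76.240.232.208/28, and both sites use 192.168.1.0/24, which no crypto ACL can keep apart. The manual process is five pieces per router: an ISAKMP policy plus pre-shared key for the peer, an IPsec transform set, the crypto ACL, a NAT exemption for the same traffic, and a crypto map bound to the WAN interface. What follows is an added example, not the thread's own configuration or SDM output. It assumes the remote LAN is renumbered to 192.168.2.0/24, reuses the peer addresses already in the thread (main office 76.240.232.214 on Dialer1, remote 64.203.120.36 on FastEthernet0/0), picks AES-256 because the ADVIPSERVICESK9 image and the onboard VPN modules support it, and uses a placeholder pre-shared key; the key pasted in cleartext in the configs above should be rotated. Enter each section in configuration mode on the router named in its header.

```ios
! ===== MAIN OFFICE, Cisco1: WAN = Dialer1 (PPPoE, 76.240.232.214), LAN = 192.168.1.0/24 =====
! Phase 1 (ISAKMP). The wizard used 3DES; AES-256 is available on this image.
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
!
! <PSK> is a placeholder: use a long random value, identical on both routers.
crypto isakmp key <PSK> address 64.203.120.36
!
! Phase 2 (IPsec) transform set.
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
!
! "Interesting" traffic: local LAN to remote LAN. This is what the wizard's
! source/destination fields must describe, not the peer's WAN address.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT exemption: the same flows must bypass PAT, or their source becomes the WAN
! address and they never match VPN-TRAFFIC. Replaces the SDM route-map/ACL 101;
! IOS asks whether to delete existing dynamic translations, answer yes.
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
no ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
ip nat inside source list NAT-TRAFFIC interface Dialer1 overload
!
! Crypto map: peer, transform set, PFS, and the ACL that selects traffic.
crypto map VPN-MAP 10 ipsec-isakmp
 description Tunnel to remote office
 set peer 64.203.120.36
 set transform-set AES256-SHA
 set pfs group2
 match address VPN-TRAFFIC
!
! One crypto map per interface: remove the wizard's map before applying this one.
interface Dialer1
 no crypto map SDM_CMAP_1
 crypto map VPN-MAP
!
! ===== REMOTE OFFICE, yourname: WAN = FastEthernet0/0 (64.203.120.36), LAN = 192.168.2.0/24 (assumed) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key <PSK> address 76.240.232.214
crypto ipsec transform-set AES256-SHA esp-aes 256 esp-sha-hmac
! Mirror image of the main office ACL: source and destination swapped.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
ip access-list extended NAT-TRAFFIC
 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 192.168.2.0 0.0.0.255 any
no ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
ip nat inside source list NAT-TRAFFIC interface FastEthernet0/0 overload
crypto map VPN-MAP 10 ipsec-isakmp
 description Tunnel to main office
 set peer 76.240.232.214
 set transform-set AES256-SHA
 set pfs group2
 match address VPN-TRAFFIC
interface FastEthernet0/0
 no crypto map SDM_CMAP_1
 crypto map VPN-MAP
!
! The renumbering also moves the inside interface; the DHCP pool ccp-pool1 and
! firewall ACLs 103/106 on yourname need the same change (see note below).
interface FastEthernet0/1
 ip address 192.168.2.225 255.255.255.0
!
! ===== Verification (exec mode, either router), after a LAN host pings across =====
! show crypto isakmp sa   -> one entry for the peer in state QM_IDLE
! show crypto ipsec sa    -> #pkts encaps and #pkts decaps both increasing
! show crypto map         -> confirms peer, ACL and interface binding
! debug crypto isakmp     -> only while troubleshooting; "undebug all" afterwards
```

Both sides have to be exact mirrors (same policy, same transform set, crypto ACLs that are the reverse of each other); there is no separate mirror file to generate, the second router's section above is that mirror. Two caveats from the posted configs: the zone-based firewall on yourname inspects decrypted traffic from out-zone to in-zone through ACLs 103 and 106, which still name 192.168.1.0/24 as the inside network and must permit 192.168.1.0/24 to 192.168.2.0/24 or connections started from the main office will be dropped at the zone boundary; and Dialer1 on Cisco1 has a negotiated address, so if 76.240.232.214 is not fixed by the provider, "set peer" on the remote side stops matching when it changes.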
GuruChiu commented:
In both routers you have an access-class 23 but never define ACL 23.

Please apply this command in both routers:

no ip http access-class 23
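The undefined ACL 23 above is worth defining rather than removing. An access-class that points at an ACL with no entries places no restriction on who may connect, and both posted configs run ip http server, ip http secure-server and telnet/SSH on the vty lines; Cisco1 has no inbound filter at all on Dialer1, and on yourname the SDM-generated zone policy is the only thing in front of the management plane. The following is an added example, not part of the thread, that keeps the restriction and limits management to the inside network. It assumes 192.168.1.0/24 is the LAN of the router it is applied to (renumber if the remote LAN changes) and that SSH from the LAN has been tested before telnet is dropped.

```ios
! Apply on both routers. Defines the ACL that "ip http access-class 23" referenced
! but the wizard never created. 192.168.1.0/24 is the inside network in both posted
! configs; change it on a router whose LAN is renumbered.
access-list 23 remark MGMT-ACCESS - management from the LAN only
access-list 23 permit 192.168.1.0 0.0.0.255
!
! Web UI (SDM/CCP) restricted to the LAN; now that the ACL exists the restriction is real.
ip http access-class 23
!
! Same restriction on all vty lines, SSH only. The thread currently manages the router
! over telnet, which carries the privilege-15 password in clear across the WAN.
line vty 0 15
 access-class 23 in
 transport input ssh
!
! Checks (exec mode): the ACL is non-empty and bound
! show ip access-lists 23
! show ip http server status
! show running-config | begin line vty
```

The console and aux lines keep login local as they are. If SDM on the client machine is configured for plain HTTP, it still works from the LAN with this in place; it is only the WAN side that is closed.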
jerrygomezdotcom (author) commented:
OK, I am adding that as I type... brb, I will post new configs....

jerrygomezdotcom (author) commented:
This is the NEW config for MAIN Router



Cisco1#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco1(config)#no ip http access-class 23
Cisco1(config)#exit
Cisco1#show run
Building configuration...

Current configuration : 7125 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Cisco1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$B1En$osbFKO3sfbDbTqfEi9J/i.
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-954786030
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-954786030
 revocation-check none
 rsakeypair TP-self-signed-954786030
!
!
crypto pki certificate chain TP-self-signed-954786030
 certificate self-signed 01
  30820254 308201BD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 39353437 38363033 30301E17 0D313030 33323630 31323234
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3935 34373836
  30333030 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
  B2D65C07 CC747E5F 7188B385 EC32FAF6 720DEE69 4A877346 089BAF25 BE636AAB
  31E1CFEB BE86FDAC 86EE5744 876CA651 18534789 D61F42A8 ED849625 D332DECE
  99E1B24C 0C7BE2A2 FCAF99B6 349CBD09 F97CC756 1275AEB1 F446147B 3F2D741B
  4C29958C 407D866E C14E21AE 97293B2C 20CCD806 775E4D13 9F47DB81 96DFEC4D
  02030100 01A37E30 7C300F06 03551D13 0101FF04 05300301 01FF3029 0603551D
  11042230 20821E43 6973636F 312E6B61 77656168 636F6E74 61696E65 72696E2E
  6C6F6361 6C301F06 03551D23 04183016 80146003 3B5C9C9E DBB4C724 DFEE10C1
  AE9479ED 9D87301D 0603551D 0E041604 1460033B 5C9C9EDB B4C724DF EE10C1AE
  9479ED9D 87300D06 092A8648 86F70D01 01040500 03818100 46705D2C 8B6B835E
  AEA28574 447841D4 3763A0A2 B96EE14F 6F95A108 1C112FB1 EBDC5E85 9B2FB005
  24740277 42E602CA 4BFA1447 1170ADB6 D1789851 A6A582F9 0A87A7F1 2FCB24E2
  CA1B6A25 0B4CAC00 A1738ABE 55194E06 FDC9C8C6 288A97F7 604A245C EAD525F6
  68139475 70F62178 80BE50DA D929E443 AF784111 AAC76EDC
        quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.24
ip dhcp excluded-address 192.168.1.51 192.168.1.254
!
ip dhcp pool ciscodhcp
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 68.94.156.1 68.94.157.1
   default-router 192.168.1.150
!
!
no ip bootp server
ip domain name kaweahcontainerin.local
ip name-server 68.94.156.1
ip name-server 68.94.157.1
!
multilink bundle-name authenticated
!
!
username administrator privilege 15 secret 5 $1$7fv3$eYlFxDKe6hNL3gV1TNgTp.
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key k13291c address 64.203.120.36
!        
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to64.203.120.36
 set peer 64.203.120.36
 set transform-set ESP-3DES-SHA3
 match address 104
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!        
interface FastEthernet0/0
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_OUTSIDE$$ETH-WAN$
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
 no mop enabled
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.150 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 duplex auto
 speed auto
 no mop enabled
!
interface Dialer1
 ip address negotiated
 ip mtu 1452
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp pap sent-username kwcontainer@sbcglobal.net password 7 00170714505D5E01
 crypto map SDM_CMAP_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface Dialer1 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=2
access-list 101 remark IPSec Rule
access-list 101 deny   ip 192.168.1.0 0.0.0.255 64.203.120.32 0.0.0.15
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 remark SDM_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 103 remark SDM_ACL Category=4
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=4
access-list 104 remark IPSec Rule
access-list 104 permit ip 192.168.1.0 0.0.0.255 64.203.120.32 0.0.0.15
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
ntp authentication-key 123654 md5 123654 0
ntp authenticate
ntp trusted-key 123654
ntp update-calendar
ntp server 76.240.232.214 key 123654 source FastEthernet0/0
end



I am doing the same to the other router as I write this...
jerrygomezdotcom (author) commented:
Router #2 (I AM configuring both of these on the SAME computer... It's the only one that connects to both of them with NO problems. After I am done configuring these and I am reasonably sure they are correct and configured properly, I will take ROUTER #2 to the remote office 15 miles away, connect and CROSS my fingers....) Now concerning VPN, I configured them BOTH using the VPN SITE to SITE wizard independently. I don't have to GENERATE a MIRROR config file to copy to one after I set up the other, do I? I just did both of them using the wizard....)




yourname#config t
Enter configuration commands, one per line.  End with CNTL/Z.
yourname(config)#no ip http access-class 23
yourname(config)#ecit
                  ^
% Invalid input detected at '^' marker.

yourname(config)#exit
yourname#show run
Building configuration...

Current configuration : 9726 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200
logging console critical
enable secret 5 $1$geKq$C/zBFZNpDasKc4kCLlxB20
!
no aaa new-model
clock timezone PCTime -8
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
!
crypto pki trustpoint TP-self-signed-1280786440
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1280786440
 revocation-check none
 rsakeypair TP-self-signed-1280786440
!
!
crypto pki certificate chain TP-self-signed-1280786440
 certificate self-signed 01
  3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31323830 37383634 3430301E 170D3130 30343035 32323032
  35315A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 32383037
  38363434 3030819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  8100F941 A0FEFE74 011960B1 77BF83B7 9BFFD0EE 3B455E7B 8357ADB0 45A1002C
  65842028 5BEA3167 7A53FCAA 724B7D51 D8703406 4ACAC02F 7B65D336 B03B600D
  729FA60D 2569ED86 685B6C51 3A8064E1 B11B32EE 95FD2097 7F23C37F 4CD1762C
  ABC936BC 8FB40AF8 345EC65E 0FB81F54 42C72817 1CCAF643 AD5E58B3 3B1C5542
  493D0203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
  551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
  301F0603 551D2304 18301680 14780DA0 457BAAB1 79C5CE8C CA295842 25F975BC
  05301D06 03551D0E 04160414 780DA045 7BAAB179 C5CE8CCA 29584225 F975BC05
  300D0609 2A864886 F70D0101 04050003 81810049 BDE745D5 F260A248 F654C313
  D11C4A4D D105C5A7 381943F7 DAC2629F 5FA0D430 B70DE27E 9FB196E6 1DFC9FCC
  E4B8183A ECCD7A82 A0E2D91D 9CE681CA 513EE2BD 76EAA8BB 1E238907 1D04E276
  E7C6716F 3D4E52F4 90405927 B2EC0116 4E1563D7 A9A1C66F 4AF01B3B 82E22B6C
  CDCF1A3B F50265B8 6B16C887 D9DB684C 39E346
        quit
dot11 syslog
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.1 192.168.1.24
ip dhcp excluded-address 192.168.1.76 192.168.1.254
!
ip dhcp pool ccp-pool1
   import all
   network 192.168.1.0 255.255.255.0
   dns-server 64.192.0.10 64.192.0.11
   default-router 192.168.1.225
!
!
no ip bootp server
ip domain name yourdomain.com
ip name-server 64.192.0.10
ip name-server 64.192.0.11
!
multilink bundle-name authenticated
!
!
username administrator privilege 15 secret 5 $1$/yBD$XuDoXGIqZrKp1YUzCqyhC.
!
!
crypto isakmp policy 1
 encr 3des
 group 2
!
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key k13291c address 76.240.232.214
!        
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to76.240.232.214
 set peer 76.240.232.214
 set transform-set ESP-3DES-SHA1
 match address 105
!
archive
 log config
  hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
class-map type inspect match-all sdm-cls-VPNOutsideToInside-1
 match access-group 103
class-map type inspect match-all sdm-cls-VPNOutsideToInside-2
 match access-group 106
class-map type inspect match-any SDM_AH
 match access-group name SDM_AH
class-map type inspect match-any SDM_ESP
 match access-group name SDM_ESP
class-map type inspect match-any SDM_VPN_TRAFFIC
 match protocol isakmp
 match protocol ipsec-msft
 match class-map SDM_AH
 match class-map SDM_ESP
class-map type inspect match-all SDM_VPN_PT
 match access-group 102
 match class-map SDM_VPN_TRAFFIC
class-map type inspect match-any ccp-cls-insp-traffic
 match protocol cuseeme
 match protocol dns
 match protocol ftp
 match protocol h323
 match protocol https
 match protocol icmp
 match protocol imap
 match protocol pop3
 match protocol netshow
 match protocol shell
 match protocol realmedia
 match protocol rtsp
 match protocol smtp extended
 match protocol sql-net
 match protocol streamworks
 match protocol tftp
 match protocol vdolive
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-insp-traffic
 match class-map ccp-cls-insp-traffic
class-map type inspect match-any ccp-cls-icmp-access
 match protocol icmp
 match protocol tcp
 match protocol udp
class-map type inspect match-all ccp-invalid-src
 match access-group 100
class-map type inspect match-all ccp-icmp-access
 match class-map ccp-cls-icmp-access
class-map type inspect match-all ccp-protocol-http
 match protocol http
!
!        
policy-map type inspect ccp-permit-icmpreply
 class type inspect ccp-icmp-access
  inspect
 class class-default
  pass
policy-map type inspect sdm-pol-VPNOutsideToInside-1
 class type inspect sdm-cls-VPNOutsideToInside-1
  inspect
 class type inspect sdm-cls-VPNOutsideToInside-2
  inspect
 class class-default
policy-map type inspect ccp-inspect
 class type inspect ccp-invalid-src
  drop log
 class type inspect ccp-protocol-http
  inspect
 class type inspect ccp-insp-traffic
  inspect
 class class-default
policy-map type inspect ccp-permit
 class type inspect SDM_VPN_PT
  pass
 class class-default
!
zone security out-zone
zone security in-zone
zone-pair security ccp-zp-self-out source self destination out-zone
 service-policy type inspect ccp-permit-icmpreply
zone-pair security ccp-zp-in-out source in-zone destination out-zone
 service-policy type inspect ccp-inspect
zone-pair security ccp-zp-out-self source out-zone destination self
 service-policy type inspect ccp-permit
zone-pair security sdm-zp-VPNOutsideToInside-1 source out-zone destination in-zone
 service-policy type inspect sdm-pol-VPNOutsideToInside-1
!
!
!
interface FastEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$ES_WAN$$FW_OUTSIDE$
 ip address 64.203.120.36 255.255.255.240
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 zone-member security out-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
 crypto map SDM_CMAP_1
!
interface FastEthernet0/1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.1.225 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 zone-member security in-zone
 ip route-cache flow
 duplex auto
 speed auto
 no mop enabled
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
ip access-list extended SDM_AH
 remark SDM_ACL Category=1
 permit ahp any any
ip access-list extended SDM_ESP
 remark SDM_ACL Category=1
 permit esp any any
!
logging trap debugging
access-list 1 remark INSIDE_IF=FastEthernet0/1
access-list 1 remark SDM_ACL Category=16
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 remark CCP_ACL Category=128
access-list 100 permit ip host 255.255.255.255 any
access-list 100 permit ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip 64.203.120.32 0.0.0.15 any
access-list 101 remark SDM_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 remark SDM_ACL Category=128
access-list 102 permit ip host 76.240.232.214 any
access-list 103 remark SDM_ACL Category=0
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 remark SDM_ACL Category=2
access-list 104 remark IPSec Rule
access-list 104 deny   ip 192.168.1.0 0.0.0.255 76.240.232.208 0.0.0.15
access-list 104 remark CCP_ACL Category=2
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
access-list 105 remark SDM_ACL Category=4
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 76.240.232.208 0.0.0.15
access-list 106 remark SDM_ACL Category=0
access-list 106 remark IPSec Rule
access-list 106 permit ip 76.240.232.208 0.0.0.15 192.168.1.0 0.0.0.255
no cdp run
!
!        
!
route-map SDM_RMAP_1 permit 1
 match ip address 104
!
!
!
!
control-plane
!
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------
 
Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.
 
It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.
 
username <myuser> privilege 15 secret 0 <mypassword>
 
Replace <myuser> and <mypassword> with the username and password you want to
use.
 
-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 login local
 transport output telnet
line aux 0
 login local
 transport output telnet
line vty 0 4
 privilege level 15
 login local
 transport input telnet ssh
line vty 5 15
 privilege level 15
 login local
 transport input telnet ssh
!
scheduler allocate 4000 1000
end

yourname#
0
GuruChiuCommented:
Can you work on the remote router using SDM now?
0
jerrygomezdotcomAuthor Commented:
YES I can work on the remote router using SDM, because I have it here with me at the MAIN office site.  It works NORMAL here.  That's why I am here at the main office.  I am hoping if you guys help me as I go, I can configure it while I am here, then go to the remote office and connect it.  Please help me!! Thanks a bunch!!

What do you want me to do?  Let me know STAT!! Thanks
0
GuruChiuCommented:
Another problem you have is both router 1 and router 2 are on the same 192.168.1.0/24 subnet. You need to give a different subnet for your router #2.

You configure the routers independently. Make sure you understand the source and destination address patterns, as those will be exactly opposite for the two routers:

Assuming your main office is 192.168.1.0/24 and your remote office is 192.168.2.0/24, the source for router 1 is 192.168.1.0/24 and destination is 192.168.2.0/24. For router 2, the source is 192.168.2.0/24 and destination is 192.168.1.0/24.

0
jerrygomezdotcomAuthor Commented:
is the access-class 23 configured right now?
0
jerrygomezdotcomAuthor Commented:
omg, thanks for the SOURCE and destination part.. I am fixing that right now..

what else?
0
jerrygomezdotcomAuthor Commented:
so you want me to put the ROUTER #2 LAN side on 192.168.2.0 etc... and keep Router #1 on 192.168.1.0 etc... correct?
0
GuruChiuCommented:
I just realized that you have both routers at main office. Obviously by changing the subnet on router2, you will also need to change the DHCP settings (pool and exclude) on router 2, as well as the interface IP address. Once it is done, confirm router 2 is working by connecting it to a switch and connect a PC to the same switch. The PC should get an IP address in the subnet 192.168.2.0/24.

Once this is successful, bring it to the remote site and install it there. At the remote site, you should be able to ping both routers, telnet to both routers, and use SDM to manage both routers. Then you can work on the VPN.

0
GuruChiuCommented:
You don't need to configure ACL 23 for now. You just remove it so that you can manage both routers at either location. There is a security implication, but a very minor one. You can leave it this way without ACL 23 to make your life simple until you fully comprehend how these things work.

Unless you have another plan, put the ROUTER #2 LAN side on 192.168.2.0 and keep Router #1 on 192.168.1.0. Please post your final configuration when you are done to make sure you didn't miss anything.

 
0

jerrygomezdotcomAuthor Commented:
Guru, you are a godsend, bro. Thanks so much... I ask that you kindly keep an eye on this QUESTION during the day to help me out, man.  I know exactly how to change the IP to the new one as well as DHCP.  I will do so, post new configs up and go to the remote office.  It just sucks that I don't have a PC that can run SDM properly over there...  I do have SecureCRT to log in to the router via the blue console cable to run commands... so if I can do that it would be awesome with your assistance...

Ok, I am making the changes to Router#2 now, i will post the config in a few mins...
0
jerrygomezdotcomAuthor Commented:
how do I remove the ACL 23?  what is the command?  I am about to save the settings on ROUTER#2....
0
jerrygomezdotcomAuthor Commented:
Guru, if you help me get this up and running today, I am a man of my word... I will pay you or buy you dinner.... whichever.... Thanks man... email me if you want personal info or my cell # ??  gomezpcs@yahoo.com  I don't want to post my cell # on here
0
jerrygomezdotcomAuthor Commented:
It's cool if you just want to help me on here only... No problem....
0
GuruChiuCommented:
Sorry, I was in a meeting until now.

You don't have to remove ACL 23; you actually do not have it. The problem is you are still referring to it, and that's why I asked you to remove those references.

When you are done, post the config one more time and I will proofread it.
0
jerrygomezdotcomAuthor Commented:
I am having trouble with the STUPID router #2 at the remote site.. I can only access it via terminal and make changes via commands.... uggh..... I SUCK big time.... I don't know all the commands to do it manually.....  I think I need to just RESTORE the darn router to defaults and rebuild this one from scratch....

Router #1 is fine, I also can log into via SDM from the Remote Site...
0
jerrygomezdotcomAuthor Commented:
I think I'm going to go BACK to the main site now, NUKE this router and rebuild it.... brb
0
GuruChiuCommented:
Don't give up so early yet. If you want, I can remote into it and take a look. I will send you an email to contact me by phone.
0
jerrygomezdotcomAuthor Commented:
ok
0
Istvan KalmarHead of IT Security Division Commented:
Why do you configure the VPN for a PUBLIC IP?

access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 76.240.232.208 0.0.0.15
0
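The two corrections raised in this thread (GuruChiu's: the two LANs need different subnets and the crypto ACLs on each router are exact mirrors of each other; Istvan's: ACL 105 must not name the peer's public 76.240.232.208/28 as the protected network) written out as the console commands for both routers, since the original question asked for the manual commands. This is an added example, not a config posted by any participant. It assumes router #1 (main office) is the peer 76.240.232.214 named in the posted router #2 config and keeps 192.168.1.0/24, that router #2 moves to 192.168.2.0/24 as GuruChiu suggested, and that <new-psk> is a placeholder for a fresh pre-shared key (the key k13291c in the posted config is now public and should be replaced on both sides). The object names (SDM_CMAP_1, SDM_RMAP_1, ESP-3DES-SHA1, ACLs 102 to 105) are the ones the wizard created in the posted router #2 config, so the new lines overwrite the wizard's rather than adding parallel objects.

```cisco
!======== Router #1 (main office): WAN 76.240.232.214, LAN 192.168.1.0/24 ========
configure terminal
! Phase 1: must match router #2 exactly (3DES, pre-shared key, DH group 2)
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <new-psk> address 64.203.120.36
! Phase 2
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
! Crypto ACL: local LAN -> remote LAN, both private (never the peer's public /28)
no access-list 105
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! NAT exemption: the deny must come before the permit, otherwise PAT rewrites the
! source address before the crypto map sees the packet and ACL 105 never matches
no access-list 104
access-list 104 remark NAT exemption for the tunnel, then PAT everything else
access-list 104 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
route-map SDM_RMAP_1 permit 1
 match ip address 104
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0/0 overload
!
! Zone-based firewall: let ISAKMP/ESP from the peer reach the router itself
no access-list 102
access-list 102 permit ip host 64.203.120.36 any
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 64.203.120.36
 set peer 64.203.120.36
 set transform-set ESP-3DES-SHA1
 match address 105
interface FastEthernet0/0
 crypto map SDM_CMAP_1
end
write memory

!======== Router #2 (remote office): WAN 64.203.120.36, LAN 192.168.2.0/24 ========
configure terminal
! 1. Readdress the LAN (do this on the console: a session through Fa0/1 drops here)
interface FastEthernet0/1
 ip address 192.168.2.225 255.255.255.0
no ip dhcp pool ccp-pool1
no ip dhcp excluded-address 192.168.1.1 192.168.1.24
no ip dhcp excluded-address 192.168.1.76 192.168.1.254
ip dhcp excluded-address 192.168.2.1 192.168.2.24
ip dhcp excluded-address 192.168.2.76 192.168.2.254
ip dhcp pool ccp-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 64.192.0.10 64.192.0.11
   default-router 192.168.2.225
!
! 2. Same phase 1 / phase 2 parameters; the peer is router #1's WAN address
crypto isakmp policy 2
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key <new-psk> address 76.240.232.214
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
!
! 3. Exact mirror of router #1: every source/destination pair is swapped
no access-list 105
access-list 105 remark IPSec Rule
access-list 105 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
no access-list 104
access-list 104 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 104 permit ip 192.168.2.0 0.0.0.255 any
! Firewall class for decrypted traffic (out-zone -> in-zone): it arrives FROM the
! main LAN. ACL 106 (public /28 as source) matches nothing once this is in place.
no access-list 103
access-list 103 remark IPSec Rule
access-list 103 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map SDM_CMAP_1 1 ipsec-isakmp
 description Tunnel to 76.240.232.214
 set peer 76.240.232.214
 set transform-set ESP-3DES-SHA1
 match address 105
interface FastEthernet0/0
 crypto map SDM_CMAP_1
end
write memory
```

Once both sides are saved, a ping sourced from a LAN interface (for example, from router #1: `ping 192.168.2.225 source FastEthernet0/1`) is what triggers the tunnel, since the crypto map only negotiates when traffic matches ACL 105. `show crypto isakmp sa` should then list the peer in state QM_IDLE, and `show crypto ipsec sa` should show both the #pkts encaps and #pkts decaps counters rising. Encaps climbing while decaps stays at zero usually means the two crypto ACLs are not exact mirrors, which is the error Istvan pointed at; `show access-lists 104` shows whether the NAT exemption deny line is being hit, and `debug crypto isakmp` on the console prints the proposal mismatch if phase 1 never completes.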
jerrygomezdotcomAuthor Commented:
I don't know what I'm doing, that's why... I need your expert help...
0
jerrygomezdotcomAuthor Commented:
Thanks GuruChiu!!
0