Solved

Cisco 877 VPN

Posted on 2010-08-24
Last Modified: 2012-05-10
Hi all,

I have 2 Cisco routers:

1. Cisco 837 Series
2. Cisco 877 Series

Currently Cisco 837 is in production working ok with ipsec VPN tunnel back to Head Office.

I want to replace the 837 with the 877, but when I change routers I can browse the internet but there is no VPN tunnel.

Attached is the config for the 837, which is working fine:



Building configuration...

Current configuration : 5650 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname TA-LouisVuitton
!
enable secret 5 $1$N2bB$GJVEdUVIm6ba.uaO5SJdQ/
!
username securecom password 7 09194B0A0C1742585A

clock timezone nzst 12
clock summer-time +1300 recurring 1 Sun Oct 2:00 2 Sun Mar 3:00
aaa new-model
!
!
aaa session-id common
ip subnet-zero
no ip source-route
no ip domain lookup
ip domain name rugby11.com
ip name-server 202.27.184.3
ip name-server 202.27.184.5
!
!
no ip bootp server
ip cef
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp
ip inspect name CBACFilter udp
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key 0 mysecret address 203.97.x.x
crypto isakmp identity hostname
!
!
crypto ipsec transform-set sharks esp-des esp-md5-hmac
!
crypto map nolan 11 ipsec-isakmp
 set peer 203.97.x.x
 set transform-set sharks
 match address TAVPN
!
!
!
!
interface Ethernet0
 description Connection to LAN
 ip address 192.168.1.254 255.255.255.0
 ip access-group InternetOutbound in
 ip nat inside
 ip inspect CBACFilter out
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 dsl power-cutback 30
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer0
 description ADSL connection to the Internet via Xtra
 ip address negotiated previous
 ip access-group InternetInbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip inspect CBACFilter out
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xadsl@xtra.co.nz password 7 0835594B1A1D040E42
 ppp ipcp dns accept
 crypto map nolan
!
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.1.2 22 interface Dialer0 22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
!
!
ip access-list extended InternetInbound
 permit icmp any any
 remark allow VNC from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
 remark allow RDP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
 remark allow MS SQL from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 1433
 remark allow TELNET from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
 remark allow FTP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq ftp
 remark allowes NTP time server
 permit tcp 192.168.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq 123
ip access-list extended InternetOutbound
 permit ip any any
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
 permit icmp any any
 remark allowes WebMarshal
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 8080
 remark allowes Outlook Web Access
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
 remark allowes MS SQL
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 1433
 remark allowes RDP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
 remark allowes VNC
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
 remark allowes FTP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq ftp
 remark allowes TELNET
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
 remark allowes NTP time server
 permit tcp 192.168.0.0 0.0.255.255 192.168.1.0 0.0.0.255 eq 123
ip access-list extended TAVPN
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
logging trap debugging
access-list 1 remark Local LAN
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit any
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 150 remark NAT bypass for VPN traffic
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
 match ip address 150 130
!
banner motd ^CCC


------------------------------


Unauthorised access prohibited
All access is logged

^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 login authentication local
 length 0
 transport input telnet
 transport output telnet ssh
!
scheduler max-task-time 5000
!
end

Question by: aucklandnz

5 Comments

Author Comment by: aucklandnz (LVL 3)
Here is the config for the 877 which isn't working:


Building configuration...

Current configuration : 8875 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname airportnz
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$TP.u$eVGh8rHFQdC8BrO.4LRex1
enable password vccvcvcvc
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-3005635415
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3005635415
 revocation-check none
 rsakeypair TP-self-signed-3005635415
!
!
crypto pki certificate chain TP-self-signed-3005635415
 certificate self-signed 01
        quit
dot11 syslog
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool ccp-pool
   import all
   network 10.10.10.0 255.255.255.248
   default-router 10.10.10.1
   lease 0 2
!
!
ip inspect tcp synwait-time 300
ip inspect tcp max-incomplete host 200 block-time 3
ip inspect name CBACFilter tcp timeout 300
ip inspect name CBACFilter udp timeout 300
ip inspect name CBACFilter http java-list 51 timeout 3600
ip inspect name CBACFilter cuseeme
ip inspect name CBACFilter ftp
ip inspect name CBACFilter h323
ip inspect name CBACFilter realaudio
ip inspect name CBACFilter smtp
ip inspect name CBACFilter icmp alert on audit-trail on
ip inspect name FIRE-IN tcp timeout 300
ip inspect name FIRE-IN udp timeout 300
no ip bootp server
no ip domain lookup
ip domain name yourdomain.com
ip name-server 202.27.158.40
ip name-server 202.27.156.72
!
!
!
username aucklandnz privilege 15 secret 5 $1$YzNp$WIB2WP/.xtqZw9f/4C/UA1
username admin privilege 15 secret 5 $1$aZTy$QOqCHsSkXtgUAvXN4DkSy.
!
!
crypto isakmp policy 11
 hash md5
 authentication pre-share
crypto isakmp key mysecret address 203.97.x.x
crypto isakmp identity hostname
!
!
crypto map nolan 11 ipsec-isakmp
 set peer 203.97.x.x
 match address TAVPN
!
archive
 log config
  hidekeys
!
!
!
!
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
 hold-queue 224 in
!
interface ATM0.1 point-to-point
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Vlan1
 description Local LAN
 ip address 192.168.1.200 255.255.255.0
 ip inspect CBACFilter out
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1360
 no ip mroute-cache
 hold-queue 100 out
!
interface Dialer0
 description ADSL connection to the Internet via Xtra
 ip address negotiated previous
 ip access-group InternetInbound in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect CBACFilter out
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username tourismauck1.xadsl@xtra.co.nz password 0 tuesday0
 ppp ipcp dns accept
 crypto map nolan
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat inside source route-map nonat interface Dialer0 overload
!
ip access-list standard host
!
ip access-list extended InternetInbound
 permit icmp any any
 remark allowes Head office full access
 permit ip host 203.97.x.x any
 remark allowes Telnet from Head Office
 permit tcp host 203.97.x.x any eq telnet
 remark allow VNC from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 5900
 remark allow RDP from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq 3389
 remark allow TELNET from Head Office
 permit tcp 192.168.0.0 0.0.0.255 192.168.0.0 0.0.255.255 eq telnet
 
ip access-list extended InternetOutbound
 permit ip any any
 permit icmp any any
 remark allowes WWW
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq www
 remark allowes RDP
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 3389
 remark allowes VNC
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq 5900
 remark allowes TELNET
 permit tcp 192.168.0.0 0.0.255.255 192.168.0.0 0.0.0.255 eq telnet
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.255.255
ip access-list extended TAVPN
 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
!
logging trap debugging
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 150 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip 192.168.1.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community public RO
snmp-server enable traps tty
snmp-server host 192.168.1.1 255.255.255.0
no cdp run
!
!
route-map nonat permit 10
 match ip address 150 130
!
!
control-plane
!
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for  one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^C
-----------------------------------------------------------------------
Cisco Configuration Professional (Cisco CP) is installed on this device.
This feature requires the one-time use of the username "cisco" with the
password "cisco". These default credentials have a privilege level of 15.

YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE
PUBLICLY-KNOWN CREDENTIALS

Here are the Cisco IOS commands.

username <myuser>  privilege 15 secret 0 <mypassword>
no username cisco

Replace <myuser> and <mypassword> with the username and password you want
to use.

IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL
NOT BE ABLE TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.

For more information about Cisco CP please follow the instructions in the
QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
-----------------------------------------------------------------------
^C
!
line con 0
 login local
 no modem enable
line aux 0
 transport input telnet
 transport output telnet ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 terminal-type telnet
 length 0
 transport input telnet ssh
 transport output telnet ssh
!
scheduler max-task-time 5000
ntp server 218.185.224.8
end

Accepted Solution by: anoopkmr (LVL 14, earned 500 total points)
Try this on the 877:

ip access-list extended InternetInbound
permit esp any any
permit udp any any eq 500


crypto ipsec transform-set sharks esp-des esp-md5-hmac

crypto map nolan 11 ipsec-isakmp
 
 set transform-set sharks

Also, kindly show the output of:

show crypto isakmp
show crypto ipsec sa
Expert Comment by: ffleisma (LVL 9)
You don't seem to have the following command on your 877:

crypto ipsec transform-set sharks esp-des esp-md5-hmac

that would also mean you lack

set transform-set sharks

on your

crypto map nolan 11 ipsec-isakmp

Create the transform set and apply it on the appropriate interface, and tell me how it goes.

Hope this helps :-)
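Both replies above point at the same gap, a crypto map entry with no `set transform-set`, so here is one added example, not from the thread or from Cisco, that audits an IOS config text for exactly that (an entry with no transform set, or one naming a set that is never defined) and also checks for anoopkmr's suggested inbound ACL permits for ESP and UDP/500. The sample config excerpt, the 203.0.113.1 peer and the function names are constructed for this example.

```python
import re
# Constructed excerpt modelled on the 877 config in the question (the peer address is a
# placeholder): the crypto map sets a peer but no transform set, and none is defined.
SAMPLE_CONFIG = """\
crypto map nolan 11 ipsec-isakmp
 set peer 203.0.113.1
 match address TAVPN
interface Dialer0
 ip access-group InternetInbound in
 crypto map nolan
ip access-list extended InternetInbound
 permit icmp any any
 permit tcp host 203.0.113.1 any eq telnet
"""

def parse_blocks(config):
    """Map each top-level IOS line to its indented sub-commands (insertion order kept)."""
    blocks, header = {}, None
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue                            # blank line or '!' separator
        if line.startswith(" "):
            blocks.setdefault(header, []).append(line.strip())
        else:
            header = line.strip()
            blocks[header] = []
    return blocks

def audit_crypto_maps(config):
    """Report crypto map entries lacking a transform set or naming an undefined one."""
    blocks = parse_blocks(config)
    defined = {h.split()[3] for h in blocks if h and h.startswith("crypto ipsec transform-set ")}
    findings = []
    for header, children in blocks.items():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp$", header or "")
        if not m:
            continue
        entry = f"crypto map {m[1]} {m[2]}"
        used = [s for c in children if c.startswith("set transform-set ") for s in c.split()[2:]]
        if not used:
            findings.append(f"{entry}: missing 'set transform-set' (no IPsec proposal)")
        findings += [f"{entry}: transform set '{s}' is not defined" for s in used if s not in defined]
    return findings

def acl_permits_isakmp_and_esp(config, acl):
    """True if the named extended ACL explicitly permits ESP and UDP/500 (ISAKMP)."""
    rules = parse_blocks(config).get(f"ip access-list extended {acl}", [])
    return (any(r.startswith("permit esp ") for r in rules)
            and any(r.startswith("permit udp ") and r.endswith(" eq 500") for r in rules))
```

On the sample the audit reports the missing transform set and the ACL check returns False; after adding the transform set and `set transform-set sharks` from the accepted answer the audit reports nothing, which matches how the thread was resolved (the ACL lines were left out and the tunnel still came up).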
 
Author Comment by: aucklandnz (LVL 3)
@anoopkmr:

I have added
crypto ipsec transform-set sharks esp-des esp-md5-hmac

crypto map nolan 11 ipsec-isakmp
 
 set transform-set sharks

and I have the VPN up.

Thanks a lot.

Do I still have to input

ip access-list extended InternetInbound
permit esp any any
permit udp any any eq 500
Expert Comment by: anoopkmr (LVL 14)
If it's working then there's no need.