romeo310

Members
  • Total content: 79

All content created by romeo310

  1. !
ip local pool DIALIN-MODEM 192.168.10.250
ip local pool DIALIN-ISDN 192.168.10.251 192.168.10.252
ip local pool ippool 192.168.4.1 192.168.4.253
ip nat inside source list TRIGGER-CONNECT interface Dialer1 overload
ip nat inside source static tcp 192.168.10.152 20 interface Dialer1 20
ip nat inside source static tcp 192.168.10.152 21 interface Dialer1 21
ip nat inside source static tcp 192.168.10.101 443 interface Dialer1 443
ip nat inside source static tcp 192.168.10.7 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.10.101 22 interface Dialer1 22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended FIREWALL-INCOMING
 permit udp host 131.188.3.223 eq ntp any
 permit udp host 131.188.3.222 eq ntp any
 permit udp host 131.188.3.221 eq ntp any
 permit udp host 131.188.3.220 eq ntp any
 permit udp any eq 5060 any
 permit icmp any any echo-reply
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 deny ip any any log
ip access-list extended FIREWALL-OUTGOING
 permit ip any any
 deny ip any any log
ip access-list extended TRIGGER-CONNECT
 deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any log
ip access-list extended VPNROUTES-CLIENTS
 permit ip any any
 deny ip any any
ip access-list extended VTY-SSH
 permit ip 192.168.10.0 0.0.0.255 any
access-list 10 permit 131.188.3.220
access-list 10 permit 131.188.3.221
access-list 10 permit 131.188.3.222
access-list 10 permit 131.188.3.223
access-list 10 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
banner motd #CCCCC
*********************************************************************
* WARNING !!!!!                                                     *
*                                                                   *
* Firewall Router. RESTRICTED ACCESS                                *
*                                                                   *
* No Unauthorised Access.                                           *
*                                                                   *
* No Hackers, Phreaks, Crackers or so called security               *
* experts allowed!                                                  *
*                                                                   *
* Unauthorized use of this system will be logged and                *
* prosecuted to the fullest extent of the law !                     *
*                                                                   *
* Contact: webmaster@domain.de                                      *
*                                                                   *
* We fight against Spam and Hackers !!!!                            *
*********************************************************************
#
!
line con 0
 exec-timeout 120 0
 password 7 xxx
line aux 0
line vty 0 4
 access-class VTY-SSH in
 exec-timeout 0 0
 password 7 xxx
 transport input ssh
!
ntp clock-period 17042046
ntp access-group peer 10
ntp master 2
ntp server 131.188.3.223
ntp server 131.188.3.222
ntp server 131.188.3.221
ntp server 131.188.3.220
end
  2. !
crypto isakmp client configuration group xxx
 key xxx
 dns 192.168.10.101
 domain domain.de
 pool ippool
 acl VPNROUTES-CLIENTS
crypto isakmp profile VPNclient
 description VPN Clients Profile
 match identity group xxx
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
crypto isakmp profile l2l
 description lan-2-lan Configuration for spokes Routers
 keyring spokes
 match identity address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
! the profile name was missing after "set isakmp-profile" in the posted line;
! l2l is the lan-2-lan profile defined above
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile l2l
 reverse-route
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface BRI0
 description connected to Dial-inPCs(ISDN)
 ip unnumbered FastEthernet0
 ip nat inside
 encapsulation ppp
 dialer rotary-group 3
 dialer-group 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
 no cdp enable
!
interface Ethernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip route-cache flow
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
 crypto map mymap
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 speed auto
 full-duplex
!
interface Async5
 description connected to Dial-inPCs(modem)
 ip unnumbered FastEthernet0
 ip nat inside
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer rotary-group 2
 dialer-group 1
 async mode dedicated
!
interface Dialer1
 ip address negotiated
 ip access-group FIREWALL-INCOMING in
 ip access-group FIREWALL-OUTGOING out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect internet in
 ip inspect internet out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp pap sent-username xxx password 7 xxx
 ppp ipcp dns request
 crypto map mymap
!
interface Dialer2
 description connected to Dial-inPCs(modem)
 ip unnumbered FastEthernet0
 ip access-group Dialin-modem in
 ip nat inside
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer-group 1
 peer default ip address pool DIALIN-MODEM
 no cdp enable
 ppp authentication chap
!
interface Dialer3
 description connected to Dial-inPCs(ISDN)
 ip unnumbered FastEthernet0
 ip access-group DIALIN-ISDN in
 ip nat inside
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer-group 1
 peer default ip address pool DIALIN-ISDN
 no cdp enable
 ppp authentication chap pap callin
 ppp multilink
!
router rip
 version 2
 redistribute static
 passive-interface Dialer1
 network 192.168.4.0
 network 192.168.10.0
 no auto-summary
  3. Hi, here is the config of the Cisco 1720-1 for the .10 network. The 1720-2 has the same servers and IP addresses as the .10 network, only it is an .11 network. So networks 10 and 11 are identical to each other, except for the domain-name.
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname c1720w
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable password 7 xxx
!
memory-size iomem 25
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name domain.de
ip name-server 192.168.10.101
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.10.3
ip dhcp excluded-address 192.168.10.4
ip dhcp excluded-address 192.168.10.5
ip dhcp excluded-address 192.168.10.6
ip dhcp excluded-address 192.168.10.7
ip dhcp excluded-address 192.168.10.8
ip dhcp excluded-address 192.168.10.9
ip dhcp excluded-address 192.168.10.10
ip dhcp excluded-address 192.168.10.11
ip dhcp excluded-address 192.168.10.50
ip dhcp excluded-address 192.168.10.51
ip dhcp excluded-address 192.168.10.52
ip dhcp excluded-address 192.168.10.53
ip dhcp excluded-address 192.168.10.100
ip dhcp excluded-address 192.168.10.101
ip dhcp excluded-address 192.168.10.102
ip dhcp excluded-address 192.168.10.103
ip dhcp excluded-address 192.168.10.104
ip dhcp excluded-address 192.168.10.105
ip dhcp excluded-address 192.168.10.106
ip dhcp excluded-address 192.168.10.107
ip dhcp excluded-address 192.168.10.150
ip dhcp excluded-address 192.168.10.151
ip dhcp excluded-address 192.168.10.152
ip dhcp excluded-address 192.168.10.153
!
ip dhcp pool standard-clients
 network 192.168.10.0 255.255.255.0
 dns-server 192.168.10.52 194.25.2.129
 default-router 192.168.10.101
 domain-name domain.de
!
no ip bootp server
ip cef
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 150
ip inspect one-minute high 250
ip inspect udp idle-time 35
ip inspect dns-timeout 6
ip inspect tcp idle-time 300
ip inspect tcp finwait-time 6
ip inspect tcp synwait-time 35
ip inspect tcp max-incomplete host 50 block-time 15
ip inspect name internet http timeout 180
ip inspect name internet realaudio timeout 30
ip inspect name internet udp timeout 300
ip inspect name internet tcp timeout 600
ip inspect name internet ftp timeout 60
ip inspect name internet sip timeout 600
ip inspect name internet rtsp timeout 30
ip inspect name internet tftp timeout 30
ip inspect name internet sqlnet timeout 60
ip inspect name internet vdolive timeout 60
ip inspect name internet streamworks timeout 60
ip inspect name internet rcmd timeout 30
ip inspect name internet cuseeme timeout 30
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
isdn switch-type basic-net3
!
username ms2 password 7 xxx
!
!
class-map match-all Queue-MediumPrio
 match dscp af31
class-map match-all Queue-HighPrio
 match dscp ef
!
!
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
  4. Hi Wordo, the pings work to all machines, also via DNS resolution, so also to the w2k server running VNC and to the Linux server running SSH. I have built this setup twice with 1720s. Both configs are identical except for the networks: 1720-1: 192.168.10.0/24, 1720-2: 192.168.11.0/24. Both have my VPN config for road warriors. When I log in from the 192.168.10.0 network with the Cisco VPN Client to the router of the 192.168.11.0 network, the login works, and so do the pings and the name resolution of the Linux server, which also runs SSH. Same thing when I am dialed in via ISDN with Smartsurfer, for example, i.e. independently of the routers (DSL). I just cannot run any applications ??? Same story on the 1720-2. Yesterday I again spent almost 5 hours trying to find a solution. Unfortunately still without success! Thanks in advance for any further help! romeo310
  5. Hi, do you reach DSL through a hardware router ??? Have you enabled IPSec passthrough on that router?
  6. Hello Cisco forum community, does nobody in the forum have an approach to solving my problem? An approach would be enough for me. After 7 hours of configuring last night I still got nowhere. PLEASE HELP! THX
  7. Morning, a few threads further down I had a VPN problem. Ping did not work ( http://www.mcseboard.de/showthread.php?t=86048 ). Now everything works with ping and name resolution, but once I have authenticated I cannot establish a VNC connection to a Windows server or an SSH connection to a Linux server. As I said: config as in the thread linked above, ping and name server resolution OK! Please help! THX romeo310
  8. ERROR FOUND !!!!!!!!!!!!!!!!!!! The configuration above is first-rate with all features. I only had NAT transparency disabled. That means the line
no crypto ipsec nat-transparency udp-encaps
comes out of the config. Everything works wonderfully, with DHCP, Internet etc....
  9. Hi, thanks first of all for the answer. As far as I know I have already built that in with the Trigger-Connect:
snip
ip access-list extended TRIGGER-CONNECT
 deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any log
snap
??? Or am I wrong there?
  10. !
banner motd #CCCCC
*********************************************************************
* WARNING !!!!!                                                     *
*                                                                   *
* Firewall Router. RESTRICTED ACCESS                                *
*                                                                   *
* No Unauthorised Access.                                           *
*                                                                   *
* No Hackers, Phreaks, Crackers or so called security               *
* experts allowed!                                                  *
*                                                                   *
* Unauthorized use of this system will be logged and                *
* prosecuted to the fullest extent of the law !                     *
*                                                                   *
* Contact: webmaster@domain.de                                      *
*                                                                   *
* We fight against Spam and Hackers !!!!                            *
*********************************************************************
#
!
line con 0
 exec-timeout 120 0
 password 7 xxx
line aux 0
line vty 0 4
 access-class VTY-SSH in
 exec-timeout 0 0
 password 7 xxx
 transport input ssh
!
ntp clock-period 17042046
ntp access-group peer 10
ntp master 2
ntp server 131.188.3.223
ntp server 131.188.3.222
ntp server 131.188.3.221
ntp server 131.188.3.220
end
  11. interface Dialer1
 ip address negotiated
 ip access-group FIREWALL-INCOMING in
 ip access-group FIREWALL-OUTGOING out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip inspect internet in
 ip inspect internet out
 encapsulation ppp
 ip route-cache flow
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication chap pap callin
 ppp chap hostname xxx
 ppp chap password 7 xxx
 ppp pap sent-username xxx password 7 xxx
 ppp ipcp dns request
 crypto map mymap
!
interface Dialer2
 description connected to Dial-inPCs(modem)
 ip unnumbered FastEthernet0
 ip access-group Dialin-modem in
 ip nat inside
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer-group 1
 peer default ip address pool DIALIN-MODEM
 no cdp enable
 ppp authentication chap
!
interface Dialer3
 description connected to Dial-inPCs(ISDN)
 ip unnumbered FastEthernet0
 ip access-group DIALIN-ISDN in
 ip nat inside
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer-group 1
 peer default ip address pool DIALIN-ISDN
 no cdp enable
 ppp authentication chap pap callin
 ppp multilink
!
router rip
 version 2
 redistribute static
 passive-interface Dialer1
 network 192.168.4.0
 network 192.168.10.0
 no auto-summary
!
ip local pool DIALIN-MODEM 192.168.10.250
ip local pool DIALIN-ISDN 192.168.10.251 192.168.10.252
ip local pool ippool 192.168.4.1 192.168.4.253
ip nat inside source list TRIGGER-CONNECT interface Dialer1 overload
ip nat inside source static tcp 192.168.10.152 20 interface Dialer1 20
ip nat inside source static tcp 192.168.10.152 21 interface Dialer1 21
ip nat inside source static tcp 192.168.10.101 443 interface Dialer1 443
ip nat inside source static tcp 192.168.10.7 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.10.101 22 interface Dialer1 22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended FIREWALL-INCOMING
 permit udp host 131.188.3.223 eq ntp any
 permit udp host 131.188.3.222 eq ntp any
 permit udp host 131.188.3.221 eq ntp any
 permit udp host 131.188.3.220 eq ntp any
 permit udp any eq 5060 any
 permit icmp any any echo-reply
 permit tcp any any eq 22
 permit tcp any any eq 443
 permit ip 192.168.4.0 0.0.0.255 any
 permit ip 192.168.10.0 0.0.0.255 any
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit tcp any any eq ftp-data
 permit tcp any any eq ftp
 deny ip any any log
ip access-list extended FIREWALL-OUTGOING
 permit ip any any
 deny ip any any log
ip access-list extended TRIGGER-CONNECT
 deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
 deny ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any log
ip access-list extended VPNROUTES-CLIENTS
 permit ip any any
 deny ip any any
ip access-list extended VTY-SSH
 permit ip 192.168.10.0 0.0.0.255 any
access-list 10 permit 131.188.3.220
access-list 10 permit 131.188.3.221
access-list 10 permit 131.188.3.222
access-list 10 permit 131.188.3.223
access-list 10 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
  12. no ip bootp server
ip cef
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 150
ip inspect one-minute high 250
ip inspect udp idle-time 35
ip inspect dns-timeout 6
ip inspect tcp idle-time 300
ip inspect tcp finwait-time 6
ip inspect tcp synwait-time 35
ip inspect tcp max-incomplete host 50 block-time 15
ip inspect name internet http timeout 180
ip inspect name internet realaudio timeout 30
ip inspect name internet udp timeout 300
ip inspect name internet tcp timeout 600
ip inspect name internet ftp timeout 60
ip inspect name internet sip timeout 600
ip inspect name internet rtsp timeout 30
ip inspect name internet tftp timeout 30
ip inspect name internet sqlnet timeout 60
ip inspect name internet vdolive timeout 60
ip inspect name internet streamworks timeout 60
ip inspect name internet rcmd timeout 30
ip inspect name internet cuseeme timeout 30
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
 request-dialin
  protocol pppoe
!
!
isdn switch-type basic-net3
!
username ms2 password 7 xxx
!
!
class-map match-all Queue-MediumPrio
 match dscp af31
class-map match-all Queue-HighPrio
 match dscp ef
!
!
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group xxx
 key xxx
 dns 192.168.10.101
 domain domain.de
 pool ippool
 acl VPNROUTES-CLIENTS
crypto isakmp profile VPNclient
 description VPN Clients Profile
 match identity group xxx
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
crypto isakmp profile l2l
 description lan-2-lan Configuration for spokes Routers
 keyring spokes
 match identity address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
! the profile name was missing after "set isakmp-profile" in the posted line;
! l2l is the lan-2-lan profile defined above
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile l2l
 reverse-route
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface BRI0
 description connected to Dial-inPCs(ISDN)
 ip unnumbered FastEthernet0
 ip nat inside
 encapsulation ppp
 dialer rotary-group 3
 dialer-group 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
 no cdp enable
!
interface Ethernet0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip mtu 1492
 ip nat outside
 ip route-cache flow
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no cdp enable
 crypto map mymap
!
interface FastEthernet0
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip route-cache flow
 no ip mroute-cache
 speed auto
 full-duplex
!
interface Async5
 description connected to Dial-inPCs(modem)
 ip unnumbered FastEthernet0
 ip nat inside
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer rotary-group 2
 dialer-group 1
 async mode dedicated
  13. Hi, I have configured my 1720 completely from scratch again: unfortunately here too only the connection of the road warriors works. The connection is up, but I cannot ping anything on the far side or access any server... I am just as stuck....... Here once more the new (so far my best :) ) conf:
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname c1720w
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable password 7 xxx
!
memory-size iomem 25
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name domain.de
ip name-server 192.168.10.101
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.10.3
ip dhcp excluded-address 192.168.10.4
ip dhcp excluded-address 192.168.10.5
ip dhcp excluded-address 192.168.10.6
ip dhcp excluded-address 192.168.10.7
ip dhcp excluded-address 192.168.10.8
ip dhcp excluded-address 192.168.10.9
ip dhcp excluded-address 192.168.10.10
ip dhcp excluded-address 192.168.10.11
ip dhcp excluded-address 192.168.10.50
ip dhcp excluded-address 192.168.10.51
ip dhcp excluded-address 192.168.10.52
ip dhcp excluded-address 192.168.10.53
ip dhcp excluded-address 192.168.10.100
ip dhcp excluded-address 192.168.10.101
ip dhcp excluded-address 192.168.10.102
ip dhcp excluded-address 192.168.10.103
ip dhcp excluded-address 192.168.10.104
ip dhcp excluded-address 192.168.10.105
ip dhcp excluded-address 192.168.10.106
ip dhcp excluded-address 192.168.10.107
ip dhcp excluded-address 192.168.10.150
ip dhcp excluded-address 192.168.10.151
ip dhcp excluded-address 192.168.10.152
ip dhcp excluded-address 192.168.10.153
!
ip dhcp pool standard-clients
 network 192.168.10.0 255.255.255.0
 dns-server 192.168.10.52 194.25.2.129
 default-router 192.168.10.101
 domain-name domain.de
!
  14. should it then perhaps look like this ???
-------------------snip-----------------------
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit udp any eq 5060 any
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit tcp any any eq 443
----------------new-------------------------------
access-list 103 permit ip 10.5.5.0 any
---------------new--------------------------------
access-list 103 deny ip any any
or am I wrong again ??? ??? :) :) :)
  15. i.e. I would then have to include the VPN ACL for the clients in ACL 103 on Dialer1? Or am I misunderstanding that as well? Still stuck :(
  16. hmmmmmm, I think that defines the VPN clients for the internal network. I had also removed the ACL from the conf completely once. Same result :(
  17. !
interface Dialer1
 description connected to Internet
 ip address negotiated
 ip access-group 103 in
 ip mtu 1492
 ip nat outside
 ip inspect FastEthernet_0 out
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname <removed>
 ppp chap password 7 <removed>
 ppp pap sent-username <removed> password 7 <removed>
 crypto map mymap
!
interface Dialer2
 description connected to Dial-inPCs(modem)
 ip unnumbered FastEthernet0
 ip access-group 101 in
 ip nat inside
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer-group 1
 peer default ip address pool Cisco1720-Group-2
 no cdp enable
 ppp authentication chap
!
interface Dialer3
 description connected to Dial-inPCs(ISDN)
 ip unnumbered FastEthernet0
 ip access-group 100 in
 ip nat inside
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer-group 1
 peer default ip address pool Cisco1720-Group-3
 no cdp enable
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer4
 no ip address
!
router rip
 version 2
 passive-interface Dialer1
 network 192.168.10.0
 no auto-summary
!
ip local pool Cisco1720-Group-2 192.168.10.250
ip local pool Cisco1720-Group-3 192.168.10.251 192.168.10.252
ip local pool ippool 10.5.5.1 10.5.5.253
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.10.52 443 interface Dialer1 443
ip nat inside source static udp 192.168.10.7 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.10.52 22 interface Dialer1 22
ip nat inside source static tcp 192.168.10.101 21 interface Dialer1 21
ip nat inside source static tcp 192.168.10.101 20 interface Dialer1 20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended VPNROUTES-CLIENTS
 permit ip any any
 deny ip any any
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 deny ip any any log
access-list 101 permit udp any eq rip any eq rip
access-list 101 deny ip any any log
access-list 102 permit ip any any
access-list 102 deny ip any any log
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit udp any eq 5060 any
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit tcp any any eq 443
access-list 103 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
banner motd
*********************************************************
**                                                     **
* WARNING !                                             *
* System is RESTRICTED to authorized personnel ONLY !   *
*                                                       *
* Unauthorized use of this System will be logged and    *
* prosecuted to the fullest extent of the law.          *
*                                                       *
* If you are NOT authorized to use this system          *
* LOG OFF NOW !                                         *
*                                                       *
* We fight against SPAM and HACKERS !                   *
*********************************************************
!
line con 0
 exec-timeout 0 0
 password 7 <removed>
line aux 0
 modem InOut
 transport input all
 autoselect during-login
 autoselect ppp
 stopbits 1
 speed 38400
 flowcontrol hardware
line vty 0 4
!
ntp clock-period 17042045
ntp access-group peer 10
ntp master 2
ntp server 131.188.3.223
ntp server 131.188.3.222
ntp server 131.188.3.221
ntp server 131.188.3.220
!
end
  18. here is my conf:
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname c1720g
!
boot-start-marker
boot-end-marker
!
enable password 7 <remove>
!
memory-size iomem 25
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip name-server 192.168.10.52
ip dhcp excluded-address 192.168.10.1 192.168.10.252
!
ip dhcp pool standard-clients
 network 192.168.10.0 255.255.255.0
 dns-server 192.168.10.52 192.168.10.1
 domain-name domaene.de
 default-router 192.168.10.52
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 cuseeme
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 h323
ip inspect name FastEthernet_0 rcmd
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 streamworks
ip inspect name FastEthernet_0 vdolive
ip inspect name FastEthernet_0 sqlnet
ip inspect name FastEthernet_0 tftp
ip inspect name FastEthernet_0 sip
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
!
isdn switch-type basic-net3
!
username <removed> password 7 <removed>
!
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group mobil
 key <removed>
 dns 192.168.10.52 194.25.2.129
 pool ippool
 reverse-route
 acl VPNROUTES-CLIENTS
crypto isakmp profile VPNClient
 description VPN Clients Profile
 match identity group clientgroup
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNClient
 reverse-route
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface BRI0
 description connected to Dial-inPCs(ISDN)
 no ip address
 ip nat inside
 encapsulation ppp
 dialer rotary-group 3
 dialer-group 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
 no cdp enable
!
interface Ethernet0
 description connected to Internet
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no keepalive
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip inspect FastEthernet_0 in
 ip tcp adjust-mss 1452
 speed auto
 full-duplex
 no keepalive
!
interface Async5
 description connected to Dial-inPCs(modem)
 ip unnumbered FastEthernet0
 ip nat inside
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer rotary-group 2
 dialer-group 1
 async mode dedicated
!
interface Dialer0
 no ip address
  19. Morning, I have a Cisco 1720 up and running. I have now configured VPN. Dial-in with the Cisco VPN Client 4.03 works perfectly. The problem: the client gets an IP in 10.1.1.5-10.1.1.253 on the VPN adapter. Works. If I now try to ping the router at a 10.1.1.x address or at the intranet address 192.168.10.1: NOTHING. I cannot reach other machines either, despite the connection being established. What am I doing wrong ??? Did I overlook a mistake?
  20. !
ip local pool Cisco1720-Group-2 192.168.10.250
ip local pool Cisco1720-Group-3 192.168.10.251 192.168.10.252
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.10.101 20 interface Dialer1 20
ip nat inside source static tcp 192.168.10.101 21 interface Dialer1 21
ip nat inside source static tcp 192.168.10.52 22 interface Dialer1 22
ip nat inside source static udp 192.168.10.7 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.10.52 443 interface Dialer1 443
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 deny ip any any log
access-list 101 permit udp any eq rip any eq rip
access-list 101 deny ip any any log
access-list 102 permit ip any any
access-list 102 deny ip any any log
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit udp any eq 5060 any
access-list 103 permit esp any any
access-list 103 permit tcp any any eq 443
access-list 103 deny ip any any log
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
banner motd #
*********************************************************
**                                                     **
* WARNING !                                             *
* System is RESTRICTED to authorized personnel ONLY !   *
*                                                       *
* Unauthorized use of this System will be logged and    *
* prosecuted to the fullest extent of the law.          *
*                                                       *
* If you are NOT authorized to use this system          *
* LOG OFF NOW !                                         *
*                                                       *
* We fight against SPAM and HACKERS !                   *
*********************************************************#
!
line con 0
 exec-timeout 0 0
 password 7 password
 login
line aux 0
 login local
 modem InOut
 transport input all
 autoselect during-login
 autoselect ppp
 stopbits 1
 speed 38400
 flowcontrol hardware
line vty 0 4
 login
!
end
Hope someone can HELP me !!!! PLEASE !!!!!!!!!!!!!!!!!!!!!
  21. Hi folks, I want to add a VPN connection to my config so that I can access my network remotely with the Cisco VPN client. I've already tried several approaches, unfortunately without success. Can nobody in this forum help me? Internet with firewall, SIP and all that stuff works, as does RAS dial-in into my network via ISDN or the AUX port (analog modem); it's just this **** VPN client that won't work... Please HELP!!! Here's my config:

!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname c1720g
!
boot-start-marker
boot-end-marker
!
enable password 7 password
!
memory-size iomem 25
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
ip name-server 192.168.10.52
ip dhcp excluded-address 192.168.10.1 192.168.10.249
!
ip dhcp pool standard-clients
 network 192.168.10.0 255.255.255.0
 dns-server 192.168.10.52 192.168.10.1
 default-router 192.168.10.1
 domain-name domäne.de
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 cuseeme
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 h323
ip inspect name FastEthernet_0 rcmd
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 streamworks
ip inspect name FastEthernet_0 vdolive
ip inspect name FastEthernet_0 sqlnet
ip inspect name FastEthernet_0 tftp
ip inspect name FastEthernet_0 sip
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
 request-dialin
  protocol pppoe
!
isdn switch-type basic-net3
!
username localuser password 7 password
!
interface BRI0
 description connected to Dial-inPCs(ISDN)
 no ip address
 ip nat inside
 encapsulation ppp
 dialer rotary-group 3
 dialer-group 1
 isdn switch-type basic-net3
 isdn point-to-point-setup
 no cdp enable
!
interface Ethernet0
 description connected to Internet
 no ip address
 half-duplex
 pppoe enable
 pppoe-client dial-pool-number 1
 no keepalive
!
interface FastEthernet0
 description connected to EthernetLAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
 ip inspect FastEthernet_0 in
 ip tcp adjust-mss 1452
 speed auto
 full-duplex
 no keepalive
!
interface Async5
 description connected to Dial-inPCs(modem)
 ip unnumbered FastEthernet0
 ip nat inside
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer rotary-group 2
 dialer-group 1
 async mode dedicated
!
interface Dialer0
 no ip address
!
interface Dialer1
 description connected to Internet
 ip address negotiated
 ip access-group 103 in
 ip mtu 1492
 ip nat outside
 ip inspect FastEthernet_0 out
 encapsulation ppp
 dialer pool 1
 dialer-group 2
 ppp authentication chap pap callin
 ppp chap hostname ispuser
 ppp chap password 7 isppassword
 ppp pap sent-username ispuser password 7 isppassword
!
interface Dialer2
 description connected to Dial-inPCs(modem)
 ip unnumbered FastEthernet0
 ip access-group 101 in
 ip nat inside
 encapsulation ppp
 ip tcp header-compression passive
 dialer in-band
 dialer-group 1
 peer default ip address pool Cisco1720-Group-2
 no cdp enable
 ppp authentication chap
!
interface Dialer3
 description connected to Dial-inPCs(ISDN)
 ip unnumbered FastEthernet0
 ip access-group 100 in
 ip nat inside
 encapsulation ppp
 no ip split-horizon
 dialer in-band
 dialer-group 1
 peer default ip address pool Cisco1720-Group-3
 no cdp enable
 ppp authentication chap pap callin
 ppp multilink
!
interface Dialer4
 no ip address
!
router rip
 version 2
 passive-interface Dialer1
 network 192.168.10.0
 no auto-summary
  22. If you have a wic1enet card in that router, you definitely need an IP Plus IOS. Only the Plus feature set lets you run PPPoE over the wic1enet. romeo310
  23. Hi, I've been struggling for weeks to get my 1720 running as a VPN server so that, as a road warrior, I can establish an encrypted VPN connection with the Cisco VPN Client (software). Unfortunately without success. Does anyone on this board have a usable config for this purpose? Here's my config, restricted to the VPN-related parts:

!
username User1 password 7 xxx
username User2 password 7 xxx
username User3 password 7 xxx
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
aaa new-model
!
aaa authentication login clientauth local
aaa authentication login userlist local
aaa authorization network groupauthor local
aaa session-id common
!
ip dhcp pool standard-clients
 network 192.168.10.0 255.255.255.0
 dns-server 192.168.10.52 192.168.10.1 194.25.2.129
 default-router 192.168.10.1
!
ip flow-cache feature-accelerate
!
crypto keyring spokes
 pre-shared-key address 0.0.0.0 0.0.0.0 key *Password*
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key *Password* address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group clientgroup
 key *Password*
 dns 192.168.10.52 192.168.10.1 194.25.2.129
 pool ippool
 acl VPNROUTES-CLIENTS
crypto isakmp profile L2L
 description LAN-2-LAN Configuration for Spokes Routers
 keyring spokes
 match identity address 0.0.0.0
crypto isakmp profile VPNclient
 description VPN Clients Profile
 match identity group clientgroup
 client authentication list clientauth
 isakmp authorization list groupauthor
 client configuration address respond
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map dynmap 5
 set transform-set myset
 set isakmp-profile VPNclient
 reverse-route
crypto dynamic-map dynmap 10
 set transform-set myset
 set isakmp-profile L2L
 reverse-route
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
 ip route-cache flow
 crypto map mymap
!
interface Dialer1
 crypto map mymap
!
ip local pool ippool 192.168.10.250 192.168.10.254
!
ip access-list extended FIREWALL-INCOMING
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 deny ip any any log
!
ip access-list extended VPNROUTES-CLIENTS
 permit ip any any
 deny ip any any log
!
ntp clock-period 17042045
ntp access-group peer 10
ntp master 2
ntp server 131.188.3.223
ntp server 131.188.3.222
ntp server 131.188.3.221
ntp server 131.188.3.220
!
end

THX for any answers. A solution would really be urgent! romeo310
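The two configs posted above (the full config in post 21 and the VPN-only config in post 23) can be checked mechanically for the things that most often keep a Cisco VPN Client from connecting, and all of them are visible in the posts: post 23 switches NAT traversal off with `no crypto ipsec nat-transparency udp-encaps`, although a road warrior behind a home NAT router needs ESP carried in UDP 4500; post 21 binds `ip access-group 103 in` to Dialer1 while the list edited in post 23 is named FIREWALL-INCOMING, so it is worth verifying which ACL is really bound to the outside interface; post 23's `ippool` 192.168.10.250-254 is exactly the range post 21's DHCP server is left to lease (only .1-.249 are excluded); and LAN-to-client traffic must be exempted from NAT before the crypto map sees it. The Python script below is an added example, not code from the thread or from Cisco. Its sample config is constructed from the posted fragments; the NAT ACL name NAT-LAN, the 192.168.20.0/24 client subnet in the corrected variant and the idea of moving the pool out of the LAN are the editor's assumptions, not the poster's.

```python
# Added example (not code from the thread or from Cisco): lint an IOS config for the
# pitfalls discussed above. SAMPLE_CONFIG is built from the posted fragments; the NAT
# ACL name NAT-LAN and the client subnet 192.168.20.0/24 are assumptions.
import ipaddress
import re

SAMPLE_CONFIG = """
ip dhcp excluded-address 192.168.10.1 192.168.10.249
ip dhcp pool standard-clients
 network 192.168.10.0 255.255.255.0
ip local pool ippool 192.168.10.250 192.168.10.254
ip nat inside source list NAT-LAN interface Dialer1 overload
no crypto ipsec nat-transparency udp-encaps
crypto isakmp client configuration group clientgroup
 pool ippool
interface Dialer1
 ip access-group 103 in
 ip nat outside
 crypto map mymap
ip access-list extended FIREWALL-INCOMING
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
ip access-list extended NAT-LAN
 permit ip 192.168.10.0 0.0.0.255 any
"""
# Corrected variant: NAT-T at its default, the ACL that was edited actually bound to
# Dialer1, the client pool moved out of the LAN and exempted from NAT before the permit.
FIXED_CONFIG = (SAMPLE_CONFIG
    .replace("no crypto ipsec nat-transparency udp-encaps\n", "")
    .replace("ip access-group 103 in", "ip access-group FIREWALL-INCOMING in")
    .replace("ippool 192.168.10.250 192.168.10.254", "ippool 192.168.20.1 192.168.20.50")
    .replace(" permit ip 192.168.10.0 0.0.0.255 any",
             " deny ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255\n"
             " permit ip 192.168.10.0 0.0.0.255 any"))

def parse_blocks(text):
    """Split a running-config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):
            if line.startswith(" "):
                blocks[-1][1].append(line.strip())
            else:
                blocks.append((line.strip(), []))
    return blocks

def _acl_net(tok):
    """Consume one ACL address term ('any' or 'A WILDCARD'); return (network, rest)."""
    if tok[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tok[1:]
    prefix = 32 - bin(int(ipaddress.ip_address(tok[1]))).count("1")  # wildcard -> /len
    return ipaddress.ip_network(f"{tok[0]}/{prefix}", strict=False), tok[2:]

def acl_action(entries, src, dst):
    """First-match result over the 'ip' entries of an ACL: 'permit', 'deny' or None."""
    for tok in (e.split() for e in entries):
        if len(tok) >= 4 and tok[1] == "ip":
            s, rest = _acl_net(tok[2:])
            if src in s and dst in _acl_net(rest)[0]:
                return tok[0]
    return None

def _addr_range(lo, hi=None):
    lo, hi = int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi or lo))
    return {ipaddress.ip_address(i) for i in range(lo, hi + 1)}

def lint(text):
    """Return a list of findings; an empty list means all four checks pass."""
    blocks, findings = parse_blocks(text), []
    top, pools, excluded = dict(blocks), {}, set()
    vpn_pool = nat_acl = lan_net = None
    # 1. NAT traversal: a road warrior behind a home NAT needs ESP carried in UDP 4500.
    if "no crypto ipsec nat-transparency udp-encaps" in top:
        findings.append("NAT-T disabled: ESP from clients behind NAT is not UDP-encapsulated")
    for hdr, body in blocks:
        # 2. The ACL bound to the ip nat outside interface must be one that is defined.
        if hdr.startswith("interface") and "ip nat outside" in body:
            for m in filter(None, (re.match(r"ip access-group (\S+) in$", l) for l in body)):
                if f"ip access-list extended {m[1]}" not in top:
                    findings.append(f"{hdr}: inbound ACL {m[1]} is bound but not defined")
        elif m := re.match(r"ip local pool (\S+) (\S+)(?: (\S+))?$", hdr):
            pools[m[1]] = _addr_range(m[2], m[3])
        elif m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", hdr):
            excluded |= _addr_range(m[1], m[2])
        elif hdr.startswith("ip dhcp pool"):
            for l in (l for l in body if l.startswith("network ")):
                lan_net = ipaddress.ip_network("/".join(l.split()[1:3]))
        elif hdr.startswith("crypto isakmp client configuration group"):
            vpn_pool = next((l.split()[1] for l in body if l.startswith("pool ")), vpn_pool)
        elif m := re.match(r"ip nat inside source list (\S+)", hdr):
            nat_acl = m[1]
    # 3. A pool carved out of the LAN subnet must be excluded from the DHCP server.
    for name, addrs in pools.items():
        if lan_net and any(a in lan_net and a not in excluded for a in addrs):
            findings.append(f"pool {name} overlaps addresses the DHCP server can lease")
    # 4. NAT exemption: LAN -> client traffic must hit a deny in the NAT ACL, or it is
    #    translated to the dialer address before IPsec sees it.
    if vpn_pool in pools and nat_acl and lan_net:
        entries, src = top.get(f"ip access-list extended {nat_acl}", []), next(lan_net.hosts())
        leaked = sorted(a for a in pools[vpn_pool] if acl_action(entries, src, a) == "permit")
        if leaked:
            findings.append(f"NAT ACL {nat_acl}: {src} -> client {leaked[0]} is translated, not exempted")
    return findings
```

`lint(SAMPLE_CONFIG)` returns four findings (NAT-T off, ACL 103 bound but undefined, ippool inside the DHCP lease range, LAN-to-client traffic NATed) and `lint(FIXED_CONFIG)` returns none; to lint a real router, paste the output of `show running-config` in place of the sample. The parser is deliberately narrow (only `ip` ACL entries with `any` or wildcard terms are evaluated), and a clean result does not prove the tunnel will come up: `debug crypto isakmp` on the router remains the next step.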
  24. You're still missing an "ip inspect name ethernetin sip"; as already written in your other threads, this depends on the IOS. I'm running 12.3(13a). Without it, it doesn't work.
  25. @Rob_67: No, I haven't contacted TAC yet. But I've now also heard from several acquaintances that the 7905 doesn't run that well with SIP, at least with regard to 1und1. @ShiningStar: Describe your problem with your Sipgate plan again. Perhaps post the firewall config and the NAT and ACLs (from the router) and the config of the Cisco phone. Which IOS release do you have on your router?