romeo310
Posts created by romeo310
-
!
crypto isakmp client configuration group xxx
key xxx
dns 192.168.10.101
domain domain.de
pool ippool
acl VPNROUTES-CLIENTS
crypto isakmp profile VPNclient
description VPN Clients Profile
match identity group xxx
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile l2l
description lan-2-lan Configuration for spokes Routers
keyring spokes
match identity address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile
reverse-route
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface BRI0
description connected to Dial-inPCs(ISDN)
ip unnumbered FastEthernet0
ip nat inside
encapsulation ppp
dialer rotary-group 3
dialer-group 1
isdn switch-type basic-net3
isdn point-to-point-setup
no cdp enable
!
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip route-cache flow
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
crypto map mymap
!
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no ip mroute-cache
speed auto
full-duplex
!
interface Async5
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet0
ip nat inside
encapsulation ppp
ip tcp header-compression passive
dialer in-band
dialer rotary-group 2
dialer-group 1
async mode dedicated
!
interface Dialer1
ip address negotiated
ip access-group FIREWALL-INCOMING in
ip access-group FIREWALL-OUTGOING out
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip inspect internet in
ip inspect internet out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 7 xxx
ppp pap sent-username xxx password 7 xxx
ppp ipcp dns request
crypto map mymap
!
interface Dialer2
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet0
ip access-group Dialin-modem in
ip nat inside
encapsulation ppp
ip tcp header-compression passive
dialer in-band
dialer-group 1
peer default ip address pool DIALIN-MODEM
no cdp enable
ppp authentication chap
!
interface Dialer3
description connected to Dial-inPCs(ISDN)
ip unnumbered FastEthernet0
ip access-group DIALIN-ISDN in
ip nat inside
encapsulation ppp
no ip split-horizon
dialer in-band
dialer-group 1
peer default ip address pool DIALIN-ISDN
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
router rip
version 2
redistribute static
passive-interface Dialer1
network 192.168.4.0
network 192.168.10.0
no auto-summary
-
Hi,
here is the config of the Cisco 1720-1 from the 10 network. The 1720-2 has the same servers and IP addresses as the 10 network, only it is an 11 network.
So networks 10 and 11 are identical to each other, except for the domain-name.
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname c1720w
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable password 7 xxx
!
memory-size iomem 25
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name domain.de
ip name-server 192.168.10.101
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.10.3
ip dhcp excluded-address 192.168.10.4
ip dhcp excluded-address 192.168.10.5
ip dhcp excluded-address 192.168.10.6
ip dhcp excluded-address 192.168.10.7
ip dhcp excluded-address 192.168.10.8
ip dhcp excluded-address 192.168.10.9
ip dhcp excluded-address 192.168.10.10
ip dhcp excluded-address 192.168.10.11
ip dhcp excluded-address 192.168.10.50
ip dhcp excluded-address 192.168.10.51
ip dhcp excluded-address 192.168.10.52
ip dhcp excluded-address 192.168.10.53
ip dhcp excluded-address 192.168.10.100
ip dhcp excluded-address 192.168.10.101
ip dhcp excluded-address 192.168.10.102
ip dhcp excluded-address 192.168.10.103
ip dhcp excluded-address 192.168.10.104
ip dhcp excluded-address 192.168.10.105
ip dhcp excluded-address 192.168.10.106
ip dhcp excluded-address 192.168.10.107
ip dhcp excluded-address 192.168.10.150
ip dhcp excluded-address 192.168.10.151
ip dhcp excluded-address 192.168.10.152
ip dhcp excluded-address 192.168.10.153
!
ip dhcp pool standard-clients
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.52 194.25.2.129
default-router 192.168.10.101
domain-name domain.de
!
no ip bootp server
ip cef
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 150
ip inspect one-minute high 250
ip inspect udp idle-time 35
ip inspect dns-timeout 6
ip inspect tcp idle-time 300
ip inspect tcp finwait-time 6
ip inspect tcp synwait-time 35
ip inspect tcp max-incomplete host 50 block-time 15
ip inspect name internet http timeout 180
ip inspect name internet realaudio timeout 30
ip inspect name internet udp timeout 300
ip inspect name internet tcp timeout 600
ip inspect name internet ftp timeout 60
ip inspect name internet sip timeout 600
ip inspect name internet rtsp timeout 30
ip inspect name internet tftp timeout 30
ip inspect name internet sqlnet timeout 60
ip inspect name internet vdolive timeout 60
ip inspect name internet streamworks timeout 60
ip inspect name internet rcmd timeout 30
ip inspect name internet cuseeme timeout 30
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
isdn switch-type basic-net3
!
username ms2 password 7 xxx
!
!
class-map match-all Queue-MediumPrio
match dscp af31
class-map match-all Queue-HighPrio
match dscp ef
!
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
-
Hi Wordo,
the pings reach all machines, also via DNS resolution, so also the w2k server running VNC and the Linux server running SSH.
I have implemented this setup twice with 1720s.
Both configs identical, except for the networks:
1720-1: 192.168.10.0/24
1720-2: 192.168.11.0/24
Both have my VPN config for road warriors. When I log in from the 192.168.10.0 network with the Cisco VPN Client to the router of the 192.168.11.0 network, the login works, and so do the pings and the name resolution of the Linux server, which also runs SSH. Same thing when I am dialed in via ISDN with Smartsurfer, for example, i.e. independent of the router (DSL).
Only I just can't run any applications ???
Same thing with the 1720-2.
Yesterday I again spent nearly 5 hours trying to find a solution. Unfortunately still without success !
Thanks in advance for further help !
romeo310
-
hi,
do you connect to DSL via a hardware router ??? Have you enabled IPSec passthrough on the router ?
-
Hello Cisco forum community,
does nobody in the forum have an approach for my problem ?
An approach would be enough for me. After 7 hours of configuring yesterday evening I still got nowhere.
PLEASE HELP !
THX
-
Morning,
a few threads further down I had a VPN problem. Ping did not work ( http://www.mcseboard.de/showthread.php?t=86048 ). Now everything works with ping and name resolution, but once I have authenticated I cannot establish a VNC connection to a Windows server or an SSH connection to a Linux server.
As I said. Config as in the link of the above-mentioned thread, ping and name server resolution ok !
Please Help !
THX romeo310
-
ERROR FOUND !!!!!!!!!!!!!!!!!!!
The config above is perfect with all features. I only had NAT transparency disabled.
Meaning the line:
no crypto ipsec nat-transparency udp-encaps
has to come out of the config.
Everything works great, with DHCP, Internet etc....
-
Hi,
thanks first of all for the answer. As far as I know I did build that in with the trigger-connect:
snip
ip access-list extended TRIGGER-CONNECT
deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
deny ip any any log
snap
???
Or am I wrong there ?
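The "ERROR FOUND" post above (NAT traversal switched off with `no crypto ipsec nat-transparency udp-encaps`) and the TRIGGER-CONNECT post (LAN traffic to the VPN pool denied in the NAT overload ACL) both come down to checks that can be run against a saved config before the next five-hour debugging session. The script below is an added example, not code from this thread or from Cisco: it parses an IOS-style `show running-config` text and reports NAT-T disabled, an `ip nat outside` interface without its crypto map, an inbound ACL on that interface that lacks the UDP/500, UDP/4500 or ESP permits, and a NAT overload ACL that does not exempt LAN traffic to the VPN client pool. The two sample configs are constructed to mirror the shape of the configs posted here (interface, pool and ACL names are taken from the thread; they are not real device output).

```python
"""Audit an IOS-style config for the remote-access IPsec pitfalls in this thread (added example)."""
import ipaddress
import re

# Constructed, not real device output: NAT-T off, no crypto map outside, no UDP/4500 permit, pool not NAT-exempt.
BROKEN_CONFIG = """\
no crypto ipsec nat-transparency udp-encaps
interface Dialer1
 ip access-group 103 in
 ip nat outside
ip local pool ippool 10.5.5.1 10.5.5.253
ip nat inside source list 1 interface Dialer1 overload
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 deny ip any any log
"""
# Constructed sample mirroring the shape of the working config posted in the thread.
FIXED_CONFIG = """\
interface Dialer1
 ip access-group FIREWALL-INCOMING in
 ip nat outside
 crypto map mymap
ip local pool ippool 192.168.4.1 192.168.4.253
ip nat inside source list TRIGGER-CONNECT interface Dialer1 overload
ip access-list extended FIREWALL-INCOMING
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 deny ip any any log
ip access-list extended TRIGGER-CONNECT
 deny ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
 deny ip any any log
"""
# What the inbound ACL on the outside interface must permit for IKE and IPsec to reach the router.
IKE_PERMITS = [("udp/500 isakmp", r"^permit udp .*\beq (isakmp|500)\b"),
               ("udp/4500 non500-isakmp", r"^permit udp .*\beq (non500-isakmp|4500)\b"),
               ("esp", r"^permit esp\b")]

def parse_config(text):
    """Return (top_level_lines, blocks); blocks maps a top-level line to its indented sub-commands."""
    top, blocks = [], {}
    for raw in text.splitlines():
        if raw.startswith(" ") and top:
            blocks[top[-1]].append(raw.strip())
        elif raw.strip() and not raw.startswith("!"):
            top.append(raw.strip())
            blocks[top[-1]] = []
    return top, blocks

def acl_entries(top, blocks, name):
    """Entries of a named extended ACL or a numbered ACL, as 'permit ...' / 'deny ...' strings."""
    named = blocks.get(f"ip access-list extended {name}")
    if named is not None:
        return named
    prefix = f"access-list {name} "
    return [line[len(prefix):] for line in top if line.startswith(prefix)]

def acl_address(tokens):
    """Consume one ACL address spec ('any', 'host A' or 'A WILDCARD'); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host" or tokens[1] == "0.0.0.0":  # a single host, in either spelling
        return ipaddress.ip_network(tokens[tokens[0] == "host"] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]  # wildcard = hostmask

def pool_exempt_from_nat(entries, pool_addr):
    """IOS uses the first matching entry: True if LAN->pool traffic hits a deny before any permit."""
    for t in (e.split() for e in entries):
        if len(t) < 4 or t[1] != "ip":
            continue  # standard ACL entries carry no destination to match on
        dst = acl_address(acl_address(t[2:])[1])[0]
        if pool_addr in dst:
            return t[0] == "deny"
    return False

def audit(text):
    """Return a list of (code, message) findings for one config text."""
    top, blocks = parse_config(text)
    findings = []
    if "no crypto ipsec nat-transparency udp-encaps" in top:
        findings.append(("NAT_T_DISABLED", "clients behind NAT cannot carry ESP inside UDP/4500"))
    for header, sub in blocks.items():  # outside interfaces: crypto map bound, IKE/ESP allowed in
        if not header.startswith("interface ") or "ip nat outside" not in sub:
            continue
        ifname = header.split()[1]
        if not any(s.startswith("crypto map ") for s in sub):
            findings.append(("NO_CRYPTO_MAP", f"{ifname} has 'ip nat outside' but no crypto map"))
        for acl in re.findall(r"^ip access-group (\S+) in$", "\n".join(sub), re.M):
            entries = acl_entries(top, blocks, acl)
            for label, pattern in IKE_PERMITS:
                if not any(re.search(pattern, e) for e in entries):
                    findings.append(("ACL_BLOCKS_IPSEC", f"ACL {acl} on {ifname} lacks a permit for {label}"))
    joined = "\n".join(top)
    pools = {n: ipaddress.ip_address(a) for n, a in re.findall(r"^ip local pool (\S+) (\S+)", joined, re.M)}
    for acl in re.findall(r"^ip nat inside source list (\S+) interface \S+ overload", joined, re.M):
        for name, addr in pools.items():
            if not pool_exempt_from_nat(acl_entries(top, blocks, acl), addr):
                findings.append(("NAT_NOT_EXEMPT", f"NAT ACL {acl} translates LAN traffic to pool {name}"))
    return findings
```

`audit(BROKEN_CONFIG)` returns four findings (one per check) and `audit(FIXED_CONFIG)` returns none. The parser relies on the one-space indentation of sub-commands that `show running-config` emits, so feed it the raw output with leading spaces intact; the copies pasted in this thread have lost that indentation and would have to be re-indented first. The NAT check only understands `permit ip`/`deny ip` entries, which is what the TRIGGER-CONNECT ACL uses; a standard ACL such as `access-list 1` cannot exempt by destination at all, which is why it is reported.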
-
!
banner motd #CCCCC
*********************************************************************
* WARNING !!!!! *
* *
* Firewall Router. RESTRICTED ACCESS *
* *
* No Unauthorised Access. *
* *
* No Hackers, Phreaks, Crackers or so called security *
* experts allowed! *
* *
* Unauthorized use of this system will be logged and *
* prosecuted to the fullest extent of the law ! *
* *
* Contact: webmaster@domain.de *
* *
* We fight against Spam and Hackers !!!! *
*********************************************************************
#
!
line con 0
exec-timeout 120 0
password 7 xxx
line aux 0
line vty 0 4
access-class VTY-SSH in
exec-timeout 0 0
password 7 xxx
transport input ssh
!
ntp clock-period 17042046
ntp access-group peer 10
ntp master 2
ntp server 131.188.3.223
ntp server 131.188.3.222
ntp server 131.188.3.221
ntp server 131.188.3.220
end
-
interface Dialer1
ip address negotiated
ip access-group FIREWALL-INCOMING in
ip access-group FIREWALL-OUTGOING out
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip inspect internet in
ip inspect internet out
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxx
ppp chap password 7 xxx
ppp pap sent-username xxx password 7 xxx
ppp ipcp dns request
crypto map mymap
!
interface Dialer2
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet0
ip access-group Dialin-modem in
ip nat inside
encapsulation ppp
ip tcp header-compression passive
dialer in-band
dialer-group 1
peer default ip address pool DIALIN-MODEM
no cdp enable
ppp authentication chap
!
interface Dialer3
description connected to Dial-inPCs(ISDN)
ip unnumbered FastEthernet0
ip access-group DIALIN-ISDN in
ip nat inside
encapsulation ppp
no ip split-horizon
dialer in-band
dialer-group 1
peer default ip address pool DIALIN-ISDN
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
router rip
version 2
redistribute static
passive-interface Dialer1
network 192.168.4.0
network 192.168.10.0
no auto-summary
!
ip local pool DIALIN-MODEM 192.168.10.250
ip local pool DIALIN-ISDN 192.168.10.251 192.168.10.252
ip local pool ippool 192.168.4.1 192.168.4.253
ip nat inside source list TRIGGER-CONNECT interface Dialer1 overload
ip nat inside source static tcp 192.168.10.152 20 interface Dialer1 20
ip nat inside source static tcp 192.168.10.152 21 interface Dialer1 21
ip nat inside source static tcp 192.168.10.101 443 interface Dialer1 443
ip nat inside source static tcp 192.168.10.7 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.10.101 22 interface Dialer1 22
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
no ip http secure-server
!
!
!
ip access-list extended FIREWALL-INCOMING
permit udp host 131.188.3.223 eq ntp any
permit udp host 131.188.3.222 eq ntp any
permit udp host 131.188.3.221 eq ntp any
permit udp host 131.188.3.220 eq ntp any
permit udp any eq 5060 any
permit icmp any any echo-reply
permit tcp any any eq 22
permit tcp any any eq 443
permit ip 192.168.4.0 0.0.0.255 any
permit ip 192.168.10.0 0.0.0.255 any
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
permit tcp any any eq ftp-data
permit tcp any any eq ftp
deny ip any any log
ip access-list extended FIREWALL-OUTGOING
permit ip any any
deny ip any any log
ip access-list extended TRIGGER-CONNECT
deny ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
deny ip 192.168.10.0 0.0.0.255 192.168.4.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
deny ip any any log
ip access-list extended VPNROUTES-CLIENTS
permit ip any any
deny ip any any
ip access-list extended VTY-SSH
permit ip 192.168.10.0 0.0.0.255 any
access-list 10 permit 131.188.3.220
access-list 10 permit 131.188.3.221
access-list 10 permit 131.188.3.222
access-list 10 permit 131.188.3.223
access-list 10 permit 192.168.10.0 0.0.0.255
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
-
no ip bootp server
ip cef
ip inspect max-incomplete low 300
ip inspect max-incomplete high 400
ip inspect one-minute low 150
ip inspect one-minute high 250
ip inspect udp idle-time 35
ip inspect dns-timeout 6
ip inspect tcp idle-time 300
ip inspect tcp finwait-time 6
ip inspect tcp synwait-time 35
ip inspect tcp max-incomplete host 50 block-time 15
ip inspect name internet http timeout 180
ip inspect name internet realaudio timeout 30
ip inspect name internet udp timeout 300
ip inspect name internet tcp timeout 600
ip inspect name internet ftp timeout 60
ip inspect name internet sip timeout 600
ip inspect name internet rtsp timeout 30
ip inspect name internet tftp timeout 30
ip inspect name internet sqlnet timeout 60
ip inspect name internet vdolive timeout 60
ip inspect name internet streamworks timeout 60
ip inspect name internet rcmd timeout 30
ip inspect name internet cuseeme timeout 30
ip audit po max-events 100
vpdn enable
!
vpdn-group 1
request-dialin
protocol pppoe
!
!
isdn switch-type basic-net3
!
username ms2 password 7 xxx
!
!
class-map match-all Queue-MediumPrio
match dscp af31
class-map match-all Queue-HighPrio
match dscp ef
!
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key xxx
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group xxx
key xxx
dns 192.168.10.101
domain domain.de
pool ippool
acl VPNROUTES-CLIENTS
crypto isakmp profile VPNclient
description VPN Clients Profile
match identity group xxx
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
crypto isakmp profile l2l
description lan-2-lan Configuration for spokes Routers
keyring spokes
match identity address 0.0.0.0
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile
reverse-route
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface BRI0
description connected to Dial-inPCs(ISDN)
ip unnumbered FastEthernet0
ip nat inside
encapsulation ppp
dialer rotary-group 3
dialer-group 1
isdn switch-type basic-net3
isdn point-to-point-setup
no cdp enable
!
interface Ethernet0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip route-cache flow
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no cdp enable
crypto map mymap
!
interface FastEthernet0
ip address 192.168.10.1 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip route-cache flow
no ip mroute-cache
speed auto
full-duplex
!
interface Async5
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet0
ip nat inside
encapsulation ppp
ip tcp header-compression passive
dialer in-band
dialer rotary-group 2
dialer-group 1
async mode dedicated
-
Hi,
I have configured my 1720 again completely from scratch:
Unfortunately here too only the connection of the road warriors works. The connection is up, but I cannot ping anything on the other side or access any server...
I am really stuck right now.......
Here once again the new (so far my best :) ) config:
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug uptime
service timestamps log uptime
service password-encryption
service sequence-numbers
!
hostname c1720w
!
boot-start-marker
boot-end-marker
!
logging buffered 16384 debugging
no logging console
enable password 7 xxx
!
memory-size iomem 25
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
no ip source-route
!
!
ip domain name domain.de
ip name-server 192.168.10.101
ip dhcp excluded-address 192.168.10.1
ip dhcp excluded-address 192.168.10.2
ip dhcp excluded-address 192.168.10.3
ip dhcp excluded-address 192.168.10.4
ip dhcp excluded-address 192.168.10.5
ip dhcp excluded-address 192.168.10.6
ip dhcp excluded-address 192.168.10.7
ip dhcp excluded-address 192.168.10.8
ip dhcp excluded-address 192.168.10.9
ip dhcp excluded-address 192.168.10.10
ip dhcp excluded-address 192.168.10.11
ip dhcp excluded-address 192.168.10.50
ip dhcp excluded-address 192.168.10.51
ip dhcp excluded-address 192.168.10.52
ip dhcp excluded-address 192.168.10.53
ip dhcp excluded-address 192.168.10.100
ip dhcp excluded-address 192.168.10.101
ip dhcp excluded-address 192.168.10.102
ip dhcp excluded-address 192.168.10.103
ip dhcp excluded-address 192.168.10.104
ip dhcp excluded-address 192.168.10.105
ip dhcp excluded-address 192.168.10.106
ip dhcp excluded-address 192.168.10.107
ip dhcp excluded-address 192.168.10.150
ip dhcp excluded-address 192.168.10.151
ip dhcp excluded-address 192.168.10.152
ip dhcp excluded-address 192.168.10.153
!
ip dhcp pool standard-clients
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.52 194.25.2.129
default-router 192.168.10.101
domain-name domain.de
!
-
should it then maybe look like this ???
-------------------snip-----------------------
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit udp any eq 5060 any
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit tcp any any eq 443
----------------new-------------------------------
access-list 103 permit ip 10.5.5.0 any
---------------new--------------------------------
access-list 103 deny ip any any
or am I wrong again ???
??? :) :) :)
-
i.e. I would then have to include the VPN ACL for the clients in acl 103 on Dialer1 ?
Or am I misunderstanding that too ?
I am still stuck :(
-
hmmmmmm, I think that defines the VPN clients for the internal network.
I had already removed the acl completely from the conf once. Same result :(
-
!
interface Dialer1
description connected to Internet
ip address negotiated
ip access-group 103 in
ip mtu 1492
ip nat outside
ip inspect FastEthernet_0 out
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname <removed>
ppp chap password 7 <removed>
ppp pap sent-username <removed> password 7 <removed>
crypto map mymap
!
interface Dialer2
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet0
ip access-group 101 in
ip nat inside
encapsulation ppp
ip tcp header-compression passive
dialer in-band
dialer-group 1
peer default ip address pool Cisco1720-Group-2
no cdp enable
ppp authentication chap
!
interface Dialer3
description connected to Dial-inPCs(ISDN)
ip unnumbered FastEthernet0
ip access-group 100 in
ip nat inside
encapsulation ppp
no ip split-horizon
dialer in-band
dialer-group 1
peer default ip address pool Cisco1720-Group-3
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
interface Dialer4
no ip address
!
router rip
version 2
passive-interface Dialer1
network 192.168.10.0
no auto-summary
!
ip local pool Cisco1720-Group-2 192.168.10.250
ip local pool Cisco1720-Group-3 192.168.10.251 192.168.10.252
ip local pool ippool 10.5.5.1 10.5.5.253
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.10.52 443 interface Dialer1 443
ip nat inside source static udp 192.168.10.7 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.10.52 22 interface Dialer1 22
ip nat inside source static tcp 192.168.10.101 21 interface Dialer1 21
ip nat inside source static tcp 192.168.10.101 20 interface Dialer1 20
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
no ip http server
ip http authentication local
ip http secure-server
!
!
!
ip access-list extended VPNROUTES-CLIENTS
permit ip any any
deny ip any any
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 deny ip any any log
access-list 101 permit udp any eq rip any eq rip
access-list 101 deny ip any any log
access-list 102 permit ip any any
access-list 102 deny ip any any log
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit udp any eq 5060 any
access-list 103 permit esp any any
access-list 103 permit udp any any eq isakmp
access-list 103 permit udp any any eq non500-isakmp
access-list 103 permit tcp any any eq 443
access-list 103 deny ip any any
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
banner motd
*********************************************************
** **
* WARNING ! *
* System ist RESTRICTED to authorized personnell ONLY ! *
* *
* Unauthorized use of this System will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system *
* LOG OFF NOW ! *
* *
* We fight against SPAM an HACKERS ! *
*********************************************************
!
line con 0
exec-timeout 0 0
password 7 <removed>
line aux 0
modem InOut
transport input all
autoselect during-login
autoselect ppp
stopbits 1
speed 38400
flowcontrol hardware
line vty 0 4
!
ntp clock-period 17042045
ntp access-group peer 10
ntp master 2
ntp server 131.188.3.223
ntp server 131.188.3.222
ntp server 131.188.3.221
ntp server 131.188.3.220
!
end
-
here is my conf:
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname c1720g
!
boot-start-marker
boot-end-marker
!
enable password 7 <remove>
!
memory-size iomem 25
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login clientauth local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
ip name-server 192.168.10.52
ip dhcp excluded-address 192.168.10.1 192.168.10.252
!
ip dhcp pool standard-clients
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.52 192.168.10.1
domain-name domaene.de
default-router 192.168.10.52
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 cuseeme
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 h323
ip inspect name FastEthernet_0 rcmd
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 streamworks
ip inspect name FastEthernet_0 vdolive
ip inspect name FastEthernet_0 sqlnet
ip inspect name FastEthernet_0 tftp
ip inspect name FastEthernet_0 sip
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
isdn switch-type basic-net3
!
username <removed> password 7 <removed>
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group mobil
key <removed>
dns 192.168.10.52 194.25.2.129
pool ippool
reverse-route
acl VPNROUTES-CLIENTS
crypto isakmp profile VPNClient
description VPN Clients Profile
match identity group clientgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNClient
reverse-route
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface BRI0
description connected to Dial-inPCs(ISDN)
no ip address
ip nat inside
encapsulation ppp
dialer rotary-group 3
dialer-group 1
isdn switch-type basic-net3
isdn point-to-point-setup
no cdp enable
!
interface Ethernet0
description connected to Internet
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no keepalive
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip inspect FastEthernet_0 in
ip tcp adjust-mss 1452
speed auto
full-duplex
no keepalive
!
interface Async5
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet0
ip nat inside
encapsulation ppp
ip tcp header-compression passive
dialer in-band
dialer rotary-group 2
dialer-group 1
async mode dedicated
!
interface Dialer0
no ip address
-
Morning,
I have a Cisco 1720 up and running. Have now configured VPN. Dial-in with the Cisco VPN Client 4.03 works perfectly.
The problem: the client gets the IP 10.1.1.5-10.1.1.253 on the VPN adapter.
Works.
If I now try to ping the router with a 10.1.1.x address or the intranet address 192.168.10.1, NOTHING.
I cannot reach other machines either, even though the connection is established.
What am I doing wrong ??? Have I overlooked an error ?
-
!
ip local pool Cisco1720-Group-2 192.168.10.250
ip local pool Cisco1720-Group-3 192.168.10.251 192.168.10.252
ip nat inside source list 1 interface Dialer1 overload
ip nat inside source static tcp 192.168.10.101 20 interface Dialer1 20
ip nat inside source static tcp 192.168.10.101 21 interface Dialer1 21
ip nat inside source static tcp 192.168.10.52 22 interface Dialer1 22
ip nat inside source static udp 192.168.10.7 5060 interface Dialer1 5060
ip nat inside source static tcp 192.168.10.52 443 interface Dialer1 443
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!
!
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 100 permit udp any eq rip any eq rip
access-list 100 deny ip any any log
access-list 101 permit udp any eq rip any eq rip
access-list 101 deny ip any any log
access-list 102 permit ip any any
access-list 102 deny ip any any log
access-list 103 permit icmp any any echo-reply
access-list 103 permit tcp any any eq 22
access-list 103 permit tcp any any eq ftp
access-list 103 permit tcp any any eq ftp-data
access-list 103 permit udp any eq 5060 any
access-list 103 permit esp any any
access-list 103 permit tcp any any eq 443
access-list 103 deny ip any any log
dialer-list 1 protocol ip permit
dialer-list 2 protocol ip permit
!
banner motd #
*********************************************************
** **
* WARNING ! *
* System ist RESTRICTED to authorized personnell ONLY ! *
* *
* Unauthorized use of this System will be logged and *
* prosecuted to the fullest extent of the law. *
* *
* If you are NOT authorized to use this system *
* LOG OFF NOW ! *
* *
* We fight against SPAM an HACKERS ! *
*********************************************************#
!
line con 0
exec-timeout 0 0
password 7 password
login
line aux 0
login local
modem InOut
transport input all
autoselect during-login
autoselect ppp
stopbits 1
speed 38400
flowcontrol hardware
line vty 0 4
login
!
end
Hope someone can HELP me !!!! PLEASE !!!!!!!!!!!!!!!!!!!!!
-
Morning ladies,
I would like to add a VPN connection to my config so that I can access my network remotely via the Cisco VPN client. I have already tried several approaches, unfortunately without success. Can nobody in the forum help me ?
Internet with firewall, SIP and all that stuff works, as does the RAS dial-in into my network via ISDN or the AUX port (analog modem), only this ****ing VPN client won't..............
Please HELP !!!!!!!!!!!!!!
Here is my config:
!
version 12.3
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname c1720g
!
boot-start-marker
boot-end-marker
!
enable password 7 password
!
memory-size iomem 25
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
ip name-server 192.168.10.52
ip dhcp excluded-address 192.168.10.1 192.168.10.249
!
ip dhcp pool standard-clients
network 192.168.10.0 255.255.255.0
dns-server 192.168.10.52 192.168.10.1
default-router 192.168.10.1
domain-name domäne.de
!
ip cef
ip inspect max-incomplete high 1100
ip inspect one-minute high 1100
ip inspect name FastEthernet_0 tcp
ip inspect name FastEthernet_0 udp
ip inspect name FastEthernet_0 cuseeme
ip inspect name FastEthernet_0 ftp
ip inspect name FastEthernet_0 h323
ip inspect name FastEthernet_0 rcmd
ip inspect name FastEthernet_0 realaudio
ip inspect name FastEthernet_0 streamworks
ip inspect name FastEthernet_0 vdolive
ip inspect name FastEthernet_0 sqlnet
ip inspect name FastEthernet_0 tftp
ip inspect name FastEthernet_0 sip
ip audit po max-events 100
vpdn enable
!
vpdn-group pppoe
request-dialin
protocol pppoe
!
!
isdn switch-type basic-net3
!
username localuser password 7 password
!
!
!
!
!
interface BRI0
description connected to Dial-inPCs(ISDN)
no ip address
ip nat inside
encapsulation ppp
dialer rotary-group 3
dialer-group 1
isdn switch-type basic-net3
isdn point-to-point-setup
no cdp enable
!
interface Ethernet0
description connected to Internet
no ip address
half-duplex
pppoe enable
pppoe-client dial-pool-number 1
no keepalive
!
interface FastEthernet0
description connected to EthernetLAN
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip inspect FastEthernet_0 in
ip tcp adjust-mss 1452
speed auto
full-duplex
no keepalive
!
interface Async5
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet0
ip nat inside
encapsulation ppp
ip tcp header-compression passive
dialer in-band
dialer rotary-group 2
dialer-group 1
async mode dedicated
!
interface Dialer0
no ip address
!
interface Dialer1
description connected to Internet
ip address negotiated
ip access-group 103 in
ip mtu 1492
ip nat outside
ip inspect FastEthernet_0 out
encapsulation ppp
dialer pool 1
dialer-group 2
ppp authentication chap pap callin
ppp chap hostname ispuser
ppp chap password 7 isppassword
ppp pap sent-username ispuser password 7 isppassword
!
interface Dialer2
description connected to Dial-inPCs(modem)
ip unnumbered FastEthernet0
ip access-group 101 in
ip nat inside
encapsulation ppp
ip tcp header-compression passive
dialer in-band
dialer-group 1
peer default ip address pool Cisco1720-Group-2
no cdp enable
ppp authentication chap
!
interface Dialer3
description connected to Dial-inPCs(ISDN)
ip unnumbered FastEthernet0
ip access-group 100 in
ip nat inside
encapsulation ppp
no ip split-horizon
dialer in-band
dialer-group 1
peer default ip address pool Cisco1720-Group-3
no cdp enable
ppp authentication chap pap callin
ppp multilink
!
interface Dialer4
no ip address
!
router rip
version 2
passive-interface Dialer1
network 192.168.10.0
no auto-summary
-
if you have a wic1enet card in the router, you definitely need an IP Plus IOS.
Only the Plus makes it possible to run pppoe via wic1enet.
romeo310
-
Morning,
I have been struggling for weeks to get my 1720 running as a VPN server so that I, as a road warrior, can establish an encrypted VPN connection with the Cisco VPN Client (software). Unfortunately without success. Does anyone here on the board have a usable config for this purpose ?
here is my config, restricted to the VPN part:
!
username User1 password 7 xxx
username User2 password 7 xxx
username User3 password 7 xxx
clock timezone MEZ 1
clock summer-time MEZ+1 recurring
aaa new-model
!
!
aaa authentication login clientauth local
aaa authentication login userlist local
aaa authorization network groupauthor local
aaa session-id common
!
ip dhcp pool standard-clients
network 192.168.10.0 255.255.255.0
dns 192.168.10.52 192.168.10.1 194.25.2.129
default-router 192.168.10.1
!
ip flow-cache feature-accelerate
!
crypto keyring spokes
pre-shared-key address 0.0.0.0 0.0.0.0 key *Passwort*
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key *Passwort* address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 30 10
crypto isakmp nat keepalive 30
!
crypto isakmp client configuration group clientgroup
key *Passwort*
dns 192.168.10.52 192.168.10.1 194.25.2.129
pool ippool
acl VPNROUTES-CLIENTS
crypto isakmp profile L2L
description LAN-2-LAN Configuration for Spokes Routers
keyring spokes
match identity address 0.0.0.0
crypto isakmp profile VPNclient
description VPN Clients Profile
match identity group clientgroup
client authentication list clientauth
isakmp authorization list groupauthor
client configuration address respond
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
no crypto ipsec nat-transparency udp-encaps
!
crypto dynamic-map dynmap 5
set transform-set myset
set isakmp-profile VPNclient
reverse-route
crypto dynamic-map dynmap 10
set transform-set myset
set isakmp-profile L2L
reverse-route
!
!
crypto map mymap 10 ipsec-isakmp dynamic dynmap
!
interface Ethernet0
ip route-cache flow
crypto map mymap
!
interface Dialer1
crypto map mymap
!
ip local pool ippool 192.168.10.250 192.168.10.254
!
ip access-list extended FIREWALL-INCOMING
permit udp any any eq isakmp
permit udp any any eq non500-isakmp
permit esp any any
deny ip any any log
!
!
ip access-list extended VPNROUTES-CLIENTS
permit ip any any
deny ip any any log
!
!
ntp clock-period 17042045
ntp access-group peer 10
ntp master 2
ntp server 131.188.3.223
ntp server 131.188.3.222
ntp server 131.188.3.221
ntp server 131.188.3.220
!
end
THX for answers. The solution would be really urgent !
romeo310
-
You are still missing an "ip inspect name ethernetin sip"; as already written in your other threads, it depends on the IOS. I am running 12.3(13a).
Without it, it does not work.
-
@ Rob_67: No, I have not contacted the TAC yet. But I have now also heard from several acquaintances that the 7905 does not run that well with SIP, at least with regard to 1und1
@ ShiningStar: Describe your problem again with your Sipgate plan. Maybe post the firewall config and the nat and acl's (from the router) and the conf of the Cisco phone.
Which IOS release do you have on your router ?
Cisco 1720 VPN, no VNC, no SSH etc...
in Cisco Forum — General