All content created by mels

  1. Part 2:
     logging trap debugging
     access-list 1 remark INSIDE_IF=Vlan1
     access-list 1 remark SDM_ACL Category=2
     access-list 1 permit 192.168.16.0 0.0.0.255
     access-list 100 remark auto generated by Cisco SDM Express firewall configuration
     access-list 100 remark SDM_ACL Category=1
     access-list 100 deny ip 83.65.127.40 0.0.0.7 any
     access-list 100 deny ip host 255.255.255.255 any
     access-list 100 deny ip 127.0.0.0 0.255.255.255 any
     access-list 100 permit ip any any
     access-list 101 remark auto generated by Cisco SDM Express firewall configuration
     access-list 101 remark SDM_ACL Category=1
     access-list 101 permit udp host 195.58.161.122 eq domain host 83.65.127.42
     access-list 101 permit udp host 195.58.160.194 eq domain host 83.65.127.42
     access-list 101 deny ip 192.168.16.0 0.0.0.255 any
     access-list 101 permit icmp any host 83.65.127.42 echo-reply
     access-list 101 permit icmp any host 83.65.127.42 time-exceeded
     access-list 101 permit icmp any host 83.65.127.42 unreachable
     access-list 101 deny ip 10.0.0.0 0.255.255.255 any
     access-list 101 deny ip 172.16.0.0 0.15.255.255 any
     access-list 101 deny ip 192.168.0.0 0.0.255.255 any
     access-list 101 deny ip 127.0.0.0 0.255.255.255 any
     access-list 101 deny ip host 255.255.255.255 any
     access-list 101 deny ip host 0.0.0.0 any
     access-list 101 deny ip any any
     no cdp run
     radius-server attribute 32 include-in-access-req format %h
     radius-server vsa send accounting
     control-plane
     !
     line con 0
      no modem enable
      transport preferred all
      transport output telnet
     line aux 0
      transport preferred all
      transport output telnet
     line vty 0 4
      privilege level 15
      transport preferred all
      transport input telnet ssh
      transport output all
     !
     scheduler max-task-time 5000
     scheduler allocate 4000 1000
     scheduler interval 500
     end
  2. Hello @Wordo! Thanks for your reply! OK, then I'll post my config! Many thanks in advance!
     Part 1:
     no service pad
     service tcp-keepalives-in
     service tcp-keepalives-out
     service timestamps debug datetime msec localtime show-timezone
     service timestamps log datetime msec localtime show-timezone
     service password-encryption
     service sequence-numbers
     !
     hostname fm
     !
     boot-start-marker
     boot-end-marker
     !
     logging buffered 51200 debugging
     logging console critical
     aaa new-model
     aaa group server radius rad_eap
     !
     aaa group server radius rad_mac
     !
     aaa group server radius rad_acct
     !
     aaa group server radius rad_admin
     !
     aaa group server tacacs+ tac_admin
     !
     aaa group server radius rad_pmip
     !
     aaa group server radius dummy
     !
     aaa authentication login eap_methods group rad_eap
     aaa authentication login mac_methods local
     aaa authorization ipmobile default group rad_pmip
     aaa accounting network acct_methods start-stop group rad_acct
     aaa session-id common
     ip subnet-zero
     no ip source-route
     !
     ip cef
     ip inspect name DEFAULT100 cuseeme
     ip inspect name DEFAULT100 ftp
     ip inspect name DEFAULT100 h323
     ip inspect name DEFAULT100 icmp
     ip inspect name DEFAULT100 rcmd
     ip inspect name DEFAULT100 realaudio
     ip inspect name DEFAULT100 rtsp
     ip inspect name DEFAULT100 esmtp
     ip inspect name DEFAULT100 sqlnet
     ip inspect name DEFAULT100 streamworks
     ip inspect name DEFAULT100 tftp
     ip inspect name DEFAULT100 tcp
     ip inspect name DEFAULT100 udp
     ip inspect name DEFAULT100 vdolive
     ip tcp synwait-time 10
     no ip bootp server
     ip domain name wxxx
     ip name-server 195.58.160.194
     ip name-server 195.58.161.122
     ip ssh time-out 60
     ip ssh authentication-retries 2
     no ftp-server write-enable
     !
     interface FastEthernet0
      no ip address
      no cdp enable
     !
     interface FastEthernet1
      no ip address
      no cdp enable
     !
     interface FastEthernet2
      no ip address
      no cdp enable
     !
     interface FastEthernet3
      no ip address
      no cdp enable
     !
     interface FastEthernet4
      description $FW_OUTSIDE$$ES_WAN$
      ip address 83.65.127.42 255.255.255.248
      ip access-group 101 in
      ip verify unicast reverse-path
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip inspect DEFAULT100 out
      ip nat outside
      ip virtual-reassembly
      ip route-cache flow
      duplex auto
      speed auto
      no cdp enable
     !
     interface Dot11Radio0
      no ip address
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip route-cache flow
      shutdown
      !
      ssid WLanWxxx
         authentication open
      !
      speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0
      no cdp enable
      bridge-group 1
      bridge-group 1 subscriber-loop-control
      bridge-group 1 spanning-disabled
      bridge-group 1 block-unknown-source
      no bridge-group 1 source-learning
      no bridge-group 1 unicast-flooding
     !
     interface Vlan1
      description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
      ip address 192.168.16.254 255.255.255.0
      ip access-group 100 in
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat inside
      ip virtual-reassembly
      ip route-cache flow
      ip tcp adjust-mss 1452
     !
     ip classless
     ip route 0.0.0.0 0.0.0.0 83.65.127.41
     !
     ip http server
     ip http authentication local
     ip http secure-server
     ip http timeout-policy idle 600 life 86400 requests 10000
     ip nat inside source list 1 interface FastEthernet4 overload
  3. Hello @Hr_Rossi! Thanks for your reply! OK, I'll be more precise then! ;-)
     Cisco 851, version 12.3
     IP address / default gateway: 83.65.127.41
     interface Vlan1
      ip address 192.168.16.254 255.255.255.0
     interface FastEthernet4
      ip address 83.65.127.42 255.255.255.248
     XDSL internet access with a fixed IP address. The default gateway is the provider's router. So the Cisco 851 is supposed to forward everything that goes to the internet to this router, but I cannot find anywhere to set this default gateway. I have already tried
     ip classless
     ip route 0.0.0.0 0.0.0.0 83.65.127.41
     but unfortunately that does not work either. So now I was looking for a configuration I can compare against to see where my mistake is. Do you perhaps have something for me? I hope my information is sufficient! Many thanks in advance! Regards, mels
  4. Hello everyone! I am looking for example configurations for the Cisco 851, so I can see what a standard configuration should look like. Is there such a thing? Regards, Mels
  5. Part 3
     ip access-list extended WAN_in
      remark Verbindung vom Internet
      remark SDM_ACL Category=1
      permit udp any host xx.xx.xx.xx eq non500-isakmp
      permit udp any host xx.xx.xx.xx eq isakmp
      permit esp any host xx.xx.xx.xx
      permit ahp any host xx.xx.xx.xx
      permit udp host xx.xx.xx.xx eq domain 192.168.40.0 0.0.0.255
      permit udp host xx.xx.xx.xx eq domain 192.168.40.0 0.0.0.255
      permit udp host xx.xx.xx.xx eq domain 192.168.40.0 0.0.0.255
      permit udp host xx.xx.xx.xx eq ntp host xx.xx.xx.xx eq ntp
      permit udp host xx.xx.xx.xx eq ntp host xx.xx.xx.xx eq ntp
      permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
      permit esp host xx.xx.xx.xx host xx.xx.xx.xx
      permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
      permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
      permit ahp host xx.xx.xx.xx host xx.xx.xx.xx
      permit esp host xx.xx.xx.xx host xx.xx.xx.xx
      permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq isakmp
      permit udp host xx.xx.xx.xx host xx.xx.xx.xx eq non500-isakmp
      permit icmp any host xx.xx.xx.xx echo-reply
      permit icmp any host xx.xx.xx.xx time-exceeded
      permit icmp any host xx.xx.xx.xx unreachable
      permit tcp any host xx.xx.xx.xx eq smtp
      permit ip 192.168.1.0 0.0.0.255 192.168.40.0 0.0.0.255
      permit ip 192.168.41.0 0.0.0.255 192.168.40.0 0.0.0.255
      permit ip 192.168.42.0 0.0.0.255 192.168.40.0 0.0.0.255
      permit ip host xx.xx.xx.xx any
      deny ip 192.168.40.0 0.0.0.255 any
      deny ip 10.0.0.0 0.255.255.255 any
      deny ip 172.16.0.0 0.15.255.255 any
      deny ip 192.168.0.0 0.0.255.255 any
      deny ip 127.0.0.0 0.255.255.255 any
      deny ip host 255.255.255.255 any
      deny ip host 0.0.0.0 any
      deny ip any any log
     access-list 1 permit xx.xx.xx.xx
     access-list 1 remark HTTP Access-class list
     access-list 1 remark SDM_ACL Category=1
     access-list 1 permit 192.168.40.0 0.0.0.255
     access-list 1 deny any
     no cdp run
     route-map NAT-RMAP permit 10
      match ip address NO-NAT1
     !
     control-plane
     !
     banner login ^CCCAuthorized access only! Disconnect IMMEDIATELY if you are not an authorized user!^C
     !
     line con 0
      no modem enable
      transport preferred all
      transport output telnet
     line aux 0
      transport preferred all
      transport output telnet
     line vty 0 4
      access-class CFG_vty in
      privilege level 15
      transport preferred all
      transport input telnet ssh
      transport output all
     !
     scheduler max-task-time 5000
     scheduler interval 500
     sntp server 192.5.41.41
     sntp server 192.5.41.209
     end
  6. Part 2
     interface Null0
      no ip unreachables
     !
     interface Ethernet0
      description
      ip address 192.168.40.3 255.255.255.0
      ip access-group LAN_in in
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat inside
      ip virtual-reassembly
      ip route-cache flow
      no cdp enable
     !
     interface Ethernet1
      description
      ip address xx.xxx.xxx.xx 255.255.255.240
      ip access-group WAN_in in
      ip verify unicast reverse-path
      no ip redirects
      no ip unreachables
      no ip proxy-arp
      ip nat outside
      ip inspect MyFW out
      ip virtual-reassembly
      no ip route-cache cef
      no ip route-cache
      no ip mroute-cache
      duplex auto
      no cdp enable
      crypto map SDM_CMAP_1
     !
     interface FastEthernet1
      no ip address
      duplex auto
      speed auto
     !
     interface FastEthernet2
      no ip address
      duplex auto
      speed auto
     !
     interface FastEthernet3
      no ip address
      duplex auto
      speed auto
     !
     interface FastEthernet4
      no ip address
      duplex auto
      speed auto
     !
     ip local pool SDM_POOL_1 192.168.41.1
     ip local pool SDM_POOL_2 192.168.41.2 192.168.41.254
     ip classless
     ip route 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx
     ip http server
     ip http access-class 1
     ip http authentication local
     ip http secure-server
     !
     ip nat inside source route-map NAT-RMAP interface Ethernet1 overload
     ip nat inside source static tcp 192.168.40.2 25 interface Ethernet1 25
     !
     ip access-list extended CFG_vty
      remark SDM_ACL Category=1
      permit ip host xx.xxx.xxx.xx any
      permit ip 192.168.40.0 0.0.0.255 any
     ip access-list extended LAN_in
      remark Verbindung LAN Stadt
      remark SDM_ACL Category=1
      deny ip xxx.xxx.xxx.xx 0.0.0.3 any
      deny ip host 255.255.255.255 any
      deny ip 127.0.0.0 0.255.255.255 any
      permit tcp host 192.168.40.2 any
      permit udp host 192.168.40.2 any eq domain
      permit udp host 192.168.40.2 any eq ntp
      permit tcp host 192.168.40.4 any
      permit udp host 192.168.40.4 any eq domain
      permit udp host 192.168.40.4 any eq ntp
      permit tcp host 192.168.40.5 any
      permit udp host 192.168.40.5 any eq domain
      permit udp host 192.168.40.5 any eq ntp
      permit tcp host 192.168.40.108 any
      permit udp host 192.168.40.108 any eq domain
      permit udp host 192.168.40.108 any eq ntp
      permit ip 192.168.40.0 0.0.0.255 host xxx.xxx.xx.xx.xx
      permit ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255
      permit ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255
      permit ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
      permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.3 eq telnet
      permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.3 eq 22
      permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.3 eq www
      permit tcp 192.168.40.0 0.0.0.255 host 192.168.40.3 eq 443
      deny ip any any log
     ip access-list extended NO-NAT1
      remark SDM_ACL Category=2
      deny ip 192.168.40.0 0.0.0.255 xx.xx.xxx.xx 0.0.0.3
      deny ip 192.168.40.0 0.0.0.255 host xx.xxx.xx.xx.xx
      deny ip 192.168.40.0 0.0.0.255 host xx.xx.xx.xx.xx
      deny ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255
      deny ip 192.168.40.0 0.0.0.255 192.168.41.0 0.0.0.255
      deny ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
      permit ip 192.168.40.0 0.0.0.255 any
     ip access-list extended VPN-B
      remark VPN b
      remark SDM_ACL Category=4
      permit ip 192.168.40.0 0.0.0.255 host xx.xx.xx.xx.x
     ip access-list extended VPN-L
      remark SDM_ACL Category=4
      permit ip 192.168.40.0 0.0.0.255 192.168.42.0 0.0.0.255
     ip access-list extended VPN-M
      remark VPN M
      remark SDM_ACL Category=4
      permit ip 192.168.40.0 0.0.0.255 host xx.xx.xx.xx
     ip access-list extended VPN-V
      remark VPN zu V
      remark SDM_ACL Category=4
      permit ip 192.168.40.0 0.0.0.255 192.168.1.0 0.0.0.255
  7. Hello Wordo! Thanks for your help! Attached is the config, part 1!
     !This is the running config of the router: 192.168.40.3
     !----------------------------------------------------------------------------
     !version 12.3
     no service pad
     service tcp-keepalives-in
     service tcp-keepalives-out
     service timestamps debug datetime msec localtime show-timezone
     service timestamps log datetime msec localtime show-timezone
     service password-encryption
     service sequence-numbers
     !
     hostname fw
     !
     boot-start-marker
     boot-end-marker
     !
     security authentication failure rate 3 log
     security passwords min-length 6
     logging buffered 51200 warnings
     !
     clock timezone UTC1 1
     clock summer-time UTC1sum recurring last Sun Mar 2:00 last Sun Oct 3:00
     aaa new-model
     !
     aaa authentication login default local
     aaa authentication login sdm_vpn_xauth_ml_1 local
     aaa authorization exec default local
     aaa authorization network sdm_vpn_group_ml_1 local
     aaa session-id common
     ip subnet-zero
     no ip source-route
     !
     ip cef
     ip domain name domain.com
     ip name-server xxx.xx.xxx.xx
     ip name-server xxx.xx.xx.xx
     no ip bootp server
     ip inspect name MyFW cuseeme
     ip inspect name MyFW ftp
     ip inspect name MyFW h323
     ip inspect name MyFW netshow
     ip inspect name MyFW rcmd
     ip inspect name MyFW realaudio
     ip inspect name MyFW rtsp
     ip inspect name MyFW smtp
     ip inspect name MyFW sqlnet
     ip inspect name MyFW streamworks
     ip inspect name MyFW tftp
     ip inspect name MyFW tcp
     ip inspect name MyFW udp
     ip inspect name MyFW vdolive
     ip inspect name MyFW icmp
     ip ips po max-events 100
     no ftp-server write-enable
     !
     crypto isakmp policy 3
      encr 3des
      hash md5
      authentication pre-share
      group 2
      lifetime 7800
     !
     crypto isakmp policy 5
      encr 3des
      authentication pre-share
      group 2
     !
     crypto isakmp client configuration group vpn-grp1
      key $vpn
      dns xx.xxx.xxx.xx
      domain win.domain.com
      pool SDM_POOL_1
     !
     crypto ipsec transform-set c-3des-md5 esp-3des esp-md5-hmac
     crypto ipsec transform-set c-3des-sha esp-3des esp-sha-hmac
     !
     crypto dynamic-map SDM_DYNMAP_1 1
      set transform-set c-3des-sha
      match address VPN-Land
     crypto dynamic-map SDM_DYNMAP_1 2
      set transform-set c-3des-sha
      reverse-route
     !
     crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
     crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
     crypto map SDM_CMAP_1 client configuration address respond
     crypto map SDM_CMAP_1 2 ipsec-isakmp
      description VPN-b
      set peer xx.xx.xx.xx
      set transform-set c-3des-sha
      match address VPN-B
     crypto map SDM_CMAP_1 3 ipsec-isakmp
      description Tunnel to V mit
      set peer xx.xx.xxx.xx
      set transform-set c-3des-md5
      set pfs group2
      match address VPN-V
     crypto map SDM_CMAP_1 5 ipsec-isakmp
      description VPN-M
      set peer xx.xxx.xx.xx.xx
      set transform-set c-3des-sha
      match address VPN-M
     crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
     !
  8. Hello everyone! I have a Cisco C831 router, IOS version 12.3(11)T3, and have set up a VPN connection. When I now try to connect with the Cisco VPN Client, I get no reaction at all on the router, and the client log shows the following error message:
     176 08:13:12.296 07/13/06 Sev=Info/4 CM/0x63100014
     Unable to establish Phase 1 SA with server "85.xxx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"
     What can I do or try? Grateful for any tip. Regards, mels
     Below is the whole log:
     Cisco Systems VPN Client Version 4.7.00.0533
     Copyright © 1998-2005 Cisco Systems, Inc. All Rights Reserved.
     Client Type(s): Windows, WinNT
     Running on: 5.1.2600 Service Pack 2
     171 08:12:51.531 07/13/06 Sev=Info/4 CM/0x63100002
     Begin connection process
     172 08:12:51.546 07/13/06 Sev=Info/4 CM/0x63100004
     Establish secure connection using Ethernet
     173 08:12:51.546 07/13/06 Sev=Info/4 CM/0x63100024
     Attempt connection with server "80.120.35.26"
     174 08:12:51.796 07/13/06 Sev=Info/4 IPSEC/0x63700008
     IPSec driver successfully started
     175 08:12:51.796 07/13/06 Sev=Info/4 IPSEC/0x63700014
     Deleted all keys
     176 08:13:12.296 07/13/06 Sev=Info/4 CM/0x63100014
     Unable to establish Phase 1 SA with server "85.xxx.xx.xx" because of "DEL_REASON_PEER_NOT_RESPONDING"
     177 08:13:12.296 07/13/06 Sev=Info/5 CM/0x63100025
     Initializing CVPNDrv
     178 08:13:12.328 07/13/06 Sev=Info/4 IPSEC/0x63700014
     Deleted all keys
     179 08:13:12.328 07/13/06 Sev=Info/4 IPSEC/0x63700014
     Deleted all keys
     180 08:13:12.328 07/13/06 Sev=Info/4 IPSEC/0x63700014
     Deleted all keys
     181 08:13:12.328 07/13/06 Sev=Info/4 IPSEC/0x6370000A
     IPSec driver successfully stopped
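Added example (Python), not part of any post in this thread: a small evaluator for the kind of Cisco IOS extended ACLs posted above, applied to a packet the way the router does, first match wins and an implicit deny at the end. It covers both syntaxes that appear in the thread, the numbered ACL 101 from the Cisco 851 config (copied verbatim from post 1) and the named `WAN_in` list from the C831 (post 5); because that post masks its public address, the `WAN_in` stand-in below is constructed with the placeholder 198.51.100.10 (TEST-NET-2). For a "peer not responding" during IKE Phase 1 as in post 8, the first check on the router side is whether the inbound WAN list even permits UDP/500, UDP/4500 and ESP toward its own WAN address; the evaluator makes that check mechanical, and also shows that the 851's ACL 101 would drop such traffic.

```python
"""Evaluate Cisco IOS extended ACLs (numbered or named form) against a packet.

Example added to the thread, not the poster's or Cisco's code. ACL_101 is the
851 list as posted; WAN_IN_CONSTRUCTED imitates the C831 WAN_in list with the
masked public address replaced by the placeholder 198.51.100.10 (constructed).
"""
import ipaddress

# Port keywords used in the thread's ACLs (IOS has many more; these suffice here).
PORT_NAMES = {"domain": 53, "ntp": 123, "smtp": 25, "www": 80, "telnet": 23,
              "isakmp": 500, "non500-isakmp": 4500}

ACL_101 = """
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp host 195.58.161.122 eq domain host 83.65.127.42
access-list 101 permit udp host 195.58.160.194 eq domain host 83.65.127.42
access-list 101 deny ip 192.168.16.0 0.0.0.255 any
access-list 101 permit icmp any host 83.65.127.42 echo-reply
access-list 101 permit icmp any host 83.65.127.42 time-exceeded
access-list 101 permit icmp any host 83.65.127.42 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
"""

WAN_IN_CONSTRUCTED = """
ip access-list extended WAN_in
 remark constructed stand-in for the posted WAN_in; 198.51.100.10 is a placeholder
 permit udp any host 198.51.100.10 eq non500-isakmp
 permit udp any host 198.51.100.10 eq isakmp
 permit esp any host 198.51.100.10
 permit ahp any host 198.51.100.10
 permit tcp any host 198.51.100.10 eq smtp
 deny ip 10.0.0.0 0.255.255.255 any
 deny ip any any log
"""


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD'. IOS wildcard bits set to 1 are don't-care,
    so the wildcard is inverted into a netmask before building the network."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    netmask = (~int(ipaddress.IPv4Address(tokens[1]))) & 0xFFFFFFFF
    net = ipaddress.ip_network((tokens[0], str(ipaddress.IPv4Address(netmask))), strict=False)
    return net, tokens[2:]


def _port(tokens):
    """Consume an optional 'eq <name|number>' (the only port operator the thread uses)."""
    if tokens and tokens[0] == "eq":
        name = tokens[1]
        return (PORT_NAMES[name] if name in PORT_NAMES else int(name)), tokens[2:]
    return None, tokens


def parse_acl(text):
    """Return the access control entries in order; remarks and list headers are skipped."""
    entries = []
    for raw in text.splitlines():
        tokens = raw.split()
        if tokens[:1] == ["access-list"]:       # numbered form: drop 'access-list <n>'
            tokens = tokens[2:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue                            # blank, remark, or 'ip access-list extended'
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        icmp_type = rest[0] if proto == "icmp" and rest and rest[0] != "log" else None
        entries.append({"action": action, "proto": proto, "src": src, "sport": sport,
                        "dst": dst, "dport": dport, "icmp_type": icmp_type,
                        "text": " ".join(tokens)})
    return entries


def evaluate(entries, proto, src, dst, sport=None, dport=None, icmp_type=None):
    """First-match evaluation; returns (action, matching entry) or the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e["proto"] != "ip" and e["proto"] != proto:
            continue
        if s not in e["src"] or d not in e["dst"]:
            continue
        if e["sport"] is not None and e["sport"] != sport:
            continue
        if e["dport"] is not None and e["dport"] != dport:
            continue
        if e["icmp_type"] is not None and e["icmp_type"] != icmp_type:
            continue
        return e["action"], e["text"]
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Would an IKE initiator on the internet (constructed source) reach each router?
    print(evaluate(parse_acl(ACL_101), "udp", "203.0.113.7", "83.65.127.42", 500, 500))
    print(evaluate(parse_acl(WAN_IN_CONSTRUCTED), "udp", "203.0.113.7", "198.51.100.10", 500, 500))
```

The same evaluator can be pointed at the `LAN_in` list from post 6 to confirm which inside hosts may reach the router's management ports, since that list uses only the `host`, wildcard and `eq` forms handled here.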