
Another try. VPN problem

Status
Not open for further replies.

pellepiet

Technical User
Jun 19, 2003
6
NL
On my previous posting I got one response from gconnect. Maybe you can help me with this config. Is there something wrong with this config, or is it completely wrong?

I have 2 locations with Cisco 826 + IP feature pack. Because this is my first VPN using Ciscos, I tried to set up a VPN using parts of the many examples.
The VPN is up and running, but the performance is bad, and at first I could print from a Windows 2000 server on one site to a printer (connected to an HP JetDirect) on the other site.


Config location with Windows 2000 server

Current configuration : 4341 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname admin
!
logging buffered 4096 informational
enable secret 5 xxxxxx
!
username Johnt privilege 15 password 7 xxxxxxxxx
username admin password 7 xxxxxxxxx
ip subnet-zero
no ip source-route
ip host Kampen 99.99.99.99
ip name-server 194.134.5.5
ip name-server 194.134.0.97
ip dhcp excluded-address 192.168.0.38
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name firewall ftp
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 60
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 4
authentication pre-share
crypto isakmp key xxxxxxxxxx123 address 99.99.99.99
!
!
crypto ipsec transform-set encrypt-des esp-des
!
crypto map combined local-address Dialer1
crypto map combined 20 ipsec-isakmp
set peer 99.99.99.99
set transform-set encrypt-des
match address 105
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.0.254-255.255.255.0
ip address 192.168.0.254 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname yyyyyyy@euronet.nl-512
ppp chap password 7 yyyyyyyyyy
ppp pap sent-username yyyyyyyy@euronet.nl-512 password 7 yyyyyyyyyyyyyyy
crypto map combined
hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.0.38 3389 interface Dialer1 3389
ip nat inside source route-map nonat interface Dialer1 overload
ip nat inside source static tcp 192.168.0.38 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip pim bidir-enable
!
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.39.0 0.0.0.255
access-list 111 permit tcp any any eq 3389
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit ip 192.168.39.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.39.0 0.0.0.255
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
access-list 200 permit 0x1323 0x0000
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 150
!
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end

Config location with workstation and printer

Current configuration : 4152 bytes
!
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname NSK
!
no logging buffered
enable secret 5 xxxxxxxx
!
username NSK password 7 xxxxxxxxxxx
ip subnet-zero
no ip source-route
ip host Assen 88.88.88.88
ip name-server 192.168.0.38
ip dhcp excluded-address 192.168.39.1
ip dhcp excluded-address 192.168.39.1 192.168.39.128
ip dhcp excluded-address 192.168.39.128
!
ip dhcp pool CLIENT
import all
network 192.168.39.0 255.255.255.0
default-router 192.168.39.1
dns-server 192.168.0.38
domain-name domeinnaam.com
lease 0 2
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name firewall ftp
ip inspect name firewall tcp timeout 3600
ip inspect name firewall udp timeout 60
ip ssh time-out 120
ip ssh authentication-retries 3
!
crypto isakmp policy 4
authentication pre-share
crypto isakmp key xxxxxxxxxx123 address 88.88.88.88
!
!
crypto ipsec transform-set encrypt-des esp-des
crypto ipsec df-bit clear
!
crypto map combined local-address Dialer1
crypto map combined 7 ipsec-isakmp
set peer 88.88.88.88
set transform-set encrypt-des
match address 105
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.39.1-255.255.255.0
ip address 192.168.39.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip nat inside
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 8/48
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer0
no ip address
no cdp enable
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip nat outside
ip inspect myfw out
encapsulation ppp
no ip route-cache
no ip mroute-cache
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap pap callin
ppp chap hostname xxxxxxxx@euronet.nl-basic
ppp chap password 7 xxxxxxxxxx
ppp pap sent-username xxxxxxx@euronet.nl-basic password 7 xxxxxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map combined
hold-queue 224 in
!
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip pim bidir-enable
!
!
access-list 23 permit 192.168.39.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 105 permit ip 192.168.39.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 150 deny ip 192.168.39.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
route-map nonat permit 10
match ip address 150
!
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end
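The two configs above are a site-to-site IPsec pair, and the checks a reviewer would run on such a pair are mechanical: the crypto ACLs must be mirror images, the NAT-exemption route-map ACL must deny exactly the traffic the crypto ACL protects, both ends must use the same transform set, each crypto-map peer needs an ISAKMP key, every referenced access-list must exist, and global IPsec settings should not differ between peers. The following Python script is an added example, not code from the original post or from Cisco. It embeds constructed, abbreviated excerpts of the two configs (only the lines the checks inspect; peer addresses, ACL numbers and names are those shown on the page), parses them with a deliberately small, indentation-independent state machine rather than a full IOS parser, and reports inconsistencies. On these excerpts it flags two things that are also visible in the full dumps: `ip nat inside source list 102` on both routers references an access-list 102 that neither config defines, and `crypto ipsec df-bit clear` is set on the NSK side only.

```python
# Constructed, abbreviated excerpts of the two configs posted above: only the
# lines the checks look at, with the page's masked peer addresses kept as-is.
SITE_A = """\
crypto isakmp key xxxxxxxxxx123 address 99.99.99.99
crypto ipsec transform-set encrypt-des esp-des
crypto map combined 20 ipsec-isakmp
set peer 99.99.99.99
set transform-set encrypt-des
match address 105
ip nat inside source list 102 interface Dialer1 overload
access-list 105 permit ip 192.168.0.0 0.0.0.255 192.168.39.0 0.0.0.255
access-list 150 deny ip 192.168.0.0 0.0.0.255 192.168.39.0 0.0.0.255
route-map nonat permit 10
match ip address 150
"""
SITE_B = """\
crypto isakmp key xxxxxxxxxx123 address 88.88.88.88
crypto ipsec transform-set encrypt-des esp-des
crypto ipsec df-bit clear
crypto map combined 7 ipsec-isakmp
set peer 88.88.88.88
set transform-set encrypt-des
match address 105
ip nat inside source list 102 interface Dialer1 overload
access-list 105 permit ip 192.168.39.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 150 deny ip 192.168.39.0 0.0.0.255 192.168.0.0 0.0.0.255
route-map nonat permit 10
match ip address 150
"""

def parse_ios(text):
    """Minimal, indentation-independent parser for the IOS pieces the checks need."""
    cfg = {"acls": {}, "cmaps": {}, "rmaps": {}, "tsets": {},
           "isakmp_peers": set(), "refs": [], "globals": set()}
    ctx = None  # crypto-map entry or route-map that 'set'/'match' lines attach to
    for raw in text.splitlines():
        w = raw.strip().split()
        if not w or w[0] == "!":
            continue
        if w[0] == "access-list":
            cfg["acls"].setdefault(w[1], []).append(w[2:])  # ['permit','ip',src,wc,dst,wc]
        elif w[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["tsets"][w[3]] = tuple(w[4:])
        elif w[:2] == ["crypto", "ipsec"]:            # e.g. 'crypto ipsec df-bit clear'
            cfg["globals"].add(" ".join(w))
        elif w[:3] == ["crypto", "isakmp", "key"]:    # 'crypto isakmp key K address IP'
            cfg["isakmp_peers"].add(w[5])
        elif w[:2] == ["crypto", "map"] and len(w) > 4 and w[3].isdigit():
            ctx = cfg["cmaps"].setdefault((w[2], w[3]), {})
        elif w[0] == "route-map":
            ctx = cfg["rmaps"].setdefault(w[1], {})
        elif w[:5] == ["ip", "nat", "inside", "source", "list"]:
            cfg["refs"].append(("ip nat inside source list", w[5]))
        elif ctx is not None and w[0] == "set":
            ctx[w[1]] = w[2]
        elif ctx is not None and w[0] == "match":     # 'match address N' / 'match ip address N'
            ctx["acl"] = w[-1]
            cfg["refs"].append((" ".join(w), w[-1]))
    return cfg

def mirror(entry):
    """Swap source and destination of a 'permit ip SRC WC DST WC' entry."""
    return entry[:2] + entry[4:6] + entry[2:4]

def vpn_entry(cfg):
    """First crypto map entry that has a crypto ACL, plus that ACL's permit lines."""
    for entry in cfg["cmaps"].values():
        if "acl" in entry:
            return entry, [e for e in cfg["acls"].get(entry["acl"], []) if e[0] == "permit"]
    return {}, []

def check_pair(cfg_a, cfg_b):
    """Cross-check two IPsec peers; returns human-readable findings (empty = consistent)."""
    findings = []
    sides = [("A", cfg_a) + vpn_entry(cfg_a), ("B", cfg_b) + vpn_entry(cfg_b)]
    (_, _, map_a, acl_a), (_, _, map_b, acl_b) = sides
    for e in acl_a:                                   # both ends must protect the same flows
        if mirror(e) not in acl_b:
            findings.append("crypto ACL entry not mirrored on peer: " + " ".join(e))
    if cfg_a["tsets"].get(map_a.get("transform-set")) != cfg_b["tsets"].get(map_b.get("transform-set")):
        findings.append("transform sets differ between peers")
    for name, cfg, cmap, acl in sides:
        if cmap.get("peer") not in cfg["isakmp_peers"]:
            findings.append(f"site {name}: no isakmp key for peer {cmap.get('peer')}")
        for rmap in cfg["rmaps"].values():            # VPN flows must be denied in the NAT ACL
            denies = [d for d in cfg["acls"].get(rmap.get("acl"), []) if d[0] == "deny"]
            for e in acl:
                if ["deny"] + e[1:] not in denies:
                    findings.append(f"site {name}: {' '.join(e)} is not exempted from NAT")
        for where, acl_id in cfg["refs"]:
            if acl_id not in cfg["acls"]:
                findings.append(f"site {name}: undefined access-list {acl_id} referenced by '{where}'")
    for line in sorted(cfg_a["globals"] ^ cfg_b["globals"]):
        findings.append("ipsec setting on one side only: " + line)
    return findings

if __name__ == "__main__":
    for finding in check_pair(parse_ios(SITE_A), parse_ios(SITE_B)):
        print(finding)
```

Run as-is it prints three findings: the undefined access-list 102 on each side and the one-sided `df-bit clear`. The crypto ACL, NAT exemption, transform set and ISAKMP key checks pass for this pair, which is consistent with the tunnel coming up; the script says nothing about throughput, so a performance problem has to be chased separately (fragmentation and MTU over the PPP dialer are the usual first suspects when an IPsec tunnel is up but slow). Paste a full `show running-config` into `SITE_A`/`SITE_B` to run the same checks on a real pair; leading whitespace is ignored, so CRWS output and hand-edited configs parse the same way.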
