Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Cisco 2800 - redundant internet and Easy VPN

Status
Not open for further replies.

bregan

MIS
May 25, 2007
2
US
I'm having some difficulty getting the 2nd default route to take over when S0/1/0:0 goes down. Also, when connecting to Easy VPN, I cannot ping anything on the local network. I know its something simple I am just overlooking. I've added some stuff that may seem strange to just try some things, so I don't think any of the access-lists are *causing* a problem, but who knows... i need a fresh set of eyes..


Current configuration : 7107 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Samarion
!
boot-start-marker
boot-end-marker
!
no logging buffered
logging console critical
enable secret 5 $1$mP2G$7Uhdwb.dBF4MQ.Wq5zjRS0
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authentication login sdm_vpn_xauth_ml_2 group radius local
aaa authentication login sdm_vpn_xauth_ml_3 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
aaa authorization network sdm_vpn_group_ml_2 group radius local
aaa authorization network sdm_vpn_group_ml_3 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -6
clock summer-time PCTime date Apr 6 2003 2:00 Oct 26 2003 2:00
no network-clock-participate wic 1
ip subnet-zero
no ip source-route
ip tcp synwait-time 10
!
!
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.10.1 10.0.10.99
ip dhcp excluded-address 10.0.10.221 10.0.10.254
!
ip dhcp pool sdm-pool1
import all
network 10.0.10.0 255.255.255.0
default-router 10.0.10.1
dns-server 10.0.10.15 24.93.41.126
!
!
no ip bootp server
no ip domain lookup
ip domain name XX.com
ip name-server 24.93.41.125
ip name-server 24.93.41.126
ip name-server 207.189.0.2
!
!
!
crypto pki trustpoint TP-self-signed-3432777059
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3432777059
revocation-check none
rsakeypair TP-self-signed-3432777059
!
crypto pki trustpoint tti
revocation-check crl
rsakeypair tti
!
!
crypto pki certificate chain TP-self-signed-3432777059
certificate self-signed 01
3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33343332 37373730 3539301E 170D3036 31303233 31363039
32355A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 34333237
37373035 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100CEFB 10AB6A85 B50E8A44 0060AD30 8380EAC6 C883A8A8 6B3E4F0D BC2DD465
C5C3550D F443E9D5 AC675967 DE316BDD EAA9BE93 B0E995E2 846519BE D424A2AA
66008756 0C9FC171 429836A4 6E659687 54BCAF68 4527D463 5271ABA0 D58A9731
73F5853C DEE54F85 5E4FD0D6 FBAB2952 8A2C6715 99FB9191 F0495F32 B6858244
825B0203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
551D1104 19301782 1553616D 6172696F 6E2E7361 6D617269 6F6E2E63 6F6D301F
0603551D 23041830 16801489 8476DCB9 9E7AF97D 70511C1E B08ECB71 71E14030
1D060355 1D0E0416 04148984 76DCB99E 7AF97D70 511C1EB0 8ECB7171 E140300D
06092A86 4886F70D 01010405 00038181 00B45A45 021CCEC7 968B2CB5 2781B055
868D7297 82185C3C B8D42018 56B3EFF7 54387379 F4C6DB89 4E7B0BC5 014DA7FB
991785C9 6583F8B5 5CD8CF02 D9AC6E19 776161B8 E824C344 62A07EF4 1768C866
9762E049 31182D16 89DC084C AB7AAEE0 BD849077 8D842849 AAAB1BE3 278D5F99
9158AAC4 729EC1B8 FDBB0C8A 784AD689 C9
quit
crypto pki certificate chain tti
username admin privilege 15 secret 5 XX
username Remote_user secret 5 XX
!
!
controller T1 0/1/0
framing esf
linecode b8zs
channel-group 0 timeslots 1-24
description t-1 from att
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local SDM_VPN
crypto isakmp xauth timeout 60

!
crypto isakmp client configuration group Samarion_remote
key V#1R3m0te
dns 10.0.10.15
pool SDM_VPN
acl 102
include-local-lan
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_3
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_3
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
interface FastEthernet0/0
description $ETH-SW-LAUNCH$$INTF-INFO-FE 0/0$$ES_LAN$$FW_INSIDE$$ETH-LAN$
ip address 10.0.10.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface FastEthernet0/1
description $ETH-WAN$
ip address X.X.23.214 255.255.255.252
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
no mop enabled
!
interface Serial0/1/0:0
ip address X.X.175.102 255.255.255.252
ip nat outside
ip virtual-reassembly
crypto map SDM_CMAP_1
!
ip local pool SDM_POOL_1 10.0.10.100 10.0.10.220
ip local pool SDM_VPN 10.0.10.221 10.0.10.254
ip classless
ip route 0.0.0.0 0.0.0.0 X.X.175.101
ip route 0.0.0.0 0.0.0.0 FastEthernet0/1 150
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map ISP1 interface Serial0/1/0:0 overload
ip nat inside source route-map ISP2 interface FastEthernet0/1 overload
!
logging trap debugging
access-list 100 permit ip any 10.0.10.0 0.0.0.255
access-list 100 permit ip any 10.0.11.0 0.0.0.255
access-list 100 deny ip host 255.255.255.255 any
access-list 100 permit ip any any
access-list 100 permit ip 10.0.11.0 0.0.0.255 any
access-list 100 permit ip 10.0.10.0 0.0.0.255 any
access-list 100 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255
access-list 102 deny ip 10.0.10.0 0.0.0.255 10.0.10.0 0.0.0.255
access-list 102 permit ip 10.0.10.0 0.0.0.255 any
access-list 110 permit ip 10.0.10.0 0.0.0.255 any
access-list 110 permit ip any 10.0.10.0 0.0.0.255
no cdp run
route-map ISP2 permit 10
match ip address 110
match interface FastEthernet0/1
!
route-map nonat permit 10
match ip address 102
!
route-map ISP1 permit 10
match ip address 110
match interface Serial0/1/0:0
!
!
radius-server host 10.0.10.15 auth-port 1645 acct-port 1646 key 7 141B171F01012325
!
control-plane
!
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
line aux 0
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
 
All I see is that dhcp will give addresses for 10.0.10.100 thru .220, but local SDM_POOL_1 for VPN addresses are .100 thru .220...the way I have mine set is that I have only 10.0.0.15 and 10.0.0.16 available for VPN addresses, and I put these two addresses as excluded from the DHCP pool. I am not sure if the IP addresses that are used for when the VPN connects need to be excluded from the DHCP pool, but mine works, so I don't know...just a thought. If it has nothing to do with this,, please let me know---my best area is NOT VPN's!

Burt
 
Hello All,

Can any body tell how to setup Common access card login on cisco vpn 3000 concentrator?


Thanks in advance.

 
I had to change the first default route to point to the interface name instead of the ip address.

I never did get the VPN working, I used VPDN instead.
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top