Cisco 877 VPN Routing Problem

diegolangamer (Technical User), Aug 7, 2009:
Hi Everyone!

I have a problem in my environment. I have a Cisco 1841 configured as an Easy VPN Server and a site with a Cisco 877 via ADSL with Easy VPN configured too. I have a problem with this: the tunnel is working fine, but these sites don't connect to the internet. This problem seems to be with the routing configuration. To connect correctly, I need to use a proxy located on the master site in the stations to navigate correctly. What's going on with my environment? Sorry for these questions, but I'm very much a newbie on Cisco IOS, and sorry for my English. :p

Look below at the actual config of the Cisco 877:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname sucbsbcrt01
!
boot-start-marker
boot-end-marker
!
logging buffered 51200
logging console critical
enable secret 5 $1$p/Zt$urlNsWT05So9NVdmx2eMh1
!
aaa new-model
!
!
aaa authentication login default local
aaa authorization exec default local
!
!
aaa session-id common
clock timezone PCTime -3
!
crypto pki trustpoint TP-self-signed-1548421111
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1548421111
revocation-check none
rsakeypair TP-self-signed-1548421111
!
!
dot11 syslog
no ip source-route
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.5.250 10.0.5.254
ip dhcp excluded-address 10.0.5.251 10.0.5.254
!
ip dhcp pool sdm-pool1
import all
network 10.0.5.0 255.255.255.0
dns-server 200.175.182.139 200.175.5.139
default-router 10.0.5.254
!
!
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
no ip bootp server
ip domain name bsb.com
ip name-server 200.175.182.139
ip name-server 200.175.5.139
ip name-server 200.222.0.34
ip name-server 200.222.0.35
ip name-server 200.149.55.142
ip name-server 200.165.132.148
ip ddns update method sdm_ddns1
DDNS both
!
!
!
username admin privilege 15 view root secret 5 $************
username bsb privilege 15 secret 5 $***********************
username monitor privilege 3 secret 5 $***************************************
username otto privilege 3 password 7 ***********
username suporte privilege 15 secret 5 $************************************
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
!
!
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
connect auto
group Padrao key *******
mode network-extension
peer xxx.xxx.xxx.xxx
virtual-interface 3
username ******** password ***********
xauth userid mode local
!
!
archive
log config
hidekeys
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.1 point-to-point
description $ES_WAN$$FW_OUTSIDE$
pvc 0/35
pppoe-client dial-pool-number 1
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface Virtual-Template1 type tunnel
no ip address
tunnel mode ipsec ipv4
!
interface Virtual-Template3 type tunnel
no ip address
tunnel mode ipsec ipv4
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 10.0.5.254 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1412
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1 inside
!
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1452
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
! ADSL login and configuration
ppp authentication pap callin
ppp pap sent-username 6130397372@turbonetpro password 7 1410041F5E51
crypto ipsec client ezvpn SDM_EZVPN_CLIENT_1
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0 2
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.5.0 0.0.0.255
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.17.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 10.0.17.0 0.0.0.255 10.0.0.0 0.0.1.255
access-list 101 remark SDM_ACL Category=2
access-list 101 permit ip 10.0.5.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map SDM_RMAP_1 permit 1
match ip address 101
!
!
control-plane
!
banner exec ^CC
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Router and Security Device Manager (SDM) is installed on this device and
it provides the default username "cisco" for one-time use. If you have already
used the username "cisco" to login to the router and your IOS image supports the

"one-time" user option, then this username has already expired. You will not be
able to login to the router with this username after you exit this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you want to
use.

-----------------------------------------------------------------------
^C
banner login ^CCAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
no modem enable
transport output telnet
line aux 0
transport output telnet
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end
Post "show ip route" from the 1841 router.

PSC
— CCNP • CCSP • MCITP: Enterprise Admin • MCSE —

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"

PScottC, thanks for helping!

189.80.0.0/29 is subnetted, 1 subnets
C 189.80.147.xxx is directly connected, FastEthernet0/0
10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
S 10.0.2.0/24 [1/0] via 189.80.147.xxx
S 10.0.0.0/23 [1/0] via 189.80.147.xxx
S 10.0.6.0/24 [1/0] via 189.12.140.175
S 10.0.7.0/24 [1/0] via 189.107.19.140
200.97.94.0/24 is variably subnetted, 2 subnets, 2 masks
C 200.97.94.xx/32 is directly connected, Serial0/0/0
C 200.97.94.xx/30 is directly connected, Serial0/0/0
S* 0.0.0.0/0 is directly connected, Serial0/0/0

Explanation:
- 10.0.0.0 is my local network, pointed to my internal internet gateway.
- 10.0.6.0/24 and 10.0.7.0/24 are VPN connections established with 877 routers (Easy VPN).
- 200.97.94.xx is the peer address.

[]´s
Looking at it, I think you need to add route reinjection on your hub site. You can't add a static route because the peer is on DHCP. Basically, what this means is that the 10.0.5.0/24 network should show up in the routing table of the hub router. This would allow traffic returning from the internet to hairpin into the VPN connection.

Either that, or you allow split tunnelling on the branch router and let traffic bound for the internet bypass the VPN tunnel.

PSC
— CCNP (R&S/Wireless) • CCSP • MCITP: Enterprise Admin • MCSE —

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers"
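As an added check (not part of the thread), the Python script below replays the longest-prefix-match lookup the hub performs on the `show ip route` table posted above: a reply to a 10.0.5.x host currently falls through to the default route out Serial0/0/0 instead of hairpinning into the tunnel, while 10.0.6.x already resolves to its VPN next hop, and the problem disappears once a 10.0.5.0/24 route with the branch's public address as next hop (what route reinjection would install) is present. The 189.80.147.1 gateway and the 203.0.113.5 branch address are constructed stand-ins for values redacted or absent in the post.

```python
import ipaddress

# Constructed from the hub's "show ip route" output in the thread. The LAN
# gateway was redacted as 189.80.147.xxx; 189.80.147.1 is a stand-in for it.
HUB_ROUTES = [
    ("10.0.2.0/24", "189.80.147.1"),    # S  via the internal gateway
    ("10.0.0.0/23", "189.80.147.1"),    # S  via the internal gateway
    ("10.0.6.0/24", "189.12.140.175"),  # S  Easy VPN branch already in the table
    ("10.0.7.0/24", "189.107.19.140"),  # S  Easy VPN branch already in the table
    ("0.0.0.0/0",   "Serial0/0/0"),     # S* default route toward the Internet
]
DEFAULT_EXIT = "Serial0/0/0"


def lookup(routes, dst):
    """Longest-prefix match, as the router's forwarding decision works: the
    most specific matching prefix wins; the default route is the last resort."""
    addr = ipaddress.ip_address(dst)
    best_len, best_hop = -1, None
    for prefix, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_hop = net.prefixlen, nexthop
    return best_hop


def hairpins_into_vpn(routes, branch_host):
    """True when a reply for a branch host is sent toward a VPN peer's route
    rather than back out the default Internet interface (where it is lost)."""
    nexthop = lookup(routes, branch_host)
    return nexthop is not None and nexthop != DEFAULT_EXIT


def with_reinjected_route(routes, branch_prefix, branch_public_ip):
    """Copy of the table plus the static route reinjection installs for a
    connected network-extension client: its LAN prefix via its public address."""
    return routes + [(branch_prefix, branch_public_ip)]


if __name__ == "__main__":
    for host in ("10.0.6.10", "10.0.5.10"):
        verdict = "OK" if hairpins_into_vpn(HUB_ROUTES, host) else "leaks out the default route"
        print(host, "->", lookup(HUB_ROUTES, host), verdict)
    # 203.0.113.5 is a constructed placeholder for the 877's ADSL address.
    fixed = with_reinjected_route(HUB_ROUTES, "10.0.5.0/24", "203.0.113.5")
    print("after reinjection:", lookup(fixed, "10.0.5.10"))
```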