
VPN connected but traffic not forwarded

Status
Not open for further replies.

ichiz (IS-IT--Management), Feb 3, 2010
Hi,

I have some trouble with the VPN on a Cisco 871.

Here are the different IPs:

Small business server 2008: 192.168.10.4
BVI1: 192.168.10.1
Int fa4: 192.168.2.2
ADSL BOX: 192.168.2.1

I can connect the VPN, but the traffic is not forwarded. When I delete "ip nat inside source list 1 interface FastEthernet4 overload" it works fine, but I lose the internet connection inside the network.

But with this line, the VPN doesn't work.

I'm posting the config file in case someone has an idea.
I really need help with this configuration!!
PS: I have some tips for SIP configuration on Cisco 8xx, if someone needs them!

Code:
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname yourname
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$yBLO$RcUDZwDCoVzHQRcaqznmh.
!
no aaa new-model
clock timezone PCTime 1
clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
!
crypto pki trustpoint TP-self-signed-3284050759
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3284050759
revocation-check none
rsakeypair TP-self-signed-3284050759
!
!
crypto pki certificate chain TP-self-signed-3284050759
certificate self-signed 01
3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 33323834 30353037 3539301E 170D3032 30333031 30303339
31335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 32383430
35303735 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
81008D45 358B22C0 D8CCC5E1 E19B7A54 173D5508 A3DBCA21 38CBF569 9846B1D1
E2C969E0 4822DD69 E9DE9B73 F469DD98 ACB49A71 26517AC4 EE8DCA2B 8B73464A
3AF7107C 9CC48D3C 4D0526E1 8AE66C72 7EF8B2B7 C68678D1 669FDB64 FDBD4021
BD47B50E 439BE16B AB730D1F 6E6E50F1 77F4D91D E9CCC28D CA322399 957BF81B
3EA90203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
301F0603 551D2304 18301680 145B082A 364ECF6B 196DE94F EE194870 9C672CFE
DF301D06 03551D0E 04160414 5B082A36 4ECF6B19 6DE94FEE 1948709C 672CFEDF
300D0609 2A864886 F70D0101 04050003 81810030 90A604EE 99A126FA 07304434
5478217F 27BB89FB 3FE905AE 5D1CC9CC BADA4D2D ABFEDB6F 443516C9 BB4D3368
6C43A520 7E152514 DF35BC49 5755A51D F5B86F19 9B281396 806CD7F5 373CE4F7
4A8647B9 831E3468 383C47EF D599B4B1 61F07998 2AAABBD7 ABA0A97D BD3DE3FE
15F403C1 A7051795 D0A38A25 241BDA32 962DF4
quit
dot11 syslog
!
dot11 ssid xxxxx
vlan 1
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 0 xxxxxxx
!
ip cef
!
!
ip domain name yourdomain.com
ip name-server 80.10.246.130
ip name-server 81.253.149.10
!
!
!
username xxxxxxx privilege 15 secret 5 $1$HsD3$ni563UfVDCAmVAco0.LcC/

!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group mekong
key xxxxxxx
! 192.168.10.4 is the SBS 2008 server
dns 192.168.10.4
wins 192.168.10.4
pool mypool
acl split
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set ESP-3DES-SHA
!
!
crypto map mymap client authentication list userauthen
crypto map mymap isakmp authorization list groupauthor
crypto map mymap client configuration address respond
crypto map mymap 65535 ipsec-isakmp dynamic dynmap
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
description $ES_WAN$
ip address 192.168.2.2 255.255.255.0
ip nat outside
ip virtual-reassembly
ip tcp adjust-mss 1412
duplex auto
speed auto
crypto map mymap
!
interface Dot11Radio0
no ip address
!
encryption vlan 1 mode ciphers tkip
!
ssid mekong
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
no ip address
ip tcp adjust-mss 1452
bridge-group 1
!
interface BVI1
description $ES_LAN$
ip address 192.168.10.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1412
!
ip local pool mypool 192.168.239.1 192.168.239.20
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.2.1
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source list 1 interface FastEthernet4 overload
ip nat inside source route-map NAT interface Vlan1 overload
ip nat inside source static tcp 192.168.10.4 80 192.168.2.2 80 route-map NAT extendable
ip nat inside source static tcp 192.168.10.4 143 192.168.2.2 143 route-map NAT extendable
ip nat inside source static tcp 192.168.10.4 443 192.168.2.2 443 route-map NAT extendable
ip nat inside source static tcp 192.168.10.4 444 192.168.2.2 444 route-map NAT extendable
ip nat inside source static tcp 192.168.10.4 993 192.168.2.2 993 route-map NAT extendable
ip nat inside source static tcp 192.168.10.4 1723 192.168.2.2 1723 route-map NAT extendable
ip nat inside source static tcp 192.168.10.4 3389 192.168.2.2 3389 route-map NAT extendable
ip nat inside source static udp 192.168.10.4 4569 192.168.2.2 4569 route-map NAT extendable
ip nat inside source static tcp 192.168.10.4 80 192.168.2.2 9876 route-map NAT extendable
!
ip access-list extended NAT
deny ip 192.168.10.0 0.0.0.255 192.168.239.0 0.0.0.255
permit ip 192.168.10.0 0.0.0.255 any
ip access-list extended split
permit ip 192.168.10.0 0.0.0.255 192.168.239.0 0.0.0.255
!
access-list 1 remark INSIDE_IF=BVI1
access-list 1 remark CCP_ACL Category=2
access-list 1 permit 192.168.10.0 0.0.0.255
access-list 1 permit 192.168.239.0 0.0.0.255
dialer-list 1 protocol ip permit
no cdp run
!
!
route-map NAT permit 10
match ip address NAT
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
banner exec ^C
% Password expiration warning.
-----------------------------------------------------------------------

Cisco Configuration Professional (Cisco CP) is installed on this device
and it provides the default username "cisco" for one-time use. If you have
already used the username "cisco" to login to the router and your IOS image
supports the "one-time" user option, then this username has already expired.
You will not be able to login to the router with this username after you exit
this session.

It is strongly suggested that you create a new username with a privilege level
of 15 using the following command.

username <myuser> privilege 15 secret 0 <mypassword>

Replace <myuser> and <mypassword> with the username and password you
want to use.

-----------------------------------------------------------------------
^C
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input telnet ssh
!
scheduler max-task-time 5000
end

yourname#
 
Code:
ip nat inside source route-map NAT interface FastEthernet4 overload    (replace "list 1" with "route-map NAT")
ip nat inside source route-map NAT interface Vlan1 overload            (remove this line)

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
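Why swapping "list 1" for the route-map makes the difference: on the 871, inside-to-outside traffic is routed, then translated by "ip nat inside source", and only then handed to the crypto map on FastEthernet4. access-list 1 permits everything from 192.168.10.0/24, so a reply from the SBS box to a VPN client (192.168.239.x) is rewritten to 192.168.2.2 before the crypto map sees it, no longer matches the VPN's interesting traffic, and leaves unencrypted toward the ADSL box. The extended ACL "NAT" has a deny for LAN-to-pool traffic first, so that traffic is left alone and is encrypted. The following is an added model of that decision written for this thread, not code from the poster or from Cisco; it reuses the thread's own ACLs and addresses, approximates the tunnel's interesting traffic with the "split" ACL, and the VPN client address 192.168.239.5 is a constructed sample.

```python
"""Model of IOS 'ip nat inside source' selection on the 871 from the thread.

Added illustration; the ACLs below are transcribed from the posted config,
the client address 192.168.239.5 is a constructed example.
"""
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

# One access-list entry: action, source net, source wildcard,
# optional destination net and wildcard (None for a standard ACL).
Entry = Tuple[str, str, str, Optional[str], Optional[str]]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    a = int(IPv4Address(addr))
    n = int(IPv4Address(network))
    w = int(IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def acl_action(acl: List[Entry], src: str, dst: str) -> str:
    """First-match evaluation with the implicit trailing deny."""
    for action, snet, swild, dnet, dwild in acl:
        if not wildcard_match(src, snet, swild):
            continue
        if dnet is not None and not wildcard_match(dst, dnet, dwild):
            continue
        return action
    return "deny"


# access-list 1 as posted (standard ACL, source addresses only).
ACL_1: List[Entry] = [
    ("permit", "192.168.10.0", "0.0.0.255", None, None),
    ("permit", "192.168.239.0", "0.0.0.255", None, None),
]

# ip access-list extended NAT as posted; the deny keeps LAN -> VPN pool
# traffic out of the translation. 'any' is 0.0.0.0 255.255.255.255.
ACL_NAT: List[Entry] = [
    ("deny", "192.168.10.0", "0.0.0.255", "192.168.239.0", "0.0.0.255"),
    ("permit", "192.168.10.0", "0.0.0.255", "0.0.0.0", "255.255.255.255"),
]

# 'acl split' from the client group, used here as the tunnel selector.
ACL_SPLIT: List[Entry] = [
    ("permit", "192.168.10.0", "0.0.0.255", "192.168.239.0", "0.0.0.255"),
]

WAN_IP = "192.168.2.2"  # FastEthernet4, the 'ip nat outside' address


def egress(nat_acl: List[Entry], src: str, dst: str) -> Tuple[str, bool]:
    """Return (source address on the wire, encrypted?) for a packet leaving Fa4.

    Order matches IOS for inside->outside traffic: NAT first, crypto map second.
    """
    if acl_action(nat_acl, src, dst) == "permit":
        src = WAN_IP  # overload PAT rewrites the source
    encrypted = acl_action(ACL_SPLIT, src, dst) == "permit"
    return src, encrypted


def compare(src: str, dst: str) -> dict:
    """Show the same packet under the broken and the fixed NAT rule."""
    return {
        "list 1": egress(ACL_1, src, dst),
        "route-map NAT": egress(ACL_NAT, src, dst),
    }


if __name__ == "__main__":
    # SBS 2008 replying to a VPN client vs. SBS 2008 talking to a DNS server.
    for dst in ("192.168.239.5", "80.10.246.130"):
        print("192.168.10.4 ->", dst, compare("192.168.10.4", dst))
```

Running it shows the reply to the VPN client leaving as 192.168.2.2 unencrypted under "list 1" and as 192.168.10.4 inside the tunnel under "route-map NAT", while ordinary Internet traffic from the LAN is translated either way. The model ignores the static port forwards, which also reference route-map NAT and are unaffected by the change.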
 
Thank you very much, unclerico!!

It's working well now!
Best regards
Fred
 