Problem with VPNs on a Cisco router - non-Cisco

Unanswered Question
Apr 30th, 2010

Hello

Recently the company where I work received a Cisco router, and I am trying to configure the various Cisco VPNs.

Please find attached a drawing of the current structure of the network.

I'm using optical fiber.

Here is the actual configuration:

#################################################################################################

Current configuration : 11608 bytes
!
! Last configuration change at 12:00:23 PT Fri Apr 30 2010 by patricios
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime msec localtime
service password-encryption
!
hostname Router-Patricios
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$Ksti$bIlSETZm.e4ay5gkqmOsJ.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authentication login fiaverde_xauth local
aaa authentication login friends_xauth local
aaa authentication enable default enable
aaa authentication ppp default local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
aaa authorization network fiaverde_group local
aaa authorization network friends_group local
!
!
aaa session-id common
clock timezone PT 0
clock summer-time PT recurring last Sun Mar 1:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-3983758723
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3983758723
revocation-check none
rsakeypair TP-self-signed-3983758723

!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.0.1 192.168.0.5
ip dhcp excluded-address 192.168.0.11 192.168.0.254
!
ip dhcp pool ccp-pool1
   network 192.168.0.0 255.255.255.0
   default-router 192.168.0.5
!
!
ip domain name gestao.ptprime.pt
ip name-server 62.48.131.10
ip name-server 62.48.131.11
ip inspect name FW-INET tcp
ip inspect name FW-INET udp
ip inspect name FW-INET ftp
ip inspect name FW-INET icmp
ip inspect name FW-INET tftp
ip inspect name FW-INET realaudio
ip inspect name FW-INET esmtp
login block-for 300 attempts 5 within 60
login quiet-mode access-class 7
login on-failure log
login on-success log
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group fiaverde.dyndns.org
! Default PPTP VPDN group
accept-dialin
  protocol pptp
  virtual-template 2
!
vpdn-group patfriendsargoncilhe.dyndns.org
accept-dialin
  protocol pptp
  virtual-template 5
!
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
group 2
!
crypto isakmp client configuration group patricios.dyndns.org
key 256pat1968
pool SDM_POOL_1
!
crypto isakmp client configuration group fiaverde.dyndns.org
key 256pat1968
pool fiaverde_pool
!
crypto isakmp client configuration group patfriendsargoncilhe.dyndns.org
key 256pat1968
domain patfriendsargoncilhe.dyndns.org
pool friends_pool
crypto isakmp profile ciscocp-ike-profile-1
   match identity group patricios.dyndns.org
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
crypto isakmp profile fiaverde_profile
   match identity group fiaverde.dyndns.org
   client authentication list fiaverde_xauth
   isakmp authorization list fiaverde_group
   client configuration address respond
   virtual-template 2
crypto isakmp profile friends_profile
   match identity group patfriendsargoncilhe.dyndns.org
   client authentication list friends_xauth
   isakmp authorization list friends_group
   client configuration address respond
   virtual-template 5
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA2 esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA3 esp-3des esp-sha-hmac
!
crypto ipsec profile CiscoCP_Profile1
set transform-set ESP-3DES-SHA
set isakmp-profile ciscocp-ike-profile-1
!
crypto ipsec profile Fiaverde_Profile
set transform-set ESP-3DES-SHA
set isakmp-profile fiaverde_profile
!
crypto ipsec profile Friends_Profile
set transform-set ESP-3DES-SHA
set isakmp-profile friends_profile
!
!
crypto dynamic-map FIAVERDE_MAP 1
reverse-route
!
!
crypto map FIAVERDE_VPN 100 ipsec-isakmp dynamic FIAVERDE_MAP
!
archive
log config
  hidekeys
!
!
vlan 33
name EW00942
!
!
!
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
dsl operating-mode auto
!
interface BRI0
no ip address
encapsulation hdlc
shutdown
!
interface FastEthernet0
description == Circuito ETH-MPLS / 1001412608 ==
no ip address
no ip proxy-arp
no ip mroute-cache
speed 100
full-duplex
no cdp enable
!
interface FastEthernet0.33
description == ETHERWEB / 1009409123 ==
encapsulation dot1Q 33
ip address 62.28.161.26 255.255.255.252
ip access-group 111 in
ip nat outside
ip virtual-reassembly
traffic-shape rate 9500000 95000 95000 1000
no cdp enable
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface Virtual-Template1 type tunnel
ip unnumbered FastEthernet0.33
tunnel mode ipsec ipv4
tunnel protection ipsec profile CiscoCP_Profile1
!
interface Virtual-Template2 type tunnel
ip unnumbered FastEthernet0.33
tunnel mode ipsec ipv4
tunnel protection ipsec profile Fiaverde_Profile
!
interface Virtual-Template5 type tunnel
ip unnumbered FastEthernet0.33
tunnel mode ipsec ipv4
tunnel protection ipsec profile Friends_Profile
!
interface Vlan1
description == LAN Privada ==
ip address 192.168.0.5 255.255.255.0
no ip proxy-arp
ip nat inside
ip inspect FW-INET in
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
!
interface Vlan2
description == LAN Fiaverde ==$ES_LAN$
ip address 192.168.2.5 255.255.255.0
no ip proxy-arp
ip nat inside
ip inspect FW-INET in
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
!
interface Vlan5
description == LAN Friends ==
ip address 192.168.5.5 255.255.255.0
no ip proxy-arp
ip nat inside
ip inspect FW-INET in
ip virtual-reassembly
ip tcp adjust-mss 1452
no ip mroute-cache
!
ip local pool SDM_POOL_1 10.10.10.10 10.10.10.20
ip local pool fiaverde_pool 10.10.10.21 10.10.10.29
ip local pool friends_pool 10.10.10.40 10.10.10.49
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 62.28.161.25
ip route 192.168.2.0 255.255.255.0 192.168.0.251
ip route 192.168.5.0 255.255.255.0 62.28.161.24
!
!
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list ACL_NAT interface FastEthernet0.33 overload
!
ip access-list standard negar_acesso
remark negar_acesso
remark CCP_ACL Category=128
remark 123
deny   195.245.168.15
deny   any
deny   195.245.168.0 0.0.0.255
!
ip access-list extended ACL_NAT
permit ip 192.168.0.0 0.0.0.255 any
!
access-list 7 remark == ACL GESTAO
access-list 7 permit 192.168.0.0 0.0.0.255
access-list 30 remark === ACL SNMP Cliente ===
access-list 30 permit 192.168.0.0 0.0.255.255
access-list 41 remark === ACL SNMP PT RO
access-list 41 permit 62.48.131.96 0.0.0.31
access-list 100 remark CCP_ACL Category=4
access-list 100 remark IPSec Rule
access-list 100 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 remark CCP_ACL Category=4
access-list 101 remark IPSec Rule
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 102 remark CCP_ACL Category=4
access-list 102 remark IPSec Rule
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 111 remark === ACL entrada da iNet ===
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit ip host 62.48.196.232 any
access-list 111 permit ip host 62.48.207.128 any
access-list 111 permit ip host 62.48.131.101 any
access-list 111 permit ip host 62.48.205.207 any
access-list 111 permit ip host 62.48.236.145 any
access-list 111 permit tcp host 62.48.131.125 eq tacacs any
access-list 111 permit udp host 83.240.141.94 eq ntp any
access-list 111 deny   ip any any
snmp-server group GPTv3SNMP v3 auth access 41
snmp-server view client-view interfaces included
snmp-server view client-view sysUpTime included
snmp-server view client-view system.5 included
snmp-server view client-view system.9 included
snmp-server view client-view enterprises.351.110 included
snmp-server view client-view system.2.0 included
snmp-server view client-view lsystem included
snmp-server view client-view linterfaces included
snmp-server view client-view ciscoMgmt.387 included
snmp-server view client-view lsystem.73.0 excluded
snmp-server community pwlightcliente view client-view RO 30
snmp-server location R TRAS OS LAGOS 0  4525-325 GUISANDE VFR
snmp-server system-shutdown
!
!

#################################################################################################
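As an added, defender-side check (not part of the original post and not Cisco tooling), the following Python script parses the security-relevant parts of the configuration above and reports the points a reviewer would raise against it: PPTP dial-in enabled, 3DES in the transform-set and in ISAKMP policy 2, an ISAKMP policy with no `authentication` line (the IOS default is rsa-sig), the same pre-shared key stored in clear text for several client groups, Virtual-Template2 referenced by both the PPTP vpdn-group and an ISAKMP profile, and a crypto map that is defined but never applied to an interface. The embedded `CONFIG` is an excerpt of the posted configuration with the pre-shared key replaced by the placeholder `PSK-PLACEHOLDER`; the block parser deliberately ignores indentation, because forum posts usually strip it, and it generalises beyond this one configuration (any number of groups, policies and maps).

```python
import re
from collections import defaultdict

# Excerpt of the configuration posted above; the real pre-shared key is
# replaced by a placeholder. Indentation is irregular on purpose.
CONFIG = """\
vpdn enable
!
vpdn-group fiaverde.dyndns.org
accept-dialin
  protocol pptp
  virtual-template 2
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
group 2
!
crypto isakmp client configuration group patricios.dyndns.org
key PSK-PLACEHOLDER
pool SDM_POOL_1
!
crypto isakmp client configuration group fiaverde.dyndns.org
key PSK-PLACEHOLDER
pool fiaverde_pool
!
crypto isakmp profile ciscocp-ike-profile-1
   match identity group patricios.dyndns.org
   virtual-template 1
crypto isakmp profile fiaverde_profile
   match identity group fiaverde.dyndns.org
   virtual-template 2
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map FIAVERDE_MAP 1
reverse-route
!
crypto map FIAVERDE_VPN 100 ipsec-isakmp dynamic FIAVERDE_MAP
!
interface Virtual-Template2 type tunnel
tunnel mode ipsec ipv4
"""

BLOCK_START = re.compile(r"^(crypto|interface|vpdn|ip local pool|access-list|ip access-list)\b")
LEGACY_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def is_block_start(line):
    # 'crypto map NAME' (3 tokens) under an interface applies a map; top-level
    # 'crypto map NAME SEQ ...' entries carry a sequence number and open a block.
    if line.startswith("crypto map") and len(line.split()) == 3:
        return False
    return BLOCK_START.match(line) is not None


def parse_blocks(text):
    """Group lines into (header, [sub-commands]) without relying on indentation.
    A bare '!' or an empty line ends the current block; '! comment' lines are skipped."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "!"):
            current = None
            continue
        if line.startswith("!"):
            continue
        if current is None or is_block_start(line):
            current = (line, [])
            blocks.append(current)
        else:
            current[1].append(line)
    return blocks


def audit(text):
    """Return a list of human-readable findings for an IOS VPN configuration."""
    findings = []
    pptp_templates, ipsec_templates = set(), set()
    key_users = defaultdict(list)          # key value -> groups using it
    defined_maps, applied_maps = set(), set()
    for header, body in parse_blocks(text):
        w = header.split()
        if header == "vpdn enable":
            findings.append("vpdn enable: PPTP dial-in is on; PPTP (MS-CHAPv2/MPPE) is legacy and should be replaced by IPsec or SSL VPN")
        elif w[0] == "vpdn-group" and any(b.startswith("protocol pptp") for b in body):
            pptp_templates.update(int(b.split()[1]) for b in body if b.startswith("virtual-template"))
        elif header.startswith("crypto isakmp policy"):
            if not any(b.startswith("authentication") for b in body):
                findings.append(f"isakmp policy {w[3]}: no 'authentication' line, so the IOS default rsa-sig applies and pre-shared-key clients cannot match it")
            encr = next((b.split()[1] for b in body if b.startswith("encr")), "des")  # IOS default is DES
            if encr in ("des", "3des"):
                findings.append(f"isakmp policy {w[3]}: weak cipher '{encr}'")
        elif header.startswith("crypto isakmp client configuration group"):
            for b in body:
                if b.startswith("key "):
                    parts = b.split()
                    if parts[1] != "6":
                        findings.append(f"group {w[5]}: pre-shared key stored in clear text; 'key 6' with 'password encryption aes' avoids that")
                    key_users[parts[-1]].append(w[5])
        elif header.startswith("crypto isakmp profile"):
            ipsec_templates.update(int(b.split()[1]) for b in body if b.startswith("virtual-template"))
        elif header.startswith("crypto ipsec transform-set"):
            weak = sorted(set(w[4:]) & LEGACY_TRANSFORMS)
            if weak:
                findings.append(f"transform-set {w[3]}: legacy transforms {weak}")
        elif header.startswith("crypto dynamic-map"):
            if not any(b.startswith("set transform-set") for b in body):
                findings.append(f"dynamic-map {w[2]}: no 'set transform-set', the entry is incomplete")
        elif header.startswith("crypto map"):
            defined_maps.add(w[2])
        elif w[0] == "interface":
            applied_maps.update(b.split()[2] for b in body if b.startswith("crypto map"))
    for groups in key_users.values():
        if len(groups) > 1:
            findings.append(f"same pre-shared key shared by groups {groups}; compromise of one group's key exposes all of them")
    for vt in sorted(pptp_templates & ipsec_templates):
        findings.append(f"Virtual-Template{vt} is referenced by both a PPTP vpdn-group and an ISAKMP profile; a PPP template and an IPsec tunnel template cannot be the same interface")
    for name in sorted(defined_maps - applied_maps):
        findings.append(f"crypto map {name} is defined but not applied to any interface (dead configuration)")
    return findings


if __name__ == "__main__":
    for finding in audit(CONFIG):
        print("-", finding)
```

Run it as-is to see the ten findings for the excerpt, or paste a full `show running-config` into `CONFIG` (the parser copes with the `! comment` lines and missing indentation that forum posts and terminal captures introduce). The checks are intentionally conservative: they only read what is literally in the configuration and flag defaults that IOS fills in silently, such as rsa-sig authentication and DES encryption when those lines are omitted from an ISAKMP policy.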
