08-15-2016 02:06 AM
I am new to configuring Cisco devices. I managed to configure the Cisco 881 to work as a router and VPN.
But at the remote computer there is no local LAN access.
My config is as below:
Current configuration : 5442 bytes
!
! Last configuration change at 08:30:12 UTC Mon Aug 15 2016 by cisco
!
version 15.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 xxxxxxxxxxx
enable password 7 xxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login VPN_CLIENT_LOGIN local
aaa authorization network VPN_CLIENT_GROUP local
!
!
!
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-2833602029
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2833602029
revocation-check none
rsakeypair TP-self-signed-2833602029
!
!
crypto pki certificate chain TP-self-signed-2833602029
certificate self-signed 01
quit
no ip source-route
no ip gratuitous-arps
!
!
!
!
!
!
!
!
!
!
!
!
no ip bootp server
no ip domain lookup
ip cef
login block-for 10 attempts 10 within 10
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
cts logging verbose
license udi pid C881-K9 sn FGL201820WQ
!
!
username cisco privilege 15 password 7 xxxxxxxxx
username jhbpvpn secret 5 xxxxxxxx
!
!
!
!
no cdp run
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
lifetime 3600
!
crypto isakmp client configuration group jhbpvpn
key xxxxxxxx
dns 10.249.8.36
domain SGBP.COM
pool VPN_CLIENT_POOL
acl 110
!
!
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
!
!
!
crypto dynamic-map EXT_DYNAMIC_MAP 10
set transform-set TRANS_3DES_SHA
!
!
crypto map EXT_MAP client authentication list VPN_CLIENT_LOGIN
crypto map EXT_MAP isakmp authorization list VPN_CLIENT_GROUP
crypto map EXT_MAP client configuration address respond
crypto map EXT_MAP 10 ipsec-isakmp dynamic EXT_DYNAMIC_MAP
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface FastEthernet4
ip address 10.10.10.180 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
crypto map EXT_MAP
!
interface Vlan1
ip address 10.249.8.10 255.255.255.0
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly in
!
ip local pool VPN_CLIENT_POOL 10.249.20.220 10.249.20.230
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface FastEthernet4 overload
ip nat inside source static tcp 10.249.8.36 80 10.10.10.180 80 extendable
ip route 0.0.0.0 0.0.0.0 10.10.10.177
!
ip access-list extended NAT
!
logging trap debugging
logging facility local2
dialer-list 1 protocol ip permit
!
snmp-server community public RO
access-list 101 permit ip 10.249.8.0 0.0.0.255 any
access-list 110 permit ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255
access-list 110 permit ip 10.249.20.0 0.0.0.255 10.249.8.0 0.0.0.255
!
!
!
control-plane
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
!
banner motd ^CUNAUTHORISED ACCESS TO THIS DEVICE IS PROHIBITED^C
!
line con 0
exec-timeout 5 0
login authentication local_auth
no modem enable
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
no modem enable
transport output telnet
line aux 0
exec-timeout 15 0
login authentication local_auth
transport output telnet
line vty 0 4
privilege level 15
password 7 08114D5D1A0E0A051658
login authentication local_auth
transport input telnet ssh
transport output telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
transport output telnet ssh
!
scheduler allocate 20000 1000
!
!
!
end
08-19-2016 05:42 AM
08-17-2016 02:46 AM
no ip access-list extended NAT
no access-list 101
no access-list 110
access-list 110 permit ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255
access-list 101 deny ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255
access-list 101 permit ip 10.249.8.0 0.0.0.255 any
crypto isakmp client configuration group jhbpvpn
acl 110
exit
ip nat inside source list 101 interface FastEthernet4 overload
clear ip nat translations *
copy run start
reload
Please rate helpful posts and mark correct answers.
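Why the NAT change in this answer matters, shown as an added Python model that is not part of the thread: IOS applies inside-to-outside NAT before the crypto map, so while ACL 101 permits LAN-to-VPN-pool traffic, replies to VPN clients leave with the FastEthernet4 address and no longer match the split-tunnel (crypto) ACL 110. The parser only handles the `access-list N permit|deny ip SRC DST` form used in this thread, and treating ACL 110 directly as the crypto match list is a simplification of how the router derives the client's proxy identities.

```python
import ipaddress
OUTSIDE_IP = "10.10.10.180"  # FastEthernet4 address from the config above

def _net(tokens, i):
    """Parse 'any' or 'ADDR WILDCARD' at tokens[i]; an IOS wildcard inverts a subnet mask."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    mask = ".".join(str(255 - int(o)) for o in tokens[i + 1].split("."))
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2

def parse_acls(config_lines):
    """Collect 'access-list N permit|deny ip SRC DST' entries, keeping their order."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        if len(tok) < 6 or tok[0] != "access-list" or tok[3] != "ip":
            continue
        src, i = _net(tok, 4)
        dst, _ = _net(tok, i)
        acls.setdefault(tok[1], []).append((tok[2], src, dst))
    return acls

def acl_matches(entries, src_ip, dst_ip):
    """First-match evaluation, with the implicit deny at the end of every IOS ACL."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False

def forward_lan_reply(config_lines, src="10.249.8.36", dst="10.249.20.221"):
    """Inside-to-outside order of operations: overload NAT runs before the crypto map."""
    acls = parse_acls(config_lines)
    natted = acl_matches(acls.get("101", []), src, dst)
    if natted:
        src = OUTSIDE_IP  # NAT rewrote the source, so the crypto ACL can no longer match
    encrypted = acl_matches(acls.get("110", []), src, dst)
    return {"natted": natted, "encrypted": encrypted}

# Constructed from the thread: the ACLs as first posted, and as corrected in this answer.
ORIGINAL_ACLS = [
    "access-list 101 permit ip 10.249.8.0 0.0.0.255 any",
    "access-list 110 permit ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255",
    "access-list 110 permit ip 10.249.20.0 0.0.0.255 10.249.8.0 0.0.0.255",
]
FIXED_ACLS = [
    "access-list 110 permit ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255",
    "access-list 101 deny ip 10.249.8.0 0.0.0.255 10.249.20.0 0.0.0.255",
    "access-list 101 permit ip 10.249.8.0 0.0.0.255 any",
]
```

With the original ACLs a LAN host's reply to a VPN client is translated and sent in the clear; with the corrected ACLs it is exempt from NAT and encrypted, while LAN-to-Internet traffic is still translated.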
08-18-2016 02:23 AM
After removing the incorrect access list and recreating the access list, VPN from the remote computer via Cisco VPN Client is not successful.
08-18-2016 12:01 PM
debug ip icmp
term mon
Please rate helpful posts and mark correct answers.
08-18-2016 09:02 PM
Noticed that now I can only connect to the VPN by using Cisco VPN Client ver 5.0.06.0110.
It still cannot ping a local IP and can't RDP to a local computer.
1. ipconfig and route print as follows;
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State. . . . . . . . . . . : Media disconnected
PPP adapter XXXXXXX
Connection-specific DNS Suffix . :
IPv4 Address . . . . . . . . . . : 14.100.54.172
Subnet Mask. . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . : 0.0.0.0
Ethernet adapter Local Area Connection 2:
Connection-specific DNS Suffix . : SGBP.COM
IPv4 Address . . . . . . . . . . : 10.249.8.221
Subnet Mask. . . . . . . . . . . : 255.0.0.0
Default Gateway . . . . . . . . :
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination Netmask Gateway Interface Metric
0.0.0.0 0.0.0.0 On-link 14.100.54.172 31
10.0.0.0 255.0.0.0 On-link 10.249.20.221 286
10.249.8.0 255.255.255.0 10.0.0.1 10.249.20.221 100
10.249.20.221 255.255.255.255 On-link 10.249.20.221 286
10.255.255.255 255.255.255.255 On-link 10.249.20.221 286
14.100.54.172 255.255.255.255 On-link 14.100.54.172 286
10.10.10.180 255.255.255.255 On-link 14.100.54.172 100
127.0.0.0 255.0.0.0 On-link 127.0.0.1 4531
127.0.0.1 255.255.255.255 On-link 127.0.0.1 4531
127.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 127.0.0.1 4531
224.0.0.0 240.0.0.0 On-link 14.100.54.172 31
224.0.0.0 240.0.0.0 On-link 10.249.20.221 286
255.255.255.255 255.255.255.255 On-link 127.0.0.1 4531
255.255.255.255 255.255.255.255 On-link 14.100.54.172 286
255.255.255.255 255.255.255.255 On-link 10.249.20.221 286
============================================================================
Persistent Routes:
Network Address Network Gateway Address Metric
0.0.0.0 0.0.0.0 10.249.8.10 Default
2. show ip route and show ip int brief results as follows
JHBPRouter#show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
a - application route
+ - replicated route, % - next hop override
Gateway of last resort is 10.10.10.177 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 10.10.10.177
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.249.8.0/24 is directly connected, Vlan1
L 10.249.8.10/32 is directly connected, Vlan1
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.10.10.176/29 is directly connected, FastEthernet4
L 10.10.10.180/32 is directly connected, FastEthernet4
JHBPRouter#show ip int brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0 unassigned YES unset up up
FastEthernet1 unassigned YES unset up up
FastEthernet2 unassigned YES unset up down
FastEthernet3 unassigned YES unset up down
FastEthernet4 10.10.10.180 YES NVRAM up up
NVI0 10.10.10.180 YES unset up up
Vlan1 10.249.8.10 YES NVRAM up up
JHBPRouter#
3. debug ip icmp and term mon
JHBPRouter#debug ip icmp
ICMP packet debugging is on
JHBPRouter#term mon
% Console already monitors
4. Cisco VPN Client ver 5.0.06.0110
Network : 10.249.8.0
Subnet Mask : 255.255.255.0
5.
08-22-2016 06:43 PM
The configuration "no mode tunnel" seems not to be accepted by the device.
Running configuration as below
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
no mode tunnel
or
no crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
no mode tunnel
still having the configuration as
crypto ipsec transform-set TRANS_3DES_SHA esp-3des esp-sha-hmac
mode tunnel
and the configuration below has been auto-added
line con 0
exec-timeout 5 0
login authentication local_auth
no modem enable
transport output telnet
line aux 0
access-class sl_def_acl in
exec-timeout 15 0
ipv6 access-class sl_def_ipv6_acl in
login authentication local_auth
transport output telnet
line vty 0 4
access-class sl_def_acl in
privilege level 15
password 7 107E080A16001D190857
ipv6 access-class sl_def_ipv6_acl in
login authentication local_auth
transport input telnet ssh
transport output telnet ssh
line vty 5 15
access-class sl_def_acl in
privilege level 15
ipv6 access-class sl_def_ipv6_acl in
transport input telnet ssh
transport output telnet ssh
I found the reason why it fails. It is my fault: I tapped this device onto the existing local network, which already has a Cisco PIX.
08-19-2016 05:59 AM