Need help with EzVPN

Unanswered Question
Mar 12th, 2003

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --


I have a Cisco 827 router at home and an 826 router at work; the 826's IP is static.

I've established a VPN tunnel with EzVPN, but the problem is that I can only access my home router's computer (192.168.30.2) by its IP and never by its DNS name (I can only do this from the server that is connected directly to the router and not from any other computer on the network). The other problem I have is that I can't telnet to the router that I have at home.


Summing up... I would like to:

-access my home router from work

-access it by its DNS name

-telnet the router

-access the router from any computer at my office


Here is the config that I presently have:


Here are my 826 and 827 configs:


**********************SERVER CONFIG******************************

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Router

!

aaa new-model

!

!

aaa authorization network rtr-remote local

aaa session-id common

enable secret 5 --moderator edit--

!

username Router password 7 --moderator edit--

username --moderator edit-- privilege 15 password 7 --moderator edit--

username --moderator edit-- privilege 15 password 7 --moderator edit--

username --moderator edit-- privilege 15 password 7 --moderator edit--

!

ip inspect name myfw cuseeme timeout 3600

ip inspect name myfw ftp timeout 3600

ip inspect name myfw http timeout 3600

ip inspect name myfw rcmd timeout 3600

ip inspect name myfw realaudio timeout 3600

ip inspect name myfw smtp timeout 3600

ip inspect name myfw tftp timeout 30

ip inspect name myfw udp timeout 15

ip inspect name myfw tcp timeout 3600

ip inspect name myfw h323 timeout 3600

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp client configuration address-pool local xman-pool

!

crypto isakmp client configuration group rtr-remote

key xptoh10

dns 192.168.1.1

domain xman.local

pool xman-pool

!

!

crypto ipsec transform-set vpn-gbf esp-3des esp-sha-hmac

!

crypto dynamic-map xman-map 1

set transform-set vpn-xman

reverse-route

!

!

crypto map xman-map isakmp authorization list rtr-remote

crypto map xman-map client configuration address respond

crypto map xman-map 1 ipsec-isakmp dynamic xman-map

!

!

!

!

interface Ethernet0

description CRWS Generated text. Please do not delete this:192.168.1.254-255.255.255.0

ip address 192.168.1.254 255.255.255.0

ip nat inside

ip tcp adjust-mss 1452

hold-queue 100 out

!

interface ATM0

no ip address

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 0/35

pppoe-client dial-pool-number 1

!

dsl operating-mode auto

!

interface Dialer1

ip address negotiated

ip access-group 111 in

ip mtu 1400

ip nat outside

ip inspect myfw out

encapsulation ppp

ip tcp adjust-mss 1452

dialer pool 1

dialer remote-name redback

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname --moderator edit--

ppp chap password 7 --moderator edit--

ppp pap sent-username --moderator edit-- password 7 --moderator edit--

crypto map xman-map

!

ip local pool xman-pool 192.168.1.200 192.168.1.250

ip nat inside source list 102 interface Dialer1 overload

ip nat inside source static tcp 192.168.1.1 1723 interface Dialer1 1723

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

!

!

ip access-list extended idletime

ip access-list extended service

ip access-list extended wins-servers

!

access-list 23 permit 192.168.0.0 0.0.0.255

access-list 23 permit 192.168.1.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 111 permit tcp any any eq 1723

access-list 111 permit icmp any any administratively-prohibited

access-list 111 permit icmp any any echo

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any packet-too-big

access-list 111 permit icmp any any time-exceeded

access-list 111 permit icmp any any traceroute

access-list 111 permit icmp any any unreachable

access-list 111 permit udp any eq bootps any eq bootpc

access-list 111 permit udp any eq bootps any eq bootps

access-list 111 permit udp any eq domain any

access-list 111 permit esp any any

access-list 111 permit udp any any eq isakmp

access-list 111 permit udp any any eq 10000

access-list 111 permit tcp any any eq 139

access-list 111 permit udp any any eq netbios-ns

access-list 111 permit udp any any eq netbios-dgm

access-list 111 permit gre any any

access-list 111 deny ip any any

access-list 111 permit ip any any

dialer-list 1 protocol ip permit

!

radius-server retransmit 3

radius-server authorization permit missing Service-Type

!

line con 0

exec-timeout 120 0

stopbits 1

line vty 0 4

access-class 23 in

exec-timeout 120 0

length 0

!

scheduler max-task-time 5000

end




*******************CLIENT CONFIG*****************

version 12.2

no service pad

service timestamps debug uptime

service timestamps log uptime

service password-encryption

!

hostname Router

!

no logging buffered

enable secret 5 --moderator edit--

!

username Xpto password 7 --moderator edit--

ip subnet-zero

ip name-server --moderator edit-- 10.10.10.126

ip name-server 197.79.54.127

ip dhcp excluded-address 192.168.30.1

!

ip dhcp pool CLIENT

import all

network 192.168.30.0 255.255.255.0

default-router 192.168.30.1

lease 0 2

!

ip inspect name myfw cuseeme timeout 3600

ip inspect name myfw ftp timeout 3600

ip inspect name myfw rcmd timeout 3600

ip inspect name myfw realaudio timeout 3600

ip inspect name myfw smtp timeout 3600

ip inspect name myfw tftp timeout 30

ip inspect name myfw udp timeout 15

ip inspect name myfw tcp timeout 3600

ip inspect name myfw h323 timeout 3600

!

!

!

crypto ipsec client ezvpn crws-client

connect auto

group rtr-remote key xptoh10

mode network-extension

peer 205.209.86.2

!

!

!

interface Ethernet0

description CRWS Generated text. Please do not delete this: 192.168.30.1-255.255.255.0

ip address 192.168.30.1 255.255.255.0 secondary

ip address 10.10.10.1 255.255.255.0

ip tcp adjust-mss 1348

crypto ipsec client ezvpn crws-client inside

hold-queue 100 out

!

interface ATM0

no ip address

atm vc-per-vp 64

no atm ilmi-keepalive

pvc 0/35

pppoe-client dial-pool-number 1

!

dsl operating-mode auto

!

interface Dialer1

ip address negotiated

ip access-group 111 in

ip mtu 1492

ip inspect myfw out

encapsulation ppp

ip tcp adjust-mss 1348

dialer pool 1

dialer remote-name --moderator edit--

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname --moderator edit--

ppp chap password 7 --moderator edit--

ppp pap sent-username --moderator edit-- password 7 --moderator edit--

ppp ipcp dns request

ppp ipcp wins request

crypto ipsec client ezvpn crws-client

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer1

ip http server

!

!

access-list 23 permit 192.168.30.0 0.0.0.255

access-list 23 permit 10.10.10.0 0.0.0.255

access-list 111 permit icmp any any administratively-prohibited

access-list 111 permit icmp any any echo

access-list 111 permit icmp any any echo-reply

access-list 111 permit icmp any any packet-too-big

access-list 111 permit icmp any any time-exceeded

access-list 111 permit icmp any any traceroute

access-list 111 permit icmp any any unreachable

access-list 111 permit udp any eq bootps any eq bootpc

access-list 111 permit udp any eq bootps any eq bootps

access-list 111 permit udp any eq domain any

access-list 111 permit esp any any

access-list 111 permit udp any any eq isakmp

access-list 111 permit udp any any eq 10000

access-list 111 permit tcp any any eq 1723

access-list 111 permit tcp any any eq 139

access-list 111 permit udp any any eq netbios-ns

access-list 111 permit udp any any eq netbios-dgm

access-list 111 permit gre any any

access-list 111 deny ip any any

dialer-list 1 protocol ip permit

!

!

line con 0

exec-timeout 120 0

stopbits 1

line vty 0 4

access-class 23 in

exec-timeout 120 0

login local

length 0

!

scheduler max-task-time 5000

end


raymong Mon, 03/17/2003 - 07:46

The problem you are having could be caused by your NAT config. The way you have set up your acl 102, all traffic coming from 192.168.1.x will be overloaded to the dialer1 interface address. The third line of the acl will never be hit because the keyword "any" includes the 192.168.30.x subnet.


ip nat inside source list 102 interface Dialer1 overload

access-list 102 permit ip 192.168.1.0 0.0.0.255 any

access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255


Try changing your acl to:

access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255

access-list 102 permit ip 192.168.1.0 0.0.0.255 any
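Added illustration, not part of the thread: a small Python model of IOS first-match ACL evaluation with wildcard masks, used to show why the original ordering of acl 102 sends home-LAN traffic through NAT (the 192.168.30.x packets hit the `permit ... any` line first and the two `deny` lines are never reached) and why the reordered ACL exempts that traffic. The wildcard-match logic and the sample addresses (192.168.1.10 as an office host, 192.168.30.2 from the post, 203.0.113.5 as a stand-in for an Internet destination) are constructed for the example; the ACL lines themselves are the ones quoted above.

```python
import ipaddress

# Each entry: (action, src network, src wildcard, dst network, dst wildcard).
# "any" in IOS is shorthand for 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")

# Constructed from the original post's acl 102, in the order it was written.
ORIGINAL_ACL = [
    ("permit", "192.168.1.0", "0.0.0.255", *ANY),
    ("deny",   "192.168.0.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
    ("deny",   "192.168.1.0", "0.0.0.255", "192.168.30.0", "0.0.0.255"),
]

# The reordering suggested in the reply: denies first, then the broad permit.
CORRECTED_ACL = [ORIGINAL_ACL[1], ORIGINAL_ACL[2], ORIGINAL_ACL[0]]


def matches(addr, network, wildcard):
    """IOS wildcard-mask match: a set bit in the wildcard means 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def first_match(acl, src, dst):
    """Return (line number starting at 1, action) of the first matching entry.

    IOS evaluates access-list entries top to bottom and stops at the first hit;
    a packet that matches nothing falls through to the implicit deny, reported
    here as (None, 'deny').
    """
    for idx, (action, s_net, s_wc, d_net, d_wc) in enumerate(acl, start=1):
        if matches(src, s_net, s_wc) and matches(dst, d_net, d_wc):
            return idx, action
    return None, "deny"


def nat_translates(acl, src, dst):
    """For 'ip nat inside source list <acl> ... overload', a permit means the
    packet is translated to the outside (Dialer1) address; a deny leaves it
    untouched so it can take the IPsec tunnel with its real source address."""
    _, action = first_match(acl, src, dst)
    return action == "permit"


def unreachable_lines(acl, samples):
    """Line numbers that none of the sample flows ever reach; a line that is
    shadowed by an earlier, broader entry shows up here."""
    hit = {first_match(acl, s, d)[0] for s, d in samples}
    return [i for i in range(1, len(acl) + 1) if i not in hit]


if __name__ == "__main__":
    # Constructed sample flows: office host to home host, office host to Internet.
    flows = [("192.168.1.10", "192.168.30.2"), ("192.168.1.10", "203.0.113.5")]
    for name, acl in (("original", ORIGINAL_ACL), ("corrected", CORRECTED_ACL)):
        print(f"--- acl 102 ({name}) ---")
        for src, dst in flows:
            line, action = first_match(acl, src, dst)
            print(f"{src} -> {dst}: line {line} {action}, "
                  f"NAT={'yes' if nat_translates(acl, src, dst) else 'no'}")
        print("never hit by these flows:", unreachable_lines(acl, flows))
```

Running the block prints that, with the original ordering, traffic from 192.168.1.10 to 192.168.30.2 matches line 1 and is translated, while lines 2 and 3 are never reached; with the corrected ordering the same flow matches line 3 (the deny that was originally on line 3 has moved up) and is left untranslated, and only Internet-bound traffic is overloaded onto Dialer1.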
