03-12-2003 10:47 AM - edited 03-09-2019 02:29 AM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
I have a cisco 827 router at home and a 826 router at work, the 826 ip is static.
I've established a VPN tunnel with EzVPN, but the problem is that I can only access my home router's
computer (192.168.30.2) by its IP and never by its DNS name (I can only do this from
the server that is connected directly to the router and not from any other computer on the
network). The other problem I have is that I can't telnet to the router that I have at home.
In summary, I would like to:
-access my home router from work
-access it by its DNS name
-telnet to the router
-access the router from any computer at my office
Here is the config that I presently have:
Here are my 826 and 827 configs:
**********************SERVER CONFIG******************************
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
aaa new-model
!
!
aaa authorization network rtr-remote local
aaa session-id common
enable secret 5 --moderator edit--
!
username --moderator edit-- password 7 --moderator edit--
username --moderator edit-- privilege 15 password 7 --moderator edit--
username --moderator edit-- privilege 15 password 7 --moderator edit--
username --moderator edit-- privilege 15 password 7 --moderator edit--
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw http timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp client configuration address-pool local xman-pool
!
crypto isakmp client configuration group rtr-remote
key xptoh10
dns 192.168.1.1
domain xman.local
pool xman-pool
!
!
crypto ipsec transform-set vpn-gbf esp-3des esp-sha-hmac
!
crypto dynamic-map xman-map 1
set transform-set vpn-xman
reverse-route
!
!
crypto map xman-map isakmp authorization list rtr-remote
crypto map xman-map client configuration address respond
crypto map xman-map 1 ipsec-isakmp dynamic xman-map
!
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this:192.168.1.254-255.255.255.0
ip address 192.168.1.254 255.255.255.0
ip nat inside
ip tcp adjust-mss 1452
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1400
ip nat outside
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1452
dialer pool 1
dialer remote-name --moderator edit--
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname --moderator edit--
ppp chap password 7 --moderator edit--
ppp pap sent-username --moderator edit-- password 7 --moderator edit--
crypto map xman-map
!
ip local pool xman-pool 192.168.1.200 192.168.1.250
ip nat inside source list 102 interface Dialer1 overload
ip nat inside source static tcp 192.168.1.1 1723 interface Dialer1 1723
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
!
ip access-list extended idletime
ip access-list extended service
ip access-list extended wins-servers
!
access-list 23 permit 192.168.0.0 0.0.0.255
access-list 23 permit 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 111 permit tcp any any eq 1723
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
access-list 111 permit ip any any
dialer-list 1 protocol ip permit
!
radius-server retransmit 3
radius-server authorization permit missing Service-Type
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
length 0
!
scheduler max-task-time 5000
end
*******************CLIENT CONFIG*****************
version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
enable secret 5 --moderator edit--
!
username --moderator edit-- password 7 --moderator edit--
ip subnet-zero
ip name-server 10.10.10.126
ip name-server 10.20.10.127
ip dhcp excluded-address 192.168.30.1
!
ip dhcp pool CLIENT
import all
network 192.168.30.0 255.255.255.0
default-router 192.168.30.1
lease 0 2
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
!
!
!
crypto ipsec client ezvpn crws-client
connect auto
group rtr-remote key xptoh10
mode network-extension
peer 205.209.86.2
!
!
!
interface Ethernet0
description CRWS Generated text. Please do not delete this: 192.168.30.1-255.255.255.0
ip address 192.168.30.1 255.255.255.0 secondary
ip address 10.10.10.1 255.255.255.0
ip tcp adjust-mss 1348
crypto ipsec client ezvpn crws-client inside
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/35
pppoe-client dial-pool-number 1
!
dsl operating-mode auto
!
interface Dialer1
ip address negotiated
ip access-group 111 in
ip mtu 1492
ip inspect myfw out
encapsulation ppp
ip tcp adjust-mss 1348
dialer pool 1
dialer remote-name --moderator edit--
dialer-group 1
ppp authentication pap chap callin
ppp chap hostname --moderator edit--
ppp chap password 7 --moderator edit--
ppp pap sent-username --moderator edit-- password 7 --moderator edit--
ppp ipcp dns request
ppp ipcp wins request
crypto ipsec client ezvpn crws-client
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
!
!
access-list 23 permit 192.168.30.0 0.0.0.255
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 deny ip any any
dialer-list 1 protocol ip permit
!
!
line con 0
exec-timeout 120 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end
03-13-2003 01:29 AM
Hi,
On your 827 router, ACL#102 should be :
access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
-telnet the router
Telnet to the router's outside (negotiated) IP address is only possible when you permit telnet traffic in ACL#111 on the 826 router.
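As an added illustration (not part of the original thread and not Cisco's own code), here is a small first-match evaluator in Python for the subset of IOS extended ACL syntax used in this thread. It replays ACL 102 both in the order it was posted and in the order the reply suggests, showing why the order decides whether tunnel traffic gets NATed, and checks the inbound ACL 111 with and without a telnet permit. The work router address 205.209.86.2 is the peer in the posted client config; 198.51.100.7 (standing in for the home router's negotiated address) and 203.0.113.5 (an unrelated internet host) are constructed placeholders. The parser is a simplified model of IOS behaviour, not the IOS parser itself.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Named ports IOS accepts after "eq"; only the names that appear in this thread's ACLs.
PORT_NAMES = {"telnet": 23, "domain": 53, "bootps": 67, "bootpc": 68,
              "isakmp": 500, "netbios-ns": 137, "netbios-dgm": 138}


@dataclass
class AclEntry:
    action: str                      # "permit" or "deny"
    proto: str                       # "ip" matches every protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    src_port: Optional[int] = None   # None means any port
    dst_port: Optional[int] = None


def _addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D', or 'A.B.C.D wildcard'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks; convert explicitly so 0.0.0.0 means /32.
    wild = int(ipaddress.IPv4Address(tokens[1]))
    mask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wild))
    return ipaddress.IPv4Network((tokens[0], mask), strict=False), tokens[2:]


def _port(tokens):
    """Consume an optional 'eq <port>' qualifier (numeric or named)."""
    if tokens[:1] != ["eq"]:
        return None, tokens
    name = tokens[1]
    return (int(name) if name.isdigit() else PORT_NAMES[name]), tokens[2:]


def parse_acl(lines):
    """Parse 'access-list <n> <action> <proto> <src> [eq p] <dst> [eq p]' lines."""
    entries = []
    for line in lines:
        t = line.split()
        if t[0] != "access-list":
            raise ValueError(f"not an access-list line: {line}")
        action, proto, rest = t[2], t[3], t[4:]
        src, rest = _addr(rest)
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        entries.append(AclEntry(action, proto, src, dst, sport, dport))
    return entries


def evaluate(entries, proto, src_ip, dst_ip, src_port=None, dst_port=None):
    """First matching entry wins; an ACL with no match ends in IOS's implicit deny."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for e in entries:
        if e.proto not in ("ip", proto):
            continue
        if src not in e.src or dst not in e.dst:
            continue
        if e.src_port is not None and e.src_port != src_port:
            continue
        if e.dst_port is not None and e.dst_port != dst_port:
            continue
        return e.action
    return "deny"


# ACL 102 exactly as posted in the server config (used as the NAT source list).
ACL_102_AS_POSTED = [
    "access-list 102 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 102 deny ip 192.168.0.0 0.0.0.255 192.168.30.0 0.0.0.255",
    "access-list 102 deny ip 192.168.1.0 0.0.0.255 192.168.30.0 0.0.0.255",
]
# The order the reply suggests: tunnel exemptions before the catch-all permit.
ACL_102_SUGGESTED = [ACL_102_AS_POSTED[1], ACL_102_AS_POSTED[2], ACL_102_AS_POSTED[0]]


def is_natted(acl_lines, src_ip, dst_ip):
    """In a NAT source list a 'permit' means 'translate this packet'."""
    return evaluate(parse_acl(acl_lines), "ip", src_ip, dst_ip) == "permit"


# Inbound ACL 111 on the client's Dialer1, reduced to the non-ICMP lines that matter for telnet.
ACL_111_AS_POSTED = [
    "access-list 111 permit esp any any",
    "access-list 111 permit udp any any eq isakmp",
    "access-list 111 permit udp any any eq 10000",
    "access-list 111 permit tcp any any eq 1723",
    "access-list 111 deny ip any any",
]
# Same ACL with a telnet permit limited to the work router's static address (205.209.86.2, from the thread).
ACL_111_WITH_TELNET = ACL_111_AS_POSTED[:-1] + [
    "access-list 111 permit tcp host 205.209.86.2 any eq telnet",
    "access-list 111 deny ip any any",
]


def telnet_allowed(acl_lines, src_ip, router_outside_ip):
    """Would a telnet SYN from src_ip to the router's outside address pass the inbound ACL?"""
    return evaluate(parse_acl(acl_lines), "tcp", src_ip, router_outside_ip, dst_port=23) == "permit"
```

With the posted order, a packet from 192.168.1.10 to 192.168.30.2 hits the `permit ... any` first and is translated, so it never takes the tunnel; with the denies first it is exempted while internet-bound traffic is still translated. Restricting the added telnet permit to the peer's static address keeps the management plane closed to everyone else on the internet.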
03-13-2003 07:40 AM
Hi
thanks a lot, I'll try to change my config like you have told me.
03-14-2003 03:47 AM
Ok, I tried your suggestions and now I can telnet to my EzVPN client router :) and the NAT issue over the tunnel is also fine, but I still can't figure out the rest.
Thanks a lot....