Cisco Support Community
Community Member

Router to dyn peer router + VPN 3.x clients

Anyone tried this? I have a customer router that was set up for VPN clients, but then one client decided he wanted faster access, so he got an 827 and I configured it to work peer to peer with a dynamic address on his new 827. Since no one needed client access I didn't bother to check it still worked, and now they do and it doesn't.

version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname AJBates
!
aaa new-model
!
!
aaa authentication login userlist group radius local
aaa authentication login grouplist group radius local
aaa session-id common
enable secret xxxxxxxx
!
username maclean password xxxxxxxx
username AJBates password xxxxxxxx
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
ip subnet-zero
no ip source-route
no ip domain-lookup
!
ip inspect name firewall cuseeme
ip inspect name firewall http java-list 1
ip inspect name firewall smtp
ip inspect name firewall tftp
ip inspect name firewall vdolive
ip inspect name firewall h323
ip inspect name firewall realaudio
ip inspect name firewall sqlnet
ip inspect name firewall rtsp
ip inspect name firewall fragment maximum 256 timeout 1
ip inspect name firewall udp
ip inspect name firewall rcmd
ip inspect name firewall ftp
ip inspect name firewall tcp
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxxx address 0.0.0.0 0.0.0.0 no-xauth
crypto isakmp client configuration address-pool local ourpool
!
crypto isakmp client configuration group xxxxxxx
 key xxxxxxx
 dns 202.27.184.3
 domain ajbates.co.nz
 pool ourpool
 acl 199
!
!
crypto ipsec transform-set macpolicy esp-des esp-md5-hmac
!
crypto dynamic-map macdyna 10
 set transform-set macpolicy
 match address 110
!
!
crypto map macmap client authentication list userlist
crypto map macmap isakmp authorization list grouplist
crypto map macmap client configuration address respond
crypto map macmap 10 ipsec-isakmp dynamic macdyna
!
!
!
!
interface Ethernet0
 ip address 192.168.100.254 255.255.255.0
 no ip proxy-arp
 ip nat inside
 ip inspect firewall in
 no ip route-cache
 no ip mroute-cache
 no cdp enable
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip proxy-arp
 ip accounting access-violations
 no ip route-cache
 no ip mroute-cache
 no atm ilmi-keepalive
 pvc 0/100
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 bundle-enable
 dsl operating-mode auto
 hold-queue 224 in
!
interface Dialer0
 ip address negotiated
 ip accounting access-violations
 ip nat outside
 encapsulation ppp
 no ip route-cache
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username xxxxxxx password xxxxxxxxx
 crypto map macmap
!
ip local pool ourpool 172.22.100.1 172.22.100.254
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static tcp 192.168.100.1 25 xxxxxxxxx 25 extendable
ip nat inside source static tcp 192.168.100.254 23 xxxxxxxx 23 extendable
ip nat inside source static tcp 192.168.100.1 3389 xxxxxxxx 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
ip pim bidir-enable
!
!
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit ip 172.22.100.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 101 permit icmp any any
access-list 101 permit tcp host xxxxxxxx any eq telnet
access-list 101 permit tcp host xxxxxxxxx any eq 3389
access-list 101 permit tcp any any eq smtp
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq pop3
access-list 101 permit udp any host xxxxxx eq isakmp
access-list 101 permit esp any host xxxxxx
access-list 101 deny ip any any log
access-list 110 remark Traffic that shall be encrypted.
access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.169.100.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 172 remark Excepts VPN traffic from NAT.
access-list 172 deny ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 172 deny ip 192.168.100.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 172 deny ip 192.168.0.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 172 permit ip 192.168.100.0 0.0.0.255 any
access-list 172 permit ip 192.168.0.0 0.0.0.255 any
access-list 199 permit ip 192.168.100.0 0.0.0.255 any
access-list 199 permit ip 172.22.100.0 0.0.0.255 any
dialer-list 1 protocol ip permit
no cdp run
!
route-map nonat permit 10
 match ip address 172
!
!
line con 0
 stopbits 1
line vty 0 4
 password
!
scheduler max-task-time 5000
end

1 REPLY
Cisco Employee

Re: Router to dyn peer router + VPN 3.x clients

You set the 827 up as an EzVPN client, or as a LAN-to-LAN connection? Looks like the former, in which case you shouldn't have needed to change anything on the customer router, correct? What does the debug show when a client tries to connect in now?

I would remove the "match address 110" from the dynamic crypto map, these always tend to cause more problems than they're worth.

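Before changing anything on the router, a reviewer would check that the crypto ACL the dynamic map matches on (110) and the NAT-exemption ACL behind the nonat route-map (172) describe the same address pairs, and that every source network they name actually sits on a configured interface. The Python lint below is an added example written for this thread; it is not code from the original post or from Cisco. Its CONFIG string is an excerpt constructed from the lines the poster shared (same redacted values), the ACL numbers are passed in explicitly rather than resolved from the route-map, and the findings it returns are points to review, not a diagnosis of the thread's problem.

```python
"""Consistency lint for the crypto ACL / NAT-exemption pairing in an IOS config.

Added example for this thread; not code from the original post or from Cisco.
CONFIG is an excerpt constructed from the access-list, crypto-map and interface
lines the poster shared. The ACL numbers are supplied by the caller.
"""
import ipaddress

CONFIG = """\
interface Ethernet0
 ip address 192.168.100.254 255.255.255.0
crypto isakmp key xxxxxxxxx address 0.0.0.0 0.0.0.0 no-xauth
crypto dynamic-map macdyna 10
 set transform-set macpolicy
 match address 110
crypto map macmap 10 ipsec-isakmp dynamic macdyna
access-list 110 remark Traffic that shall be encrypted.
access-list 110 permit ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 permit ip 192.169.100.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 172 remark Excepts VPN traffic from NAT.
access-list 172 deny ip 192.168.100.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 172 deny ip 192.168.100.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 172 deny ip 192.168.0.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 172 permit ip 192.168.100.0 0.0.0.255 any
access-list 172 permit ip 192.168.0.0 0.0.0.255 any
"""

# Constructed counter-example: one protected pair, mirrored exactly in the NAT ACL.
CONSISTENT = """\
interface Ethernet0
 ip address 192.168.100.254 255.255.255.0
access-list 110 permit ip 192.168.100.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 172 deny ip 192.168.100.0 0.0.0.255 172.22.100.0 0.0.0.255
access-list 172 permit ip 192.168.100.0 0.0.0.255 any
"""


def wildcard_to_network(addr, wildcard):
    """Convert an IOS address/wildcard pair to a network; the wildcard must be contiguous."""
    wc = int(ipaddress.IPv4Address(wildcard))
    if (wc + 1) & wc:  # not of the form 2**k - 1
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{32 - wc.bit_length()}", strict=False)


def _endpoint(tokens):
    """Consume one ACE endpoint ('any', 'host A' or 'A WILDCARD'); return (net, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_ip_aces(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} for protocol-'ip' ACEs.
    Remarks and tcp/udp/icmp/esp entries are skipped: the two ACLs are compared
    on address pairs only."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, rest = _endpoint(t[4:])
        dst, _ = _endpoint(rest)
        acls.setdefault(int(t[1]), []).append((t[2], src, dst))
    return acls


def dynamic_map_match_acls(config):
    """Map each crypto dynamic-map name to the ACL named in its 'match address' line."""
    found, current = {}, None
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["crypto", "dynamic-map"]:
            current = t[2]
        elif current and t[:2] == ["match", "address"]:
            found[current] = int(t[2])
        elif line and not line.startswith(" "):
            current = None  # left the dynamic-map sub-mode
    return found


def lint(config, crypto_acl, nat_exempt_acl):
    """Return findings (strings) about the crypto ACL / NAT exemption pairing."""
    findings, local_nets = [], []
    acls = parse_ip_aces(config)
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["ip", "address"] and len(t) == 4:  # interface address + mask
            local_nets.append(ipaddress.ip_network(f"{t[2]}/{t[3]}", strict=False))
        if t[:3] == ["crypto", "isakmp", "key"] and "0.0.0.0" in t and "no-xauth" in t:
            findings.append("pre-shared key bound to 0.0.0.0 0.0.0.0 with no-xauth: every "
                            "peer that authenticates with it skips Xauth")
    for name, acl in dynamic_map_match_acls(config).items():
        findings.append(f"dynamic-map {name} has 'match address {acl}'; a dynamic entry "
                        "for software clients normally lets the client propose identities")
    protected = {(s, d) for a, s, d in acls.get(crypto_acl, []) if a == "permit"}
    exempt = {(s, d) for a, s, d in acls.get(nat_exempt_acl, []) if a == "deny"}
    for s, d in sorted(protected - exempt, key=str):
        findings.append(f"crypto ACL {crypto_acl} protects {s} -> {d} but ACL "
                        f"{nat_exempt_acl} never exempts it from NAT")
    for s, d in sorted(exempt - protected, key=str):
        findings.append(f"ACL {nat_exempt_acl} exempts {s} -> {d} from NAT but ACL "
                        f"{crypto_acl} never protects it")
    for s in sorted({s for s, _ in protected | exempt}, key=str):
        if not any(s.subnet_of(n) for n in local_nets):
            findings.append(f"source {s} is not on any configured interface network")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG, 110, 172):
        print("-", finding)
```

Run against the excerpt it reports the one crypto permit with no NAT-exemption mirror, the two NAT exemptions that nothing encrypts, and the two source networks (192.169.100.0/24 and 192.168.0.0/24) that no interface carries, alongside the `match address` entry the reply advises removing; run against CONSISTENT it returns nothing. Comparing the two ACLs as sets of (source, destination) networks rather than as text is what makes a one-digit address slip visible.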