01-23-2012 04:50 AM - edited 03-21-2019 06:46 PM
Hello,
Is it possible to configure the ISR 1802 router with VPN so that this device can authenticate and authorize users itself, without needing another element such as a Cisco VPN 3000?
Is it possible to use AD (Windows Authentication) or RADIUS to authenticate VPN users instead of the Cisco VPN 3000? And in that case, how should the router be configured?
Thanks,
António
on 02-23-2012 05:40 PM
You can change your inspection policy on the router, so remove these three lines.
no ip inspect name FW tcp
no ip inspect name FW udp
no ip inspect name FW icmp
and instead be specific about each protocol, as shown below.
! CBAC takes the protocol keyword directly after the inspection list name
ip inspect name FW ftp
ip inspect name FW http
ip inspect name FW https
ip inspect name FW icmp
ip inspect name FW dns
ip inspect name FW ymsgr
ip inspect name FW realmedia
ip inspect name FW netshow
ip inspect name FW appleqtc
ip inspect name FW streamworks
ip inspect name FW tftp
ip inspect name FW vdolive
ip inspect name FW sqlnet
ip inspect name FW netbios
ip inspect name FW isakmp
ip inspect name FW pop3
ip inspect name FW smtp
ip inspect name FW snmp
ip inspect name FW snmptrap
ip inspect name FW ssh
ip inspect name FW h323
ip inspect name FW ftps
Apply ACL 101 inbound ("in"), the ACL you saw on my demo router that I showed you, under "interface Dialer0" on your router.
Can you please also post ACL 101 on the forum, as I don't remember how I configured it.
Thanks
on 02-24-2012 01:00 AM
Hi,
Your ACL 101 is:
interface Dialer1
ip access-group 101 in
exit
!
access-list 101 permit udp any host 206.53.53.215 eq isakmp
access-list 101 permit esp any host 206.53.53.215
But I have a problem: my IP is dynamic, so from time to time the IP address changes. How can I build ACL 101 so that the IP 206.53.53.215 is replaced by the address that changes?
Thanks,
António
on 02-24-2012 06:24 AM
Usually business-class DSL service IP addresses do not change, even though the address is assigned dynamically. The ISP registers or reserves the public IP it assigns to your DSL connection against your DSL account, so that accounting is easier for the ISP; therefore you will always receive the same IP address from the DSL PPPoE connection with a DSL service provider, even after rebooting the router. This is true in Canada with some of the ISPs I have dealt with.
So you may check with your local ISP whether this is the case with the business-class DSL service on your branch router.
If this is the case with your local ISP, then you should change the public IP address in ACL 101 to reflect your own public IP address and apply it on the dialer interface facing "in".
As for firewall inspection, try to avoid inspecting traffic in both directions and stick to outbound only, as "ip inspect FW out"; for traffic coming in from the outside, use ACL 101 instead.
I hope that helps.
Thanks
Rizwan Rafeek
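The two posts above describe the pieces separately: protocol-specific CBAC inspection applied outbound on the dialer, an inbound ACL that admits only the IPsec control and data traffic, and the original question of authenticating VPN users against RADIUS. The fragment below is an added example (editor's, not from the thread or from Cisco) that ties them together on an ISR 1802 with a dynamic public address. Everything named here is an assumption: Dialer1 as the WAN interface, the RADIUS server 192.0.2.10 and its key, and the list names VPN-AUTH, VPN-AUTHZ, FW and VPN-MAP. The IPsec remote-access configuration itself (ISAKMP policy, transform set, client group, dynamic map) is assumed to exist already and is not shown.

```cisco
! Added example, not from the thread. Assumed values: Dialer1 as the WAN
! interface, RADIUS server 192.0.2.10 with key ExampleSharedKey, and the
! names VPN-AUTH / VPN-AUTHZ / FW / VPN-MAP. Adjust to your environment.
!
! --- AAA: authenticate VPN users against RADIUS (Windows AD can sit behind
!     RADIUS via NPS/IAS), with local fallback if the server is unreachable ---
aaa new-model
aaa authentication login VPN-AUTH group radius local
aaa authorization network VPN-AUTHZ local
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ExampleSharedKey
!
! --- CBAC: inspect only sessions initiated from the inside, applied "out" on
!     the dialer. Classic CBAC syntax is "ip inspect name <list> <protocol>";
!     "match protocol" belongs to zone-based firewall class-maps, not CBAC ---
ip inspect name FW http
ip inspect name FW https
ip inspect name FW ftp
ip inspect name FW dns
ip inspect name FW icmp
ip inspect name FW smtp
ip inspect name FW pop3
ip inspect name FW ssh
ip inspect name FW isakmp
!
! --- Inbound ACL on the WAN side. The public address changes with every
!     PPPoE session, so the destination is "any" rather than a fixed host:
!     on a NAT-overloaded dialer, unsolicited inbound packets are in practice
!     those addressed to the router's own current public IP, so this does not
!     widen exposure. Return traffic for inspected outbound sessions is
!     admitted by the dynamic entries CBAC creates; everything else is denied.
!     non500-isakmp is UDP/4500, needed by NAT-T clients sitting behind NAT ---
access-list 101 remark IPsec VPN in; CBAC opens return traffic dynamically
access-list 101 permit udp any any eq isakmp
access-list 101 permit udp any any eq non500-isakmp
access-list 101 permit esp any any
access-list 101 deny   ip any any log
!
interface Dialer1
 ip inspect FW out
 ip access-group 101 in
!
! --- Attach the AAA lists to the remote-access crypto map so the router,
!     not a separate concentrator, performs user authentication (XAUTH) and
!     group authorization. The rest of the IPsec configuration is assumed ---
crypto map VPN-MAP client authentication list VPN-AUTH
crypto map VPN-MAP isakmp authorization list VPN-AUTHZ
crypto map VPN-MAP client configuration address respond
```

Two checks worth doing after applying this: `show ip inspect sessions` should list only sessions initiated from the LAN, and `show access-lists 101` should show hit counts on the isakmp and esp lines when a client connects. The `log` keyword on the final deny is useful while validating the policy but can be noisy on a busy public interface; drop it once the ACL is confirmed correct.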
on 02-25-2012 02:21 PM
Hi,
Well, in Portugal the scenario is quite different. If you disconnect your modem or your router for any reason, you get a new IP address. And you can get several IP addresses, as many times as you disconnect your machines (so this afternoon I disconnected the modem 3 times and the router 4 times, and I had 5 different IP addresses).
But what matters is that the tips you gave me were very helpful!
The ISR 1802 router is connected through ADSL, with the VPN in and authentication via RADIUS.
Once again thank you.
António Deus
on 08-31-2012 09:28 AM
Good afternoon, Antonio!
If your question has been resolved, please mark this discussion as answered.
Best regards,
Davi Garcia
on 09-02-2012 01:43 AM
Good morning Davi,
How do I mark the discussion as answered?
Thanks,
António Deus
on 09-02-2012 05:48 AM
Hello Antonio,
Just pick the replies you considered correct and click the Correct Answer button.
Don't forget to rate the replies using the stars.