Cisco Support Community

Cisco 2911 VPN client setup

Hi guys,

We've bought a 2911 and replaced the 877W, but now I'm unable to complete the setup for the VPN client. In addition, I'd like to have access to the remote office, which is connected via site-to-site, when connected via the VPN Client (remote net: 192.168.17.0). Also, before I added

aaa new-model
!
!
aaa authentication login CiscoVPNClient_auth local
aaa authorization network CiscoVPNClient_group local

for management the Cisco asked for 2 passwords, for login and for exec, but now only one. It would be excellent if for management the Cisco asked for 2 passwords (for admin) and the VPN client had a separate user, like VPNClient, without permissions to log in and manage.

My current config:

!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname hostname
!
boot-start-marker
boot system flash c2900-universalk9-mz.SPA.152-2.T.bin
boot-end-marker
!
!
security passwords min-length 10
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login CiscoVPNClient_auth local
aaa authorization network CiscoVPNClient_group local
!
!
!
!
!
aaa session-id common
!
!
ipv6 spd queue min-threshold 62
ipv6 spd queue max-threshold 63
no ipv6 cef
ip auth-proxy max-login-attempts 5
ip admission max-login-attempts 5
!
!
!
ip dhcp excluded-address 192.168.10.1 192.168.10.99
ip dhcp excluded-address 192.168.22.1 192.168.22.99
ip dhcp excluded-address 192.168.33.1 192.168.33.99
ip dhcp excluded-address 192.168.44.1 192.168.44.99
ip dhcp excluded-address 192.168.55.1 192.168.55.99
ip dhcp excluded-address 192.168.10.240 192.168.10.254
ip dhcp excluded-address 192.168.22.240 192.168.22.254
ip dhcp excluded-address 192.168.33.240 192.168.33.254
ip dhcp excluded-address 192.168.44.240 192.168.44.254
ip dhcp excluded-address 192.168.55.240 192.168.55.254
!
ip dhcp pool desktops
 import all
 network 192.168.33.0 255.255.255.0
 default-router 192.168.33.254
 dns-server 192.168.10.10 dns
 domain-name domain
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool wi-fi
 import all
 network 192.168.44.0 255.255.255.0
 dns-server 192.168.10.10 dns
 domain-name domain
 default-router 192.168.44.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool DMZ
 import all
 network 192.168.55.0 255.255.255.0
 dns-server 192.168.10.10 dns
 domain-name domain
 default-router 192.168.55.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool voip
 import all
 network 192.168.22.0 255.255.255.0
 dns-server 192.168.10.10 dns
 domain-name domain
 default-router 192.168.22.254
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
ip dhcp pool servers
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.254
 dns-server 192.168.10.10 dns
 domain-name domain
 netbios-name-server 192.168.10.10
 netbios-node-type h-node
!
!
ip domain name domain
ip name-server 192.168.10.10
ip cef
login block-for 180 attempts 3 within 180
login delay 10
vlan ifdescr detail
!
multilink bundle-name authenticated
!
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate
 revocation-check none
 rsakeypair TP-self-signed-
!
!
crypto pki certificate chain TP-self-signed
 certificate self-signed 01
  ...
        quit
license udi pid CISCO2911/K9 sn
!
!
object-group network FULL_NET
 description complete network range
 192.168.10.0 255.255.255.0
 192.168.11.0 255.255.255.0
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
!
object-group network limited
 description network without Servers and Router
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
!
vtp version 2
username nick privilege 15 password 7 pass
username admin privilege 0 password 7 pass
!
redundancy
!
!
!
!
!
no ip ftp passive
!
!
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 2
crypto isakmp key admin address a.a.a.a
crypto isakmp invalid-spi-recovery
!
crypto isakmp client configuration group CiscoVPNClient
 key 1
 pool CiscoVPNClient
 acl 103
 include-local-lan
 max-users 2
 netmask 255.255.255.0
crypto isakmp profile CiscoVPNClient_profile
   match identity group CiscoVPNClient
   client authentication list CiscoVPNClient_auth
   isakmp authorization list CiscoVPNClient_group
   client configuration address respond
!
!
crypto ipsec transform-set PEER1 esp-aes esp-sha-hmac
crypto ipsec transform-set CiscoVPNClient esp-3des esp-sha-hmac
!
!
!
crypto dynamic-map CiscoVPNClient 1
 set transform-set CiscoVPNClient
 set isakmp-profile CiscoVPNClient_profile
 reverse-route
!
!
crypto map CiscoVPNClient_map 65535 ipsec-isakmp dynamic CiscoVPNClient
!
crypto map MAP 10 ipsec-isakmp
 set peer a.a.a.a
 set peer b.b.b.b
 set transform-set PEER1
 match address 160
!
!
!
!
!
interface Port-channel1
 no ip address
 hold-queue 150 in
!
interface Port-channel1.1
 encapsulation dot1Q 1 native
 ip address 192.168.11.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.10
 encapsulation dot1Q 10
 ip address 192.168.10.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.22
 encapsulation dot1Q 22
 ip address 192.168.22.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.33
 encapsulation dot1Q 33
 ip address 192.168.33.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.44
 encapsulation dot1Q 44
 ip address 192.168.44.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Port-channel1.55
 encapsulation dot1Q 55
 ip address 192.168.55.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 no ip address
 shutdown
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/2
 description $ES_LAN$
 no ip address
 duplex auto
 speed auto
 channel-group 1
!
interface GigabitEthernet0/0/0
 ip address xxx.xxx.xxx.xxx 255.255.255.224
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
 crypto map MAP
!
ip local pool CiscoVPNClient 192.168.9.1 192.168.9.2
ip forward-protocol nd
!
no ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list NAT_INTERNET interface GigabitEthernet0/0/0 overload
ip nat inside source static tcp 192.168.10.20 1723 interface GigabitEthernet0/0/0 1723
ip nat inside source static udp xxx.xxx.xxx.xxx 500 interface GigabitEthernet0/0/0 500
ip nat inside source static udp xxx.xxx.xxx.xxx 4500 interface GigabitEthernet0/0/0 4500
ip route 0.0.0.0 0.0.0.0 xxx.xxx.xxx.193
!
ip access-list extended NAT_INTERNET
 deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255
 deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255
 permit ip object-group FULL_NET any
 deny   ip object-group FULL_NET 192.168.9.0 0.0.0.255
 deny   ip 192.168.9.0 0.0.0.255 192.168.17.0 0.0.0.255
!
access-list 1 permit 192.168.44.100
access-list 23 permit 192.168.10.7
access-list 23 permit 123.108.151.13 log
access-list 23 permit 192.168.44.0 0.0.0.255
access-list 100 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 103 remark CiscoVPNClient
access-list 103 permit ip object-group FULL_NET any
access-list 103 permit ip 192.168.17.0 0.0.0.255 any
access-list 160 permit ip 192.168.10.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.11.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.22.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.33.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.44.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.55.0 0.0.0.255 192.168.17.0 0.0.0.255
access-list 160 permit ip 192.168.9.0 0.0.0.255 192.168.17.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
!
line con 0
 password 7 password
line aux 0
line 2
 no activation-character
 no exec
 transport preferred none
 transport input all
 transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
 stopbits 1
line vty 0 4
 access-class 23 in
 privilege level 15
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
!
end

Thanks a lot,

Nick

1539 Views, 0 Helpful, 0 Replies
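As an added config-review check (my own code, not part of Nick's post or any Cisco tooling), the script below resolves the FULL_NET object-group and reports entries in the posted NAT_INTERNET ACL that can never match because an earlier entry already covers every source/destination pair. The ACL and object-group are copied from the posted config as constructed input; the parser only handles the address forms that appear there (any, object-group NAME, address plus wildcard), and the wildcard-to-prefix conversion relies on Python's ipaddress module accepting a hostmask.

```python
import ipaddress

# Constructed input: the object-group and NAT ACL copied from the posted 2911 config.
CONFIG = """\
object-group network FULL_NET
 192.168.10.0 255.255.255.0
 192.168.11.0 255.255.255.0
 192.168.22.0 255.255.255.0
 192.168.33.0 255.255.255.0
 192.168.44.0 255.255.255.0
ip access-list extended NAT_INTERNET
 deny   ip object-group FULL_NET 192.168.17.0 0.0.0.255
 deny   ip object-group FULL_NET 192.168.1.0 0.0.0.255
 permit ip object-group FULL_NET any
 deny   ip object-group FULL_NET 192.168.9.0 0.0.0.255
 deny   ip 192.168.9.0 0.0.0.255 192.168.17.0 0.0.0.255
"""

def addr(t, i, groups):
    """Parse the IOS address spec at t[i] (any / object-group NAME / addr wildcard)."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}", strict=False)], i + 2  # wildcard == hostmask

def parse(config):
    """Return (groups, acls): group name -> [networks]; ACL name -> [(action, src, dst, text)]."""
    groups, acls, cur = {}, {}, []
    for raw in config.splitlines():
        t = raw.split()
        if raw.startswith("object-group network"):
            cur = groups.setdefault(t[2], [])
        elif raw.startswith("ip access-list extended"):
            cur = acls.setdefault(t[3], [])
        elif t and t[0] in ("permit", "deny"):
            src, i = addr(t, 2, groups)  # t[1] is the protocol ("ip")
            dst, _ = addr(t, i, groups)
            cur.append((t[0], src, dst, " ".join(t)))
        elif t and t[0][0].isdigit():  # object-group member "net mask"; other lines are skipped
            cur.append(ipaddress.ip_network(f"{t[0]}/{t[1]}", strict=False))
    return groups, acls

def shadowed(aces):
    """ACEs that can never match: every (src, dst) pair is already covered by an earlier ACE."""
    def covered(s, d, earlier):
        return any(any(s.subnet_of(x) for x in es) and any(d.subnet_of(x) for x in ed)
                   for _, es, ed, _ in earlier)
    return [text for n, (_, src, dst, text) in enumerate(aces)
            if all(covered(s, d, aces[:n]) for s in src for d in dst)]
```

Calling `shadowed(parse(CONFIG)[1]["NAT_INTERNET"])` returns only the `deny ip object-group FULL_NET 192.168.9.0 0.0.0.255` entry: it sits after `permit ip object-group FULL_NET any`, so LAN traffic towards the 192.168.9.0 VPN pool is still translated. The final `deny ip 192.168.9.0 ...` entry is live, because the pool is not a member of FULL_NET.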