Configure a Cisco VPN 3000 Concentrator to a Cisco IOS Router

wasanthak
Level 1

Hi,

I have a Cisco 1750 router with 2 VPN profiles/dynamic map for mobile users with Cisco VPN client software.

Now I want to give these mobile users access to 2 servers behind a Cisco 3000 VPN concentrator. I don't have access to the 3000 VPN concentrator and have configured the 1750 to match it (key and encryption types).

I am facing problems when I try to access these servers behind the VPN concentrator by first connecting to the 1750 with the Cisco VPN client software.

When I do a "sh crypto isakmp sa" I get MMO_NO_STATE for the site-to-site VPN.

My configuration is as follows:

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 encr 3des
 authentication pre-share
crypto isakmp key xxx address x.x.x.x
crypto isakmp keepalive 10 4
!
crypto isakmp client configuration group VPN001
 key xxxx
 domain xyz.com
 pool dynpool
 acl 150
!
crypto isakmp client configuration group VPN002
 key xxxx
 domain xyz.com
 pool dynpool2
 acl 151
crypto isakmp profile VPN002
 description VPN002 Client VPN profile
 match identity group VPN002
 isakmp authorization list client-vpn
 client configuration address initiate
 client configuration address respond
crypto isakmp profile vpn001
 description Innitial VPN access Profile
 match identity group VPN001
 isakmp authorization list client-vpn
 client configuration address initiate
 client configuration address respond
crypto isakmp profile sitetosite
 description Site to Site VPN
 match identity address 200.200.200.200 255.255.255.255
!
!
crypto ipsec transform-set ts001 esp-3des esp-md5-hmac
crypto ipsec transform-set ts002 esp-3des esp-sha-hmac
crypto ipsec nat-transparency spi-matching
!
crypto dynamic-map dynmap 1
 set transform-set ts001
 set isakmp-profile vpn001
crypto dynamic-map dynmap 2
 set transform-set ts001
!
!
crypto map TestVPN 1 ipsec-isakmp dynamic dynmap
crypto map TestVPN 2 ipsec-isakmp
 set peer 200.200.200.200
 set transform-set ts002
 match address sitetositeACL
!
!
!
interface Ethernet0
 ip address 100.100.100.1 255.255.255.248
 ip access-group 111 in
 ip nat outside
 ip inspect E0 in
 full-duplex
 crypto map TestVPN
!
interface FastEthernet0
 ip address 192.168.100.254 255.255.255.0
 ip access-group 110 in
 ip nat inside
 ip inspect Fa0 in
 ip route-cache flow
 speed auto
!

I appreciate your expert help on this. I have also attached the config file with this.

Thanks

Wasantha

2 Replies

wasanthak
Level 1

Hello There,

If there is a configuration example for configuring site-to-site and remote access on the same router, please let me know. I have tried searching this site and Google without success.

Thanks again.

Below are the sample codes with both LAN-LAN VPN and remote VPN access on a single router:

crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key xxxxxxxx address no-xauth
crypto isakmp client configuration group vpngroup
 key xxxxxxxx
 pool vpnpool
 acl 130
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set vpnset
crypto map vpnmap client authentication list vpnauthen
crypto map vpnmap isakmp authorization list vpnauthor
crypto map vpnmap client configuration address respond
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap 20 ipsec-isakmp
 set peer
 set transform-set superset
 match address 140
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
interface Dialer0
 ip address
 ip nat outside
 crypto map vpnmap
ip local pool vpnpool 10.1.1.1 10.1.1.10
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 101 deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
access-list 130 permit ip 192.168.1.0 0.0.0.255 10.1.1.0 0.0.0.255
access-list 140 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
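
Added example (not part of either post, and not Cisco tooling): a short Python check that reads IOS crypto configuration like the two listings in this thread and reports transform-sets, ISAKMP profiles and dynamic maps that are referenced but never defined, or defined but never referenced. The `audit` function, the `KINDS` table and both sample excerpts are constructed here from lines in the thread; names are assumed to be case-sensitive.

```python
import re

# kind -> (pattern that defines a name, pattern that references one or more names)
KINDS = {
    "transform-set": (r"^crypto ipsec transform-set (\S+)", r"^ +set transform-set (.+)"),
    "isakmp-profile": (r"^crypto isakmp profile (\S+)",
                       r"^(?: +set|crypto map \S+) isakmp-profile (\S+)"),
    "dynamic-map": (r"^crypto dynamic-map (\S+)",
                    r"^crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
}

def audit(config):
    """Return sorted (problem, kind, name) tuples for dangling crypto references."""
    findings = set()
    for kind, (def_re, ref_re) in KINDS.items():
        defined = set(re.findall(def_re, config, re.M))
        # "set transform-set" may list several names on one line, hence split()
        used = {n for hit in re.findall(ref_re, config, re.M) for n in hit.split()}
        findings |= {("undefined", kind, n) for n in used - defined}
        findings |= {("unused", kind, n) for n in defined - used}
    return sorted(findings)

# Constructed samples: abridged lines from the two listings in this thread.
POST = """\
crypto isakmp profile vpn001
 match identity group VPN001
crypto isakmp profile sitetosite
 match identity address 200.200.200.200 255.255.255.255
crypto ipsec transform-set ts001 esp-3des esp-md5-hmac
crypto ipsec transform-set ts002 esp-3des esp-sha-hmac
crypto dynamic-map dynmap 1
 set transform-set ts001
 set isakmp-profile vpn001
crypto map TestVPN 1 ipsec-isakmp dynamic dynmap
crypto map TestVPN 2 ipsec-isakmp
 set transform-set ts002
"""
REPLY = """\
crypto ipsec transform-set vpnset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set vpnset
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap 20 ipsec-isakmp
 set transform-set superset
"""
if __name__ == "__main__":
    for label, text in (("first post", POST), ("reply", REPLY)):
        for problem, kind, name in audit(text):
            print(f"{label}: {problem} {kind} {name}")
```

A reported name is a prompt to review that part of the configuration; whether it matters depends on the rest of the running config, which these excerpts do not include.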
