Setting up VPN from Windows XP to a Cisco router

Newsgroup: comp.dcom.sys.cisco
Subject: Setting up VPN from Windows XP to a Cisco router
Author: rengaw03
Date: 04-18-2006
Posted by on April 18, 2006, 3:28 pm
I'm trying to set up a Cisco 877 router to function as a VPN server for
our network so that people can connect using the VPN client built into
Windows XP.

I've tried following the directions at
http://www.cisco.com/en/US/tech/tk827/tk369/technologies_configuration_example09186a00801e51e2.shtml,
and I can connect from a Windows XP machine, but I can't reach anything
on the internal network: I can ping the WAN address of the router, but
not the LAN address, and not any of the servers behind the router. Is
there something I didn't set up properly?

If I'm asking stupid questions here, and the answer should be obvious
to any sysadmin, there's a good reason: I'm not a sysadmin. I'm a
programmer who knows more about networking than anyone else in the
building.

--
Mark Wagner


Posted by Merv on April 18, 2006, 3:52 pm

> I'm trying to set up a Cisco 877 router to function as a VPN server for
> our network so that people can connect using the VPN client built into
> Windows XP.


post the following

show version

show run masking out the outside IP address

show ip route

show user

show vpdn


Posted by on April 19, 2006, 3:03 pm
Merv wrote:
> > I'm trying to set up a Cisco 877 router to function as a VPN server for
> > our network so that people can connect using the VPN client built into
> > Windows XP.
>
>
> post the following
>
> show version

Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(8)YI2, RELEASE SOFTWARE (fc1)
Synched to technology version 12.3(10.3)T2
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2005 by Cisco Systems, Inc.
Compiled Tue 14-Jun-05 18:58 by ealyon

ROM: System Bootstrap, Version 12.3(8r)YI1, RELEASE SOFTWARE
ROM: Cisco IOS Software, C870 Software (C870-ADVSECURITYK9-M), Version 12.3(8)YI2, RELEASE SOFTWARE (fc1)

router uptime is 4 weeks, 6 days, 20 minutes
System returned to ROM by power-on
System restarted at 10:40:41 PCTime Thu Mar 16 2006
System image file is "flash:c870-advsecurityk9-mz.123-8.YI2.bin"

<crypto boilerplate snipped>

Cisco 877 (MPC8272) processor (revision 0x100) with 118784K/12288K bytes of memory.
Processor board ID FHK094721E3
MPC8272 CPU Rev: Part Number 0xC, Mask Number 0x10
4 FastEthernet interfaces
1 ATM interface
128K bytes of non-volatile configuration memory.
24576K bytes of processor board System flash (Intel Strataflash)

Configuration register is 0x2102

> show run masking out the outside IP address
ww.xx.yy.zz is the first IP address in the block we got from our ISP
ww.xx.yy.zq is the outside IP address of the router
ww.xx.yy.zr is the outside IP address of the computer currently
functioning as a VPN server

!
! Last configuration change at 11:28:43 PDT Tue Apr 18 2006 by admin
! NVRAM config last updated at 14:26:22 PDT Mon Apr 3 2006 by admin
!
version 12.3
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 debugging
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username admin privilege 15 secret 5 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
username testclient password 7 xxxxxxxxxxxxxxxxxxxxxxxxxxxx
no aaa new-model
ip subnet-zero
no ip source-route
ip cef
ip dhcp excluded-address 192.168.17.1 192.168.17.34
ip dhcp excluded-address 192.168.17.208 192.168.17.254
!
ip dhcp pool sdm-pool1
import all
network 192.168.17.0 255.255.255.0
dns-server 192.168.17.27
default-router 192.168.17.1
netbios-name-server 192.168.17.27
lease 14
!
!
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
ip domain name our-company.com
ip name-server 205.171.3.65
ip name-server 205.171.2.65
ip ssh time-out 60
ip ssh authentication-retries 2
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
no ftp-server write-enable
!
!
!
!
!
!
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
!
interface ATM0.2 point-to-point
pvc 0/32
encapsulation aal5snap
protocol ppp dialer
dialer pool-member 1
!
!
interface FastEthernet0
no ip address
no cdp enable
!
interface FastEthernet1
no ip address
no cdp enable
!
interface FastEthernet2
no ip address
no cdp enable
!
interface FastEthernet3
no ip address
no cdp enable
!
interface Virtual-Template1
ip unnumbered FastEthernet0
ip mroute-cache
peer default ip address pool winvpn
no keepalive
ppp encrypt mppe 128 required
ppp authentication chap ms-chap
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
ip address 192.168.17.1 255.255.255.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
!
interface Dialer0
ip address ww.xx.yy.zq 255.255.255.248
ip access-group sdm_dialer0_in in
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxxxxxxxxxxxxxxxxxxx
ppp chap password 7 xxxxxxxxxxxxxxxxxxxxx
!
ip local pool winvpn 192.168.16.0 192.168.16.255
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000
ip nat inside source list 1 interface Dialer0 overload
ip nat inside source static tcp 192.168.17.29 5003 interface Dialer0 5003
ip nat inside source static tcp 192.168.17.29 8001 interface Dialer0 8001
ip nat inside source static tcp 192.168.17.27 21 interface Dialer0 21
ip nat inside source static tcp 192.168.17.26 8080 interface Dialer0 8080
ip nat inside source static tcp 192.168.17.26 810 interface Dialer0 810
ip nat inside source static tcp 192.168.17.26 25 interface Dialer0 25
ip nat inside source static tcp 192.168.17.26 110 interface Dialer0 110
ip nat inside source static tcp 192.168.17.26 510 interface Dialer0 510
ip nat inside source static tcp 192.168.17.27 80 interface Dialer0 80
ip nat inside source static udp 192.168.17.26 810 interface Dialer0 810
ip nat inside source static 192.168.17.27 ww.xx.yy.zr
!
ip access-list extended sdm_dialer0_in
remark SDM_ACL Category=1
permit gre 206.63.88.0 0.0.7.255 host ww.xx.yy.zr
permit gre host 67.185.129.168 host ww.xx.yy.zr
permit esp any host ww.xx.yy.zr
permit tcp 206.63.88.0 0.0.7.255 host ww.xx.yy.zr eq 1723
permit tcp host 67.185.129.168 host ww.xx.yy.zr eq 1723
permit udp any host ww.xx.yy.zr eq isakmp
permit udp any host ww.xx.yy.zr eq 1701
permit udp any host ww.xx.yy.zr eq non500-isakmp
permit ip any host ww.xx.yy.zq
permit udp any eq domain host ww.xx.yy.zr
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 192.168.17.0 0.0.0.255
access-list 100 remark auto-generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip ww.xx.yy.zq 0.0.0.7 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto-generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 deny ip 192.168.17.0 0.0.0.255 any
access-list 101 permit icmp any host ww.xx.yy.zq echo-reply
access-list 101 permit icmp any host ww.xx.yy.zq time-exceeded
access-list 101 permit icmp any host ww.xx.yy.zq unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
dialer-list 1 protocol ip permit
no cdp run
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
login local
no modem enable
transport preferred all
transport output telnet
line aux 0
login local
transport preferred all
transport output telnet
line vty 0 4
privilege level 15
login local
transport preferred all
transport input telnet ssh
transport output all
!
end

> show ip route
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

ww.0.0.0/29 is subnetted, 1 subnets
C ww.xx.yy.zz is directly connected, Dialer0
207.225.41.0/32 is subnetted, 1 subnets
C 207.225.41.193 is directly connected, Dialer0
C 192.168.17.0/24 is directly connected, Vlan1
192.168.16.0/32 is subnetted, 1 subnets
C 192.168.16.0 is directly connected, Virtual-Access5
S* 0.0.0.0/0 is directly connected, Dialer0

> show user

Line User Host(s) Idle Location
* 2 vty 0 admin idle 00:00:00 192.168.17.34

Interface User Mode Idle Peer Address
Vi2 PPPoATM 00:00:07 207.225.41.193
Vi5 testclient PPPoVPDN 00:00:28 192.168.16.0

> show vpdn

%No active L2F tunnels

%No active L2TP tunnels

PPTP Tunnel and Session Information Total tunnels 1 sessions 1

LocID Remote Name State Remote Address Port Sessions VPDN Group
29 estabd 192.168.17.64 1102 1 1


LocID RemID TunID Intf Username State Last Chg Uniq ID
29 49152 29 Vi5 testclient estabd 00:02:21 30
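
Added example (my code, not the poster's, Merv's, or Cisco's): a small Python audit run over a constructed excerpt of the running-config posted above. The excerpt keeps the structure of that config but none of its secrets: the type 7 value 0822455D0A16 is the well-known encoding of "cisco" (decoded here with the standard type 7 keystream), 198.51.100.2 stands in for the masked Dialer0 address, and the `secret 5` hash is a placeholder. The checks are the ones a reviewer would want on this config: PPTP accepted (unavoidable with the XP built-in client, so the authentication method is what can be tightened); `ms-chap` (v1) listed in `ppp authentication` where the XP client also speaks `ms-chap-v2`; `password 7` values, which `service password-encryption` makes reversible rather than hashed (hence the poster masking them); `ip unnumbered FastEthernet0` on the Virtual-Template, where FastEthernet0 on this 877 is a switch port with `no ip address` and the LAN address lives on Vlan1; a pool that starts at 192.168.16.0 (the `show user` output shows Vi5 holding exactly that address); telnet permitted on the vty lines; and `ip http server` alongside the secure server.

```python
"""Audit an IOS running-config excerpt for the weak or inconsistent settings
visible in the thread.  Constructed excerpt; secrets are placeholders."""
import re

# Constructed excerpt modelled on the posted config (not the poster's secrets).
CONFIG = """\
version 12.3
service password-encryption
hostname router
username admin privilege 15 secret 5 $1$placeholder
username testclient password 7 0822455D0A16
vpdn enable
!
vpdn-group 1
 accept-dialin
  protocol pptp
  virtual-template 1
!
interface FastEthernet0
 no ip address
!
interface Virtual-Template1
 ip unnumbered FastEthernet0
 peer default ip address pool winvpn
 ppp encrypt mppe 128 required
 ppp authentication chap ms-chap
!
interface Vlan1
 ip address 192.168.17.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address 198.51.100.2 255.255.255.248
 ip nat outside
 ppp chap password 7 0822455D0A16
!
ip local pool winvpn 192.168.16.0 192.168.16.255
ip http server
ip http secure-server
!
line vty 0 4
 transport input telnet ssh
!
end
"""

# Fixed type 7 keystream; the first two digits of a value are the start offset.
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

def type7_decode(blob: str) -> str:
    """Reverse a 'password 7' value: each byte is XORed with XLAT[seed + i]."""
    seed, body = int(blob[:2]), bytes.fromhex(blob[2:])
    return "".join(chr(b ^ ord(XLAT[(seed + i) % len(XLAT)])) for i, b in enumerate(body))

SECTION = re.compile(r"^(interface|line|vpdn-group) (.+)$")

def parse_sections(cfg: str):
    """Split a config into top-level lines and {section: [sub-commands]}; '!' ends a section."""
    top, sections, current = [], {}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line == "!":
            current = None
        elif SECTION.match(line):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
        else:
            top.append(line)
    return top, sections

def audit(cfg: str):
    """Return [(code, message)] for each weak or inconsistent setting found."""
    findings = []
    top, sections = parse_sections(cfg)
    for name, body in sections.items():
        if name.startswith("vpdn-group") and "protocol pptp" in body:
            findings.append(("PPTP", f"{name}: PPTP accepted; security rests on the PPP authentication"))
        if name.startswith("line vty") and any(c.startswith("transport input") and "telnet" in c.split() for c in body):
            findings.append(("TELNET_VTY", f"{name}: telnet allowed, management logins cross the wire in clear"))
        for cmd in body:
            toks = cmd.split()
            if cmd.startswith("ppp authentication") and "ms-chap" in toks:
                findings.append(("MSCHAPV1", f"{name}: MS-CHAP v1 accepted ({cmd}); prefer ms-chap-v2 only"))
            if cmd.startswith("ip unnumbered ") and not any(
                    re.match(r"ip address \d", t) for t in sections.get(f"interface {toks[2]}", [])):
                findings.append(("UNNUMBERED_NO_ADDR", f"{name}: borrows its address from {toks[2]}, which has none"))
    for line in top + [c for body in sections.values() for c in body]:
        m = re.search(r"\bpassword 7 ([0-9A-Fa-f]+)$", line)
        if m:
            findings.append(("TYPE7", f"{line.rsplit(' ', 1)[0]} ...: reversible, decodes to {type7_decode(m.group(1))!r}"))
        m = re.match(r"ip local pool \S+ (\S+) \S+$", line)
        if m and m.group(1).endswith(".0"):
            findings.append(("POOL_ZERO", f"{line}: the first client is handed the .0 address"))
        if line == "ip http server":
            findings.append(("HTTP_PLAIN", "ip http server: clear-text web management next to the secure server"))
    return findings

if __name__ == "__main__":
    for code, msg in audit(CONFIG):
        print(f"[{code}] {msg}")
```

The parser only understands the three section kinds it needs (`interface`, `line`, `vpdn-group`) and treats `!` as the section terminator, which is enough for the pasted config even though the posting lost its indentation. Each finding carries a stable code so the result can be asserted on or fed to a ticket rather than eyeballed; re-running it after changing `ip unnumbered FastEthernet0` to `ip unnumbered Vlan1` makes the UNNUMBERED_NO_ADDR finding disappear.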


Posted by Merv on April 19, 2006, 6:59 pm
I would suggest that you change the vpn pool address range as follows
and capitalize its name so it stands out better in the configuration.

no ip local pool winvpn 192.168.16.0 192.168.16.255

ip local pool WINVPN 192.168.16.1 192.168.16.254

int Virtual-Template1
no peer default ip address pool winvpn
peer default ip address pool WINVPN


From the "show vpdn" output the remote IP address is a LAN address of
192.168.17.64

Are you testing this from the LAN the Cisco 877 is attached to or from
elsewhere on the Internet ?


Posted by on April 19, 2006, 7:24 pm

Merv wrote:
> I would suggest that you change the vpn pool address range as follows
> and capitalize its name so it stands out better in the configuration.
>
> no ip local pool winvpn 192.168.16.0 192.168.16.255
>
> ip local pool WINVPN 192.168.16.1 192.168.16.254
>
> int Virtual-Template1
> no peer default ip address pool winvpn
> peer default ip address pool WINVPN

Done.

> From the "show vpdn" output the remote IP address is a LAN address of
> 192.168.17.64
>
> Are you testing this from the LAN the Cisco 877 is attached to or from
> elsewhere on the Internet ?

The "show ip route", "show user", and "show vpdn" output is from the LAN, but
my original message is from testing over the Internet.

--
Mark Wagner

