access win domain w/ cisco 800 easy vpn

Posted by Absolut Newbie on February 10, 2005, 2:15 pm


I have a Cisco 800 router w/ Easy VPN. It is set up to allow IP access from
outside to inside the network using IP address only.

However, now I need to have my users

1) authenticate via the Windows Domain controller (PDC) on connection.
2) once authenticated, they need to be identified by the network as
Domain\User and not have to re-enter the username and password when accessing
network shares.
3) users need to be able to access computers via their NetBIOS name, i.e.
"ping foobar".

Is this doable? Where can I find info on how to do this? Attached is my config
file. Am I maybe blocking something w/ my firewall? Would I need to change a
lot to get it working? Also, do I have to assign my VPN users an address
from another subnet? Can't I give them an address from my office subnet?

thanx!


adam#sh running-config
Building configuration...

Current configuration : 5339 bytes
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname foo
!
no logging buffered
no logging console
enable secret 5 XXXXXXXXXXXXXXXXXXXXXXXX
!
username CRWS_Giri privilege 15 password 7 XXXXXXXXXXXXXXXXXXXXXXX
username XXXXX password 7 XXXXXXXXXXXXXXXXX
username sdm privilege 15 password 7 XXXXXXXXXXXXXX
aaa new-model
!
!
aaa authentication password-prompt "Enter your password now:"
aaa authentication username-prompt "Enter your name here:"
aaa authentication login default local
aaa authentication login userlist local
aaa authentication ppp default local
aaa authorization network grouplist local
aaa session-id common
ip subnet-zero
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.10.10.129 10.10.10.254
!
ip dhcp pool CLIENT
 import all
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 lease infinite
!
ip inspect name myfw cuseeme timeout 3600
ip inspect name myfw ftp timeout 3600
ip inspect name myfw rcmd timeout 3600
ip inspect name myfw realaudio timeout 3600
ip inspect name myfw smtp timeout 3600
ip inspect name myfw tftp timeout 30
ip inspect name myfw udp timeout 15
ip inspect name myfw tcp timeout 3600
ip inspect name myfw h323 timeout 3600
ip inspect name myfw icmp
ip audit notify log
ip audit po max-events 100
ip ssh break-string foo
no ftp-server write-enable
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
!
crypto isakmp policy 4
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp client configuration group vpn_group
 key XXXXXXX
 domain local
 pool vpnclients
 acl 129
!
!
crypto ipsec transform-set tr-null-sha esp-null esp-sha-hmac
crypto ipsec transform-set tr-des-md5 esp-des esp-md5-hmac
crypto ipsec transform-set tr-des-sha esp-des esp-sha-hmac
crypto ipsec transform-set tr-3des-sha esp-3des esp-sha-hmac
!
crypto dynamic-map vpnusers 1
 description Client to Site VPN Users
 set transform-set tr-des-md5 tr-des-sha tr-3des-sha
!
!
crypto map cm-cryptomap client authentication list userlist
crypto map cm-cryptomap isakmp authorization list grouplist
crypto map cm-cryptomap client configuration address respond
crypto map cm-cryptomap 99 ipsec-isakmp dynamic vpnusers
!
!
!
!
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 no ip mroute-cache
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 8/48
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
 dsl power-cutback 1
!
interface Dialer0
 no ip address
!
interface Dialer1
 ip address negotiated
 ip access-group 111 in
 ip nat outside
 ip inspect myfw out
 encapsulation ppp
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname XXXXXXXXXXXXX
 ppp chap password 7 XXXXXXXXXXXX
 ppp pap sent-username XXXXXXXXXXXXX password 7 XXXXXXXXXXXXX
 ppp ipcp dns request
 ppp ipcp wins request
 crypto map cm-cryptomap
 hold-queue 224 in
!
ip local pool vpnclients 192.168.10.1 192.168.10.254
ip nat inside source route-map nonat interface Dialer1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
no ip http secure-server
!

access-list 23 permit 10.10.10.0 0.0.0.255
access-list 111 permit icmp any any administratively-prohibited
access-list 111 permit icmp any any echo
access-list 111 permit icmp any any echo-reply
access-list 111 permit icmp any any packet-too-big
access-list 111 permit icmp any any time-exceeded
access-list 111 permit icmp any any traceroute
access-list 111 permit icmp any any unreachable
access-list 111 permit udp any eq bootps any eq bootpc
access-list 111 permit udp any eq bootps any eq bootps
access-list 111 permit udp any eq domain any
access-list 111 permit esp any any
access-list 111 permit udp any any eq isakmp
access-list 111 permit udp any any eq 10000
access-list 111 permit tcp any any eq 1723
access-list 111 permit tcp any any eq 139
access-list 111 permit udp any any eq netbios-ns
access-list 111 permit udp any any eq netbios-dgm
access-list 111 permit gre any any
access-list 111 permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
access-list 111 permit udp any any eq non500-isakmp
access-list 129 permit ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 deny ip 10.10.10.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 150 permit ip 10.10.10.0 0.0.0.255 any
dialer-list 1 protocol ip permit
route-map nonat permit 10
 match ip address 150
!
banner motd ^CWelcome To The Machine.^C
!
line con 0
 exec-timeout 120 0
 no modem enable
 transport preferred all
 transport output all
line aux 0
 transport preferred all
 transport output all
line vty 0 4
 access-class 23 in
 exec-timeout 120 0
 length 0
 transport preferred all
 transport input all
 transport output all
!
scheduler max-task-time 5000
!
end
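The following IOS fragment is an added example, not part of the original post or of any reply in the thread. It shows the three changes the three requirements call for against the config above: point Xauth (the "userlist" login list) at the Windows domain controller over RADIUS instead of the local user database, push DNS/WINS/domain to the Easy VPN clients so NetBIOS names resolve over the tunnel, and make the split-tunnel ACL, the NAT-exemption ACL and the inbound ACL on Dialer1 agree with the address pool. In the posted config the pool is 192.168.10.0/24 while acl 129, acl 150 and one line of acl 111 name 192.168.2.0/24, so LAN replies to VPN clients are not exempted from NAT and get PATed to the Dialer1 address instead of entering the tunnel. Assumed values: the DC runs IAS (Windows Server RADIUS) at 10.10.10.2, the RADIUS shared secret is ASSUMED_SECRET, and the AD DNS domain is example.local; the group key XXXXXXX is the one already in the config.

```cisco
! Added example, not from the original post. Assumed: DC/IAS = 10.10.10.2,
! RADIUS secret = ASSUMED_SECRET, AD DNS domain = example.local.
!
! 1) Xauth against the domain via RADIUS. IOS Xauth presents PAP to the RADIUS
!    server, so the IAS remote access policy for these users must allow
!    unencrypted (PAP) authentication and the users need dial-in permission.
!    "local" stays only as a fallback for when the RADIUS server is unreachable.
radius-server host 10.10.10.2 auth-port 1812 acct-port 1813 key ASSUMED_SECRET
aaa authentication login userlist group radius local
!
! 2) Push name resolution to the client. NetBIOS broadcasts do not cross the
!    tunnel, so "ping foobar" only works if the client gets WINS (and DNS,
!    for the AD domain name) from the group config.
crypto isakmp client configuration group vpn_group
 key XXXXXXX
 dns 10.10.10.2
 wins 10.10.10.2
 domain example.local
 pool vpnclients
 acl 129
!
! 3) Make every ACL that refers to the client subnet match the pool
!    (192.168.10.0/24), not 192.168.2.0/24.
!    acl 129: split-tunnel list (LAN -> client pool goes through the tunnel)
no access-list 129
access-list 129 permit ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
!    acl 150: NAT exemption used by route-map nonat; the deny must cover the
!    pool or LAN replies to VPN clients are translated to the Dialer1 address.
no access-list 150
access-list 150 deny ip 10.10.10.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 permit ip 10.10.10.0 0.0.0.255 any
!    acl 111: inbound on Dialer1; swap the single stale line in place rather
!    than re-entering the whole list.
ip access-list extended 111
 no permit ip 192.168.2.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 10.10.10.0 0.0.0.255
!
! 4) Unrelated to the domain logon but worth doing while in here: the posted
!    dynamic map offers single-DES and the config defines an esp-null set.
!    Offer only the 3DES/SHA set.
crypto dynamic-map vpnusers 1
 set transform-set tr-3des-sha
no crypto ipsec transform-set tr-null-sha
```

Two caveats on requirement 2). Xauth over RADIUS checks the password against the domain, but it does not log the workstation on to the domain; the Cisco VPN Client's "Start Before Logon" option brings the tunnel up before the Windows logon so the domain logon itself (and the credentials Windows then reuses for shares) go over the tunnel. And if the Xauth username and password match the domain account, the router still only sees an IP address from the pool; the "Domain\User" identity is applied by the Windows servers when the client authenticates to them. On the last question in the post: handing VPN clients addresses out of 10.10.10.0/24 is possible, but then the router has to answer ARP for them on Ethernet0 and the addresses must be excluded from the DHCP scope, so a separate subnet with a NAT exemption, as the posted config already does, is the simpler arrangement.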



