How to Configure Easy VPN server on Cisco 2811 router

nicegagan · 11-04-2007, 03:09 AM

Dear experts,

We bought new Cisco 2811 router with vpn. I configured EASY VPN Server on Cisco 2811 router with Cisco SDM. Im able to Connect with Router using Cisco VPN client but Im not able to communicate with local Lan of my Router. Here Im sending complete configuration for my router and my network.

Router F0/1 : 172.16.1.42 255.255.255.0 (Local Lan need to access through Remote VPN Client this is Im not able to reach when I connect with vpn remotely)

Router F0/0 : 80.227.XXX.XXX (Public IP)

Building configuration...

Current configuration : 5761 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ctsvpn
!
boot-start-marker
boot-end-marker
!
no logging buffered
enable secret 5 $1$.gHI$M0zCY2pPs7V/W6WjfzqMy0
enable password XXXX
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
ip subnet-zero
no ip routing
!
!
no ip cef
!
!
ip domain name cig.ae
ip name-server 80.227.2.2
ip name-server 80.227.2.3
ip name-server 213.132.33.15
!
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-879286165
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-879286165
revocation-check none
rsakeypair TP-self-signed-879286165
!
!
crypto pki certificate chain TP-self-signed-879286165
certificate self-signed 01
3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 38373932 38363136 35301E17 0D303731 31303331 39313431
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3837 39323836
31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
B91D4C9C ADEA6860 D734711E 3A9EBB28 8FF50DAC 00F158E6 942B302D CCCBE4AB
013384D8 3F9F14A4 5F534F14 18F158F4 A157F4E5 9A1B8B0F E4E80A88 2C14ED02
4547EA3F D526E896 A8500548 5FD96A61 3FCD80CA 7FF1AE23 74E8B17B 15E4D3AD
FCDA0F73 D8DADC51 5C8F9D79 700707C5 1B2102EA 46A9A519 88ED15C8 B97088D9
02030100 01A36730 65300F06 03551D13 0101FF04 05300301 01FF3012 0603551D
11040B30 09820763 74737670 6E2E301F 0603551D 23041830 168014E4 0078CD15
BEFAB0C2 138E8CC6 C76A1253 3ABBC430 1D060355 1D0E0416 0414E400 78CD15BE
FAB0C213 8E8CC6C7 6A12533A BBC4300D 06092A86 4886F70D 01010405 00038181
005E436C 0DA40403 76DF45D8 19F5C205 2934717B F7A6AB06 83102FD3 5A4C46DE
F63F591B 10582DD7 EDFF25CB 29C629B8 8B2D46B4 BAC35F34 1B975649 48A75FCA
82907A9C 3ACCC73F 79C6B121 134EED2E BC8CECDC D4D855F0 C8F0D5B8 A8C0DC7B
92A27298 E336F27B C764E588 0007ED34 FA28B7B2 E5A6FC2A A6CAAEB9 5AD8137D AA
quit
username admin privilege 15 secret 5 $1$d3fS$Gb1rsMIhAvsVYz/rePZZc1
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp xauth timeout 15

!
crypto isakmp client configuration group ctsvpn
key XXXXX
dns 172.16.1.50 172.16.1.51
wins 172.16.1.50
domain cig.ae
pool SDM_POOL_1
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0/0
description $ETH-WAN$
ip address 80.227.XXX.XXX 255.255.255.0
ip access-group 100 in
no ip route-cache
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet0/1
ip address 172.16.1.42 255.255.255.0
ip access-group 101 in
no ip route-cache
duplex half
speed auto
no mop enabled
!
interface Serial0/0/0
no ip address
no ip route-cache
shutdown
clock rate 2000000
!
interface Serial0/0/1
no ip address
no ip route-cache
shutdown
clock rate 2000000
!
ip local pool SDM_POOL_1 172.16.25.1 172.16.25.50
ip default-gateway 80.227.XXX.XXX
ip classless
!
!
ip http server
ip http access-class 1
ip http secure-server
!
access-list 1 remark Auto generated by SDM Management Access feature
access-list 1 remark SDM_ACL Category=1
access-list 1 permit 172.16.1.0 0.0.0.255
access-list 1 permit 91.75.80.0 0.0.0.255
access-list 100 remark Auto generated by SDM Management Access feature
access-list 100 remark SDM_ACL Category=1
access-list 100 permit tcp 91.75.80.0 0.0.0.255 host 80.227.146.250 eq 443
access-list 100 deny tcp any host 80.227.146.250 eq telnet
access-list 100 deny tcp any host 80.227.146.250 eq 22
access-list 100 deny tcp any host 80.227.146.250 eq www
access-list 100 deny tcp any host 80.227.146.250 eq 443
access-list 100 deny tcp any host 80.227.146.250 eq cmd
access-list 100 deny udp any host 80.227.146.250 eq snmp
access-list 100 permit ip any any
access-list 101 remark Auto generated by SDM Management Access feature
access-list 101 remark SDM_ACL Category=1
access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq telnet
access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq 22
access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq www
access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq 443
access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq cmd
access-list 101 deny tcp any host 172.16.1.42 eq telnet
access-list 101 deny tcp any host 172.16.1.42 eq 22
access-list 101 deny tcp any host 172.16.1.42 eq www
access-list 101 deny tcp any host 172.16.1.42 eq 443
access-list 101 deny tcp any host 172.16.1.42 eq cmd
access-list 101 deny udp any host 172.16.1.42 eq snmp
access-list 101 permit ip any any
access-list 102 remark Auto generated by SDM Management Access feature
access-list 102 remark SDM_ACL Category=1
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
snmp-server community public RO
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 102 in
password cts@doz
!
scheduler allocate 20000 1000
!
end

-----------------------------------
Thanks
Gagan

11-04-2007, 03:09 AM	#1 (permalink)
nicegagan Registered User Join Date: Nov 2007 Posts: 8 OS: WINXP WIN Vista	How to Configure Easy VPN server on Cisco 2811 router Dear experts, We bought new Cisco 2811 router with vpn. I configured EASY VPN Server on Cisco 2811 router with Cisco SDM. Im able to Connect with Router using Cisco VPN client but Im not able to communicate with local Lan of my Router. Here Im sending complete configuration for my router and my network. Router F0/1 : 172.16.1.42 255.255.255.0 (Local Lan need to access through Remote VPN Client this is Im not able to reach when I connect with vpn remotely) Router F0/0 : 80.227.XXX.XXX (Public IP) Building configuration... Current configuration : 5761 bytes ! version 12.4 service timestamps debug datetime msec service timestamps log datetime msec no service password-encryption ! hostname ctsvpn ! boot-start-marker boot-end-marker ! no logging buffered enable secret 5 $1$.gHI$M0zCY2pPs7V/W6WjfzqMy0 enable password XXXX ! aaa new-model ! ! aaa authentication login default local aaa authentication login sdm_vpn_xauth_ml_1 local aaa authorization exec default local aaa authorization network sdm_vpn_group_ml_1 local ! aaa session-id common ! resource policy ! ip subnet-zero no ip routing ! ! no ip cef ! ! ip domain name cig.ae ip name-server 80.227.2.2 ip name-server 80.227.2.3 ip name-server 213.132.33.15 ! ! voice-card 0 no dspfarm ! ! ! ! ! ! ! ! ! ! ! ! ! crypto pki trustpoint TP-self-signed-879286165 enrollment selfsigned subject-name cn=IOS-Self-Signed-Certificate-879286165 revocation-check none rsakeypair TP-self-signed-879286165 ! ! crypto pki certificate chain TP-self-signed-879286165 certificate self-signed 01 3082023D 308201A6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274 69666963 6174652D 38373932 38363136 35301E17 0D303731 31303331 39313431 355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F 532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3837 39323836 31363530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100 B91D4C9C ADEA6860 D734711E 3A9EBB28 8FF50DAC 00F158E6 942B302D CCCBE4AB 013384D8 3F9F14A4 5F534F14 18F158F4 A157F4E5 9A1B8B0F E4E80A88 2C14ED02 4547EA3F D526E896 A8500548 5FD96A61 3FCD80CA 7FF1AE23 74E8B17B 15E4D3AD FCDA0F73 D8DADC51 5C8F9D79 700707C5 1B2102EA 46A9A519 88ED15C8 B97088D9 02030100 01A36730 65300F06 03551D13 0101FF04 05300301 01FF3012 0603551D 11040B30 09820763 74737670 6E2E301F 0603551D 23041830 168014E4 0078CD15 BEFAB0C2 138E8CC6 C76A1253 3ABBC430 1D060355 1D0E0416 0414E400 78CD15BE FAB0C213 8E8CC6C7 6A12533A BBC4300D 06092A86 4886F70D 01010405 00038181 005E436C 0DA40403 76DF45D8 19F5C205 2934717B F7A6AB06 83102FD3 5A4C46DE F63F591B 10582DD7 EDFF25CB 29C629B8 8B2D46B4 BAC35F34 1B975649 48A75FCA 82907A9C 3ACCC73F 79C6B121 134EED2E BC8CECDC D4D855F0 C8F0D5B8 A8C0DC7B 92A27298 E336F27B C764E588 0007ED34 FA28B7B2 E5A6FC2A A6CAAEB9 5AD8137D AA quit username admin privilege 15 secret 5 $1$d3fS$Gb1rsMIhAvsVYz/rePZZc1 ! ! ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp xauth timeout 15 ! crypto isakmp client configuration group ctsvpn key XXXXX dns 172.16.1.50 172.16.1.51 wins 172.16.1.50 domain cig.ae pool SDM_POOL_1 include-local-lan netmask 255.255.255.0 ! ! crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac ! crypto dynamic-map SDM_DYNMAP_1 1 set transform-set ESP-3DES-SHA reverse-route ! ! crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1 crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1 crypto map SDM_CMAP_1 client configuration address respond crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 ! ! ! ! interface FastEthernet0/0 description $ETH-WAN$ ip address 80.227.XXX.XXX 255.255.255.0 ip access-group 100 in no ip route-cache duplex auto speed auto crypto map SDM_CMAP_1 ! interface FastEthernet0/1 ip address 172.16.1.42 255.255.255.0 ip access-group 101 in no ip route-cache duplex half speed auto no mop enabled ! interface Serial0/0/0 no ip address no ip route-cache shutdown clock rate 2000000 ! interface Serial0/0/1 no ip address no ip route-cache shutdown clock rate 2000000 ! ip local pool SDM_POOL_1 172.16.25.1 172.16.25.50 ip default-gateway 80.227.XXX.XXX ip classless ! ! ip http server ip http access-class 1 ip http secure-server ! access-list 1 remark Auto generated by SDM Management Access feature access-list 1 remark SDM_ACL Category=1 access-list 1 permit 172.16.1.0 0.0.0.255 access-list 1 permit 91.75.80.0 0.0.0.255 access-list 100 remark Auto generated by SDM Management Access feature access-list 100 remark SDM_ACL Category=1 access-list 100 permit tcp 91.75.80.0 0.0.0.255 host 80.227.146.250 eq 443 access-list 100 deny tcp any host 80.227.146.250 eq telnet access-list 100 deny tcp any host 80.227.146.250 eq 22 access-list 100 deny tcp any host 80.227.146.250 eq www access-list 100 deny tcp any host 80.227.146.250 eq 443 access-list 100 deny tcp any host 80.227.146.250 eq cmd access-list 100 deny udp any host 80.227.146.250 eq snmp access-list 100 permit ip any any access-list 101 remark Auto generated by SDM Management Access feature access-list 101 remark SDM_ACL Category=1 access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq telnet access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq 22 access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq www access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq 443 access-list 101 permit tcp 172.16.1.0 0.0.0.255 host 172.16.1.42 eq cmd access-list 101 deny tcp any host 172.16.1.42 eq telnet access-list 101 deny tcp any host 172.16.1.42 eq 22 access-list 101 deny tcp any host 172.16.1.42 eq www access-list 101 deny tcp any host 172.16.1.42 eq 443 access-list 101 deny tcp any host 172.16.1.42 eq cmd access-list 101 deny udp any host 172.16.1.42 eq snmp access-list 101 permit ip any any access-list 102 remark Auto generated by SDM Management Access feature access-list 102 remark SDM_ACL Category=1 access-list 102 permit ip 172.16.1.0 0.0.0.255 any snmp-server community public RO ! ! ! ! control-plane ! ! ! ! ! ! ! ! ! ! line con 0 line aux 0 line vty 0 4 access-class 102 in password cts@doz ! scheduler allocate 20000 1000 ! end ----------------------------------- Thanks Gagan