From: Christopher Larson (clarson@xxxxxxxxxxx)
Date: Wed Feb 07 2001 - 15:38:50 GMT-3
Actually (sorry) you would set a range in the client software from 10.1.1.0
- 10.1.2.0.
-----Original Message-----
From: Christopher Larson [mailto:clarson@mtieast.com]
Sent: Wednesday, February 07, 2001 1:30 PM
To: 'David Etling'; ccielab@groupstudy.com
Subject: RE: Client to PC VPN
Using a dynamic crypto map is going to allow the client software to dictate
what it has access to. So if you are using Cisco Secure Client then set the
remote party addressing to 10.1.2.0 255.255.255.0 and you should have access
to that whole subnet. If you watch the router when a client connects and then
do a show access-list you will see a dynamic access list shows up basically
saying 10.1.2.0 can go to your client.
-----Original Message-----
From: David Etling [mailto:detling@fdinetworking.com]
Sent: Wednesday, February 07, 2001 12:53 PM
To: ccielab@groupstudy.com
Subject: Client to PC VPN
Hi Group,
This may be a stupid question but when your client PC attaches via
secure tunnel, what allows a network connection I.E. mail server, NT
Server. Is there any special configuration you need? The reason I ask is
I'm automatically assigning an internal 10.1.2.x address different than
the local FA 10.1.1.X segment. I can ping the FA fine, but again it's on
a different subnet (will that matter for broadcast reasons). Would IP
simply take care of it? I haven't tried logging in to an NT server because
I don't have one available, but please look at my attached config and let
me know if I would need anything else. Sorry, I'm new to VPN technology.
Kind Regards,
David Etling
CCNP, CCDP, CCSE
hostname Lab
!
logging buffered 4096 debugging
enable password cisco
!
!
!
!
!
memory-size iomem 10
ip subnet-zero
no ip domain-lookup
ip domain-name lab.com
!
ip audit notify log
ip audit po max-events 100
cns event-service server
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
crypto isakmp key lab123 address 0.0.0.0
crypto isakmp client configuration address-pool local ourpool
!
!
crypto ipsec transform-set tran esp-3des esp-md5-hmac
!
crypto dynamic-map dyno 10
set transform-set tran
!
crypto map lab client configuration address initiate
crypto map lab client configuration address respond
crypto map lab 10 ipsec-isakmp dynamic dyno
!
!
!
!
!
!
interface Loopback0
ip address 209.50.24.1 255.255.255.0
no ip directed-broadcast
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.0
no ip directed-broadcast
ip nat inside
no keepalive
duplex auto
speed auto
!
interface Serial1/0
ip address 204.173.79.102 255.255.255.252
no ip directed-broadcast
ip nat outside
crypto map lab
!
interface Serial1/1
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/2
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/3
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/4
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/5
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/6
no ip address
no ip directed-broadcast
shutdown
!
interface Serial1/7
no ip address
no ip directed-broadcast
shutdown
!
ip local pool ourpool 10.1.2.1 10.1.2.254
ip nat pool rtrb 209.50.24.2 209.50.24.254 netmask 255.255.255.0
ip nat inside source route-map nat pool rtrb
ip classless
ip route 0.0.0.0 0.0.0.0 204.173.79.101
no ip http server
!
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
route-map nat permit 10
match ip address 101
!
!
!
line con 0
password 7 094F471A1A0A
login local
transport input none
line aux 0
password 7 0822455D0A16
login local
line vty 0 4
password 7 030752180500
login local
!
no scheduler allocate
end
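Added example (not part of the original thread or the poster's configuration): in the posted config, NAT is driven by route-map nat matching access-list 101, so traffic that ACL 101 denies is left untranslated, which is what lets the 10.1.1.x LAN reach VPN clients at their 10.1.2.x pool addresses. This Python check evaluates ACL 101 first-match against every address in pool ourpool; the inside host 10.1.1.10 is a hypothetical address on the FastEthernet0/0 segment.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines copied from the posted configuration.
SAMPLE_CONFIG = """\
ip local pool ourpool 10.1.2.1 10.1.2.254
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
"""

def wildcard_net(addr, wildcard):
    """IOS address + wildcard -> network (non-contiguous wildcards raise ValueError)."""
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def take_endpoint(tokens):
    """Consume one source or destination spec: 'any', 'host A', or 'A WILDCARD'."""
    head = tokens.pop(0)
    if head == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if head == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return wildcard_net(head, tokens.pop(0))

def parse_acl(config, number):
    """Return [(action, src_net, dst_net)] for 'access-list N permit|deny ip ...' lines."""
    entries = []
    for line in config.splitlines():
        tokens = line.split()
        if tokens[:2] == ["access-list", number] and tokens[3:4] == ["ip"]:
            rest = tokens[4:]
            entries.append((tokens[2], take_endpoint(rest), take_endpoint(rest)))
    return entries

def acl_action(entries, src, dst):
    """First matching entry wins; an ACL ends with an implicit deny."""
    for action, src_net, dst_net in entries:
        if src in src_net and dst in dst_net:
            return action
    return "deny"

def translated_pool_addresses(config, acl, pool, inside_host):
    """Pool addresses for which traffic from inside_host would still be NATed."""
    m = re.search(rf"^ip local pool {re.escape(pool)} (\S+) (\S+)$", config, re.M)
    first, last = (int(ipaddress.IPv4Address(g)) for g in m.groups())
    entries, src = parse_acl(config, acl), ipaddress.IPv4Address(inside_host)
    return [str(ipaddress.IPv4Address(a)) for a in range(first, last + 1)
            if acl_action(entries, src, ipaddress.IPv4Address(a)) == "permit"]

if __name__ == "__main__":
    # 10.1.1.10 is a hypothetical inside host on the FastEthernet0/0 segment.
    print(translated_pool_addresses(SAMPLE_CONFIG, "101", "ourpool", "10.1.1.10"))
```

An empty list means every pool address is exempt from NAT; any address returned is one a client could be assigned while LAN replies to it would be translated to the rtrb pool and fall outside the tunnel.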