Re: Client to PC VPN

From: David Etling (detling@xxxxxxxxxxxxxxxxx)
Date: Thu Feb 08 2001 - 11:14:50 GMT-3


   
Thanks for your help. Please find my config attached.
----- Original Message -----
From: Christopher Larson <clarson@mtieast.com>
To: 'David Etling' <detling@fdinetworking.com>
Sent: Thursday, February 08, 2001 7:40 AM
Subject: RE: Client to PC VPN

> I know you posted your config before (I think). Could you resend it, and
> let me have a peek?
>
> -----Original Message-----
> From: David Etling [mailto:detling@fdinetworking.com]
> Sent: Wednesday, February 07, 2001 4:36 PM
> To: Christopher Larson
> Subject: Re: Client to PC VPN
>
>
> Chris,
>
> I also tried doing a show access-list on my router and get nothing. When I
> do a show crypto dynamic-map I get :
>
> Crypto Map Template"dyno" 10
> No matching address list set.
> Current peer: 0.0.0.0
> Security association lifetime: 4608000 kilobytes/3600 seconds
> PFS (Y/N): N
> Transform sets={ tran, }
>
>
>
> ----- Original Message -----
>
>
> From: Christopher Larson <clarson@mtieast.com>
> To: 'David Etling' <detling@fdinetworking.com>; <ccielab@groupstudy.com>
> Sent: Wednesday, February 07, 2001 1:30 PM
> Subject: RE: Client to PC VPN
>
>
> > Using a dynamic crypto map is going to allow the client software to
> > dictate what it has access to. So if you are using Cisco Secure Client then set
> > the remote party addressing to 10.1.2.0 255.255.255.0 and you should have
> > access to that whole subnet. If you watch the router when a client connects and
> > then do a show access-list you will see a dynamic access list shows up
> > basically saying 10.1.2.0 can go to your client
> >
> >
> > -----Original Message-----
> > From: David Etling [mailto:detling@fdinetworking.com]
> > Sent: Wednesday, February 07, 2001 12:53 PM
> > To: ccielab@groupstudy.com
> > Subject: Client to PC VPN
> >
> >
> > Hi Group,
> >
> > This may be a stupid question but when your client PC attaches via
> > secure tunnel, what allows a network connection, i.e. mail server, NT
> > server? Is there any special configuration you need? The reason I ask is
> > I'm automatically assigning an internal 10.1.2.x address different than
> > the local FA 10.1.1.X segment. I can ping the FA fine, but again it's on
> > a different subnet (will that matter for broadcast reasons). Would IP simply take
> > care of it? I haven't tried logging in to an NT server because I don't
> > have one available, but please look at my attached config and let me
> > know if I would need anything else. Sorry, I'm new to VPN technology.
> >
> > Kind Regards,
> > David Etling
> > CCNP, CCDP, CCSE
> >
> >
> > hostname Lab
> > !
> > logging buffered 4096 debugging
> > enable password cisco
> > !
> >
> > !
> > !
> > !
> > !
> > memory-size iomem 10
> > ip subnet-zero
> > no ip domain-lookup
> > ip domain-name lab.com
> > !
> > ip audit notify log
> > ip audit po max-events 100
> > cns event-service server
> > !
> > !
> > crypto isakmp policy 1
> > encr 3des
> > hash md5
> > authentication pre-share
> > crypto isakmp key lab123 address 0.0.0.0
> > crypto isakmp client configuration address-pool local ourpool
> > !
> > !
> > crypto ipsec transform-set tran esp-3des esp-md5-hmac
> > !
> > crypto dynamic-map dyno 10
> > set transform-set tran
> > !
> > crypto map lab client configuration address initiate
> > crypto map lab client configuration address respond
> > crypto map lab 10 ipsec-isakmp dynamic dyno
> > !
> > !
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 209.50.24.1 255.255.255.0
> > no ip directed-broadcast
> > !
> > interface FastEthernet0/0
> > ip address 10.1.1.1 255.255.255.0
> > no ip directed-broadcast
> > ip nat inside
> > no keepalive
> > duplex auto
> > speed auto
> > !
> > interface Serial1/0
> > ip address 204.173.79.102 255.255.255.252
> > no ip directed-broadcast
> > ip nat outside
> > crypto map lab
> > !
> > interface Serial1/1
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/2
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/3
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/4
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/5
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/6
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > interface Serial1/7
> > no ip address
> > no ip directed-broadcast
> > shutdown
> > !
> > ip local pool ourpool 10.1.2.1 10.1.2.254
> > ip nat pool rtrb 209.50.24.2 209.50.24.254 netmask 255.255.255.0
> > ip nat inside source route-map nat pool rtrb
> > ip classless
> > ip route 0.0.0.0 0.0.0.0 204.173.79.101
> > no ip http server
> > !
> > access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
> > access-list 101 permit ip 10.1.1.0 0.0.0.255 any
> > route-map nat permit 10
> > match ip address 101
> > !
> > !
> > !
> > line con 0
> > password 7 094F471A1A0A
> > login local
> > transport input none
> > line aux 0
> > password 7 0822455D0A16
> > login local
> > line vty 0 4
> > password 7 030752180500
> > login local
> > !
> > no scheduler allocate
> > end
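An added example that is not part of this thread or anyone's posted config: a Python check over a constructed excerpt of the config above, verifying that the VPN client pool is exempted from NAT by the route-map ACL (so inside-to-client traffic reaches the crypto map untranslated) and flagging the pre-shared key bound to 0.0.0.0; the function names and the ACL-parsing approach are assumptions.

```python
import ipaddress
import re
# Constructed excerpt of the config posted in the thread (only the lines the check reads).
SAMPLE_CONFIG = """\
crypto isakmp key lab123 address 0.0.0.0
ip local pool ourpool 10.1.2.1 10.1.2.254
ip nat inside source route-map nat pool rtrb
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
route-map nat permit 10
 match ip address 101
"""

def wildcard_net(addr, wildcard):
    # IOS address/wildcard pair -> ip_network (contiguous wildcard masks only)
    bits = bin(int(ipaddress.IPv4Address(wildcard))).count("1")
    return ipaddress.ip_network(f"{addr}/{32 - bits}", strict=False)

def parse_config(text):
    # Collect the pieces that decide whether inside->VPN-client traffic bypasses NAT.
    cfg = {"pools": {}, "acl_deny": {}, "nat_rm": None, "rm_acl": {}, "wildcard_psk": False}
    rm = None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"ip local pool (\S+) (\S+) (\S+)$", line):
            cfg["pools"][m[1]] = (ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3]))
        elif m := re.match(r"ip nat inside source route-map (\S+)", line):
            cfg["nat_rm"] = m[1]
        elif m := re.match(r"access-list (\d+) deny ip (\S+) (\S+) (\S+) (\S+)", line):
            cfg["acl_deny"].setdefault(m[1], []).append(
                (wildcard_net(m[2], m[3]), wildcard_net(m[4], m[5])))
        elif m := re.match(r"route-map (\S+) permit", line):
            rm = m[1]
        elif rm and (m := re.match(r"match ip address (\d+)", line)):
            cfg["rm_acl"][rm] = m[1]
        elif re.match(r"crypto isakmp key \S+ address 0\.0\.0\.0", line):
            cfg["wildcard_psk"] = True  # phase 1 accepts any peer that knows the key
    return cfg

def vpn_pool_nat_exempt(cfg, pool_name, inside_net):
    # True if every pool address is a denied destination (from inside_net) in the NAT ACL.
    lo, hi = cfg["pools"][pool_name]
    inside = ipaddress.ip_network(inside_net)
    return any(inside.subnet_of(src) and lo in dst and hi in dst
               for src, dst in cfg["acl_deny"].get(cfg["rm_acl"].get(cfg["nat_rm"]), []))
def audit(cfg, pool_name, inside_net):
    # Human-readable findings; an empty list means both checks passed.
    checks = [(not vpn_pool_nat_exempt(cfg, pool_name, inside_net),
               f"pool {pool_name} is translated by NAT before the crypto map sees it"),
              (cfg["wildcard_psk"], "pre-shared key is bound to address 0.0.0.0 (any peer)")]
    return [msg for failed, msg in checks if failed]
```

Run against the full running config, the same two functions tell you whether the `access-list 101 deny` line actually covers the addresses handed out by `ip local pool`, which is the first thing to confirm before looking at the crypto map itself.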



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:41 GMT-3