From: NoOne Important (lm_nguyen@xxxxxxxxxxx)
Date: Thu Feb 08 2001 - 16:09:49 GMT-3
You might not need anything at all. I configured for a client a while back
using PIX, and I heard no complaints...and my part was done when you can ping
anyhow :). If not working then you could set up the PC to use an LMHOSTS
file, I think.
>From: Christopher Larson <clarson@mtieast.com>
>Reply-To: Christopher Larson <clarson@mtieast.com>
>To: Christopher Larson <clarson@mtieast.com>, "'David Etling'"
><detling@fdinetworking.com>, ccielab@groupstudy.com
>Subject: RE: Client to PC VPN
>Date: Wed, 7 Feb 2001 13:38:50 -0500
>
>Actually (sorry) you would set a range in the client software from 10.1.1.0
>- 10.1.2.0.
>
>-----Original Message-----
>From: Christopher Larson [mailto:clarson@mtieast.com]
>Sent: Wednesday, February 07, 2001 1:30 PM
>To: 'David Etling'; ccielab@groupstudy.com
>Subject: RE: Client to PC VPN
>
>
>Using a dynamic crypto map is going to allow the client software to dictate
>what it has access to. So if you are using Cisco Secure Client then set the
>remote party addressing to 10.1.2.0 255.255.255.0 and you should have access
>to that whole subnet. If you watch the router when a client connects and then
>do a show access-list you will see a dynamic access list shows up basically
>saying 10.1.2.0 can go to your client
>
>
>-----Original Message-----
>From: David Etling [mailto:detling@fdinetworking.com]
>Sent: Wednesday, February 07, 2001 12:53 PM
>To: ccielab@groupstudy.com
>Subject: Client to PC VPN
>
>
>Hi Group,
>
>This may be a stupid question, but when your client PC attaches via
>secure tunnel, what allows a network connection, i.e. mail server, NT
>server? Is there any special configuration you need? The reason I ask is
>I'm automatically assigning an internal 10.1.2.x address different than
>the local FA 10.1.1.X segment. I can ping the FA fine, but again it's on
>a different subnet (will that matter for broadcast reasons?). Would IP
>simply take care of it? I haven't tried logging in to an NT server because
>I don't have one available, but please look at my attached config and let
>me know if I would need anything else. Sorry, I'm new to VPN technology.
>
>Kind Regards,
>David Etling
>CCNP, CCDP, CCSE
>
>
>hostname Lab
>!
>logging buffered 4096 debugging
>enable password cisco
>!
>
>!
>!
>!
>!
>memory-size iomem 10
>ip subnet-zero
>no ip domain-lookup
>ip domain-name lab.com
>!
>ip audit notify log
>ip audit po max-events 100
>cns event-service server
>!
>!
>crypto isakmp policy 1
> encr 3des
> hash md5
> authentication pre-share
>crypto isakmp key lab123 address 0.0.0.0
>crypto isakmp client configuration address-pool local ourpool
>!
>!
>crypto ipsec transform-set tran esp-3des esp-md5-hmac
>!
>crypto dynamic-map dyno 10
> set transform-set tran
>!
>crypto map lab client configuration address initiate
>crypto map lab client configuration address respond
>crypto map lab 10 ipsec-isakmp dynamic dyno
>!
>!
>!
>!
>!
>!
>interface Loopback0
> ip address 209.50.24.1 255.255.255.0
> no ip directed-broadcast
>!
>interface FastEthernet0/0
> ip address 10.1.1.1 255.255.255.0
> no ip directed-broadcast
> ip nat inside
> no keepalive
> duplex auto
> speed auto
>!
>interface Serial1/0
> ip address 204.173.79.102 255.255.255.252
> no ip directed-broadcast
> ip nat outside
> crypto map lab
>!
>interface Serial1/1
> no ip address
> no ip directed-broadcast
> shutdown
>!
>interface Serial1/2
> no ip address
> no ip directed-broadcast
> shutdown
>!
>interface Serial1/3
> no ip address
> no ip directed-broadcast
> shutdown
>!
>interface Serial1/4
> no ip address
> no ip directed-broadcast
> shutdown
>!
>interface Serial1/5
> no ip address
> no ip directed-broadcast
> shutdown
>!
>interface Serial1/6
> no ip address
> no ip directed-broadcast
> shutdown
>!
>interface Serial1/7
> no ip address
> no ip directed-broadcast
> shutdown
>!
>ip local pool ourpool 10.1.2.1 10.1.2.254
>ip nat pool rtrb 209.50.24.2 209.50.24.254 netmask 255.255.255.0
>ip nat inside source route-map nat pool rtrb
>ip classless
>ip route 0.0.0.0 0.0.0.0 204.173.79.101
>no ip http server
>!
>access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
>access-list 101 permit ip 10.1.1.0 0.0.0.255 any
>route-map nat permit 10
> match ip address 101
>!
>!
>!
>line con 0
> password 7 094F471A1A0A
> login local
> transport input none
>line aux 0
> password 7 0822455D0A16
> login local
>line vty 0 4
> password 7 030752180500
> login local
>!
>no scheduler allocate
>end
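
Added example, not part of the original thread or any poster's code: a Python check that the posted NAT exemption (access-list 101 behind route-map nat) covers every address in the client pool, so replies from the 10.1.1.0 segment to VPN clients are not translated before they reach the crypto map. The inside host 10.1.1.10 used in the test and all function names are assumptions made for the example; the parser handles only the address/wildcard, host and any forms of an extended IP ACL entry.

```python
import ipaddress
import re

# Constructed sample: the NAT-related lines of the config posted above.
CONFIG = """\
ip local pool ourpool 10.1.2.1 10.1.2.254
ip nat inside source route-map nat pool rtrb
access-list 101 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit ip 10.1.1.0 0.0.0.255 any
route-map nat permit 10
 match ip address 101
"""

def wildcard_match(addr, base, wildcard):
    """IOS wildcard mask: bits set to 1 are ignored in the comparison."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(addr) & care) == (int(ipaddress.IPv4Address(base)) & care)

def parse_acl(config, number):
    """Ordered (action, src, src_wildcard, dst, dst_wildcard) entries of an extended IP ACL."""
    entries = []
    for line in config.splitlines():
        m = re.match(rf"access-list {number} (permit|deny) ip (.+)", line.strip())
        tokens, spec = (m.group(2).split() if m else []), []
        while tokens:
            if tokens[0] == "any":
                spec, tokens = spec + ["0.0.0.0", "255.255.255.255"], tokens[1:]
            elif tokens[0] == "host":
                spec, tokens = spec + [tokens[1], "0.0.0.0"], tokens[2:]
            else:
                spec, tokens = spec + tokens[:2], tokens[2:]
        if m:
            entries.append((m.group(1), *spec))
    return entries

def acl_action(entries, src, dst):
    """First match wins; every IOS ACL ends with an implicit deny."""
    for action, s, s_wc, d, d_wc in entries:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"

def natted_pool_addresses(config, acl, pool, inside_host):
    """Pool addresses for which traffic from inside_host matches the NAT route-map (ACL permit)."""
    lo, hi = re.search(rf"^ip local pool {pool} (\S+) (\S+)", config, re.M).groups()
    src, entries = ipaddress.IPv4Address(inside_host), parse_acl(config, acl)
    first, last = int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi))
    return [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)
            if acl_action(entries, src, ipaddress.IPv4Address(i)) == "permit"]
```

An empty list from natted_pool_addresses means the exemption is complete; any address it returns is a client whose return traffic would be translated.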
This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:28:42 GMT-3