From: Kim Judy (kim23uk@gmail.com)
Date: Sat Dec 24 2005 - 11:37:49 GMT-3
Hi group,
My client is running the Cisco VPN client and wants to connect to the Head
Office, to a Cisco 3600 series; the PIX is behind the router.
I checked Cisco's website; they have this config:
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security10
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname SanJose
domain-name example.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol smtp 25
fixup protocol h323 1720
fixup protocol rsh 514
fixup protocol sqlnet 1521
names
pager lines 24
no logging on
interface ethernet0 auto
interface ethernet1 auto
interface ethernet2 auto
mtu outside 1500
mtu inside 1500
mtu dmz 1500
ip address outside 209.165.200.229 255.255.255.224
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.101.1 255.255.255.0
no failover
failover ip address outside 0.0.0.0
failover ip address inside 0.0.0.0
failover ip address dmz 0.0.0.0
arp timeout 14400
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
access-list 80 permit ip 10.0.0.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq telnet
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ftp
access-list 100 permit tcp 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq http
nat (inside) 0 access-list 80
global (outside) 1 209.165.200.45-209.165.200.50 netmask 255.255.255.224
route outside 0.0.0.0 0.0.0.0 209.165.200.227 1
timeout xlate 3:00:00 conn 1:00:00 half-closed 0:10:00 udp 0:02:00
timeout rpc 0:10:00 h323 0:05:00
timeout uauth 0:05:00 absolute
ip local pool dealer 10.1.1.1-10.1.1.254
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server partnerauth protocol tacacs+
aaa-server partnerauth (dmz) host 192.168.101.2 abcdef timeout 5
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
crypto map partner-map client configuration address initiate
crypto ipsec transform-set strong-des esp-3des esp-sha-hmac
crypto dynamic-map cisco 4 set transform-set strong-des
crypto map partner-map 20 ipsec-isakmp dynamic cisco
crypto map partner-map client authentication partnerauth
crypto map partner-map interface outside
isakmp key cisco1234 address 0.0.0.0 netmask 0.0.0.0
isakmp enable outside
isakmp policy 8 authentication pre-share
isakmp policy 8 encryption 3des
isakmp policy 8 hash md5
isakmp policy 8 group 2
vpngroup superteam address-pool dealer
vpngroup superteam dns-server 10.0.0.15
vpngroup superteam wins-server 10.0.0.15
vpngroup superteam default-domain example.com
vpngroup superteam split-tunnel 80
vpngroup superteam idle-time 1800
sysopt connection permit-ipsec
telnet timeout 5
terminal width 80
I want to implement this scenario in a live network, and my client wants to
make sure the router is receiving the VPN client request. How do I verify if
the router is receiving the VPN client request? I am running NAT and
static routes on the router.
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:52 GMT-3