I'm facing this simple configuration and I can't figure it out.
Scenario:
With a Cisco VPN client (or iPad, iPhone...) I can connect to my company VPN.
What I know is:
VPN GROUP NAME
VPN KEY
VPN SERVER PUBLIC IP
VPN USERNAME and PASSWORD
Ip address of virtual adapter created by cisco vpn client: 10.0.201.31 255.255.255.0
My lan 172.23.28.0 255.255.255.224
Company lan 172.19.248.0 255.255.252.0
The question is "How can I handle this for my home's LAN with a Cisco 827 router?"
I think the steps are:
1) configuring eth0, dns and dhcp (done)
2) configuring ATM0 and Dialer0 to get internet access (done)
3) configuring access list and ip routes for my lan (done)
4) configuring ezvpn parameters (done)
5) configuring virtual interface with Ip 10.0.201.31 (What kind of interface?)
6) Set inside and outside nat for "crypto ipsec client ezvpn MYVPNTUNNELNAME" (which interfaces and how ?)
7) configuring route to 172.19.248.0 255.255.252.0 (how?)
Here is my configuration:
!
version 12.3
no service pad
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname R827
!
boot-start-marker
boot-end-marker
!
enable secret 5 cryptedSecret
enable password notcrypted
!
no aaa new-model
ip subnet-zero
ip dhcp excluded-address 172.23.28.1
ip dhcp excluded-address 172.23.28.2
ip dhcp excluded-address 172.23.28.3
ip dhcp excluded-address 172.23.28.4
ip dhcp excluded-address 172.23.28.5
ip dhcp excluded-address 172.23.28.6
ip dhcp excluded-address 172.23.28.7
ip dhcp excluded-address 172.23.28.8
ip dhcp excluded-address 172.23.28.9
ip dhcp excluded-address 172.23.28.10
!
ip dhcp pool CeccoDhcp
   network 172.23.28.0 255.255.255.224
   default-router 172.23.28.1
   dns-server 8.8.8.8
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
!
!
!
!
!
!
crypto ipsec client ezvpn MYVPNTUNNELNAME
 connect auto
 group MYGROUPNAME key MYGROUPKEY
 mode network-extension
 peer PUBLICIPOFVPNSERVER
 username MYUSER password MYPASSWORD
!
!
!
interface Ethernet0
 ip address 172.23.28.1 255.255.255.224
 ip nat inside
 ip virtual-reassembly
 hold-queue 100 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 bundle-enable
 dsl operating-mode auto
 pvc 8/35
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
!
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly
 encapsulation ppp
 ip tcp header-compression
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp pap sent-username aliceadsl password 7 15130705072F2A203B3F
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
no ip http secure-server
ip nat inside source list 101 interface Dialer0 overload
!
!
access-list 101 permit ip 172.23.28.0 0.0.0.31 any
dialer-list 1 protocol ip permit
!
!
control-plane
!
!
line con 0
 stopbits 1
line vty 0 4
 password MYTERMINALPASSWORD
 login
!
scheduler max-task-time 5000
end
End of configuration.
Please note:
If I add
crypto ipsec client ezvpn MYVPNTUNNELNAME
to Dialer0
and
crypto ipsec client ezvpn MYVPNTUNNELNAME inside
to Ethernet0
I get this:
Tunnel name : MYVPNTUNNELNAME
Inside interface list: Ethernet0,
Outside interface: Dialer0
Current State: READY
Last Event: CONN_UP
Hope someone could help me.
Thanks in advance.
Cecco
Ok, I compared your config to some old notes I had. I did work turning up Cisco VPNs in the past so this jogged my memory.
I think the READY state and CONN_UP last event mean that it sits there, prior to authentication. And this may be because you're not telling the 871 how to handle XAUTH.
Try adding the below to your crypto ipsec client ezvpn section:
xauth userid mode interactive
That and turning debugging on should give you something to work on. Let me know how it goes.
Solved!!
Thanks to James's help I switched the ezvpn conf to "mode client" and with debug I noticed that the problem was on the server side, because "storage-password enable" was not set.
When the company's net admin told me that "storage-password enable" was set I just did:
conf t
int Dia0
crypto ipsec client ezvpn MYVPNTUNNELNAME
....and everything works perfectly :-)
I'd like to set up a vpn to allow two separate computers to connect to each other.
I've found a bunch of places where they say you should remove "redirect-gateway def1 bypass-dhcp" from the server config and add a route "route 10.0.0.0 255.255.255.0 vpn_gateway" to make connecting to the private network work. But this doesn't seem to do what I want.
Yes it now makes all requests via my local gateway (All servers report my public ip is my own ip, rather than that of the vpn), but now connecting to other clients no longer works.
I can still connect to my own private ip (10.0.0.0) as assigned by the vpn, but other clients can not reach me on this same ip.
My client.conf:
client
dev tun
proto udp
remote vpn.example.com 1194
resolv-retry infinite
nobind
user nobody
group nogroup
persist-key
persist-tun
remote-cert-tls server
cipher AES-256-GCM
auth SHA256
verb 3
key-direction 1
My server.conf:
port 1194
proto udp
dev tun
ca ca.crt
cert vpnserver.crt
key vpnserver.key
dh none
topology subnet
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
ifconfig-pool-persist /var/log/openvpn/ipp.txt
client-config-dir ccd
# push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0 vpn_gateway 1"
client-to-client
keepalive 10 120
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
verb 3
explicit-exit-notify 1
My ccd/myclient:
ifconfig-push 10.0.0.0 255.255.255.255
How can I make client-to-client work without making all my regular traffic flow through the vpn?
edit: After some more experimenting I've figured out that this setup is working fine as long as the assigned private IP is in the 10.8.0.x range. I have a few static private IPs in the 10.0.0.x range, so that's why it isn't working. I'd still like to use these IPs though.
I ended up changing the server config to use 10.0.0.x as default pool.
I changed:
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
to
server 10.0.0.0 255.255.255.0
I don't like that static and dynamic ips are now both using the same pool, but this is the best I can do.
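The subnet mismatch the edit above identified can be caught before any client connects. The following is an added example of mine, not the original poster's code: it reads the `server` directive from server.conf, compares every ccd `ifconfig-push` address with that tun subnet (client-to-client forwarding only works between addresses on it), and reports whether a `redirect-gateway` push (full tunnel) is active. The before/after server.conf and the ccd entries are constructed from the post; the second client "laptop" is an invented entry.

```python
"""Check an OpenVPN server's static client addresses against its tun subnet
(added example, not code from the original poster). The failure in the post
above was a ccd 'ifconfig-push' in 10.0.0.x while 'server' handed out
10.8.0.x: client-to-client forwarding only works between addresses on the
tun subnet. The before/after server.conf and ccd entries below are
constructed from the post."""
import ipaddress

def parse_directives(text):
    """OpenVPN config text -> list of (directive, [args]); '#' comments dropped."""
    out = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.replace('"', "").split()   # push "route ..." -> push route ...
            out.append((parts[0], parts[1:]))
    return out

def check_static_clients(server_conf, ccd_files):
    """Return (problems, full_tunnel); problems maps ccd name -> reason or None."""
    pool, full_tunnel = None, False
    for name, args in parse_directives(server_conf):
        if name == "server":                       # server <network> <netmask>
            pool = ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False)
        elif name == "push" and args[:1] == ["redirect-gateway"]:
            full_tunnel = True                     # clients send all traffic via the VPN
    if pool is None:
        raise ValueError("no 'server' directive found")
    problems = {}
    for client, text in ccd_files.items():
        for name, args in parse_directives(text):
            if name == "ifconfig-push":            # ifconfig-push <address> <netmask>
                addr = ipaddress.ip_address(args[0])
                problems[client] = (None if addr in pool else
                    f"{addr} is not in the tun subnet {pool}: other clients cannot reach it")
    return problems, full_tunnel

# Constructed from the post: server.conf before the change, then after it.
SERVER_BEFORE = """\
port 1194
proto udp
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
route 10.0.0.0 255.255.255.0
client-config-dir ccd
# push "redirect-gateway def1 bypass-dhcp"
push "route 10.0.0.0 255.255.255.0 vpn_gateway 1"
client-to-client
"""
SERVER_AFTER = SERVER_BEFORE.replace(
    "server 10.8.0.0 255.255.255.0\nroute 10.0.0.0 255.255.255.0\n",
    "server 10.0.0.0 255.255.255.0\n")
CCD = {"myclient": "ifconfig-push 10.0.0.0 255.255.255.255\n",   # from the post
       "laptop": "ifconfig-push 10.0.0.50 255.255.255.0\n"}      # invented second client
```

With the original server.conf both static clients are reported as outside 10.8.0.0/24; with the changed one both pass, and the commented-out `redirect-gateway` line keeps `full_tunnel` false, matching the poster's goal of not sending regular traffic through the VPN.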
From the router I can ping Google's DNS servers at 8.8.8.8 and 8.8.4.4... I can reach all inside network devices attached in the 192.168.1.X range. Other than those few addresses, I can't reach outside of my router. I have pulled an IP from my ISP. I have a route built to my next-hop address provided by my ISP.
Below is my running-config. I used a guide FROM CISCO to set this up. If anyone sees any reason why I am only able to reach these two addresses, please let me know.
Current configuration : 1903 bytes
!
! Last configuration change at 14:49:37 UTC Wed Oct 14 2020
!
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname StorageRTR
!
boot-start-marker
boot-end-marker
!
!
enable secret 5 $1$3PFU$WQpG5ApsBE/6BZZpd7Oew1
enable password Probasco1!
!
no aaa new-model
!
no ipv6 cef
ip source-route
ip cef
!
!
!
ip dhcp excluded-address 192.168.1.1
ip dhcp excluded-address 192.168.1.2
ip dhcp excluded-address 192.168.1.3
ip dhcp excluded-address 192.168.1.4
ip dhcp excluded-address 192.168.1.5
ip dhcp excluded-address 192.168.1.6
ip dhcp excluded-address 192.168.1.7
ip dhcp excluded-address 192.168.1.8
ip dhcp excluded-address 192.168.1.9
ip dhcp excluded-address 192.168.1.10
!
ip dhcp pool CLIENT
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 8.8.8.8
!
!
ip name-server 8.8.8.8
ip name-server 8.8.4.4
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
!
license udi pid CISCO1941/K9 sn FJC1931E0DD
!
!
username Rob password 0 Probasco1
!
!
!
!
!
!
interface GigabitEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
interface GigabitEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 no cdp enable
!
ip forward-protocol nd
!
ip http server
no ip http secure-server
!
ip nat inside source list 102 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.255.77.69
!
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
!
!
control-plane
!
!
line con 0
 exec-timeout 120 0
 stopbits 1
line aux 0
line vty 0 4
 exec-timeout 30 0
 login local
 length 0
 transport input all
!
scheduler allocate 20000 1000
end
The configuration looks OK to me, but you should not need to configure your gateway IP statically when you are using DHCP. I guess it's working, though, since you are able to ping Google DNS. I would remove this line:
ip route 0.0.0.0 0.0.0.0 10.255.77.69
You can check if you have the right ip using this command:
show ip int brief
And check your route with this command:
show ip route
The gateway IP from your ISP is a private IP address, so the ISP will be doing NAT once more before you get to the Internet. Perhaps the ISP router is blocking stuff, like DNS to Google?
What happens if you connect a PC directly to the ISP router? Are you able to browse the Internet then? If the ISP hands out different DNS servers, try using those in the Cisco router.
Hello Everyone!
I want to know whether there is any way to access a photocopier machine that is connected to a computer through an Ethernet cable, where that computer is connected to my WiFi network.
P.S.: What if I don't know the IP assigned to that photocopier machine?
If the wireless network is part of the wired network you shouldn't have any problem reaching the photocopier.
If you don't know the IP address, you can reach it by host name if the DHCP and DNS are working properly. If you are on an Active Directory infrastructure and DHCP and DNS are integrated it should be transparent.
If you are on your home with a "home" router they usually do the hostname to IP resolve (DNS).
You can run nslookup hostname on your machine to see if your DNS is resolving the IP address. You can also ping hostname or ping the IP address to test that you can reach the desired host. Some hosts block ping (ICMP) requests, so please note that a ping that does not respond is not a definitive answer.
Please note that in your home router you should use your router or default gateway to be the DNS also, and then add the google public DNS or your ISP.
Also when connecting the access point to an existing network you may have 2 DHCP servers providing IP addresses to hosts, you should disable DHCP on the Access Point and connect the AP to the network using the switch port and not the WAN port (the WAN port will try to do NAT and assign a different set of IP addresses).
I have Cisco 1812 router which I would like to setup as our office internet gateway. Although I followed guides on Cisco web site, I cannot get NAT to work.
My problem is that NAT is not happening, and I cannot get why.
When I connect to the router, I get an IP address from DHCP, and I can ping both the local interface IP (192.168.210.254) and the public IP (212.94.196.71, slightly changed), but I cannot get through to the internet. I cannot ping the default gateway from a machine connected to the local interface, but I can ping it from the router itself, as well as any site on the internet.
Lastly, show ip nat translations is showing an empty list.
What am I doing wrong?
Here is my configuration:
Current configuration : 2022 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname router
!
boot-start-marker
boot-end-marker
!
enable secret 5 $1$FXW9$XXXXXXXXXXXXXXXXXXX.
!
no aaa new-model
!
resource policy
!
no ip routing
!
!
no ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.210.240 192.168.210.254
ip dhcp excluded-address 192.168.210.1 192.168.210.4
!
ip dhcp pool lan1
   network 192.168.210.0 255.255.255.0
   dns-server 192.168.210.100
   default-router 192.168.210.254
   domain-name mydomain.com
!
ip name-server 210.127.96.3
ip name-server 210.127.96.4
!
interface FastEthernet0
 ip address 192.168.210.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip route-cache
 speed auto
 full-duplex
!
interface FastEthernet1
 ip address 212.94.196.71 255.255.255.240
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 duplex auto
 speed auto
!
interface BRI0
 no ip address
 encapsulation hdlc
 no ip route-cache
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 shutdown
!
interface FastEthernet4
 shutdown
!
interface FastEthernet5
 shutdown
!
interface FastEthernet6
 shutdown
!
interface FastEthernet7
 shutdown
!
interface FastEthernet8
 shutdown
!
interface FastEthernet9
 shutdown
!
interface Vlan1
 ip address 192.168.1.254 255.255.255.0
 no ip route-cache
!
interface Vlan10
 ip address 10.28.10.254 255.255.255.0
 no ip route-cache
!
interface Vlan11
 ip address 10.1.11.254 255.255.255.0
 no ip route-cache
!
interface Vlan55
 ip address 10.28.55.254 255.255.255.0
 no ip route-cache
!
ip default-gateway 212.94.196.65
!
!
no ip http server
no ip http secure-server
ip nat pool ovrld 212.94.196.71 212.94.196.71 prefix-length 28
!
access-list 7 permit 192.168.210.0 0.0.0.31
snmp-server community public RO
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 login
!
!
webvpn context Default_context
 ssl authenticate verify all
 !
 no inservice
!
end
You forgot to enable translation of inside source addresses.
ip nat inside source { list <acl> pool <name> [overload] | static <local-ip> <global-ip> }
I see you already have an access-list so (according to your private addressing) in global config add:
ip nat inside source list 7 pool ovrld
Additional Edit:
With IP routing enabled (ip routing) it works.
Your DHCP is for the lower subnet and your gateway is in another subnet, the top .224-.254;
your NAT list is for the .0 subnet.
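The three Cisco threads above (the 827 whose EZVPN profile was defined but attached to no interface, the 1941 with a static default route beside `ip address dhcp`, and the 1812 missing its `ip nat inside source` rule, running `no ip routing`, and using a NAT ACL narrower than the inside subnet) all come down to mistakes that can be spotted by reading the config. The following is an added example of mine, not code from any of the posters or from Cisco: a small audit that splits an IOS running-config into global lines and per-interface sub-lines and reports those five conditions. The embedded config excerpts are trimmed from the posted configs; the "fixed" 1812 variant is my own reconstruction of the answer's advice, and the checks encode what I would expect of a sane config, not any IOS validation.

```python
"""Offline checks for the NAT / EZVPN mistakes discussed in the 827, 1941 and 1812
threads above (added example, not code from any poster). Flags: a missing 'ip nat
inside source list' rule, 'no ip routing', a NAT ACL narrower than the inside subnet,
a static default route next to 'ip address dhcp', an EZVPN profile applied nowhere."""
import ipaddress
import re
ADDR = r"\d+\.\d+\.\d+\.\d+"

def parse_ios(text):
    """Split a running-config into global lines and {interface: [sub-lines]}."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":            # a bare '!' ends the current block
            current = None
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None:
            interfaces[current].append(line)
        else:
            global_lines.append(line)
    return global_lines, interfaces

def wildcard_to_network(addr, wildcard):
    """Cisco inverse (wildcard) mask -> network, e.g. 0.0.0.31 -> a /27."""
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard)))
    return ipaddress.ip_network(f"{addr}/{netmask}", strict=False)

def interface_network(sub_lines):
    """Primary subnet from 'ip address A.B.C.D M.M.M.M'; None for dhcp/negotiated."""
    for line in sub_lines:
        m = re.match(rf"ip address ({ADDR}) ({ADDR})$", line)
        if m:
            return ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
    return None

def audit(text):
    """Return a list of finding strings; an empty list means all checks passed."""
    glb, ifs = parse_ios(text)
    findings = []
    inside = [n for n, ls in ifs.items() if "ip nat inside" in ls]
    outside = [n for n, ls in ifs.items() if "ip nat outside" in ls]
    rules = [g for g in glb if g.startswith("ip nat inside source list ")]
    if inside and outside and not rules:
        findings.append("no 'ip nat inside source list' rule: nothing gets translated")
    if "no ip routing" in glb:
        findings.append("'no ip routing': the router will not forward between interfaces")
    acls = {}  # numbered ACLs, standard ('permit A W') or extended ('permit ip A W ...')
    for g in glb:
        m = re.match(rf"access-list (\d+) permit (?:ip )?({ADDR}) ({ADDR})", g)
        if m:
            acls.setdefault(m.group(1), []).append(wildcard_to_network(m.group(2), m.group(3)))
    # With a NAT rule, check the ACL it names; without one, check every ACL present.
    for acl in [r.split()[5] for r in rules] or list(acls):
        for name in inside:
            net, nets = interface_network(ifs[name]), acls.get(acl, [])
            if net and not any(net.subnet_of(n) for n in nets):
                findings.append(f"ACL {acl} ({', '.join(map(str, nets))}) does not cover {net} on {name}")
    if any(g.startswith("ip route 0.0.0.0 0.0.0.0") for g in glb):
        for name in outside:
            if "ip address dhcp" in ifs[name]:
                findings.append(f"static default route although {name} learns its gateway via DHCP")
    for g in glb:
        if g.startswith("crypto ipsec client ezvpn "):
            prof = g.split()[4]
            if not any(f"crypto ipsec client ezvpn {prof}" in ls for ls in ifs.values()):
                findings.append(f"ezvpn profile {prof} is defined but applied to no outside interface")
    return findings

# Constructed sample input: excerpts trimmed from the posted configs.
CFG_1812 = """\
no ip routing
interface FastEthernet0
ip address 192.168.210.254 255.255.255.0
ip nat inside
!
interface FastEthernet1
ip nat outside
!
ip nat pool ovrld 212.94.196.71 212.94.196.71 prefix-length 28
access-list 7 permit 192.168.210.0 0.0.0.31
"""
CFG_1812_FIXED = CFG_1812.replace("no ip routing\n", "").replace(   # answer applied (my reconstruction)
    "0.0.0.31", "0.0.0.255") + "ip nat inside source list 7 pool ovrld\n"
CFG_1941 = """\
interface GigabitEthernet0/1
ip address dhcp
ip nat outside
!
ip nat inside source list 102 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.255.77.69
"""
CFG_827 = """\
crypto ipsec client ezvpn MYVPNTUNNELNAME
!
interface Dialer0
ip address negotiated
ip nat outside
"""
```

Running `audit(CFG_1812)` yields the three findings the answer lists, `audit(CFG_1812_FIXED)` yields none, and the 1941 and 827 excerpts each produce exactly the single finding their threads ended up fixing. The wildcard conversion is done by hand (inverting the bits and passing a netmask) because `ipaddress` would read a wildcard of 0.0.0.0 as a /0 netmask rather than a single host.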
Router IP: 192.168.1.1
Camera 1 IP: 192.168.1.80, port: 8000
Camera 2 IP: 192.168.1.81, port: 8100
DynDNS host: test.dyndns.org
Firewall: disabled
UPnP: enabled
Port forward 8000 to 192.168.1.80 (both)
Port forward 8100 to 192.168.1.81 (both)
When I am connected to MY network:
http://192.168.1.80:8000 WORKING
http://192.168.1.80:8000 WORKING
When I am connected with 3G (or WiFi to ANOTHER network, e.g. my friend's) I go to the URL --> http://test.dyndns.org:8000 and the camera is WORKING.
When I am connected with WiFi to MY network I go to the URL --> http://test.dyndns.org:8000 and the camera is NOT WORKING.
NO URL FOUND. CONNECTION REFUSED
Why do I have this problem?
Any solution?
Thanks
You need to setup NAT loopback on your router. This allows you to connect to the WAN interface IP while you're on the LAN. How you enable this will depend on what type of router you have.
You can read more about it here: http://en.wikipedia.org/wiki/Network_address_translation#NAT_loopback