Cisco Blog

Jeremy,
Nice post. I am curious if your CVOICE nuggets includes some Call Manger review? big picture? I recently was contracted into a wan support position with 1 of the larger telcos and they plan to start support for true voice solutions ie. Cisco. I lack in the knowledge of voice in a bad way outside of QoS which is not voice but needed to support it, which once again I'll give you a plug for a "SWEET!" 642-642. I just want to make sure I purchase the right nugget. 642-432 CVOICE should be a good start?
Thanks,
A satisfied disciple:)

Hi Jeremy,

Nice post! I was wondering if you know how your pc was hacked, via RDP or VNC? I have the idea that RDP is pretty secure since there are no real vulnerabilities reported? Do you have more info regarding this?

Thanks

Ruben

David - Thanks for the kind words :). CVOICE contains very little CallManager material; that'll be part of CIPT, which is due out as soon as I can finish CCNP updates.

Ruben - My PC was hacked via VNC. I was using RealVNC, which contained a known vulnerability (not known at the time, of course) that allowed an intruder in without authentication. Yikes! VPN took care of that...

More information on the hack: http://secunia.com/advisories/20107/

Is there any way to do something like this with some low end linksys (cisco) wrt54g routers? I'm looking to connect the router at my girlfriends house to the router my home so that I can be connected to my home network when I am on her wireless.

Hello JC,

i did everythink as you posted here. But i am still unable to connect with vpn client.

This is debug message from IOS:

ISAKMP (0:13): Checking ISAKMP transform 12 against priority 21 policy
ISAKMP: encryption 3DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x20 0xC4 0x9B
ISAKMP (0:13): Preshared authentication offered but does not match policy!

I have configured aaa new model:
aaa new-model
!
!
aaa authentication login userlist local

Please could you help me?
Tomas

I like your article. i have something similar to this setup. Do you know if there is a way to log vpn connections like this to a syslog server. All i can find info on is how to do this with RADIUS.

-Dustin

Post was great! I have the Cisco Pix configuration file and am trying to get a VPN client to work to no avail. Is it possible to reverse engineer? Also, what does the show or wr t look like?

Hi Jeremy,

Thanks for a nice article.
I have on question,
if i want to restrict one interface of my router to accept ONLY VPN connections and deny all other connectoins, How can I do that?

How will the clients know how to route to the internal network?

Hi

My config is very similar to your but I am trying to connect with an XP pc to the router but it does not get connected at all it comes up with SA not offered. Can you help.

Marius

Hi Jeremy,

I love your stuff and videos that you do with CBT. I'm kind of stuck with my configuration for an Easy VPN server. I have a 2821 router attached to my SBC DSL modem with Static IP (69.x.x.x). And on the other interface (10.x.x.3) I have a switch connected just doing switching. Off this switch there's a call manager and a PC hanging (both within the 10.x.x.x IP Address range).

I am successfully able to VPN to the 69.x.x.x interface from my PC using Cisco VPN client (My VPN'ed IP becomes 1.1.1.10). But for some reason, I'm not able to ping either the Call Manager or the 10.x.x.3 interface on the router. My final objective is to attach the CIPC on my laptop to the CCM. Any pointers on where I could be wrong will be MUCCCCCH appreciated.

thanks,
Kamran

Jeremy,

sorry for spamming but are you sure this config is correct in your article above:

Router(config)# crypto dynamic-map CLIENT_MAP 1
Router(config-crypto-map)# set transform-set JEREMYS_SET
Router(config-crypto-map)# reverse-route
Router(config)# crypto map JEREMY_VPN client

shouldn't the crypto map name be "CLIENT_MAP" instead of "JEREMY_VPN"?

thx,
Kamran

Jeremy,
I love your Blog.
Please advise me, why if we Configure aaa new model on the CISCO as5400/5300, the passw via vty/telnet is change?

My configure aaa :
no aaa new-model
aaa authentication login local line
aaa accounting exec default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection h323 stop-only group radius
aaa nas port voip

radius-server host 203.x.x.x auth-port 1645 acct-port 1646
radius-server host 203.x.x.x auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server key 7 13060E100E1E517C

Regards,
Bayu-
Jakarta-Indonesia

i want to know one thing in cisco router pls explain me How can block the ICMP traffic on cisco router if u know than email me

hi guys,

I need help for configure this VPN in my router cisco. I am not getting to understand and to configure correctly.
please help me.

Paulo Célio

heloo sir
i want to configure the router but i don't know the configuration if you can help me in this regards it will be very helpfull for me
thank you
Bilal Ahmadi

I need the Configuration for making vpn for CISCO router as client side.

Regards
Hadi

I need to connect a CVPN v 4.8 client to a Cisco 2621xm router
but I'm experincing a lot of problems. My
router config is as follows:PLease help

I still cannot connect via via VPN client. Please help

username cisco password 0 class
memory-size iomem 10
no network-clock-participate slot 1
no network-clock-participate wic 0
aaa new-model
!
!
aaa authentication login LOCAL_DB local
aaa session-id common
ip subnet-zero
ip cef
!
crypto isakmp policy 1
encr des
authentication pre-share
group 2
!
crypto isakmp client configuration group HOME
key secret
dns 192.168.99.1
domain cisco.com
pool CLIENT_ADDRESSES

!
crypto ipsec transform-set VPN_TRANSFORM esp-des esp-md5-hmac
!
!
crypto dynamic-map CLIENT_MAP 1
set transform-set VPN_TRANSFORM
reverse-route
!
!
crypto map REMOTE_VPN client authentication list LOCAL_DB
crypto map REMOTE_VPN isakmp authorization list LOCAL_DB
crypto map REMOTE_VPN client configuration address respond
crypto map REMOTE_VPN 100 ipsec-isakmp dynamic CLIENT_MAP
!

interface FastEthernet0/0
ip address 192.168.1.1 255.255.255.0
duplex auto
speed auto
crypto map REMOTE_VPN
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address 192.168.110.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/1
no ip address
shutdown
!
router rip
network 192.168.1.0
network 192.168.110.0
!
ip local pool CLIENT_ADDRESSES 192.168.99.10 192.168.99.20

thanks for above knowldege.
I want to know what is crypto?why we have used
Crypto command in cisco?plz send me reply as early
as possible on my mail i-d.

I am trying the same exact config on my 2621 but my IOS doesnt seem to have a group command for "crypto isakmp client configuration..." All I have is crypto isakmp client configuration ?
address-pool Set network address for client

Any ideas? I am running this version
IOS (tm) C2600 Software (C2600-JK9S-M), Version 12.2(46), RELEASE SOFTWARE (fc1)

and I have a feeling it is my IOS version. Please help. Thanks.

-Jay

it is good to connect the pc to the modem first before connecting to the router.

hi i m pradeep

Great post!!!

How can I show a summary of all addresses handed out to VPN clients from the pool through CLI?

Quote: How can I show a summary of all addresses handed out to VPN clients from the pool through CLI?

...and compare to the account who authenticated the request.

To Hadi Nazari:

You've probably spotted your issue already. This line is missing:

aaa authorization network LOCAL_DB local

Dear sir
I am shofiur Rahman form Bangladeh.I am working as a Network Engineer in one of the top most private Banks in Bangladesh.Recently our management take the decision to expand their business sector through online. But this online will not be centralized.It will be distributed that means Any Branch Banking(ABB) through WAN connectivity. I want to configure the Cisco Router for VPN.

I would like to request you that please give the design diagram as for example (eg. Bank)and then please show the configuration.

Please please anwser my query. Its very urgent.

Thanks
Engr. Shofiur Rahman

"Dear sir
I am shofiur Rahman form Bangladeh.I am working as a Network Engineer in one of the top most private Banks in Bangladesh.Recently our management take the decision to expand their business sector through online. But this online will not be centralized.It will be distributed that means Any Branch Banking(ABB) through WAN connectivity. I want to configure the Cisco Router for VPN.

I would like to request you that please give the design diagram as for example (eg. Bank)and then please show the configuration.

Please please anwser my query. Its very urgent.

Thanks
Engr. Shofiur Rahman
"

Youd think if you were a network engineer, that this is something youd know. Not do haphazardly from googling results.

Your lab is helpful for my work and study .

Hi all

I am trying to establish a VPN connection and need some help. The scenario is simple.

Router "RTA" acts as the VPN server which accepts remote VPN connections from a remote user with a laptop using Cisco VPN client v5.0. The remote user never

has a static ip address since he is always around on different sites which have dynamically assigned ip addressess on DSL connections.

Searching here and there I created the following configuration:

RTA#sh run
Building configuration...

version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname RTA
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 7
logging buffered 4096 critical
!
enable secret xxxxxxxxx
!
memory-size iomem 5
clock timezone EET 2
clock summer-time EEDST recurring last Sun Mar 3:00 last Sun Oct 4:00
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no ip source-route
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.130.1 192.168.130.250
!
ip dhcp pool LOCAL_DHCP
network 192.168.130.0 255.255.255.0
default-router 192.168.130.100
domain-name vpn.local
dns-server 192.168.130.100 62.169.194.17
lease infinite
!
!
no ip cef
!
!
ip domain name vpn.local
ip host SW 192.168.130.101
ip name-server 62.169.194.17
ip name-server 62.169.194.18
!
no ip bootp server
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
username cisco privilege 15 password xxxxx
archive
log config
hidekeys
!
!
ip tcp selective-ack
ip tcp timestamp
ip tcp synwait-time 10
ip tcp path-mtu-discovery
ip ssh maxstartups 2
ip ssh logging events
ip ssh version 2
!
aaa new-model
!
aaa session-id common
!
aaa authentication login default local
aaa authentication login XAUTH_for_VPNs local
aaa authorization exec default local
aaa authorization network VPN_GROUP local
!
aaa local authentication attempts max-fail 10
!
crypto isakmp policy 1
encr aes
authentication pre-share
group 2
lifetime 43200
!
crypto isakmp client configuration group VPN
key xxxxx
dns 192.168.130.100 62.169.194.17
domain vpn.local
pool VPN_POOL
include-local-lan
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
!
crypto dynamic-map dynmap 1
set transform-set ESP-AES-SHA
reverse-route
!
!
crypto map dynmap client authentication list XAUTH_for_VPNs
crypto map dynmap isakmp authorization list VPN_GROUP
crypto map dynmap client configuration address respond
crypto map dynmap 65535 ipsec-isakmp dynamic dynmap
!
!
!
interface Null0
no ip unreachables
!
interface ATM0/0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no atm ilmi-keepalive
dsl operating-mode auto
pvc 8/35
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface ATM0/0.1 point-to-point
description ADSL_INTERFACE
no ip redirects
no ip unreachables
no ip proxy-arp
!
interface FastEthernet0/0
description INSIDE_INTERFACE
ip address 192.168.130.100 255.255.255.0
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1460
speed auto
full-duplex
!
interface Dialer0
description OUTSIDE_INTERFACE
ip address negotiated
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1492
ip nat outside
ip virtual-reassembly
encapsulation ppp
ip route-cache flow
dialer pool 1
dialer-group 1
no cdp enable
ppp authentication chap callin
ppp chap hostname xxxxx@xxxxx
ppp chap password xxxxx
ppp ipcp dns request
ppp ipcp wins request
crypto map dynmap
!
ip local pool VPN_POOL 192.168.130.50 192.168.130.60
!
no ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 Dialer0
ip http server
ip http authentication local
ip http secure-server
!
ip nat inside source list 1 interface Dialer0 overload
!
ip dns server
!
!
access-list 1 permit 192.168.130.0 0.0.0.255
dialer-list 1 protocol ip permit
!
control-plane
!
line con 0
password xxxxx
logging synchronous
transport output telnet
line vty 0 4
password xxxxx
transport preferred ssh
transport input ssh
transport output telnet ssh
line vty 5 15
password xxxxx
transport preferred ssh
transport input ssh
transport output telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17180087
ntp server 193.93.167.241
end

The configuration works fine and the client connects to the Cisco VPN server (1751 router).

Here is the problem:

Before attempting to establish the VPN connection the laptop does have an active Internet connectionon and its physical NIC (which connects it to the

Internet) has the following settings assigned by the DHCP server on the local subnet of 192.168.0.1/24:

IP Address: 192.168.0.76
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.0.1
DHCP Server: 192.168.0.1
DNS Servers: 192.168.0.1

When Cisco VPN client runs and establishes succesfully a connection to the VPN, the Cisco VPN adapter (virtual NIC) gets the following configuration from the

VPN server (router):

IP Address: 192.168.130.51
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.130.51 (always same as the IP address it gets assigned from the VPN router at the tunnel end)
DNS Servers: 192.168.130.100
62.169.194.17

and in the same time the physical NIC looses the default gateway 192.168.0.1 it had thus loosing the connection to the Internet. So the physical NIC now has

this settings:

IP Address: 192.168.0.76
Subnet Mask: 255.255.255.0
Default Gateway:
DHCP Server: 192.168.0.1
DNS Servers: 192.168.0.1

So what is wrong in this scenario and how should it work?

Second question:

In the above example Site A(remote user's site) and Site B(VPN server's site) are configured with different subnets.

Site A: 192.168.0.0 / 24
Site B: 192.168.130.0 / 24

What if both LAN's on both sides of the tunnel, for example Site A/LAN1 (behind VPN server/router) subnet is 192.168.1.0/24 and Site B / LAN2 (where remote

user may be at any time) subnet is also 192.168.1.0/24, what would then happen?

I mean what if the remote user sitting on Site B is on subnet 192.168.1.0/24 and has an ip address of 192.168.1.10/24, wants to remote desktop to a PC

sitting on Site A at the other side of the tunnel that also has local subnet 192.168.1.0/24? How would the remote user's laptop know on which local subnet

Site A or Site B this PC is located and reach it?

Hope I didn't confuse you.

Please reply here or mail me at ksylvios@gmail.com

Thanks a lot in advance!

Cheers, Sylvios

[... - www.ciscoblog.com is one must read source of information on this subject,[... -

I like this site very much.

This is such a outstanding site.
And it is not like other money orientated site, the content here is genuinely valuable.

I am definitely bookmarking it as well as sharing it with my friends.

:)

Very outstanding website.
The information here is very valuable.

I will refer it to my friends.

Cheers

Hi !.
You re, I guess , perhaps very interested to know how one can collect a huge starting capital .
There is no initial capital needed You may start earning with as small sum of money as 20-100 dollars.

AimTrust is what you haven`t ever dreamt of such a chance to become rich
AimTrust represents an offshore structure with advanced asset management technologies in production and delivery of pipes for oil and gas.

It is based in Panama with affiliates everywhere: In USA, Canada, Cyprus.
Do you want to become an affluent person?
That`s your choice That`s what you really need!

I`m happy and lucky, I started to get real money with the help of this company,
and I invite you to do the same. It`s all about how to select a correct partner utilizes your funds in a right way - that`s the AimTrust!.
I make 2G daily, and my first investment was 500 dollars only!
It`s easy to get involved , just click this link http://wonehuza.envy.nu/gujiqehy.html
and lucky you`re! Let`s take our chance together to get rid of nastiness of the life

Hi !.
might , perhaps curious to know how one can collect a huge starting capital .
There is no initial capital needed You may begin to get income with as small sum of money as 20-100 dollars.

AimTrust is what you haven`t ever dreamt of such a chance to become rich
The company represents an offshore structure with advanced asset management technologies in production and delivery of pipes for oil and gas.

It is based in Panama with offices everywhere: In USA, Canada, Cyprus.
Do you want to become really rich in short time?
That`s your choice That`s what you wish in the long run!

I`m happy and lucky, I began to take up income with the help of this company,
and I invite you to do the same. If it gets down to select a proper partner utilizes your savings in a right way - that`s the AimTrust!.
I take now up to 2G every day, and my first deposit was 1 grand only!
It`s easy to start , just click this link http://zikypove.arcadepages.com/lunupemu.html
and lucky you`re! Let`s take this option together to get rid of nastiness of the life

I somehow dont agree with a few things, but its great anyways.

I am assured, that you are mistaken.

Opulently I agree but I think the list inform should prepare more info then it has.

Again a fair post. Thank your achates

I want not agree on it. I regard as warm-hearted post. Especially the appellation attracted me to review the whole story.

Anyone heard about google money pro programm? I accidently came accro this website Google Money Pro review
author claims that this ebook can teach you to earn money with google adwords. What do you think is it real or no. Anyone bought it? I don't want to loose money again. BTW sorry for offtopic!

I just found the website who discuss about
Several
home based business

If you want to know more here it is
home business opportunity

Hey there, it's very great to see a fellow biker post their experiences. I'm really impressed by your blog, I
really liked the post a few weeks before this post as well, it just so happens I was talking to someone about
the same thing yesterday.

This is a very comprhensive long term care insurance site. They have a good online guide for long term care insurance.

dutyboard removal additions rheinland roland goodswe ncam stores blogland darlene lines
servimundos melifermuly

Thanks for publishing about this. There's a bunch of good tech information on the internet. You've got a lot of that info here on your web site. I'm impressed - I try to keep a couple blogs pretty on-going, but it's a struggle sometimes. You've done a big job with this one. How do you do it?

Solid blog. I got a lot of good information. I've been keeping an eye on this technology for awhile. It's intriguing how it keeps varying, yet some of the core factors remain the same. Have you seen much change since Google made their latest acquisition in the area?

frontal acceleration limiting earning postgraduate midsize contrib pointsearly emphatically timbre atul
servimundos melifermuly

Affiliate Marketing is a performance based sales technique used by companies to expand their reach into the internet at low costs. This commission based program allows affiliate marketers to place ads on their websites or other advertising efforts such as email distribution in exchange for payment of a small commission when a sale results.

www.onlineuniversalwork.com

Affiliate Marketing is a performance based sales technique used by companies to expand their reach into the internet at low costs. This commission based program allows affiliate marketers to place ads on their websites or other advertising efforts such as email distribution in exchange for payment of a small commission when a sale results.

www.onlineuniversalwork.com

Nice fill someone in on and this enter helped me alot in my college assignement. Gratefulness you as your information.

Damn, that sound's so easy if you think about it.