VPN - Cisco Client from behind an IOS box with Site-to-Site VPN on Box


Author: Yulunga
2004-10-05, 5:45 pm

OK --

I have a Cisco 800 DSL router with a site-to-site VPN that works fine. I also have remote access to the network behind the IOS through a Cisco VPN client v4.6. What I now need is to set up access to another remote network with the Checkpoint SecuRemote VPN client from inside my home network. Below is the config of my home network; the Checkpoint client is on 10.100.200.10 255.255.255.224. I have 8 public IP addresses from my ISP and only use the one with NAT.

Please could someone help me with an explanation on how to go about this!!!

HOUSTON#show conf
Using 4426 out of 131072 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname HOUSTON
!
boot-start-marker
boot-end-marker
!
enable secret !
username dogma pass
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network client3000 local
aaa session-id common
ip subnet-zero
!
!
!
!
ip domain name simian.com
ip inspect name in2out rcmd
ip inspect name in2out ftp
ip inspect name in2out tftp
ip inspect name in2out tcp timeout 43200
ip inspect name in2out http
ip inspect name in2out udp
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
crypto isakmp key test321 address 212.100.100.3
crypto isakmp key test123 address 80.100.100.10
!
crypto isakmp client configuration group client3000
key user@test1234user
dns 10.100.200.11
domain simian.com
pool ippool
acl 101
crypto isakmp profile VPNclient
match identity group client3000
client authentication list userauthen
isakmp authorization list client3000
client configuration address respond
!
!
crypto ipsec transform-set vpn-trans esp-3des esp-sha-hmac
mode transport
!
crypto ipsec profile test123
set security-association lifetime seconds 1800
!
!
crypto dynamic-map dynmap 10
set transform-set vpn-trans
set isakmp-profile VPNclient
reverse-route
!
!
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
crypto map dynmap 10 ipsec-isakmp
set peer 212.100.100.3
set transform-set vpn-trans
set pfs group2
match address 111
crypto map dynmap 20 ipsec-isakmp
set peer 80.100.100.10
set transform-set vpn-trans
set pfs group2
match address 115
!
!
!
interface Ethernet0
ip address 10.100.200.1 255.255.255.224
ip nat inside
ip virtual-reassembly
no ip mroute-cache
fair-queue
no cdp enable
hold-queue 100 out
!
interface ATM0
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
dsl operating-mode auto
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface FastEthernet1
no ip address
duplex auto
speed auto
!
interface FastEthernet2
no ip address
duplex auto
speed auto
!
interface FastEthernet3
no ip address
duplex auto
speed auto
!
interface FastEthernet4
no ip address
duplex auto
speed auto
!
interface Dialer0
ip address negotiated
ip access-group 121 in
ip nat outside
ip inspect in2out out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer enable-timeout 2
dialer-group 1
fair-queue
ppp authentication chap callin
ppp chap hostname ****
ppp chap password ***
crypto map dynmap
hold-queue 224 in
!
ip local pool ippool 192.168.1.200 192.168.1.210
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0
!
no ip http server
no ip http secure-server
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static 10.100.200.10 212.100.10.51
!
access-list 100 deny ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255
access-list 100 deny ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255
access-list 100 deny ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255
access-list 100 permit ip 10.100.200.0 0.0.0.31 any
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.100.200.0 0.0.0.31
access-list 101 permit ip 10.100.200.0 0.0.0.31 192.168.1.0 0.0.0.255
access-list 103 deny ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255
access-list 103 deny ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255
access-list 103 deny ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255
access-list 103 deny ip 10.100.200.0 0.0.0.31 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.100.200.0 0.0.0.31 any
access-list 103 permit ip 192.168.1.0 0.0.0.31 any
access-list 111 permit ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255
access-list 111 permit ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255
access-list 115 permit ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255
dialer-list 1 protocol ip permit
route-map nonat permit 10
match ip address 103
!
!
control-plane
!
!
line con 0
line aux 0
transport preferred ssh
stopbits 1
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end




Y.
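Added example (not code from the original post): a small Python model of the NAT and crypto-map decision path in the HOUSTON config above, built from the access-list, static-NAT, route-map and crypto-map lines as posted. It assumes Cisco's published inside-to-outside order of operations (NAT, static entries before dynamic, then crypto-map matching on the translated packet; static crypto map entries before the dynamic one) and contiguous wildcard masks. Under that assumption the model shows the point a practitioner would check first: the unconditional `ip nat inside source static 10.100.200.10 212.100.10.51` translates the SecuRemote host before the crypto map is consulted, so its traffic toward the site-to-site networks no longer matches ACLs 111/115 and leaves in cleartext, while the rest of the LAN is tunnelled as intended. Separately, Dialer0 applies `ip access-group 121 in` but no access-list 121 appears in the posted config; IOS treats a referenced-but-undefined ACL as permit-all, so the inbound filter is effectively empty.

```python
"""Constructed model of NAT vs. crypto-map handling for the posted HOUSTON
config. Added example, not code from the original post.

Assumption: IOS processes inside-to-outside traffic as NAT (static entries
before dynamic) followed by crypto-map matching on the translated packet,
and checks static crypto map entries before the dynamic entry.
"""
import ipaddress

# Lines copied from the posted running config (constructed excerpt).
CONFIG = """
ip nat inside source route-map nonat interface Dialer0 overload
ip nat inside source static 10.100.200.10 212.100.10.51
access-list 101 permit ip 192.168.1.0 0.0.0.255 10.100.200.0 0.0.0.31
access-list 101 permit ip 10.100.200.0 0.0.0.31 192.168.1.0 0.0.0.255
access-list 103 deny ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255
access-list 103 deny ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255
access-list 103 deny ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255
access-list 103 deny ip 10.100.200.0 0.0.0.31 192.168.1.0 0.0.0.255
access-list 103 permit ip 10.100.200.0 0.0.0.31 any
access-list 103 permit ip 192.168.1.0 0.0.0.31 any
access-list 111 permit ip 10.100.200.0 0.0.0.31 10.240.0.0 0.0.255.255
access-list 111 permit ip 10.100.200.0 0.0.0.31 145.227.178.0 0.0.0.255
access-list 115 permit ip 10.100.200.0 0.0.0.31 10.10.10.0 0.0.0.255
route-map nonat permit 10
 match ip address 103
"""

# Static crypto map entries from the config: sequence -> (peer, match ACL).
CRYPTO_MAP = {10: ("212.100.100.3", 111), 20: ("80.100.100.10", 115)}
CLIENT_ACL = 101  # split-tunnel ACL pushed to VPN clients (dynamic map)


def parse_addr(tokens):
    """Consume one IOS ACL address spec ('any', 'host X' or 'addr wildcard').
    Returns (network, remaining tokens); assumes contiguous wildcards."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    wild = int(ipaddress.ip_address(tokens[1]))
    netmask = ipaddress.ip_address(0xFFFFFFFF ^ wild)
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]


def parse_config(text):
    """Return (acls, statics, nat_acl): ACL entries by number, static inside->
    outside translations, and the ACL behind the dynamic-NAT route-map."""
    acls, statics, routemaps = {}, {}, {}
    nat_rm = current_rm = None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "access-list" and tok[3] == "ip":
            src, rest = parse_addr(tok[4:])
            dst, _ = parse_addr(rest)
            acls.setdefault(int(tok[1]), []).append((tok[2], src, dst))
        elif tok[:5] == ["ip", "nat", "inside", "source", "static"]:
            statics[ipaddress.ip_address(tok[5])] = ipaddress.ip_address(tok[6])
        elif tok[:5] == ["ip", "nat", "inside", "source", "route-map"]:
            nat_rm = tok[5]
        elif tok[0] == "route-map":
            current_rm = tok[1]
        elif tok[:3] == ["match", "ip", "address"] and current_rm:
            routemaps[current_rm] = int(tok[3])
    return acls, statics, routemaps[nat_rm]


def acl_action(acls, num, src, dst):
    """First-match evaluation with the implicit deny that ends every IOS ACL."""
    for action, s, d in acls.get(num, []):
        if src in s and dst in d:
            return action
    return "deny"


ACLS, STATICS, NAT_ACL = parse_config(CONFIG)


def crypto_peer(acls, src, dst):
    """Static crypto map entries first (lowest sequence), then the dynamic map."""
    for seq, (peer, num) in sorted(CRYPTO_MAP.items()):
        if acl_action(acls, num, src, dst) == "permit":
            return f"IPsec to {peer} (crypto map seq {seq})"
    if acl_action(acls, CLIENT_ACL, src, dst) == "permit":
        return "IPsec to remote-access client (dynamic map, ACL 101)"
    return None


def classify(src, dst, acls=ACLS, statics=STATICS, nat_acl=NAT_ACL):
    """Describe how the router handles an inside->outside packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src in statics:
        # Static translation is unconditional; the crypto ACLs then see the
        # public source address, which none of them match in this config.
        pub = statics[src]
        tail = crypto_peer(acls, pub, dst) or "cleartext via Dialer0"
        return f"static NAT {src}->{pub}, then {tail}"
    if acl_action(acls, nat_acl, src, dst) == "permit":
        # PAT to the negotiated Dialer0 address; the crypto ACLs here only
        # match private sources, so the translated packet leaves in cleartext.
        return "PAT to Dialer0 address, cleartext"
    return crypto_peer(acls, src, dst) or "routed untranslated and unencrypted"


if __name__ == "__main__":
    for s, d in [("10.100.200.5", "10.10.10.7"), ("10.100.200.5", "198.51.100.9"),
                 ("10.100.200.10", "10.10.10.7"), ("10.100.200.5", "192.168.1.205")]:
        print(f"{s} -> {d}: {classify(s, d)}")
```

The destinations in the usage block are taken from the posted ACLs (10.10.10.0/24 behind peer 80.100.100.10, 192.168.1.0/24 for the client pool) plus a constructed public address; swap in your own pairs to audit which LAN hosts are actually protected by the crypto map and which are translated first.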

Copyright 2003 - 2008 webservertalk.com