
vpn server on router 2821 and pix/ASA


  • vpn server on router 2821 and pix/ASA

    hello,
    I am trying to make a VPN client connection from the Internet. The path is: Internet ------- router (2821) ------- PIX/ASA ------ core switch (internal network). Every time I try to connect from outside my network (i.e. from the Internet) the client shows an error. The Cisco 2821 router is configured as my VPN server. Here are the configurations of my router and of the PIX/ASA:

    router 2821:

    SG-OD-RT-01#sh run
    Building configuration...
    Current configuration : 5703 bytes
    !
    version 12.4
    service timestamps debug datetime msec
    service timestamps log datetime msec
    ! NOTE(review): 'service password-encryption' only applies type-7 obfuscation,
    ! which is trivially reversible. It does not protect any of the 'password 7'
    ! values below; use 'secret' forms where IOS offers them.
    service password-encryption
    !
    hostname SG-OD-RT-01
    !
    boot-start-marker
    boot-end-marker
    !
    ! NOTE(review): buffered logging is off and no 'logging host' appears in this
    ! dump, so IKE/IPsec failures leave no record on the router. While
    ! troubleshooting, 'logging buffered' plus 'debug crypto isakmp' is the first
    ! thing to turn on: it shows whether IKE packets from the client arrive at all.
    no logging buffered
    ! 'enable secret' (type 5) takes precedence when both are configured, so the
    ! type-7 'enable password' is redundant and reversible. Both values have now
    ! been published with this post; rotate them.
    enable secret 5 $1$/DRB$0mKgikepZYevkkX6IbVa90
    enable password 7 14461C1F09162C2A272D
    !
    aaa new-model
    !
    !
    ! Login/exec authorization use the local username database. The two sdm_vpn_*
    ! lists are meant for the VPN server (XAUTH user authentication and group
    ! authorization), but nothing else in this configuration references them --
    ! see the note in the crypto section below.
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    !
    !
    aaa session-id common
    clock timezone Luanda 1
    dot11 syslog
    !
    !
    ip cef
    !
    !
    ip domain name sitdeconline.org
    ip name-server 83.229.88.30
    ip name-server 217.194.129.30
    ip auth-proxy max-nodata-conns 3
    ip admission max-nodata-conns 3
    !
    multilink bundle-name authenticated
    !
    !
    voice-card 0
    no dspfarm
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    !
    ! SDM-style self-signed certificate with revocation checking disabled. Nothing
    ! visible here uses it ('ip http secure-server' is off further down), and it
    ! plays no part in the IPsec VPN, which is pre-shared-key based.
    crypto pki trustpoint TP-self-signed-162419641
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-162419641
    revocation-check none
    rsakeypair TP-self-signed-162419641
    !
    !
    crypto pki certificate chain TP-self-signed-162419641
    certificate self-signed 01
    30820241 308201AA A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31363234 31393634 31301E17 0D303830 38313631 34333435
    315A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
    532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3136 32343139
    36343130 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
    D0DAE2F0 2E5A1679 DD067EAF D3FB9065 36CDC2EF 70C55AB3 433C64B7 042D95C1
    13DE9A7A 5DA58B8D 0ED779B6 B9CE91DD 214DE128 E9D5D620 2C176747 E587B49A
    1EA62D26 20CEF916 B1917B4A CADB97ED 66326D56 78C28689 D6750467 2551CDBC
    A4756025 DF63DEB3 E98D6C8B EC315D5D BEDAEFD4 34480E56 F34E8B07 EDEBE387
    02030100 01A36B30 69300F06 03551D13 0101FF04 05300301 01FF3016 0603551D
    11040F30 0D820B53 472D4F44 2D52542D 3031301F 0603551D 23041830 168014AE
    644BAAB6 BE0F143A 3B3A3075 E9CA06D6 56815F30 1D060355 1D0E0416 0414AE64
    4BAAB6BE 0F143A3B 3A3075E9 CA06D656 815F300D 06092A86 4886F70D 01010405
    00038181 004004CF 97D1948F 6239F633 47A0BF9E C1D19E3E 533A4284 7251F933
    B0250443 CC4A02A8 BCD28F7F 73D4A547 B22B1D96 FEC5045A CE11782C BC64CC4A
    3619AD07 0D8C6407 438554D8 72039181 17A5205E BA8B6B01 7184B1DC 1EB8376B
    E1A1AA7F 5B3C8E16 9ACB08D7 92C6E966 4FE8A6E8 255672C6 973A1433 3D413264
    D53E389C 0A
    quit
    !
    !
    ! The only local account, and it is privilege 15 with a reversible type-7
    ! password ('username admin privilege 15 secret ...' is the stronger form).
    ! Because the XAUTH list above is 'local', this same admin credential is what a
    ! VPN user would have to present; VPN users should get their own low-privilege
    ! accounts (e.g. 'username vpnuser privilege 0 secret ...').
    username admin privilege 15 password 7 0355551F031D274D4D0C
    archive
    log config
    hidekeys
    !
    !
    ! IKE phase 1: 3DES, pre-shared key, DH group 2. No 'hash' line, so the IOS
    ! default (SHA-1) applies. Weak by current standards, but what a 12.4-era
    ! Easy VPN client expects.
    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    !
    ! Easy VPN group 'SITAvpn'. The group key is shared by every user, so XAUTH is
    ! what actually identifies a person. The value displayed here looks like a
    ! forum redaction placeholder rather than the real key; either way the group
    ! name and key were posted publicly and should be changed.
    crypto isakmp client configuration group SITAvpn
    key [email protected]
    dns 83.229.88.30 217.194.129.30
    pool SDM_POOL_1
    !
    !
    ! Phase 2 transform set. Defined, but not referenced by any crypto map (there
    ! is none -- see below). 'crypto ctcp port 10000' enables IPsec-over-TCP on
    ! port 10000 for clients behind restrictive NAT.
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ctcp port 10000
    !
    ! NOTE(review): this is where the VPN server is incomplete. An IOS Easy VPN
    ! server needs (1) a dynamic crypto map that references the transform set,
    ! (2) a crypto map that binds the dynamic map to the two sdm_vpn_* AAA lists
    ! and enables address assignment, and (3) that crypto map applied to the
    ! Internet-facing interface. None of those appear anywhere in this
    ! configuration, and GigabitEthernet0/0 below carries no 'crypto map' line.
    ! Without a crypto map on the interface the router will not negotiate IKE on
    ! 78.138.12.11, which is consistent with the client's "reason 412: the remote
    ! peer is no longer responding". The usual SDM-generated form is:
    !   crypto dynamic-map SDM_DYNMAP_1 1
    !    set transform-set ESP-3DES-SHA
    !    reverse-route
    !   crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
    !   crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
    !   crypto map SDM_CMAP_1 client configuration address respond
    !   crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
    !   interface GigabitEthernet0/0
    !    crypto map SDM_CMAP_1
    !
    !
    ! NBAR-based QoS classification. Unrelated to the VPN problem.
    class-map match-all VOIP
    match protocol rtp audio
    class-map match-all XWINDOWS
    match protocol xwindows
    class-map match-any p2p
    match protocol edonkey
    match protocol gnutella
    match protocol kazaa2
    match protocol bittorrent
    match protocol fasttrack
    match protocol skype
    class-map match-any WEB_TRAFFIC
    match protocol http
    match protocol secure-http
    match protocol ftp
    class-map match-all SQL
    match protocol sqlserver
    match protocol sqlnet
    !
    !
    ! NOTE: the 'police' lines below were wrapped by the terminal at ~80 columns
    ! ('...set-dscp-tra' / 'nsmit 0 ...'); each such pair is one command line in
    ! the real configuration and must be joined before re-pasting.
    policy-map CORP_POLICY
    class p2p
    police 8000 conform-action set-dscp-transmit af11 exceed-action set-dscp-tra
    nsmit 0 violate-action drop
    class WEB_TRAFFIC
    police 250000 conform-action set-dscp-transmit af32 exceed-action set-dscp-t
    ransmit af32 violate-action set-dscp-transmit 0
    class SQL
    police 8000 conform-action set-dscp-transmit af21 exceed-action set-dscp-tra
    nsmit af21 violate-action set-dscp-transmit 0
    class VOIP
    shape peak percent 10
    class XWINDOWS
    police 50000 conform-action set-dscp-transmit af21 exceed-action set-dscp-tr
    ansmit af21 violate-action set-dscp-transmit 0
    !
    !
    !
    !
    !
    ! Internet-facing interface. No inbound 'ip access-group' and, as noted above,
    ! no 'crypto map'. With 'ip http server' enabled below and no
    ! 'ip http access-class', the plaintext HTTP management server is reachable
    ! from the Internet on this address.
    interface GigabitEthernet0/0
    description $ETH-WAN$
    ip address 78.138.12.11 255.255.255.248
    ip nbar protocol-discovery
    ip nat outside
    ip virtual-reassembly
    duplex auto
    speed auto
    service-policy output CORP_POLICY
    hold-queue 4096 out
    !
    ! Link to the PIX outside interface (10.10.1.2) on 10.10.1.0/29.
    interface GigabitEthernet0/1
    description $ETH-LAN$
    ip address 10.10.1.1 255.255.255.248
    ip nbar protocol-discovery
    ip nat inside
    ip virtual-reassembly
    duplex auto
    speed auto
    !
    !
    ! NOTE(review): 'network 77.0.0.0' matches no interface (the WAN is
    ! 78.138.12.11), so it does nothing; it looks like a typo for 78.0.0.0, but
    ! running EIGRP toward the ISP link is not desirable anyway -- remove it, or
    ! add 'passive-interface GigabitEthernet0/0' if it is ever corrected.
    router eigrp 20
    network 10.0.0.0
    network 77.0.0.0
    no auto-summary
    !
    ! NOTE(review): the client pool (10.10.1.3-.5) lies inside GigabitEthernet0/1's
    ! own 10.10.1.0/29, the transit subnet shared with the PIX. The PIX will ARP for
    ! these addresses on its outside interface, so delivery back into the tunnel
    ! relies on the router proxy-ARPing for assigned pool addresses (and on
    ! 'reverse-route' once a dynamic map exists). A dedicated pool subnet with a
    ! static route on the PIX is easier to reason about and to filter.
    ! 'ip default-gateway' is only consulted when IP routing is disabled; the
    ! static default route below is what this router actually uses.
    ip local pool SDM_POOL_1 10.10.1.3 10.10.1.5
    ip default-gateway 78.138.12.9
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 78.138.12.9
    !
    !
    ! Plaintext HTTP management is on, HTTPS is off, and no 'ip http access-class'
    ! restricts sources. Prefer 'no ip http server' / 'ip http secure-server' plus
    ! an access-class limited to the internal range.
    ip http server
    no ip http secure-server
    ! PAT of everything ('access-list 1 permit any') to 78.138.12.12-.14. There is
    ! no NAT exemption for VPN traffic: LAN-to-client replies leaving via Gi0/0
    ! are translated before encryption. The usual fix is a 'deny' ahead of the
    ! 'permit any' for traffic destined to the VPN pool.
    ip nat pool sitdec 78.138.12.12 78.138.12.14 netmask 255.255.255.248
    ip nat inside source list 1 pool sitdec overload
    !
    access-list 1 remark SDM_ACL Category=18
    access-list 1 permit any
    !
    !
    !
    !
    !
    !
    control-plane
    !
    !
    !
    !
    !
    !
    !
    !
    !
    banner login ^C
    --------------------------------------------------
    This Is The Property of Ondo State Government
    Your Identity can and will be traced if you
    carryout any UNAUTHORIZED ENTRY or ACTIVITY
    on this device.
    --------------------------------------------------
    ^C
    banner motd ^C
    ---------------------------------------------------
    Unauthorized Access To This Equipment Is Prohibited
    ---------------------------------------------------
    You have accessed SG-OD-RT-01.sitdeconline.org
    You are accessing line 3
    ----------------------------------------------------
    Unauthorized Access To This Equipment Is Prohibited
    ----------------------------------------------------
    ^C
    !
    ! Under 'aaa new-model' the default login list (local usernames) applies to all
    ! of these lines, so the type-7 line passwords below are not actually used.
    ! NOTE(review): the vty lines carry no 'transport input' and no 'access-class',
    ! so the platform default applies -- on 12.4 that normally includes telnet, from
    ! any source including the WAN. Prefer 'transport input ssh' with
    ! 'ip ssh version 2' (an RSA key must exist) and an 'access-class' limited to
    ! the internal range. 'line aux 0' has no 'no exec', so a modem on it would
    ! offer a login.
    line con 0
    password 7 101F070D0005140A0F01
    logging synchronous
    line aux 0
    password 7 101F070D0005140A0F01
    line vty 0 4
    password 7 135419060E1E022B2821
    !
    scheduler allocate 20000 1000
    !
    end
    SG-OD-RT-01#
    SG-OD-RT-01#




    pix/ASA....

    SG-OD-PIX-01#
    SG-OD-PIX-01# sh run
    : Saved
    :
    PIX Version 8.0(3)
    !
    hostname SG-OD-PIX-01
    domain-name sitdeconline.org
    : NOTE(review): the enable, login ('passwd') and admin-user hashes in this dump
    : have been published with the post; treat them as compromised and change them.
    enable password 1.eYFCbkc2qphhCj encrypted
    names
    dns-guard
    !
    : outside (security 0) faces the 2821's LAN interface on 10.10.1.0/29; inside
    : (security 100) is 10.10.1.8/29 toward the core switch. Ethernet2-5 are shut.
    interface Ethernet0
    nameif outside
    security-level 0
    ip address 10.10.1.2 255.255.255.248
    !
    interface Ethernet1
    nameif inside
    security-level 100
    ip address 10.10.1.9 255.255.255.248
    !
    interface Ethernet2
    shutdown
    nameif intf2
    security-level 4
    no ip address
    !
    interface Ethernet3
    shutdown
    nameif intf3
    security-level 6
    no ip address
    !
    interface Ethernet4
    shutdown
    nameif intf4
    security-level 8
    no ip address
    !
    interface Ethernet5
    shutdown
    nameif intf5
    security-level 10
    no ip address
    !
    passwd 2KFQnbNIdI.2KYOU encrypted
    boot system flash:/image.bin
    ftp mode passive
    clock timezone WAT 1
    dns server-group DefaultDNS
    domain-name sitdeconline.org
    : acl_out is defined but never applied (the only access-group below is
    : vpn_client), so it has no effect.
    access-list acl_out extended permit icmp any any
    : NOTE(review): this is the only rule on the outside interface. It admits just
    : one pool address (the router hands out 10.10.1.3-10.10.1.5) and only to
    : 10.10.1.9, which is this firewall's own inside interface. Through-traffic
    : addressed to the firewall's own interface IP is not forwarded, so even a
    : working tunnel would reach nothing behind the PIX. A usable rule permits each
    : pool address to the internal ranges (10.10.0.0/16 per the inside route
    : below), e.g.
    :   access-list vpn_client extended permit ip host 10.10.1.3 10.10.0.0 255.255.0.0
    : repeated for .4 and .5, and -- because nat-control is on -- an identity static
    : for those destinations (see the NAT note below).
    access-list vpn_client extended permit ip host 10.10.1.3 host 10.10.1.9
    pager lines 24
    : NOTE(review): logging goes only to ASDM. Add 'logging buffered informational'
    : (and a syslog host) so ACL denies on the outside interface can be seen from
    : the CLI while troubleshooting.
    logging enable
    logging asdm informational
    mtu outside 1500
    mtu inside 1500
    mtu intf2 1500
    mtu intf3 1500
    mtu intf4 1500
    mtu intf5 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image flash:/asdm-603.bin
    asdm history enable
    arp timeout 14400
    : NOTE(review): with 'nat-control', an outside-initiated connection to an inside
    : host must match a 'static'; the only translation here is dynamic PAT for
    : inside-initiated traffic, so VPN-client-to-LAN packets would be dropped for
    : lack of a translation even after the ACL is fixed. An identity static such as
    :   static (inside,outside) 10.10.0.0 10.10.0.0 netmask 255.255.0.0
    : (or a 'nat (inside) 0 access-list ...' exemption) is needed.
    nat-control
    global (outside) 1 interface
    nat (inside) 1 0.0.0.0 0.0.0.0
    access-group vpn_client in interface outside
    : Default route via the 2821 (10.10.1.1); internal 10.10.0.0/16 via 10.10.1.10
    : (presumably the core switch).
    route outside 0.0.0.0 0.0.0.0 10.10.1.1 1
    route inside 10.10.0.0 255.255.0.0 10.10.1.10 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    : Both AAA server groups are empty (no 'aaa-server ... host' lines) and unused;
    : all management authentication below is LOCAL.
    aaa-server TACACS+ protocol tacacs+
    aaa-server RADIUS protocol radius
    aaa authentication http console LOCAL
    http server enable
    http 10.10.0.0 255.255.0.0 inside
    no snmp-server location
    no snmp-server contact
    : NOTE(review): default community string 'public'. No 'snmp-server host' is
    : configured, so nothing can poll it yet, but change it before one is added.
    snmp-server community public
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    : No VPN terminates on this PIX (no crypto map), so 'sysopt connection
    : permit-vpn' is irrelevant here and the DES/MD5 transform set is unused;
    : both can be removed.
    no sysopt connection permit-vpn
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    : NOTE(review): management from the inside /16 is plaintext telnet; no 'ssh'
    : access line is configured. Prefer 'ssh 10.10.0.0 255.255.0.0 inside' (after
    : generating an RSA key) and drop the telnet line. 'console timeout 0' means a
    : console session never times out.
    telnet 10.10.0.0 255.255.0.0 inside
    telnet timeout 30
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics
    username admin password xMnxCgc.xp9Nx7u4 encrypted privilege 15
    !
    class-map inspection_default
    match default-inspection-traffic
    !
    !
    : Default application inspection set; unrelated to the VPN problem.
    policy-map type inspect dns migrated_dns_map_1
    parameters
    message-length maximum 512
    policy-map global_policy
    class inspection_default
    inspect dns migrated_dns_map_1
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect http
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip
    inspect xdmcp
    !
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:54b27217137937b43c9616256ee3ad45
    : end
    SG-OD-PIX-01#
    SG-OD-PIX-01#

    Also, here is the error message the VPN client shows: "Secure VPN connection terminated locally by the client. Reason 412: The remote peer is no longer responding". (Reason 412 means the client received no IKE response, or stopped receiving responses, from the peer address it was given.)