Cisco – How To configure an IPSec VPN
Posted by Josh on Sat 13 Oct 2007. Categories: Cisco, Cisco Routers. [92] Comments
A virtual private network (VPN) is a network that uses a public telecommunication infrastructure, such as the Internet, to provide remote offices or individual users with secure access to their organization’s network. The following tutorial will show you how to connect two locations together with an IPSec VPN using pre-shared key authentication.
Broadband prices get lower and lower while speeds keep getting faster and faster. Although VPNs have mostly been used for non-critical, low traffic connections, many companies are looking to the internet for primary connectivity.
There are 5 basic steps to configure a VPN using Cisco routers.
1) Configure the ISAKMP policy
2) Configure the ISAKMP pre-shared key
3) Configure the IPSec transform-set
4) Configure an access-list to identify traffic to be encrypted
5) Configure a crypto map to tie steps 2 – 4 together.
6) Apply the crypto map to the external interface.
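
The six steps as one pair of matching configurations, added here as an illustration (this is not the tutorial's own config, which is in the video and the download). The LAN subnets, ACL number, transform-set and crypto map names follow the snippets posted in the comments; the outside addresses 192.0.2.1 and 198.51.100.1, the interface names, the IKE policy values and the `<PRE_SHARED_KEY>` placeholder are assumptions.

```cisco
! Added example. Constructed values: outside addresses 192.0.2.1 (R1) and
! 198.51.100.1 (R2), interface names, IKE policy values, <PRE_SHARED_KEY>.
!
! ================= R1 (LAN 192.168.1.0/24) =================
! 1) ISAKMP (IKE phase 1) policy; R2 must carry a matching policy
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
! group 14 assumes an image that offers it; pick the strongest group both
! routers support.
!
! 2) Pre-shared key, bound to the peer's outside address (same key on R2).
!    Use a long random value, unique per peer.
crypto isakmp key <PRE_SHARED_KEY> address 198.51.100.1
!
! 3) IPSec (phase 2) transform-set: ESP with AES encryption and SHA HMAC
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
!
! 4) Traffic to be encrypted: R1 LAN -> R2 LAN
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
! 5) Crypto map tying the key's peer, the transform-set and the ACL together
crypto map vpn 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set esp-aes-sha
 match address 101
!
! 6) Apply the crypto map to the external interface
interface Serial0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map vpn
!
! ================= R2 (LAN 192.168.2.0/24) =================
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key <PRE_SHARED_KEY> address 192.0.2.1
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
! The ACL on R2 must be the exact mirror image of the ACL on R1
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
crypto map vpn 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set esp-aes-sha
 match address 101
interface Serial0/0
 ip address 198.51.100.1 255.255.255.252
 crypto map vpn
!
! ================= Verification (run on R1) =================
! The tunnel is built on demand, so send traffic that matches ACL 101.
! A ping sourced from the outside interface does not match and stays
! unencrypted; source it from the LAN side (FastEthernet0/0 is assumed):
!   ping 192.168.2.254 source FastEthernet0/0
!   show crypto isakmp sa    (phase 1 state should reach QM_IDLE)
!   show crypto ipsec sa     (encaps/decaps counters should increase)
!   show crypto session      (session status for the peer)
```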

Configure router R1
Configure router R2
Download the ipsec.net config file and ISP router configuration here.
If this is not what you are looking for, here are a few other VPN tutorials I have:
How to configure remote access vpn on a router
How to configure a GRE/IPSec VPN – Part 1
How to configure a GRE/IPSec VPN – Part 2
How to configure NAT for an IPSec VPN


October 15th, 2007 at 12:02 am
good job!
October 15th, 2007 at 4:59 am
Great !!!
Would you provide example for Remote Access VPN?
October 16th, 2007 at 8:03 am
Remote Access VPN is on the list of future tutorials.
October 17th, 2007 at 1:18 am
Hi
Please provide an example of configuring IPsec between a Cisco router and Microsoft Windows or Linux.
thanks
October 30th, 2007 at 2:33 pm
Hey, cool VPN video…can I download a copy of it?
Thx!
Jason
November 12th, 2007 at 1:16 pm
WOW…Cool stuff, very useful … Keep up the good work, sir.
I will keep coming back to browse Blindhog.
Many Thanks.
November 23rd, 2007 at 7:00 pm
Nice… do you know anything about router RIP, and how to retrieve lost passwords on a Cisco router when it crashes?
November 23rd, 2007 at 11:52 pm
Sure. Do you need help with it or would you like a tutorial?
November 29th, 2007 at 4:15 pm
How do you configure the internet cloud? You have only talked of the 2 routers.
Please help
November 29th, 2007 at 9:09 pm
Sure. You can download a zip file with the ipsec.net and ISP router config HERE
December 5th, 2007 at 8:49 am
Which IOS is this? From my 3640 I can’t use the crypto isakmp commands.
December 5th, 2007 at 1:56 pm
You will need an encryption image.
December 11th, 2007 at 12:50 am
I did this by using a 3725 router with an IPSec-enabled image. For the ISP I used a 3640 router.
Thx a lot.
December 21st, 2007 at 6:47 pm
I WOULD LIKE INFO ON ROUTER RIP CAN YOU SEND ME SOMETHING ON LOST PASS WORDS AT KOOL2BME1@YAHOO.COM…WOULD GREATLY APPRECIATE IT
December 23rd, 2007 at 9:22 am
RIP
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=xv7&q=how+to+configure+rip&btnG=Search
Lost Password
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&hs=HGn&q=cisco+lost+password&btnG=Search
January 24th, 2008 at 4:57 pm
That was awesome and exactly what I was looking for!! Thank you!
February 2nd, 2008 at 9:47 am
I can’t thank you enough for this tutorial. I have searched high and low for a step by step to do just this.
You are the man!!!!!!
Thanks again for such a good tutorial
February 4th, 2008 at 1:58 pm
Great video,
Do you have any configuration tutorials doing the same thing using IPsec,
between a Cisco 3000 VPN Concentrator and a Cisco 851?
Been looking all over and can't find much on these two. With the info provided, though, I will try and set something up.
March 12th, 2008 at 11:12 am
Forgive my ignorance – but which IOS images contain encryption? I’ve got a whole library of IOS images! (I know this could open a can of worms explaining the whole naming convention thing! But just the basic of what to look for will do! Thanks in advance!)
March 12th, 2008 at 4:21 pm
If you have a cisco.com account, you can go to
http://www.cisco.com/go/fn
Use the feature navigator to find out what capabilities a particular image has.
March 13th, 2008 at 4:49 am
Dude! That’s exactly what I’m looking for. Cheers mate!
April 26th, 2008 at 1:49 pm
Would you provide example for pix-to-pix vpn?
April 29th, 2008 at 11:29 am
Is the VPN relationship 1:1 or 1:many? I.e. if I have two remote offices, can I get away with just one 851 at the home office, or does the home office need a separate router for each remote office?
April 29th, 2008 at 8:31 pm
Mule,
The VPN is a 1:many or many to many. You can have one router at the home office. The key is that you have to use the same crypto map name.
crypto isakmp key R4zorb4ck address 23.45.67.2
crypto isakmp key R4zorb4ck address 34.56.78.2
crypto ipsec transform-set esp-aes-sha esp-aes esp-sha-hmac
! ACL 101 selects traffic for the first remote site
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
! ACL 102 selects traffic for the second remote site; 192.168.3.0/24 is an
! assumed LAN, since each site needs its own subnet for its map entry to match
access-list 102 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
crypto map vpn 10 ipsec-isakmp
 match address 101
 set peer 23.45.67.2
 set transform-set esp-aes-sha
crypto map vpn 20 ipsec-isakmp
 match address 102
 set peer 34.56.78.2
 set transform-set esp-aes-sha
int s0/0
 crypto map vpn
Josh
May 2nd, 2008 at 9:00 am
Josh,
Thanks for the answer and the additional detail. The example you gave shows two remotes with static IPs. Is a similar configuration possible with dynamic IPs? The scenario is a home office with three telecommuters. We want to extend both our network and phone system to them over VPN, but I doubt they have static IPs at home. It would be worth the extra $ to get them a static, but for at least one user that might not be an option.
May 13th, 2008 at 12:35 pm
Thanks for making the configurations so clear and easy to follow. Your configs were a main resource for me setting up an IPSec VPN for my employer. Thanks again!!!
May 21st, 2008 at 1:18 pm
That is just great… and it's really helpful. Good job!!!!
June 9th, 2008 at 2:53 am
v v v good job done
June 10th, 2008 at 2:26 am
Very good job… Thanks
Please send some OSPF tutorial/configuration links.
-Riton
June 23rd, 2008 at 5:01 am
Hello.
I have a problem using the crypto command.
Can you provide an IOS, or only the name of the one you used for this tutorial?
I can’t find any encryption image.
Thanks.
August 25th, 2008 at 8:49 pm
Man very good but how can i configure this with split tunneling.
Thanks
August 28th, 2008 at 8:44 pm
Thank you for the great info. I was able to get 3 tunnels successfully created.
I am not able to use RDP over any of them though, and after googling the issue I see I am not alone. Can you provide information on what steps are necessary to allow RDP over an IPSEC tunnel?
August 28th, 2008 at 9:56 pm
Tom,
It might be an MTU issue. Try adding ‘crypto ipsec df-bit clear’ in global config mode.
Josh
September 1st, 2008 at 9:49 pm
Brilliant work. great explanation.
November 13th, 2008 at 3:34 pm
You can see the version of IOS from the first screen of the tutorial. When the system boots up to the run menu option, you can see the version and level.
I have a small problem when I tried it. I don’t have serial ports. What blades did you use for 0 and 1? I used the following IOS: Cisco IOS Software, 3600 Software (C3640-JK9O3S-M), Version 12.4(5a), RELEASE SOFTWARE (fc3). I know yours was 12.4(16), but is there that much difference from these levels? Any thoughts?
November 21st, 2008 at 11:02 am
Awesome job!!!! Very informative. Can you provide the same for a remote access VPN connection?
Thanks
November 26th, 2008 at 7:04 am
John,
Once I am finished with the virtual voice lab, I might look into doing a remote access vpn tutorial.
Josh
November 30th, 2008 at 6:24 am
Keep up the brilliant jobs Bro … will keep in browse into blindhog in the future, and hope to learn the remote access VPN from you…
THANKS THANKS THANKS !!!
January 29th, 2009 at 4:39 pm
Very Good!
I have difficulties to shape a router for remote login from a static IP with ssh, from the lan ssh it works but not from external interface.
Assuming external interface ATM0 and remote IP 79.1.X.X how to qualify ssh? Thanks Thousands!
February 16th, 2009 at 4:59 am
Hi there
I am not sure if I have missed out anything, but I have downloaded the ipsec.net config files and tried it out. The only changes I made are to the file path.
These are the issues which I encountered
1) when I tried to ping the 192.168.2.254 from R1 I get ‘U.U.U’
2) when I ‘show crypto session’ it shows that the IP Sec is down.
Is there anything I missed?
Thanks in Advance
February 24th, 2009 at 11:03 am
great tutorial!
is there any news on the Remote Access VPN tutorial that was promised?
February 24th, 2009 at 9:59 pm
len,
Yes, it has been put on hold. I have been working on the virtual voice lab tutorial series instead.
Josh
February 25th, 2009 at 11:56 am
Hi Josh,
Would it be possible to post an example config, if you have one, or point me to a suitable www site?
It would be greatly appreciated!
Thanks
February 26th, 2009 at 7:11 am
len,
I will try to come up with a sample config for you. Sorry my intentions shifted focus.
Josh
February 26th, 2009 at 10:25 am
Thanks.
One last question, on the ipsec vpn solution above: in practice, is it advised to hide both of the cisco routers behind firewalls, permitting only ipsec traffic?
Without using firewalls, how can i secure each device to ensure that no unauthorised internet access or traffic can use the vpn tunnel?
Thanks
February 28th, 2009 at 9:34 am
Gud show
March 2nd, 2009 at 1:07 pm
very very good
very nice to see this
March 5th, 2009 at 9:13 pm
Len,
In this configuration, you should use access-lists and CBAC to ensure security.
Another thing you can do is to remove the gateway of last resort (default gateway) from your router and only insert static routes to the other vpn routers just for good measure.
Josh
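
One way to apply the two suggestions in the reply above on the home-office router, as an added example that is not part of Josh's reply: an inbound ACL on the outside interface that admits only IKE and ESP from the known peer, CBAC for return traffic, and static routes in place of a default route. The addresses 192.0.2.1 (this router's outside) and 198.51.100.1 (peer) are constructed, and the names OUTSIDE-IN, FW and Serial0/0 are assumptions.

```cisco
! Added example. Constructed values: 192.0.2.1 = this router's outside
! address, 198.51.100.1 = VPN peer. OUTSIDE-IN, FW and Serial0/0 are
! assumed names.
!
! --- Inbound filter on the external interface ---
ip access-list extended OUTSIDE-IN
 remark IKE (UDP 500) from the known peer only
 permit udp host 198.51.100.1 host 192.0.2.1 eq isakmp
 remark IPSec ESP (IP protocol 50) from the known peer only
 permit esp host 198.51.100.1 host 192.0.2.1
 remark Drop and log everything else arriving on the outside
 deny ip any any log
! If the peers negotiate NAT traversal, also permit UDP 4500 above the deny:
!  permit udp host 198.51.100.1 host 192.0.2.1 eq non500-isakmp
! If LAN-to-LAN traffic stops once the ACL is applied, the release in use
! also checks decrypted packets against this ACL; permit the remote LAN
! above the deny line as well:
!  permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
!
! --- CBAC: lets replies to sessions started from the inside back in ---
! Only relevant while the router still forwards non-VPN traffic outward.
ip inspect name FW tcp
ip inspect name FW udp
ip inspect name FW icmp
!
interface Serial0/0
 ip access-group OUTSIDE-IN in
 ip inspect FW out
 crypto map vpn
!
! --- No gateway of last resort: route only the peer and the remote LAN ---
! Adjust the "no ip route" line to match the default route actually configured.
no ip route 0.0.0.0 0.0.0.0 Serial0/0
! Reachability of the peer's outside address for IKE and ESP
ip route 198.51.100.1 255.255.255.255 Serial0/0
! The remote LAN must route out the crypto-mapped interface, otherwise the
! packets never reach the crypto map and are not encrypted
ip route 192.168.2.0 255.255.255.0 Serial0/0
!
! --- Checks ---
!   show access-lists OUTSIDE-IN   (hit counters per line, including the deny)
!   show ip inspect sessions       (sessions CBAC is currently tracking)
!   show ip route                  ("Gateway of last resort is not set")
```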
March 5th, 2009 at 9:28 pm
Len,
This link should help.
http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_easy_vpn_srvr_ps6441_TSD_Products_Configuration_Guide_Chapter.html
Josh
March 25th, 2009 at 8:37 pm
Very useful…..
March 26th, 2009 at 10:19 am
Hi Josh,
I have set up your example above, which works perfectly. However, is it possible to have multiple crypto mappings on a single interface? I'm hoping to configure multiple IPsec VPNs on a central, ‘hub-style’ router which can support several tunnels.
Thanks
Len
April 19th, 2009 at 7:45 am
len,
Yes, you can have multiple crypto maps on an interface. Just do it like this.
crypto map newvpn 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set STRONG
 match address 102
crypto map newvpn 11 ipsec-isakmp
 set peer 10.1.1.3
 set transform-set STRONG
 match address 103
crypto map newvpn 12 ipsec-isakmp
 set peer 10.1.1.4
 set transform-set STRONG
 match address 104
interface Fa0/0
 crypto map newvpn
Josh
August 1st, 2009 at 12:23 am
Hi,
Thank you for such a wonderful tutorial!!!!
pls add the configuration for remote access vpn!!!
Thanks a lot!!!
August 27th, 2009 at 4:50 pm
Excellent!
Thank you!
October 29th, 2009 at 9:17 am
Nice, thanks for the tutorial.
November 1st, 2009 at 6:24 am
This is what I was looking for.
Thanks a lot !!!
November 1st, 2009 at 3:44 pm
I just tried and it works. This is just great.
Thanks, Thanks, Thanks
November 3rd, 2009 at 5:08 am
It is an Awesome one..You are simply great & god bless. No Words to say:) I was actually looking for a dynamic internet ip[adsl] – VPN setup [with Dyndns or no-ip] for remote VPN users. Can you please guide on it or where can I get similar guidance.
November 9th, 2009 at 11:08 am
Hello Josh … this example was interesting, but i would like to know…how will be, if we want a vpn over ip sec with different device in both sites, for example Juniper (ADSL Connection)in one and ASA 5110 in the other side. Thanks a lot for you attention.
Thanks
November 12th, 2009 at 6:04 pm
Is this a VPN transport mode ?
November 19th, 2009 at 1:27 am
Hi
Great video. When you configured the fast ethernet port, you used the no keepalive command. I presume this is because no actual cable is plugged into the port and the no keepalive command fools the port into thinking that it is up all the time, correct?
December 21st, 2009 at 1:26 am
Hi, great job.
I would like to know how to set up the site to site VPN using DDNS. In my scenario I am using Cisco at HO and SonicWall at the remote end. For info, I have already configured this and it is working flawlessly, but as soon as a dyndns IP change occurs at the site we lose the tunnel. The Cisco has a leased line and the SonicWall is on ADSL, where I have configured the DDNS in the modem provided by the ISP and port forwarding to the SonicWall at the remote site.
It will be greatly appreciated if you guys help me on this.
Regards,
Ashish Vaishya
February 12th, 2010 at 4:38 pm
What a good post!!!!
I am doing my Final Job about IPSec VPN on Cisco and this post is very very helpful.
Thank you so much
February 14th, 2010 at 4:52 am
Hi,
Good day. I would like to know how to set up a site to multi-site VPN using a Cisco router. In my scenario I am using a Cisco 2811 at Head office and some Cisco 2610s at the remote end.
It will be greatly appreciated if you guys help me on this issue.
With Best Regards,
M Crown
March 23rd, 2010 at 1:19 pm
Hello,
thank you very much for this help!^^
I used three 1841 for this test, and configure only FastEthernet interfaces.
Nevertheless I can not ping the other side of the VPN… I do not have exactly the same configuration of the ISP router: for example I have “Ip Classless” but do not have “Ip Cef”.
Do you think it is why I can ping through the VPN?
Thanks for your time
April 22nd, 2010 at 4:03 pm
Brice: I’ll assume you are using an xDSL connection, if so, try using the Dialer0 Interface, these are your external interfaces unless you are told that you are using the FE interface. Most configs you see for and from Cisco are more likely set up in a test lab where the connection is either a serial interface or ethernet interface.
Josh – quick question: I need to connect a C1841 router to a Netgear DG834 router, using IPSEC. Are there any tricks I need to perform on the NetGear to allow the VPN tunnel to work? Also I need to configure QoS on the C1841 for VoIP and RDP protocols only.
Thanks
May 20th, 2010 at 11:50 am
Excellent article!.
Would you provide example for Remote Access VPN? I want to learn it.
Many thanks, from Arg.
Germán
June 21st, 2010 at 2:21 pm
Hi Users! This software is great!!!
Someone could test with this software Remote Access VPN ??? and for the other hand i installed a linux machine host in GNS3. Someone know where i can download a windows test machine ? because i would like t test a Remote Access VPN installing the vpn cisco software.
Thz
July 3rd, 2010 at 12:14 pm
Say how to create one site have static public ip and other remote site have dynamic public ip ,how to create IPSEC vpn through the Internet
im very appreciate if u could explain
regards
Rajeewa
July 17th, 2010 at 4:36 pm
This is amazingly kewl, made me understand stuff i never did.
Aj.
July 26th, 2010 at 9:50 am
hi! sorry my ignorance but I’m starting to configure cisco equipments.
the video is great, but I want to configure a vpn Internet -> Router with cisco client to access the vpn.
Any help?
July 27th, 2010 at 8:18 pm
Rajeewa,
You would need to use DMVPN or EzVPN if one side has a dynamic ip address.
Josh
July 27th, 2010 at 8:26 pm
Pedro,
I need to put a tutorial together for that. I have had a lot of requests.
Josh
August 21st, 2010 at 3:04 am
The video-based explanation is very helpful for beginners. This gives a feel of practical experience.
September 5th, 2010 at 3:14 am
how to construct one VPN site to site step by step between two cisco router 2811
Hello friends, I need all information reference a this topis about VPN site to site.
Thanks for your collaboration.
September 20th, 2010 at 1:16 am
great …. brother finally it worked for me
October 3rd, 2010 at 3:38 am
thank you sooooooooooooooooooooooooo much.
This thing has given me sleepless nights. Thanks man. It really helped.
cheers man
October 28th, 2010 at 1:00 pm
Hi,Very nice tutorial..4 Thumbs up for y
February 14th, 2011 at 8:06 am
thanks a lot for work i so much appreciate it.how connect my active directory to a lan- to lan ipsec cisco tunnel
May 8th, 2011 at 7:20 am
how to start capture with wireshark
June 1st, 2011 at 3:39 pm
I’m at my wits end… and hopefully you can help.
We had a working VPN on a 2650 that allowed our 2 branches to connect to us. It was slow over the single T1, but it worked ok. We upgraded to a second T1 (bonded with multilink PPP encap) and a new router (Cisco 2901) and all hell has broken loose.
The internet works fine, nice and fast. However the VPN is a nightmare. Even copying (for the most part, obviously the IPs are different) what you have here I get nowhere. When i run a ping from the router, sourced to the ethernet port, everything is fine. Response times are around 80-85ms. However if I ping them from my desktop the times are all over the place; some going through at 80ms like from the router, and some timing out entirely even with the timeout set to 20,000. I’ve had my ISP’s techs working on it, and been working at it myself, for the past 3 days to no avail and am about to pull my hair out… any suggestions (other than a nice wig company)?
June 1st, 2011 at 3:59 pm
Denny,
It sounds like you do not have a vpn module in the 2650. Can you post the output of ‘show version’ and ‘show diag’?
Josh
June 2nd, 2011 at 7:10 am
Sure… the VPN module was on the old 2650, and worked fine. it’s the new 2901 that’s killing me. here are the outputs from the 2901.
Version:
Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.0(1)M5, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Wed 23-Feb-11 15:41 by prod_rel_team
ROM: System Bootstrap, Version 15.0(1r)M9, RELEASE SOFTWARE (fc1)
router uptime is 19 hours, 19 minutes
System returned to ROM by power-on
System image file is “flash0:c2900-universalk9-mz.SPA.150-1.M5.bin”
Last reload type: Normal Reload
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
Cisco CISCO2901/K9 (revision 1.0) with 483328K/40960K bytes of memory.
Processor board ID FTX151703TR
2 Gigabit Ethernet interfaces
2 Serial interfaces
2 Channelized T1/PRI ports
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
255K bytes of non-volatile configuration memory.
254464K bytes of ATA System CompactFlash 0 (Read/Write)
License Info:
License UDI:
-------------------------------------------------
Device# PID SN
-------------------------------------------------
*0 CISCO2901/K9 FTX151703TR
Technology Package License Information for Module:'c2900'
----------------------------------------------------------------
Technology Technology-package Technology-package
Current Type Next reboot
-----------------------------------------------------------------
ipbase ipbasek9 Permanent ipbasek9
security securityk9 Evaluation securityk9
uc None None None
data None None None
Configuration register is 0x2102
Diag:
Slot 0:
C2901 Mother board 2GE, integrated VPN and 4W Port adapter, 4 ports
Port adapter is analyzed
Port adapter insertion time 19:19:46 ago
EEPROM contents at hardware discovery:
PCB Serial Number : FOC15115W40
Hardware Revision : 1.0
Part Number : 73-11834-06
Top Assy. Part Number : 800-30795-02
Board Revision : E0
Deviation Number : 113332
Fab Version : 03
Product (FRU) Number : CISCO2901/K9
Version Identifier : V02
CLEI Code : CMMBN00ARA
Processor type : C1
Chassis Serial Number : FTX151703TR
Chassis MAC Address : 6400.f1a5.aa48
MAC Address block size : 72
Manufacturing Test Data : 00 00 00 00 00 00 00 00
EEPROM format version 4
EEPROM contents (hex):
WIC Slot 0:
VWIC2-2MFT-T1/E1 – 2-Port RJ-48 Multiflex Trunk – T1/E1
Hardware Revision : 0.0
Top Assy. Part Number : 800-22629-05
Board Revision : C0
Deviation Number : 0
Fab Version : 04
PCB Serial Number : FOC15142CF2
RMA Test History : 00
RMA Number : 0-0-0-0
RMA History : 00
Product (FRU) Number : VWIC2-2MFT-T1/E1
Version Identifier : V01
EEPROM format version 4
EEPROM contents (hex):
June 2nd, 2011 at 7:11 am
and from the 2650.
Version:
Cisco Internetwork Operating System Software
IOS (tm) C2600 Software (C2600-IK9O3S3-M), Version 12.3(19), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2006 by cisco Systems, Inc.
Compiled Fri 12-May-06 04:14 by evmiller
Image text-base: 0x80008098, data-base: 0x81A0C1A4
ROM: System Bootstrap, Version 12.1(3r)T2, RELEASE SOFTWARE (fc1)
ROM: C2600 Software (C2600-IK9O3S3-M), Version 12.3(19), RELEASE SOFTWARE (fc2)
sky2650 uptime is 18 hours, 15 minutes
System returned to ROM by power-on
System image file is “flash:c2600-ik9o3s3-mz.123-19.bin”
This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.
A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
If you require further assistance please contact us by sending email to
export@cisco.com.
cisco 2650 (MPC860P) processor (revision 0x200) with 111616K/19456K bytes of memory.
Processor board ID JAB05380878 (4003562465)
M860 processor: part number 5, mask 2
Bridging software.
X.25 software, Version 3.0.0.
1 FastEthernet/IEEE 802.3 interface(s)
2 Serial network interface(s)
32K bytes of non-volatile configuration memory.
32768K bytes of processor board System flash (Read/Write)
Configuration register is 0x2102
Diag:
Slot 0:
C2650 1FE Mainboard Port adapter, 3 ports
Port adapter is analyzed
Port adapter insertion time unknown
EEPROM contents at hardware discovery:
Hardware Revision : 2.0
PCB Serial Number : JAB05380878 (4003562465)
Part Number : 73-5024-04
RMA History : 00
RMA Number : 0-0-0-0
Board Revision : B0
Deviation Number : 0-0
Product (FRU) Number : C2600M-1FE
EEPROM format version 4
EEPROM contents (hex):
WIC Slot 0:
FT1 BT8360
Hardware revision 1.3 Board revision B0
Serial number 25333331 Part number 800-03279-04
FRU Part Number WIC-1DSU-T1=
Test history 0x0 RMA number 00-00-00
Connector type Wan Module
EEPROM format version 2
EEPROM contents (hex):
0×20: 02 11 01 03 01 82 8E 53 50 0C CF 04 00 00 00 00
0×30: 58 00 00 00 01 07 01 01 FF FF FF FF FF FF FF FF
WIC Slot 1:
FT1 BT8360
Hardware revision 1.3 Board revision C0
Serial number 14664217 Part number 800-03279-03
FRU Part Number WIC-1DSU-T1=
Test history 0x0 RMA number 00-00-00
Connector type Wan Module
EEPROM format version 2
EEPROM contents (hex):
0×20: 02 11 01 03 00 DF C2 19 50 0C CF 03 00 00 00 00
0×30: 60 00 00 00 99 07 02 01 FF FF FF FF FF FF FF FF
June 2nd, 2011 at 7:28 am
http://img834.imageshack.us/img834/9711/vpnhn.jpg
Here is a diagram of how our VPN is laid out.
June 2nd, 2011 at 7:39 am
whoa… just made some progress. figured out it was only from machines which had a static public NAT’d IP that the error is happening.
June 2nd, 2011 at 9:34 am
ok… i got it working. my nat entries needed the ” route-map POLICY-NAT extendable” part… talk about a pain, i have over 120 NAT entries.
however… NOW my DNS servers (the ones that face the internet for our websites) won’t work. WTH?!
October 24th, 2011 at 1:32 pm
How would you modify this for DDNS routers?
February 21st, 2012 at 5:38 am
Hi,
I just wanted to ask you something irrelevant.
Have you ever used the Cisco Easy VPN client feature on routers? if you had to choose between the two methods for connecting two sites which one would you choose?
Thank you!
November 27th, 2012 at 9:29 pm
Great video… looking for some security videos w.r.t VAPT..
thanks,
Ismail