IPSEC VPN with a CISCO 880 series router Dynamic IP

Shayan — Thu, 25 Jul 2013 10:22:57 GMT

Has anyone setup a IPSEC VPN with a CISCO 880 series router Dynamic IP?

Re: IPSEC VPN with a CISCO 880 series router Dynamic IP

Chatri — Thu, 25 Jul 2013 10:41:11 GMT

Following document should be able to help you set it up.

https://live.paloaltonetworks.com/docs/DOC-4791

Re: IPSEC VPN with a CISCO 880 series router Dynamic IP

Shayan — Tue, 30 Jul 2013 01:14:21 GMT

Hi,

I have done the configuration and it seems like the session is also established. However, client computers cannot reach the servers on the other side. What i'm I missing here. Is it somthing to do with the cellular interface?

Interface: Dialer1 Cellular0

Profile: ISAKMP_PROF

Session status: UP-ACTIVE

Peer: <PaloAlto IP> port 500

IKEv1 SA: local 10.249.207.85/500 remote <PaloAlto IP>/500 Active

IPSEC FLOW: permit ip 10.20.1.0/255.255.255.0 10.3.0.0/255.255.0.0

Active SAs: 2, origin: crypto map

CISCO Config.

Router#sh run
Building configuration...

Current configuration : 2934 bytes
!
! Last configuration change at 00:59:39 UTC Tue Jul 30 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.20.1.1 10.20.1.10
!
ip dhcp pool DHCP_POOL
network 10.20.1.0 255.255.255.0
default-router 10.20.1.1
dns-server 10.3.2.117 10.20.1.1
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script gsm "" "AT!SCACT=1,4" TIMEOUT 60 "OK" CONNECT
license udi pid C887VAG+7-K9 sn FGL1710248X
!
!
!
!
!
!
controller VDSL 0
!
controller Cellular 0
!
!
crypto keyring KEYR1
pre-shared-key address <PaloAlto IP> key <Password>
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <Password> address <PaloAlto IP> no-xauth
crypto isakmp profile ISAKMP_PROF
   keyring KEYR1
   self-identity user-fqdn <email address>
   match identity address <PaloAlto IP> 255.255.255.255
   initiate mode aggressive
!
!
crypto ipsec transform-set PaloAlto esp-3des esp-sha-hmac
!
crypto map PaloAlto 10 ipsec-isakmp
set peer <PaloAlto IP>
set security-association lifetime seconds 86400
set transform-set PaloAlto
set pfs group2
set isakmp-profile ISAKMP_PROF
match address IPSEC
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Cellular0
no ip address
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 60
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
crypto map PaloAlto
!
interface Vlan1
ip address 10.20.1.1 255.255.255.0
ip virtual-reassembly in
no ip route-cache cef
!
interface Dialer0
no ip address
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer pool 1
dialer idle-timeout 0
dialer string gsm
dialer persistent
dialer-group 1
crypto map PaloAlto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended IPSEC
permit ip 10.20.1.0 0.0.0.255 10.3.0.0 0.0.255.255
ip access-list extended NAT
deny   ip 10.20.1.0 0.0.0.255 10.3.0.0 0.0.255.255
permit ip 10.20.1.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 3
exec-timeout 0 0
script dialer gsm
modem InOut
no exec
transport input all
rxspeed 21600000
txspeed 5760000
line vty 0 4
login
transport input all
!
end

Router#

topic Re: IPSEC VPN with a CISCO 880 series router Dynamic IP in General Topics

IPSEC VPN with a CISCO 880 series router Dynamic IP

Re: IPSEC VPN with a CISCO 880 series router Dynamic IP

Re: IPSEC VPN with a CISCO 880 series router Dynamic IP