07-25-2013 03:22 AM
07-25-2013 03:41 AM
The following document should be able to help you set it up.
07-29-2013 06:14 PM
Hi,
I have done the configuration and it seems like the session is also established. However, client computers cannot reach the servers on the other side. What am I missing here? Is it something to do with the cellular interface?
Interface: Dialer1 Cellular0
Profile: ISAKMP_PROF
Session status: UP-ACTIVE
Peer: <PaloAlto IP> port 500
IKEv1 SA: local 10.249.207.85/500 remote <PaloAlto IP>/500 Active
IPSEC FLOW: permit ip 10.20.1.0/255.255.255.0 10.3.0.0/255.255.0.0
Active SAs: 2, origin: crypto map
CISCO Config.
Router#sh run
Building configuration...
Current configuration : 2934 bytes
!
! Last configuration change at 00:59:39 UTC Tue Jul 30 2013
version 15.1
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
!
crypto pki token default removal timeout 0
!
!
no ip source-route
!
!
!
ip dhcp excluded-address 10.20.1.1 10.20.1.10
!
ip dhcp pool DHCP_POOL
network 10.20.1.0 255.255.255.0
default-router 10.20.1.1
dns-server 10.3.2.117 10.20.1.1
!
!
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
chat-script gsm "" "AT!SCACT=1,4" TIMEOUT 60 "OK" CONNECT
license udi pid C887VAG+7-K9 sn FGL1710248X
!
!
!
!
!
!
controller VDSL 0
!
controller Cellular 0
!
!
crypto keyring KEYR1
pre-shared-key address <PaloAlto IP> key <Password>
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key <Password> address <PaloAlto IP> no-xauth
crypto isakmp profile ISAKMP_PROF
keyring KEYR1
self-identity user-fqdn <email address>
match identity address <PaloAlto IP> 255.255.255.255
initiate mode aggressive
!
!
crypto ipsec transform-set PaloAlto esp-3des esp-sha-hmac
!
crypto map PaloAlto 10 ipsec-isakmp
set peer <PaloAlto IP>
set security-association lifetime seconds 86400
set transform-set PaloAlto
set pfs group2
set isakmp-profile ISAKMP_PROF
match address IPSEC
!
!
!
!
!
interface Ethernet0
no ip address
shutdown
!
interface ATM0
no ip address
shutdown
no atm ilmi-keepalive
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Cellular0
no ip address
ip nat outside
ip virtual-reassembly in
encapsulation slip
load-interval 60
dialer in-band
dialer pool-member 1
dialer-group 1
async mode interactive
crypto map PaloAlto
!
interface Vlan1
ip address 10.20.1.1 255.255.255.0
ip virtual-reassembly in
no ip route-cache cef
!
interface Dialer0
no ip address
!
interface Dialer1
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip virtual-reassembly in
encapsulation slip
dialer pool 1
dialer idle-timeout 0
dialer string gsm
dialer persistent
dialer-group 1
crypto map PaloAlto
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source list NAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip access-list extended IPSEC
permit ip 10.20.1.0 0.0.0.255 10.3.0.0 0.0.255.255
ip access-list extended NAT
deny ip 10.20.1.0 0.0.0.255 10.3.0.0 0.0.255.255
permit ip 10.20.1.0 0.0.0.255 any
!
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 3
exec-timeout 0 0
script dialer gsm
modem InOut
no exec
transport input all
rxspeed 21600000
txspeed 5760000
line vty 0 4
login
transport input all
!
end
Router#