1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Lan to Lan Connection Using IPSec

Discussion in 'Routing & Switching' started by Robt800, Apr 27, 2011.

  1. Robt800

    Robt800 Bit Poster

    21
    0
    2
    View attachment spoke_configv2.doc View attachment SysGate_Router_Config110420v2.doc

    Hi,

    I'm trying to create a secure tunnel between our office & my home. The aim being that if I ping a 192.168.100.x number (the office), then it works, even if I'm sat on my 192.168.3.x number at home.

    I've followed a cisco document on how to create this and have come up against a slight issue. If I apply this to my interface (BVI1) I can't get on the internet on the same interface. The BVI is the bridge between the lan ports & the wireless. I would like the wireless to be able to access the internet or the office router. I am quite a novice so any help would be appreciated.

    I've attached my configs for anyone to check against & make sure I haven't done other bits wrong.

    Thanks for looking

    Rob
     
  2. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    if you take a look at the attached config then you should be able to figure out where you are going wrong......

    The document has a quick draw up on the config for one router that i currently use with a few bits ommitted (not needed). The VPN works a treat and so does the internet.

    Take a look and see if it helps, if not then let me know what routers you have and i will try to create a config for you......this will be last resort as im a firm believer in trying first! :D

    Good luck!
    Jon
     

    Attached Files:

    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  3. keconnect sparky

    keconnect sparky Nibble Poster

    78
    5
    34
    Basically what jonny7_2002 has said...

    So it looks to me like your trying to implement a Site-2-Site VPN, i have this setup to my brothers router so i can vnc/remote desktop from my private subnet 10.14.0.x to his private subnet 192.168.1.x without having to worry about security or public IPs and port forwarding, poking holes in firewalls etc etc,

    So basically what you need to bring up the IPSEC tunnel (IKE Phase 2) is the following information;
    # Remote IP or Hostname (most commonly IP)
    # Key distribution method (level of diffie hellman)
    # Authentication method (pre-shared keys or certificates)
    # Encryption Algorithm ( what size and strength of symmetric encryption to use for IKE Phase 1 tunnel)
    # Hash Algorithm (MD5 or SHA-1 - hashing is making sure that the data within the packet does not change/is tampered with from start to finish)
    # Lifetime (How long does the tunnel live for)

    In order for the Tunnel to work, the key is symmetry, everything has to match either side, so router A has have the same policy as router B, so for the VPN below i have used;

    Encryption: AES-128bit
    Hashing: SHA-1
    Authentication: Pre-Shared
    DH level: 2
    Lifetime: 86,400 (24 hours, but the config takes it in seconds)

    So this is the information i have used in a policy on both sides of the router, you can have multiple policies ...because the router will work its way down the list of policies until it finds a match, if it does not find a match the tunnel will not be brought up (so hence the bit about matching above is CRUCIAL)

    Now we know what we want to use we need to map out how we want to secure the IPSEC tunnel (IKE Phase 2) It is abit like FTP, in how their is a port for the connection plane (TCP Port 20), then one for the data (TCP Port 21) anyways ...

    This is done with the follow;
    # Transform Set (Level of encryption and hashing - AES and DES etc)
    # Peer Information (Remote IP)
    # Interesting traffic designation (What needs to be encrypted)

    I have used the following Encryption and Hashing (which is pretty secure, better than the default policy, and is a good compromise between speed and security):

    Encryption: ESP-AES
    Hashing: ESP-SHA-HMAC

    So bearing in mind the above, these are the parts of my config of interest:

    !
    !
    crypto isakmp policy 10
    encr aes
    authentication pre-share (im using pre-shared keys not certificates)
    group 2
    crypto isakmp key example address 92.29.1x6.xx (Public IP of remote router, example is the Pre-Shared key you would use for authentication, this needs to match on both sides, so example could be cisco or whatever u like)
    !
    !
    crypto ipsec transform-set BRUVVPN esp-aes esp-sha-hmac (my transform set is called BRUVVPN, so i no what the hell it is in the config)
    !
    crypto map S2S-VPN 100 ipsec-isakmp (try and name the map something meaningful, this is short for Site-2-Site)
    description Tunnel to 92.29.116.xx (Public IP of remote router)
    set peer 92.29.1x6.xx (Public IP of remote router)
    set transform-set BRUVVPN (name of the transform as defined above)
    match address S2S-VPN-TRAFFIC (Interesting traffic designation)
    !
    !
    !

    We then need to place the crypto map to an interface;

    interface Dialer0
    description ==-WAN-==
    ip address negotiated
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip mtu 1492
    ip flow ingress
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    no ip route-cache cef
    ip route-cache flow
    no ip mroute-cache
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication chap pap callin
    ppp chap hostname MYADSL USERNAME
    ppp chap password 7 MY ADSL PASSWORD
    ppp pap sent-username MYADSL USERNAME password 7 MY ADSL PASSWORD
    crypto map S2S-VPN - HERE IT IS, this name is the name of the crypto map


    Now we need to setup NAT as you normally would, but instead of an access-list we use a route map;

    ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

    The route map above used for NAT is below;
    !
    !
    route-map SDM_RMAP_1 permit 1
    match ip address NAT (So i have an access list that is called NAT as shown below)
    !
    !

    here are the access-lists needed for the routemap/nat;

    ip access-list extended NAT
    deny ip 10.14.0.0 0.0.0.255 192.168.1.0 0.0.0.255 (this is my local subnet - source, going to a destination of my brothers local subnet, dont want this NAT'ed)
    permit ip 10.14.0.0 0.0.255.255 any (now i need to NAT the rest of my local subnet so i can access the internet!)


    This is the "interesting traffic i mentioned early in an access list" so it is allowing my local subnet to my brothers.

    ip access-list extended S2S-VPN-TRAFFIC
    permit ip 10.14.0.0 0.0.0.255 192.168.1.0 0.0.0.255


    Now the configure on the other router needs to match this, but you need to swap a few bits over, such as the source and destination parts on the access-lists.

    so u should end up with something like;

    2621XM-A#show crypto map
    Crypto Map "S2S-VPN" 100 ipsec-isakmp
    Description: Tunnel to 92.29.1x6.xx
    Peer = 92.29.1x6.xx
    Extended IP access list S2S-VPN-TRAFFIC
    access-list S2S-VPN-TRAFFIC permit ip 10.14.0.0 0.0.0.255 192.168.1.0 0.0.0.255
    Current peer: 92.29.1x6.xx
    Security association lifetime: 4608000 kilobytes/3600 seconds
    PFS (Y/N): N
    Transform sets={
    BRUVVPN,
    }
    Interfaces using crypto map S2S-VPN:
    Virtual-Access2
    Dialer0


    now you need to bring the VPN as it is currently down, so send a ping across from your local subnet to your office, but remember to change the ping source to your local subnet (otherwise it will be NAT'ed and wont come from a source of your local network, but will be public IP and the tunnel wont come up) see below;

    2621XM-A#ping 192.168.1.1 source fa0/0

    Type escape sequence to abort.
    Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
    Packet sent with a source address of 10.14.0.1 (the packet is NOT NAT'ed)
    .!!!!
    Success rate is 80 percent (4/5) (remember you need to allow for ARP, hence the one lost packet), round-trip min/avg/max = 88/92/104 ms

    So now the tunnel is up, check it with;

    2621XM-A#show crypto isakmp sa
    IPv4 Crypto ISAKMP SA
    dst src state conn-id slot status
    92.29.1x6.xx 109.170.1x7.xx QM_IDLE 1004 0 ACTIVE

    IPv6 Crypto ISAKMP SA

    Woolia, all good in the hood! hope that makes sense
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
  4. Robt800

    Robt800 Bit Poster

    21
    0
    2
    Thanks a lot for the responses

    worked my way through keconnect sparky example it & couldn't get it quite right (but at least i could still get on the net!) - so I wondered whats the easiest way to trouble shoot this?

    Also once I get this going - my home ip isn't static & would like to alter the config on the work one to be more dynamic

    Thanks a lot for the help - I really do appreciate it

    Rob
     
  5. keconnect sparky

    keconnect sparky Nibble Poster

    78
    5
    34
    Glad ur getting somewhere Robt800,

    Could you show me the output of these commands on both the home and office routers;
    show crypto map
    show ip access-lists
    show run | s crypto

    Thats how i would troubleshoot it, it mainly comes down to making sure the configs are identical (well, to some degree...all it takes is a wrong wildcard mask in an access-list or an interface not assigned to a crypto map...)
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
  6. Robt800

    Robt800 Bit Poster

    21
    0
    2
    View attachment spoke110504.doc View attachment SysGate110504.doc

    Hi,

    I've had a look through the outputs & corrected some minor probs - but still having some issues pinging the office (& remembering to put the source address on).

    If you wouldn't mind having a look for me

    Thanks a lot

    Rob

    edit: just noticed an old crypto cisco123 - could the router be scanning & trying to use this one first?
     
    Last edited: May 4, 2011
  7. keconnect sparky

    keconnect sparky Nibble Poster

    78
    5
    34
    The only way the router would use an old policy is if the policy number was lower (lower the better) i presume we are talking about isakkmp policies, ie;

    crypto isakmp policy 10 would be used to bring up the first part of the isakmp tunnel with the other router first over say crypto isakmp policy 50, but if the router could not find a match on the other router it would then try using policy 50 .....

    Are you sure the host(s) you are pinging on the other side are set to reply to icmp? i.e the local firewall is not blocking it?

    if you run

    #show crypto isakmp sa

    this will show you if the tunnel is up (but you will need to send traffic to the other side first, to trigger the VPN...)
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
  8. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    post both your configs again......
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  9. Robt800

    Robt800 Bit Poster

    21
    0
    2
    Hi guys,

    Sorry for the delay in coming back (hate being slow to reply when people are taking the time to help me out) - just been really busy at work with a new client.

    Can't get to my router at the min - but will check a few things tomorrow (I think the office one does block icmp - as I'm sure I can't ping servers from the outside, but can rdc onto them)

    I'll also post the full configs as now

    Thanks

    Rob
     
  10. Robt800

    Robt800 Bit Poster

    21
    0
    2
  11. keconnect sparky

    keconnect sparky Nibble Poster

    78
    5
    34
    Okay, so the VPN tunnel is still not up, looks like you got a few issues in the two configs, only small minor errors, see below;

    remove these lines from sysgate110507.doc config

    crypto keyring spokes
    pre-shared-key address 0.0.0.0 0.0.0.0 key cisco123

    ip nat source list 1 interface FastEthernet0/1

    add this line (which is the PSK for the two routers, this needs to be the same on the other side, except the peer address)
    crypto isakmp key (a key of your choice) address (IP of the other router)


    This part of the config needs to change from:

    ip nat inside source route-map RMP_1 interface Dialer0 overload

    to

    ip nat inside source route-map RMAP_1 interface Dialer0 overload


    Now the other router, On router in config doc spoke110507 remove line;

    ip nat inside source list 1 interface Dialer0 overload


    now add the PSK line as you did on the other router;
    crypto isakmp key (the same key you choose on the other router) address (IP of the other router)


    that should do it, the ping in my example, was just some traffic to fire the VPN connection up thats all (as its quick/simple and i know my hosts respond to IMCP), in your case it could be an RDP session or anything you like......
     
    Certifications: MCP, CCENT, CCNA, CCNA-S
    WIP: CCNP (ROUTE)
  12. Robt800

    Robt800 Bit Poster

    21
    0
    2
    Well thanks to all the help I seem to be making progress!

    I think the tunnel is working, because when I run the:
    show crypto isakmp sa

    I get details of the tunnel & the fact that it is active. (but interestingly shows deleted in brackets next to the active column?)

    However I still can't rdp onto any of the usual servers. I presume this is a firewall as port 3389 is defined as user protocol 2. I've tried changing some of the policy maps that include the user protocol 2 from inspect to allow, but this hasn't sorted it yet.

    I plan on having another look at this tomorrow night with a clear head!

    Thanks

    Rob
     
  13. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Post your config mate and when I get 5 minutes I will tell you where the problem is.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  14. Robt800

    Robt800 Bit Poster

    21
    0
    2
    Config is attached

    Cheers

    Rob
    View attachment sysgate110511.doc
     
  15. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    OK mate, first of all lets strip your config back to basics, don't use the SDM Firewall as it can play havoc with traffic passing across a VPN tunnel and in this instance, lets get it working then apply firewall rules afterwards.

    Config is below, I have changed your encryption to 3DES SHA, so you will need to do the same the other end, you had dynamic VPN policies being applied as well and no acces lists on the outside interface. I have tidied this up, it should all make sense

    Edit: The NAT Policies and the ACL outside-in allow you to access the RDP and other services behind this router.

    Current configuration : 4354 bytes
    !
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname SysGate
    !
    boot-start-marker
    boot-end-marker
    !
    logging buffered 51200 warnings
    enable secret 5 $1$y9A/$zxuPun550Xm2d8cYTxbpH.
    !
    aaa new-model
    !
    !
    !
    !
    aaa session-id common
    !
    crypto pki trustpoint TP-self-signed-1700639775
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-1700639775
    revocation-check none
    rsakeypair TP-self-signed-1700639775
    !
    !
    crypto pki certificate chain TP-self-signed-1700639775
    certificate self-signed 01
    3082024F 308201B8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 31373030 36333937 3735301E 170D3032 30333031 30303037
    30335A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 37303036
    33393737 3530819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100AA5C 8DE8734F 0F0BC288 4852B19D 64DEAA6B 6CFC6301 6466B152 E0952B20
    7DDC5382 4B38551A D5F275FF C44EBD45 E84C3D31 4BED11BD 699515FF 82D9FF5A
    1160854C 3448A49B 93992C2B 6C1B66B4 F53EB315 F69F3A56 240BBC2E 150AF6BE
    78CBAC50 94DD5886 E8159511 5EC26B77 3E37727A 0F75189B C9475EC3 B00A078C
    97450203 010001A3 77307530 0F060355 1D130101 FF040530 030101FF 30220603
    551D1104 1B301982 17796F75 726E616D 652E796F 7572646F 6D61696E 2E636F6D
    301F0603 551D2304 18301680 143E1BD5 547FF670 50378120 6B18773E 93DE9398
    28301D06 03551D0E 04160414 3E1BD554 7FF67050 3781206B 18773E93 DE939828
    300D0609 2A864886 F70D0101 04050003 8181000A AB5AA14A D6AB637C AE2EB022
    8066F0A9 072003B8 FBBB3323 FD6F4D94 64CE0416 46AD3058 8FACE0EA 278A5360
    0CCDE6EC 10FC403E B4E0DE03 56623A47 B8DA1DC5 41A0FC70 52F15CE0 D3B3BACD
    FB5098E7 8FC39EDB 2A049076 7A0F1E9D 1850FB01 2DA9DC33 D6BB583C 9A857C2C
    EC43E90A 592B7939 38275663 E8D7CA94 14775B
    quit
    dot11 syslog
    ip cef
    no ip dhcp use vrf connected
    !

    !
    !
    no ip domain lookup
    ip domain name SysServers.local
    !
    !
    !
    username admin privilege 15 secret 5 $1$uOuY$w7wuCGXV9Saio7xLLEhbc1
    !
    !
    crypto isakmp policy 10
    hash sha
    authentication pre-share
    group 2
    crypto isakmp key password address IPAddress no-xauth
    !
    !
    crypto ipsec transform-set Myset esp-3des esp-sha-hmac
    !
    crypto map s2s-vpn 10 ipsec-isakmp
    set peer IP Address
    set transform-set Myset
    match address s2svpn
    !
    archive
    log config
    hidekeys
    !
    !
    !
    !
    !
    interface ATM0
    no ip address
    atm vc-per-vp 64
    no atm ilmi-keepalive
    pvc 0/38
    encapsulation aal5mux ppp dialer
    dialer pool-member 1
    !
    dsl operating-mode auto
    !
    interface FastEthernet0
    !
    interface FastEthernet1
    !
    interface FastEthernet2
    !
    interface FastEthernet3
    !
    interface Vlan1
    description LAN
    ip address 192.168.100.1
    ip access-group lantraffic in
    ip nat inside
    ip virtual-reassembly
    ip tcp adjust-mss 1452
    !
    interface Dialer1
    ip address negotiated
    ip access-group outside-in in
    ip nat outside
    ip virtual-reassembly
    encapsulation ppp
    dialer pool 1
    dialer-group 1
    no cdp enable
    ppp authentication pap chap callin
    ppp chap hostname Userid@hg70.btclick.com
    ppp chap password 7 ISP Password
    crypto map s2s-vpn
    !
    ip forward-protocol nd
    ip route 0.0.0.0 0.0.0.0 Dialer1
    !
    no ip http server
    no ip http secure-server
    ip nat inside source list nat interface Dialer1 overload
    ip nat inside source static tcp 192.168.100.234 3389 3389 IP Address 3389 extendable
    ip nat inside source static tcp 192.168.100.242 10783 IP Address 10783 extendable
    ip nat inside source static tcp 192.168.100.242 12373 IP Address 12373 extendable
    ip nat inside source static tcp 192.168.100.244 21 IP Address 21 extendable
    ip nat inside source static tcp 192.168.100.243 21 IP Address 21 extendable
    !
    ip access-list extended lantraffic
    permit ip any any
    ip access-list extended nat
    deny ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
    permit ip 192.168.100.0 0.0.0.255 any
    ip access-list extended s2svpn
    permit ip 192.168.100.0 0.0.0.255 192.168.3.0 0.0.0.255
    ip access-list extended outside-in
    permit icmp any any
    permit tcp any eq 3389 host 192.168.100.234 eq 3389
    permit tcp any eq 10783 host 192.168.100.232 eq 10783
    permit tcp any eq 12373 host 192.168.100.242 eq 12373
    permit tcp any eq 21 host 192.168.100.244 eq 21
    permit tcp any eq 21 host 192.168.100.243 eq 21
    permit ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
    !
    no cdp run
    !
    !
    !
    control-plane
    !
    banner motd ^C ##### No Unauthorised Access ##### ^C
    !
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    privilege level 15
    password 7 Password
    transport input ssh
    !
    scheduler max-task-time 5000
    end
     
    Last edited: May 12, 2011
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  16. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    On another note, you could just use tunnel interfaces......? I find using these is easier and is more logical in my head :rolleyes:

    Attached a 2 minute design diagram... sysgatespoke.jpg

    On the SysGate router.......

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set T1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile P1
    set transform-set T1
    !
    interface Tunnel0
    description VPN_TO_SPOKE
    ip address 192.168.0.1 255.255.255.252
    tunnel source Dialer1
    tunnel destination <SPOKE PUBLIC IP>
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile P1
    !
    ip route 192.168.1.0 255.255.255.0 Tunnel0

    On the Spoke router.......

    crypto isakmp policy 1
    encr 3des
    authentication pre-share
    group 2
    crypto isakmp key cisco address 0.0.0.0 0.0.0.0
    !
    !
    crypto ipsec transform-set T1 esp-3des esp-sha-hmac
    !
    crypto ipsec profile P1
    set transform-set T1
    !
    interface Tunnel0
    description VPN_TO_SYSGATE
    ip address 192.168.0.2 255.255.255.252
    tunnel source Dialer1
    tunnel destination <SYSGATE PUBLIC IP>
    tunnel mode ipsec ipv4
    tunnel protection ipsec profile P1
    ip route 192.168.100.0 255.255.255.0 Tunnel0

    If you want a basic firewall .......
    You could put this on both routers and ammend it to any specific needs of the site.....

    ip access-list extended BLOCK_ALL
    permit ip host <REMOTE ROUTER PUBLIC IP> any
    permit icmp any any echo-reply
    permit icmp any any time-exceeded
    permit icmp any any unreachable
    deny ip 172.16.0.0 0.15.255.255 any
    deny ip 10.0.0.0 0.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip host 255.255.255.255 any
    deny ip host 0.0.0.0 any

    ip inspect name DIALER_OUT cuseeme
    ip inspect name DIALER_OUT ftp
    ip inspect name DIALER_OUT h323
    ip inspect name DIALER_OUT icmp
    ip inspect name DIALER_OUT netshow
    ip inspect name DIALER_OUT rcmd
    ip inspect name DIALER_OUT realaudio
    ip inspect name DIALER_OUT rtsp
    ip inspect name DIALER_OUT esmtp
    ip inspect name DIALER_OUT sqlnet
    ip inspect name DIALER_OUT streamworks
    ip inspect name DIALER_OUT tftp
    ip inspect name DIALER_OUT tcp router-traffic
    ip inspect name DIALER_OUT udp router-traffic timeout 300
    ip inspect name DIALER_OUT vdolive
    ip inspect name DIALER_OUT dns

    interface Dialer1
    ip access-group BLOCK_ALL in
    ip inspect DIALER_OUT out

    Hope this doesnt confuse matters too much! :biggrin

    Cheers
    Jon
     
    Last edited: May 13, 2011
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  17. Robt800

    Robt800 Bit Poster

    21
    0
    2
    Well thanks a lot for all the help.

    Spoke to the boss & he wasn't too keen on me stripping out the firewall. So he gave me an 1800 series router to configure as the new replacement that we can test with & get spot on before replacing the existing one.

    Doddle I thought! Trying to get the existing config onto the new test router, but there is no atm interface. Searched the internet, but cant find any answers?

    Would somebody mind explaining it to me? All this is spot on learning & I do appreciate all the help

    Rob
     
  18. jonny7_2002

    jonny7_2002 Byte Poster

    191
    9
    37
    Is there a physical DSL interface??
    if you type "show ip int brie" or "show int" what does it show?
     
    Certifications: CCNA R&S, CCNP R&S, CCDA, CCNA Voice, CCNA Wireless & CCNA Security
    WIP: CCIE V5 (when its out)
  19. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Yep as Jonny7 mentions if might not have the HWIC ADSL Card.

    One of my colleagues recently implemented a Site to Site VPN using a Cisco 877 and using the SDM to put in place the Firewall on the low setting, it blocked AD replication!
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  20. Robt800

    Robt800 Bit Poster

    21
    0
    2
    View attachment interface.doc
    Attached is the show ip interface brief.

    If this wont work with adsl, would somebody mind explaining why - just to help further my understanding

    Thanks a lot
     

Share This Page

Loading...