Month: December 2012

How to configure a Cisco Router to connect to Cisco VPN Client in a NAT Environment



! --- AAA: local user database for XAUTH (user login) and group authorization ---
aaa new-model
aaa authentication login VPN-VPN local
aaa authentication login sslvpn local
aaa authorization network GROUP-VPN local
!
! Demo credential: change it. "secret" stores a hash rather than the clear text.
! The group pre-shared key further down is different: it stays readable in the
! running-config unless type 6 encryption (password encryption aes) is enabled.
username administrator secret 0 C!sC0123
!
! --- IKE phase 1 ---
! 3DES, MD5 and DH group 2 were common in 2012 but are legacy today; on an IOS that
! supports them, prefer encr aes 256, hash sha256 and group 14 or higher.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
!
crypto isakmp policy 2
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! --- Easy VPN group: the Cisco VPN Client is configured with this group name and key ---
! acl RemoteVPN-ACL is the split-tunnel list pushed to the client: only traffic matching
! it goes through the tunnel. save-password lets the client cache the XAUTH password on
! the PC; remove it if the password should be typed on every connection.
crypto isakmp client configuration group CCLIENT-VPN
 key !9j5D1cretkY
 dns 10.1.10.21 10.1.10.22
 domain dummy.local
 pool RemoteVPN-Pool
 acl RemoteVPN-ACL
 save-password
 max-users 3
 netmask 255.255.255.0
!
! --- ISAKMP profile: ties the group to XAUTH, authorization and the virtual template ---
crypto isakmp profile vpn-ike-profile-1
 match identity group CCLIENT-VPN
 client authentication list VPN-VPN
 isakmp authorization list GROUP-VPN
 client configuration address respond
 virtual-template 2
!
! --- IPsec phase 2 ---
crypto ipsec transform-set encrypt-method-2 esp-aes 256 esp-sha-hmac comp-lzs
!
crypto ipsec profile VPN-Profile-1
 set transform-set encrypt-method-2
!
! Loopback that owns the VPN pool's subnet; the per-client virtual-access interfaces
! borrow its address.
interface Loopback0
 ip address 10.1.120.254 255.255.255.0
!
! Internet-facing subinterface (a dot1Q subinterface also needs its encapsulation dot1Q
! <vlan-id> line).
interface GigabitEthernet0/0.100
 description connection to ISP
 ip address 1.1.1.1 255.255.255.0
 ip nat outside
!
! Dynamic virtual template: one Virtual-Access interface is cloned per connected client.
interface Virtual-Template2 type tunnel
 ip unnumbered Loopback0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-Profile-1
!
! Three client addresses, matching max-users 3 above.
ip local pool RemoteVPN-Pool 10.1.120.1 10.1.120.3
!
! PAT for the LAN. The LAN-facing interfaces (the 10.1.x.x networks) need "ip nat inside";
! they are not part of this snippet.
ip nat inside source list NAT-ACL interface GigabitEthernet0/0.100 overload
!
! NAT exemption: LAN-to-VPN-client traffic must NOT be translated, or replies to VPN
! clients would be PATed to the ISP address instead of returning through the tunnel.
! The deny lines must come before the catch-all permit and mirror the split-tunnel ACL.
ip access-list extended NAT-ACL
 remark *** Deny VPN Users ***
 deny ip 10.1.70.0 0.0.0.255 10.1.120.0 0.0.0.255
 deny ip 10.1.10.0 0.0.0.255 10.1.120.0 0.0.0.255
 deny ip host 10.1.50.1 10.1.120.0 0.0.0.255
 deny ip host 10.1.50.2 10.1.120.0 0.0.0.255
 permit ip 10.1.0.0 0.0.255.255 any
!
! Split-tunnel ACL pushed to the client: only these internal networks are reached through
! the tunnel; everything else the client sends leaves its local Internet connection in the
! clear.
ip access-list extended RemoteVPN-ACL
 permit ip host 10.1.50.1 10.1.120.0 0.0.0.255
 permit ip host 10.1.50.2 10.1.120.0 0.0.0.255
 permit ip 10.1.70.0 0.0.0.255 10.1.120.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 10.1.120.0 0.0.0.255
!
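The two ACLs above have to agree: every flow the split-tunnel list sends through the tunnel must hit a deny in NAT-ACL before the catch-all permit, otherwise replies to VPN clients are PATed out the ISP interface and the tunnel silently stops carrying return traffic. The script below is an added example, not part of the original post. It parses IOS extended ACL entries of the form used here (permit/deny ip with host, wildcard or any) and reports how the NAT ACL treats each split-tunnel flow. The ACL text embedded in it is copied from the configuration above; the check_nat_exemption function and its verdict strings are the example's own.

```python
"""Cross-check the NAT exemption ACL against the Easy VPN split-tunnel ACL.

Added example, not from the original post. Every flow the split-tunnel ACL
sends through the tunnel must hit a deny in the NAT ACL before the catch-all
permit; otherwise replies to VPN clients are translated to the ISP address
and never make it back through the tunnel.
"""
import ipaddress

# Constructed input: the two ACLs from the configuration, as running-config text.
NAT_ACL = """
ip access-list extended NAT-ACL
 remark *** Deny VPN Users ***
 deny ip 10.1.70.0 0.0.0.255 10.1.120.0 0.0.0.255
 deny ip 10.1.10.0 0.0.0.255 10.1.120.0 0.0.0.255
 deny ip host 10.1.50.1 10.1.120.0 0.0.0.255
 deny ip host 10.1.50.2 10.1.120.0 0.0.0.255
 permit ip 10.1.0.0 0.0.255.255 any
"""

SPLIT_ACL = """
ip access-list extended RemoteVPN-ACL
 permit ip host 10.1.50.1 10.1.120.0 0.0.0.255
 permit ip host 10.1.50.2 10.1.120.0 0.0.0.255
 permit ip 10.1.70.0 0.0.0.255 10.1.120.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 10.1.120.0 0.0.0.255
"""


def _endpoint(tokens):
    """Consume one ACL endpoint (any | host A.B.C.D | A.B.C.D WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    if tokens[1] == "255.255.255.255":  # wildcard spelling of "any"
        return ipaddress.ip_network("0.0.0.0/0"), tokens[2:]
    # ipaddress reads a mask whose first octet is zero as a host mask, i.e. an IOS wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text):
    """Return [(action, src_net, dst_net)] for the 'permit/deny ip' entries of an extended ACL."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue  # header, remark, blank, or a port-level entry this example does not model
        src, rest = _endpoint(tokens[2:])
        dst, _ = _endpoint(rest)
        entries.append((tokens[0], src, dst))
    return entries


def first_match(acl, src, dst):
    """Action of the first entry whose source and destination fully cover src/dst; None = implicit deny."""
    for action, s, d in acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return None


def check_nat_exemption(nat_text, split_text):
    """For each split-tunnel permit, say how the NAT ACL treats that flow."""
    nat = parse_acl(nat_text)
    verdicts = {}
    for action, src, dst in parse_acl(split_text):
        if action != "permit":
            continue
        hit = first_match(nat, src, dst)
        flow = f"{src} -> {dst}"
        if hit == "deny":
            verdicts[flow] = "exempt"         # not translated, returns through the tunnel
        elif hit == "permit":
            verdicts[flow] = "TRANSLATED"     # PATed to the ISP interface: tunnel traffic breaks
        else:
            verdicts[flow] = "implicit-deny"  # no entry covers it, so not translated either
    return verdicts


if __name__ == "__main__":
    for flow, verdict in check_nat_exemption(NAT_ACL, SPLIT_ACL).items():
        print(f"{verdict:14} {flow}")
```

Run as is it prints four "exempt" lines. Delete one deny from NAT_ACL and the matching flow flips to TRANSLATED, which is exactly the failure the deny entries in NAT-ACL exist to prevent. Paste your own two ACLs into the strings to check a production box; entries with ports or non-contiguous wildcards are skipped rather than modelled.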


How to Configure a Static IP Address via DHCP (Example: Cisco AP)



! Everything in 10.1.60.0/24 except .239-.243 is excluded from dynamic assignment, so apart
! from the five manually bound addresses below the pool AP has nothing left to lease; a
! device that is not in the manual bindings should get no address (check with
! show ip dhcp binding and show ip dhcp pool). The default router .253 sits inside an
! excluded range, as it must.
ip dhcp excluded-address 10.1.60.0 10.1.60.238
ip dhcp excluded-address 10.1.60.244 10.1.60.254
!
! Network-wide options that the access points inherit. lease 30 is 30 days. For
! lightweight 1140-series APs Cisco documents option 43 in the hex TLV form
! (option 43 hex f104<controller-IP-as-hex>); the ascii form is for the older
! Airespace-based models.
ip dhcp pool AP
 network 10.1.60.0 255.255.255.0
 default-router 10.1.60.253
 option 43 ascii XXXX.XXXX.XXXX.XXX
 dns-server XXX.XXX.XX.XXX XXX.XXX.XX.XXX
 domain-name XXX
 lease 30
!
! One manual-binding pool per AP: host <address> </prefix or mask> plus the AP's MAC in
! dotted hex (aaaa.bbbb.cccc). A MAC is not a credential: anything that spoofs it gets
! the same address, so this is inventory management, not access control. If a client
! sends a DHCP client identifier (option 61) and the hardware-address binding is not
! taken, bind it with client-identifier 01<MAC> instead.
ip dhcp pool STATIC_MAPPING_FOR_1141N-05
 host 10.1.60.239 /24
 hardware-address XXXX.XXXX.XXXX
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-04
 host 10.1.60.240 /24
 hardware-address XXXX.XXXX.XXXX
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-03
 host 10.1.60.241 /24
 hardware-address XXXX.XXXX.XXXX
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-02
 host 10.1.60.242 /24
 hardware-address XXXX.XXXX.XXXX
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-01
 host 10.1.60.243 /24
 hardware-address XXXX.XXXX.XXXX
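Static mappings only behave as intended when the excluded-address ranges, the dynamic pool and the manual bindings line up; a static address left inside the dynamic range, or a gateway that is not excluded, shows up as a duplicate-address problem weeks later. The script below is an added example, not from the original post. It parses the DHCP stanzas above (with the XXXX MAC placeholders replaced by constructed locally administered addresses, and the option 43/dns/domain placeholders left out because the parser does not need them) and reports what is excluded, what is manually bound, what remains for dynamic leases, and any bindings outside the network or without a MAC. It assumes, as the IOS server does, that an address with a manual binding is not offered to another client. The parse_dhcp and audit_dhcp functions and the sample MACs are the example's own.

```python
"""Audit an IOS DHCP pool layout: excluded ranges versus manual bindings.

Added example, not from the original post. Parses the excluded-address lines
and the pool stanzas as they appear in a running-config and reports what the
dynamic pool can still lease. Assumes, as the IOS server does, that an address
with a manual binding is never offered to another client.
"""
import ipaddress
import re

# Constructed input: the layout from the post with made-up locally administered MACs.
DHCP_CONFIG = """
ip dhcp excluded-address 10.1.60.0 10.1.60.238
ip dhcp excluded-address 10.1.60.244 10.1.60.254
!
ip dhcp pool AP
 network 10.1.60.0 255.255.255.0
 default-router 10.1.60.253
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-05
 host 10.1.60.239 /24
 hardware-address 0200.0000.0005
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-04
 host 10.1.60.240 /24
 hardware-address 0200.0000.0004
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-03
 host 10.1.60.241 /24
 hardware-address 0200.0000.0003
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-02
 host 10.1.60.242 /24
 hardware-address 0200.0000.0002
!
ip dhcp pool STATIC_MAPPING_FOR_1141N-01
 host 10.1.60.243 /24
 hardware-address 0200.0000.0001
"""


def parse_dhcp(config_text):
    """Return (set of excluded addresses, {pool name: fields}) from DHCP server config text."""
    excluded, pools, current = set(), {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.match(r"ip dhcp excluded-address (\S+)(?: (\S+))?$", line):
            lo = int(ipaddress.ip_address(m.group(1)))
            hi = int(ipaddress.ip_address(m.group(2) or m.group(1)))  # single address if no high end
            excluded.update(ipaddress.ip_address(i) for i in range(lo, hi + 1))
        elif m := re.match(r"ip dhcp pool (\S+)$", line):
            current = pools.setdefault(m.group(1), {})
        elif line == "!" or not line:
            current = None                      # stanza separator
        elif current is None:
            continue                            # not inside a pool
        elif m := re.match(r"network (\S+) (\S+)$", line):
            current["network"] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
        elif m := re.match(r"host (\S+)", line):
            current["host"] = ipaddress.ip_address(m.group(1))
        elif m := re.match(r"(?:hardware-address|client-identifier) (\S+)", line):
            current["mac"] = m.group(1)
        elif m := re.match(r"default-router (\S+)", line):
            current["gateway"] = ipaddress.ip_address(m.group(1))
    return excluded, pools


def audit_dhcp(config_text):
    """Report excluded count, manual bindings, addresses free for dynamic leases and problems."""
    excluded, pools = parse_dhcp(config_text)
    dynamic = [(n, p) for n, p in pools.items() if "network" in p]
    if len(dynamic) != 1:
        raise ValueError("this example expects exactly one network pool")
    name, pool = dynamic[0]
    net = pool["network"]
    bound = {p["host"]: (n, p.get("mac")) for n, p in pools.items() if "host" in p}
    problems = []
    for addr, (pname, mac) in bound.items():
        if addr not in net:
            problems.append(f"{pname}: {addr} is outside {net}")
        if mac is None:
            problems.append(f"{pname}: host {addr} has no hardware-address or client-identifier")
    macs = [mac for _, mac in bound.values() if mac]
    if len(macs) != len(set(macs)):
        problems.append("the same MAC is bound to more than one address")
    gw = pool.get("gateway")
    if gw is not None and gw in net and gw not in excluded and gw not in bound:
        problems.append(f"{name}: default-router {gw} could be leased to a client")
    free = [a for a in net.hosts() if a not in excluded and a not in bound]
    return {
        "network": str(net),
        "excluded": len(excluded),
        "bound": {str(a): mac for a, (_, mac) in bound.items()},
        "free_for_dynamic": [str(a) for a in free],
        "problems": problems,
    }


if __name__ == "__main__":
    report = audit_dhcp(DHCP_CONFIG)
    print(f"{report['network']}: {report['excluded']} excluded, {len(report['bound'])} bound, "
          f"{len(report['free_for_dynamic'])} free for dynamic leases")
    for problem in report["problems"]:
        print("PROBLEM:", problem)
```

With the layout above the report shows five bound addresses and nothing free, which is the point of the two exclusion ranges. Shrink the second range by one address and .244 becomes leaseable to anything on the segment; drop it altogether and the script flags the default router as leaseable.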

How to Block or Limit the use of Bittorrent and P2P using NBAR on Cisco Router



! match-any: a packet matching any one of these NBAR protocols lands in the class.
! NBAR only classifies what its signatures recognise; obfuscated or encrypted BitTorrent
! (MSE/PE) and clients newer than the signatures slip past, so treat this as a speed
! bump, not a guarantee. Note that irc is not P2P: matching it here blocks all IRC,
! legitimate or not.
class-map match-any DenyP2PTraffic
 description Deny Peer To Peer Traffic and Torrent
 match protocol bittorrent
 match protocol edonkey
 match protocol fasttrack
 match protocol gnutella
 match protocol kazaa2
 match protocol winmx
 match protocol directconnect
 match protocol irc
!
! == To block ==
policy-map DenyP2PTraffic
 class DenyP2PTraffic
  drop

! == OR, to limit: same class, a policer instead of drop (remove an existing drop with "no drop") ==
! cir is in bits per second, so 8000 is 8 kbit/s; bc takes the platform default (show policy-map DenyP2PTraffic).
! conform-action must be transmit: with both actions set to drop, every packet is dropped whatever the rate.
policy-map DenyP2PTraffic
 class DenyP2PTraffic
  police cir 8000
   conform-action transmit
   exceed-action drop

! Attach the policy in both directions on every interface the traffic can cross.
! "ip nbar protocol-discovery" is a statistics feature (show ip nbar protocol-discovery);
! classification for the service-policy works without it, but the per-protocol counters
! show what NBAR actually sees and help tune the class.
interface Tunnel100
 description Tunnel_to_xxx
 ip nbar protocol-discovery
 service-policy input DenyP2PTraffic
 service-policy output DenyP2PTraffic
!
interface FastEthernet0/1.40
 description Guest_Pool
 ip nbar protocol-discovery
 service-policy input DenyP2PTraffic
 service-policy output DenyP2PTraffic
!
interface FastEthernet0/1.131
 description To_Internal_Data
 ip nbar protocol-discovery
 service-policy input DenyP2PTraffic
 service-policy output DenyP2PTraffic


! Verify: per-class match and drop (or police conform/exceed) counters, then which
! protocols NBAR is actually seeing on the interface.
show policy-map interface FastEthernet0/1.131
show ip nbar protocol-discovery interface FastEthernet0/1.131 top-n 10
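The difference between blocking and limiting comes down to what the policer does with packets that fit inside the configured rate. The simulation below is an added example, not part of the original post: a single-rate, two-colour token-bucket policer fed a constructed packet stream (50 packets of 1000 bytes, one every 100 ms, roughly 80 kbit/s offered) at the post's cir of 8000 bit/s, run once with both conform-action and exceed-action set to drop and once with conform-action transmit / exceed-action drop. The 1500-byte burst size is an assumed value for the demonstration, not a platform default, and the police function is the example's own approximation of the IOS policer, not its implementation.

```python
"""Single-rate, two-colour token-bucket policer, simulated.

Added example, not from the original post. Shows why "conform-action drop /
exceed-action drop" cannot rate-limit anything: the policer only ever picks
one of the two actions, so if both are drop nothing is forwarded.
"""

# Constructed packet stream: 50 packets of 1000 bytes, one every 100 ms
# (about 80 kbit/s offered). Times are in milliseconds so the token
# arithmetic stays exact.
PACKETS = [(i * 100, 1000) for i in range(50)]

CIR_BPS = 8000     # police cir 8000 (bits per second), the value from the post
BC_BYTES = 1500    # assumed burst size for the demo; the real default is platform-dependent


def police(packets, cir_bps, bc_bytes, conform_action, exceed_action):
    """Apply a single-rate policer to (time_ms, size_bytes) packets.

    Tokens are bytes. The bucket starts full, refills at cir/8 bytes per second and
    is capped at bc. A packet conforms if the bucket holds at least its size, in
    which case it consumes that many tokens and gets conform_action; otherwise it
    gets exceed_action. Returns {action: (packets, bytes)}.
    """
    tokens = float(bc_bytes)
    last_ms = packets[0][0] if packets else 0
    result = {"transmit": [0, 0], "drop": [0, 0]}
    for now_ms, size in packets:
        tokens = min(float(bc_bytes), tokens + (now_ms - last_ms) * cir_bps / 8000.0)
        last_ms = now_ms
        if tokens >= size:
            tokens -= size
            action = conform_action
        else:
            action = exceed_action
        result[action][0] += 1
        result[action][1] += size
    return {k: tuple(v) for k, v in result.items()}


def compare_policies():
    """Both actions drop versus conform transmit / exceed drop, same cir and burst."""
    both_drop = police(PACKETS, CIR_BPS, BC_BYTES, "drop", "drop")
    transmit_drop = police(PACKETS, CIR_BPS, BC_BYTES, "transmit", "drop")
    return both_drop, transmit_drop


if __name__ == "__main__":
    labels = ("conform drop / exceed drop", "conform transmit / exceed drop")
    for label, res in zip(labels, compare_policies()):
        print(f"{label}: transmitted {res['transmit'][0]} packets "
              f"({res['transmit'][1]} bytes), dropped {res['drop'][0]} packets")
```

With both actions set to drop, all 50 packets are discarded, which is the block policy with extra steps. With conform-action transmit the policer forwards the initial burst and then one packet every second, about 8 kbit/s, and drops the rest; that is the behaviour a "limit" variant is supposed to have.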