The Cisco VPN client is already a legacy application and has been replaced by AnyConnect Secure Mobility Solutions, although it's still a good VPN client for testing in a lab environment. I've been using AnyConnect on my laptop to VPN into our corporate network since we migrated from the Cisco VPN 3000 concentrator last year. The only drawback is that there's no VPN client support on the iPhone, since our corporate ASA firewall doesn't have the AnyConnect mobile license installed.
Router(config)#hostname R1
R1(config)#no ip domain-lookup
R1(config)#interface fastethernet0/1
R1(config-if)#ip address 192.168.1.1 255.255.255.0
R1(config-if)#no shutdown
R1(config-if)#
*Jun 27 12:34:05.607: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun 27 12:34:06.607: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R1(config-if)#interface serial0/0/0
R1(config-if)#ip address 10.1.1.1 255.255.255.252
R1(config-if)#no shutdown
*Jun 27 12:34:26.831: %LINK-3-UPDOWN: Interface Serial0/0/0, changed state to up
*Jun 27 12:34:27.831: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/0, changed state to up
R1(config-if)#clock rate 64000
R1(config-if)#exit
R1(config)#ip route 0.0.0.0 0.0.0.0 10.1.1.2
Router(config)#hostname R2
R2(config)#no ip domain-lookup
R2(config)#interface serial0/0/0
R2(config-if)#ip address 10.1.1.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#do ping 10.1.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 28/28/32 ms
R2(config-if)#interface serial0/0/1
R2(config-if)#ip address 10.2.2.2 255.255.255.252
R2(config-if)#no shutdown
R2(config-if)#
*Jun 27 12:34:56.803: %LINK-3-UPDOWN: Interface Serial0/0/1, changed state to up
*Jun 27 12:34:57.803: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial0/0/1, changed state to up
R2(config-if)#clock rate 64000
R2(config-if)#exit
R2(config)#ip route 192.168.1.0 255.255.255.0 10.1.1.1
R2(config)#ip route 192.168.3.0 255.255.255.0 10.2.2.1
Router(config)#hostname R3
R3(config)#no ip domain-lookup
R3(config)#interface fastethernet0/1
R3(config-if)#ip address 192.168.3.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#
*Jun 27 12:39:41.255: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Jun 27 12:39:42.255: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
R3(config-if)#interface serial0/0/1
R3(config-if)#ip address 10.2.2.1 255.255.255.0
R3(config-if)#no shutdown
R3(config-if)#do ping 10.2.2.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 56/56/56 ms
R3(config-if)#exit
R3(config)#ip route 0.0.0.0 0.0.0.0 10.2.2.2
R1(config)#security passwords min-length 10
R1(config)#enable secret cisco12345
R1(config)#line console 0
R1(config-line)#password ciscoconpass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R1(config-line)#logging synchronous
R1(config-line)#line vty 0 4
R1(config-line)#password ciscovtypass
R1(config-line)#exec-timeout 5 0
R1(config-line)#login
R2(config)#security passwords min-length 10
R2(config)#enable secret cisco12345
R2(config)#line console 0
R2(config-line)#password ciscoconpass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R2(config-line)#logging synchronous
R2(config-line)#line vty 0 4
R2(config-line)#password ciscovtypass
R2(config-line)#exec-timeout 5 0
R2(config-line)#login
R3(config)#security passwords min-length 10
R3(config)#enable secret cisco12345
R3(config)#line console 0
R3(config-line)#password ciscoconpass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R3(config-line)#logging synchronous
R3(config-line)#line vty 0 4
R3(config-line)#password ciscovtypass
R3(config-line)#exec-timeout 5 0
R3(config-line)#login
R1(config)#service password-encryption
R2(config)#service password-encryption
R3(config)#service password-encryption
R3(config)#ip http server
R3(config)#username admin01 privilege 15 password 0 admin01pass
R3(config)#ip http authentication local
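The management-plane commands above leave a few weak settings in place (a shared vty line password, telnet still allowed, a `username ... password` that `service password-encryption` only obfuscates as type 7, and cleartext `ip http server`). The following audit script is an added example, not part of the original post: it runs a few checks over a constructed copy of the lab config and over an assumed hardened variant using the standard IOS `secret`, `login local`, `transport input ssh` and `ip http secure-server` commands.

```python
import re

# Constructed sample of the R3 management-plane commands above, prompts removed.
LAB_CONFIG = """\
enable secret cisco12345
line vty 0 4
 password ciscovtypass
 login
service password-encryption
ip http server
username admin01 privilege 15 password 0 admin01pass
"""

# Constructed hardened variant (assumed target config, not from the page).
HARDENED_CONFIG = """\
enable secret cisco12345
username admin01 privilege 15 secret admin01pass
line vty 0 4
 login local
 transport input ssh
ip http secure-server
"""

def _line_block(config: str, prefix: str) -> list[str]:
    """Collect the indented sub-commands of the first 'line <prefix>' block."""
    block, inside = [], False
    for l in config.splitlines():
        if not l.startswith(" "):
            inside = l.startswith(prefix)
            continue
        if inside:
            block.append(l.strip())
    return block

def audit_mgmt_plane(config: str) -> list[str]:
    """Return human-readable findings for weak management-plane settings."""
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    findings = []
    # 'username ... password' becomes reversible type 7; 'secret' is a one-way hash.
    if any(re.match(r"username \S+ (privilege \d+ )?password ", l) for l in top):
        findings.append("username uses reversible 'password'; use 'secret'")
    vty = _line_block(config, "line vty")
    if "transport input ssh" not in vty:
        findings.append("vty lines accept telnet (no 'transport input ssh')")
    if "login local" not in vty:
        findings.append("vty lines use a shared line password, not 'login local'")
    if "ip http server" in top and "ip http secure-server" not in top:
        findings.append("cleartext HTTP management without 'ip http secure-server'")
    return findings
```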
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.3.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.3.1
C:\Users\PC-C>ping 10.2.2.2 // R2 S0/0/1; STATEFUL ICMP ANY ANY ALLOWED
Pinging 10.2.2.2 with 32 bytes of data:
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Reply from 10.2.2.2: bytes=32 time=18ms TTL=254
Ping statistics for 10.2.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 18ms, Maximum = 18ms, Average = 18ms
C:\Users\PC-C>ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::4562:9b92:c15f:91ff%10
IPv4 Address. . . . . . . . . . . : 192.168.1.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1
C:\Users\PC-C>ping 192.168.3.1 // CAN'T PING R3 DUE TO ZBF
Pinging 192.168.3.1 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Ping statistics for 192.168.3.1:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
R3#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 192.168.3.1 YES NVRAM up up
Serial0/0/0 unassigned YES NVRAM administratively down down
Serial0/0/1 10.2.2.1 YES NVRAM up up
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 10.2.2.1 YES TFTP down down
R3#
*Jun 27 23:38:13.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access2, changed state to up
R3#show ip interface brief
Interface IP-Address OK? Method Status Protocol
FastEthernet0/0 unassigned YES NVRAM administratively down down
FastEthernet0/1 192.168.3.1 YES NVRAM up up
Serial0/0/0 unassigned YES NVRAM administratively down down
Serial0/0/1 10.2.2.1 YES NVRAM up up
Virtual-Access1 unassigned YES unset down down
Virtual-Template1 10.2.2.1 YES TFTP down down
Virtual-Access2 10.2.2.1 YES TFTP up up
R3#
*Jun 27 23:39:08.739: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.2.2.1, prot=50, spi=0x94040000(2483290112), srcaddr=192.168.1.3
R3#
*Jun 27 23:39:08.739: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 10.2.2.1 dst 192.168.1.3 for SPI 0x94040000
R3#
*Jun 27 23:39:18.883: ISAKMP (0:1001): received packet from 192.168.1.3 dport 500 sport 65306 Global (R) QM_IDLE
*Jun 27 23:39:18.883: ISAKMP: set new node -697361896 to QM_IDLE
*Jun 27 23:39:18.887: ISAKMP:(1001): processing HASH payload. message ID = -697361896
*Jun 27 23:39:18.887: ISAKMP:(1001): processing NOTIFY DPD/R_U_THERE protocol 1
spi 0, message ID = -697361896, sa = 652801E4
*Jun 27 23:39:18.887: ISAKMP:(1001):deleting node -697361896 error FALSE reason "Informational (in) state 1"
*Jun 27 23:39:18.887: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_INFO_NOTIFY
*Jun 27 23:39:18.887: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
*Jun 27 23:39:18.887: ISAKMP:(1001):DPD/R_U_THERE received from peer 192.168.1.3, sequence 0x4C6CE159
*Jun 27 23:39:18.887: ISAKMP: set new node 738064527 to QM_IDLE
*Jun 27 23:39:18.887: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
spi 1701105672, message ID = 738064527
*Jun 27 23:39:18.887: ISAKMP:(1001): seq. no 0x4C6CE159
*Jun 27 23:39:18.887: ISAKMP:(1001): sending packet to 192.168.1.3 my_port 500 peer_port 65306 (R) QM_IDLE
*Jun 27 23:39:18.887: ISAKMP:(1001):Sending an IKE IPv4 Packet.
*Jun 27 23:39:18.887: ISAKMP:(1001):purging node 738064527
R3#
*Jun 27 23:39:18.891: ISAKMP:(1001):Input = IKE_MESG_FROM_PEER, IKE_MESG_KEEP_ALIVE
*Jun 27 23:39:18.891: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
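The R3 console output above shows two things worth tracking on a VPN headend: an `%CRYPTO-4-RECVD_PKT_INV_SPI` message (ESP arriving with an SPI the router no longer holds, here from a client reconnecting while the previous IPsec SA was stale, as the "no ISAKMP sa" line that follows confirms) and a DPD R_U_THERE / R_U_THERE_ACK keepalive exchange on the established phase-1 SA. The parser below is an added example, not code from the original post; it runs over a constructed log made from those lines and summarizes per-peer DPD activity and invalid-SPI events, so a one-off after a reconnect can be told apart from a sustained burst that would point at an SA mismatch.

```python
import re

# Constructed sample built from the R3 console lines above (IDs and timestamps copied).
R3_LOG = """\
*Jun 27 23:39:08.739: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.2.2.1, prot=50, spi=0x94040000(2483290112), srcaddr=192.168.1.3
*Jun 27 23:39:18.883: ISAKMP (0:1001): received packet from 192.168.1.3 dport 500 sport 65306 Global (R) QM_IDLE
*Jun 27 23:39:18.887: ISAKMP:(1001):DPD/R_U_THERE received from peer 192.168.1.3, sequence 0x4C6CE159
*Jun 27 23:39:18.887: ISAKMP:(1001):Sending NOTIFY DPD/R_U_THERE_ACK protocol 1
*Jun 27 23:39:18.887: ISAKMP:(1001):Old State = IKE_P1_COMPLETE New State = IKE_P1_COMPLETE
"""

INV_SPI = re.compile(r"%CRYPTO-4-RECVD_PKT_INV_SPI:.*destaddr=(\S+), prot=(\d+), "
                     r"spi=(0x[0-9a-fA-F]+).*srcaddr=(\S+)")
DPD_RX = re.compile(r"ISAKMP:\((\d+)\):DPD/R_U_THERE received from peer (\S+), "
                    r"sequence (0x[0-9a-fA-F]+)")
DPD_ACK = re.compile(r"ISAKMP:\((\d+)\):Sending NOTIFY DPD/R_U_THERE_ACK")

def summarize_ike(log: str) -> dict:
    """Summarize invalid-SPI events and DPD keepalives per peer from IOS debug output."""
    peers, invalid = {}, []
    for line in log.splitlines():
        m = INV_SPI.search(line)
        if m:  # ESP (protocol 50) with an SPI this router has no IPsec SA for
            invalid.append({"src": m.group(4), "dst": m.group(1),
                            "proto": int(m.group(2)), "spi": int(m.group(3), 16)})
            continue
        m = DPD_RX.search(line)
        if m:  # peer asked "are you there" on ISAKMP SA <id>
            p = peers.setdefault(m.group(2), {"sa": m.group(1), "dpd_rx": 0,
                                              "dpd_ack": 0, "last_seq": None})
            p["dpd_rx"] += 1
            p["last_seq"] = int(m.group(3), 16)
            continue
        m = DPD_ACK.search(line)
        if m:  # our ACK, matched to the peer by ISAKMP SA id
            for p in peers.values():
                if p["sa"] == m.group(1):
                    p["dpd_ack"] += 1
    return {"peers": peers, "invalid_spi": invalid}
```

A peer with `dpd_rx` climbing while `dpd_ack` stays flat, or a steady stream of `invalid_spi` entries from one source, is the pattern to alert on; a single invalid SPI followed by a clean DPD exchange, as in this capture, is normal after a client reconnect.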
C:\Users\PC-A>telnet 192.168.3.1
User Access Verification
Username: admin01
Password:
R3#show users
Line User Host(s) Idle Location
0 con 0 admin01 idle 00:04:04
*194 vty 0 admin01 idle 00:00:00 192.168.3.100
Interface User Mode Idle Peer Address