Solved

Cisco 1710 dial-in vpn through aux

Posted on 2003-10-22
Last Modified: 2008-02-01
I have a cisco 1710 router running on IOS 12.2something. Using an external modem would it be possible to VPN onto my network via the AUX port? I already have it set up through the ethernet port but the company would like to have dial-up purposes when employees are out of town. I have the necessary hardware and the modem is hooked up. I just wanted to know if anyone has done it before getting too far along with research.
Question by:confusedit
10 Comments
LVL 13

Expert Comment

by:td_miles
ID: 9604878
Essentially, yes you can configure dial-in on the AUX port. It is configured the same as any other dial-in port. Here are a couple of URL's to help you along the way:

http://www.cisco.com/en/US/products/hw/routers/ps221/products_configuration_guide_chapter09186a008007cd2e.html

http://www.cisco.com/en/US/products/sw/iosswrel/ps1824/products_configuration_guide_chapter09186a0080087b81.html

The one thing to be careful of is security. If you are going to allow them to dial-in and connect directly to the internal network, then this may be considered a security risk. If they are going to dial-in and then initiate a VPN, then how is this different to them connecting to an ISP and initiating a VPN over the Internet?
LVL 79

Accepted Solution

by:
lrmoore earned 75 total points
ID: 9609094
$0.02 for what it's worth.
yes, you can set up a modem on the AUX port to establish PPP dial-in access, and td_miles has provided good links to help. However, since this is a direct PPP connection, there is no need to use a VPN on top of it; that would just be throwing an extra layer of complexity into the equation.

Author Comment

by:confusedit
ID: 9615448
Ok thanks for the links.  Sorry for the delayed response I work strange hours.  I will try to get to trying these after everyone leaves the office and I can mess things up all I want :)

As for the security issue. Would it be safe with just PPP dial-in access? Is there some way to combine some sort of security log-on when dialing in? Maybe through a Radius server? Thanks for the responses I'll let you know my progress this weekend.
LVL 13

Expert Comment

by:td_miles
ID: 9618593
Don't worry about the delayed response. I'm in AU, so I tend not to even look at when people post, as it is most likely a strange time for me too  :)

As with any remote access, your security is going to be as good as the precautions you take. At the end of the day this comes down to how good the password is on your PPP dial-in. I would recommend having separate username/password for each user. Make sure passwords are complex/long enough. Also audit all of the logins, so that if anything bad does happen, you have some chance of tracing it.

Whether to use RADIUS or local user DB depends on a couple of things:
a. number of users that will be using the dial-in facility
b. whether you already have a RADIUS server
c. how secure you want things to be

To further explain:
a. Given that you are only wanting a single dial-in line (router only has one AUX port), then I have to assume that you only have a few users wanting to use the facility, else you'll get lots of unhappy people unable to connect.
b. a RADIUS server is just software. As with most software, it costs money. You can either purchase a boxed product RADIUS server or run a free one for Linux. Either way you will expend money/time (usually time == money) in getting this to work.
c. If security is critical, then you can setup a RADIUS server that uses something like the SecurID tokens that are a little electronic tag that has a number/password on them that changes every 60 seconds. This means that for someone to gain access, they need to physically have one of the tokens instead of being able to attempt to guess a static password.

If you're wanting to set up RADIUS auth, see here for example:
http://www.cisco.com/en/US/tech/tk583/tk547/technologies_configuration_example09186a00800fa54a.shtml

SecurID link:
http://www.rsasecurity.com/products/securid/
I'm sure there are other products similar to securID. This is simply the one I am most familiar with.

If you are using win2k server & AD, then you can install the Internet Authentication Service (IAS) that is a RADIUS server written by MS for win2k. This integrates with the AD and allows you to authenticate users back to their AD username/password and also control access using the "remote access permission" tickbox in their user profile:
http://www.cisco.com/en/US/tech/tk801/tk703/technologies_configuration_example09186a008009485e.shtml
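As an added example, not part of the thread and not from Cisco or RSA: the CHAP exchange (RFC 1994) that a PPP dial-in performs, modelled in Python with one secret per user and an audit record of every attempt, which is what the advice above on separate accounts and login auditing amounts to on the wire. The usernames, secrets and challenge bytes are constructed here, and `Authenticator`, `dial_in` and `replay_attempt` are names chosen for this illustration. One caveat the code makes visible: the verifier recomputes MD5 over the cleartext secret, so whatever answers CHAP (the router's local database or the RADIUS server behind it) has to hold the secret in recoverable form, not as a one-way hash.

```python
"""PPP CHAP (RFC 1994) dial-in exchange: router challenge, peer response,
verification against a per-user secret store, and an audit log.

Added example for illustration; all names, secrets and challenge values
are constructed here and are not from the original thread.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed per-user credential store (one secret per dial-in user).
# RFC 1994 requires the secret in cleartext on the authenticator, because
# the MD5 response can only be recomputed from the secret itself.
USERS = {
    "alice": b"Tr0ub4dor&3-dialin",
    "bob": b"correct horse battery staple",
}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: Response Value = MD5(Identifier || secret || Challenge Value)."""
    if not 0 <= identifier <= 255:
        raise ValueError("CHAP Identifier is a single octet")
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


@dataclass
class Authenticator:
    """The dial-in side: the router, or a RADIUS server checking on its behalf."""
    users: dict
    audit: list = field(default_factory=list)
    pending: dict = field(default_factory=dict)   # Identifier -> outstanding challenge

    def challenge(self, identifier: int) -> bytes:
        # A fresh, unpredictable challenge per attempt is what makes a
        # captured response useless later on.
        chal = os.urandom(16)
        self.pending[identifier] = chal
        return chal

    def verify(self, identifier: int, name: str, response: bytes) -> bool:
        chal = self.pending.pop(identifier, None)   # each challenge is single-use
        secret = self.users.get(name)
        ok = (
            chal is not None
            and secret is not None
            and hmac.compare_digest(response, chap_response(identifier, secret, chal))
        )
        # Log every attempt, not only failures, so a later incident can be traced.
        self.audit.append(("SUCCESS" if ok else "FAILURE", name, identifier))
        return ok


def dial_in(auth: Authenticator, name: str, secret: bytes, identifier: int = 1) -> bool:
    """Peer side of the exchange: take the challenge, send name and response."""
    chal = auth.challenge(identifier)
    return auth.verify(identifier, name, chap_response(identifier, secret, chal))


def replay_attempt(auth: Authenticator, identifier: int = 7) -> bool:
    """An eavesdropper replays alice's captured response against a new challenge."""
    first = auth.challenge(identifier)
    captured = chap_response(identifier, USERS["alice"], first)
    auth.verify(identifier, "alice", captured)         # alice's real login succeeds
    auth.challenge(identifier)                         # next session: new random challenge
    return auth.verify(identifier, "alice", captured)  # the stale response is rejected


if __name__ == "__main__":
    auth = Authenticator(dict(USERS))
    print("alice, right secret :", dial_in(auth, "alice", USERS["alice"]))
    print("alice, wrong secret :", dial_in(auth, "alice", b"guess"))
    print("unknown user        :", dial_in(auth, "mallory", b"anything"))
    print("replayed response   :", replay_attempt(auth))
    for entry in auth.audit:
        print("audit:", entry)
```

The audit list is the minimum you would want to keep (who, which session identifier, outcome); on the router the equivalent is RADIUS accounting or the AAA log, which is where the "audit all of the logins" advice above lands in practice.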

Author Comment

by:confusedit
ID: 9627160
td_miles thanks for the help... but I'm still a bit confused.

That first link you posted is configuring a serial0 port.  I have no physical serial port on my 1710.  Can this configuration still work without one?  Plus they are using IPX routing and I'm not using Novell.  Is it possible to use a static IP route instead?

I'm checking second link and am sure I'll have more questions in a bit.
LVL 13

Assisted Solution

by:td_miles
td_miles earned 75 total points
ID: 9631716
Yes, it is using the serial0 port; this is because it is an example of dial-in the way it is normally done (on a dedicated serial port). You simply need to apply similar configuration that is listed under serial port config to your AUX port.
Just ignore all the stuff on IPX routing. It is an example config and shows how you would setup IPX routing as well as IP if you needed it.
Scroll down to the second example (with a Cisco 1700 router) as this is easier to understand and more like what you are wanting to do.


Author Comment

by:confusedit
ID: 9643448
I appreciate your patience.  I hopefully will get a chance to play with the second example some this afternoon sometime.  I will keep you posted on progress.

Author Comment

by:confusedit
ID: 9716918
Ok, here is my current configuration:

!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname rtr
!
boot system flash c1710-k9o3sy-mz.122-4.YA6.bin
aaa new-model
!
!
aaa group server radius RADIUS01
 server "Server 1 IP" auth-port 1645 acct-port 1646
!
aaa authentication banner Cisco Router Login
aaa authentication login default group RADIUS01
aaa authentication ppp default group RADIUS01
aaa session-id common
enable secret *********
enable password ************
!
memory-size iomem 15
ip subnet-zero
!
!
ip dhcp excluded-address x.x.x.0 x.x.x.99
ip dhcp excluded-address x.x.x.200 x.x.x.255
!
ip dhcp pool DHCP1
   network x.x.x.0 255.255.255.0
   default-router "Router IP"
   dns-server "Server 1 IP"
   lease 7
!
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
ip dhcp-server "Router IP"
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp client configuration address-pool local DHCP1
!
!
crypto ipsec transform-set CryptoTransform esp-3des esp-md5-hmac
!
crypto dynamic-map DynamicMap 1
 set transform-set CryptoTransform
!
!
crypto map VPNmap isakmp authorization list RADIUS01
crypto map VPNmap client configuration address initiate
crypto map VPNmap client configuration address respond
crypto map VPNmap 1 ipsec-isakmp dynamic DynamicMap
!
!
!
!
interface Ethernet0
 ip address "Router e0 IP" 255.255.255.248
 no ip unreachables
 ip nat outside
 half-duplex
 crypto map VPNmap
!
interface FastEthernet0
 ip address "Router IP" 255.255.255.0
 ip nat inside
 speed 100
 full-duplex
!
interface Async5
 ip unnumbered FastEthernet0
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 300
 dialer map ip x.x.x.250 name "My PC Name" broadcast
 dialer-group 1
 async dynamic routing
 async mode dedicated
 peer default ip address x.x.x.250
 ppp authentication chap
 crypto map VPNmap
!
router rip
 network x.x.x.0
!
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source static tcp "Server 1 IP" 1723 interface Ethernet0 1723
ip nat inside source static tcp "Server 2 IP" 80 "Server 2 external IP" 80 extendable
ip nat inside source static tcp "Server 3 IP" 25 "Server 3 external IP" 25 extendable
ip nat inside source static tcp "Server 3 IP" 110 "Server 3 external IP" 110 extendable
ip nat inside source static tcp "Server 2 IP" 21 "Server 2 external IP" 21 extendable
ip nat inside source static tcp "Server 3 IP" 21 "Server 3 external IP" 21 extendable
ip nat inside source static tcp "Server 3 IP" 135 "Server 3 external IP" 135 extendable
ip nat inside source static tcp "Server 3 IP" 1025 "Server 3 external IP" 1025 extendable
ip nat inside source static tcp "Server 3 IP" 5001 "Server 3 external IP" 5001 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 "Internet Provider IP"
ip http server
ip pim bidir-enable
!
!
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
!
radius-server host "Server 1 IP" auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server key radius
!
line con 0
 password ******
line aux 0
 modem Dialin
 autoselect during-login
 autoselect ppp
 speed 38400
 flowcontrol hardware
line vty 0 4
 password ******
!
end

1. First I am not responsible for everything on this router.  I did not do any of the "crypto" setup above and I really don't know anything about it.
Should I remove the "crypto map VPNmap" from async5?

2. Another question I had was on authentication.  Here we have it setup to use a Radius server.  Is this config going to mess up my dial-in?
Should I change the aaa authentication ppp default group RADIUS01 to local?

3. Will the two autoselect statements under the line aux setting affect my dial-in?

4. I'm assuming to test I can just change my computer name to "My PC Name" and set my IP to x.x.x.250 and then just use Windows software to dial-in.

5. Are there any other obvious problems?  Or something I might be forgetting?

I can't test the setup until everyone leaves at five so I figured I would get as much ironed out beforehand. Thanks for the help guys and I will be upping the points for all the effort.
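As an added example that is not part of the thread and not a Cisco tool: a small Python lint for an IOS dump like the one posted above, checking the settings a reviewer of a dial-in router looks at first (cleartext line passwords, a redundant `enable password`, a guessable RADIUS shared secret, unrestricted HTTP management, vty lines without an access-class, and whether the async interface authenticates PPP at all). The excerpt it runs on is constructed here from the posted config with the same placeholders; the finding codes, the parser, the 16-character key threshold and the `access-list 10` in the hardened version are this example's own assumptions, not Cisco conventions. It does not try to answer the crypto-map question.

```python
"""Lint an IOS running-config for the dial-in/remote-access settings a reviewer
checks first. Added example: the excerpt is constructed from the posted dump
(same placeholders); finding codes and thresholds are this example's own."""
from typing import Dict, List, Tuple

MIN_RADIUS_KEY_LEN = 16                      # assumption, not a Cisco default
DICTIONARY_KEYS = {"radius", "cisco", "secret", "password"}

# Constructed excerpt mirroring the relevant parts of the posted 1710 config.
POSTED_CONFIG = """\
no service password-encryption
aaa new-model
enable secret <hash>
enable password <cleartext>
!
interface Async5
 ip unnumbered FastEthernet0
 encapsulation ppp
 ppp authentication chap
!
ip http server
radius-server host "Server 1 IP" auth-port 1645 acct-port 1646
radius-server key radius
!
line aux 0
 modem Dialin
 autoselect ppp
line vty 0 4
 password ******
!
end
"""

# The same excerpt with each flagged setting corrected (access-list 10 is
# assumed to describe the management network).
HARDENED_CONFIG = (
    POSTED_CONFIG
    .replace("no service password-encryption", "service password-encryption")
    .replace("enable password <cleartext>\n", "")
    .replace("radius-server key radius", "radius-server key <long-random-shared-secret>")
    .replace("ip http server", "no ip http server\naccess-list 10 permit x.x.x.0 0.0.0.255")
    .replace("line vty 0 4\n", "line vty 0 4\n access-class 10 in\n transport input ssh\n")
)


def parse_ios(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split a config into top-level commands and their indented sub-commands.
    A '!' separator ends the current block, as in 'show running-config' output."""
    top: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0].isspace():
            if current is not None:
                blocks[current].append(raw.strip())
            continue
        current = raw.rstrip()
        top.append(current)
        blocks[current] = []
    return top, blocks


def lint_dialin(text: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings; an empty list means nothing was flagged."""
    top, blocks = parse_ios(text)
    findings: List[Tuple[str, str]] = []
    if "no service password-encryption" in top:
        findings.append(("CLEARTEXT_LINE_PASSWORDS", "line passwords appear in cleartext in 'show running-config'"))
    if any(c.startswith("enable secret") for c in top) and any(c.startswith("enable password") for c in top):
        findings.append(("REDUNDANT_ENABLE_PASSWORD", "'enable password' is cleartext/reversible and unneeded beside 'enable secret'"))
    for c in top:
        if c.startswith("radius-server key "):
            key = c.split(" ", 2)[2]
            # 'key 7 <hex>' is already type-7 obfuscated in the dump; its length says nothing.
            if not key.startswith("7 ") and (len(key) < MIN_RADIUS_KEY_LEN or key.lower() in DICTIONARY_KEYS):
                findings.append(("WEAK_RADIUS_KEY", f"shared secret {key!r} is short or a dictionary word"))
    if "ip http server" in top and not any(c.startswith("ip http access-class") for c in top):
        findings.append(("HTTP_SERVER_UNRESTRICTED", "HTTP management is on with no access-class, so the outside interface serves it too"))
    for header, sub in blocks.items():
        if header.startswith("interface Async"):
            auth = [s for s in sub if s.startswith("ppp authentication")]
            if not auth:
                findings.append(("NO_PPP_AUTH", f"{header}: dial-in peers are never authenticated"))
            elif any("pap" in s.split() for s in auth):
                findings.append(("PAP_ALLOWED", f"{header}: PAP sends the password in cleartext"))
        if header.startswith("line vty") and not any(s.startswith("access-class") for s in sub):
            findings.append(("VTY_NO_ACCESS_CLASS", f"{header}: remote login is not restricted by source address"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = lint_dialin(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for code, detail in results:
            print(f"  {code}: {detail}")
```

Run it against your own `show running-config` output by passing the text to `lint_dialin`; the posted excerpt produces five findings and the hardened excerpt none, while the CHAP check on `Async5` passes in both because `ppp authentication chap` is already there.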
