Cisco 1710 dial-in vpn through aux

confusedit asked:
I have a cisco 1710 router running on IOS 12.2something.  Using an external modem would it be possible to VPN onto my network via the AUX port?  I already have it set up through the ethernet port but the company would like to have dial-up purposes when employees are out of town.  I have the necessary hardware and the modem is hooked up.  I just wanted to know if anyone has done it before getting too far along with research.


Essentially, yes you can configure dial-in on the AUX port. It is configured the same as any other dial-in port. Here are a couple of URLs to help you along the way:

The one thing to be careful of is security. If you are going to allow them to dial-in and connect directly to the internal network, then this may be considered a security risk. If they are going to dial-in and then initiate a VPN, then how is this different to them connecting to an ISP and initiating a VPN over the Internet?
Sr. Systems Engineer
Top Expert 2008
$0.02 for what it's worth.
yes, you can set up a modem on the AUX port to establish PPP dial-in access, and td_miles has provided good links to help. However, since this is a direct ppp connection, there is no need to use a VPN on top of it... that would just be throwing an extra layer of complexity into the equation.


Ok thanks for the links.  Sorry for the delayed response I work strange hours.  I will try to get to trying these after everyone leaves the office and I can mess things up all I want :)

As for the security issue.  Would it be safe with just PPP dial-in access?  Is there some way to combine some sort of security log-on when dialing in?  Maybe through a Radius server?  Thanks for the responses, I'll let you know my progress this weekend.

Don't worry about the delayed response. I'm in AU, so I tend not to even look at when people post, as it is most likely a strange time for me too :)

As with any remote access, your security is going to be as good as the precautions you take. At the end of the day this comes down to how good the password is on your PPP dial-in. I would recommend having separate username/password for each user. Make sure passwords are complex/long enough. Also audit all of the logins, so that if anything bad does happen, you have some chance of tracing it.

Whether to use RADIUS or local user DB depends on a couple of things:
a. number of users that will be using the dial-in facility
b. whether you already have a RADIUS server
c. how secure you want things to be

To further explain:
a. Given that you are only wanting a single dial-in line (router only has one AUX port), then I have to assume that you only have a few users wanting to use the facility, else you'll get lots of unhappy people unable to connect.
b. a RADIUS server is just software. As with most software, it costs money. You can either purchase a boxed product RADIUS server or run a free one for Linux. Either way you will expend money/time (usually time == money) in getting this to work.
c. If security is critical, then you can set up a RADIUS server that uses something like the securID tokens that are a little electronic tag that has a number/password on them that changes every 60 seconds. This means that for someone to gain access, they need to physically have one of the tokens instead of being able to attempt to guess a static password.

If you're wanting to set up RADIUS auth, see here for example:

SecurID link:
I'm sure there are other products similar to securID. This is simply the one I am most familiar with.

If you are using win2k server & AD, then you can install the Internet Authentication Service (IAS) that is a RADIUS server written by MS for win2k. This integrates with the AD and allows you to authenticate users back to their AD username/password and also control access using the "remote access permission" tickbox in their user profile:


td_miles thanks for the help... but I'm still a bit confused.

That first link you posted is configuring a serial0 port.  I have no physical serial port on my 1710.  Can this configuration still work without one?  Plus they are using IPX routing and I'm not using Novell.  Is it possible to use a static IP route instead?

I'm checking second link and am sure I'll have more questions in a bit.
Yes, it is using the serial0 port, this is because it is an example of dial-in the way it is normally done (on a dedicated serial port). You simply need to apply similar configuration that is listed under serial port config to your AUX port.
Just ignore all the stuff on IPX routing. It is an example config and shows how you would setup IPX routing as well as IP if you needed it.
Scroll down to the second example (with a Cisco 1700) router as this is easier to understand and more like what you are wanting to do.



I appreciate your patience.  I hopefully will get a chance to play with the second example some this afternoon sometime.  I will keep you posted on progress.


Ok, here is my current configuration:

version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
hostname rtr
boot system flash c1710-k9o3sy-mz.122-4.YA6.bin
aaa new-model
aaa group server radius RADIUS01
 server "Server 1 IP" auth-port 1645 acct-port 1646
aaa authentication banner Cisco Router Login
aaa authentication login default group RADIUS01
aaa authentication ppp default group RADIUS01
aaa session-id common
enable secret *********
enable password ************
memory-size iomem 15
ip subnet-zero
ip dhcp excluded-address x.x.x.0 x.x.x.99
ip dhcp excluded-address x.x.x.200 x.x.x.255
ip dhcp pool DHCP1
   network x.x.x.0
   default-router "Router IP"
   dns-server "Server 1 IP"
   lease 7
ip audit notify log
ip audit po max-events 100
ip ssh time-out 120
ip ssh authentication-retries 3
ip dhcp-server "Router IP"
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp client configuration address-pool local DHCP1
crypto ipsec transform-set CryptoTransform esp-3des esp-md5-hmac
crypto dynamic-map DynamicMap 1
 set transform-set CryptoTransform
crypto map VPNmap isakmp authorization list RADIUS01
crypto map VPNmap client configuration address initiate
crypto map VPNmap client configuration address respond
crypto map VPNmap 1 ipsec-isakmp dynamic DynamicMap
interface Ethernet0
 ip address "Router e0 IP"
 no ip unreachables
 ip nat outside
 crypto map VPNmap
interface FastEthernet0
 ip address "Router IP"
 ip nat inside
 speed 100
interface Async5
 ip unnumbered FastEthernet0
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 300
 dialer map ip x.x.x.250 name "My PC Name" broadcast
 dialer-group 1
 async dynamic routing
 async mode dedicated
 peer default ip address x.x.x.250
 ppp authentication chap
 crypto map VPNmap
router rip
 network x.x.x.0
ip nat inside source list 100 interface Ethernet0 overload
ip nat inside source static tcp "Server 1 IP" 1723 interface Ethernet0 1723
ip nat inside source static tcp "Server 2 IP" 80 "Server 2 external IP" 80 extendable
ip nat inside source static tcp "Server 3 IP" 25 "Server 3 external IP" 25 extendable
ip nat inside source static tcp "Server 3 IP" 110 "Server 3 external IP" 110 extendable
ip nat inside source static tcp "Server 2 IP" 21 "Server 2 external IP" 21 extendable
ip nat inside source static tcp "Server 3 IP" 21 "Server 3 external IP" 21 extendable
ip nat inside source static tcp "Server 3 IP" 135 "Server 3 external IP" 135 extendable
ip nat inside source static tcp "Server 3 IP" 1025 "Server 3 external IP" 1025 extendable
ip nat inside source static tcp "Server 3 IP" 5001 "Server 3 external IP" 5001 extendable
ip classless
ip route "Internet Provider IP"
ip http server
ip pim bidir-enable
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
radius-server host "Server 1 IP" auth-port 1645 acct-port 1646
radius-server retransmit 5
radius-server key radius
line con 0
 password ******
line aux 0
 modem Dialin
 autoselect during-login
 autoselect ppp
 speed 38400
 flowcontrol hardware
line vty 0 4
 password ******

1. First I am not responsible for everything on this router.  I did not do any of the "crypto" setup above and I really don't know anything about it.
Should I remove the "crypto map VPNmap" from async5?

2. Another question I had was on authentication.  Here we have it setup to use a Radius server.  Is this config going to mess up my dial-in?
Should I change the aaa authentication ppp default group RADIUS01 to local?

3. Will the two autoselect statements under the line aux setting affect my dial-in?

4. I'm assuming to test I can just change my computer name to "My PC Name" and set my IP to x.x.x.250 and then just use Windows software to dial-in

5. Are there any other obvious problems?  Or something I might be forgetting?

I can't test the setup until everyone leaves at five so I figured I would get as much ironed out beforehand.  Thanks for the help guys and I will be upping the points for all the effort.
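Question 5 above ("any other obvious problems?") is the kind of thing a small config review script answers consistently. The following is an added example, not code from this thread or from Cisco: it parses an abridged, constructed copy of the posted configuration (same placeholders as on the page) into global lines and stanzas, and reports the weaknesses that are visible in it, namely `no service password-encryption`, a clear-text `enable password` next to the `enable secret`, a six-character RADIUS shared secret, the HTTP server left on, and a `permit ip any any` ACL driving the dialer-list so the idle-timeout is never reached. It also checks that any PPP async interface authenticates with CHAP and that a dial-in AUX line sits under `aaa new-model`. The `lint` and `finding_codes` names and the finding codes are this example's own.

```python
import re

# Constructed, abridged router config in the style of the one posted above.
# The page's own placeholders such as "Server 1 IP" are kept as-is.
SAMPLE_CONFIG = """\
version 12.2
no service password-encryption
hostname rtr
aaa new-model
aaa authentication login default group RADIUS01
aaa authentication ppp default group RADIUS01
enable secret *********
enable password ************
interface Async5
 ip unnumbered FastEthernet0
 encapsulation ppp
 dialer in-band
 dialer-group 1
 ppp authentication chap
ip http server
access-list 100 permit ip any any
dialer-list 1 protocol ip list 100
radius-server host "Server 1 IP" auth-port 1645 acct-port 1646
radius-server key radius
line aux 0
 modem Dialin
 autoselect ppp
 speed 38400
line vty 0 4
 password ******
"""

STANZA_PREFIXES = ("interface ", "line ", "router ", "ip dhcp pool ", "crypto ", "aaa group ")


def parse_sections(text):
    """Split an IOS-style config into top-level lines and indented stanzas.

    Returns (global_lines, stanzas); stanzas maps a header such as
    'interface Async5' to the list of its indented sub-lines."""
    global_lines, stanzas, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
            continue
        line = raw.strip()
        global_lines.append(line)
        current = line if line.startswith(STANZA_PREFIXES) else None
        if current:
            stanzas[current] = []
    return global_lines, stanzas


def lint(text, min_key_len=16):
    """Return a list of (code, message) findings for common dial-in config weaknesses."""
    g, stanzas = parse_sections(text)
    findings = []
    if "no service password-encryption" in g:
        findings.append(("PWD-ENC", "service password-encryption is off: line and enable "
                                    "passwords sit in clear text in the config"))
    if any(l.startswith("enable password ") for l in g):
        findings.append(("ENABLE-PWD", "'enable password' is set alongside 'enable secret'; "
                                       "it is stored reversibly, remove it"))
    if "ip http server" in g:
        findings.append(("HTTP", "HTTP management server is enabled; disable it or "
                                 "restrict it with an access-class"))
    for l in g:
        m = re.match(r"radius-server key (\S+)$", l)
        if m and len(m.group(1)) < min_key_len:
            findings.append(("RADIUS-KEY", f"RADIUS shared secret is only {len(m.group(1))} "
                                           f"characters; use a long random secret"))
    # An ACL that permits everything, referenced by a dialer-list, makes every packet
    # 'interesting', so the dialer idle-timeout keeps being reset.
    open_acls = set()
    for l in g:
        m = re.match(r"access-list (\d+) permit ip any any$", l)
        if m:
            open_acls.add(m.group(1))
    for l in g:
        m = re.match(r"dialer-list \d+ protocol ip list (\d+)$", l)
        if m and m.group(1) in open_acls:
            findings.append(("DIALER-ANY", f"dialer-list references ACL {m.group(1)} "
                                           f"(permit ip any any); idle-timeout is never reached"))
    # Every PPP async interface should authenticate the peer with CHAP, not PAP or nothing.
    for hdr, body in stanzas.items():
        if hdr.startswith("interface Async") and "encapsulation ppp" in body:
            auth = [b for b in body if b.startswith("ppp authentication ")]
            if not auth or "chap" not in auth[0]:
                findings.append(("PPP-AUTH", f"{hdr}: PPP peer authentication is missing or not CHAP"))
    # A dial-in AUX line needs AAA so that the login/ppp method lists apply to it.
    for hdr, body in stanzas.items():
        if hdr.startswith("line aux") and "modem Dialin" in body and "aaa new-model" not in g:
            findings.append(("AUX-AAA", f"{hdr}: modem dial-in enabled without 'aaa new-model'"))
    return findings


def finding_codes(text):
    """Convenience wrapper: just the set of finding codes for a config."""
    return {code for code, _ in lint(text)}


if __name__ == "__main__":
    for code, msg in lint(SAMPLE_CONFIG):
        print(f"{code:11s} {msg}")
```

The checks are deliberately string-level rather than a full IOS grammar; that is enough to catch the items above in a `show running-config` dump and is easy to extend with one more `if` per rule.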
