Cisco 837 as VPN Server

Posted on 2004-09-05
662 Views
Last Modified: 2011-08-18
Hi

I have been running a Cisco 837 router as my internal network gateway for about 6 months now and it is rock solid - unlike the Draytek 2600 I had previously!

Whilst I've been very pleased with the 837 I am new to Cisco so I want to make sure that if I'm recommending the 837 to my clients I understand what is free and what costs money.

I managed to install SDM to replace CWRS and have IOS 12.2 (14.5)T installed. I registered with Cisco's website and have limited access to a few protected resources it would appear.

Specifically, I would like to understand about upgrades to IOS, support for configuration problems etc. Finally, I am using NAT on the existing 837 with VPN passthrough to Windows 2003 Server running RRAS as a VPN endpoint. Some of my clients run Windows workgroups (no server) and so I'd like to know how good the 837 is acting as a VPN endpoint itself. How do VPN clients get authorised without RADIUS? Also, is it necessary to use Cisco's Easy VPN Client software or can I use Windows 2000 / XP Professional as the client?

thanks

Rob
Question by:WebAdviser
4 Comments
 
Expert Comment

by:lrmoore
ID: 11986440
The 837 can easily act as an endpoint itself, but you will need an upgrade to the IOS to add the IPSEC feature set.
You can use Win2K or XP L2TP/IPsec policies to connect to the 837 router, but again, you need the (extra cost) IPsec feature set.

How do VPN clients get authorized without RADIUS?
Easy enough with a simple group name and pre-shared key.
It is not necessary to use any 3rd party software.
 

Author Comment

by:WebAdviser
ID: 11987205
Thanks lrmoore.

I understand the group name and pre-shared key concept but what happens when the remote (VPN) user wants to connect to a network resource - say a share? With the setups I've been used to the remote user connects to the VPN server using their Windows login details via RRAS (VPN passthrough on 837) and then obviously once authenticated they have access to all network resources as if they were logged on "locally" (ie on the LAN without VPN).

Also, can you shed any light on IOS upgrades and support please?

thanks again

Rob
 
Accepted Solution

by:
lrmoore earned 500 total points
ID: 11992779
Unfortunately, because the VPN connection is simply a network access and is not a Microsoft client, you must have another way to authenticate. Traditionally, this is done using the (Cisco) VPN Client functions of "start before logon" and the user then gets authenticated in the domain at logon (assuming their PC has joined the domain at one point).
If using IPsec policies, the policy would have to be set up to be enabled before a user logs in, and then the user logs into the PC with their domain credentials.
Otherwise, every domain resource will present a username/password challenge. The user will be prompted for a domain username and password to connect to resources.
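As an added example (not part of the original thread or lrmoore's comments), the following is the shape of an IOS Easy VPN server configuration on an 837-class router running a crypto (IPsec feature set) image, showing both points above: the shared group name and pre-shared key, and the per-user Xauth login against the router's local database, so no RADIUS server is needed. All names (VPNCLIENTS, VPNPOOL, CLIENTMAP, DYNMAP, ESP-3DES-SHA, the user "rob", the 10.99.0.0/24 client pool and the 192.168.1.0/24 office LAN) are assumptions chosen for illustration; the NAT exemption at the end assumes the router is already doing NAT overload on Dialer1, as the question describes.

```cisco
! Added example: Easy VPN (IPsec) remote-access server on an 837-class IOS router.
! All names and addresses below are illustrative assumptions.

aaa new-model
! Xauth user accounts and the group definition come from the router's local
! database, so no RADIUS server is required.
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username rob secret <per-user-xauth-password>

! IKE phase 1: pre-shared key, 3DES/SHA-1, DH group 2 (what 12.2T-era clients offer).
crypto isakmp policy 10
 encr 3des
 hash sha
 authentication pre-share
 group 2

! The Easy VPN "group": one name and one pre-shared key shared by every client.
crypto isakmp client configuration group VPNCLIENTS
 key <group-pre-shared-key>
 pool VPNPOOL
 acl 101

! Addresses handed out to connected clients.
ip local pool VPNPOOL 10.99.0.1 10.99.0.50

! Split-tunnel policy: only traffic to the office LAN is sent through the tunnel.
access-list 101 permit ip 192.168.1.0 0.0.0.255 any

! IKE phase 2 proposal and the dynamic crypto map that accepts any client peer.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map DYNMAP 10
 set transform-set ESP-3DES-SHA
 reverse-route

! Tie group authorization (group name + key) and per-user Xauth to the crypto map.
crypto map CLIENTMAP client authentication list VPN-USERS
crypto map CLIENTMAP isakmp authorization list VPN-GROUPS
crypto map CLIENTMAP client configuration address respond
crypto map CLIENTMAP 10 ipsec-isakmp dynamic DYNMAP

! Apply to the Internet-facing interface (the ADSL PPPoE/PPPoA dialer on an 837).
interface Dialer1
 crypto map CLIENTMAP

! Keep LAN-to-client traffic out of the existing NAT overload: the deny line must
! come before the permit, or replies to VPN clients are translated and the tunnel
! appears to pass traffic one way only.
ip nat inside source list 102 interface Dialer1 overload
access-list 102 deny   ip 192.168.1.0 0.0.0.255 10.99.0.0 0.0.0.255
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
```

Two things worth noting about this design. The group key is shared by every client, so it is the Xauth username and password that actually identifies a user; those are router-local accounts, separate from the Windows logon, which is exactly why a Windows share behind the tunnel will still challenge for domain or workgroup credentials unless the client-side logon is arranged as described above. And the group-PSK exchange is IKEv1 aggressive mode, so the pre-shared key should be treated as a secret of the same weight as the user passwords and rotated if a client machine is lost.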
 

Author Comment

by:WebAdviser
ID: 11994233
Thanks lrmoore for your detailed comments.

I take your points regarding domain authentication - I'll need to think on these...

A few things spring to mind:

1) Where the remote network (running VPN Server) is on a Windows domain then I guess I would use the Cisco RADIUS client to authenticate against the user account or use VPN passthrough and use RRAS

2) If the remote network is part of a Windows workgroup (rather than domain) then this is where I would like to make the most of the Cisco 837. In a workgroup scenario I obviously logon to the workstation/laptop as a local user (logon locally). Those credentials need to be held in each network resource's own user database (e.g. for a share on another workstation or file server) as there is no central domain controller obviously. Assuming that I can successfully open a VPN tunnel using whatever protocol via the remote network's VPN Server then wouldn't the credentials I logged on to the local machine with be used when the challenge/response handshaking is initiated?

3) Taking 2) a stage further then with Windows XP Pro and Windows 2000 Pro there is no need for a domain controller to be available at logon as credentials are cached on the local machine. When a domain controller does become available (for example where a VPN tunnel is established after logon using cached credentials) then again wouldn't those credentials be used to access remote network resources and wouldn't this be successful?

Sorry about the lengthy response but this has been going round in my head for a while now and I feel I'm getting somewhere nearer to a full understanding of the situation.

Further comments very welcome!

regards

Rob