We help IT Professionals succeed at work.

Cisco 837 VPN EzVPN Security

gpshute
gpshute asked
on
2,894 Views
Last Modified: 2008-01-09
I use Cisco 837 routers to connect to a Cisco VPN concentrator.
The cisco 837 has four switch/ethernet ports.
I would like to make one of the ports able to use the VPN tunnel, but the 3 remaining ports just internet access.
This is to avoid home users machines having access to the corporate VPN, but one port should be anabled for this purpose.
I was hoping to avoid implementing 802.1x IBNS.
Can anybody think of a way to do this using Vlans or access lists? Any advice appreciated.

Here is a sample configuration:

Current configuration : 10689 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gfd-c837-rkmeera
!
memory-size iomem 5
logging queue-limit 100
logging buffered 52000 debugging
logging console informational
enable secret <Removed>
!
username gpshute privilege 15  <Removed>
username gfdtech password 7  <Removed>
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
aaa new-model
!
!
aaa authentication login NO_AUTHEN local
aaa authentication login AUTHEN group tacacs+ local
aaa authorization exec NO_AUTHOR none
aaa authorization exec AUTHOR group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 1 AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization commands 15 AUTHOR group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
ip subnet-zero
no ip source-route
ip tftp source-interface Ethernet0
ip domain name internal.uop.com
ip name-server 194.74.65.69
ip name-server 194.72.9.38
ip name-server  <Removed>
ip name-server  <Removed>
ip dhcp excluded-address 172.30.1.33
!
ip dhcp pool CLIENT
   import all
   network 172.30.1.32 255.255.255.248
   default-router 172.30.1.33
   dns-server  <Removed>
   netbios-name-server  <Removed>
   domain-name  <Removed>
   lease 0 2
!
!
ip cef
ip inspect name IOSFW tcp timeout 3600
ip inspect name IOSFW udp timeout 15
ip inspect name IOSFW ftp timeout 3600
ip inspect name IOSFW smtp timeout 3600
ip inspect name IOSFW tftp timeout 30
ip inspect name IOSFW http
ip inspect name IOSFW realaudio timeout 3600
ip inspect name IOSFW cuseeme timeout 3600
ip inspect name IOSFW rcmd timeout 3600
ip inspect name IOSFW h323 timeout 3600
ip inspect name IOSFW streamworks timeout 3600
ip inspect name IOSFW vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 group 2
 lifetime 3600
crypto isakmp key 0 $ecret address  <Removed>
crypto isakmp key 0 $ecret address  <Removed>
crypto isakmp key 0 $ecret address  <Removed>
crypto isakmp key 0 $ecret address  <Removed>
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
!
!
crypto ipsec client ezvpn uop
 connect auto
 group  <Removed> key 0  <Removed>
 mode network-extension
 peer  <Removed>
 peer  <Removed>
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface Ethernet0
 description $FW_INSIDE$
 ip address 172.30.1.33 255.255.255.248
 ip access-group 122 out
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 no cdp enable
 crypto ipsec client ezvpn uop inside
 hold-queue 100 out
!
interface ATM0
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip route-cache flow
 no ip mroute-cache
 atm vc-per-vp 64
 no atm ilmi-keepalive
 pvc 0/38
  encapsulation aal5mux ppp dialer
  dialer pool-member 1
 !
 dsl operating-mode auto
!
interface Dialer1
 description $FW_OUTSIDE$
 ip address negotiated
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect IOSFW out
 encapsulation ppp
 ip route-cache flow
 no ip mroute-cache
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname  <Removed>
 ppp chap password 7  <Removed>
 ppp pap sent-username  <Removed>
 ppp ipcp dns request
 ppp ipcp wins request
 crypto ipsec client ezvpn uop
 hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip tacacs source-interface Ethernet0
ip http server
ip http access-class 1
ip http secure-server
!
logging trap notifications
logging origin-id hostname
logging facility local6
logging source-interface Ethernet0
logging  <Removed>
access-list 1 remark SDM_ACL Category=17
access-list 1 permit  <Removed>
access-list 1 permit  <Removed>
access-list 1 permit  <Removed>
access-list 1 permit  <Removed>
access-list 1 permit  <Removed>
access-list 1 permit 172.30.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=17
access-list 101 remark Auto generated by SDM for NTP (123) 192.36.143.150
access-list 101 permit udp host  <Removed> eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) uop
access-list 101 permit udp host  <Removed> any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) uop
access-list 101 permit udp host  <Removed> any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) uop
access-list 101 permit udp host  <Removed> any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) uop
access-list 101 permit esp host  <Removed> any
access-list 101 remark Auto generated by SDM for EzVPN (esp) uop
access-list 101 permit ahp host  <Removed> any
access-list 101 permit udp host  <Removed> any eq 10000
access-list 101 permit udp host  <Removed> any eq non500-isakmp
access-list 101 permit udp host  <Removed> any eq isakmp
access-list 101 permit ahp host  <Removed> any
access-list 101 permit udp host  <Removed> eq isakmp any eq isakmp
access-list 101 permit udp host  <Removed> eq non500-isakmp any eq non500-isakmp
access-list 101 permit esp host  <Removed> any
access-list 101 permit tcp host  <Removed> any eq 22
access-list 101 permit tcp host  <Removed> any eq 22
access-list 101 permit tcp host  <Removed> any eq 22
access-list 101 permit tcp host  <Removed> any eq 22
access-list 101 permit ip  <Removed> 0.0.255.255 any
access-list 101 permit ip 172.30.0.0 0.0.255.255 any
access-list 101 remark Allow Ping
access-list 101 permit icmp any any echo-reply
access-list 102 permit udp any host 172.30.1.33 eq bootps
access-list 102 permit ip 172.30.1.32 0.0.0.7 any
access-list 102 permit icmp any any
access-list 102 deny   ip any any log
access-list 122 deny   tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
tacacs-server host  <Removed> single-connection port 49 timeout 30 key  <Removed>
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key  <Removed>
snmp-server community  <Removed> RO
snmp-server trap-source Ethernet0
snmp-server location Ray Reerabeau's House
snmp-server contact Graham Shute
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps pppoe
snmp-server enable traps rtr
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps atm subif
snmp-server enable traps entity
snmp-server enable traps syslog
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 138.90.235.31 apstndp
radius-server authorization permit missing Service-Type
banner exec ^C
             
Connected to $(hostname).$(domain) Via line $(line) $(line-desc)
^C
banner login ^CBanner installed by SDM^C
banner motd ^C
^C
!
line con 0
 exec-timeout 120 0
 privilege level 15
 no modem enable
 stopbits 1
line aux 0
 privilege level 15
 stopbits 1
line vty 0 2
 access-class 1 in
 exec-timeout 120 0
 privilege level 15
 authorization commands 1 AUTHOR
 authorization commands 15 AUTHOR
 authorization exec AUTHOR
 login authentication AUTHEN
 length 0
 transport preferred ssh
 transport input ssh
line vty 3 4
 access-class 1 in
 exec-timeout 120 0
 authorization commands 1 AUTHOR
 authorization commands 15 AUTHOR
 authorization exec AUTHOR
 login authentication AUTHEN
 length 0
 transport preferred ssh
 transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 192.36.143.150
!
end


Comment
Watch Question

CERTIFIED EXPERT
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.