gpshute
asked on
Cisco 837 VPN EzVPN Security
I use Cisco 837 routers to connect to a Cisco VPN concentrator.
The cisco 837 has four switch/ethernet ports.
I would like to make one of the ports able to use the VPN tunnel, but the 3 remaining ports just internet access.
This is to avoid home users machines having access to the corporate VPN, but one port should be anabled for this purpose.
I was hoping to avoid implementing 802.1x IBNS.
Can anybody think of a way to do this using Vlans or access lists? Any advice appreciated.
Here is a sample configuration:
Current configuration : 10689 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gfd-c837-rkmeera
!
memory-size iomem 5
logging queue-limit 100
logging buffered 52000 debugging
logging console informational
enable secret <Removed>
!
username gpshute privilege 15 <Removed>
username gfdtech password 7 <Removed>
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
aaa new-model
!
!
aaa authentication login NO_AUTHEN local
aaa authentication login AUTHEN group tacacs+ local
aaa authorization exec NO_AUTHOR none
aaa authorization exec AUTHOR group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 1 AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization commands 15 AUTHOR group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
ip subnet-zero
no ip source-route
ip tftp source-interface Ethernet0
ip domain name internal.uop.com
ip name-server 194.74.65.69
ip name-server 194.72.9.38
ip name-server <Removed>
ip name-server <Removed>
ip dhcp excluded-address 172.30.1.33
!
ip dhcp pool CLIENT
import all
network 172.30.1.32 255.255.255.248
default-router 172.30.1.33
dns-server <Removed>
netbios-name-server <Removed>
domain-name <Removed>
lease 0 2
!
!
ip cef
ip inspect name IOSFW tcp timeout 3600
ip inspect name IOSFW udp timeout 15
ip inspect name IOSFW ftp timeout 3600
ip inspect name IOSFW smtp timeout 3600
ip inspect name IOSFW tftp timeout 30
ip inspect name IOSFW http
ip inspect name IOSFW realaudio timeout 3600
ip inspect name IOSFW cuseeme timeout 3600
ip inspect name IOSFW rcmd timeout 3600
ip inspect name IOSFW h323 timeout 3600
ip inspect name IOSFW streamworks timeout 3600
ip inspect name IOSFW vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
lifetime 3600
crypto isakmp key 0 $ecret address <Removed>
crypto isakmp key 0 $ecret address <Removed>
crypto isakmp key 0 $ecret address <Removed>
crypto isakmp key 0 $ecret address <Removed>
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
!
!
crypto ipsec client ezvpn uop
connect auto
group <Removed> key 0 <Removed>
mode network-extension
peer <Removed>
peer <Removed>
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $FW_INSIDE$
ip address 172.30.1.33 255.255.255.248
ip access-group 122 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no cdp enable
crypto ipsec client ezvpn uop inside
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect IOSFW out
encapsulation ppp
ip route-cache flow
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <Removed>
ppp chap password 7 <Removed>
ppp pap sent-username <Removed>
ppp ipcp dns request
ppp ipcp wins request
crypto ipsec client ezvpn uop
hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip tacacs source-interface Ethernet0
ip http server
ip http access-class 1
ip http secure-server
!
logging trap notifications
logging origin-id hostname
logging facility local6
logging source-interface Ethernet0
logging <Removed>
access-list 1 remark SDM_ACL Category=17
access-list 1 permit <Removed>
access-list 1 permit <Removed>
access-list 1 permit <Removed>
access-list 1 permit <Removed>
access-list 1 permit <Removed>
access-list 1 permit 172.30.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=17
access-list 101 remark Auto generated by SDM for NTP (123) 192.36.143.150
access-list 101 permit udp host <Removed> eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) uop
access-list 101 permit udp host <Removed> any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) uop
access-list 101 permit udp host <Removed> any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) uop
access-list 101 permit udp host <Removed> any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) uop
access-list 101 permit esp host <Removed> any
access-list 101 remark Auto generated by SDM for EzVPN (esp) uop
access-list 101 permit ahp host <Removed> any
access-list 101 permit udp host <Removed> any eq 10000
access-list 101 permit udp host <Removed> any eq non500-isakmp
access-list 101 permit udp host <Removed> any eq isakmp
access-list 101 permit ahp host <Removed> any
access-list 101 permit udp host <Removed> eq isakmp any eq isakmp
access-list 101 permit udp host <Removed> eq non500-isakmp any eq non500-isakmp
access-list 101 permit esp host <Removed> any
access-list 101 permit tcp host <Removed> any eq 22
access-list 101 permit tcp host <Removed> any eq 22
access-list 101 permit tcp host <Removed> any eq 22
access-list 101 permit tcp host <Removed> any eq 22
access-list 101 permit ip <Removed> 0.0.255.255 any
access-list 101 permit ip 172.30.0.0 0.0.255.255 any
access-list 101 remark Allow Ping
access-list 101 permit icmp any any echo-reply
access-list 102 permit udp any host 172.30.1.33 eq bootps
access-list 102 permit ip 172.30.1.32 0.0.0.7 any
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
tacacs-server host <Removed> single-connection port 49 timeout 30 key <Removed>
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key <Removed>
snmp-server community <Removed> RO
snmp-server trap-source Ethernet0
snmp-server location Ray Reerabeau's House
snmp-server contact Graham Shute
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps pppoe
snmp-server enable traps rtr
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps atm subif
snmp-server enable traps entity
snmp-server enable traps syslog
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 138.90.235.31 apstndp
radius-server authorization permit missing Service-Type
banner exec ^C
Connected to $(hostname).$(domain) Via line $(line) $(line-desc)
^C
banner login ^CBanner installed by SDM^C
banner motd ^C
^C
!
line con 0
exec-timeout 120 0
privilege level 15
no modem enable
stopbits 1
line aux 0
privilege level 15
stopbits 1
line vty 0 2
access-class 1 in
exec-timeout 120 0
privilege level 15
authorization commands 1 AUTHOR
authorization commands 15 AUTHOR
authorization exec AUTHOR
login authentication AUTHEN
length 0
transport preferred ssh
transport input ssh
line vty 3 4
access-class 1 in
exec-timeout 120 0
authorization commands 1 AUTHOR
authorization commands 15 AUTHOR
authorization exec AUTHOR
login authentication AUTHEN
length 0
transport preferred ssh
transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 192.36.143.150
!
end
The cisco 837 has four switch/ethernet ports.
I would like to make one of the ports able to use the VPN tunnel, but the 3 remaining ports just internet access.
This is to avoid home users machines having access to the corporate VPN, but one port should be anabled for this purpose.
I was hoping to avoid implementing 802.1x IBNS.
Can anybody think of a way to do this using Vlans or access lists? Any advice appreciated.
Here is a sample configuration:
Current configuration : 10689 bytes
!
version 12.2
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname gfd-c837-rkmeera
!
memory-size iomem 5
logging queue-limit 100
logging buffered 52000 debugging
logging console informational
enable secret <Removed>
!
username gpshute privilege 15 <Removed>
username gfdtech password 7 <Removed>
clock timezone GMT 0
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 1:00
aaa new-model
!
!
aaa authentication login NO_AUTHEN local
aaa authentication login AUTHEN group tacacs+ local
aaa authorization exec NO_AUTHOR none
aaa authorization exec AUTHOR group tacacs+ if-authenticated
aaa authorization commands 1 NO_AUTHOR none
aaa authorization commands 1 AUTHOR group tacacs+ if-authenticated
aaa authorization commands 15 NO_AUTHOR none
aaa authorization commands 15 AUTHOR group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa session-id common
ip subnet-zero
no ip source-route
ip tftp source-interface Ethernet0
ip domain name internal.uop.com
ip name-server 194.74.65.69
ip name-server 194.72.9.38
ip name-server <Removed>
ip name-server <Removed>
ip dhcp excluded-address 172.30.1.33
!
ip dhcp pool CLIENT
import all
network 172.30.1.32 255.255.255.248
default-router 172.30.1.33
dns-server <Removed>
netbios-name-server <Removed>
domain-name <Removed>
lease 0 2
!
!
ip cef
ip inspect name IOSFW tcp timeout 3600
ip inspect name IOSFW udp timeout 15
ip inspect name IOSFW ftp timeout 3600
ip inspect name IOSFW smtp timeout 3600
ip inspect name IOSFW tftp timeout 30
ip inspect name IOSFW http
ip inspect name IOSFW realaudio timeout 3600
ip inspect name IOSFW cuseeme timeout 3600
ip inspect name IOSFW rcmd timeout 3600
ip inspect name IOSFW h323 timeout 3600
ip inspect name IOSFW streamworks timeout 3600
ip inspect name IOSFW vdolive timeout 3600
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
group 2
lifetime 3600
crypto isakmp key 0 $ecret address <Removed>
crypto isakmp key 0 $ecret address <Removed>
crypto isakmp key 0 $ecret address <Removed>
crypto isakmp key 0 $ecret address <Removed>
!
!
crypto ipsec transform-set cisco esp-3des esp-md5-hmac
!
!
!
crypto ipsec client ezvpn uop
connect auto
group <Removed> key 0 <Removed>
mode network-extension
peer <Removed>
peer <Removed>
!
!
!
!
!
interface Null0
no ip unreachables
!
interface Ethernet0
description $FW_INSIDE$
ip address 172.30.1.33 255.255.255.248
ip access-group 122 out
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
no cdp enable
crypto ipsec client ezvpn uop inside
hold-queue 100 out
!
interface ATM0
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
no ip mroute-cache
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
dsl operating-mode auto
!
interface Dialer1
description $FW_OUTSIDE$
ip address negotiated
ip access-group 101 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip inspect IOSFW out
encapsulation ppp
ip route-cache flow
no ip mroute-cache
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname <Removed>
ppp chap password 7 <Removed>
ppp pap sent-username <Removed>
ppp ipcp dns request
ppp ipcp wins request
crypto ipsec client ezvpn uop
hold-queue 224 in
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer1
ip tacacs source-interface Ethernet0
ip http server
ip http access-class 1
ip http secure-server
!
logging trap notifications
logging origin-id hostname
logging facility local6
logging source-interface Ethernet0
logging <Removed>
access-list 1 remark SDM_ACL Category=17
access-list 1 permit <Removed>
access-list 1 permit <Removed>
access-list 1 permit <Removed>
access-list 1 permit <Removed>
access-list 1 permit <Removed>
access-list 1 permit 172.30.1.0 0.0.0.255
access-list 101 remark SDM_ACL Category=17
access-list 101 remark Auto generated by SDM for NTP (123) 192.36.143.150
access-list 101 permit udp host <Removed> eq ntp any eq ntp
access-list 101 remark Auto generated by SDM for EzVPN (udp-10000) uop
access-list 101 permit udp host <Removed> any eq 10000
access-list 101 remark Auto generated by SDM for EzVPN (non500-isakmp) uop
access-list 101 permit udp host <Removed> any eq non500-isakmp
access-list 101 remark Auto generated by SDM for EzVPN (isakmp) uop
access-list 101 permit udp host <Removed> any eq isakmp
access-list 101 remark Auto generated by SDM for EzVPN (ahp) uop
access-list 101 permit esp host <Removed> any
access-list 101 remark Auto generated by SDM for EzVPN (esp) uop
access-list 101 permit ahp host <Removed> any
access-list 101 permit udp host <Removed> any eq 10000
access-list 101 permit udp host <Removed> any eq non500-isakmp
access-list 101 permit udp host <Removed> any eq isakmp
access-list 101 permit ahp host <Removed> any
access-list 101 permit udp host <Removed> eq isakmp any eq isakmp
access-list 101 permit udp host <Removed> eq non500-isakmp any eq non500-isakmp
access-list 101 permit esp host <Removed> any
access-list 101 permit tcp host <Removed> any eq 22
access-list 101 permit tcp host <Removed> any eq 22
access-list 101 permit tcp host <Removed> any eq 22
access-list 101 permit tcp host <Removed> any eq 22
access-list 101 permit ip <Removed> 0.0.255.255 any
access-list 101 permit ip 172.30.0.0 0.0.255.255 any
access-list 101 remark Allow Ping
access-list 101 permit icmp any any echo-reply
access-list 102 permit udp any host 172.30.1.33 eq bootps
access-list 102 permit ip 172.30.1.32 0.0.0.7 any
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 122 deny tcp any any eq telnet
access-list 122 permit ip any any
dialer-list 1 protocol ip permit
no cdp run
tacacs-server host <Removed> single-connection port 49 timeout 30 key <Removed>
tacacs-server timeout 10
tacacs-server directed-request
tacacs-server key <Removed>
snmp-server community <Removed> RO
snmp-server trap-source Ethernet0
snmp-server location Ray Reerabeau's House
snmp-server contact Graham Shute
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps pppoe
snmp-server enable traps rtr
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps atm subif
snmp-server enable traps entity
snmp-server enable traps syslog
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host 138.90.235.31 apstndp
radius-server authorization permit missing Service-Type
banner exec ^C
Connected to $(hostname).$(domain) Via line $(line) $(line-desc)
^C
banner login ^CBanner installed by SDM^C
banner motd ^C
^C
!
line con 0
exec-timeout 120 0
privilege level 15
no modem enable
stopbits 1
line aux 0
privilege level 15
stopbits 1
line vty 0 2
access-class 1 in
exec-timeout 120 0
privilege level 15
authorization commands 1 AUTHOR
authorization commands 15 AUTHOR
authorization exec AUTHOR
login authentication AUTHEN
length 0
transport preferred ssh
transport input ssh
line vty 3 4
access-class 1 in
exec-timeout 120 0
authorization commands 1 AUTHOR
authorization commands 15 AUTHOR
authorization exec AUTHOR
login authentication AUTHEN
length 0
transport preferred ssh
transport input ssh
!
scheduler max-task-time 5000
scheduler interval 500
sntp server 192.36.143.150
!
end
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.