
Cisco 831 VPN and Basic NAT setup

I have a basic router configuration problem. I generally work with a PIX, so I am a bit thrown off by how the commands apply in the router environment.

I want to set up a basic one to many NAT with IPSEC VPN for access to the internal network.

I have a single routable address on interface1 and a non-routable address on interface0, with a /24 non-routable subnet behind it. (Very basic)

I have successfully set up the VPN and can connect using the cisco client.

However, the way that it is set up, the NAT does not seem to be configured properly, as the routable subnet can hit anything on the inside without the VPN being established.

I need to accomplish the following:

1) Provide internet access for the internal subnet via NAT.

2) Prevent unauthorized access to the internal subnet (with the exception for the VPN clients)

I surmise that it's all about access lists, but for some reason I am not getting my head around it.

Please straighten me out.

The config:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FPC831rt
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$Xsaz$JTxZg316vIq6sNTQ8RbPH/
enable password 7 111D110C191941160124
!
aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa authorization network password local
!
aaa session-id common
!
resource policy
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
ip domain name blazewave.net
no ip bootp server
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username admin password 7 08254942084854
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group password
 key password
 dns 192.168.1.10
 domain fpclaw.nj
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap isakmp authorization list password
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 192.168.1.14 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 ip address xxx.xxx.82.135 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 crypto map dynmap
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet1
 duplex half
 speed auto
!
interface FastEthernet2
 duplex half
 speed auto
!
interface FastEthernet3
 duplex half
 speed auto
!
interface FastEthernet4
 duplex half
 speed auto
!
ip local pool dynpool 192.168.112.10 192.168.112.50
ip route 0.0.0.0 0.0.0.0 xxx.xxx.82.1
!
ip http server
no ip http secure-server
!
!
!
ip access-list extended VPN
 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
snmp-server community whatever RO
no cdp run
!
!
control-plane
!
banner motd ^C Watch yo self fool!!! ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 15160E00057B7A
 login authentication local_auth
 transport input telnet ssh
!
scheduler max-task-time 5000
end


Regards,

P

Asked by: pacman_d
2 Solutions
 
mr_dirtCommented:
You've got part of the right idea.  You've configured "nat inside" and "nat outside" on the correct interfaces.  Your supposition about an ACL is correct, too, but possibly not in the manner you're thinking.

You need to define who is allowed to be NATed, and what type of NAT to apply.  In the simplest scenario, configure an ACL that describes who will be NATed to whom.  You said you want everyone on the e0 subnet to access the whole internet.  Thus, set up, say, ACL 111:

access-list 111 permit ip 192.168.1.0 0.0.0.255 any

This admits any host in your 192.168.1.0/24 net, who is traveling to any destination.

Associate this ACL with the outside interface (e1) and define what type of NAT to use.  This should do the trick:

ip nat inside source list 111 interface ethernet1 overload

That should put you in business.  
0
 
mr_dirtCommented:
BTW, I notice you have the first part of a firewall configured (all those "ip inspect name [blah]" lines).  The NAT should cover most of your security (since your private hosts are using non-routable addresses).  Do you want to use IOS Firewall Inspection?
0
 
pacman_dAuthor Commented:
Hi,

I have applied the NAT statements and it appears that they are doing the trick.

However,

What is still killing me is the connectivity for the VPN clients. I am connecting and getting an IP address on the subnet in the pool (192.168.112.0), but I cannot access the internal subnet from the VPN client.

Now, on a PIX the VPN subnet must be different from the local subnet. Then I would apply global NAT entries and access lists. I am just not getting how to do the same thing here.

HEEELP!!!

Thanks,

P

Current configuration : 3420 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FPC831rt
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$Xsaz$JTxZg316vIq6sNTQ8RbPH/
enable password 7 111D110C191941160124
!
aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa authorization network fpclaw local
!
aaa session-id common
!
resource policy
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
ip domain name blazewave.net
no ip bootp server
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username admin password 7 08254942084854
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group fpclaw
 key *******
 dns 192.168.111.10
 domain ******.nj
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap isakmp authorization list fpclaw
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 192.168.1.14 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 ip address XXX.XXX.82.135 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 crypto map dynmap
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet1
 duplex half
 speed auto
!
interface FastEthernet2
 duplex half
 speed auto
!
interface FastEthernet3
 duplex half
 speed auto
!
interface FastEthernet4
 duplex half
 speed auto
!
ip local pool dynpool 192.168.112.10 192.168.112.50
!
ip http server
no ip http secure-server
!
ip nat inside source list 111 interface Ethernet1 overload
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip 192.168.112.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community fpclaw RO
no cdp run
!
!
control-plane
!
banner motd ^C Watch yo self fool!!! ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 15160E00057B7A
 login authentication local_auth
 transport input telnet ssh
!
scheduler max-task-time 5000
end



0

 
pacman_dAuthor Commented:
Any ideas anyone?


I am still looking for some guidance.

Thanks,

P
0
 
wingateslCommented:
You can try binding your access list for the VPN pool to your outside interface
 
conf t
int eth1
ip access-group 112 in

Shawn
0
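The NAT list suggested earlier in the thread, the VPN-client symptom reported after it was applied, and the `ip access-group 112 in` idea just above all turn on the same thing: how IOS evaluates an access list (in order, first match wins, implicit deny at the end) and where in the packet path that list is consulted. The following Python model is an added example written for this page; it is not code from the thread or from Cisco. It parses `access-list <n> permit|deny ip SRC DST` entries with IOS wildcard semantics and then checks the flows the thread cares about against ACL 111 as posted, against ACL 111 with a NAT exemption for the 192.168.112.0/24 pool, and against ACL 112 used as an inbound interface ACL. The exemption entry is the editor's suggestion, based on IOS applying inside-to-outside NAT before the crypto map; the thread never confirms it. All host addresses are constructed samples, and 192.0.2.135 is only a stand-in for the masked xxx.xxx.82.135.

```python
"""Added example (the editor's own, not code or config from the thread above).

Models how Cisco IOS evaluates a numbered extended ACL: first match wins,
unmatched packets hit the implicit deny.  For an ACL referenced by
`ip nat inside source list 111 ... overload`, "permit" means "translate this
flow" and "deny"/no match means "leave it alone".  Assumptions (mine): only
`access-list <n> permit|deny ip SRC DST` is parsed, with SRC/DST being `any`,
`host A.B.C.D` or `A.B.C.D WILDCARD` (IOS wildcard: a 0 bit must match).
Host addresses are constructed; only the two /24s are the thread's own.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Tuple

@dataclass(frozen=True)
class AclEntry:
    action: str   # "permit" or "deny"
    src: int
    src_wc: int   # wildcard mask: a 1 bit means "don't care"
    dst: int
    dst_wc: int

    def matches(self, src: str, dst: str) -> bool:
        smask, dmask = ~self.src_wc & 0xFFFFFFFF, ~self.dst_wc & 0xFFFFFFFF
        return ((int(IPv4Address(src)) & smask) == (self.src & smask)
                and (int(IPv4Address(dst)) & dmask) == (self.dst & dmask))

def _parse_addr(t: List[str], i: int) -> Tuple[int, int, int]:
    """Parse one address spec at t[i]; return (address, wildcard, next index)."""
    if t[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if t[i] == "host":
        return int(IPv4Address(t[i + 1])), 0, i + 2
    return int(IPv4Address(t[i])), int(IPv4Address(t[i + 1])), i + 2

def parse_acl(config_lines: List[str], number: int) -> List[AclEntry]:
    """Collect, in configuration order, the `ip` entries of numbered ACL `number`."""
    entries = []
    for line in config_lines:
        t = line.split()
        if len(t) < 6 or t[:2] != ["access-list", str(number)] or t[3] != "ip":
            continue  # other ACLs, or protocol-specific entries this model ignores
        src, src_wc, i = _parse_addr(t, 4)
        dst, dst_wc, _ = _parse_addr(t, i)
        entries.append(AclEntry(t[2], src, src_wc, dst, dst_wc))
    return entries

def acl_permits(entries: List[AclEntry], src: str, dst: str) -> bool:
    """First matching entry decides; no match is the implicit deny."""
    for e in entries:
        if e.matches(src, dst):
            return e.action == "permit"
    return False

def nat_action(entries: List[AclEntry], src: str, dst: str) -> str:
    """What `ip nat inside source list` does with an inside->outside packet."""
    return "translate" if acl_permits(entries, src, dst) else "bypass"

# ACL 111 as added in the thread: any LAN source to any destination is
# translated, including packets whose destination is a VPN client.
ACL_AS_POSTED = ["access-list 111 permit ip 192.168.1.0 0.0.0.255 any"]
# Editor's NAT exemption (an assumption; the thread never reaches this): IOS
# applies inside->outside NAT before the crypto map, so LAN replies to VPN
# clients must be left untranslated, and the deny has to precede the permit.
ACL_WITH_EXEMPTION = [
    "access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.112.0 0.0.0.255",
    "access-list 111 permit ip 192.168.1.0 0.0.0.255 any",
]
ACL_EXEMPTION_MISORDERED = list(reversed(ACL_WITH_EXEMPTION))  # deny unreachable
# ACL 112 from the thread, which a later reply suggests binding inbound on Ethernet1.
ACL_112 = ["access-list 112 permit ip 192.168.112.0 0.0.0.255 any"]

LAN_HOST = "192.168.1.50"        # constructed LAN host
VPN_CLIENT = "192.168.112.20"    # constructed address from pool dynpool
INTERNET_HOST = "198.51.100.10"  # constructed (TEST-NET-2) external host
CLIENT_PUBLIC = "203.0.113.7"    # constructed (TEST-NET-3) VPN client public address
ROUTER_PUBLIC = "192.0.2.135"    # constructed stand-in for the masked xxx.xxx.82.135

def nat_decisions(config_lines: List[str]) -> dict:
    """NAT decision for the two flows that matter in the thread, given an ACL 111."""
    acl = parse_acl(config_lines, 111)
    return {"lan_to_internet": nat_action(acl, LAN_HOST, INTERNET_HOST),
            "lan_to_vpn_client": nat_action(acl, LAN_HOST, VPN_CLIENT)}

def access_group_112_inbound() -> dict:
    """An inbound interface ACL sees packets as they arrive on Ethernet1: the
    client's IKE/ESP from its public address and Internet replies to the
    router's public address, neither of which carries a 192.168.112.x source."""
    acl = parse_acl(ACL_112, 112)
    verdict = lambda s, d: "permit" if acl_permits(acl, s, d) else "deny"
    return {"ike_esp_from_client": verdict(CLIENT_PUBLIC, ROUTER_PUBLIC),
            "internet_reply_to_lan": verdict(INTERNET_HOST, ROUTER_PUBLIC),
            "decrypted_client_to_lan": verdict(VPN_CLIENT, LAN_HOST)}

if __name__ == "__main__":
    for name, cfg in [("as posted", ACL_AS_POSTED), ("with exemption", ACL_WITH_EXEMPTION),
                      ("exemption misordered", ACL_EXEMPTION_MISORDERED)]:
        print(f"ACL 111 {name:21} {nat_decisions(cfg)}")
    print("ACL 112 inbound on Ethernet1:", access_group_112_inbound())
```

Running it shows ACL 111 as posted translating LAN-to-VPN-client traffic along with LAN-to-Internet traffic, the exemption leaving the VPN flow untranslated only when the deny is listed first, and ACL 112 applied inbound denying both the client's own IKE/ESP packets and ordinary Internet replies to the router's address while permitting only the already-decrypted client traffic. The same first-match rule is why the exemption has to be the first entry in ACL 111 rather than appended after the permit.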
 
pacman_dAuthor Commented:
Thanks, but no go.

I am surprised that I have received so few suggestions to this post.

This seems to be such a simple scenario.

I am 2 seconds from buying a pix.

Regards,

P
0
 
wingateslCommented:
Just use the SDM and create an "Easy VPN Server". It takes about 3 minutes and it always works. Browse (http://) to your router. Before you do it, though, turn on the preference to show submitted commands so you can see what it does. It is nothing like the PDM (this works).
Shawn
0
 
pacman_dAuthor Commented:
Hi,

I would LOOVE that. I do not, however, have the SDM software and have no Cisco login.

Any ideas on where I can get it?

It says that it is a free download.

Regards,

P
0
 
wingateslCommented:
http://www.cisco.com/go/sdm
When the login comes up enter anonymous and your email address as the password.
Shawn
0
 
