pacman_d asked:
Cisco 831 VPN and Basic NAT setup

I have a basic router configuration problem. I generally work with a PIX, so I am a bit thrown off with how the commands apply in the router environment.

I want to set up a basic one to many NAT with IPSEC VPN for access to the internal network.

I have a single routable address on interface1, I have a non routable on interface0 behind it a /24 non routable subnet. (Very basic)

I have successfully set up the VPN and can connect using the cisco client.

However, the way that it is set up, the NAT does not seem to be configured properly, as the routable subnet can hit anything on the inside without the VPN being established.

I need to accomplish the following:

1) Provide internet access for the internal subnet via NAT.

2) Prevent unauthorized access to the internal subnet (with the exception for the VPN clients)

I surmise that it's all about access lists, but for some reason I am not getting my head around it.

Please straighten me out.

The config:

!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FPC831rt
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$Xsaz$JTxZg316vIq6sNTQ8RbPH/
enable password 7 111D110C191941160124
!
aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa authorization network password local
!
aaa session-id common
!
resource policy
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
ip domain name blazewave.net
no ip bootp server
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username admin password 7 08254942084854
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group password
 key password
 dns 192.168.1.10
 domain fpclaw.nj
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap isakmp authorization list password
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 192.168.1.14 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 ip address xxx.xxx.82.135 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 crypto map dynmap
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet1
 duplex half
 speed auto
!
interface FastEthernet2
 duplex half
 speed auto
!
interface FastEthernet3
 duplex half
 speed auto
!
interface FastEthernet4
 duplex half
 speed auto
!
ip local pool dynpool 192.168.112.10 192.168.112.50
ip route 0.0.0.0 0.0.0.0 xxx.xxx.82.1
!
ip http server
no ip http secure-server
!
!
!
ip access-list extended VPN
 permit ip 0.0.0.0 255.255.255.0 0.0.0.0 255.255.255.0
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
dialer-list 1 protocol ip permit
snmp-server community whatever RO
no cdp run
!
!
control-plane
!
banner motd ^C Watch yo self fool!!! ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 15160E00057B7A
 login authentication local_auth
 transport input telnet ssh
!
scheduler max-task-time 5000
end


Regards,

P

ASKER CERTIFIED SOLUTION (mr_dirt)

mr_dirt:

BTW, I notice you have the first part of a firewall configured (all those "ip inspect name [blah]" lines). The NAT should cover most of your security (since your private hosts are using non-routable addresses). Do you want to use IOS Firewall Inspection?
pacman_d (asker):

Hi,

I have applied the NAT statements and it appears that they are doing the trick.

However,

What is still killing me is the connectivity for the VPN clients. I am connecting and getting the ip address on the subnet in the pool (192.168.112.0) but I cannot access the internal subnet from the vpn client.

Now on a PIX the VPN subnet must be different from the local subnet. Then I would apply global NAT entries and access lists. I am just not getting how to do the same thing here.

HEEELP!!!

Thanks,

P

Current configuration : 3420 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname FPC831rt
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 10 log
security passwords min-length 6
logging console critical
enable secret 5 $1$Xsaz$JTxZg316vIq6sNTQ8RbPH/
enable password 7 111D110C191941160124
!
aaa new-model
!
!
aaa authorization network hw-client-groupname local
aaa authorization network fpclaw local
!
aaa session-id common
!
resource policy
!
no ip source-route
no ip gratuitous-arps
!
!
!
!
ip cef
ip domain name blazewave.net
no ip bootp server
ip inspect audit-trail
ip inspect udp idle-time 1800
ip inspect dns-timeout 7
ip inspect tcp idle-time 14400
ip inspect name autosec_inspect cuseeme timeout 3600
ip inspect name autosec_inspect ftp timeout 3600
ip inspect name autosec_inspect http timeout 3600
ip inspect name autosec_inspect rcmd timeout 3600
ip inspect name autosec_inspect realaudio timeout 3600
ip inspect name autosec_inspect smtp timeout 3600
ip inspect name autosec_inspect tftp timeout 30
ip inspect name autosec_inspect udp timeout 15
ip inspect name autosec_inspect tcp timeout 3600
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
!
username admin password 7 08254942084854
!
!
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group fpclaw
 key *******
 dns 192.168.111.10
 domain ******.nj
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap isakmp authorization list fpclaw
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0
 ip address 192.168.1.14 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet1
 ip address XXX.XXX.82.135 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 duplex auto
 crypto map dynmap
!
interface Ethernet2
 no ip address
 no ip redirects
 no ip unreachables
 no ip proxy-arp
!
interface FastEthernet1
 duplex half
 speed auto
!
interface FastEthernet2
 duplex half
 speed auto
!
interface FastEthernet3
 duplex half
 speed auto
!
interface FastEthernet4
 duplex half
 speed auto
!
ip local pool dynpool 192.168.112.10 192.168.112.50
!
ip http server
no ip http secure-server
!
ip nat inside source list 111 interface Ethernet1 overload
!
logging trap debugging
logging facility local2
access-list 100 permit udp any any eq bootpc
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
access-list 112 permit ip 192.168.112.0 0.0.0.255 any
dialer-list 1 protocol ip permit
snmp-server community fpclaw RO
no cdp run
!
!
control-plane
!
banner motd ^C Watch yo self fool!!! ^C
!
line con 0
 exec-timeout 5 0
 login authentication local_auth
 no modem enable
 transport output telnet
line aux 0
 login authentication local_auth
 transport output telnet
line vty 0 4
 password 7 15160E00057B7A
 login authentication local_auth
 transport input telnet ssh
!
scheduler max-task-time 5000
end



Any ideas anyone?


I am still looking for some guidance.

Thanks,

P
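The posted config translates every packet sourced from 192.168.1.0/24 (access-list 111), including replies destined for the VPN client pool, so those replies are rewritten to the Ethernet1 address before the crypto map sees them and never match the client's IPsec SA. The fragment below is an added illustration of the usual IOS fix for that, not text from this thread or its accepted solution: exempt inside-to-pool traffic from NAT with a deny entry ahead of the permit. It assumes only the addressing already shown in the posted config (inside 192.168.1.0/24, pool 192.168.112.0/24, overload on Ethernet1).

```cisco
! Added example (not from the thread): NAT exemption for the VPN client pool.
! Addressing assumed from the posted config:
!   inside LAN   192.168.1.0/24   (Ethernet0, ip nat inside)
!   VPN pool     192.168.112.10-50 (ip local pool dynpool)
!   NAT overload on Ethernet1      (ip nat outside, crypto map dynmap)
!
! Weak form, as posted: every packet from the LAN is translated, including
! replies to VPN clients, which then no longer match the client's IPsec SA.
!   access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!
! Corrected form: a numbered ACL cannot be reordered in place, so remove it
! and re-enter it with the deny (NAT exemption) ahead of the permit.
no access-list 111
access-list 111 remark NAT: exempt LAN->VPN-pool traffic, translate everything else
access-list 111 deny   ip 192.168.1.0 0.0.0.255 192.168.112.0 0.0.0.255
access-list 111 permit ip 192.168.1.0 0.0.0.255 any
!
! The NAT statement itself is unchanged from the posted config.
ip nat inside source list 111 interface Ethernet1 overload
!
! Return routing: "reverse-route" on the dynamic map injects a host route for
! each connected client, so no static route for 192.168.112.0/24 is needed.
!
! Checks after the change, with a client connected and pinging a LAN host:
!   clear ip nat translation *    flush translations built under the old ACL
!   show ip nat translations      no entries with 192.168.112.x as the outside destination
!   show crypto ipsec sa          #pkts encaps/decaps both increase for the client SA
```

The exemption only affects address translation; unsolicited traffic from the internet is still dropped because the overload NAT has no static mappings to forward it to, which is the second requirement from the original question.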
You can try binding your access list for the VPN pool to your outside interface
 
conf t
int eth1
ip access-group 112 in

Shawn
Thanks but  no go.

I am surprised that I have received so few suggestions to this post.

This seems to be such a simple scenario.

I am 2 seconds from buying a pix.

Regards,

P
Just use the SDM and create an "Easy VPN Server". Takes about 3 minutes and it always works. http:// to your router. Before you do it, though, turn on the preference to show submitted commands; then you can see what it does. It is nothing like the PDM (this works).
Shawn
Hi,

I would LOOVE that. I do not however have the sdm software and have no cisco login.

Any ideas on where I can get it?

It says that it is a free download.

Regards,

P
http://www.cisco.com/go/sdm
When the login comes up enter anonymous and your email address as the password.
Shawn
SOLUTION