Solved

Cisco 1700 router w/ dual VPN configs

Posted on 2006-06-12
Last Modified: 2008-02-26
I have a home office Cisco 1700 series router with a remote site connected to it through an identical 1700 series router (a hardware site-to-site VPN, in other words). I am wanting to add a configuration to the home office router to allow travelling employees to connect in via the Cisco VPN client. I am getting a bit confused on how to set up the router to accommodate both VPN setups. Can I please get some assistance with this?

thanks


This is the current router config for the site-to-site hardware-based VPN:

Current configuration : 2857 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$zh6a$Ek0zR.Ph0LboV3InBtHjs.
enable password *****
!
username ***** privilege 15 password 0 ****
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
no ip domain lookup
ip domain name brightminds.local
no ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key **** address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group vpnhome
 key *****
 dns 192.168.1.11
 wins 192.168.1.11
 domain blankname.com
 pool ippool
 acl 100
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 match address 110
!
!
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0/0
 ip address xx.xx.xx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
ip local pool ippool 192.168.2.1 192.168.2.5
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx 254
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 120 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.1.41 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 192.168.1.41 80 xx.xx.xx.xx 80 extendable
!
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 any
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 102 120
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password ******
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password *****
 transport input telnet ssh
!
end
Question by:bwooden
4 Comments
 
LVL 9

Expert Comment

by:stressedout2004
ID: 16886990
Just to confirm: the remote peer for the hardware site-to-site VPN, does it have a static public IP address or a dynamic one?
 

Author Comment

by:bwooden
ID: 16887227
dynamic
 
LVL 9

Accepted Solution

by: stressedout2004 (earned 250 total points)
ID: 16889520
There are two ways of doing it.

1) The short way, which sometimes doesn't work depending on the IOS and the VPN client version. All you have to do is make the following changes:

crypto dynamic-map dynmap 10
 no match address 110
 exit

You might ask how the router would know which traffic to encrypt if we remove the match address. Well, the remote peer will have the match address configured on it and will just push it to the router configured to accept dynamic connections.

2) The right way of configuring a router which accepts both dynamic-to-static VPN and remote access clients is using an isakmp profile. This is an advanced configuration.

Let's try the shorter way first since it is easier; if it doesn't work, then I guess we have no choice but to switch to an isakmp profile.
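Option 2 from the accepted answer written out as an added example (not the poster's or the answerer's configuration): one ISAKMP profile matches the remote 1700 by its wildcard pre-shared-key address and keeps the site-to-site proxy ACL 110, while a second profile matches the VPN client group vpnhome, so each dynamic map only ever negotiates with its own kind of peer, unlike option 1, where dropping `match address` lets any peer that authenticates with the wildcard key propose whatever proxy identities it likes. The keyring, profile and dynamic-map names are assumed, and SITE-PSK-PLACEHOLDER stands for the site key that is masked in the posted config.

```cisco
! Added example of the isakmp-profile approach (option 2); not the
! poster's running config. Names l2l-keys, l2l-prof, ra-prof,
! dynmap-l2l and dynmap-ra are assumed.
!
! The site-to-site key moves out of the global
! "crypto isakmp key **** address 0.0.0.0 0.0.0.0" line into a keyring
! that only the site profile uses.
crypto keyring l2l-keys
 pre-shared-key address 0.0.0.0 0.0.0.0 key SITE-PSK-PLACEHOLDER
!
! Profile 1: the remote 1700 with a dynamic public IP. Matching any
! address is what admits the dynamic peer; the keyring limits that to
! peers holding the site key.
crypto isakmp profile l2l-prof
 keyring l2l-keys
 match identity address 0.0.0.0
!
! Profile 2: Cisco VPN client users. The client identifies itself with
! the group name vpnhome, so the site peer never lands here. The
! authorization and address-respond settings that were global on
! "crypto map clientmap" move into the profile; the existing
! "crypto isakmp client configuration group vpnhome" block stays as is.
crypto isakmp profile ra-prof
 match identity group vpnhome
 isakmp authorization list groupauthor
 client configuration address respond
!
! One dynamic map per profile. The site map keeps "match address 110"
! (the remote LANs); the client map has no match address because the
! client proposes its pool address as the proxy identity.
crypto dynamic-map dynmap-l2l 10
 set transform-set myset
 set isakmp-profile l2l-prof
 match address 110
!
crypto dynamic-map dynmap-ra 10
 set transform-set myset
 set isakmp-profile ra-prof
!
! Replaces the single "crypto map clientmap 10 ipsec-isakmp dynamic dynmap"
! entry; "crypto map clientmap" on Ethernet0/0 is unchanged.
crypto map clientmap 10 ipsec-isakmp dynamic dynmap-l2l
crypto map clientmap 20 ipsec-isakmp dynamic dynmap-ra
```

With the profiles in place, `show crypto isakmp sa` should show the site peer and each client bound to different profiles, which is the quickest way to confirm the split took effect.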
 

Author Comment

by:bwooden
ID: 16985012
Thank you, my friend! Sorry about the delay in getting back; I was out of town all last week.

Option #1 did the trick!

