Solved

Cisco 1700 router w/ dual VPN configs

Posted on 2006-06-12
Last Modified: 2008-02-26
I have a home office Cisco 1700 series router with a remote site connected to it through an identical 1700 series router (a hardware site-to-site VPN, in other words). I am wanting to add a configuration to the home office router to allow travelling employees to connect in via the Cisco VPN client. I am getting a bit confused on how to set up the router to accommodate both VPN setups. Can I please get some assistance with this.

thanks


This is the current router config for the site-to-site hardware-based VPN:

Current configuration : 2857 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$zh6a$Ek0zR.Ph0LboV3InBtHjs.
enable password *****
!
username ***** privilege 15 password 0 ****
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
no ip domain lookup
ip domain name brightminds.local
no ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key **** address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group vpnhome
 key *****
 dns 192.168.1.11
 wins 192.168.1.11
 domain blankname.com
 pool ippool
 acl 100
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 match address 110
!
!
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0/0
 ip address xx.xx.xx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
ip local pool ippool 192.168.2.1 192.168.2.5
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx 254
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 120 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.1.41 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 192.168.1.41 80 xx.xx.xx.xx 80 extendable
!
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 any
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 102 120
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password ******
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password *****
 transport input telnet ssh
!
end
Question by:bwooden

Expert Comment

by:stressedout2004
ID: 16886990
Just to confirm: the remote peer for the hardware site-to-site VPN, does it have a static public IP address or a dynamic one?

Author Comment

by:bwooden
ID: 16887227
dynamic

Accepted Solution

by:
stressedout2004 earned 250 total points
ID: 16889520
There are two ways of doing it.

1) The short way, which sometimes doesn't work depending on the IOS and the VPN client version. All you have to do is make the following changes:

crypto dynamic-map dynmap 10
 no match address 110
 exit

You might ask how the router would know which traffic to encrypt if we remove the match address. Well, the remote peer will have the match address configured on it and will just push it to the router configured to accept dynamic connections.

2) The right way of configuring a router which accepts both dynamic-to-static VPN and remote access clients is using an isakmp profile. This is an advanced configuration.

Let's try the shorter way first since it is easier; if it doesn't work then I guess we have no choice but to switch to an isakmp profile.
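Added worked example (not part of the original thread, and not posted by either participant): what the isakmp-profile approach the answer calls "the right way" looks like when applied to the config posted in the question. The group name vpnhome, transform set myset, ACLs 100 and 110, pool ippool and the authorization list groupauthor are taken from the posted config; the profile names vpnclient and l2l, the keyring l2lkeys, the dynamic-map names dynmap-client and dynmap-l2l, the login list userauthen and the placeholder key L2L-SHARED-SECRET are assumptions for illustration. The security point the profiles buy you: with option 1 the dynamic map has no match address and the only peer authentication is a wildcard pre-shared key, so any host that holds that key can negotiate whatever proxy identities it likes. With profiles, the site-to-site peer keeps its own ACL 110 and is matched by IKE identity, while the remote-access clients are matched by their group name and (as an addition here) get per-user XAUTH on top of the group key.

```cisco
! --- Site-to-site peer: keyring + profile matched on IKE address identity ---
! The remote 1700 has a dynamic public address, so the keyring entry is a
! wildcard. Once this keyring exists, remove the global wildcard key
! (no crypto isakmp key **** address 0.0.0.0 0.0.0.0) so that main-mode peers
! are matched through this profile rather than the global key.
crypto keyring l2lkeys
 pre-shared-key address 0.0.0.0 0.0.0.0 key L2L-SHARED-SECRET
!
crypto isakmp profile l2l
 keyring l2lkeys
 match identity address 0.0.0.0 0.0.0.0
!
! --- Remote-access clients: profile matched on the group name the Cisco VPN
!     Client sends as its IKE identity in aggressive mode ---
! Group "vpnhome" (key, dns/wins, pool ippool, split-tunnel ACL 100) is reused
! unchanged from the posted config. The login list "userauthen" is an addition:
! the posted config has no XAUTH, so clients authenticate by group key alone.
aaa authentication login userauthen local
!
crypto isakmp profile vpnclient
 match identity group vpnhome
 client authentication list userauthen
 isakmp authorization list groupauthor
 client configuration address respond
!
! --- One dynamic map per profile ---
! Clients: no match address; the proxy identities come from the group's
! split-tunnel ACL 100. reverse-route installs a host route for each
! connected client's pool address.
crypto dynamic-map dynmap-client 10
 set transform-set myset
 set isakmp-profile vpnclient
 reverse-route
!
! Site-to-site: keeps match address 110, so only the remote subnets listed
! there can be negotiated by the peer that matched profile l2l.
crypto dynamic-map dynmap-l2l 10
 set transform-set myset
 set isakmp-profile l2l
 match address 110
!
! Replace the single dynamic entry in clientmap with the two profile-bound
! ones. The authorization list and client-configuration settings now live in
! the vpnclient profile, so the map-level versions are removed.
no crypto map clientmap 10 ipsec-isakmp dynamic dynmap
no crypto map clientmap isakmp authorization list groupauthor
no crypto map clientmap client configuration address initiate
no crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap-client
crypto map clientmap 20 ipsec-isakmp dynamic dynmap-l2l
!
! The map stays bound to the outside interface exactly as before.
interface Ethernet0/0
 crypto map clientmap
```

After applying it, bring up one connection of each kind and check `show crypto isakmp sa detail` and `show crypto ipsec sa`: the site-to-site SA should report profile l2l with proxy identities drawn from ACL 110, and a VPN client SA should report profile vpnclient with a pool address from ippool. The 3DES/MD5/group 2 ISAKMP policy is inherited unchanged from the posted config; this example only changes how peers are matched, not the cipher suite.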

Author Comment

by:bwooden
ID: 16985012
Thank you, my friend! Sorry about the delay in getting back. I was out of town all last week.

Option #1 did the trick!
