Solved

Cisco 1700 router w/ dual VPN configs

Posted on 2006-06-12
Last Modified: 2008-02-26
I have a home office Cisco 1700 series router with a remote site connected to it through an identical 1700 series router (a hardware site-to-site VPN, in other words). I want to add a configuration to the home office router to allow travelling employees to connect in via the Cisco VPN client. I am getting a bit confused about how to set up the router to accommodate both VPN setups. Can I please get some assistance with this?

thanks


This is the current router config for the site-to-site hardware-based VPN:

Current configuration : 2857 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname *****
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 $1$zh6a$Ek0zR.Ph0LboV3InBtHjs.
enable password *****
!
username ***** privilege 15 password 0 ****
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
!
!
!
!
no ip domain lookup
ip domain name brightminds.local
no ip cef
ip ips po max-events 100
no ftp-server write-enable
!
!
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key **** address 0.0.0.0 0.0.0.0
!
crypto isakmp client configuration group vpnhome
 key *****
 dns 192.168.1.11
 wins 192.168.1.11
 domain blankname.com
 pool ippool
 acl 100
!
!
crypto ipsec transform-set myset esp-3des esp-md5-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
 match address 110
!
!
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address initiate
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
interface Ethernet0/0
 ip address xx.xx.xx.xx 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 speed auto
 half-duplex
!
ip local pool ippool 192.168.2.1 192.168.2.5
ip classless
ip route 0.0.0.0 0.0.0.0 xx.xx.xx.xx 254
ip http server
ip http authentication local
ip http secure-server
ip nat inside source list 120 interface Ethernet0/0 overload
ip nat inside source static tcp 192.168.1.41 25 xx.xx.xx.xx 25 extendable
ip nat inside source static tcp 192.168.1.41 80 xx.xx.xx.xx 80 extendable
!
!
!
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 any
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
!
route-map nonat permit 10
 match ip address 102 120
!
!
control-plane
!
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 password ******
 transport input telnet ssh
line vty 5 15
 privilege level 15
 password *****
 transport input telnet ssh
!
end
Question by: bwooden

4 Comments
Expert Comment

by: stressedout2004
Just to confirm: does the remote peer for the hardware site-to-site VPN have a static public IP address or a dynamic one?

Author Comment

by: bwooden
dynamic

Accepted Solution

by: stressedout2004 (earned 250 total points)
There are two ways of doing it.

1) The short way, which sometimes doesn't work depending on the IOS and the VPN client version. All you have to do is make the following changes:

crypto dynamic-map dynmap 10
 no match address 110
 exit

You might ask how the router would know which traffic to encrypt if we remove the match address. Well, the remote peer will have the match address configured on it and will just push it to the router that is configured to accept dynamic connections.

2) The right way of configuring a router that accepts both dynamic-to-static VPN and remote access clients is to use an isakmp profile. This is an advanced configuration.

Let's try the shorter way first since it is easier; if it doesn't work, then I guess we have no choice but to switch to an isakmp profile.
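Once `match address 110` is removed, the remote peer's proxy identities decide what gets encrypted, but the home router's NAT exemption still has to cover every remote subnet: on IOS, inside-to-outside traffic is translated before the crypto map is consulted, so a destination that is not denied in the NAT ACL is source-NATed to the public address and can never match a crypto ACL written for 192.168.1.0/24. The following checker is an added example, not code from the original thread; it runs over an excerpt of the posted config and compares ACL entries by exact text (it does not model subnet containment, so a broader deny would be reported as a gap).

```python
import re
from collections import defaultdict

# Excerpt of the config posted in the question (only the lines the check needs).
CONFIG = """
crypto isakmp client configuration group vpnhome
 acl 100
crypto dynamic-map dynmap 10
 set transform-set myset
 match address 110
ip nat inside source list 120 interface Ethernet0/0 overload
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.150.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 110 deny   ip 192.168.1.0 0.0.0.255 any
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 120 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip 192.168.1.0 0.0.0.255 any
"""

# Numbered extended ACL entries of the form used on this page: "<net> <wildcard>" or "any".
ACL_RE = re.compile(
    r"^access-list (\d+) (permit|deny)\s+ip\s+(\S+ \S+|any)\s+(\S+ \S+|any)$")


def parse_acls(config):
    """Map ACL number -> list of (action, src, dst); 'any' is kept literally."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            acls[int(m.group(1))].append((m.group(2), m.group(3), m.group(4)))
    return acls


def nat_exemption_gaps(config):
    """Return (acl, src, dst) triples that a crypto ACL (dynamic-map match
    address or client-group split-tunnel acl) wants encrypted but that the
    NAT ACL does not deny, i.e. flows NAT would translate before encryption."""
    acls = parse_acls(config)
    crypto_ids = [int(n) for n in re.findall(r"^\s+(?:match address|acl) (\d+)$", config, re.M)]
    nat_ids = [int(n) for n in re.findall(r"^ip nat inside source list (\d+) ", config, re.M)]
    exempt = {(s, d) for n in nat_ids for a, s, d in acls[n] if a == "deny"}
    gaps = []
    for n in crypto_ids:
        for action, src, dst in acls[n]:
            if action == "permit" and (src, dst) not in exempt:
                gaps.append((n, src, dst))
    return gaps


if __name__ == "__main__":
    for acl, src, dst in nat_exemption_gaps(CONFIG):
        print(f"ACL {acl}: {src} -> {dst} is encrypted but not exempted from NAT")
```

On the posted config this reports the 192.168.150.0/24 and 192.168.0.0/24 destinations of ACL 110, which ACL 120 does not exempt; ACL 100 (the client pool) is covered.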

Author Comment

by: bwooden
Thank you my friend! Sorry about the delay in getting back. Was out of town all last week.

Option #1 did the trick!
