
CISCO 1721 Router Config

I have a Cisco 1721 router with 3DES. I wish to configure a VPN on it. Right now there is a base config. I reset to factory, then upgraded to the latest IOS with 3DES and IPsec. I also need to configure two Ethernet ports.

One Ethernet port will be my outside cable modem line (let's say 64.5.8.1).
The other will be my internal network (192.168.1.50).

I'd like to add two users to start, bob and tom to the VPN.
Asked by CDCOP
1 Solution
 
trinak96 commented:
CDCOP,

Assuming you have a working internet connection, then the following should work for you. This is basically a rip from one of my VPN server routers.
Note: VPN users are on a different subnet; I've assumed your internal network is /24.

aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_Client_xauth_1 local
aaa authorization exec default local
aaa authorization network VPN_Client_group_1 local
aaa session-id common
!
!
username tom privilege 15 secret <password>
username bob privilege 15 secret <password>
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
!
!
crypto isakmp client configuration group VPN_users
 key <key>
 dns x.x.x.x
 wins x.x.x.x
 domain <your.domain.com>
 pool VPN_Client_DHCP_Pool_1
 acl 102
 include-local-lan
!
crypto ipsec transform-set vpn_tset esp-3des esp-md5-hmac
!
crypto dynamic-map VPN_Client_1 1
 set transform-set vpn_tset
 reverse-route
!
!
crypto map vpn_cmap client authentication list VPN_Client_xauth_1
crypto map vpn_cmap isakmp authorization list VPN_Client_group_1
crypto map vpn_cmap client configuration address respond
crypto map vpn_cmap 65535 ipsec-isakmp dynamic VPN_Client_1
!
!
!

interface Ethernet0
 description $INTERNAL INTERFACE$
 ip address 192.168.1.50 255.255.255.0
!
!
!
interface Ethernet1
 description $External Interface$
 ip address <64.5.8.1> <mask from your ISP>
 crypto map vpn_cmap
!
ip local pool VPN_Client_DHCP_Pool_1 192.168.2.5 192.168.2.10


access-list 102 remark VPN_Client_Split_tunnel_Networks_to_Encrypt
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any


access-list nnn remark ADD TO NAT FOR INTERNET ACCESS - IE: DONT NAT VPN-SITE TRAFFIC
access-list nnn deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
 
CDCOP (Author) commented:
How do the clients connect? Using the Cisco VPN Client? What fields are required when setting up the client?

I also need to know how to set up ports 80, 25, etc. for a private IP so I can use these services from the public side.
 
CDCOP (Author) commented:
I also receive a lot of messages when booting up. Is this normal? Looks like a debug or something?
(I have worked a little with a PIX 515E. Is the client VPN connection procedure the same on the 515E and the 1721?)

interface Serial0
          ^
% Invalid input detected at '^' marker.

 no ip address
% Incomplete command.

 shutdown
  ^
% Invalid input detected at '^' marker.

 no cdp enable
        ^
% Invalid input detected at '^' marker.


*Mar  1 00:00:04.847: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar  1 00:00:05.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:17.835: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
*Mar  1 00:00:19.015: %SYS-5-CONFIG_I: Configured from memory by console
*Mar  1 00:00:19.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down
*Mar  1 00:00:19.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar  1 00:00:20.395: %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down
*Mar  1 00:00:22.419: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-BK9NO3R2SY7-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 24-Jan-07 15:39 by ccai
*Mar  1 00:00:22.443: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
 
CDCOP (Author) commented:
Better yet, here is my config:

Building configuration...

Current configuration : 823 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c1700.bin
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username michael privilege 15 secret 5 $1$aZh7$xXxX0gUaz5sbHP4xeQML1/
!
!
!
!
!
!
interface Ethernet0
 ip address 192.168.1.33 255.255.255.0
 shutdown
 half-duplex
 no cdp enable
!
interface FastEthernet0
 ip address 192.168.1.34 255.255.255.0
 speed auto
 no cdp enable
!
ip classless
no ip http server
no ip http secure-server
!
!
no cdp run
!
snmp-server community ### RW
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
 login
!
end

Router#
 
CDCOP (Author) commented:
I got the VPN running with the Cisco VPN Client software! Thanks!

Now, I did it in a test scenario, so I don't know what all is possible. I need to be able to connect to all inside resources when I use the VPN, all IPs on the LAN.

I also have a server on the LAN which hosts websites, DNS and a mail server as well as other services, so I need to configure the firewall to allow traffic to 192.168.1.51.
 
trinak96 commented:
cdcop,
Glad you got it sorted. Post your finished config (no public IPs or passwords); you should be able to access all internal servers if configured correctly.

Well done....
 
CDCOP (Author) commented:
Actually... I just got the VPN going. Now I am having another problem... I was able to get the public IP and the private IP up on the interfaces. I was able to ping BOTH from inside the network. However, I could not ping anything else from inside the network. But I could ping other public IPs from the router. It's like the router isn't letting inside resources connect to anything outside. I still need to be able to open the web, mail and other ports for 192.168.1.51 (my internal server).

Here is my config:

Building configuration...
Current configuration : 2262 bytes
!
! Last configuration change at 13:07:53 UTC Wed Aug 1 2007 by michael
! NVRAM config last updated at 13:08:35 UTC Wed Aug 1 2007 by michael
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c1700.bin
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_Client_xauth_1 local
aaa authorization exec default local
aaa authorization network VPN_Client_group_1 local
aaa session-id common
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username michael privilege 15 secret 5 $1$aZh7$XxxX0gUaz5sbHP4xeQML1/
username admin privilege 15 secret 5 $1$MzpL$VCOXXxxxWvfKkNwCshK0O1
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_users
 key XXX
 dns 192.168.1.51
 domain myserver.com
 pool VPN_Client_DHCP_Pool_1
 acl 102
!
!
crypto ipsec transform-set vpn_tset esp-3des esp-md5-hmac
!
crypto dynamic-map VPN_Client_1 1
 set transform-set vpn_tset
 reverse-route
!
!
crypto map vpn_cmap client authentication list VPN_Client_xauth_1
crypto map vpn_cmap isakmp authorization list VPN_Client_group_1
crypto map vpn_cmap client configuration address respond
crypto map vpn_cmap 65535 ipsec-isakmp dynamic VPN_Client_1
!
!
!
interface Ethernet0
 description Outside
 ip address 20.10.15.71 255.255.255.0
 ip access-group 101 in
 ip nat outside
 half-duplex
 no cdp enable
 crypto map vpn_cmap
!
interface FastEthernet0
 description Inside
 ip address 192.168.1.50 255.255.255.0
 ip access-group 102 in
 ip nat inside
 speed auto
 no cdp enable
!
ip local pool VPN_Client_DHCP_Pool_1 192.168.2.5 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 20.10.15.1
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip any any
access-list 102 remark VPN_Client_Split_tunnel_Networks_to_Encrypt
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any
no cdp run
!
snmp-server community XXXX RW
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
!
end



I want the internal network to have access to any port on any outside resource, simply unrestricted. Also, I'm a little unsure about the routes.
 
trinak96 commented:
cdcop,

OK, since you need clients on the internal network to access the internet as well, you need to NAT their address range.

conf t
access-list 105 remark NAT traffic to internet
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 105 interface Ethernet0 overload

and you should be done....
 
CDCOP (Author) commented:
What about port forwards?
 
trinak96 commented:
Any ports that the VPN client wants to use will be encapsulated into the IPsec packet; what the router is doing is allowing the whole packet in. You can add restrictions/permissions if you like, but at the moment your VPN users (which are authorised anyway) have complete access to internal resources.
 
CDCOP (Author) commented:
Got it...
 
trinak96 commented:
Glad to have been of some help... good luck.
 
CDCOP (Author) commented:
And I meant any outside users having access to SMTP and web, not just VPN users. I found the settings though. Thanks for all your help!
 
CDCOP (Author) commented:
Actually, I cannot access inside resources via the VPN. Do I need a route set up for VPN users? Also, they are on different subnets; wouldn't this matter?

Main net is 192.168.1.x
Pool for VPN is 192.168.2.x
 
CDCOP (Author) commented:
Or do I have extra route info in my config that I do not need?
 
CDCOP (Author) commented:
Also, when I try and ping 192.168.1.51 when connected to the VPN, it gives a reply from my public outside address??
 
trinak96 commented:
cdcop,

You have put access-list 102 on FastEthernet0.
102 is the access-list given to the client so it knows which subnets to encrypt.

So remove it from FastEthernet0.
 
CDCOP (Author) commented:
Do I also need to remove the one from Ethernet0?
 
trinak96 commented:
Nope... that's a different access-list.
 
CDCOP (Author) commented:
Still a no go. Cannot access internal resources...
 
trinak96 commented:
cdcop,

Post your current config. Does the client connect OK?
 
CDCOP (Author) commented:
The client connects fine. It also has the following listed under Secured Routes (under client stats).
I am using 20.10.15.71 as my public IP. I have changed it from my real one for security reasons.
Network:       Subnet mask:
0.0.0.0        0.0.0.0
20.10.15.71    255.255.255.0

Here is config:
Router#sh run
Building configuration...

Current configuration : 2982 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c1700.bin
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_Client_xauth_1 local
aaa authorization exec default local
aaa authorization network VPN_Client_group_1 local
aaa session-id common
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username admin privilege 15 secret 5 $1$MzpL$dscssdXHthWvfKkNwCshK0O1
!
!
!
!
crypto isakmp policy 5
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp client configuration group VPN_users
 key XXX
 dns 192.168.1.51
 domain myserver.com
 pool VPN_Client_DHCP_Pool_1
 acl 102
!
!
crypto ipsec transform-set vpn_tset esp-3des esp-md5-hmac
!
crypto dynamic-map VPN_Client_1 1
 set transform-set vpn_tset
 reverse-route
!
!
crypto map vpn_cmap client authentication list VPN_Client_xauth_1
crypto map vpn_cmap isakmp authorization list VPN_Client_group_1
crypto map vpn_cmap client configuration address respond
crypto map vpn_cmap 65535 ipsec-isakmp dynamic VPN_Client_1
!
!
!
interface Ethernet0
 description Outside
 ip address 20.10.15.71 255.255.255.0
 ip access-group 101 in
 ip nat outside
 half-duplex
 no cdp enable
 crypto map vpn_cmap
!
interface FastEthernet0
 description Inside
 ip address 192.168.1.50 255.255.255.0
 ip nat inside
 speed auto
 no cdp enable
!
ip local pool VPN_Client_DHCP_Pool_1 192.168.2.5 192.168.2.15
ip nat inside source list 105 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.51 80 20.10.15.71 80 extendable
ip nat inside source static tcp 192.168.1.51 25 20.10.15.71 25 extendable
ip nat inside source static tcp 192.168.1.51 110 20.10.15.71 110 extendable
ip nat inside source static tcp 192.168.1.51 53 20.10.15.71 53 extendable
ip nat inside source static udp 192.168.1.51 53 20.10.15.71 53 extendable
ip nat inside source static tcp 192.168.1.51 443 20.10.15.71 443 extendable
ip nat inside source static tcp 192.168.1.51 143 20.10.15.71 143 extendable
ip nat inside source static tcp 192.168.1.51 3389 20.10.15.71 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 20.10.15.1
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip any any
access-list 102 remark VPN_Client_Split_tunnel_Networks_to_Encrypt
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 105 remark NAT Traffic to Internet
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
!
end
 
trinak96 commented:
cdcop,

Try changing access-list 105 to:

no access-list 105
access-list 105 remark NAT Traffic to Internet
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any

You'll need to delete the existing one and re-create it; the "deny" is so that traffic destined for the VPN client conversations is not NATed.
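Added example (this is the editor's code, not configuration from the thread or from Cisco): a small Python model of the two access-list decisions behind the symptoms in this thread, trinak96's point above that ACL 102 is the split-tunnel list handed to the client rather than an interface filter, and the final fix of placing a deny for the VPN pool ahead of the permit in NAT list 105. It also lists which of the posted static port forwards the inbound list on the outside interface leaves open to any Internet source. The config strings are transcribed from the posts with the poster's sanitised addresses; 198.51.100.10 is a constructed Internet host, and only the line types the model needs are parsed.

```python
"""Replay the ACL/NAT decisions from the thread in plain Python (editor's
example, not the poster's or Cisco's code). Config excerpts are transcribed
from the posts; 20.10.15.71 is the poster's placeholder public address and
198.51.100.10 is a constructed Internet host."""
import ipaddress
from dataclasses import dataclass

ORIGINAL = """
access-list 101 permit ip any any
access-list 102 remark VPN_Client_Split_tunnel_Networks_to_Encrypt
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny   ip any any
access-list 105 remark NAT Traffic to Internet
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source static tcp 192.168.1.51 80 20.10.15.71 80 extendable
ip nat inside source static tcp 192.168.1.51 25 20.10.15.71 25 extendable
ip nat inside source static tcp 192.168.1.51 3389 20.10.15.71 3389 extendable
"""

# Same config with the deny trinak96 proposed placed ahead of the permit.
FIXED = ORIGINAL.replace(
    "access-list 105 permit ip 192.168.1.0 0.0.0.255 any",
    "access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255\n"
    "access-list 105 permit ip 192.168.1.0 0.0.0.255 any")

ANY = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class AclEntry:
    action: str            # "permit" or "deny"
    src: tuple[str, str]   # (network, wildcard)
    dst: tuple[str, str]


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(network)) & care)


def _spec(t: list[str], i: int) -> tuple[tuple[str, str], int]:
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2


def parse_acls(config: str) -> dict[str, list[AclEntry]]:
    """Numbered extended entries only: access-list N permit|deny ip SRC DST."""
    acls: dict[str, list[AclEntry]] = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list" or t[2] == "remark":
            continue
        src, i = _spec(t, 4)
        dst, _ = _spec(t, i)
        acls.setdefault(t[1], []).append(AclEntry(t[2], src, dst))
    return acls


def acl_lookup(entries: list[AclEntry], src: str, dst: str) -> str:
    """First match wins; IOS ends every ACL with an implicit 'deny ip any any'."""
    for e in entries:
        if wildcard_match(src, *e.src) and wildcard_match(dst, *e.dst):
            return e.action
    return "deny"


def nat_translates(config: str, nat_list: str, src: str, dst: str) -> bool:
    """'ip nat inside source list 105 interface Ethernet0 overload' rewrites the
    source of an inside->outside packet to the public address when list 105
    permits it. On IOS that happens before the crypto map encrypts, so a
    permitted reply to a VPN client leaves sourced from 20.10.15.71 instead of
    192.168.1.51: the ping reply the poster saw."""
    return acl_lookup(parse_acls(config)[nat_list], src, dst) == "permit"


def client_encrypts(config: str, split_list: str, dst: str) -> bool:
    """The list named by 'acl 102' under the client configuration group is a
    split-tunnel list, not an interface filter: each permit entry's SOURCE
    network is pushed to the client as a secured route, and only traffic to
    those networks goes through the tunnel."""
    return any(e.action == "permit" and wildcard_match(dst, *e.src)
               for e in parse_acls(config)[split_list])


def internet_reachable(config: str, inbound_list: str) -> list[tuple[str, int, str]]:
    """Static forwards whose public socket the outside interface's inbound ACL
    lets a constructed Internet source reach: (proto, public port, inside host)."""
    acls = parse_acls(config)
    out = []
    for line in config.splitlines():
        t = line.split()
        if t[:5] != ["ip", "nat", "inside", "source", "static"]:
            continue
        proto, inside, public, pub_port = t[5], t[6], t[8], int(t[9])
        if acl_lookup(acls[inbound_list], "198.51.100.10", public) == "permit":
            out.append((proto, pub_port, inside))
    return out


if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        print(f"{name}: reply 192.168.1.51->192.168.2.5 NATed:",
              nat_translates(cfg, "105", "192.168.1.51", "192.168.2.5"),
              "| 192.168.1.51->Internet NATed:",
              nat_translates(cfg, "105", "192.168.1.51", "198.51.100.10"))
    print("client tunnels 192.168.1.51:", client_encrypts(FIXED, "102", "192.168.1.51"))
    print("reachable from the Internet:", internet_reachable(FIXED, "101"))
```

Run as a script, the original list reports the reply to 192.168.2.5 as translated, which is why the poster's ping came back from the public address; the fixed list leaves that reply alone while still translating Internet-bound traffic. The last line is the caveat a reviewer would raise on the posted config: with `access-list 101 permit ip any any` inbound on Ethernet0, every static forward, tcp/3389 included, is reachable from anywhere. Narrow 101 to the published ports and the sources that need them, and expose RDP only behind the VPN, if at all.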
 
CDCOP (Author) commented:
You are the man! If I had more points to give, I would.

In fact, look here:
http://www.experts-exchange.com/Software/System_Utilities/Remote_Access/VPN/Q_22739982.html