CDCOP
CISCO 1721 Router Config
I have a CISCO 1721 router with 3DES. I wish to configure a VPN on it. Right now there is a base config. I reset to factory then upgraded to the latest IOS with 3DES and IPSEC. I also need to configure two ethernet ports.
One ethernet port will be my outside cable modem line (let's say 64.5.8.1)
The other will be my internal network (192.168.1.50)
I'd like to add two users to start, bob and tom, to the VPN.
ASKER
I also receive a lot of messages when booting up... is this normal? Looks like a debug or something?
(I have worked a little with a PIX 515E; is the client VPN connection procedure the same with the 515E and the 1721?)
interface Serial0
^
% Invalid input detected at '^' marker.
no ip address
% Incomplete command.
shutdown
^
% Invalid input detected at '^' marker.
no cdp enable
^
% Invalid input detected at '^' marker.
*Mar 1 00:00:04.847: %LINK-3-UPDOWN: Interface FastEthernet0, changed state to up
*Mar 1 00:00:05.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar 1 00:00:17.835: %LINK-3-UPDOWN: Interface Ethernet0, changed state to up
*Mar 1 00:00:19.015: %SYS-5-CONFIG_I: Configured from memory by console
*Mar 1 00:00:19.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface Ethernet0, changed state to down
*Mar 1 00:00:19.371: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0, changed state to up
*Mar 1 00:00:20.395: %LINK-5-CHANGED: Interface Ethernet0, changed state to administratively down
*Mar 1 00:00:22.419: %SYS-5-RESTART: System restarted --
Cisco Internetwork Operating System Software
IOS (tm) C1700 Software (C1700-BK9NO3R2SY7-M), Version 12.3(22), RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by cisco Systems, Inc.
Compiled Wed 24-Jan-07 15:39 by ccai
*Mar 1 00:00:22.443: %SNMP-5-COLDSTART: SNMP agent on host Router is undergoing a cold start
ASKER
Better yet, here is my config:
Building configuration...
Current configuration : 823 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c1700.bin
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
no aaa new-model
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username michael privilege 15 secret 5 $1$aZh7$xXxX0gUaz5sbHP4xeQML1/
!
!
!
!
!
!
interface Ethernet0
ip address 192.168.1.33 255.255.255.0
shutdown
half-duplex
no cdp enable
!
interface FastEthernet0
ip address 192.168.1.34 255.255.255.0
speed auto
no cdp enable
!
ip classless
no ip http server
no ip http secure-server
!
!
no cdp run
!
snmp-server community ### RW
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
login
!
end
Router#
ASKER
I got the VPN running with the cisco vpn client software! Thx!
Now, I did it in a test scenario so don't know what all is possible. I need to be able to connect to all inside resources when I use VPN, all IPs on the LAN.
I also have a server on the LAN which hosts websites, dns and mail server as well as other services so I need to configure the FW to allow traffic to 192.168.1.51
cdcop,
Glad you got it sorted, post your finished config (no public ip's,passwords), you should be able to access all internal servers if configured correctly.
Well Done....
ASKER
Actually... I just got VPN going. Now I am having another problem. I was able to get the public IP and the private IP up on the interfaces. I was able to ping BOTH from inside the network. However, I could not ping anything else from inside the network. But I could ping other public IPs from the router. It's like the router isn't letting inside resources connect to anything outside. I still need to be able to open the web, mail and other ports for 192.168.1.51 (my internal server).
Here is my config:
Building configuration...
Current configuration : 2262 bytes
!
! Last configuration change at 13:07:53 UTC Wed Aug 1 2007 by michael
! NVRAM config last updated at 13:08:35 UTC Wed Aug 1 2007 by michael
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c1700.bin
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_Client_xauth_1 local
aaa authorization exec default local
aaa authorization network VPN_Client_group_1 local
aaa session-id common
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username michael privilege 15 secret 5 $1$aZh7$XxxX0gUaz5sbHP4xeQML1/
username admin privilege 15 secret 5 $1$MzpL$VCOXXxxxWvfKkNwCshK0O1
!
!
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_users
key XXX
dns 192.168.1.51
domain myserver.com
pool VPN_Client_DHCP_Pool_1
acl 102
!
!
crypto ipsec transform-set vpn_tset esp-3des esp-md5-hmac
!
crypto dynamic-map VPN_Client_1 1
set transform-set vpn_tset
reverse-route
!
!
crypto map vpn_cmap client authentication list VPN_Client_xauth_1
crypto map vpn_cmap isakmp authorization list VPN_Client_group_1
crypto map vpn_cmap client configuration address respond
crypto map vpn_cmap 65535 ipsec-isakmp dynamic VPN_Client_1
!
!
!
interface Ethernet0
description Outside
ip address 20.10.15.71 255.255.255.0
ip access-group 101 in
ip nat outside
half-duplex
no cdp enable
crypto map vpn_cmap
!
interface FastEthernet0
description Inside
ip address 192.168.1.50 255.255.255.0
ip access-group 102 in
ip nat inside
speed auto
no cdp enable
!
ip local pool VPN_Client_DHCP_Pool_1 192.168.2.5 192.168.2.10
ip classless
ip route 0.0.0.0 0.0.0.0 20.10.15.1
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip any any
access-list 102 remark VPN_Client_Split_tunnel_Networks_to_Encrypt
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
no cdp run
!
snmp-server community XXXX RW
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
!
end
I want the internal network to have access to any port on any outside resource, simply unrestricted. Also, I'm a little unsure about the routes.
cdcop,
OK, since you need clients on the internal network to access the internet as well, then you need to NAT their address range.
conf t
access-list 105 remark NAT traffic to internet
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 105 interface e0 overload
and you should be done....
ASKER
What about port forwards?
Any ports that the vpn client wants to use will be encapsulated into the ipsec packet, what the router is doing is allowing the whole packet in. You can add restrictions/permissions if you like, but at the moment your vpn users (which are authorised anyway) have complete access to internal resources.
ASKER
got it...
Glad to have been of some help. Good luck.
ASKER
And I meant any outside users having access to smtp and web, not just vpn users. I found the settings tho. Thanks for all your help!
ASKER
Actually, I cannot access inside resources via VPN. Do I need a route set up for VPN users? Also, they are on different subnets; wouldn't this matter?
Main net is 192.168.1.x
Pool for VPN is 192.168.2.x
ASKER
Or do I have extra route info in my config that I do not need?
ASKER
Also, when I try to ping 192.168.1.51 when connected to the VPN, it gives a reply from my public outside address?
cdcop,
You have put access-list 102 on FastEthernet0.
102 is the access-list given to the client to know what subnets to encrypt.
So remove it from FastEthernet0.
ASKER
Do I also need to remove the one from eth0?
Nope, that's a different access-list.
ASKER
Still a no go. Cannot access internal resources...
cdcop,
Post your current config. Does the client connect OK?
ASKER
Client connects fine. It also has these listed under secured routes (under client stats):
I am using 20.10.15.71 as my public IP. I have changed it from my real one for security reasons.
Network      Subnet mask
0.0.0.0      0.0.0.0
20.10.15.71  255.255.255.0
Here is the config:
Router#sh run
Building configuration...
Current configuration : 2982 bytes
!
version 12.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot system flash c1700.bin
boot-end-marker
!
!
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
aaa new-model
!
!
aaa authentication login default local
aaa authentication login VPN_Client_xauth_1 local
aaa authorization exec default local
aaa authorization network VPN_Client_group_1 local
aaa session-id common
ip subnet-zero
!
!
!
ip cef
ip audit po max-events 100
!
!
username admin privilege 15 secret 5 $1$MzpL$dscssdXHthWvfKkNwCshK0O1
!
!
!
!
crypto isakmp policy 5
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group VPN_users
key XXX
dns 192.168.1.51
domain myserver.com
pool VPN_Client_DHCP_Pool_1
acl 102
!
!
crypto ipsec transform-set vpn_tset esp-3des esp-md5-hmac
!
crypto dynamic-map VPN_Client_1 1
set transform-set vpn_tset
reverse-route
!
!
crypto map vpn_cmap client authentication list VPN_Client_xauth_1
crypto map vpn_cmap isakmp authorization list VPN_Client_group_1
crypto map vpn_cmap client configuration address respond
crypto map vpn_cmap 65535 ipsec-isakmp dynamic VPN_Client_1
!
!
!
interface Ethernet0
description Outside
ip address 20.10.15.71 255.255.255.0
ip access-group 101 in
ip nat outside
half-duplex
no cdp enable
crypto map vpn_cmap
!
interface FastEthernet0
description Inside
ip address 192.168.1.50 255.255.255.0
ip nat inside
speed auto
no cdp enable
!
ip local pool VPN_Client_DHCP_Pool_1 192.168.2.5 192.168.2.15
ip nat inside source list 105 interface Ethernet0 overload
ip nat inside source static tcp 192.168.1.51 80 20.10.15.71 80 extendable
ip nat inside source static tcp 192.168.1.51 25 20.10.15.71 25 extendable
ip nat inside source static tcp 192.168.1.51 110 20.10.15.71 110 extendable
ip nat inside source static tcp 192.168.1.51 53 20.10.15.71 53 extendable
ip nat inside source static udp 192.168.1.51 53 20.10.15.71 53 extendable
ip nat inside source static tcp 192.168.1.51 443 20.10.15.71 443 extendable
ip nat inside source static tcp 192.168.1.51 143 20.10.15.71 143 extendable
ip nat inside source static tcp 192.168.1.51 3389 20.10.15.71 3389 extendable
ip classless
ip route 0.0.0.0 0.0.0.0 20.10.15.1
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip any any
access-list 102 remark VPN_Client_Split_tunnel_Networks_to_Encrypt
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
access-list 102 deny ip any any
access-list 105 remark NAT Traffic to Internet
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
no cdp run
!
snmp-server enable traps tty
!
!
line con 0
line aux 0
line vty 0 4
!
end
cdcop,
Try changing access-list 105 to:
deny ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
permit ip 192.168.1.0 0.0.0.255 any
You'll need to delete the existing one and re-create it; the "deny" is to not NAT traffic destined for the VPN client conversations.
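Added example, not part of the original thread: the NAT-exemption fix above and the earlier NAT-overload answer, written out as one IOS fragment against the interface names, addresses and ACL numbers posted in this thread, with the reason the first version failed. On IOS the inside-to-outside NAT translation is applied before the crypto map on the outside interface examines the packet. With access-list 105 as first posted (permit only), a reply from 192.168.1.51 to a VPN client in the 192.168.2.0/24 pool was translated to a 20.10.15.71 source first, no longer matched the IPsec security association negotiated for 192.168.1.0/24, and so was never encrypted. The deny entry exempts LAN-to-pool traffic from translation; the permit entry still translates everything else. Access-list 102 is only the split-tunnel list handed to the client by the group, so it is re-created as a standalone list and is not applied to FastEthernet0. The show commands at the end are standard 12.3 exec commands for confirming the result. Two caveats a practitioner should weigh in the config as posted: access-list 101 on the outside interface is permit ip any any, so every static NAT entry, including tcp 3389, is reachable from the whole internet with no filtering; and the ISAKMP policy (md5, 3DES, group 2) is what this 3DES-only image offers and should be treated as legacy strength.

```cisco
! --- Before (as first posted): everything from the LAN is translated,
! --- including traffic headed for the VPN client pool 192.168.2.0/24.
! access-list 105 remark NAT Traffic to Internet
! access-list 105 permit ip 192.168.1.0 0.0.0.255 any
!
! --- After: exempt LAN -> VPN pool from NAT, translate the rest.
! Numbered ACLs cannot be edited in place on 12.3, so delete and re-create.
configure terminal
no access-list 105
access-list 105 remark NAT Traffic to Internet (VPN client pool exempt)
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
ip nat inside source list 105 interface Ethernet0 overload
!
! Split-tunnel list: referenced by the client group only, never by an interface.
no access-list 102
access-list 102 remark VPN_Client_Split_tunnel_Networks_to_Encrypt
access-list 102 permit ip 192.168.1.0 0.0.0.255 any
crypto isakmp client configuration group VPN_users
 acl 102
 exit
interface FastEthernet0
 no ip access-group 102 in
 exit
end
write memory
!
! Existing translations for 192.168.1.x -> 192.168.2.x were built under the old
! list and survive the ACL change; flush them so the exemption applies now.
clear ip nat translation *
!
! Checks after a client connects and pings 192.168.1.51:
! phase 1 up when the state column reads QM_IDLE
show crypto isakmp sa
! #pkts encaps and #pkts decaps should both increase with each ping
show crypto ipsec sa
! there must be no entry translating 192.168.1.51 toward 192.168.2.x
show ip nat translations
! reverse-route installs a /32 static route for each connected client address
show ip route
! the deny line's match counter rises on LAN -> pool traffic
show access-lists 105
```

If the ping from the client still answers from 20.10.15.71 after this, the translation table is the first place to look: an entry for 192.168.1.51 with a 192.168.2.x destination means a packet reached the NAT stage before the deny line took effect.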
ASKER
You are the man! If I had more points to give, I would.
In fact, look here:
https://www.experts-exchange.com/questions/22739982/Cisco-1721-Router-Port-Mapping-and-VPN.html
ASKER
I also need to know how to setup port 80,25, etc for a private IP so I can use these services from the public side.