Solved

VPN client access Router cisco 837

Posted on 2008-10-13
1
509 Views
Last Modified: 2010-05-18
Hi,
I would like to setup remote vpn client access on my router. I have the software from cisco (vpn client). Previously I have setup vpn access on asa 5505, I used radius to authenticate the session with a windows 2003 server. This time I am using cisco 837 series and I would like to setup vpn client access, I really have no idea how to do this, there wont be a server to authenticate the session so I just want a basic username and password to connect in to  my network. I have attached a config, can anyone help? Also I have 2 vpn tunnels connecting into this network and none of them can gain access to our Lacie drive (10.11.1.3) can anyone see if my firewall may be blocking access as well? Thanks
Building configuration...
 

Current configuration : 5814 bytes

!

version 12.3

no service pad

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname RTR1

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$z9rX$ZH3myMhQ7t/j/Gb4bqOh.0

enable password password

!

clock timezone London 0

clock summer-time London date Mar 30 2003 1:00 Oct 26 2003 2:00

no aaa new-model

ip subnet-zero

ip dhcp excluded-address 10.11.1.1 10.11.1.99

!

ip dhcp pool Default

   import all

   network 10.11.1.0 255.255.255.0

   dns-server 194.72.0.114 62.6.40.162 

   default-router 10.11.1.1 

!

!

ip inspect name SDM_LOW cuseeme

ip inspect name SDM_LOW ftp

ip inspect name SDM_LOW h323

ip inspect name SDM_LOW icmp

ip inspect name SDM_LOW netshow

ip inspect name SDM_LOW rcmd

ip inspect name SDM_LOW realaudio

ip inspect name SDM_LOW rtsp

ip inspect name SDM_LOW sqlnet

ip inspect name SDM_LOW streamworks

ip inspect name SDM_LOW tftp

ip inspect name SDM_LOW tcp

ip inspect name SDM_LOW udp

ip inspect name SDM_LOW vdolive

ip ips po max-events 100

no ftp-server write-enable

!

!

username admin privilege 15 view root secret 5 $1$r3GO$v2o3/79JBJjz2TJmKC2ya0

!

! 

!

crypto isakmp policy 1

 encr 3des

 authentication pre-share

 group 2

crypto isakmp key password address 90.152.x.x

crypto isakmp key password address 82.69.x.x

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 

crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac 

!

crypto map SDM_CMAP_1 1 ipsec-isakmp 

 description Tunnel to90.152.x.x

 set peer 90.152.x.x

 set transform-set ESP-3DES-SHA 

 match address 102

crypto map SDM_CMAP_1 2 ipsec-isakmp 

 description Tunnel to82.69.x.x

 set peer 82.69.x.x

 set security-association lifetime seconds 86400

 set transform-set ESP-3DES-SHA1 

 match address 104

!

!

!

interface Ethernet0

 description $FW_INSIDE$

 ip address 10.11.1.1 255.255.255.0

 ip access-group 100 in

 ip nat inside

 ip virtual-reassembly

 hold-queue 100 out

!

interface ATM0

 no ip address

 no atm ilmi-keepalive

 dsl operating-mode auto

!

interface ATM0.1 point-to-point

 pvc 0/38 

  encapsulation aal5mux ppp dialer

  dialer pool-member 1

 !

!

interface FastEthernet1

 no ip address

 duplex auto

 speed auto

!

interface FastEthernet2

 no ip address

 duplex auto

 speed auto

!

interface FastEthernet3

 no ip address

 duplex auto

 speed auto

!

interface FastEthernet4

 no ip address

 duplex auto

 speed auto

!

interface Dialer0

 description $FW_OUTSIDE$

 ip address 213.120.x.x255.255.255.248

 ip access-group 101 in

 ip nat outside

 ip inspect SDM_LOW out

 ip virtual-reassembly

 encapsulation ppp

 dialer pool 1

 dialer-group 1

 ppp authentication chap callin

 ppp chap hostname User@isp

 ppp chap password 0 password

 crypto map SDM_CMAP_1

!

ip classless

ip route 0.0.0.0 0.0.0.0 Dialer0

ip http server

no ip http secure-server

ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip nat inside source static tcp 10.11.1.3 21 213.120.x.x21 extendable

!

!

access-list 1 remark INSIDE_IF=Ethernet0

access-list 1 remark SDM_ACL Category=2

access-list 1 permit 10.11.1.0 0.0.0.255

access-list 100 remark auto generated by SDM firewall configuration

access-list 100 remark SDM_ACL Category=1

access-list 100 deny   ip 213.120.112.136 0.0.0.7 any

access-list 100 deny   ip host 255.255.255.255 any

access-list 100 deny   ip 127.0.0.0 0.255.255.255 any

access-list 100 permit ip any any

access-list 101 remark auto generated by SDM firewall configuration

access-list 101 remark SDM_ACL Category=1

access-list 101 remark IPSec Rule

access-list 101 permit ip 10.12.1.0 0.0.0.255 10.11.1.0 0.0.0.255

access-list 101 permit udp host 82.69.x.x host 213.120.x.xeq non500-isakmp

access-list 101 permit udp host 82.69.x.x host 213.120.x.xeq isakmp

access-list 101 permit esp host 82.69.x.x host 213.120.112.140

access-list 101 permit ahp host 82.69.x.x host 213.120.112.140

access-list 101 remark IPSec Rule

access-list 101 permit ip 192.168.0.0 0.0.0.255 10.11.1.0 0.0.0.255

access-list 101 permit udp host 90.152.x.x host 213.120.x.xeq non500-isakmp

access-list 101 permit udp host 90.152.x.x host 213.120.x.xeq isakmp

access-list 101 permit esp host 90.152.x.x host 213.120.112.140

access-list 101 permit ahp host 90.152.x.x host 213.120.112.140

access-list 101 deny   ip 10.11.1.0 0.0.0.255 any

access-list 101 permit tcp any host 213.120.x.xeq ftp

access-list 101 permit icmp any host 213.120.x.xecho-reply

access-list 101 permit icmp any host 213.120.x.xtime-exceeded

access-list 101 permit icmp any host 213.120.x.xunreachable

access-list 101 deny   ip 10.0.0.0 0.255.255.255 any

access-list 101 deny   ip 172.16.0.0 0.15.255.255 any

access-list 101 deny   ip 192.168.0.0 0.0.255.255 any

access-list 101 deny   ip 127.0.0.0 0.255.255.255 any

access-list 101 deny   ip host 255.255.255.255 any

access-list 101 deny   ip host 0.0.0.0 any

access-list 101 deny   ip any any log

access-list 102 remark SDM_ACL Category=4

access-list 102 remark IPSec Rule

access-list 102 permit ip 10.11.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 103 remark SDM_ACL Category=2

access-list 103 remark IPSec Rule

access-list 103 deny   ip 10.11.1.0 0.0.0.255 10.12.1.0 0.0.0.255

access-list 103 remark IPSec Rule

access-list 103 deny   ip 10.11.1.0 0.0.0.255 192.168.0.0 0.0.0.255

access-list 103 permit ip 10.11.1.0 0.0.0.255 any

access-list 104 remark SDM_ACL Category=4

access-list 104 remark IPSec Rule

access-list 104 permit ip 10.11.1.0 0.0.0.255 10.12.1.0 0.0.0.255

dialer-list 1 protocol ip permit

route-map SDM_RMAP_1 permit 1

 match ip address 103

!

!

control-plane

!

!

line con 0

 no modem enable

line aux 0

line vty 0 4

 exec-timeout 120 0

 password password

 login

 length 0

!

scheduler max-task-time 5000

end

Open in new window

0
Comment
Question by:Dan560
1 Comment
 
LVL 5

Accepted Solution

by:
gratex_ssd earned 500 total points
ID: 22792164
0) you need to define authentication and authorization group
aaa authentication login Radius_authen group radius local
aaa authorization network Group_author local

0.5)  define VPNpool
ip local pool VPNpool 192.168.3.1 192.168.3.x

1) you need to define VPN group
crypto isakmp client configuration group VPNHiddenSharedSecret     (that will be Shared Secret in Cisco VPN client)
 key *****                    (that will be password in Cisco VPN client config)
 dns 192.168.x.x
 domain mydomain.local
 pool VPNpool
 include-local-lan
 netmask 255.255.255.0

2) you need extend your crypto map for dynamic vpn (like this)
crypto dynamic-map Adynmap 10
 set security-association idle-time 3600
 set transform-set ESP-3DES-SHA
 reverse-route
!
crypto map ACryptoMap client authentication list Radius_authen
crypto map ACryptoMap isakmp authorization list Group_author
crypto map ACryptoMap client configuration address respond
crypto map ACryptoMap 10 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-3DES-SHA
 match address 120
crypto map ACryptoMap 1000 ipsec-isakmp dynamic Adynmap

3) modify outside -> inside access-list for passing any/udp/500 and any/udp/4500 from utside
3.1) modify access-list 103 to deny nat from VPN clients to local LAN

4) last thing -> define radius server
radius-server host 192.168.x.x auth-port 1645 acct-port 1646 timeout 15 key 7 ****

Hope it was ste-by-step -> and you will succeeded...

Or read somthing at ciscohttp://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

It happens many times that access list (ACL) have to be applied to outgoing router interface in order to limit some traffic.This article is about how to test ACL from the router which is not very intuitive for everyone. Below scenario shows simple s…
I have seen some questions on problems with SSH/telnet access to Cisco routers that may occur despite the fact that from a PC connected to your LAN, Internet connectivity is in place and users can access Internet sites without any issues.  There are…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now