Cisco 871 Router as Dedicated VPN

hbrzezni
Hi

I have a network where I have

10.0.4.1 Netgear Layer 3 Switch, with DHCP Range 10.0.4.100 to 10.0.4.200, Default Gateway, 10.0.4.1, DNS Server: 10.0.4.11 (AD)

10.0.4.11 - MS AD Server
10.0.4.12 - MS Exchange server

Now I add a

10.0.4.2 - Cisco871-K9-SEC router to be used as a dedicated VPN Router through a separate internet line.

I have configured the router, with no DHCP, and a VPN Tunnel that works fine to dial in, and I can successfully ping the router on 10.0.4.2 from the outside

The problem is when I try to ping another device within the network. When I change the Default Gateway on one of the servers to be the Cisco router, ie 10.0.4.2, manually, I can ping the server from the outside via VPN. When the default gateway is changed back to what it should be, ie 10.0.4.1, I can no longer reach the device from the outside.

I am pretty sure that it is something to do with routing, but I am unsure what it is, and what I should do to make the inside network reachable from the outside.

Current configuration : 5461 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
no service dhcp
!
hostname LA-C871-1
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 $1$AxvR$xbllOrBd6Uiqrp8yc7ohT.
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local 
aaa authorization network sdm_vpn_group_ml_1 local 
!
aaa session-id common
!
resource policy
!
clock timezone PCTime 0
clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00
ip subnet-zero
no ip source-route
ip cef
!
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.0.4.1 10.0.4.99
ip dhcp excluded-address 10.0.4.201 10.0.4.254
!
ip dhcp pool sdm-pool1
   import all
   network 10.0.4.0 255.255.255.0
   dns-server 10.0.4.2 
   default-router 10.0.4.2 
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name mydomain.com
ip name-server 87.194.0.52
ip name-server 87.194.0.53
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto pki trustpoint TP-self-signed-914941922
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-914941922
 revocation-check none
 rsakeypair TP-self-signed-914941922
!
!
crypto pki certificate chain TP-self-signed-914941922
 certificate self-signed 01
  Certificate: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  quit
username xxxxxxx privilege 15 secret 5 XXXXXXXXXXX
!
! 
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group XXXXXXXXX
 key XXXXXXXXX
 dns 10.0.4.11
 pool SDM_POOL_1
 acl 100
 save-password
 include-local-lan
 netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac 
!
crypto dynamic-map SDM_DYNMAP_1 1
 set transform-set ESP-3DES-SHA 
 reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1 
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description $ES_WAN$$FW_OUTSIDE$
 ip address 94.195.197.152 255.255.248.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map SDM_CMAP_1
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$ES_LAN$$FW_INSIDE$
 ip address 10.0.4.2 255.255.255.0
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1452
!
ip local pool SDM_POOL_1 10.2.5.10
ip classless
ip route 0.0.0.0 0.0.0.0 94.195.192.1
!
ip dns server
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet4 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 10.0.4.0 0.0.0.255
access-list 100 remark SDM_ACL Category=4
access-list 100 permit ip 10.0.4.0 0.0.0.255 any
access-list 101 remark SDM_ACL Category=2
access-list 101 deny   ip 10.0.4.0 0.0.0.255 host 10.2.5.10
access-list 101 permit ip 10.0.4.0 0.0.0.255 any
no cdp run
!
route-map SDM_RMAP_1 permit 1
 match ip address 101
!
!
control-plane
!
banner login ^CAuthorized access only!
 Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end


Most Valuable Expert 2015

Commented:
On the machine(s) that you wish to access through the VPN, add the routes for 10.2.5.10 and 94.195.192.1 to the gateway 10.0.4.2.

route -p ADD 10.2.5.10 MASK 255.255.255.255 10.0.4.2
route -p ADD 94.195.192.0 MASK 255.255.255.252 10.0.4.2

http://www.howtogeek.com/howto/windows/adding-a-tcpip-route-to-the-windows-routing-table/

It would be better to add the route on the Netgear layer 3 switch.  Just route 10.2.5.10 to 10.2.4.2.
Most Valuable Expert 2015

Commented:
You can do that but it opens a security hole if traffic on the netgear is monitored.

Author

Commented:
Can I just add that 10.2.5.10 is just one IP address from the whole range of dynamically assigned IP addresses for the VPN Tunnel, ie they go from 10.2.5.10 to 10.2.5.200

I have tested the first option and it works fine, but would it be possible to get to see the whole main network (ie from 10.0.4.1 -> 10.0.4.254) without having to adjust each machine?
Most Valuable Expert 2015

Commented:
Not without bypassing security and adding the route in the netgear.

You can optionally use the vpn router as the default gateway for the machines and create a route-map to route vpn traffic locally and all other traffic to the netgear.

Author

Commented:
Jesper, I think your solution would be preferable.

How do I do this? Basically what I want to achieve is that all outgoing and incoming traffic goes via the Netgear switch on 10.0.4.1, and 10.0.4.2 would serve as VPN and tunnel, and now a new function of the default gateway.
Most Valuable Expert 2015

Commented:
Give me a few minutes and I'll put something together.
Most Valuable Expert 2015
Commented:
This should work.  Please try it with one PC (a VPN connection and a non-VPN connection).  I am going to give you two examples.  I have seen some equipment not route when the last route-map is set to the next hop of the default route of that device and others that require it.

-----------------------------------------------------------------
access-list 102 deny ip any 10.2.5.0 0.0.0.255
access-list 102 permit ip 10.0.4.0 0.0.0.255 any

route-map Network permit 10
 match ip address 102
 set ip next-hop 10.0.4.1

int Vlan1
 ip policy route-map Network

---------------------------------------------------------------------------------
access-list 102 deny ip any 10.2.5.0 0.0.0.255
access-list 102 permit ip 10.0.4.0 0.0.0.255 any
access-list 103 permit ip any 10.2.5.0 0.0.0.255


route-map Network permit 10
 match ip address 102
 set ip next-hop 10.0.4.1

route-map Network permit 20
 match ip address 103
 set ip next-hop 94.195.192.1

int Vlan1
 ip policy route-map Network
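Added example (not from the thread, and not Cisco code): a small Python model of how IOS evaluates ACLs 102/103 and the two route-map variants above, so you can check which next hop a given LAN flow gets before pushing the policy to the router. The flows and the script's tuple layout are constructed for illustration; it assumes the usual first-match ACL semantics with an implicit deny, and that a packet matching no route-map clause falls through to the normal routing table.

```python
import ipaddress

def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair (10.0.4.0 0.0.0.255) into a network.
    'any' covers everything; wildcard 0.0.0.0 (a 'host' entry) gives a /32."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    mask = ~int(ipaddress.ip_address(wildcard)) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.ip_address(mask)}", strict=False)

def acl_entry(action, src, src_wc, dst, dst_wc):
    return (action, wildcard_to_network(src, src_wc), wildcard_to_network(dst, dst_wc))

def acl_match(acl, src, dst):
    """Extended ACL semantics: first matching entry wins, implicit deny at the end."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in acl:
        if s in src_net and d in dst_net:
            return action == "permit"
    return False

def policy_next_hop(route_map, src, dst):
    """Walk the route-map permit clauses in sequence order; the first clause
    whose ACL permits the packet sets the next hop. None means no clause
    matched, so the packet falls back to the normal routing table."""
    for _seq, acl, next_hop in route_map:
        if acl_match(acl, src, dst):
            return next_hop
    return None

# The ACLs exactly as posted in the thread, in this script's tuple form.
ACL_102 = [acl_entry("deny", "any", None, "10.2.5.0", "0.0.0.255"),
           acl_entry("permit", "10.0.4.0", "0.0.0.255", "any", None)]
ACL_103 = [acl_entry("permit", "any", None, "10.2.5.0", "0.0.0.255")]

# First variant: one clause, so VPN-pool traffic falls through to the routing table.
ROUTE_MAP_V1 = [(10, ACL_102, "10.0.4.1")]
# Second variant: VPN-pool traffic is explicitly sent toward the ISP gateway,
# where the crypto map on FastEthernet4 encrypts it into the tunnel.
ROUTE_MAP_V2 = [(10, ACL_102, "10.0.4.1"), (20, ACL_103, "94.195.192.1")]

if __name__ == "__main__":
    # Constructed sample flows: AD server to the Internet and to a VPN client.
    for src, dst in [("10.0.4.11", "8.8.8.8"), ("10.0.4.11", "10.2.5.10")]:
        print(src, "->", dst, "v1:", policy_next_hop(ROUTE_MAP_V1, src, dst),
              "v2:", policy_next_hop(ROUTE_MAP_V2, src, dst))
```

Traffic between two hosts on 10.0.4.0/24 never reaches the router's Vlan1 policy at all, so the model only matters for flows leaving the subnet.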
I'm not clear on why adding a route to one's central router creates a security hole.  Can you explain that a bit more?
Most Valuable Expert 2015

Commented:
The goal is to limit the transit of non-encrypted traffic.

I don't see the point in the installation of a separate link/device for a VPN if one doesn't care that traffic transits a non-VPN routing device.  So, it's not the core router usage that's the problem, it is more staying with the original intent.
Seems to me the intent is to provide remote access via a dedicated Internet connection.

I suppose hbrzezni can determine that for himself.
