Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!
Cisco VPN's (Easy VPN?)
Hi,
I am trying to set up remote access VPN with a 1841 router as the server, but I am having trouble trying to work out what type of VPN connection i need?
Site to site connection I am OK with, this is remote pc's connecting in.
Easy VPN, ipsec L2TP, SSL VPN, SSL VPN web.... this list seems to go on...
In the digram below you can see that i have a 1841 with a number of internal networks. The only one I want the VPN CLIENTS to talk to is the 172.16.1.0 / 24 network. So ideally the VPN host would be assigned a IP address from this range, and run "split tunnel (??).
so any traffic it sends to a 172.16.1.x address is sent over the VPN to the network, and any other traffic is routed as normal out to the internet from the client.
My question is what's the best way to achieve this? I see there is a SSL web client, an SSL secure desk top client, the CISCO VPN client. AS well as the inbuilt windows VPN client?
The inside network is only a test environment that I have my CISCO lab set up in, and a few other staff have AD labs and other test networks. So we are all IT staff who need the VPN access. All I need is some suggesting how to set this up.
And also can I have the Clients assigned a IP address with in the 172.16.1.0/24 network range so the appear to have one connection inside that network (so can talk to the test equipment) and there local connection/wireless left as normal so the client can access there local network and the internet as normal?
The two links below are just some pages I have come across that I am sure I can use but I have to be careful as the 1841 runs a production web serve so I can't afford to get it wrong. This is why I am asking before I make any changes.
Thank you
http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/ezvpn.html
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml
VPN.jpg
I am trying to set up remote access VPN with a 1841 router as the server, but I am having trouble trying to work out what type of VPN connection i need?
Site to site connection I am OK with, this is remote pc's connecting in.
Easy VPN, ipsec L2TP, SSL VPN, SSL VPN web.... this list seems to go on...
In the digram below you can see that i have a 1841 with a number of internal networks. The only one I want the VPN CLIENTS to talk to is the 172.16.1.0 / 24 network. So ideally the VPN host would be assigned a IP address from this range, and run "split tunnel (??).
so any traffic it sends to a 172.16.1.x address is sent over the VPN to the network, and any other traffic is routed as normal out to the internet from the client.
My question is what's the best way to achieve this? I see there is a SSL web client, an SSL secure desk top client, the CISCO VPN client. AS well as the inbuilt windows VPN client?
The inside network is only a test environment that I have my CISCO lab set up in, and a few other staff have AD labs and other test networks. So we are all IT staff who need the VPN access. All I need is some suggesting how to set this up.
And also can I have the Clients assigned a IP address with in the 172.16.1.0/24 network range so the appear to have one connection inside that network (so can talk to the test equipment) and there local connection/wireless left as normal so the client can access there local network and the internet as normal?
The two links below are just some pages I have come across that I am sure I can use but I have to be careful as the 1841 runs a production web serve so I can't afford to get it wrong. This is why I am asking before I make any changes.
Thank you
http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/ezvpn.html
http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml
VPN.jpg
Who is Participating?
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
I wear a lot of hats...
"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.
Why Lan to Lan ?
I just want my remote clients to be able to access the 172.16.1.0/24 network segment on the inside?
I was just wondering if there is a way to assign remote clients and IP address from that subnet.
I'm not sure why you suggest lan to lan as this has to be available from a client PC to the 1841. Looking over Easy VPN and cisco VPN client I get the setting up of that.
What I am not so sure of is how does the VPN machine appear to the networks attached to the router.
what interface does the router see that interface as being on? on a straight forward router I can see how it works, but in this case the 1841 is running a fire wall.
so say I set the clients to pick an address from the range 192.168.10.0/24.
now currently the 172.16.1.0 /24 is isolated from the rest of the networks via the zone based fire wall. So how would I open it up so the 192.168.10.0 network and the 172.16.1.0 networks can talk. Normally you put the interfaces in the same zone, or put a policy between the zones.. but what Zone/interface do the incoming clients come under? The WAN interface the VPN requests are received on ?
Cheers
I just want my remote clients to be able to access the 172.16.1.0/24 network segment on the inside?
I was just wondering if there is a way to assign remote clients and IP address from that subnet.
I'm not sure why you suggest lan to lan as this has to be available from a client PC to the 1841. Looking over Easy VPN and cisco VPN client I get the setting up of that.
What I am not so sure of is how does the VPN machine appear to the networks attached to the router.
what interface does the router see that interface as being on? on a straight forward router I can see how it works, but in this case the 1841 is running a fire wall.
so say I set the clients to pick an address from the range 192.168.10.0/24.
now currently the 172.16.1.0 /24 is isolated from the rest of the networks via the zone based fire wall. So how would I open it up so the 192.168.10.0 network and the 172.16.1.0 networks can talk. Normally you put the interfaces in the same zone, or put a policy between the zones.. but what Zone/interface do the incoming clients come under? The WAN interface the VPN requests are received on ?
Cheers
Oh hold on, looking at the ip route I can see how it works!! the IP address assigned but the VPN group, is set as a route on the router with a next hop of the pc's public IP address...
so just put a policy between the outside interface and the inside network to allow the VPN network IP's to reach the internal network.
Cheers for the pointers though, think I got this now :)
so just put a policy between the outside interface and the inside network to allow the VPN network IP's to reach the internal network.
Cheers for the pointers though, think I got this now :)
Hello!
As you said you are looking for a remote client solution. EZVPN is a term more often used to refers hardware remote client connection to VPN endpoint. Vpn client is the name for the software based remote client that connect to a server. So the links that you post are a little bit unrelated.
SSL for this case is not very recommended (I can tell you why later if you want)
You should Use the Cisco Vpn client Solution OR L2TP over Ipsec (the built in windows)
Cisco Vpn client works with any Windows version 32 bits and the New Beta 64 bits just for Windows 7.
But you can also use open ipsec client like:www.shrew.net
The problem with L2TP is that by default the connection is "tunnel all"
But there is some workarounds that seem to permit split tunneling, other than that the client will try to send all the traffic over the tunnel with this solution the only possibility to keep the VPN connection is to PAT the Internet connection on the router.
Is not suggested to have the vpn client and get and IP from the same Vlan that you want to access that is call overlapping network. Check the reference for: (anyway for security reason is not suggested either) Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
http://www.ciscohelp.info/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
The best example with your design
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example
https://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml
Configuring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Some other Suggestions.
Create an outage windows to do the changes if something fails do not save anything and just reload.
Also you are good enough with GNS3 you can reproduce this in a LAB environment.
As you said you are looking for a remote client solution. EZVPN is a term more often used to refers hardware remote client connection to VPN endpoint. Vpn client is the name for the software based remote client that connect to a server. So the links that you post are a little bit unrelated.
SSL for this case is not very recommended (I can tell you why later if you want)
You should Use the Cisco Vpn client Solution OR L2TP over Ipsec (the built in windows)
Cisco Vpn client works with any Windows version 32 bits and the New Beta 64 bits just for Windows 7.
But you can also use open ipsec client like:www.shrew.net
The problem with L2TP is that by default the connection is "tunnel all"
But there is some workarounds that seem to permit split tunneling, other than that the client will try to send all the traffic over the tunnel with this solution the only possibility to keep the VPN connection is to PAT the Internet connection on the router.
Is not suggested to have the vpn client and get and IP from the same Vlan that you want to access that is call overlapping network. Check the reference for: (anyway for security reason is not suggested either) Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
http://www.ciscohelp.info/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml
The best example with your design
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example
https://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml
Configuring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml
Some other Suggestions.
Create an outage windows to do the changes if something fails do not save anything and just reload.
Also you are good enough with GNS3 you can reproduce this in a LAB environment.
Experts Exchange Solution brought to you by
Your issues matter to us.
Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.
Start your 7-day free trial--------------------------
That is called nat bypass and you can do something like this as well:
Example:
!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.
ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any
Yep that looks like the one :)
I also looked at a few CBT nugget videos on remote client VPN and that has cleared it up a lot in my mind.
So I think this should be fine. The only thing I am not sure of now is about how to force specific user names to use a specific group.
so if I have user A and user B
and VPN groups X and Y
how do I actual force A to use X and B to use Y... but this is something I will play around with.
Any way got it running on GNS3 at the moment so I will Play around with it there for a bit.
Cheers
I also looked at a few CBT nugget videos on remote client VPN and that has cleared it up a lot in my mind.
So I think this should be fine. The only thing I am not sure of now is about how to force specific user names to use a specific group.
so if I have user A and user B
and VPN groups X and Y
how do I actual force A to use X and B to use Y... but this is something I will play around with.
Any way got it running on GNS3 at the moment so I will Play around with it there for a bit.
Cheers
As far as I know there is no way to do it with just the router... with the ASA you have more options...
User A and B are just valid users for extended authentication.
In theory only user A will have the pre-shared key for group X.
The same for user B and group Y.
But what you can do is that depending of the user you could inject based on authorization certain rules, but you will need to install a AAA server to handle that for example the CISCO ACS.
User A and B are just valid users for extended authentication.
In theory only user A will have the pre-shared key for group X.
The same for user B and group Y.
But what you can do is that depending of the user you could inject based on authorization certain rules, but you will need to install a AAA server to handle that for example the CISCO ACS.
yer I haven't worked it out yet, but in the SDM there is a tick box that goes on about locking users to a group?
I haven't even played with that yet or looked how its set up but i did see there is a aaa authentication method for it.
I am actuly setting up ACS over the coming weeks, however unfortunately it will be on a completly air gaped network :( so wont be much use.. but I do have radius server on this network two sso I might look in to that,
I saw some where the user has to authenticate with some thing like
username@group so i will see what's that all about some time.
For now still playing around with it. got the VPN part working, now rebuilding all the firewall and nat rules of the production network (or as much as i need) in GNS3 to make sure its works through that
Cheers for all the help
Aaron
I haven't even played with that yet or looked how its set up but i did see there is a aaa authentication method for it.
I am actuly setting up ACS over the coming weeks, however unfortunately it will be on a completly air gaped network :( so wont be much use.. but I do have radius server on this network two sso I might look in to that,
I saw some where the user has to authenticate with some thing like
username@group so i will see what's that all about some time.
For now still playing around with it. got the VPN part working, now rebuilding all the firewall and nat rules of the production network (or as much as i need) in GNS3 to make sure its works through that
Cheers for all the help
Aaron
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN
From novice to tech pro — start learning today.
Experts Exchange Solution brought to you by
Enjoy your complimentary solution view.
Get every solution instantly with Premium.
Start your 7-day free trial.
In this case you need L2L vpn:
http://www.cisco-tips.com/lan-to-lan-ipsec-vpn-between-two-cisco-routers/
Best regards
Istvan