Cisco VPN's (Easy VPN?)

Hi,

I am trying to set up remote access VPN with a 1841 router as the server, but I am having trouble trying to work out what type of VPN connection i need?

Site to site connection I am OK with, this is remote pc's connecting in.

Easy VPN, ipsec L2TP, SSL VPN, SSL VPN web.... this list seems to go on...

In the digram below you can see that i have a 1841 with a number of internal networks. The only one I want the VPN CLIENTS to talk to is the 172.16.1.0 / 24 network. So ideally the VPN host would be assigned a IP address from this range, and run "split tunnel (??).

so any traffic it sends to a 172.16.1.x address is sent over the VPN to the network, and any other traffic is routed as normal out to the internet from the client.

My question is what's the best way to achieve this? I see there is a SSL web client, an SSL secure desk top client, the CISCO VPN client. AS well as the inbuilt windows VPN client?

The inside network is only a test environment that I have my CISCO lab set up in, and a few other staff have AD labs and other test networks. So we are all IT staff who need the VPN access. All I need is some suggesting how to set this up.

And also can I have the Clients assigned a IP address with in the 172.16.1.0/24 network range so the appear to have one connection inside that network (so can talk to the test equipment) and there local connection/wireless left as normal so the client can access there local network and the internet as normal?

The two links below are just some pages I have come across that I am sure I can use but I have to be careful as the 1841 runs a production web serve so I can't afford to get it wrong. This is why I am asking before I make any changes.

Thank you

http://www.cisco.com/en/US/docs/routers/access/1800/1841/software/configuration/guide/ezvpn.html

http://www.cisco.com/en/US/products/sw/secursw/ps2308/products_configuration_example09186a008032b637.shtml
VPN.jpg
LVL 16
Aaron StreetInfrastructure ManagerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Istvan KalmarHead of IT Security Division Commented:
Hi,

In this case you need L2L vpn:
http://www.cisco-tips.com/lan-to-lan-ipsec-vpn-between-two-cisco-routers/

Best regards
Istvan
0
Aaron StreetInfrastructure ManagerAuthor Commented:
Why Lan to Lan ?

I just want my remote clients to be able to access the 172.16.1.0/24 network segment on the inside?

I was just wondering if there is a way to assign remote clients and IP address from that subnet.

I'm not sure why you suggest lan to lan as this has to be available from a client PC to the 1841. Looking over Easy VPN and cisco VPN client I get the setting up of that.

What I am not so sure of is how does the VPN machine appear to the networks attached to the router.

what interface does the router see that interface as being on? on a straight forward router I can see how it works, but in this case the 1841 is running a fire wall.

so say I set the clients to pick an address from the range 192.168.10.0/24.

now currently the 172.16.1.0 /24 is isolated from the rest of the networks via the zone based fire wall. So how would I open it up so the 192.168.10.0 network and the 172.16.1.0 networks can talk. Normally you put the interfaces in the same zone, or put a policy between the zones.. but what Zone/interface do the incoming clients come under? The WAN interface the VPN requests are received on ?

Cheers
0
Aaron StreetInfrastructure ManagerAuthor Commented:
or could I set up a tunnel / virtual interface and use that in the policys?
0
The Ultimate Tool Kit for Technolgy Solution Provi

Broken down into practical pointers and step-by-step instructions, the IT Service Excellence Tool Kit delivers expert advice for technology solution providers. Get your free copy for valuable how-to assets including sample agreements, checklists, flowcharts, and more!

Aaron StreetInfrastructure ManagerAuthor Commented:
Oh hold on, looking at the ip route I can see how it works!! the IP address assigned but the VPN group, is set as a route on the router with a next hop of the pc's public IP address...

so just put a policy between the outside interface and the inside network to allow the VPN network IP's to reach the internal network.

Cheers for the pointers though, think I got this now :)
0
geergonCommented:
Hello!

As you said you are looking for a remote client solution. EZVPN is a  term more often used to refers hardware remote client connection to VPN endpoint. Vpn client is the name for the software based remote client that connect to a server. So the links that you post are a little bit unrelated.

SSL for this case is not very recommended (I can tell you why later if you want)

You should Use the Cisco Vpn client Solution OR L2TP over Ipsec (the built in windows)
Cisco Vpn client works with any Windows version 32 bits and the New Beta 64 bits just for Windows 7.
But you can also use open ipsec client like:www.shrew.net

The problem with L2TP is that by default the connection is "tunnel all"
But there is some workarounds that seem to permit split tunneling, other than that the client will try to send all the traffic over the tunnel with this solution the only possibility to keep the VPN connection is to PAT the Internet connection on the router.

Is not suggested to have the vpn client and get and IP from the same Vlan that you want to access that is call overlapping network. Check the reference for: (anyway for security reason is not suggested either) Most Common L2L and Remote Access IPSec VPN Troubleshooting Solutions
http://www.ciscohelp.info/en/US/products/ps6120/products_tech_note09186a00807e0aca.shtml

The best example with your design
Router Allows VPN Clients to Connect IPsec and Internet Using Split Tunneling Configuration Example
https://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a0080819289.shtml

Configuring an IPsec Router Dynamic LAN-to-LAN Peer and VPN Clients
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801dddbb.shtml

Some other Suggestions.
Create an outage windows to do the changes if something fails do not save anything and just reload.
Also you are good enough with GNS3 you can reproduce this in a LAB environment.

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
geergonCommented:

----------------------------------------------------------------------

That is called nat bypass and you can do something like this as well:

Example:

!--- Enables Network Address Translation (NAT)
!--- of the inside source address that matches access list 111
!--- and gets PATed with the FastEthernet IP address.

ip nat inside source list 111 interface FastEthernet1/0 overload
!
!--- The access list is used to specify which traffic
!--- is to be translated for the outside Internet.
 
access-list 111 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 111 permit ip any any

0
Istvan KalmarHead of IT Security Division Commented:
ok, if you want client VPN please  provide us the config and we help you to make VPN server
0
Aaron StreetInfrastructure ManagerAuthor Commented:
Yep that looks like the one :)

I also looked at a few CBT nugget videos on remote client VPN and that has cleared it up a lot in my mind.

So I think this should be fine. The only thing I am not sure of now is about how to force specific user names to use a specific group.

so if I have user A and user B

and VPN groups X and Y

how do I actual force A to use X and B to use Y... but this is something I will play around with.

Any way got it running on GNS3 at the moment so I will Play around with it there for a bit.

Cheers
0
geergonCommented:
As far as I know there is no way to do it with just the router... with the ASA you have more options...

User A and B are just valid users for extended authentication.
In theory only user A will have the pre-shared key for group X.
The same for user B and group Y.

But what you can do is that depending of the user you could inject based on authorization certain rules, but you will need to install a AAA server to handle that for example the CISCO ACS.
0
Aaron StreetInfrastructure ManagerAuthor Commented:
yer I haven't worked it out yet, but in the SDM there is a tick box that goes on about locking users to a group?

I haven't even played with that yet or looked how its set up but i did see there is a aaa authentication method for it.

I am actuly setting up ACS over the coming weeks, however unfortunately it will be on a completly air gaped  network :( so wont be much use.. but I do have radius server on this network two sso I might look in to that,

I saw some where the user has to authenticate with some thing like

username@group so i will see what's that all about some time.

For now still playing around with it. got the VPN part working, now rebuilding all the firewall and nat rules of the production network (or as much as i need) in GNS3 to make sure its works through that

Cheers for all the help

Aaron
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
VPN

From novice to tech pro — start learning today.