Solved

Cisco 1760 VPN Setup

Posted on 2011-09-03
Last Modified: 2012-06-22
Hello All :)
I have a Cisco 1760 router that I would like to set up as a VPN server.  The configuration looks like this:
                                                                                       
Cable Modem --> Cisco 1760 Router --> Cisco PIX 520 --> Inside network and DMZ

I'd like to set up a VPN server so I can dial into it from my van through an internet card that I have from Sprint.  I would like to use Cisco's VPN software to connect from a laptop in my work van but I don't know how to set up the router to accept connections.  I have a static IP address and I've attached text files containing the configs of each appliance.  Once that is done, I need to be able to access a computer on the inside network.  If someone could help me it would be great.  It's kind of time sensitive so the faster the better, and seeing how I'm not the best at this, actual commands would be extremely helpful so all I have to do is copy and paste.  Thanks everyone for all your help. My Network Configuration Router.txt PIX-520.txt
0
Comment
Question by:Music_Man608
32 Comments
 
LVL 37

Expert Comment

by:ArneLovius
ID: 36479165
If you just have a single static address on the router, why do you have the router between the cable modem and the PIX ?

It would be simpler to remove the router from the config and just have the PIX, then you could use the VPN capabilities of the PIX...

In either event, you will need to use the Cisco IPSec client. What version of Windows are you currently running ? And do you have the VPN client ?
0
 
LVL 15

Expert Comment

by:greg ward
ID: 36479580
System image file is "flash:c1700-ipbase-mz.123-6c.bin"

cisco 1760 (MPC860P) processor (revision 0x500) with 55642K/9894K bytes of memory.
link to which feature set does what

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/prod_bulletin09186a00801af451.html
So your cisco router cannot do vpn and might need a ram upgrade as well as a new ios.
I like the above idea more and more.

Greg
0
 

Author Comment

by:Music_Man608
ID: 36480510
I put the router in the equation simply to learn how to use it.  Eventually I was going to subscribe to a VoIP service and learn to set that up by connecting my router to another router at another site.  In the current config, is there any way to set the PIX up to do the VPN?  I like that idea too but I don't necessarily want to remove the router.
0

 
LVL 37

Expert Comment

by:ArneLovius
ID: 36480524
If you want to learn more about how to configure a router, I'd suggest having it inside your network, not in "production".

IPSec can travel over NAT, but it is simpler if it does not.

From the two configurations that you have posted, the router is not adding anything to your security.
0
 

Author Comment

by:Music_Man608
ID: 36480634
Ok, so I'll remove the router but can you tell me what the commands would be to set a VPN up on my PIX?
0
 

Author Comment

by:Music_Man608
ID: 36533334
Let me ask you this:  Can you tell me how to set the VPN up on the PIX, but going through the router?  Like what would I need to do to the router to let the PIX handle the VPN, and what would I need to do to the PIX to set up the VPN?  Thanks.
0
 

Author Comment

by:Music_Man608
ID: 36989402
Can you try something to assist in getting an answer?  I just renewed my membership again just for the purpose of getting this dilemma solved.  Thanks.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 36991039
As per my previous, if you have the router terminating your Internet connection, you will not be able to have the PIX terminating VPNs "behind" it.
0
 

Author Comment

by:Music_Man608
ID: 37014919
Why can't I have the router act as the VPN server?
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 37015017
as above from here http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/prod_bulletin09186a00801af451.html

you have IP Base

IP Base is a baseline set of Cisco IOS Software services required to operate a Cisco IOS Router in a data environment. It includes technologies such as DSL connectivity, Ethernet Switching modules, 802.1q routing, and trunking on Ethernet interfaces. The Cisco IOS Software features and services in IP Base will be "inherited" in all the packages listed below. Additionally, IP Base will be the default image for most Cisco IOS Routers.

this does not include VPN capability
0
 

Author Comment

by:Music_Man608
ID: 37015245
Ok so if I remove the router, what are the commands I would use to set the PIX up as a VPN server?
0
 

Author Comment

by:Music_Man608
ID: 37165789
I am not going to award any points at all.  The responses are too sporadic and if I needed something else to complete my task then I would think one of the "experts" would tell me.  Instead I am simply told that it cannot be done even though I can go to my work and stand in my data center and see exactly what it is that I'm trying to accomplish.  The reason I joined and pay for this membership is to get these exact answers.  Since I cannot get any answers I am cancelling my membership only this time I will not return.  To me the problem is difficult, to an "expert" this should be easy but I keep getting the same answer "it can't be done".
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37213835
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 

Author Comment

by:Music_Man608
ID: 37213836
Before you close the question, maybe someone out there can explain to me how an entire agency in Cleveland Ohio is doing exactly what I'm asking?  So far the experts here in this forum tell me that what I'm asking cannot be done yet it's done all over the world.  It's nothing special I just don't have the education to complete the task which is why I came here.  Just think about it, how to pass right through the router and terminate the VPN at the PIX.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214012
Ok, let me switch from cleaning mode to answering mode and have a look.

Try adding the following to your PIX config:

access-list split_tunnel_vpn permit ip 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_nonat permit ip 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool1 192.168.1.1-192.168.1.254
nat (inside) 0 access-list vpn_nonat
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool1
vpngroup mygroup dns-server 192.168.35.x
vpngroup mygroup wins-server 192.168.35.y
vpngroup mygroup default-domain mydomain.com
vpngroup mygroup split-tunnel split_tunnel_vpn
vpngroup mygroup idle-time 1800
vpngroup mygroup password mypassword


The bold parts you will need to replace with your own values or leave the lines out if you don't have them (except for the password line of course ;)

With this setup you should be able to connect using a cisco secure vpn client. Just leave the router out for now.

Let me know if this works (and if you have any questions).
0
 

Author Comment

by:Music_Man608
ID: 37214042
Thank you so very much, I will get back to you once I complete this.  I have to back up the PIX first and to do that I have to set up my TFTP server again so give me a little while but I'm all over it.  Thanks again.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214175
No problem, I'll be here.
Just let me know if you run into any problems (also if you don't :)
0
 

Author Comment

by:Music_Man608
ID: 37214324
So far the only thing it didn't like was the encryption method.  I changed it to DES and it worked fine.  I'm going to set up the client on my laptop and try logging in.  By the way, is there a user id and password / group password I need to add?  Thanks.
0
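
An added example, not part of the thread and not code posted by any participant: a small Python check that reads PIX 6.x style crypto lines like those in the answer above and flags weak choices, including the DES fallback mentioned in the last comment. The sample config is constructed (it assumes the DES change was applied to both the IKE policy and the transform set), and the sets of "weak" values are this example's own policy, not a Cisco list.

```python
import re

# Constructed sample: crypto lines from the answer above, with encryption
# switched to DES (assumption: both IKE policy and transform set changed).
SAMPLE_CONFIG = """\
crypto ipsec transform-set trmset1 esp-des esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup password mypassword
"""

# Example policy (an assumption of this sketch): single DES, MD5 and
# Diffie-Hellman groups 1 and 2 (768/1024-bit MODP) are treated as weak.
WEAK_IKE = {"encryption": {"des"}, "hash": {"md5"}, "group": {"1", "2"}}
WEAK_ESP = {"esp-des", "esp-null", "esp-md5-hmac"}
PLACEHOLDER_SECRETS = {"mypassword", "password", "cisco"}


def audit_pix_crypto(config):
    """Return a list of findings for weak IKE/IPsec settings."""
    findings = []
    for line in config.splitlines():
        words = line.split()
        m = re.match(r"isakmp policy (\d+) (\w+) (\S+)", line.strip())
        if m and m.group(3) in WEAK_IKE.get(m.group(2), ()):
            findings.append(
                f"IKE policy {m.group(1)}: weak {m.group(2)} '{m.group(3)}'")
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            # words[3] is the set name, the rest are its transforms
            for transform in words[4:]:
                if transform in WEAK_ESP:
                    findings.append(
                        f"transform-set {words[3]}: weak transform '{transform}'")
        elif len(words) == 4 and words[0] == "vpngroup" and words[2] == "password":
            # A template password left unchanged is a shared secret anyone can guess
            if words[3].lower() in PLACEHOLDER_SECRETS:
                findings.append(f"vpngroup {words[1]}: placeholder group password")
    return findings


if __name__ == "__main__":
    for finding in audit_pix_crypto(SAMPLE_CONFIG):
        print(finding)
```
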
 

Author Comment

by:Music_Man608
ID: 37214459
Would you by chance have the Cisco VPN Client for Windows 7 64 bit that I could possibly get from you?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214487
Ehr, as a matter of fact I do. But we're not allowed to post links here besides links to official sources. Perhaps we can arrange another way?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214528
Oh didn't read your other post.
You use mygroup and mypassword as configured in the vpngroup line.
0
 

Author Comment

by:Music_Man608
ID: 37214705
Can you send it to an email address?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214776
Officially not.
But I can't do anything about it if you still post it here ;)
0
 

Author Comment

by:Music_Man608
ID: 37214942
Universal Lock & Key (330) 483-2200 if you're available.  I have other config problems too big to keep typing here.  Thanks.
0
 

Author Comment

by:Music_Man608
ID: 37215097
Disregard that last one.  I'm making headway but my cable company blocks everything incoming up to port 1024.  Is there anything I can do to make all this happen on a higher port?  PIX and/or client?  A Cisco tech did it once before years ago for me and I can't seem to locate that config file although I'm looking diligently.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 2000 total points
ID: 37215410
Just change providers ;)
I have a serious @#$%& issue with providers that decide those things for me.
Anyway, there might be possibilities. I'll have to dig into that first.
0
 

Author Closing Comment

by:Music_Man608
ID: 37350805
Nothing seems to be working.  I'll follow your advice and remove the router from the equation and then repost another question.  Sorry for wasting everyone's time.

-Glenn
0


Question has a verified solution.
