Solved

Cisco 1760 VPN Setup

Posted on 2011-09-03
Last Modified: 2012-06-22
Hello All :)
I have a Cisco 1760 router that I would like to set up as a VPN server.  The configuration looks like this:
                                                                                       
Cable Modem --> Cisco 1760 Router --> Cisco PIX 520 --> Inside network and DMZ

I'd like to set up a VPN server so I can dial into it from my van through an internet card that I have from Sprint.  I would like to use Cisco's VPN software to connect from a laptop in my work van but I don't know how to set up the router to accept connections.  I have a static IP address and I've attached text files containing the configs of each appliance.  Once that is done, I need to be able to access a computer on the inside network.  If someone could help me it would be great.  It's kind of time sensitive so the faster the better, and seeing how I'm not the best at this, actual commands would be extremely helpful so all I have to do is copy and paste.  Thanks everyone for all your help. My Network Configuration Router.txt PIX-520.txt
Question by:Music_Man608
 
LVL 36

Expert Comment

by:ArneLovius
ID: 36479165
If you just have a single static address on the router, why do you have the router between the cable modem and the PIX ?

It would be simpler to remove the router from the config and just have the PIX, then you could use the VPN capabilities of the PIX...

In either event, you will need to use the Cisco IPSec client. What version of Windows are you currently running ? And do you have the VPN client ?
0
 
LVL 15

Expert Comment

by:deepdraw
ID: 36479580
System image file is "flash:c1700-ipbase-mz.123-6c.bin"

cisco 1760 (MPC860P) processor (revision 0x500) with 55642K/9894K bytes of memory.
link to which feature set does what

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/prod_bulletin09186a00801af451.html
So your Cisco router cannot do VPN and might need a RAM upgrade as well as a new IOS.
I like the above idea more and more.

Greg
0
 

Author Comment

by:Music_Man608
ID: 36480510
I put the router in the equation simply to learn how to use it.  Eventually I was going to subscribe to a VoIP service and learn to set that up by connecting my router to another router at another site.  In the current config, is there any way to set the PIX up to do the VPN?  I like that idea too but I don't necessarily want to remove the router.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 36480524
If you want to learn more about how to configure a router, I'd suggest having it inside your network, not in "production".

IPSec can travel over NAT, but it is simpler if it does not.

From the two configurations that you have posted, the router is not adding anything to your security.
0
 

Author Comment

by:Music_Man608
ID: 36480634
Ok, so I'll remove the router but can you tell me what the commands would be to set a VPN up on my PIX?
0
 

Author Comment

by:Music_Man608
ID: 36533334
Let me ask you this:  Can you tell me how to set the VPN up on the PIX, but going through the router?  Like what would I need to do to the router to let the PIX handle the VPN, and what would I need to do to the PIX to set up the VPN?  Thanks.
0
 

Author Comment

by:Music_Man608
ID: 36989402
Can you try something to assist in getting an answer?  I just renewed my membership again just for the purpose of getting this dilemma solved.  Thanks.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 36991039
As per my previous, if you have the router terminating your Internet connection, you will not be able to have the PIX terminating VPNs "behind" it.
0
 

Author Comment

by:Music_Man608
ID: 37014919
Why can't I have the router act as the VPN server?
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 37015017
as above from here http://www.cisco.com/en/US/prod/collateral/iosswrel/ps8802/ps5460/prod_bulletin09186a00801af451.html

you have IP Base

IP Base is a baseline set of Cisco IOS Software services required to operate a Cisco IOS Router in a data environment. It includes technologies such as DSL connectivity, Ethernet Switching modules, 802.1q routing, and trunking on Ethernet interfaces. The Cisco IOS Software features and services in IP Base will be "inherited" in all the packages listed below. Additionally, IP Base will be the default image for most Cisco IOS Routers.

this does not include VPN capability
0
 

Author Comment

by:Music_Man608
ID: 37015245
Ok so if I remove the router, what are the commands I would use to set the PIX up as a VPN server?
0
 

Author Comment

by:Music_Man608
ID: 37165789
I am not going to award any points at all.  The responses are too sporadic and if I needed something else to complete my task then I would think one of the "experts" would tell me.  Instead I am simply told that it cannot be done even though I can go to my work and stand in my data center and see exactly what it is that I'm trying to accomplish.  The reason I joined and pay for this membership is to get these exact answers.  Since I cannot get any answers I am cancelling my membership only this time I will not return.  To me the problem is difficult, to an "expert" this should be easy but I keep getting the same answer "it can't be done".
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37213835
I've requested that this question be deleted for the following reason:

This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
 

Author Comment

by:Music_Man608
ID: 37213836
Before you close the question, maybe someone out there can explain to me how an entire agency in Cleveland, Ohio is doing exactly what I'm asking?  So far the experts here in this forum tell me that what I'm asking cannot be done yet it's done all over the world.  It's nothing special I just don't have the education to complete the task which is why I came here.  Just think about it, how to pass right through the router and terminate the VPN at the PIX.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214012
Ok, let me switch from cleaning mode to answering mode and have a look.

Try adding the following to your PIX config:

access-list split_tunnel_vpn permit ip 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_nonat permit ip 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool1 192.168.1.1-192.168.1.254
nat (inside) 0 access-list vpn_nonat
sysopt connection permit-ipsec
crypto ipsec transform-set trmset1 esp-aes-256 esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
crypto map map1 interface outside
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup mygroup address-pool vpnpool1
vpngroup mygroup dns-server 192.168.35.x
vpngroup mygroup wins-server 192.168.35.y
vpngroup mygroup default-domain mydomain.com
vpngroup mygroup split-tunnel split_tunnel_vpn
vpngroup mygroup idle-time 1800
vpngroup mygroup password mypassword


The bold parts you will need to replace with your own values or leave the lines out if you don't have them (except for the password line of course ;)

With this setup you should be able to connect using a cisco secure vpn client. Just leave the router out for now.

Let me know if this works (and if you have any questions).
0
 

Author Comment

by:Music_Man608
ID: 37214042
Thank you so very much, I will get back to you once I complete this.  I have to back up the PIX first and to do that I have to set up my TFTP server again so give me a little while but I'm all over it.  Thanks again.
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214175
No problem, I'll be here.
Just let me know if you run into any problems (also if you don't :)
0
 

Author Comment

by:Music_Man608
ID: 37214324
So far the only thing it didn't like was the encryption method.  I changed it to DES and it worked fine.  I'm going to set up the client on my laptop and try logging in.  By the way, is there a user id and password / group password I need to add?  Thanks.
0
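
A pre-paste check for the configuration discussed in this thread, added here as an example and not code from any poster: it confirms that every ACL, pool, transform-set and dynamic-map that is referenced is also defined, that the client pool lies inside the destination network of the ACLs the VPN uses, and it flags single DES (56-bit keys) and Diffie-Hellman groups 1 and 2. The `audit` function, its rule tables and the sample (the posted lines with DES substituted in both the IKE policy and the transform-set, which is an assumption about how the change was applied) are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample: lines from the posted config, AES-256 replaced by DES.
SAMPLE = """\
access-list split_tunnel_vpn permit ip 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list vpn_nonat permit ip 192.168.35.0 255.255.255.0 192.168.1.0 255.255.255.0
ip local pool vpnpool1 192.168.1.1-192.168.1.254
nat (inside) 0 access-list vpn_nonat
crypto ipsec transform-set trmset1 esp-des esp-sha-hmac
crypto dynamic-map map2 10 set transform-set trmset1
crypto map map1 10 ipsec-isakmp dynamic map2
isakmp policy 10 encryption des
isakmp policy 10 group 2
vpngroup mygroup address-pool vpnpool1
vpngroup mygroup split-tunnel split_tunnel_vpn
"""
RULES = [  # (object, pattern that defines a name, patterns that reference one)
    ("ACL", r"access-list (\S+) ", [r"nat .* 0 access-list (\S+)", r"vpngroup \S+ split-tunnel (\S+)"]),
    ("pool", r"ip local pool (\S+) ", [r"vpngroup \S+ address-pool (\S+)"]),
    ("transform-set", r"crypto ipsec transform-set (\S+) ", [r"crypto dynamic-map .* transform-set (\S+)"]),
    ("dynamic-map", r"crypto dynamic-map (\S+) ", [r"crypto map .* dynamic (\S+)"]),
]
WEAK = [  # settings too weak for a new deployment
    (r"isakmp policy \d+ encryption des$", "IKE encryption is single DES"),
    (r"isakmp policy \d+ group [12]$", "IKE DH group is 1024 bits or smaller"),
    (r"crypto ipsec transform-set \S+ .*\besp-des\b", "IPsec transform is single DES"),
]

def audit(config):
    """Return findings for a PIX 6.x style remote-access VPN config."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    found, refs = [], {}
    for what, dpat, rpats in RULES:
        names = {m.group(1) for l in lines if (m := re.match(dpat, l))}
        refs[what] = {(m.group(1), l) for l in lines for p in rpats if (m := re.match(p, l))}
        found += [f"undefined {what} '{n}' in: {l}" for n, l in sorted(refs[what]) if n not in names]
    found += [f"{msg}: {l}" for pat, msg in WEAK for l in lines if re.match(pat, l)]
    # The client pool must sit inside the destination network of each ACL the VPN uses.
    used_acls = {n for n, _ in refs["ACL"]}
    pools = [m.groups() for l in lines if (m := re.match(r"ip local pool (\S+) ([\d.]+)-([\d.]+)$", l))]
    for l in lines:
        m = re.match(r"access-list (\S+) permit ip \S+ \S+ ([\d.]+) ([\d.]+)$", l)
        if m and m.group(1) in used_acls:
            dst = ipaddress.ip_network(f"{m.group(2)}/{m.group(3)}")
            found += [f"pool {n} is outside {dst} (ACL {m.group(1)})" for n, lo, hi in pools
                      if not all(ipaddress.ip_address(a) in dst for a in (lo, hi))]
    return found
```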
 

Author Comment

by:Music_Man608
ID: 37214459
Would you by chance have the Cisco VPN Client for Windows 7 64 bit that I could possibly get from you?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214487
Ehr, as a matter of fact I do. But we're not allowed to post links here besides links to official sources. Perhaps we can arrange another way?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214528
Oh didn't read your other post.
You use mygroup and mypassword as configured in the vpngroup line.
0
 

Author Comment

by:Music_Man608
ID: 37214705
Can you send it to an email address?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 37214776
Officially not.
But I can't do anything about it if you still post it here ;)
0
 

Author Comment

by:Music_Man608
ID: 37214942
Universal Lock & Key (330) 483-2200 if you're available.  I have other config problems too big to keep typing here.  Thanks.
0
 

Author Comment

by:Music_Man608
ID: 37215097
Disregard that last one.  I'm making headway but my cable company blocks everything incoming up to port 1024.  Is there anything I can do to make all this happen on a higher port?  PIX and/or client?  A Cisco tech did it once before years ago for me and I can't seem to locate that config file although I'm looking diligently.
0
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 500 total points
ID: 37215410
Just change providers ;)
I have a serious @#$%& issue with providers that decide those things for me.
Anyway, there might be possibilities. I'll have to dig into that first.
0
 

Author Closing Comment

by:Music_Man608
ID: 37350805
Nothing seems to be working.  I'll follow your advice and remove the router from the equation and then repost another question.  Sorry for wasting everyone's time.

-Glenn
0
