
Cisco 1841 VPN Pool - Change local IP Address

RLComputing asked:
Hi Experts,

I have a cisco 1841 setup with a VPN that our remote users connect to. Currently the VPN Pool is 50 addresses but it's not enough. Due to the size of the network, I can't expand the VPN Pool anymore. Here is the current config:
interface Virtual-Template1
 ip unnumbered Serial0/1/0.531
 peer default ip address pool testpool
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
!
ip local pool VPNPOOL 192.168.2.50 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->

Our corporate location is the 192.168.2.0/24 network and our branch locations are setup on the 192.168.X.0/24 networks.

Is it possible to put everyone that connects to the VPN on a different IP scheme, i.e. 192.168.20.0/24? This way I can have hundreds of addresses for VPN but the VPN users would still have access to all network resources. Can I also assign a name server to the VPN Local Pool config? The router does have a name server defined, but just curious if it's possible to define it in the VPN config so they get the correct name server.

Thanks!

Yes, you can create a new pool with a different subnet. You would use the following commands:

ip local pool VPN 10.10.1.1-10.10.1.254 netmask 255.255.255.0

You have to add DNS servers under the group policy:

group-policy ElCentro attributes
 dns-server value 10.10.1.250 10.10.2.90

Once you change your VPN DHCP Pool, you have to make sure to use nat exemption for traffic to the new subnet.

Author commented:
What would the command for the NAT exemption be? I do have some access-lists so I believe I would also have to add:

access-list ### permit ip 192.168.2.0 0.0.0.255 192.168.20.0 0.0.0.255

Thanks for the help.
It would be something similar to this:

access-list nonat permit ip <INSIDE SUBNET> <VPN SUBNET>
nat (inside) 0 access-list nonat

Do you already have a line using nat (inside) 0?

You can see it by typing "show run nat"

Author commented:
The show run nat was not a valid command on my router. Here is the full config though:

version 12.4
<!------->
aaa group server radius primary
 server 192.168.2.28 auth-port 1645 acct-port 1646
!
aaa authentication login default local
aaa authentication login DOMAIN local
aaa authentication ppp default group radius local
aaa authorization exec default local
aaa authorization network default group radius if-authenticated
!
aaa session-id common
clock timezone EDT -5
ip cef
!
!
!
!
ip domain name xxxxx.com
ip name-server 192.168.2.28
ip inspect name DOMAIN-FW http
ip inspect name DOMAIN-FW https
ip inspect name DOMAIN-FW ftp
ip inspect name DOMAIN-FW realaudio
ip inspect name DOMAIN-FW smtp
ip inspect name DOMAIN-FW tcp
ip inspect name DOMAIN-FW udp
ip inspect name DOMAIN-FW rcmd
ip inspect name DOMAIN-FW tftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
vpdn enable
!
vpdn-group 1
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
!
!
crypto pki trustpoint TP-self-signed-XXXX
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-XXXX
 revocation-check none
 rsakeypair TP-self-signed-XXXX
!
!
<!--User Accounts -->
!
!
!
class-map match-any VOIP-Stream
 match access-group 100
class-map match-any VOIP-MAnagement
 match access-group 102
class-map match-any VOIP-Control
 match access-group 101
!
!
policy-map WAN-QOS
 class VOIP-Stream
  priority percent 75
  set dscp ef
 class VOIP-Control
  priority percent 15
  set dscp af41
 class VOIP-MAnagement
  priority percent 9
  set dscp af21
 class class-default
  fair-queue
!
!
!
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
!
crypto isakmp policy 2
 hash md5
 authentication pre-share
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 67.XXX.XXX.XXX
crypto isakmp key cisco200 address 72.XXX.XXX.XXX
crypto isakmp key cisco200 address 208.XXX.XXX.XXX
!
!
crypto ipsec transform-set trans171 XXXXX
crypto ipsec transform-set trans174 XXXXX
!
crypto map mymap 1 ipsec-isakmp
 set peer 67.XXX.XXX.XXX
 set transform-set trans171
 match address 171
crypto map mymap 2 ipsec-isakmp
 set peer 72.XXX.XXX.XXX
crypto map mymap 3 ipsec-isakmp
 set peer 208.XXX.XXX.XXX
 set transform-set trans171
 match address 173
crypto map mymap 4 ipsec-isakmp
 set peer 67.XXX.XXX.XXX
 set transform-set trans174
 match address 174
crypto map mymap 5 ipsec-isakmp
 set peer 72.XXX.XXX.XXX
 set transform-set trans171
 match address 175
crypto map mymap 6 ipsec-isakmp
 set peer 72.XXX.XXX.XXX
 set transform-set trans171
 match address 176
crypto map mymap 7 ipsec-isakmp
 set peer 208.XXX.XXX.XXX
 set transform-set trans171
 match address 177
!
!
!
interface Loopback0
 ip address 4.0.0.40 255.255.255.255
!
interface Loopback1
 ip address 10.255.0.40 255.255.255.255
!
interface Tunnel0
 description Tunnel to Remote Site #1
 bandwidth 400
 ip address 10.xxx.xxx.xxx 255.255.255.252
 ip mtu 1390
 ip route-cache flow
 tunnel source Serial0/1/0.531
 tunnel destination 208.xxx.xxx.xxx
 tunnel key XXXXXXX
!


interface FastEthernet0/0
 description <<Choice One Internet>>
 ip address 10.XXX.XXX.XXX 255.255.255.0
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 no ip mroute-cache
 speed 100
 full-duplex
 no cdp enable
!
interface FastEthernet0/1
 description << LAN >>
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 no ip mroute-cache
 speed auto
 full-duplex
 no cdp enable
 hold-queue 32 in
 hold-queue 100 out
!
interface Serial0/1/0
 description Connection to GBLX Cloud
 no ip address
 ip virtual-reassembly
 encapsulation frame-relay IETF
 no ip route-cache cef
 no ip route-cache
 service-module t1 timeslots 1-24
 service-module t1 remote-alarm-enable
 frame-relay lmi-type ansi
!
interface Serial0/1/0.16 point-to-point
 description Connection to GBLX MPLS
 ip address 67.XXX.XXX.XXXX 255.255.255.252
 no ip route-cache
 no cdp enable
 frame-relay interface-dlci 16
  class VOIP-CLASS
!
interface Serial0/1/0.531 point-to-point
 description Connection to DIA
 ip address 146.XXX.XXX.XXX 255.255.255.252
 ip nat outside
 ip virtual-reassembly
 no ip route-cache
 no cdp enable
 frame-relay interface-dlci 552
  class Data-CLASS
 crypto map mymap
!
interface Virtual-Template1
 ip unnumbered Serial0/1/0.531
 peer default ip address pool testpool
 ppp max-bad-auth 3
 ppp authentication ms-chap-v2
!
router eigrp 500
 network 10.XXX.XXX.XX 0.0.0.255
 network 192.168.2.0
 no auto-summary
 eigrp stub connected summary
!
router bgp 60040
 no synchronization
 bgp log-neighbor-changes
 network 10.XXX.XXX.XXX
 network 192.168.0.0
 aggregate-address 10.XXX.XXX.XXX 255.255.255.255
 aggregate-address 10.XXX.XXX.XXX 255.255.255.0
 aggregate-address 192.168.2.0 255.255.255.0
 redistribute connected
 neighbor 67.xxx.xxx.xxx remote-as 6745
 neighbor 67.xxx.xxx.xxx description OSN->GlobalX
 neighbor 67.xxx.xxx.xxx version 4
 neighbor 67.xxx.xxx.xxx soft-reconfiguration inbound
 no auto-summary
!
ip local pool testpool 192.168.2.75 192.168.2.100
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 146.xxx.xxx.xxx
ip route 10.255.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 64.XXX.XXX.6 255.255.255.255 67.xxx.xxx.xxx
ip route 64.XXX.XXX.0 255.255.255.0 67.xxx.xxx.xxx
ip route 192.168.0.0 255.255.0.0 67.xxx.xxx.xxx
ip route 192.168.5.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.6.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.7.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
ip route 192.168.8.0 255.255.255.0 146.xxx.xxx.xxx <!-- local LAN for remote site -->
!
!
ip http server
ip http authentication local
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface Serial0/1/0.531 overload
ip nat inside source static tcp 192.168.2.20 25 146.xxx.xxx.xxxx 25 extendable
!
!
map-class frame-relay VOIP-CLASS
 frame-relay cir 1024000
 frame-relay bc 10240
 frame-relay be 0
 frame-relay mincir 1024000
 frame-relay interface-queue fair queue-limit 32
 frame-relay interface-queue priority high
 service-policy output WAN-QOS
!
map-class frame-relay Data-CLASS
 frame-relay cir 512000
 frame-relay bc 5120
 frame-relay be 5120
 frame-relay mincir 512000
 frame-relay fair-queue
 frame-relay interface-queue fair queue-limit 32
 frame-relay interface-queue priority low
logging trap debugging
logging 192.168.2.27
access-list 100 remark ****MArk VOIP RTP streaming Traffic (LLQ)
access-list 100 permit udp any any range 16384 32768
access-list 100 permit udp 10.255.0.0 0.0.255.255 64.xx.xx.0 0.0.0.255
access-list 101 remark MArk ****MGCP/Skinny/H.323 VOIP signaling traffic (CBWFQ)
access-list 101 permit udp any any eq 2727
access-list 101 permit tcp any any eq 2727
access-list 101 permit udp any any eq 2427
access-list 101 permit tcp any any eq 2427
access-list 101 permit udp any any eq 2428
access-list 101 permit tcp any any eq 2428
access-list 101 permit tcp any any eq 1720
access-list 101 permit tcp any any range 2000 2002
access-list 101 permit tcp any any range 11000 11999
access-list 101 remark Mark ****IAX/IAX2/SIP VOIP signaling traffic
access-list 101 permit udp any any eq 4569
access-list 101 permit udp any any range 5060 5069
access-list 101 permit udp any any range 5070 5079
access-list 101 permit udp any any range 5080 5099
access-list 102 remark Mark ****Client Endpoints --> NOC/Management Servers (CBWFQ-AF21)
access-list 102 permit tcp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 64.xxx.xxx.0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx0 0.0.0.255
access-list 102 permit tcp any 172.xxx.xxx.0 0.0.0.255
access-list 102 permit udp any 172.xxx.xxx.0 0.0.0.255
access-list 125 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
access-list 172 permit ip 192.168.2.0 0.0.0.255 192.168.5.0 0.0.0.255
access-list 173 permit ip 192.168.2.0 0.0.0.255 192.168.4.0 0.0.0.255
access-list 174 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 192.168.6.0 0.0.0.255
access-list 176 permit ip 192.168.2.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.2.0 0.0.0.255 192.168.7.0 0.0.0.255
snmp-server community monitoring RO
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps tty
snmp-server enable traps isdn call-information
snmp-server enable traps isdn layer2
snmp-server enable traps isdn chan-not-avail
snmp-server enable traps isdn ietf
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps frame-relay
snmp-server enable traps frame-relay subif
snmp-server enable traps hsrp
snmp-server enable traps ipmulticast
snmp-server enable traps msdp
snmp-server enable traps pim neighbor-change rp-mapping-change invalid-pim-message
snmp-server enable traps pppoe
snmp-server enable traps rsvp
snmp-server enable traps rtr
snmp-server enable traps syslog
!
route-map nonat permit 10
 match ip address 125
!
!
!
radius-server host 192.168.2.28 auth-port 1645 acct-port 1646
radius-server key 7 XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
control-plane
!
!
banner login ^CCC
Warning !!!
This system is solely for the use of authorized users for official purposes.
You have no expectation of privacy in its use and to ensure that the system
is functioning properly, individuals using this computer system are subject
to having all of their activities monitored and recorded by system
personnel.  Use of this system evidences an express consent to such
monitoring and agreement that if such monitoring reveals evidence of
possible abuse or criminal activity, system personnel may provide
the results of such monitoring to appropriate officials.
^C
!
line con 0
line aux 0
line vty 0 4
 privilege level 15
 login authentication SASi
 transport input ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 transport input ssh
!
scheduler allocate 20000 1000
ntp clock-period 17178389
ntp server 132.236.56.250
end
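The NAT-exemption point raised above can be checked against the posted IOS config rather than guessed at: on this 1841, NAT is driven by `ip nat inside source route-map nonat`, and `route-map nonat` matches access-list 125, so a flow is NAT-exempt exactly when ACL 125 denies it. The script below is an added example (not from the thread or from Cisco); it parses the `access-list ... ip` lines from the config, applies Cisco wildcard-mask matching, and reports whether LAN-to-VPN-pool traffic would be translated and whether the proposed 192.168.20.0/24 pool falls inside a branch crypto ACL. The config excerpt is copied from the post; the test addresses (192.168.2.10, 192.168.20.5, 192.168.3.5) are constructed.

```python
import ipaddress

# Constructed excerpt: the NAT route-map, ACL 125 and crypto ACL 171 from the posted config.
CONFIG = """
ip nat inside source route-map nonat interface Serial0/1/0.531 overload
access-list 100 remark ****MArk VOIP RTP streaming Traffic (LLQ)
access-list 125 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
access-list 125 permit ip 192.168.2.0 0.0.0.255 any
access-list 171 permit ip 192.168.2.0 0.0.0.255 192.168.3.0 0.0.0.255
route-map nonat permit 10
 match ip address 125
"""

def _operand(tokens, i):
    """Consume 'any' or 'addr wildcard' at tokens[i]; return ((net, wildcard), next index)."""
    if tokens[i] == "any":
        return (0, 0xFFFFFFFF), i + 1
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return (net, wildcard), i + 2

def parse_acls(config):
    """Collect numbered 'access-list N permit|deny ip SRC DST' entries, in order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[2] not in ("permit", "deny") or t[3] != "ip":
            continue  # skips remarks and tcp/udp entries, which do not matter here
        src, i = _operand(t, 4)
        dst, _ = _operand(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def wc_match(addr, net, wildcard):
    # Cisco wildcard semantics: a set bit means "don't care" for that bit
    return (addr & ~wildcard & 0xFFFFFFFF) == (net & ~wildcard & 0xFFFFFFFF)

def acl_action(acl, src_ip, dst_ip):
    """First-match evaluation with the implicit deny at the end."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for action, (sn, sw), (dn, dw) in acl:
        if wc_match(s, sn, sw) and wc_match(d, dn, dw):
            return action
    return "deny"

def will_be_natted(acls, src_ip, dst_ip, nonat_acl="125"):
    """route-map nonat permit 10 matches ACL 125, so a permit there means NAT applies."""
    return acl_action(acls[nonat_acl], src_ip, dst_ip) == "permit"

if __name__ == "__main__":
    acls = parse_acls(CONFIG)
    print("LAN->VPN pool natted:", will_be_natted(acls, "192.168.2.10", "192.168.20.5"))
    print("VPN pool->branch in crypto ACL 171:", acl_action(acls["171"], "192.168.20.5", "192.168.3.5"))
```

Because ACL 125 denies 192.168.2.0/24 to all of 192.168.0.0/16, a 192.168.20.0/24 pool is already NAT-exempt on this box; the same check shows the crypto ACLs (171 to 177) only carry 192.168.2.0/24, so VPN clients on the new subnet would not be selected into the branch IPsec tunnels without extending those ACLs.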