Cisco 881w Complex Configuration

I was recently asked to look into what I would call a complex network structure for a remote office that uses an 881w. I only know enough about the configuration of the 881 to be dangerous. So I was hoping someone might be able to help provide a sample. I have 2 of these, each with just about the same configuration, minus one little detail that I'll explain below.

Below is an image of the structure I'm wanting to accomplish.
Example Network layout
Currently the devices are configured like it's shown above, minus 1 thing: the isolated LAN. Basically, what I'm looking to accomplish is to have the isolated LAN act kind of like a dual WAN. I want the 172.16.9.0/24 to be able to reach anything on the 10.10.6.0/24 subnet, but only allow established connections from the 10.10.6.0/24 subnet to come back into the 172.16.9.0/24 subnet.


I did mention that I have to do this with 2 devices, but there is a minor difference between them. 1 of them also needs to establish an outbound IPsec Xauth connection under Network Address Extension mode to a VPN Concentrator. I've never programmed a VPN connection on the 881 before. I've only ever done it on a PIX 501, so I'm not sure how to do it. I have read this article, but looking at it, it seems to have the person trying to connect to the other side of the VPN authenticate themselves, which isn't what I want. What I've done for the PIX configurations in the past is something like:

vpnclient server X.X.X.X
vpnclient mode network-extension-mode
vpnclient vpngroup GROUPNAME password ********
vpnclient username USERNAME password ********
vpnclient management tunnel 172.16.0.0 255.255.0.0
vpnclient enable

I have looked and I see the 881's OS doesn't have that command.

Any sample configurations for these would be greatly appreciated.

Here is the current configuration for the 881w I'm using:
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
!
hostname router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable password ********
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-99847944
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-99847944
revocation-check none
rsakeypair TP-self-signed-99847944
!
!
crypto pki certificate chain TP-self-signed-99847944
certificate self-signed 01
        quit
ip source-route
!
!
!
!
ip cef
ip domain name *****************
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!
username admin privilege 15 secret 5 ***************
!
!
!
archive
log config
  hidekeys
!
!
ip ssh rsa keypair-name pubkey-chain
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address X.X.X.10 255.255.255.248
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan1
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
!
interface Vlan1
ip address 172.16.9.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 X.X.X.9 permanent
no ip http server
no ip http secure-server
!
!
ip nat pool mypool X.X.X.12 X.X.X.12 netmask 255.255.255.255
ip nat inside source static tcp 172.16.9.23 443 interface FastEthernet4 443
ip nat inside source static tcp 172.16.9.23 25 interface FastEthernet4 25
ip nat inside source static tcp 172.16.9.22 3389 interface FastEthernet4 3389
ip nat inside source list 15 interface FastEthernet4 overload
ip nat inside source static tcp 172.16.9.23 873 X.X.X.10 873 extendable
ip nat inside source static tcp 172.16.9.24 80 X.X.X.12 80 extendable
ip nat inside source static tcp 172.16.9.24 873 X.X.X.12 873 extendable
!
access-list 15 permit 172.16.9.0 0.0.0.255
access-list 101 permit tcp host X.X.X.X host X.X.X.10 range 7788 7799
!
!
!
!
!
control-plane
!
!
line con 0
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
password ********
login
!
scheduler max-task-time 5000
end

Pyromanci Asked:

Henk van Achterberg, Sr. Technical Consultant, Commented:
interface Vlan10
 description isolated LAN
 ip address 10.10.6.254 255.255.255.0
 ip access-group access_vlan10_in in
!
interface FastEthernet3
 description member of isolated LAN
 switchport mode access
 switchport access vlan 10
!
ip access-list extended access_vlan10_in
 deny ip any any
 
crypto ipsec client ezvpn <vpn name>
 connect auto
 group <groupname> key <key>
 mode network-extension
 peer <peer ip>
 username <username> password <password>
 xauth userid mode local

interface FastEthernet4
 crypto ipsec client ezvpn <vpn name>

interface Vlan1
 crypto ipsec client ezvpn <vpn name> inside

This should do it I think, can you test this?

P.S. Normally I ALSO use a loopback interface for the ezvpn inside client, because Vlan1 is down when all the interfaces are down.

For example, I use this:

interface Loopback1
 ip address 10.254.0.1 255.255.255.255
 crypto ipsec client ezvpn ASA inside
Pyromanci (Author) Commented:
I can give it a test here in a little bit.

Though I do have a question. Are those configuration additions to the existing one?
Henk van Achterberg, Sr. Technical Consultant, Commented:
Yes they are!
Pyromanci (Author) Commented:
I just got to the point of testing the VPN.

The VPN starts up and connects. I can see it in the VPN Concentrator. Though I can't get traffic to go through. I can watch the concentrator and see incoming bytes, but nothing going back to the 881w.

Here is the output of "show crypto ipsec client ezvpn"
Easy VPN Remote Phase: 8

Tunnel name : vpn1
Inside interface list: Vlan1
Outside interface: FastEthernet4
Current State: IPSEC_ACTIVE
Last Event: MTU_CHANGED
DNS Primary: 192.168.9.23
Default Domain: internaldomain
Save Password: Allowed
Split Tunnel List: 1
       Address    : 192.168.0.0
       Mask       : 255.255.0.0
       Protocol   : 0x0
       Source Port: 0
       Dest Port  : 0
Current EzVPN Peer: X.X.X.X

When I do show ip route I see nothing about the 192.168.0.0/255.255.0.0 network
Gateway of last resort is X.X.X.57 to network 0.0.0.0

     172.17.0.0/24 is subnetted, 1 subnets
C       172.17.1.0 is directly connected, Vlan1
     X.0.0.0/29 is subnetted, 1 subnets
C       X.X.X.56 is directly connected, FastEthernet4
S*   0.0.0.0/0 [1/0] via X.X.X.57, FastEthernet4

Henk van Achterberg, Sr. Technical Consultant, Commented:
Did you make the proper NAT statements?

You need to disable NAT translation for that network!
Pyromanci (Author) Commented:
There is only 1 NAT command on the 881, and that's

ip nat inside source list 15 interface FastEthernet4 overload

So there shouldn't be any NATting assigned to the VPN connection.

Here is the complete config for that unit.

!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname firewall
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
enable secret 5 ****************
enable password 7 ****************
!
no aaa new-model
service-module wlan-ap 0 bootimage autonomous
!
crypto pki trustpoint TP-self-signed-99847944
 enrollment selfsigned
 revocation-check crl
 rsakeypair OurKey
!
!
crypto pki certificate chain TP-self-signed-99847944
 certificate self-signed 02
        quit
ip source-route
!
!
ip dhcp excluded-address 172.17.1.1 172.17.1.229
ip dhcp excluded-address 172.17.1.250 172.17.1.254
!
ip dhcp pool myDHCPpool
   import all
   network 172.17.1.0 255.255.255.0
   default-router 172.17.1.254
   dns-server 172.17.1.254 255.255.255.0
!
!
ip cef
ip domain name internal.local
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
!
!
multilink bundle-name authenticated
license boot module c880-data level advipservices
!
!
username admin privilege 15 secret 5 ****************
!
!
!
!
!
!
crypto ipsec client ezvpn vpn1
 connect auto
 group REMOTE_OFC_GROUP key ********
 mode network-extension
 peer X.X.X.X
 username REMOTE_OFC_FIREWALL password ********
 xauth userid mode local
!
archive
 log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
 shutdown
!
interface FastEthernet2
 shutdown
!
interface FastEthernet3
 description member of isolated LAN
 switchport access vlan 10
 shutdown
!
interface FastEthernet4
 ip address X.X.X.X 255.255.255.248
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto ipsec client ezvpn vpn1
!
interface wlan-ap0
 description Service module interface to manage the embedded AP
 ip unnumbered Vlan1
 arp timeout 0
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
!
interface Vlan1
 ip address 172.17.1.254 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 crypto ipsec client ezvpn vpn1 inside
!
interface Vlan10
 description isolated LAN
 ip address 10.6.120.2 255.255.255.0
 ip access-group access_vlan10_in in
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 FastEthernet4 X.X.X.57 permanent
no ip http server
no ip http secure-server
!
!
ip dns server
ip nat inside source list 15 interface FastEthernet4 overload
!
ip access-list extended access_vlan10_in
 deny   ip any any
!
access-list 15 permit 172.17.1.0 0.0.0.255
!
!
!
!
!
control-plane
!
!
line con 0
 no modem enable
 length 0
line aux 0
 length 0
line 2
 no activation-character
 no exec
 length 0
 transport preferred none
 transport input all
line vty 0 4
 password 7 ****************
 login
 length 0
!
scheduler max-task-time 5000

Henk van Achterberg, Sr. Technical Consultant, Commented:
That config looks good.

What I meant is that you have to use NAT Exempt on the other side, so for the 172.17.1.0/24 network.
Pyromanci (Author) Commented:
Hrmmm...

There aren't any NAT settings inside of the Cisco concentrator, which is why I'm a little confused as to why the traffic isn't getting back.
Pyromanci (Author) Commented:
Oddly enough, the VPN started working on its own this morning.

So I started testing the rest of it, and everything seems to be in working order except 1 thing.

Those on the 172 network cannot connect to devices on the 10 network, and vice versa.

Which is partly what I was wanting to do. I was wanting to allow devices on the 172 network to access things on the 10. network, but not the other way around.

I know this is all an ACL adjustment that needs playing with.
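An added example (not from any participant in this thread) of one way to write the VLAN 10 ACL so that it matches the requirement stated in the question, using the 172.16.9.0/24 and 10.10.6.0/24 addresses from the question. The `established` keyword only matches TCP segments with ACK or RST set, so it is not a real session table; the CBAC lines at the end are the stateful option that the advipservices license shown in the posted config supports, and ISO_OUT is an assumed inspection-rule name.

```cisco
! Added example, not the thread's own config. Applied inbound on Vlan10,
! i.e. to packets arriving FROM the isolated 10.10.6.0/24 LAN.
ip access-list extended access_vlan10_in
 remark TCP replies to sessions opened from 172.16.9.0/24 (ACK or RST set)
 permit tcp 10.10.6.0 0.0.0.255 172.16.9.0 0.0.0.255 established
 remark ICMP replies/errors so ping, traceroute and path MTU discovery work
 permit icmp 10.10.6.0 0.0.0.255 172.16.9.0 0.0.0.255 echo-reply
 permit icmp 10.10.6.0 0.0.0.255 172.16.9.0 0.0.0.255 unreachable
 permit icmp 10.10.6.0 0.0.0.255 172.16.9.0 0.0.0.255 time-exceeded
 remark nothing initiated from the isolated LAN gets in; log the attempts
 deny   ip any any log
!
! Stateful option (needs the advipservices feature set, which the posted
! config's license line shows). CBAC inspects sessions the router sends
! OUT of Vlan10 toward the isolated LAN and opens temporary matching
! return entries ahead of access_vlan10_in, so UDP and ICMP return
! traffic is covered without static permits. ISO_OUT is an assumed name.
ip inspect name ISO_OUT tcp
ip inspect name ISO_OUT udp
ip inspect name ISO_OUT icmp
!
interface Vlan10
 description isolated LAN
 ip access-group access_vlan10_in in
 ip inspect ISO_OUT out
```

The `log` keyword on the final deny is useful while testing; drop it once the rules are confirmed, since logging every denied packet costs CPU on an 881.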