VPN on 877w router - Where to start

trietgiang
Level 1

Hi all,

I am very new to Cisco and hope you could give some advice. Our office uses a Cisco 877W via an ADSL2+ connection. Wireless, DHCP, firewall are working ok. We have a Windows 2003 Server as a file server. The boss wants to VPN from home to access the files. I have used SDM to try to set up VPN, then used VPN Client to test from home, but it didn't work. My questions are:

1. I believe the 877w router supports Easy VPN server. Do I need to set the Windows 2003 Server as a VPN server?

2. Is there a step-by-step official instruction to do this? I read the manual but I don't know how to customise those instructions for our case.

3. There is a D-link at the other side (i.e. at home). Do I need to set up port-forwarding or anything like that?

Thank you,

Triet

17 Replies

trietgiang
Level 1

Here is the current config. Thanks.

haroon.shaikh
Level 1

Greetings Triet,

First of all, you need to have a Static IP on your ADSL connection to create a VPN.

Second, it would be a good idea to configure VPN on the Cisco router rather than on the Windows Server, because you need to know a hell of a lot of details about port forwarding, which is as tricky as configuring VPN on the router.

Third, look at the below link for instructions on how to configure Cisco Router as VPN server:

http://www.cisco.com/en/US/products/hw/routers/ps274/products_configuration_example09186a00806ad10e.shtml

D-Link at your boss's home should work fine, let me know.

Also, don't forget to rate this post if you find it helpful....

Cheers,

Haroon

Thank you Haroon,

I have followed the instructions, and the connection seems to be working fine. I can get an IP address from the VPN server, and I can ping the router IP addresses (both internal and external-WAN address). Other than that, I can't do anything else. Please find the statistics window attached.

I tried the following:

- ping to a server in the office - FAIL

- ping www.cisco.com - FAIL

- ping to an external DNS - FAIL

- ipconfig /all shows that DHCP is disabled in the Cisco VPN Adapter

- the number of encrypted packets is much higher compared to the decrypted. When I continuously ping the router IP, the number of decrypted gets higher.

Could you please give some advice?

Thank you,

Triet

haroon.shaikh
Level 1

Can you post the config?

Also, please copy the config from the console window and post it, because the config copied from the router's memory is not properly readable.

Thank you for your prompt reply. Please find the config attached. I used SDM to setup VPN twice, so there may be some duplication.

Triet

haroon.shaikh
Level 1

Enter the following commands and check it out:

config terminal

no access-list 100

access-list 100 remark Access list for NAT Traffic

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 100 permit ip any any

no ip nat inside source route-map SDM_RMAP_1 interface Dialer0 overload

ip nat inside source list 100 interface Dialer0 overload

This should prevent traffic between VPN clients and internal LAN from NATing.

Also, make sure the default gateway of internal LAN systems is set to 10.1.1.254 (internal ip of router)

* Rate this post if it helps

Thank you, Haroon.

I have made the changes but I have to go home to test it out. By the way, can I stay inside the LAN and VPN back into itself? If it is possible, I can test it out now. I use Cisco VPN Client to connect, it says "Contacting the security gateway at xx.xx.xx.xx...." then disconnects. While at home, it is ok.

You are right about the default gateway, when I did ipconfig, the default gateway and the IP address (assigned by VPN server) were the same. I don't know where I can change it. Also if the PC address is in 10.1.2.x subnet, will it accept the default gateway of 10.1.1.254?

Thank you.

Triet

I think you might have to go home and check it out.

But you don't have to change anything on VPN client. You have to change the default ip address of the clients behind the router (at office) to 10.1.1.254 (I believe they are wireless users).

Regarding VPN clients, your ip address and default gateway will be the same after you connect to VPN server. That is correct.

I will let you know as soon as I try it.

Yes, I have checked default gateway in the clients at the office, they are all 10.1.1.254.

Thanks again,

Triet

Hi Haroon,

The problem is still there. I can connect to the VPN Server (i.e. router) but I cannot do anything else, neither surf the net nor connect to the file server. What do you think I should try please? Thank you.

Triet

Can you post the full config again?

Here it is. I hope I did the right things :)

Thank you,

Triet

Hey,

I have attached the configuration file.

Black Text - Don't change

Red Text - Remove the config lines

Blue Text - Remove them temporarily

And try the vpn configuration again using SDM

Make sure you configure with below settings:

VPN pool: 10.1.2.1 - 10.1.2.254

Local LAN: 10.1.1.0/24

You might also need to set your nat statements as:

ip nat inside source list 100 interface Dialer0 overload

access-list 100 remark Access list for NAT Traffic

access-list 100 deny ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255

access-list 100 permit ip any any

* Please rate this post if it's helpful

haroon.shaikh
Level 1

Sorry, missed the config file.
