VPN with 2811 set-up and Cisco VPN Client

Jan 22nd, 2009

I am looking for the correct IOS to install on my 2811 so I can set up vpn groups, much like you would with a PIX for remote employees running the Cisco VPN Client software.

I have done this on a Pix 525 and 506e, but the company I work for today does not have a PIX, they employ a Juniper firewall and Juniper SSL device. I am creating a backdoor in the event the firewall dies and we cannot route internally remotely to gain cli access to bring the firewall back up. What I have to work with is a 2811 so any help would be appreciated.

kwillacey Thu, 01/22/2009 - 09:40

I think you need an Advanced Security or higher feature set for that.

pauloroque Thu, 01/22/2009 - 10:05

Hi,

Do you just need the remote access VPN (RA VPN) feature, or do you really need to be able to create VPN groups/user profiles?

For RA VPN, I think you can use any security or advanced feature set. For the exact IOS matching your needs you can use the Feature Navigator Tool (www.cisco.com/go/fn).

There, search for the IPSec feature and drill down on your platform, release and memory needs.

PRoque

Rick Morris Thu, 01/22/2009 - 10:12

I am basically trying to set up the same type of set-up on the 2811 that I would have done on the PIX525 by creating a vpn user group, assigning an address-pool and building an acl to allow access to the needed resources.

To mirror a replication of being on the network, with the ability to map drives, etc...

I have done this in a PIX just never on the router.

pauloroque Thu, 01/22/2009 - 10:40

Yes, it can be done. Use the Feature navigator as I said to find the correct IOS. A sample config follows.

PRoque

----

! 10.198.50.0/24 the inside protected network
! 10.199.x.x/24 the public address
! It will use IOS local user database for authentication
! The group to be used in the Cisco VPN Client is VPNCLIENT-GRP the key is 'grevpn'
aaa new-model
aaa authentication login LOCAL-AUTH local
aaa authorization network LOCAL-AUTHOR local
aaa session-id common
!
username proque password 0 mypass
!
crypto isakmp policy 5
 encr aes 256
 authentication pre-share
 group 2
 hash md5
!
crypto isakmp client configuration group VPNCLIENT-GRP
 key grevpn
 dns 10.198.50.6 10.198.50.7
 domain youdomain.com.br
 pool VPNCLIENT-POOL
 acl VPNCLIENT-SPLIT-ACL
!
crypto ipsec transform-set ESP-AES-SHA-HMAC esp-aes esp-sha-hmac
!
crypto dynamic-map VPNCLIENT-DMAP 10
 set transform-set ESP-AES-SHA-HMAC
 reverse-route
!
crypto map VPNCLIENT-MAP client authentication list LOCAL-AUTH
crypto map VPNCLIENT-MAP isakmp authorization list LOCAL-AUTHOR
crypto map VPNCLIENT-MAP client configuration address respond
crypto map VPNCLIENT-MAP 10 ipsec-isakmp dynamic VPNCLIENT-DMAP
!
interface FastEthernet0/0
 description INSIDE NET
 ip address 10.198.50.106 255.255.255.0
!
interface FastEthernet0/0.2
 description OUTSIDE NET
 ip address 10.199.2.1 255.255.255.0
 crypto map VPNCLIENT-MAP
!
ip local pool VPNCLIENT-POOL 10.198.50.129 10.198.50.140
!
ip access-list extended VPNCLIENT-SPLIT-ACL
 permit ip 10.198.50.0 0.0.0.255 any
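As an added check (not part of the thread), a small Python audit of the sample config above: it confirms that the group's pool and ACL, the dynamic map and the interface binding all resolve, and flags the MD5 hash, DH group 2 and type 0 password that the sample carries. SAMPLE is a condensed copy constructed from the config above with the same names; the script assumes standard IOS indentation of sub-mode lines.

```python
import re

# Constructed sample condensed from the config in the post above (same names).
SAMPLE = """\
username proque password 0 mypass
crypto isakmp policy 5
 group 2
 hash md5
crypto isakmp client configuration group VPNCLIENT-GRP
 pool VPNCLIENT-POOL
 acl VPNCLIENT-SPLIT-ACL
crypto dynamic-map VPNCLIENT-DMAP 10
 set transform-set ESP-AES-SHA-HMAC
crypto map VPNCLIENT-MAP 10 ipsec-isakmp dynamic VPNCLIENT-DMAP
interface FastEthernet0/0.2
 crypto map VPNCLIENT-MAP
ip local pool VPNCLIENT-POOL 10.198.50.129 10.198.50.140
ip access-list extended VPNCLIENT-SPLIT-ACL
 permit ip 10.198.50.0 0.0.0.255 any
"""

def audit_easyvpn(cfg):
    """Return findings (dangling references, weak settings) for an IOS Easy VPN server fragment."""
    lines = [l.rstrip() for l in cfg.splitlines() if l.strip() and not l.startswith("!")]
    top = [l for l in lines if not l.startswith(" ")]          # global config mode
    sub = [l.strip() for l in lines if l.startswith(" ")]      # sub-mode lines
    def names(pat):  # names defined by top-level lines matching pat
        return {m.group(1) for l in top if (m := re.match(pat, l))}
    defined = {"pool": names(r"ip local pool (\S+)"),
               "acl": names(r"ip access-list (?:extended|standard) (\S+)")}
    dmaps = names(r"crypto dynamic-map (\S+)")
    applied = {l.split()[2] for l in sub if l.startswith("crypto map ")}
    out = []
    for l in sub:  # pool/acl references inside the client configuration group
        if (m := re.match(r"(pool|acl) (\S+)$", l)) and m.group(2) not in defined[m.group(1)]:
            out.append(f"group references undefined {m.group(1)} {m.group(2)}")
    for l in top:
        if (m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", l)):
            if m.group(2) not in dmaps:
                out.append(f"crypto map {m.group(1)} uses undefined dynamic-map {m.group(2)}")
            if m.group(1) not in applied:
                out.append(f"crypto map {m.group(1)} not applied to any interface")
        if re.match(r"username \S+ password 0 ", l):
            out.append("local user stored with type 0 (cleartext) password")
    if "hash md5" in sub:
        out.append("ISAKMP policy hashes with MD5")
    if "group 2" in sub:
        out.append("ISAKMP policy negotiates DH group 2 (1024-bit)")
    return out
```

Run it over a `show running-config` dump after editing the crypto map or the group: an empty list means every reference resolves and none of the flagged weak settings remain.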
