VPN Public Internet on a Stick

RJDavison_2 · ‎05-06-2010

I've read the Cisco document - 'Router and VPN configuration for Public Internet on a Stick COnfiguration Example' and I've got a couple of questions.

Below is my config that I've built using the above example.... I know the VPN side of it works as i've butched my exisiting configuration.

My problem comes in understanding what IP address to give the Loopback interface, and do I need to give it a static nat translation like my other entries ??

My internal network is in the range 192.168.0.1 - 192.168.0.8

The VPN gives out the ip pool 192.168.1.1 - 192.168.1.19

What should the Looback interface be (i've currently got this as 192.168.2.1 ???)

If someone could take a quick look at the below and see if I've got any errors, that would be great (if I do need to include a static nat translation for the Loopback interface, would it simply be......ip nat inside source static 192.168.2.1 78.105.111.102

Thanks

!

version 12.4

service timestamps debug uptime

service timestamps log uptime

no service password-encryption

!

hostname 2651xm

!

boot-start-marker

boot-end-marker

!

enable secret 5 $1$8K/M$mPKgykdzMNoav0TuHJFrG0

!

aaa new-model

!

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

clock timezone PCTime 0

clock summer-time PCTime date Mar 30 2003 1:00 Oct 26 2003 2:00

no network-clock-participate slot 1

no network-clock-participate wic 0

ip cef

!

ip domain name casezero.net

ip name-server 78.105.111.96

ip name-server 87.194.255.154

!

multilink bundle-name authenticated

!

username XXX privilege 15 password 0 XXX

!

vlan internal allocation policy ascending

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group ezvpn

key XXX

pool SDM_POOL_1

max-users 5

max-logins 1

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto dynamic-map SDM_DYNMAP_1 1

set security-association idle-time 3600

set transform-set ESP-3DES-SHA

reverse-route

!

crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1

crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1

crypto map SDM_CMAP_1 client configuration address respond

crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1

!

interface Loopback0

ip address 192.168.2.1 255.255.255.0

ip nat inside

ip virtual reassembly

!

interface FastEthernet0/0

description Interface$ETH-WAN$

ip address 78.105.111.95 255.255.248.0

ip nat outside

ip policy route-map VPN-Client

ip virtual-reassembly

duplex auto

speed auto

crypto map SDM_CMAP_1

!

interface FastEthernet0/1

description Interface$ETH-LAN$

ip address 192.168.0.1 255.255.255.0

ip nat inside

ip virtual-reassembly

duplex auto

speed auto

!

ip local pool SDM_POOL_1 192.168.1.1 192.168.1.19

ip default-gateway 78.105.104.1

ip route 0.0.0.0 0.0.0.0 78.105.104.1

!

ip http server

ip http authentication local

no ip http secure-server

ip http path flash:

!

ip nat inside source list 101 interface FastEthernet0/0 overload

ip nat inside source static 192.168.0.2 78.105.111.96

ip nat inside source static 192.168.0.3 78.105.111.97

ip nat inside source static 192.168.0.4 78.105.111.98

ip nat inside source static 192.168.0.5 78.105.111.99

ip nat inside source static 192.168.0.6 78.105.111.100

ip nat inside source static 192.168.0.7 78.105.111.101

ip nat inside source static 192.168.0.8 78.105.111.102

!

access-list 101 permit ip any any

!

access-list 144 permit ip 192.168.1.0 0.0.0.255 any

!

route-map VPN-Client permit 10

match ip address 144

set interface Loopback0

!

control-plane

!

line con 0

line aux 0

line vty 0 4

transport input ssh

!

end

Jennifer Halim · ‎05-07-2010

Loopback interface ip address is already correctly been configured. It needs to be unique.

Minor changes to be done on the route-map:

- Currently you have "set interface Loopback0"

- You would need to change it to "set ip next-hop 192.168.2.2"

And, no, you don't need to configure any other static translation, because you already have ACL 101 for the translation that basically covers the ip pool subnet to be NATed.

However, you might want to configure NAT exemption so your vpn client can access the internal network.

ACL 101 should be changed to as follows:

access-list 101 deny ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255

access-list 101 permit ip 192.168.0.0 0.0.0.255 any

access-list 101 permit ip 192.168.1.0 0.0.0.255 any

Hope that helps.

RJDavison_2 · ‎05-07-2010

Thank you for the quick response -

When you say....

'set ip next-hop 192.168.2.2' - where is this going as I've got nothing that has this ip address ??

my internal network in 192.168.0.1 -

my vpn network is 192.168.1.0 -

my Loopback interface has 192.168.2.1 but nothing has the address 192.168.2.2 ??? so where would the traffic be hopping to ?

Jennifer Halim · ‎05-07-2010

Yup, it's just a virtual ip in the same subnet as your loopback interface, basically to make the traffic route through the loopback interface because the interface has "ip nat inside", and then it will be routed towards the external interface that has "ip nat outside" so it can be NATed.

For NAT to happen, it needs to go through an interface with "ip nat inside" then "ip nat outside". If we don't route it through the loopback interface, theh outside interface is just "ip nat outside", so NATing for the vpn client will not work.

RJDavison_2 · ‎05-07-2010

OK, thanks. One final question.

If im not translating the loopback ip through a static NAT translation, then what external ip address will the outside world see ?

Jennifer Halim · ‎05-07-2010

The VPN IP Pool subnet will be PATed to your router FastEthernet0/0 interface ip address (78.105.111.95) when they are accessing the Internet.