Configure VPN Server Cisco 877W

Feb 20th, 2014

Hello!



I need to implement a VPN server on a Cisco 877W.



The idea is as follows:

Access the network from anywhere using the Cisco VPN Client;

The router needs to accept a minimum of 5 simultaneous connections;

Each user would have a login and password;



Cisco 877W (System image file is "flash: C870-advipservicesk9-mz.150-1.M10.bin")



The current configuration script follows:




!
! Posted running-config of a Cisco 877W (IOS 15.0(1)M10). The stated goal is a
! remote-access VPN for the Cisco VPN Client with per-user logins. No crypto,
! ISAKMP or IPsec configuration appears anywhere in this dump, so the VPN server
! itself is still missing; what follows is the baseline it would be added to.
!

version 15.0

no service pad

service tcp-keepalives-in

service tcp-keepalives-out

service timestamps debug uptime

service timestamps log uptime

! Type 7 encryption of plaintext passwords: obscures them in "show run" only and
! is trivially reversible; it is not a substitute for hashed (type 5) secrets.
service password-encryption

service sequence-numbers

!

hostname VPN

!

boot-start-marker

boot-end-marker

!

logging buffered 10240

! The value below is mangled by the page's e-mail cloaking ("[email protected]"),
! so the real secret and its type are not visible. Keep this an "enable secret"
! (hashed) rather than "enable password".
enable secret [email protected]

!

aaa new-model

!

!

! Local AAA only: login and exec authorization against the local user database.
! Per-user VPN logins (Xauth) for the requested server would typically use this
! same database or a RADIUS group added later; apart from "suporte" below, no
! user accounts exist yet.
aaa authentication login default local

aaa authorization exec default local

!

aaa session-id common

!

clock timezone BR -3

!

dot11 syslog

!

! WLAN: WPA with a pre-shared key. The PSK is mangled by the page
! ("[email protected]") and is not the real value. guest-mode broadcasts the
! SSID. This SSID is bridged into bridge-group 1 / BVI1 (the NAT-inside LAN),
! so the PSK is effectively a LAN credential and should be rotated if this
! config was shared with the real key.
dot11 ssid ACESSO01

authentication open

authentication key-management wpa

guest-mode

wpa-psk ascii [email protected]

!

no ip source-route

!

!

!

ip dhcp pool ODIM

   import all

   network 192.168.100.224 255.255.255.224

   default-router 192.168.100.254

   dns-server 10.151.176.80 201.10.120.3 10.151.176.79 201.10.1.2

   update arp

!

!

ip cef

no ip bootp server

no ip domain lookup

ip domain name local

! CBAC stateful inspection list "firewall". It is applied outbound on Dialer0
! only ("ip inspect firewall out"), so return traffic for LAN-originated
! sessions is admitted past Traffic-Permit-IN on the Internet side. Nothing
! equivalent is applied on Vlan100 (the intranet uplink).
ip inspect name firewall tcp

ip inspect name firewall udp

ip inspect name firewall cuseeme

ip inspect name firewall h323

ip inspect name firewall rcmd

ip inspect name firewall realaudio

ip inspect name firewall streamworks

ip inspect name firewall vdolive

ip inspect name firewall sqlnet

ip inspect name firewall tftp

ip inspect name firewall ftp

ip inspect name firewall icmp

ip inspect name firewall sip

ip inspect name firewall esmtp max-data 52428800

ip inspect name firewall fragment maximum 256 timeout 1

ip inspect name firewall netshow

ip inspect name firewall rtsp

ip inspect name firewall pptp

ip inspect name firewall skinny

no ipv6 cef

!

multilink bundle-name authenticated

!

! Config archive to flash on every write-memory.
archive

path flash:config

write-memory

file verify auto

! The only local account: privilege 15 (full admin), type 5 (MD5) secret. The
! hash has been published with this post and is therefore exposed to offline
! guessing; rotate this secret now that the hash is public.
username suporte privilege 15 secret 5 $1$WdPL$PHwugOutS3fztS8hBUl9g0

!

ip tcp timestamp

! SSHv2 only - good. Note that telnet is still accepted on the vty lines at the
! end of this config.
ip ssh version 2

!

bridge irb

!

interface ATM0

description #### A D S L - INTERNET ####

no ip address

no ip proxy-arp

load-interval 30

no atm ilmi-keepalive

!

!

! PPPoE over ATM PVC 0/35; the Layer 3 side is Dialer0 (dialer pool 1).
interface ATM0.1 point-to-point

description #### A D S L - INTERNET ####

pvc 0/35

  pppoe-client dial-pool-number 1

!

!

! Trunk toward the intranet switch. Untagged frames on this port land in VLAN
! 100, which is the NAT-outside intranet SVI below (Vlan100).
interface FastEthernet0

description #### I N T R A N E T ####

switchport trunk native vlan 100

switchport mode trunk

load-interval 30

!

!

interface FastEthernet1

!

!

interface FastEthernet2

!

!

interface FastEthernet3

!

!

interface Dot11Radio0

no ip address

no ip proxy-arp

load-interval 30

!

! TKIP is allowed alongside AES-CCMP. TKIP is a deprecated cipher; if every
! client supports CCMP, "encryption mode ciphers aes-ccm" alone is preferable.
encryption mode ciphers aes-ccm tkip

!

ssid ACESSO01

!

speed basic-1.0 basic-2.0 basic-5.5 basic-6.0 basic-9.0 basic-11.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0

station-role root

no cdp enable

! The radio is bridged into bridge-group 1 together with Vlan1, i.e. wireless
! clients share the BVI1 LAN segment.
bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 spanning-disabled

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

!

!

interface Vlan1

description #### ETH`S ####

no ip address

no ip proxy-arp

load-interval 30

bridge-group 1

bridge-group 1 spanning-disabled

!

!

! Second "outside": intranet uplink, DHCP-addressed, NAT outside, default
! route via 10.48.50.1 further down. Unlike Dialer0 it carries no
! "ip access-group" and no "ip inspect", so traffic arriving from the intranet
! toward this router and the LAN is not filtered here. If the intranet is not
! fully trusted, mirror the Dialer0 protections on this interface.
interface Vlan100

description #### I N T R A N E T ####

ip address dhcp

no ip proxy-arp

ip nat outside

ip virtual-reassembly

!

!

! Internet side: inbound ACL Traffic-Permit-IN, CBAC ("ip inspect firewall
! out") and an ICMP echo rate-limit keyed on access-list 100. The PPP
! credentials below appear mangled by the page's e-mail cloaking; in a genuine
! running-config with service password-encryption they would normally show as
! type 7, which is reversible - strip them before sharing configs.
interface Dialer0

description #### I N T E R N E T ####

ip address negotiated

ip access-group Traffic-Permit-IN in

no ip redirects

no ip unreachables

ip mtu 1492

ip nat outside

ip inspect firewall out

ip virtual-reassembly

rate-limit input access-group 100 16000 8000 8000 conform-action transmit exceed-action drop

encapsulation ppp

load-interval 30

dialer pool 1

dialer-group 1

ppp authentication pap chap callin

ppp chap hostname [email protected]

ppp chap password [email protected]

ppp pap sent-username [email protected] password [email protected]

ppp ipcp dns request

ppp ipcp wins request

ppp ipcp route default

no cdp enable

!

!

! Inside interface: the LAN bridge (Vlan1 + Dot11Radio0), NAT inside, MSS
! clamp for the PPPoE MTU, and the PBR route-map that steers 10/8 to the
! intranet and everything else to ADSL. Any remote-access VPN pool added later
! must be reachable from this segment and, if LAN-to-VPN traffic should stay
! un-NATed, excluded from access-list 110 (the NAT source list).
interface BVI1

description #### BRIDGE Vlan1/Dot11Radio0 ####

ip address 192.168.100.254 255.255.255.224

no ip proxy-arp

ip nat inside

ip virtual-reassembly

ip tcp adjust-mss 1452

ip policy route-map PBR

!

!

ip forward-protocol nd

! HTTP/HTTPS management disabled - good.
no ip http server

no ip http secure-server

!

!

! Overload NAT on both outside interfaces, selected per egress via the NAT
! route-maps (both match access-list 110, the LAN /27).
ip nat inside source route-map ADSL interface Dialer0 overload

ip nat inside source route-map INTRANET interface Vlan100 overload

! Two default routes. LAN traffic is steered explicitly by route-map PBR on
! BVI1; router-originated and any non-PBR traffic may load-share between the
! ADSL link and the intranet gateway.
ip route 0.0.0.0 0.0.0.0 Dialer0 name ADSL

ip route 0.0.0.0 0.0.0.0 10.48.50.1 name INTRANET

!

! Used only as a route-map match (PBR seq 10). In a route-map match, "deny"
! means "no match" and "log" has no effect. Only the first two entries are
! ever evaluated: everything after "permit ip any any" is shadowed. The
! anti-spoof/egress deny list that follows looks like it was written for an
! interface access-group and does nothing in this position.
ip access-list extended ADSL

deny   ip any 10.0.0.0 0.255.255.255

permit ip any any

deny   ip any host 192.168.100.255

deny   udp any any eq tftp log

deny   ip any 0.0.0.0 0.255.255.255 log

deny   ip any 127.0.0.0 0.255.255.255 log

deny   ip any 169.254.0.0 0.0.255.255 log

deny   ip any 172.16.0.0 0.15.255.255 log

deny   ip any 192.0.2.0 0.0.0.255 log

deny   ip any 192.168.0.0 0.0.255.255 log

deny   ip any 198.18.0.0 0.1.255.255 log

deny   udp any any eq 135 log

deny   tcp any any eq 135 log

deny   udp any any eq netbios-ns log

deny   udp any any eq netbios-dgm log

deny   tcp any any eq 445 log

deny   ip any any log

! Same pattern, used by PBR seq 20: only "permit ip any 10/8" and the following
! "deny ip any any" are effective; every line after them is unreachable.
ip access-list extended INTRANET

permit ip any 10.0.0.0 0.255.255.255

deny   ip any any

deny   ip any host 10.48.50.255

deny   udp any any eq tftp log

deny   ip any 0.0.0.0 0.255.255.255 log

deny   ip any 10.0.0.0 0.255.255.255 log

deny   ip any 127.0.0.0 0.255.255.255 log

deny   ip any 169.254.0.0 0.0.255.255 log

deny   ip any 172.16.0.0 0.15.255.255 log

deny   ip any 192.0.2.0 0.0.0.255 log

deny   ip any 192.168.0.0 0.0.255.255 log

deny   ip any 198.18.0.0 0.1.255.255 log

deny   udp any any eq 135 log

deny   tcp any any eq 135 log

deny   udp any any eq netbios-ns log

deny   udp any any eq netbios-dgm log

deny   tcp any any eq 445 log

! Inbound on Dialer0: bogon/RFC1918 source denies, then PPTP (tcp/1723 + GRE)
! from any source, then drop-and-log. No PPTP server and no static NAT toward
! an inside PPTP host appear in this dump, so the two PPTP permits seem to
! admit nothing useful while widening the inbound surface; remove them unless
! such a host exists. The requested Cisco VPN Client service is IPsec-based
! and, once the server is configured, would instead need IKE (udp/500 and
! udp/4500 for NAT-T) and ESP admitted here. Note that the 224/4 and broadcast
! denies and the echo deny are silent, unlike the other entries.
ip access-list extended Traffic-Permit-IN

deny   ip 0.0.0.0 0.255.255.255 any

deny   ip 10.0.0.0 0.255.255.255 any

deny   ip 127.0.0.0 0.255.255.255 any

deny   ip 169.254.0.0 0.0.255.255 any

deny   ip 172.16.0.0 0.15.255.255 any

deny   ip 192.0.2.0 0.0.0.255 any

deny   ip 192.168.0.0 0.0.255.255 any

deny   ip 198.18.0.0 0.1.255.255 any

deny   ip 224.0.0.0 0.15.255.255 any

deny   ip any host 255.255.255.255

permit tcp any any eq 1723

permit gre any any

deny   icmp any any echo

deny   ip any any log

!

! access-list 100: ICMP echo/echo-reply, rate-limited to 16 kbps inbound on
! Dialer0 (the echo requests themselves are then dropped by Traffic-Permit-IN).
access-list 100 permit icmp any any echo-reply

access-list 100 permit icmp any any echo

! access-list 110: NAT source list - the LAN /27 behind BVI1.
access-list 110 permit ip 192.168.100.224 0.0.0.31 any

dialer-list 1 protocol ip permit

! CDP disabled globally - good.
no cdp run

!

! NAT route-maps: translate LAN sources when leaving via the named interface.
route-map ADSL permit 10

match ip address 110

match interface Dialer0

!

route-map INTRANET permit 10

match ip address 110

match interface Vlan100

!

! PBR on BVI1: seq 10 matches ACL ADSL (deny 10/8, permit any), so everything
! except 10/8 is sent out Dialer0; seq 20 matches ACL INTRANET (permit 10/8)
! and sends it to Vlan100.
route-map PBR permit 10

match ip address ADSL

set interface Dialer0

!

route-map PBR permit 20

match ip address INTRANET

set interface Vlan100

!

!

control-plane

!

!

bridge 1 route ip

!

line con 0

no modem enable

line aux 0

! Management access: telnet is still accepted alongside SSH. Telnet is
! cleartext; with "ip ssh version 2" already set, "transport input ssh" alone
! is the safer choice. No "access-class" limits which sources may reach the
! vty lines: the Dialer0 inbound ACL blocks them from the Internet, but nothing
! visible filters management access from the Vlan100/intranet side.
line vty 0 4

transport input telnet ssh

!

scheduler max-task-time 5000

end
