Cisco Support Community

Cisco IOS with EZVPN to HQ ASA, Split DNS, Wireless, SSL VPN, PPTP VPN, and Zone Based Firewall

861W is used as an example. This will work on any IOS router.

Configuration on ASA

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-3DES-SHA

crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set reverse-route

crypto map VPN 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP

crypto map VPN interface outside

!

ip local pool VPNPOOL 192.168.250.1-192.168.250.254 mask 255.255.255.0

access-list split_tunnel_list_1000 extended permit ip 10.0.0.0 255.255.0.0 any < HQ NETWORK

!

access-list 100 extended permit ip 10.0.0.0 255.255.0.0 10.0.20.0 255.255.255.0 < Don't NAT traffic to the remote site 10.0.20.0/24

nat (inside) 0 access-list 100

!

group-policy EZVPN internal

group-policy EZVPN attributes

vpn-idle-timeout none

vpn-tunnel-protocol IPSec

password-storage enable < Allow automatic login for EZVPN

ipsec-udp enable < Allow IPsec over UDP (NAT transparency) for EZVPN clients behind NAT

split-tunnel-policy tunnelspecified

split-tunnel-network-list value split_tunnel_list_1000 < This list controls the automatic routes installed on the remote EZVPN router

default-domain value DOMAIN.com

nem enable < Allow EZVPN network extension mode

!

tunnel-group EZVPN type remote-access

tunnel-group EZVPN general-attributes

address-pool VPNPOOL

default-group-policy EZVPN

tunnel-group EZVPN ipsec-attributes

pre-shared-key <GROUP KEY>

!

username <REMOTESITENAME> password <PASSWORD> encrypted privilege 0

Configuration on remote 861W (or any other IOS router)

version 15.1

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

service sequence-numbers

no service config

!

hostname ROUTER_NAME

!

logging buffered 100000

no logging console

enable secret ENABLE_PASSWORD

!

aaa new-model

!

aaa authentication login default local

aaa authentication ppp default local         < for PPTP

aaa authorization console

aaa authorization exec default local

!

clock timezone CST -6 0      < Set your timezone

clock summer-time CDT recurring      < Set your timezone

!

crypto pki trustpoint TP-self-signed-709273033      < Self-signed certificate will be automatically created by WEBVPN configuration

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-709273033

revocation-check none

!

!

crypto pki certificate chain TP-self-signed-709273033

certificate self-signed 01

  <...>

  quit

!

!

ip dhcp excluded-address 10.0.20.1 10.0.20.99

ip dhcp excluded-address 10.0.20.150 10.0.20.254

!

ip dhcp pool LAN

   network 10.0.20.0 255.255.255.0

   default-router 10.0.20.254

   domain-name DOMAIN.com

   dns-server 10.0.20.254       < Router will do split DNS

!

!

!

ip cef

ip domain name DOMAIN.com

ip name-server 4.2.2.2      < Public DNS server

!

!

vpdn enable      < PPTP Server

!

vpdn-group PPTP-VPDN      < PPTP Server (might need to disable encryption in Windows PPTP client settings)

accept-dialin

  protocol pptp

  virtual-template 3  < Virtual Template 3 for PPTP

!

license udi pid CISCO861W-GN-A-K9 sn <SN>

!

!

username ROUTERADMIN privilege 15 password PASSWORD

username VPNUSER1 privilege 0 password PASSWORD

username VPNUSER1 autocommand exit       < Prevent user from logging into the router (SSH/telnet) [there is a better way to do this with AAA login methods but it requires more configuration]

username VPNUSER2 privilege 0 password PASSWORD

username VPNUSER2 autocommand exit

!

!

ip tcp synwait-time 5

ip ssh version 2

!

class-map type inspect match-any safe-hostile-cmap      < Inspect and allow all outbound traffic

match protocol tcp

match protocol udp

match protocol icmp

class-map type inspect match-all hostile-safe-cmap-1

match protocol tcp

match access-group name hostile-safe-acl-1      < For TCP port forwarding to an internal server, see below

!

!

policy-map type inspect safe-hostile-pmap

class type inspect safe-hostile-cmap

  inspect

class class-default

  drop

policy-map type inspect hostile-safe-pmap

class type inspect hostile-safe-cmap-1

  inspect

class class-default

  drop

!

zone security hostile

zone security safe

zone-pair security safe-hostile source safe destination hostile

service-policy type inspect safe-hostile-pmap

zone-pair security hostile-safe source hostile destination safe

service-policy type inspect hostile-safe-pmap

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

crypto isakmp keepalive 10

!

!

crypto ipsec transform-set TS esp-3des esp-sha-hmac

!

!

!

crypto ipsec client ezvpn EZVPNCONFIG

connect auto

group EZVPN key <ASA GROUP KEY>      < ASA tunnel group name and key

mode network-extension      < Enable NEM; otherwise traffic to the HQ site will be NATted

peer X.X.X.X       < ASA external IP

virtual-interface 1      < Using virtual template interface to simplify Zone Based Firewall configuration

username <REMOTESITENAME> password <PASSWORD>  < match username on the ASA

xauth userid mode local

!

!

!

!

!

interface Loopback0

ip address 172.16.1.1 255.255.255.255  < any unused IP

!

interface FastEthernet0

spanning-tree portfast    < 861W has four switch ports

!

interface FastEthernet1

spanning-tree portfast

!

interface FastEthernet2

spanning-tree portfast

!

interface FastEthernet3

spanning-tree portfast

!

interface FastEthernet4  < 861W has one external WAN Ethernet port

ip address x.x.x.x x.x.x.x < Public IP at the remote site. This can also be DHCP, but then SSL VPN will not work as it is tied to a static IP address. The router can also sit behind NAT (EZVPN will work through NAT), but then you need to make sure the external NAT device forwards port 443 for SSL VPN to work (PPTP and any other port forwarding will need additional ports forwarded as well)

ip nat outside

ip virtual-reassembly in

zone-member security hostile

load-interval 30

duplex auto

speed auto

crypto ipsec client ezvpn EZVPNCONFIG

!

interface Virtual-Template1 type tunnel  < Virtual Template 1 for EZVPN

no ip address

zone-member security safe  < You can also set up a separate VPN zone, but usually all traffic is allowed through the VPN, so it's safe to put it into the internal zone

tunnel mode ipsec ipv4

!

interface Virtual-Template3  < Virtual Template 3 for inbound PPTP connections

ip unnumbered Loopback0

zone-member security safe

peer default ip address pool vpnpool

ppp authentication ms-chap ms-chap-v2

!

interface Virtual-Template10  < Virtual Template 10 for SSL VPN

ip unnumbered Loopback0

zone-member security safe

!

interface wlan-ap0    < Management connection to built-in AP, connect to AP's console with "service-module wlan-ap 0 session"

description Service module interface to manage the embedded AP

ip unnumbered Vlan1

arp timeout 0

!

interface Wlan-GigabitEthernet0  < Data switchport to the AP; this could also be set up as an 802.1Q trunk for multiple SSIDs+VLANs

description Internal switch interface connecting to the embedded AP

spanning-tree portfast

!

interface Vlan1

ip address 10.0.20.254 255.255.255.0

ip dns view-group SPLITDNS  < Enable split DNS

ip nat inside

ip virtual-reassembly in

zone-member security safe

crypto ipsec client ezvpn EZVPNCONFIG inside

!

ip local pool vpnpool 10.0.21.1 10.0.21.20  < VPN Pool for SSL VPN and PPTP. It must be a different subnet from the VLAN1 subnet

ip forward-protocol nd

no ip http server

no ip http secure-server

!

ip dns view SPLITDNS-VIEW < DNS View for Internal DNS

domain name-server  10.0.0.100  < DNS server at the HQ site

dns forwarding source-interface Vlan1  < Source DNS requests for internal DNS from the internal IP

!

ip dns view-list SPLITDNS < DNS View Group grouping Internal DNS view 10 for DOMAIN.com requests and External DNS view 20 for public DNS requests

view SPLITDNS-VIEW 10

  restrict name-group 1

view default 20

!

ip dns name-list 1 permit .*.DOMAIN.COM  < SPLITDNS-VIEW will be used for DNS requests for <anything>.DOMAIN.COM (syntax: "." is for any character, "*" is for any number of any character, and the following "." represents the actual "." in the domain name)

!

ip dns server   < Enable DNS server

!
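Added example (mine, not code from the post or from IOS): a small Python model of how the SPLITDNS view-list above picks a view for a query name. It follows the name-list syntax exactly as the annotation describes it ("." is any single character, "*" is any run of characters) and the two view-list entries (SPLITDNS-VIEW at order 10, restricted to name-list 1; default at order 20), and returns the view together with the forwarder it uses (10.0.0.100 for the HQ view, 4.2.2.2 from `ip name-server` for the default view). The query names are constructed; the matcher models the description on the page, not the exact IOS matching engine.

```python
import re

# Built from the router configuration on this page: view-list SPLITDNS tries
# view SPLITDNS-VIEW (order 10), restricted to name-list 1, then the default
# view (order 20). Forwarders: 10.0.0.100 for the HQ view, 4.2.2.2 (ip name-server)
# for the default view.
NAME_LISTS = {1: [("permit", ".*.DOMAIN.COM")]}

VIEW_LIST = [
    # (order, view name, restricting name-list id or None, forwarder)
    (10, "SPLITDNS-VIEW", 1, "10.0.0.100"),
    (20, "default", None, "4.2.2.2"),
]


def name_list_to_regex(pattern):
    """Translate a name-list pattern into an anchored, case-insensitive regex,
    following the syntax given in the annotation: '.' is any single character,
    '*' is any run of characters, everything else is literal. This models the
    description on the page, not the exact IOS matching engine."""
    parts = []
    for ch in pattern:
        if ch == ".":
            parts.append(".")
        elif ch == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE)


def name_list_permits(list_id, qname):
    """Evaluate the entries of one name-list in order; unmatched names are denied."""
    for action, pattern in NAME_LISTS[list_id]:
        if name_list_to_regex(pattern).fullmatch(qname):
            return action == "permit"
    return False


def select_view(qname):
    """Return (view, forwarder) for a query name, walking the view-list in order."""
    qname = qname.rstrip(".")  # a trailing dot marks an FQDN; strip it for matching
    for _order, view, list_id, forwarder in sorted(VIEW_LIST):
        if list_id is None or name_list_permits(list_id, qname):
            return view, forwarder
    raise LookupError("no view matched %r" % qname)


if __name__ == "__main__":
    # Constructed query names: one internal host, one public host, the bare apex.
    for name in ("fileserver.domain.com", "www.cisco.com", "domain.com"):
        print(name, "->", select_view(name))
```

Two things the model makes visible: under the described syntax the bare apex name domain.com does not match `.*.DOMAIN.COM` (the pattern needs at least two characters before DOMAIN), so a query for it would go to the public server; and because "." matches any character, the pattern is looser than the literal domain. If the apex name must resolve internally, test it on the router with a query for the bare name.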

ip nat inside source list 100 interface FastEthernet4 overload   < Enable dynamic PAT to the Internet. If you use a named ACL you might hit a bug where you can't connect to the router from the outside (SSH, SSL VPN, PPTP)

ip nat inside source static tcp 10.0.20.55 22 interface FastEthernet4 2022  < Port forwarding from outside to SSH on an internal server

!

ip route 0.0.0.0 0.0.0.0 X.X.X.X < Default route to outside. Not necessary if using DHCP.

!

ip access-list extended hostile-safe-acl-1  < Allow inbound port forwarding from outside through Zone Based firewall. Use local IP and Port instead of global IP and Port

permit tcp any host 10.0.20.55 eq 22

!
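Added example (mine, not from the post or from Cisco): a Python model of the NAT-then-zone-policy order that the ACL annotation above depends on. It encodes the zone memberships, the static port-forward, the two class-maps, the policy-maps and the zone-pairs from this configuration. The ACL hostile-safe-acl-global-WRONG and the public addresses 203.0.113.10 and 198.51.100.1 are constructed to show why the ACL has to use the local address and port, and "Virtual-Access1" stands for the interface IOS clones from Virtual-Template1.

```python
from ipaddress import ip_address, ip_network

# Zone membership from the router configuration on this page. "Virtual-Access1"
# stands for the interface IOS clones from Virtual-Template1 (zone "safe") for EZVPN.
ZONE_OF_INTERFACE = {"FastEthernet4": "hostile", "Vlan1": "safe", "Virtual-Access1": "safe"}

# ip nat inside source static tcp 10.0.20.55 22 interface FastEthernet4 2022
STATIC_NAT = {("tcp", 2022): ("10.0.20.55", 22)}

# ACL entries: (action, protocol, source, destination, destination port or None).
# hostile-safe-acl-1 is the page's ACL; the -global-WRONG variant is a constructed
# counter-example written against the outside (global) port.
ACLS = {
    "hostile-safe-acl-1": [("permit", "tcp", "any", "10.0.20.55/32", 22)],
    "hostile-safe-acl-global-WRONG": [("permit", "tcp", "any", "10.0.20.55/32", 2022)],
}

CLASS_MAPS = {
    "safe-hostile-cmap": {"match": "any", "protocols": {"tcp", "udp", "icmp"}, "acl": None},
    "hostile-safe-cmap-1": {"match": "all", "protocols": {"tcp"}, "acl": "hostile-safe-acl-1"},
}
POLICY_MAPS = {"safe-hostile-pmap": ["safe-hostile-cmap"], "hostile-safe-pmap": ["hostile-safe-cmap-1"]}
ZONE_PAIRS = {("safe", "hostile"): "safe-hostile-pmap", ("hostile", "safe"): "hostile-safe-pmap"}


def in_range(addr, spec):
    return spec == "any" or ip_address(addr) in ip_network(spec)


def acl_permits(acl_name, pkt):
    """First matching entry wins; the implicit deny at the end drops everything else."""
    for action, proto, src, dst, dport in ACLS[acl_name]:
        if (proto == pkt["proto"] and in_range(pkt["src"], src)
                and in_range(pkt["dst"], dst) and (dport is None or dport == pkt["dport"])):
            return action == "permit"
    return False


def class_matches(cmap, pkt):
    """match-any: any criterion is enough; match-all: protocol and (if present) the ACL."""
    proto_ok = pkt["proto"] in cmap["protocols"]
    acl_ok = cmap["acl"] is not None and acl_permits(cmap["acl"], pkt)
    if cmap["match"] == "any":
        return proto_ok or acl_ok
    return proto_ok and (cmap["acl"] is None or acl_ok)


def nat_inbound(pkt):
    """Static NAT on the outside interface is applied before the zone policy,
    so the firewall classifies the packet by its inside (local) address and port."""
    if pkt["ingress"] == "FastEthernet4":
        local = STATIC_NAT.get((pkt["proto"], pkt["dport"]))
        if local:
            pkt = dict(pkt, dst=local[0], dport=local[1])
    return pkt


def zbfw_verdict(pkt, class_maps):
    src_zone = ZONE_OF_INTERFACE[pkt["ingress"]]
    dst_zone = ZONE_OF_INTERFACE[pkt["egress"]]
    if src_zone == dst_zone:
        return "pass"            # traffic inside one zone is not policed
    pmap = ZONE_PAIRS.get((src_zone, dst_zone))
    if pmap is None:
        return "drop"            # no zone-pair defined: default deny
    for cmap_name in POLICY_MAPS[pmap]:
        if class_matches(class_maps[cmap_name], pkt):
            return "inspect"     # stateful inspection; return traffic is allowed
    return "drop"                # class class-default / drop


def forward(ingress, egress, proto, src, dst, dport, acl="hostile-safe-acl-1"):
    """Return (verdict, destination address, destination port) as the firewall sees them."""
    cmaps = dict(CLASS_MAPS)
    cmaps["hostile-safe-cmap-1"] = dict(CLASS_MAPS["hostile-safe-cmap-1"], acl=acl)
    pkt = nat_inbound({"ingress": ingress, "egress": egress, "proto": proto,
                       "src": src, "dst": dst, "dport": dport})
    return zbfw_verdict(pkt, cmaps), pkt["dst"], pkt["dport"]


if __name__ == "__main__":
    # Constructed: Internet host 203.0.113.10 reaching the router's public IP 198.51.100.1.
    print(forward("FastEthernet4", "Vlan1", "tcp", "203.0.113.10", "198.51.100.1", 2022))
    print(forward("FastEthernet4", "Vlan1", "tcp", "203.0.113.10", "198.51.100.1", 2022,
                  acl="hostile-safe-acl-global-WRONG"))
```

The same inbound SSH packet is inspected with the page's ACL and dropped with the variant written against port 2022, because by the time the zone policy runs the destination has already been translated to 10.0.20.55:22. The model also shows that traffic between Vlan1 and the EZVPN virtual-access interface is not policed at all, which is what putting Virtual-Template1 in the safe zone means.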

ip sla 100 < Keep VPN connection up

icmp-echo 10.0.0.100 source-ip 10.0.20.254

frequency 5

ip sla schedule 100 life forever start-time now

!

access-list 100 permit ip any any  < No NAT exemption is needed for traffic to the HQ site, because it does not flow through the Fa4 outside interface but through a virtual-template (actually virtual-access) interface

!

banner motd ^

Authorized access only!

^

!

line con 0

logging synchronous

line aux 0

line 2   < Reverse CONSOLE to the built-in AP. Automatically configured.

no activation-character

no exec

transport preferred none

transport input all

!

line vty 0 4

logging synchronous

transport input ssh  < Allow only SSH from outside. Some might decide to use SELF zone for Zone Based Firewall to control management traffic, but I find it unnecessary. You might also experience problems with SSL VPN and PPTP if you do that.

!

ntp server 173.203.122.111

!

crypto key generate rsa modulus 2048   < Non-configuration command. Don't forget to do this to enable SSH server on the router.

!

webvpn gateway ssl  < SSL VPN configuration; as soon as you enter this mode, IOS will create a self-signed certificate on the router

ip address X.X.X.X port 443  < Router's external IP. Not possible if router is using external DHCP.

http-redirect port 80  < Redirect port 80 to 443 for convenience

ssl trustpoint TP-self-signed-709273033

inservice  < Enable SSL VPN

!

webvpn install svc flash:/webvpn/anyconnect-win-3.0.1047-k9.pkg sequence 1   < Install AnyConnect packages for Windows, Mac OS X, Linux 32-bit and Linux 64-bit. You need to download these packages from Cisco.com

!

webvpn install svc flash:/webvpn/anyconnect-macosx-i386-3.0.1047-k9.pkg sequence 2

!

webvpn install svc flash:/webvpn/anyconnect-linux-3.0.1047-k9.pkg sequence 3

!

webvpn install svc flash:/webvpn/anyconnect-linux-64-3.0.1047-k9.pkg sequence 4

!

webvpn context sslvpn

ssl authenticate verify all

!

login-message "Welcome to XYZ SSL VPN Service"

!

policy group sslvpn

   functions svc-required  < Disable clientless web vpn

   timeout idle 3600

   timeout session 86400

   svc address-pool "vpnpool"

   svc default-domain "DOMAIN.com"

   svc keep-client-installed

   svc mtu 1200

   svc split include 10.0.20.0 255.255.255.0  < Allow anyconnect to split tunnel

   svc dns-server primary 4.2.2.2

virtual-template 10  < Using virtual template for SSL VPN to simplify zone based firewall configuration

default-group-policy sslvpn

aaa authentication list default

gateway ssl

inservice

!

end

Built-in AP

ROUTER_NAME#service-module wlan-ap 0 session

Trying 10.0.20.254, 2002 ... Open

Connecting to AP console, enter Ctrl-^ followed by x,

then "disconnect" to return to router prompt

Authorized access only!

User Access Verification

Username: ROUTERADMIN      < This is ROUTERADMIN from the router's configuration

Password:

Welcome to wireless access point! Please login again! < MOTD Banner on the AP

User Access Verification

Username: ROUTERADMIN      < This is ROUTERADMIN from the AP's configuration

Password:

AP#sh run

Building configuration...

version 12.4

service timestamps debug datetime msec localtime show-timezone

service timestamps log datetime msec localtime show-timezone

service password-encryption

!

hostname AP

!

logging buffered 20000 debugging

enable secret <ENABLE PASSWORD>

!

aaa new-model

!

!

aaa authentication login default local

aaa authorization console

aaa authorization exec default local

!

aaa session-id common

clock timezone CST -6

clock summer-time CDT recurring

!

!

dot11 syslog

!

dot11 ssid WIRELESS_SSID

   authentication open

   authentication key-management wpa version 2    < Enforce WPA2

   guest-mode    < Broadcast SSID

   wpa-psk ascii WPA_PASSWORD     < WPA2 Password

!

!

!

username ROUTERADMIN privilege 15 password PASSWORD

!

!

bridge irb

!

!

interface Dot11Radio0

no ip address

no ip route-cache

!

encryption mode ciphers aes-ccm

!

ssid WIRELESS_SSID

!

speed  basic-6.0 basic-9.0 basic-12.0 basic-18.0 basic-24.0 basic-36.0 basic-48.0 basic-54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11. m12. m13. m14. m15.   < Disable 802.11b clients

station-role root ap-only

bridge-group 1

bridge-group 1 subscriber-loop-control

bridge-group 1 block-unknown-source

no bridge-group 1 source-learning

no bridge-group 1 unicast-flooding

bridge-group 1 spanning-disabled

!

interface GigabitEthernet0

description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router

no ip address

no ip route-cache

bridge-group 1

no bridge-group 1 source-learning

bridge-group 1 spanning-disabled

!

interface BVI1

ip address 10.0.20.253 255.255.255.0 < AP's management IP

no ip route-cache

!

ip default-gateway 10.0.20.254

no ip http server

no ip http secure-server

ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag

bridge 1 route ip

!

!

banner motd ^Welcome to wireless access point! Please login again!^

!

line con 0

logging synchronous

no activation-character

line vty 0 4

logging synchronous

line vty 5 15

logging synchronous

Comments
Community Member

Having trouble getting version 15.1 to work with (aaa authorization network default group radius local); it works in 12.4. Anyone willing to share their reply-attributes?
