VPN on Cisco 1751

Anand Narayana
Level 6

Hi,

I have a Cisco 1751 with the IPsec IOS, having 2 Ethernet ports. Now I want to have a VPN server on this router, so how do I configure it? The requirement is that one port will have a public IP and the other port will have a private IP pointing towards my LAN. I want to access the office LAN from my WinXP laptop at home, which has a broadband connection; by connecting to the public IP of the router I will be accessing my office LAN, and I get a private IP defined in the pool on the router. So how do I configure this? Earlier I was using a Windows 2000 server, which is working fine, but now I have decided to put a router in its place.

3 Replies

arvindchari
Level 3

Hi Anand

There are several steps to configure a VPN connection between a router and a PC.

I'm listing below a sample template of a config that I usually build on:

Router1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router1(config)#aaa new-model
Router1(config)#aaa authentication login default group tacacs+
Router1(config)#aaa authentication enable default group tacacs+
Router1(config)#tacacs-server host 172.25.1.1
Router1(config)#tacacs-server key xxx
Router1(config)#crypto isakmp policy 10
Router1(config-isakmp)#encryption 3des
Router1(config-isakmp)#authentication pre-share
Router1(config-isakmp)#group 2
Router1(config-isakmp)#exit
Router1(config)#crypto ipsec transform-set VPN-TRANSFORMS ah-sha-hmac esp-sha-hmac esp-3des
Router1(cfg-crypto-trans)#mode tunnel
Router1(cfg-crypto-trans)#exit
Router1(config)#crypto dynamic-map VPN-USER-MAP 50
Router1(config-crypto-map)#description A dynamic crypto map for VPN users
Router1(config-crypto-map)#match address 115
Router1(config-crypto-map)#set transform-set VPN-TRANSFORMS
Router1(config-crypto-map)#exit
Router1(config)#access-list 115 deny ip any 224.0.0.0 15.255.255.255
Router1(config)#access-list 115 deny ip any 172.25.1.255 0.0.0.0
Router1(config)#access-list 115 permit ip any any
Router1(config)#crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
Router1(config)#interface FastEthernet0/1
Router1(config-if)#ip address 172.25.1.5 255.255.255.0
Router1(config-if)#crypto map CRYPTOMAP
Router1(config-if)#end
Router1#

I will try to explain the above to my best abilities.

1. Set up the ISAKMP policy using the crypto isakmp policy command and select your encryption, authentication and group.

2. After doing this, we need to define the IPSec VPN properties. We begin by defining the transform set that we want to use for these VPN connections. We will call this transform set VPN-TRANSFORMS. The VPN will use the esp-sha-hmac and esp-3des transforms.

3. Because the workstation could, in principle, be anywhere on the Internet, we can't even define an IP address for it. But, to use IPSec on a Cisco router, we need to create a crypto map, which is a template for the SA that IPSec will use for this session. So in this case we are using a dynamic map statement, "crypto dynamic-map VPN-USER-MAP 50".

4. This creates a dynamic map called VPN-USER-MAP. The number (50) on the end of the line is a sequence number, similar to the sequence numbers used in route map statements.

5. The access list here blocks any packets whose destination addresses are either multicasts or local broadcasts. Obviously this type of traffic cannot possibly be associated with a VPN.

6. We can then build the actual crypto map that references this dynamic map.

7. You apply the crypto map to the interface that will be receiving the VPN requests.

As you can see there are quite a few considerations involved.

HTH

Please rate posts that help

Regards

Arvind

Thanks for the reply. For authentication you have specified TACACS; instead of TACACS authentication, I can also use the local user created on the router itself, isn't it?

Yes you may use any mode of authentication you desire including local authentication.

HTH

Please rate posts that help

Regards

Arvind
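A complete configuration for the scenario asked about in the original post (a Cisco IOS router terminating remote-access IPsec from a single PC, with the client receiving an address from a pool and users checked against the router's local database instead of TACACS+), as an added example that is not Arvind's template or any other code from this thread. It uses the IOS Easy VPN Server feature (an ISAKMP client configuration group with XAuth and mode-config), which is what actually hands a pool address to the client; a plain dynamic crypto map, as in the template above, has no mechanism for that and also needs a pre-shared key or certificate before any peer can complete IKE phase 1. Hostname, interface names, addresses, the user name, the group name, all keys and the use of NAT are assumptions for the example. Note that the client built into Windows XP speaks PPTP and L2TP/IPsec, not this IKE mode-config style, so this is the configuration the Cisco VPN Client connects to.

```cisco
! Added example (not from the thread). All names, addresses and keys are
! placeholders; replace them before use.
hostname Router1
!
aaa new-model
! Local authentication for the XAuth user check and local authorization
! for the group policy, answering the question about not using TACACS+.
aaa authentication login VPN-USERS local
aaa authorization network VPN-GROUPS local
username alice secret ChangeMe-Strong-Passphrase
!
! Phase 1 (ISAKMP): 3DES/SHA/DH group 2, group pre-shared key.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Easy VPN group: the client presents this group name and key, then gets
! an address from VPN-POOL via mode-config. ACL 120 is the split-tunnel
! list (only office LAN traffic goes through the tunnel).
crypto isakmp client configuration group OFFICE-VPN
 key ChangeMe-Group-Key
 pool VPN-POOL
 acl 120
!
ip local pool VPN-POOL 192.168.100.1 192.168.100.50
!
! Phase 2 (IPsec) transform set.
crypto ipsec transform-set VPN-TRANSFORMS esp-3des esp-sha-hmac
!
! Dynamic map for clients whose public address is unknown in advance.
! reverse-route installs a route to each connected client's pool address
! so return traffic from the LAN is steered into the tunnel.
crypto dynamic-map VPN-USER-MAP 50
 set transform-set VPN-TRANSFORMS
 reverse-route
!
crypto map CRYPTOMAP client authentication list VPN-USERS
crypto map CRYPTOMAP isakmp authorization list VPN-GROUPS
crypto map CRYPTOMAP client configuration address respond
crypto map CRYPTOMAP 10 ipsec-isakmp dynamic VPN-USER-MAP
!
! Split-tunnel ACL: networks reachable through the tunnel.
access-list 120 permit ip 172.25.1.0 0.0.0.255 any
!
! If this router also NATs the office LAN to the Internet (assumed here),
! replies to the VPN pool must be excluded from NAT or they are translated
! before encryption and never match the IPsec SA.
access-list 110 deny   ip 172.25.1.0 0.0.0.255 192.168.100.0 0.0.0.255
access-list 110 permit ip 172.25.1.0 0.0.0.255 any
ip nat inside source list 110 interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 description Public (ISP) side; VPN terminates here
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map CRYPTOMAP
!
interface FastEthernet0/1
 description Private (office LAN) side
 ip address 172.25.1.5 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 203.0.113.1
```

Two things to check after a client connects: show crypto isakmp sa should list the client's public address in state QM_IDLE, and show crypto ipsec sa should show the pkts encaps/decaps counters climbing for that peer. If an inbound access list is applied to the public interface, it must permit UDP 500, UDP 4500 (NAT traversal, which a home broadband connection behind a NAT gateway will need) and IP protocol 50 (ESP) to the router's public address. Drop the acl line from the group to send all client traffic through the tunnel instead of split-tunnelling.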
