Need to understand the connectivity of VPN 3005 box with Cisco 1720 router running FW feature set
I will have a 1720 router running the FW feature set. I have one public IP address on the WAN interface, and that is 188.8.131.52. Now I would like to add a VPN 3005 Concentrator box so mobile users can access the company's network.
We are using 192.168.42.0 on the LAN. So I mean, can I have 192.168.42.1 on the router's Ethernet interface connected directly to the VPN box, which can be 192.168.42.2, and the other interface of the VPN box can have 192.168.42.3, connected to the switch where all the users are connected?
I mean, would this configuration allow people inside the network to go out and browse the web, and would it also allow mobile users to connect to the corporate network via VPN and access network resources?
Can someone explain to me how the traffic will flow from the VPN client machine all the way up to the network, and which IP address we need to configure on the VPN client machines?
Can client machines have one authentication from the Windows domain controller so they don't log on with different passwords? Can they be authenticated with a single password with the above-mentioned config? Can someone explain how the authentication will work and how we can set it up, step by step?
In response to your question, please note that the scenario as presented in your question is, in essence, workable; however, this is dependent on the number of users tunneling through your network, as well as the security policy in place.
Following is an overview of how to configure the Cisco VPN 3000 Client to the VPN 3000 Concentrator with Microsoft Windows NT Domain Authentication.
This scenario demonstrates how to configure the Cisco VPN 3000 Concentrator to authenticate Cisco VPN 3000 clients to an external Microsoft Windows NT Domain server. If multiple NT Domain servers are specified, the first server listed is the primary server; the rest are backup servers in the event the primary server is inoperative after a configurable number of retries (0-10) and seconds (1-30). To have authentication to multiple NT domains, set up a trust relationship in NT, with one NT Domain server listed in the VPN 3000. All requests go to the single NT Domain server, which forwards the request to the appropriate trusted PDC in the specified domain.
If only one NT Domain server, 184.108.40.206 (FOO=netbios name, domain=ANYWHERE), is listed in the VPN 3000 Concentrator, but a trust relationship is set up in Windows NT, requests go to 220.127.116.11 (FOO), which services user requests itself or forwards requests for other users to 18.104.22.168 (PDCAPPS).
Configure the VPN 3000 Concentrator to Authenticate Clients to an External Windows NT Server
Test with local authentication.
Add the Windows NT domain server to concentrator.
Test concentrator to Windows NT domain server.
Change the group to point to Windows NT domain server.
Test the VPN 3000 Client to the VPN 3000 Concentrator with Windows NT.
Test to be sure that VPN 3000 client authentication and encryption to the internal VPN 3000 database works before adding authentication to a Windows NT domain server.
Add the NT domain server to the VPN 3000 Concentrator authentication server list. For a trust relationship, you may need to increase the timeout (the default is a 4 second timeout and 2 retries).
Test the NT domain server authentication from the VPN 3000 Concentrator. For example, we formed an NT trust relationship between 22.214.171.124 and 126.96.36.199 with one server listed. The authentication was tested by entering:
(user on 188.8.131.52)
User Name: vpnuser
User Name: ANYWHERE\vpnuser
(user on 184.108.40.206)
User Name: APPS\appsuser
Configure the VPN 3000 group to point to the NT domain for authentication.
Test the VPN 3000 client to the VPN 3000 Concentrator. The VPN 3000 client should be able to connect to the VPN 3000 Concentrator at this point. If there are problems, see Debug the Configuration and Bad Debug - VPN 3000 Concentrator to NT.
Debug the Configuration
Turn on VPN 3000 Concentrator debugging by selecting:
Configuration > System > Events > Classes > Add
Include AUTH, AUTHDBG, AUTHDECODE with:
Severity to Log = 1-9
Severity to Console = 1-3
In Windows NT, enable the audit facility:
Examine the VPN 3000 Concentrator debug by selecting: