VPN - between Win 3.X client, router (IOS 12.2, 1721), intranet

thomas.schmidt
Level 1

Hello,

I now have a running version of a VPN between a 1721 router and a Windows Cisco 3.X VPN client in a test environment.

The topology of the network is like this:

|Win 3.x VPN Client|----|Simulated www|----|fe0 <router> e1|----|Intranet|

The configuration is really close to this example:

http://www.cisco.com/warp/customer/471/ios-unity.html

Most things work fine. Authentication and logon work.

The VPN client gets a private IP from the pool. The VPN client can ping hosts located in the intranet.

The problem is now that EVERYBODY can connect to the intranet.

He must only have a valid IP address from the pool. Access lists don't help there.

For example:

Client's IP is 172.16.16.93/19

Router's fe0 IP is 172.16.12.20/19

Router's e1 IP is 192.168.1.1/24

Intranet's Address is 192.168.1.0/24

VPN IP Pool is 192.168.4.1/24 - 192.168.4.10/24

Routes are set correctly.

Access lists allow only the 192.168.4.0 net to connect to the 192.168.1.0 net.

When the client logs on, he gets an IP from the pool (e.g. 192.168.4.1),

and can connect to a host in the intranet.

At this point everything seems to be fine ....

Now I use a host in the "www" or extranet, set the IP on this host to one from the pool (e.g. 192.168.4.2), set a gateway route for this net to the router

(route add 192.168.1.0 MASK 255.255.255.0 172.16.12.20)

and can connect to this network. Without any authentication - nothing ...

OK - on the internet - IP spoofing is not easy - but possible - and using IPs from the private pool doesn't make it really secure ...

Is there a possibility to do authentication also for the intranet - not only for the VPN?

Or a possibility to create a tunnel device on the VPN connection - or something like that - that is then allowed to connect to the intranet?

What is the best strategy there?

Thanks for helping a CISCO newbie

regards

Thomas Schmidt
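Thomas's test shows why an access list that keys only on the pool source address cannot tell tunnel traffic from a cleartext packet that merely claims a pool address. As an added example (not from the thread or the cisco.com sample config), the defender's alternative is to admit on fe0 only the IKE and ESP a client actually sends and to reject cleartext that already carries an inside or pool source; the ACL names, the IOS interface names and the no-recheck-after-decryption behaviour stated in the comments are assumptions.

```ios
! Added example (not from Thomas's post or the cisco.com sample config).
! Addresses are the ones given in the thread; ACL names and the interface
! names FastEthernet0 / Ethernet1 for "fe0" / "e1" are assumed.
! Assumption: this IOS release applies the inbound ACL on fe0 only to the
! packet as it arrives on the wire, not a second time after IPsec
! decryption. On a release that re-checks decrypted packets, the deny
! lines below would also drop tunnel traffic; a rising counter on them in
! "show access-lists" while a legitimate client is connected shows that.
!
! fe0: the only cleartext a remote client legitimately sends is IKE and
! ESP addressed to the router itself. A cleartext packet that already
! carries a pool or intranet source has not come through the tunnel.
ip access-list extended OUTSIDE-IN
 permit udp any host 172.16.12.20 eq isakmp
 permit esp any host 172.16.12.20
 deny   ip 192.168.4.0 0.0.0.255 any log
 deny   ip 192.168.1.0 0.0.0.255 any log
 deny   ip any any log
!
! e1: state the intended policy where the decrypted traffic actually
! leaves the router, so that only pool addresses reach the intranet.
ip access-list extended TO-INTRANET
 permit ip 192.168.4.0 0.0.0.255 192.168.1.0 0.0.0.255
 deny   ip any any log
!
interface FastEthernet0
 ip address 172.16.12.20 255.255.224.0
 ip access-group OUTSIDE-IN in
!
interface Ethernet1
 ip address 192.168.1.1 255.255.255.0
 ip access-group TO-INTRANET out
```

As written, both access lists admit nothing but VPN traffic; if intranet hosts also reach the "www" through fe0, their return traffic has to be permitted ahead of the final deny lines.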

1 Reply

awaheed
Cisco Employee

Hi Thomas,

You should be able to use AAA to set up authentication for the Intranet clients.

Some of the links that would help:

http://www.cisco.com/warp/public/480/http-3.html

Regards,

Aamir