Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

VPN - between Win 3.X client, router (IOS 12.2, 1721), intranet

Hello,

i've now a running version for a VPN between a 1721 router and a Windows Cisco 3.X VPN client in a test environment.

Topology of network is like this:

|Win 3.x VPN Client|----|Simulated www|----|fe0 <router> e1|----|Intranet|

configuration is realy near to this example:

http://www.cisco.com/warp/customer/471/ios-unity.html

Most things works fine. Authentication, logon works.

VPN Client gets private IP from Pool. VPN can ping hosts located in Intranet.

The problem is now, that EVERYBODY can connect to the intranet.

He mus only have a valid IP address from the pool. Access Lists does'nt help there.

For Example :

Client's IP is 172.16.16.93/19

Router's fe0 IP is 172.16.12.20/19

Router's e1 IP is 192.168.1.1/24

Intranet's Address is 192.168.1.0/24

VPN IP Pool is 192.168.4.1/24 - 192.168.4.10/24

Routes are correct set.

access-lists allows only for 192.168.4.0 net to connect to 192.168.1.0 net.

When client logs on, he get an IP from pool (e.g. 192.168.4.1),

and can connect to a host in the intranet.

On this point everthing seems to be fine ....

Now i use a host in the "www" or extranet, and set the IP on this host to one from pool (e.g. 192.168.4.2), set a gateway route for this net to the router

(route add 192.168.1.0 MASK 255.255.255.0 172.16.12.20)

and can connect to this network. Without any authentication - nothing ...

ok - in the internet - ip spoofing is not easy - but possibe - and using IP's

from Private pool doese'nt make it realy secure ...

Is there a possibility to make authentication also for the intranet - not only for VPN?

Or a possibility to create a Tunnel device on VPN connection - or something like that - that is then alowed to connect to intranet ?

What is the best strategy there ?

thanks for helping a CISCO newbie

regards

Thomas Schmidt

1 REPLY
Cisco Employee

Re: VPN - between Win 3.X client, router (IOS 12.2, 1721), intra

Hi Thomas,

You should be able to use AAA to setup authentication for the Intranet clients.

Some of the links that would help:

http://www.cisco.com/warp/public/480/http-3.html

Regards,

Aamir

90
Views
0
Helpful
1
Replies
CreatePlease to create content