Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Community Member

Trying to configure a 2801 to let in VPN client PC's

Hey there,

I need to configure my router to let a couple PC's get into my LAN remotely so we can do remote main. I have Cisco VPN client software and a SEC image on my router.

I tried SDM to make VPN work but it screwed up my NAT entries and all my users lost internet access!! :(

Please have a look at my config. If you can give me any hints on what my it should look like to allow a few clients past my nat?

This config works with voice and remote access.

I'll be using it as a marker before I implement

VPN.

sh run

Building configuration...

Current configuration : 2895 bytes

!

version 12.4

service timestamps debug datetime msec

service timestamps log datetime msec

no service password-encryption

!

hostname BD2801

!

boot-start-marker

boot system flash c2801-adventerprisek9-mz.124-17.bin

boot-end-marker

!

logging buffered 51200 warnings

!

aaa new-model

!

!

!

aaa session-id common

ip cef

!

!

!

voice-card 0

!

!

voice call carrier capacity active

voice rtp send-recv

voice dsp release early

!

voice service voip

fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco

!

!

!

fax interface-type fax-mail

!

!

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

description Starboard Stratos VSAT$FW_OUTSIDE$

ip address 10.20.46.20 255.255.255.0

ip nat outside

ip virtual-reassembly

no ip mroute-cache

speed 100

full-duplex

!

interface FastEthernet0/3/0

!

interface FastEthernet0/3/1

!

interface FastEthernet0/3/2

!

interface FastEthernet0/3/3

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.49.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

interface Dialer0

no ip address

!

router eigrp 1

network 192.168.49.0

auto-summary

!

ip local pool vpn_pool_1 192.168.50.150 192.168.50.151

ip default-gateway 10.20.46.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.20.46.1

!

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0

ip nat inside source list 1 pool MADNATPOOL overload

!

access-list 1 permit 192.168.0.0 0.0.255.255

!

!

!

control-plane

!

!

!

voice-port 0/2/0

echo-cancel coverage 32

no comfort-noise

cptone GB

timeouts interdigit 3

music-threshold -70

!

voice-port 0/2/1

echo-cancel coverage 32

no comfort-noise

cptone GB

timeouts interdigit 3

music-threshold -70

!

ccm-manager mgcp

!

mgcp

mgcp call-agent 10.129.48.11 service-type mgcp version 0.1

mgcp dtmf-relay voip codec all mode nse

mgcp codec g729r8 packetization-period 60

mgcp playout adaptive 100 50 200

mgcp playout fax 500

no mgcp timer receive-rtcp

mgcp timer net-cont-test 1000

mgcp timer nse-response t38 1000

mgcp sdp simple

no mgcp fax t38 ecm

mgcp fax t38 nsf 000000

!

mgcp profile default

!

!

dial-peer cor custom

!

!

!

dial-peer voice 1 pots

service mgcpapp

port 0/2/0

!

dial-peer voice 2 pots

service mgcpapp

port 0/2/1

!

gateway

timer receive-rtp 1200

!

!

!

call-manager-fallback

max-conferences 4 gain -6

ip source-address 10.20.46.20 port 2000

max-ephones 24

max-dn 24

!

!

line con 0

line aux 0

line vty 0 4

privilege level 15

transport input telnet ssh

line vty 5 15

privilege level 15

transport input telnet ssh

!

scheduler allocate 20000 1000

end

18 REPLIES

Re: Trying to configure a 2801 to let in VPN client PC's

You have forgotten to include the VPN config?

follow the below config example:-

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_configuration_example09186a00806ad10e.shtml

If this is not specific or does not fit - the below link has all config examples for your platform:-

http://www.cisco.com/en/US/products/ps5854/prod_configuration_examples_list.html

HTH>

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

Thanks for the reply! Ok so now I have a working VPN scenario.

My VPN Client can now get to some areas of my inside network.

I need to make sure NAT lets me get to all of my internal lan that is behind the router.

Can anyone help me adjust my NAT?

inet--> 10.20.46.20(router)192.168.49.1-->168.192.49.2(L3 3560 switch)192.168.50.0

192.168.51.0

192.168.52.0

etc.

Here's the router config.

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.20.46.1 10.20.46.30

!

ip dhcp pool S_LAN

network 10.20.46.0 255.255.255.0

default-router 10.20.46.1

dns-server

!

!

ip domain name ocean-group.net

ip name-server

ip name-server

!

!

voice-card 0

!

!

voice call carrier capacity active

voice rtp send-recv

voice dsp release early

!

voice service voip

fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco

!

!

crypto pki trustpoint TP-self-signed-3884018817

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3884018817

revocation-check none

rsakeypair TP-self-signed-3884018817

!

crypto pki certificate chain TP-self-signed-3884018817

certificate self-signed 0D

quit

fax interface-type fax-mail

archive

log config

hidekeys

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group madsummer

key v@ncouver

pool SDM_POOL_1

include-local-lan

max-users 10

netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

match identity group madsummer

client authentication list sdm_vpn_xauth_ml_1

isakmp authorization list sdm_vpn_group_ml_1

client configuration address respond

virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!

interface Loopback0

ip address 194.217.5.38 255.255.255.255

!

interface FastEthernet0/1

description Starboard Stratos VSAT$FW_OUTSIDE$

ip address 10.20.46.20 255.255.255.0

ip nat outside

ip virtual-reassembly

no ip mroute-cache

speed 100

full-duplex

!

interface FastEthernet0/3/0

!

interface FastEthernet0/3/1

!

interface FastEthernet0/3/2

!

interface FastEthernet0/3/3

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.49.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

router eigrp 1

network 192.168.0.0

network 192.168.49.0

auto-summary

!

ip local pool SDM_POOL_1 10.20.46.200 10.20.46.220

ip default-gateway 10.20.46.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.20.46.1

!

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0

ip nat inside source list 1 pool MADNATPOOL overload

access-list 1 permit 192.168.0.0 0.0.255.255

Re: Trying to configure a 2801 to let in VPN client PC's

why have you configured the VPN pool out of 10.x.x.x IP addresses?

I would use a 192.168.x.x address pool, then configure my nat something like

access-list 101 deny ip 192.168.x.x 0.0.255.255 192.168.x.x 0.0.0.255

access-list 101 permit 192.168.0.0 0.0.255.255

ip nat inside source list 101 pool MADNATPOOL overload

HTH?

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

Well actually my Public IP is something different than my outside router interface. My ISP dropped the VPN down on the 10.20.46.20. The good thing is that now I can get in. But I can't get full roam of all my vlans... although I can get all over one of them 192.168.50.0

I would like to terminate the vpn on an inside address but I'm afraid!

Will those entries you gave me affect any of my users leaving from my network?

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

Is it possible to create the vpn pool on a subnet that isn't on the router? If I could get my vpn sent in past the router outside int 10.20.46.20 past the inside int of 192.168.49.1 and to plop it down inside my L3 switch on the 192.168.50.0 network.

How can I help you help me? :)

I'm going grey over here.

Re: Trying to configure a 2801 to let in VPN client PC's

You can give the VPN pool and IP address of 192.168.254.0/24 - as long as the router, and the internal layer 3 routing device know that 192.168.254.0/24 is on the 2801 - no issues.

It's then a simple matter of routing!

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

I'm not sure how to get that address on the router only because I don't have any more interfaces I can use. I think I misunderstood.

Do I need to use a seperate subnet for the vpn clients or can I have them join an existing vlan the switch is routing?

I can post the switch config if you felt like looking at them.

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

I have the private network 192.168.49.0 and the only hosts on it are the router's internal int and the switch's (I'll call it) outside interface.

Could I plop the VPN users down into there with say a pool of 192.168.49.5 to 192.168.49.10?

Re: Trying to configure a 2801 to let in VPN client PC's

whoa - hold on mate.

You do not need to have a physical interface for VPN users. If you terminate the VPN on the outside interface (which is the norm) then you assign the VPN users an IP address from say 192.168.254.0/24 - the router KNOWS that this is a local pool.

The traffic from the VPN clients will enter the network with a 192.168.254.x address, from the routers inside interface. For this to work all you have to do, is make SURE the rest of your internal network knows that 192.168.254.0/24 lives on the router, just like a static route.

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

OK! :) sorry about that.

So here's what I'm going to do.

Change

ip local pool SDM_POOL_1 10.20.46.200 10.20.46.220

to

ip local pool SDM_POOL_1 192.168.254.200 192.168.254.220

and that's it?

Whew! that sounds easy as pie!

Would the routing already be covered by

router eigrp 1

network 192.168.0.0?

Or do I need to put a static route of maybe

ip route 192.168.0.0 255.255.0.0 10.20.46.20

I'm kinda shooting in the dark right now. Sorry about my ignorance.

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

Hey hey!

It worked. It's funny how less scary things are once you've seen them work once.

I'm able to now get to all the hosts I need to manage remotely.

Now I'm onto the next tasks. QoS :(

I'll be trying to give the client full bandwidth when it connects to do the maint.

See you in the other forums.

You rock, Andrew!

Thanks a lot. I mean it.

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

Crap!!!!

I thought everything worked until we found the voice stopped working.

Everytime I entered:

interface Loopback0

ip address 214.27.53.58 255.255.255.255

I could only talk in one direction! :(

Is there any way around using this??? With only a couple more days. I'm really up against the wall now.

aaa authentication login default local

aaa authentication login sdm_vpn_xauth_ml_1 local

aaa authorization exec default local

aaa authorization network sdm_vpn_group_ml_1 local

!

aaa session-id common

ip cef

!

!

no ip dhcp use vrf connected

ip dhcp excluded-address 10.20.46.1 10.20.46.30

!

ip dhcp pool Stratos_LAN

network 10.20.46.0 255.255.255.0

default-router 10.20.46.1

dns-server 158.152.1.58 158.152.1.43

!

!

!

!

voice-card 0

!

!

voice call carrier capacity active

voice rtp send-recv

voice dsp release early

!

voice service voip

fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco

!

!

crypto pki trustpoint TP-self-signed-3884018817

enrollment selfsigned

subject-name cn=IOS-Self-Signed-Certificate-3884018817

revocation-check none

rsakeypair TP-self-signed-3884018817

!

!

crypto pki certificate chain TP-self-signed-3884018817

certificate self-signed 0D

3082023E 308201A7 A0030201 0202010D 300D0609 2A864886 F70D0101 04050030

31312F30 2D060355 04031326 494F532D

quit

fax interface-type fax-mail

username privilege 15

username privilege 15

archive

log config

hidekeys

!

!

!

!

crypto isakmp policy 1

encr 3des

authentication pre-share

group 2

!

crypto isakmp client configuration group madsummer

key

pool SDM_POOL_1

include-local-lan

max-users 10

netmask 255.255.255.0

crypto isakmp profile sdm-ike-profile-1

match identity group mad

client authentication list sdm_vpn_xauth_ml_1

isakmp authorization list sdm_vpn_group_ml_1

client configuration address respond

virtual-template 1

!

!

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

!

crypto ipsec profile SDM_Profile1

set transform-set ESP-3DES-SHA

set isakmp-profile sdm-ike-profile-1

!

!

!

!

!

interface Loopback0

ip address 214.27.53.58 255.255.255.255

!

interface FastEthernet0/0

no ip address

shutdown

duplex auto

speed auto

!

interface FastEthernet0/1

description Starboard Stratos VSAT$FW_OUTSIDE$

ip address 10.20.46.20 255.255.255.0

ip nat outside

ip virtual-reassembly

no ip mroute-cache

speed 100

full-duplex

!

interface FastEthernet0/3/0

!

interface FastEthernet0/3/1

!

interface FastEthernet0/3/2

!

interface FastEthernet0/3/3

!

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

!

interface Vlan1

description $FW_INSIDE$

ip address 192.168.49.1 255.255.255.0

ip nat inside

ip virtual-reassembly

!

router eigrp 1

network 192.168.0.0

network 192.168.49.0

auto-summary

!

ip local pool SDM_POOL_1 192.168.254.160 192.168.254.170

ip default-gateway 10.20.46.1

ip forward-protocol nd

ip route 0.0.0.0 0.0.0.0 10.20.46.1

!

!

ip http server

ip http authentication local

ip http secure-server

ip http timeout-policy idle 600 life 86400 requests 10000

ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0

ip nat inside source list 1 pool MADNATPOOL overload

!

access-list 1 permit 192.168.0.0 0.0.255.255

Re: Trying to configure a 2801 to let in VPN client PC's

Errrm why are you configuring a loopback on an internal virtual interface with an external IP address - that relates to voice?

The way around it is - do not configure the loopback interface?

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

Oh man is it nice to see your reply.

I was just going to remove the loopback until I saw:

interface Virtual-Template1 type tunnel

ip unnumbered Loopback0

tunnel mode ipsec ipv4

tunnel protection ipsec profile SDM_Profile1

I don't really know how it ties together but it sounds important.

They originally landed my VPN on an outside interface. Then I moved it to that 192.168.254.o network like you suggested. It worked so I thought I was in the clear.

Can I remove all the related loopback stuff?

Re: Trying to configure a 2801 to let in VPN client PC's

Virtual-Templates are not my bag to be honest but a quick search on Cisco:-

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/prod_white_paper0900aecd803645b5.html

As I read the above - to be honest as you are only using the VPN for remote client access, I would say you can remove the loopback interface config.

HTH>

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

OK,

I'll give it a try. It really sucks that I'm on the yacht right now... the WAN link is so slow that it makes it hard for me to research much.

I'll just try to remove it and see what happens.

Thanks dude.

Re: Trying to configure a 2801 to let in VPN client PC's

On a yacht huh!

Yeah I can see how that can be bad!!

Just remove the loopback interface, see what happens

Community Member

Re: Trying to configure a 2801 to let in VPN client PC's

I needed to get off the boat to come to a place where I could test remotely.

It timed out... I'm not sure if that's because of the lack of loopback or what.

So I wiped it out and now I may have opened up another can of worms with the crypto pki chain... it looks different now. I'm not sure if my client is expecting to use the previously generated key.

Time to read again... wow this is hard.

376
Views
5
Helpful
18
Replies
CreatePlease to create content