
Genius needed - Easy VPN Configuration on 881W

ROBERT ISAACS
Level 1

I know nothing more than to get to the point:

Business need:

1) I need to go to another company with some cohorts and work from that site for a while.

2) There will be several laptops involved and a couple of printers.

Technical need:

1) I know that I can use my current VPN methodology to get back to my company's internal network. We have been using the Cisco VPN client back to an old VPN3005 concentrator for years (Yes we are going to replace it soon with an ASA device but not quite yet). And I know that we could hook up the printers to a couple of laptops and network them. Where we will be working has Internet access via a T1 and they will allow us out through their LAN.

2) What I would like to be able to do is this.

               . Put a series 800 series VPN router in place at the site we are going.

               . Plug this 800 series device into that company's internal LAN via the WAN connection.

               . Plug my laptops and printers into the VPN router on the LAN ports making them be on the network.

               . My preference would be to have a DHCP scope that coincides with my subnetted class B private network schema.

               . Direct all of these devices back to my VPN3005 and be able to print reports on the printers at the remote site where I will be working through my Oracle system here at the Home Office.

3) I don't know the IP setup for the other location but I do know that when I get Internet Access from them my current VPN situation works just fine.

4) I have been told that I can do this with Easy VPN in a certain mode but I have no idea how to configure it.

5) I have a Cisco 881w that I can test with.

Any help will be greatly appreciated and I know there is someone out there that can tell me all I need to know. I am looking forward to finding said person!!!

Thanks,

RI

5 Replies

apothula
Level 1

Yes, Robert, you could use Easy VPN with Network Extension Mode (NEM) for your scenario.

Check this document out for an example and better understanding.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080808395.shtml

Regarding the DHCP scope, I would assume that you want to use an IP range in the same class B range as your office's so as to prevent any routing issues.

Be sure not to have any overlap of IP addresses or subnets.

Avinash,

     First of all let me thank you for the quick reply. I appreciate it very much. I downloaded the document you sent and then went to another document that it pointed to on EzVPN with NEM on IOS Router with VPN 3000 Concentrator Configuration Example.

     That document has a nice diagram on the second page that gives you an overview of the network. It is showing that the external or public interface to the Internet on the concentrator is 172.16.172.41 and that the external interface on the router on the other side of the Internet connection is 172.23.172.46. This is obviously not a 30 bit subnet mask network. My VPN is on a 30 bit subnet mask (255.255.255.252). So I have only 2 addresses to work with and they are both taken. Is that going to kill my ability to configure this solution?

     A second question is the DHCP scope on the 881. I was going to set that up as a private subnetted class B address on for example 172.23.20.0 network with a 24 bit subnet mask. In this scenario my Home Office LAN (where the concentrator is, servers, and all are) is on a 172.23.1.0 network with a 24 bit subnet mask also. Is that the wrong way to do that or can I put in routes on both ends to handle it?

Thanks,

RI

Robert,

"My VPN is on a 30 bit subnet mask (255.255.255.252)." Could you please throw a little more light on this statement?

The DHCP scope you chose is fine, should not be an issue as long as the 172.23.20.0/24 is not being used in the N/W at the concentrator.

To be true, I guess you could set up a Site to Site VPN between your 881 and the concentrator and it is way more easy from a configuration standpoint.

For this all you need is your partner to allow a static translation for your 881 IP address and allow UDP 500, 4500 and ESP packets to your Router.

Avinash.

Hello Avinash,

     What I was trying to say is that I have a Public IP address range that only has two IP addresses that can be used. There are four addresses of course. The first is the network, addresses 2 and 3 can be used, and address 4 is the broadcast address. I am sure you are very familiar with that, I just didn't explain myself very well. One of the usable addresses is currently being used for the VPN3005 itself and the other is being used on the router port that the VPN Concentrator is attached to.

     That works fine for my current situation where my remote users have Cisco VPN Client software and create a tunnel into the concentrator. But I will have several devices at the remote site I will be working from and I had hoped to just be able to plug into one device and have an instant network at that site. I know that I could create a LAN to LAN connection but I would like to use the EasyVPN connection in Network Extension Mode if I can.

     My concern is that the Cisco article I was looking at showed the 800 series router having an external IP address that was in the same network space as the device on the other end (in my case the concentrator). This would be a great problem for me since I don't own the space and if I change the IP addressing scheme on the concentrator I have many many remote users that would have to be changed or they could no longer access my internal network. I hope I have answered your question.

Thanks,

Robert

Robert,

That was just a configuration example and just explains how things work over Easy VPN.

It isn't necessarily required that the EZVPN server and Client be in the same address range.

Avinash.
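
An Easy VPN Remote configuration for the 881W in Network Extension Mode, matching the scenario discussed in this thread. This is an added example, not configuration posted by any participant or taken from the linked Cisco document. Assumptions: the WAN port takes its address by DHCP from the partner's LAN, the concentrator's public address is shown as the placeholder 192.0.2.1, and the profile name, group name and group key are placeholders.

```cisco
! Constructed example. Names, key and peer address are placeholders.
! DHCP scope from the thread: 172.23.20.0/24, which must not be in use
! anywhere behind the concentrator (home office LAN is 172.23.1.0/24).
ip dhcp excluded-address 172.23.20.1 172.23.20.10
!
ip dhcp pool REMOTE-LAN
 network 172.23.20.0 255.255.255.0
 default-router 172.23.20.1
!
! Easy VPN Remote profile. The peer is the concentrator's existing public
! address; the 881's own outside address does not need to be in that range.
crypto ipsec client ezvpn HOME-OFFICE
 connect auto
 group EXAMPLE-GROUP key EXAMPLE-GROUP-KEY
 mode network-extension
 peer 192.0.2.1
 xauth userid mode interactive
!
! WAN port of the 881W, plugged into the partner company's LAN.
interface FastEthernet4
 description Outside - partner LAN
 ip address dhcp
 crypto ipsec client ezvpn HOME-OFFICE
!
! LAN switch ports (FastEthernet0-3) are members of Vlan1 by default.
interface Vlan1
 description Inside - laptops and printers
 ip address 172.23.20.1 255.255.255.0
 crypto ipsec client ezvpn HOME-OFFICE inside
```

With `xauth userid mode interactive` the router does not store a user password; the tunnel comes up after the credentials are entered with `crypto ipsec client ezvpn xauth`. The group on the concentrator must permit network extension mode, and the home office network needs a route for 172.23.20.0/24 pointing at the concentrator.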
