2801 VPN


Deepseadata

Technical User
Jul 10, 2008
First I want to paste this great post Burt made (in a closed thread) on how to setup VPN on a router. Then I will start to ask my stupid questions

From Burt:

Basically, you'll want a remote access VPN using IPSEC to encrypt interesting traffic and use pre-shared keys to authenticate...here's my config...
I enabled AAA and instructed the router to use the local username and password to authenticate once connected with these commands

aaa new-model
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
aaa session-id common

Then I configure the username, privilege level, and password for local access...

username xxxxxx privilege 15 secret xxxxxxxxx

I then create the isakmp (key management protocol) policy and tell the router what encryption level to use for key exchange, and what Diffie-Hellman group to use

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

I then create the group for authentication, and tell the router what the key is, group name, what IP address pool to use for the client, and netmask. I believe the "include-local-lan" lets me still have access on the client LAN when connected to the remote VPN pool

crypto isakmp client configuration group xxxxxx
key xxxxxxxx
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0

I configure a transform set for IPSEC

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

I create a dynamic map...here's an explanation from Cisco...
"A dynamic crypto map allows you to accept requests for new security associations from previously unknown peers. (However, these requests are not processed until the Internet Key Exchange authentication has completed successfully.)"

crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route

I create a map to be applied to the outgoing interface (incoming in the case of a VPN server)...these parameters are associated with the AAA login commands...

crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1

I apply this crypto map to my outgoing interface...

interface Dialer0
crypto map vpn_cmap_1

I create the local pool that will be assigned to the client once authenticated. In my case, I have my pool configured in the same pool as my LAN on the VPN server, but I exclude these addresses (VPN addresses) from being NATted back out...

ip local pool vpn_pool_1 10.69.69.69 10.69.69.70

then to exclude them in the NAT acl...

access-list 101 deny ip any 10.69.69.68 0.0.0.3
access-list 101 permit ip 10.69.69.0 0.0.0.255 any

As you can see, my LAN is 10.69.69.0/24, and the VPN addresses that will be configured on the remote client are in the same pool---acl 101 denies the two addresses from being NATted and allows all others in the range to be NATted so that my local LAN still has access to the internet. Then I create a route-map and point it to acl 101, and make the NAT inside source this route-map...

I create the route-map and associate acl 101 with it...

route-map vpn_routemap_1 permit 1
match ip address 101

The last thing in the router is to make the NAT statement...

ip nat inside source route-map vpn_routemap_1 interface Dialer0 overload

Now there's the client configuration on the remote machine. Open the client, click new, and give the connection a name, description, and host address. Mine is adsl, so I give it a dns name as configured on dyndns.org. Choose group authentication---name is the group name, and password is the key. Leave everything else at the defaults, and click save. Then you double click the named connection, and it should connect, provided a firewall doesn't block you. Once it connects to the router, it will prompt you for a username and password. The username and password are from what you configured in the router with this command...

username xxxx priv 15 secret xxxxx

Good luck.

Burt
____________________________________________

Now it's time for Deepseadata to ask some dumb ones:

Is this the setup for the server side? I was following you until we got to the incoming/outgoing interfaces.

The reason I ask is I will need to set up, at least, one client that will do remote maintenance on multiple vLANs. And internet access for testing reasons.

Will this config do that?

Because I'm very new to VPNs, I used SDM to set up my easyVPN server, then studied the CLI commands it sent to the router.

It keeps modifying my NAT entries. I think NAT is going to be the major hurdle with this task isn't it?




 
I figured I'd follow your instructions and give it a go. I'm almost at the bottom. I keep getting confused by what I should have in my NAT entries.

My outside interface is 192.168.15.224 (because it's behind a stupid Netgear router connected to our DSL line). Then I use nat to switch to.... ah screw it.

Here's a config.

sh run
Building configuration...

Current configuration : 4058 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BD2801
!
boot-start-marker
boot system flash c2801-adventerprisek9-mz.124-17.bin
boot-end-marker
!
logging buffered 51200 warnings
enable password v@ncouver
!
aaa new-model
!
!
! The crypto map below references login list my_vpn_xauth and authorization
! list my_vpn_group, so both must exist here (as posted, only a login list
! named my_vpn_group was defined, so xauth and authorization had no list).
aaa authentication login my_vpn_xauth local
aaa authorization network my_vpn_group local
!
aaa session-id common
ip cef
!
!
voice-card 0
!
!
crypto pki trustpoint TP-self-signed-3884018817
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3884018817
revocation-check none
rsakeypair TP-self-signed-3884018817
!
!
crypto pki certificate chain TP-self-signed-3884018817
certificate self-signed 01
quit
! 'password 0' stores the password in clear text; Burt's walkthrough uses 'secret'
username oceantech privilege 15 password 0 vancouver
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group madcow
key madcowkey
! must match the 'ip local pool' name defined below (as posted this read vpm_pool_1)
pool vpn_pool_1
include-local-lan
max-users 2
netmask 255.255.255.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map vpn_dynmap_1 1
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 client configuration address respond
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
!
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 192.168.15.224 255.255.255.0
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
ip address 192.168.49.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
! Dialer0 has no address and is not in use on this box; the outside interface is
! FastEthernet0/1, so the crypto map has to be applied there for clients to terminate
crypto map vpn_cmap_1
!
router eigrp 1
network 192.168.15.0
network 192.168.49.0
auto-summary
!
ip local pool vpn_pool_1 192.168.50.150 192.168.50.151
ip default-gateway 192.168.15.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.15.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 192.168.15.224 192.168.15.224 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
control-plane
!
!
voice-port 0/2/0
voice-port 0/2/1
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
password v@ncouver
transport input telnet ssh
line vty 5 15
privilege level 15
password v@ncouver
transport input telnet ssh
!
scheduler allocate 20000 1000
end
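A cross-reference check, added here as an example (not code from the thread or from Cisco), that would have flagged two mismatches in the "sh run" above: the crypto map refers to an xauth list `my_vpn_xauth` that AAA never defines (only a login list named `my_vpn_group` exists, and no authorization list at all), and the isakmp group's `pool vpm_pool_1` has no matching `ip local pool`. The excerpt is constructed from the posted lines.

```python
import re

# Constructed excerpt, modelled on the "sh run" above (not the poster's full
# config). It reproduces two mismatches visible there: the crypto map names an
# xauth list that AAA never defines, and the isakmp group's pool is misspelt.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login my_vpn_group local
crypto isakmp client configuration group madcow
 key madcowkey
 pool vpm_pool_1
crypto map vpn_cmap_1 client authentication list my_vpn_xauth
crypto map vpn_cmap_1 isakmp authorization list my_vpn_group
crypto map vpn_cmap_1 65535 ipsec-isakmp dynamic vpn_dynmap_1
crypto dynamic-map vpn_dynmap_1 1
ip local pool vpn_pool_1 192.168.50.150 192.168.50.151
"""

# For each kind of name: the line that defines it, and the line that refers to it.
DEFS = {
    "login":  re.compile(r"aaa authentication login (\S+)"),
    "authz":  re.compile(r"aaa authorization network (\S+)"),
    "pool":   re.compile(r"ip local pool (\S+)"),
    "dynmap": re.compile(r"crypto dynamic-map (\S+) \d+"),
}
REFS = {
    "login":  re.compile(r"crypto map \S+ client authentication list (\S+)"),
    "authz":  re.compile(r"crypto map \S+ isakmp authorization list (\S+)"),
    "pool":   re.compile(r"pool (\S+)$"),   # indented line inside the isakmp client group
    "dynmap": re.compile(r"crypto map \S+ \d+ ipsec-isakmp dynamic (\S+)"),
}

def check_vpn_references(config):
    """Return a problem string for every name a crypto map or isakmp client
    group refers to that nothing in the config defines."""
    defined = {kind: set() for kind in DEFS}
    referenced = {kind: [] for kind in REFS}
    for raw in config.splitlines():
        line = raw.strip()                      # IOS indents sub-mode lines
        for kind, pat in DEFS.items():
            if m := pat.match(line):
                defined[kind].add(m.group(1))
        for kind, pat in REFS.items():
            if m := pat.match(line):
                referenced[kind].append(m.group(1))
    problems = []
    for kind, names in referenced.items():
        for name in names:
            if name not in defined[kind]:
                problems.append(f"{kind} '{name}' is referenced but never defined")
    return problems

if __name__ == "__main__":
    for problem in check_vpn_references(SAMPLE_CONFIG):
        print("WARNING:", problem)
```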

 
Is the Netgear doing the NAT? If you can, I would just get a WIC-1ADSL card to do the adsl. If the netgear is NATting, then you don't need to NAT in the Cisco. Also, make sure you forward all ports in the Netgear (vpn-passthru), like 1720, 10000, etc.

Burt
 
Thanks Burt,

Actually I don't have access to the Netgear. It's been the thorn in my side all along. Someone set up this DSL line and Netgear for the previous tenant. Nobody knows the password to it, nobody knows the DSL login info.

The only info I have is the Netgear LAN and which told me the WAN IP of the netgear.

Is it possible for me to setup a VPN with that Netgear NAT in the middle?
 
Only if the Netgear forwards all VPN ports, and then remove the NAT statements from the 2801.

Burt
 
Hi Burt,

I'm going to wake this old thread I had you biting on.

I now have the router onsite and can telnet to it using an address the ISP gave me. They are forwarding all VPN ports to my true WAN IP.

Can I show you my working config and maybe we can figure out what my access list and NAT entries will look like?

Here we go:

*note to self* This config works with voice and remote access. I'll be using it as a marker before I implement VPN.

Building configuration...

Current configuration : 2895 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BD2801
!
boot-start-marker
boot system flash c2801-adventerprisek9-mz.124-17.bin
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
!
aaa session-id common
ip cef
!
voice-card 0
!
!
voice call carrier capacity active
voice rtp send-recv
voice dsp release early
!
voice service voip
fax protocol t38 nse force ls-redundancy 0 hs-redundancy 0 fallback cisco
!
!
!
fax interface-type fax-mail
!
!
!
interface FastEthernet0/0
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet0/1
description Starboard Stratos VSAT$FW_OUTSIDE$
ip address 10.20.46.20 255.255.255.0
ip nat outside
ip virtual-reassembly
no ip mroute-cache
speed 100
full-duplex
!
interface FastEthernet0/3/0
!
interface FastEthernet0/3/1
!
interface FastEthernet0/3/2
!
interface FastEthernet0/3/3
!
interface Vlan1
description $FW_INSIDE$
ip address 192.168.49.1 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer0
no ip address
!
router eigrp 1
network 192.168.49.0
auto-summary
!
ip local pool vpn_pool_1 192.168.50.150 192.168.50.151
ip default-gateway 10.20.46.1
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.20.46.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 600 life 86400 requests 10000
ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
!
!
control-plane
!
!
voice-port 0/2/0
echo-cancel coverage 32
no comfort-noise
cptone GB
timeouts interdigit 3
music-threshold -70
!
voice-port 0/2/1
echo-cancel coverage 32
no comfort-noise
cptone GB
timeouts interdigit 3
music-threshold -70
!
ccm-manager mgcp
!
mgcp
mgcp call-agent 10.129.48.11 service-type mgcp version 0.1
mgcp dtmf-relay voip codec all mode nse
mgcp codec g729r8 packetization-period 60
mgcp playout adaptive 100 50 200
mgcp playout fax 500
no mgcp timer receive-rtcp
mgcp timer net-cont-test 1000
mgcp timer nse-response t38 1000
mgcp sdp simple
no mgcp fax t38 ecm
mgcp fax t38 nsf 000000
!
mgcp profile default
!
!
dial-peer cor custom
!
!
dial-peer voice 1 pots
service mgcpapp
port 0/2/0
!
dial-peer voice 2 pots
service mgcpapp
port 0/2/1
!
gateway
timer receive-rtp 1200
!
!
!
call-manager-fallback
max-conferences 4 gain -6
ip source-address 10.20.46.20 port 2000
max-ephones 24
max-dn 24
!
!
line con 0
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
line vty 5 15
privilege level 15
transport input telnet ssh
!
scheduler allocate 20000 1000
end

Burt - When I got to your NAT stuff I got confused. And when I use SDM to do this job it changed my NAT and access-list so that all my internet users lost connectivity! That hurt for a while as I tried to figure out what had happened... :( :)



 
Get rid of these

ip nat pool MADNATPOOL 10.20.46.20 10.20.46.20 netmask 255.255.255.0
ip nat inside source list 1 pool MADNATPOOL overload
!
access-list 1 permit 192.168.0.0 0.0.255.255

and add these

access-list 101 deny ip any host 192.168.50.150
access-list 101 deny ip any host 192.168.50.151
access-list 101 permit ip 192.168.49.0 0.0.0.255 any
route-map no_nat permit 1
match ip address 101
ip nat inside source route-map no_nat interface FastEthernet0/1 overload

Here's the tricky thing...I have not had any luck using a different subnet for my vpn addresses when doing the vpn in a router. I have in a PIX, but not a router. The only way I have gotten this to work is by using a few addresses that could be subnetted in one little block (like a /30) so that the acl can deny NAT to these addresses in one statement. But the pool I had to put into the same subnet as my LAN, but just deny them and permit the rest of the LAN for NAT.

You may not even need the route map stuff---just permit the LAN subnet and that's it---no need to even deny the vpn subnet---if it is not included in the acl, then it won't be considered for NAT anyway.

Burt
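A worked check of the NAT exemption logic in the two replies above, added as an example (not code from the thread): it evaluates Burt's ACL 101 the way a route-map-driven `ip nat inside source` would (first match wins, implicit deny means "not translated"), which shows both why traffic to the VPN pool addresses stays untranslated and why a VLAN subnet left out of the ACL is never NATted, and it builds the single-statement wildcard deny Burt describes for a small aligned block of pool addresses. The ACL text and the sample flows are constructed.

```python
import ipaddress

# Constructed sample reproducing Burt's suggested NAT ACL: traffic to the two
# VPN pool addresses is exempted, and only the 192.168.49.0/24 LAN is permitted.
NAT_ACL = """\
access-list 101 deny ip any host 192.168.50.150
access-list 101 deny ip any host 192.168.50.151
access-list 101 permit ip 192.168.49.0 0.0.0.255 any
"""

def _take_net(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (network, next index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    prefix = 32 - bin(wildcard).count("1")       # assumes a contiguous wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def parse_nat_acl(text):
    """Parse 'access-list N permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries = []
    for raw in text.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue
        src, i = _take_net(t, 4)
        dst, _ = _take_net(t, i)
        entries.append((t[2], src, dst))
    return entries

def will_nat(entries, src_ip, dst_ip):
    """First match wins; no match hits the implicit deny, so the flow is not translated."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src, dst in entries:
        if s in src and d in dst:
            return action == "permit"
    return False

def exempt_block_acl(first_ip, last_ip, acl_no=101):
    """Burt's one-statement trick: the smallest aligned block holding both ends
    of the pool, written as a single deny with the matching wildcard mask."""
    first, last = ipaddress.ip_address(first_ip), ipaddress.ip_address(last_ip)
    for prefix in range(32, -1, -1):
        net = ipaddress.ip_network(f"{first}/{prefix}", strict=False)
        if last in net:
            return f"access-list {acl_no} deny ip any {net.network_address} {net.hostmask}"

if __name__ == "__main__":
    acl = parse_nat_acl(NAT_ACL)
    for src, dst in [("192.168.49.10", "8.8.8.8"), ("192.168.49.10", "192.168.50.150"), ("192.168.50.5", "8.8.8.8")]:
        print(f"{src} -> {dst}: {'NAT' if will_nat(acl, src, dst) else 'no NAT'}")
    print(exempt_block_acl("10.69.69.69", "10.69.69.70"))
```

The third sample flow (a 192.168.50.x VLAN host going to the internet) is the case Burt raises later: a subnet that is not permitted in the ACL is simply never translated.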
 
I'm going to give that a try in the morning. It sucks being 9 hours ahead here because I always get the good answers when I'm out cold.

The 192.168.49.1 (inside) interface is just my link to the layer 3 3560's routed interface. It's doing all the inter-vlan routing for my vlans.

all my vlans are 192.168.50.x, 192.168.51.x, 192.168.52.x etc.

Does this mean I should add a permit entry in the access list for all my vlans?

Sorry man, ACLs give me the heebie-jeebies
 
That is if you have a public IP address on fa0/1---that's the only way you'll be able to NAT. Right now, I see a private IP on fa0/1.
If you do NAT, then yes, all vlan subnets must be included.

Burt
 
So what you're saying is that because my Fa0/1 is private already... I don't need to do nat at all? I don't want to do NAT if I don't need to. I think when I was preconfiguring all my stuff I assumed the ISP was going to give me a public IP.

Now that it's not... maybe I could turn off nat. That would mean I'd just have my firewall for security then.. once I turned it on. :)

Thanks for getting back to me Burt. I'm really feeling the stress on this one.
 
Well, I myself would rather do the NAT myself, and not let the ISP do it. You can let them know what you are trying to do---you want to configure a remote access VPN in the 2801, as it has Advanced Enterprise 12.4(7) on it, and you therefore need a public IP address on fa0/1.
But to answer your question---exactly---you don't want the NAT with a private IP address on the outside interface---everything is already being NATted by the ISP. You don't want to double-NAT.

Burt
 
I can't seem to get my head around this for some reason.

If I turned off NAT, would that get me any closer to my internal LAN? It's so strange... when I hit the public IP they gave me I can get into my router just like it's my WAN int. I wish I could just point my client to that.

 
When I point my client to that address it doesn't do anything... it just times out.

I'm not sure I have my server setup properly but I thought it would at least say that it found the server and fail to negotiate.

Yesterday I thought I had it made.. VPN was working. I didn't test voice so I didn't know it now only worked in one direction. I went back to a working config and slowly entered the VPN stuff while I checked voice along the way.

As soon as I entered the Loopback0 and its IP address.. voice stopped working in one direction.

What a drag. I'm up crap creek now because I only have a couple more days to get it going.
 