Cisco 1811 VLAN and Routing Questions

[CBRRyda]

All,

I'm a newbie and in charge of upgrading our existing VPN and routing solution. I'm looking at the 1811 w\wireless and had some questions:

1. If you separate FE2-5 ports to VLan1 (IP x.x.1.1), and FE6-9 to VLan2 (IP x.x.2.1) for local inside subnets; does the router support DHCP Relay between these VLans and subnets?

2. With FE0 connected Ethernet (IP y.y.y.y) to a WAN source, will VPN work to the subnets mentioned above?

3. How do you make sure the subnets from above both route between each other and out of FE0 to the Internet?

Summary: My goal is to have 2 local inside (NAT) routeable interfaces\subnets; a VPN solution for remote access to the inside subnets (Does anyone know how many connections the 1811 supports); I'm thinking wireless connections in their own third VLan and routeable like above;

Basically an upgrade to our existing Linksys RV042 solution in place now.

Thank you in advance for your support and assistance.

Regards,

CBRRyda

 

[burtsbees]

1.Yes, with the ip helper-address command---I have never done this between VLANs, but if needed, the router with pass broadcasts with this command.
2. Yes
3. The gateway must be set to fe0, and a default route (ip route 0.0.0.0 0.0.0.0 next hop address or fe0)

http://www.cisco.com/en/US/products/sw/secursw/ps5318/products_data_sheet0900aecd800fd118.html

This gives you supported platforms, and sdm is free. I believe this will help you greatly getting sdm. If the 1811 comes with the k9 feature set (security), it says the router with this IOS will come shipped with it. Be sure to ask your vendor about this.

Burt

 

[CBRRyda]

All,

I now have the Cisco 1811W. I am trying to do the following:

1. Create 3 VLAN's for: LAN1, LAN2, and Wireless
2. Route between the VLAN's and to Internet
3. Configure some of the ports on the Router for specific
VLAN's; FE4-5 VLAN11, FE6-9 VLAN12
4. FE2-3 are Trunk Ports to connect to 2 Cisco 2960 Switches
5. Allow VPN access to the internal LAN\Subnets\VLAN's
6. Use WPA-PSK for the Wireless setup
7. Forward DHCP traffic between VLAN's

My current config is below, but I don't think it's setup completely correct. I can't test it in production until I am sure it will "work", but I'll try to setup a test scenario. If anybody out there can critique the config and offer and suggestions or corrections, I'd greatly appreciate it. Thank you in advance for your assistance.

Current Config:
---------------------

Building configuration...

Current configuration : 5680 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Cisco1811W
!
boot-start-marker
boot-end-marker
!
enable secret 5 xxxxxx
enable password xxxxxx
!
aaa new-model
!
!
aaa authentication login rtr-remote local
aaa authorization network rtr-remote local
!
aaa session-id common
resource policy
!
!
!
ip cef
!
!
!
!
crypto pki trustpoint TP-self-signed-2680913853
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2680913853
revocation-check none
rsakeypair TP-self-signed-2680913853
!
!
crypto pki certificate chain TP-self-signed-2680913853
certificate self-signed 01
quit
username xxxxxx password 0 xxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 480
!
crypto isakmp client configuration group rtr-remote
key secret-password
dns 192.168.12.70 4.2.2.1
domain smi.kateaspen.net
!
crypto ipsec security-association lifetime seconds 86400
!
crypto ipsec transform-set vpn1 esp-3des esp-sha-hmac
!
crypto ipsec client ezvpn ezvpnclient
connect auto
group ezvpnclient key secret-password
mode client
xauth userid mode interactive
!
!
crypto dynamic-map dynmap 1
set transform-set vpn1
reverse-route
!
crypto map dynmap isakmp authorization list rtr-remote
crypto map dynmap client configuration address respond
!
crypto map static-map 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
!
interface FastEthernet0
description WAN Port
ip address x.x.x.x 255.255.255.224
ip nat outside
ip virtual-reassembly
duplex auto
speed 100
crypto map static-map
crypto ipsec client ezvpn ezvpnclient
!
interface FastEthernet1
no ip address
shutdown
duplex auto
speed auto
!
interface FastEthernet2
description Trunk to 2960_(11.9)
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet3
description Trunk to 2960_(11.10)
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet4
duplex full
speed 100
vlan-id dot1q 11
exit-vlan-config
!
!
interface FastEthernet5
duplex full
speed 100
vlan-id dot1q 11
exit-vlan-config
!
!
interface FastEthernet6
duplex full
speed 100
vlan-id dot1q 12
exit-vlan-config
!
!
interface FastEthernet7
duplex full
speed 100
vlan-id dot1q 12
exit-vlan-config
!
!
interface FastEthernet8
duplex full
speed 100
vlan-id dot1q 12
exit-vlan-config
!
!
interface FastEthernet9
duplex full
speed 100
vlan-id dot1q 12
exit-vlan-config
!
!
interface Dot11Radio0
no ip address
shutdown
!
encryption mode ciphers tkip
!
ssid Smartmark
vlan 13
!
ssid smartmark
authentication open
authentication key-management wpa
wpa-psk ascii 0 xxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 spanning-disabled
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
!
interface Dot11Radio1
no ip address
shutdown
!
ssid smartmark
authentication open
wpa-psk ascii 0 xxxxxx
!
speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
station-role root
!
interface Vlan1
no ip address
!
interface Vlan12
description Server vLAN
ip address 192.168.12.4 255.255.255.0
no ip redirects
no ip unreachables
!
interface Vlan11
description User vLAN
ip address 192.168.11.4 255.255.255.0
ip helper-address 192.168.12.70
no ip redirects
no ip unreachables
!
interface Vlan13
description Wireless vLAN
ip address 192.168.13.4 255.255.255.0
ip helper-address 192.168.12.70
no ip redirects
no ip unreachables
crypto ipsec client ezvpn ezvpnclient inside
bridge-group 1
!
interface Async1
no ip address
encapsulation slip
shutdown
!
interface BVI1
ip address 192.168.14.1 255.255.255.0
ip helper-address 192.168.12.70
!
ip local pool dynpool 192.168.13.201 192.168.13.250
!
!
ip http server
ip http secure-server
!
!
!
!
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
line vty 0 4
!
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end


Thanks,

CBRRyda

 

[vbahuse]

CBRRyda,

I see that nobody has answered your question. Have you managed to get this working yet?

I also have the 1811 router and am having difficulty routing from a VPN client to devices connected to a 3560 switch (which has a trunk connection to the 1811 on FE3) on a VLAN other than the VPN VLAN.

I am however able to route from a VPN client to any devices directly connected to the 1811 on different VLANs. Also devices connected to the 3560 can communicate with devices on the same VLAN connected to the 1811 so the Trunk is working.

Any suggestions would be greatly appreciated...

 

[burtsbees]

You'll need to at least post the config of the 3560, if not the 1800 also. Does the 3560 do the routing for the VLANs? (I hope!).

Burt

 

[CBRRyda]

vbahue,

Thanks for inquiring. I have all of my VLAN and Routing issues taken care of. I am however, still working on my VPN IPSEC setup, have not quite got that working correctly yet. I will also be looking at any posts to the thread.

Regards,

CBRRyda

 

[vbahuse]

burtsbees,

I figured it out! The problem was in fact on the 3560. It only had a route in one direction, oops!

Thanks anyway...

 

[vbahuse]

CBRRyda,

I found it much easier to cheat on the VPN setup and used the CNA (Cisco Network Assistant). Once I got the VPN working I then used the CLI to do the rest... The only problem I have encountered has to do with the security certificates (i.e. I got a message when logging in the first time saying that the certificate was tampered with) but it has worked ever since

 

[CBRRyda]

vbahuse,

Did you mean the SDM (Security Device Manager) for the 1811 Router config? I think the CNA is for configuring the switches. I too, am trying to get VPN Clients to connect to devices on VLANs defined and connected to my Cisco 2960 switches; which are trunked to the 1811 of course. Does your VPN setup use Split Tunneling or not? Thanks for the communique'.

 

[vbahuse]

You are correct. SDM not CNA!

I have not configured Split Tunnelling, only Full. I haven't tackled protected tunnels and ACLs yet (just a beginner). Though I can definitely see the advantages as I often need to drop the VPN connection in order to check something online, print, etc.

If you manage to figure this one out I would be interested in seeing you're sanitised run con.

For interest sake here's mine (keep in mind that all of the VPN config was auto generated by the SDM). Also note that my Outside IP is actually behind another router so the address is a private ip -> 10.0.1.233/24:

Current configuration : 8484 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!
hostname xxxxx
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 6
logging buffered 51200 debugging
logging console critical
enable secret 5 xxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login sdm_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network sdm_vpn_group_ml_1 local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -x
no ip source-route
!
!
ip cef
no ip dhcp use vrf connected
!
ip dhcp pool sdm-pool1
import all
network 172.20.0.0 255.255.254.0
dns-server x.x.x.x
default-router 172.20.1.254
!
!
ip tcp synwait-time 10
no ip bootp server
ip domain name xxxx
ip name-server x.x.x.x
ip ssh time-out 60
ip ssh authentication-retries 2
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 netshow
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
!
!
crypto pki trustpoint TP-self-signed-xxxxxx
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-xxxxx
revocation-check none
rsakeypair TP-self-signed-xxxxxx
!
!
crypto pki certificate chain TP-self-signed-xxxxxx
certificate self-signed 01
xxxxx xxxxx xxxxx …
quit
username xxx privilege 15 secret 5 xxxxxx
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group xxxxxx
key xxxxxx
dns x.x.x.x
pool SDM_POOL_1
include-local-lan
max-users 510
netmask 255.255.254.0
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto dynamic-map SDM_DYNMAP_1 1
set security-association idle-time 86400
set transform-set ESP-3DES-SHA
reverse-route
!
!
crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_1
crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_1
crypto map SDM_CMAP_1 client configuration address respond
crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
!
!
!
!
interface FastEthernet0
description $ES_WAN$$FW_OUTSIDE$
ip address 10.0.1.233 255.255.255.0
ip access-group 101 in
ip verify unicast reverse-path
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat outside
ip inspect DEFAULT100 out
ip virtual-reassembly
ip route-cache flow
duplex auto
speed auto
crypto map SDM_CMAP_1
!
interface FastEthernet1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
ip route-cache flow
shutdown
duplex auto
speed auto
!
interface FastEthernet2
description dot1q Trunk to 3560
switchport mode trunk
duplex full
speed 100
!
interface FastEthernet3
!
interface FastEthernet4
!
interface FastEthernet5
!
interface FastEthernet6
!
interface FastEthernet7
!
interface FastEthernet8
!
interface FastEthernet9
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
ip address 172.20.1.254 255.255.254.0
ip access-group 100 in
no ip redirects
no ip unreachables
no ip proxy-arp
ip nat inside
ip virtual-reassembly
ip route-cache flow
ip tcp adjust-mss 1452
!
interface Vlan2
no ip address
!
interface Vlan198
description xxxxxx
ip address 172.20.198.1 255.255.254.0
!
interface Vlan10
description xxxxxxx
ip address 172.20.10.201 255.255.255.0
!
interface Vlan11
description xxxxxx
ip address 172.20.11.201 255.255.255.0
!
interface Async1
no ip address
no ip redirects
no ip unreachables
no ip proxy-arp
encapsulation slip
!
ip local pool SDM_POOL_1 172.20.198.1 172.20.199.254
ip route 0.0.0.0 0.0.0.0 10.0.1.254
ip route 172.20.8.0 255.255.254.0 172.20.8.1
ip route 172.20.10.0 255.255.255.0 Vlan10
ip route 172.20.11.0 255.255.255.0 Vlan11
ip route 172.20.114.0 255.255.254.0 172.20.114.1
!
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0 overload
!
logging trap debugging
access-list 1 remark INSIDE_IF=Vlan1
access-list 1 remark SDM_ACL Category=2
access-list 1 permit 172.20.0.0 0.0.1.255
access-list 100 remark auto generated by Cisco SDM Express firewall configuration
access-list 100 remark SDM_ACL Category=1
access-list 100 deny ip 10.0.1.0 0.0.0.255 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit ip any any
access-list 101 remark auto generated by Cisco SDM Express firewall configuration
access-list 101 remark SDM_ACL Category=1
access-list 101 permit udp any host 10.0.1.233 eq non500-isakmp
access-list 101 permit udp any host 10.0.1.233 eq isakmp
access-list 101 permit esp any host 10.0.1.233
access-list 101 permit ahp any host 10.0.1.233
access-list 101 permit ip 172.20.198.0 0.0.1.255 any
access-list 101 deny ip 172.20.0.0 0.0.1.255 any
access-list 101 permit icmp any host 10.0.1.233 echo-reply
access-list 101 permit icmp any host 10.0.1.233 time-exceeded
access-list 101 permit icmp any host 10.0.1.233 unreachable
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip host 255.255.255.255 any
access-list 101 deny ip host 0.0.0.0 any
access-list 101 deny ip any any
access-list 102 remark SDM_ACL Category=2
access-list 102 deny ip any 172.20.198.0 0.0.1.255
access-list 102 permit ip 172.20.0.0 0.0.1.255 any
no cdp run
!
!
!
route-map SDM_RMAP_1 permit 1
match ip address 102
!
!
!
!
control-plane
!
banner login ^CAuthorized access only!
Disconnect IMMEDIATELY if you are not an authorized user!^C
!
line con 0
transport output telnet
line 1
modem InOut
stopbits 1
speed 115200
flowcontrol hardware
line aux 0
transport output telnet
line vty 0 4
transport input telnet ssh
line vty 5 15
transport input telnet ssh
!
scheduler allocate 4000 1000
scheduler interval 500
!
webvpn context Default_context
ssl authenticate verify all
!
no inservice
!
end