Cisco 800 to be used in VPN from remote site.

tekkid (Technical User), Dec 28, 2001, US
Hey folks,

I've been handed a new project. The project is that my manager wants to set up a VPN connection to our router from a remote facility using a Cisco 800 router. While I'm new to programming routers, I have been successful in getting them to work through our current config using our T1.
I am however not sure how to program the router for this VPN connection. If anyone has a white paper or can give me a link or help me in any way, please post. My manager has a lot of confidence in me and I don't want to let him down, hence the stress I feel at the moment :p.

His plan is this..

Remote Facility:

PCs connected to hub > connects to Cisco 800 router > connects to DSL > connects to Internet > connects to home office Cisco 3600 router > connects to ISA Server.

The client machines at the remote site will be accessing terminal servers and logging into a single domain.

If there is any other info needed please post and I will respond ASAP.

Thanks in advance for any help.

kidd

 
I forgot to add that the PCs will have an IP of 172.16.xx.xxx.


Not sure if this helps.

Thanks


kidd
 
kidd,
Always good to see someone keen on learning how to do something new. To establish a VPN between the routers, each router will require an IOS which will support the IPSEC feature set (with either DES or 3DES). The IPSEC IOS file may require you to upgrade your router RAM/FLASH. You'll need to check the cisco IOS compatibility matrix to determine what your router needs to run the feature. If you haven't already got the IPSEC feature set in your current IOS, then you will have to buy/download it.

Here is a link to the IPSEC/VPN docs. Go down the list to IPSEC on Router to Router which will have sample configs similar to your current scenario.


The pre-share key method would be the simplest method for you to implement. Let us know if you need further assistance.

JimmyZ
 
Thanks JimmyZ,

How do I determine if I have the correct IPSEC feature set? I'm going to guess that I do NOT have it. Currently all remote sites are using a T1 at the facility.


kidd
 
Hey guys, thought I'd go ahead and post my config progress from this. If you guys don't mind, please let me know what I'm missing. From the remote site (Cisco 800) I can't ping the Internet through the router.

Thanks for any help in advance again :p


version 12.2
no service pad
service timestamps debug uptime
service timestamps log uptime
service password-encryption
!
hostname Router
!
no logging buffered
!
ip subnet-zero
ip name-server 205.152.132.252
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool CLIENT
network 10.10.10.0 255.255.255.0
default-router 10.10.10.1
dns-server 205.152.132.252
domain-name bellsouth.net
lease 0 2
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0
ip address 10.10.10.1 255.255.255.0
ip nat inside
no ip mroute-cache
no cdp enable
hold-queue 32 in
hold-queue 100 out
!
interface Ethernet1
ip address 192.168.0.2 255.255.255.0
ip nat outside
no ip mroute-cache
no cdp enable
!
ip nat inside source list 102 interface Ethernet1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
ip http server
!
!
access-list 23 permit 10.10.10.0 0.0.0.255
access-list 102 permit ip 10.10.10.0 0.0.0.255 any
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end
 
If this is just going to be a single static connection, why not use the ever popular GRE tunnel? Cisco 800s might not have enough horsepower to efficiently use IPSEC, along with everything else running on top. Perhaps I just misunderstood this post...
 
tekkid,
If you do a "show version" it should display your IOS image file name, which you can check against the cisco feature matrix.

You could create a GRE Tunnel as IllegalOperation stated. GRE is not as secure as IPSEC as it provides data tunneling not data encryption by default. The security is in that GRE creates a private tunnel between two end-points, and encapsulates data to travel through the tunnel. Data can only enter via one end-point and leave via the other end-point, but is not encrypted by default. IPSEC provides data encryption through DES/3DES protocol. Hence it really depends on your requirement (and budget) on which model you use.

JimmyZ
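Added example (not from any poster in this thread, and not a Cisco document): a minimal router-to-router IPsec configuration of the kind JimmyZ describes in his first reply, using a pre-shared key and 3DES, written for the remote Cisco 800 on a 12.2 image. Every address, hostname, ACL number and the key string are assumptions chosen for illustration: remote LAN 172.16.10.0/24 on Ethernet0, the 800's public address 203.0.113.2 on Ethernet1 with 203.0.113.1 as the DSL gateway, and the home-office 3600 at 198.51.100.1 in front of an assumed 10.1.0.0/16 LAN. The 3600 carries the mirror image: the same ISAKMP policy and transform set, the key bound to 203.0.113.2, and ACL 110 with source and destination swapped.

```cisco
! Remote-site Cisco 800 -- added example; all addresses, names and the key are assumed
!
! Phase 1 (ISAKMP): 3DES, SHA-1, pre-shared key, DH group 2
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Pre-shared key bound to the home-office peer. Use a long random value;
! the string below is a placeholder, not a real key.
crypto isakmp key Replace-With-Long-Random-Secret address 198.51.100.1
!
! Phase 2 (IPsec): ESP with 3DES and SHA-1 HMAC, tunnel mode (the default)
crypto ipsec transform-set VPNSET esp-3des esp-sha-hmac
!
! Crypto map: which traffic (ACL 110) goes to which peer with which transform
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set VPNSET
 match address 110
!
interface Ethernet0
 description Remote LAN (PCs and hub)
 ip address 172.16.10.1 255.255.255.0
 ip nat inside
!
interface Ethernet1
 description DSL side; holds the public address so ESP is not NATed on the way out
 ip address 203.0.113.2 255.255.255.252
 ip nat outside
 crypto map VPNMAP
!
! Default route with an explicit next hop (assumed DSL gateway) rather than only an interface name
ip route 0.0.0.0 0.0.0.0 203.0.113.1
!
! NAT for ordinary Internet traffic. ACL 120 excludes the VPN traffic: on IOS,
! inside-to-outside NAT runs before the crypto map is consulted, so if the LAN
! sources were rewritten they would no longer match ACL 110 and the packets
! would leave unencrypted.
ip nat inside source list 120 interface Ethernet1 overload
!
! ACL 110: traffic to encrypt (remote LAN <-> home-office LAN)
access-list 110 permit ip 172.16.10.0 0.0.0.255 10.1.0.0 0.0.255.255
! ACL 120: what to NAT -- everything from the LAN except the VPN traffic
access-list 120 deny   ip 172.16.10.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 120 permit ip 172.16.10.0 0.0.0.255 any
```

Bring the tunnel up by sending traffic from a remote PC to a home-office host (a ping to the terminal server will do), then check `show crypto isakmp sa` for a QM_IDLE entry with the peer address and `show crypto ipsec sa` for rising `#pkts encaps`/`#pkts encrypt` counters on the 172.16.10.0/24 to 10.1.0.0/16 SA. Two caveats for this thread: if the DSL device does the NAT and the 800 only holds a 192.168.x.x address, ESP will not survive that translation on a mainline 12.2 image (IPsec NAT traversal arrived in later 12.2T releases), so the DSL device would have to be bridged or the tunnel terminated on it instead; and if IllegalOperation's GRE suggestion is followed, ACL 110 becomes `permit gre host 203.0.113.2 host 198.51.100.1` and an `interface Tunnel0` carries the routed traffic, which gives the private tunnel JimmyZ describes together with the encryption GRE lacks on its own.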
 
Hey guys,

Update on my progress.. I have verified that the router does have the correct IOS file needed to do my task.

I have also been able to traceroute to the DSL router; I can't however traceroute to the DNS server from my carrier as of yet. If you guys might have any answers as to where I'm going wrong I would be so grateful!

Thanks,

kidd
 
Hey guys, well I've made some progress but now I'm to the point where I don't know what's going on :p If you could have a look at my config and help me find the solution I will be greatly in your debt.

What is going on now is: I can log into the router and ping both directions. I can ping from the router to the DSL modem and can ping the machine on the other end. So at that point everything is good. But when I attempt to ping from the Ethernet1 computer, I can't ping the DSL router. I can ping Ethernet0 but it's not going through. I have no idea what I'm missing; I'm sure it's something silly. Please have a look at my code.


hostname brandon
!
!
username isp password
ip subnet-zero
ip dhcp excluded-address 172.16.xx.xx
!
ip dhcp pool client
import all
network 172.16.xx.xx 255.255.255.0
dns-server 172.16.xx.xx
default-router 172.16.xx.xx
!
ip audit notify log
ip audit po max-events 100
!
!
!
!
interface Ethernet0
ip address 172.16.xx.xx 255.255.255.0
ip nat inside
no ip route-cache
no ip mroute-cache
no cdp enable
!
interface Ethernet1
ip address 192.168.xx.xx 255.255.255.0
ip nat outside
no ip route-cache
no ip mroute-cache
no cdp enable
!
ip classless
ip route 0.0.0.0 0.0.0.0 Ethernet1
no ip http server
!
!
no cdp run
!
line con 0
exec-timeout 120 0
no modem enable
stopbits 1
line aux 0
stopbits 1
line vty 0 4
access-class 23 in
exec-timeout 120 0
login local
length 0
!
scheduler max-task-time 5000
end

Please help if you can, I think I'm close :p

thanks again!

kidd
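Added example, not the poster's configuration and not a reply from anyone in the thread: a fragment showing the statements that the earlier config posted in this thread (the one with `ip nat inside source list 102 interface Ethernet1 overload`) contained and this second one does not. Their absence produces exactly this symptom: the router itself reaches the DSL router and beyond, because its pings are sourced from the Ethernet1 address, while hosts behind Ethernet0 cannot. The addresses are assumptions standing in for the xx placeholders: LAN 172.16.1.0/24 on Ethernet0 and the DSL router at 192.168.1.1 on the Ethernet1 segment.

```cisco
! Added fragment -- not the poster's config. Addresses assumed: LAN 172.16.1.0/24,
! DSL router 192.168.1.1. Merge into the running config; do not replace it.
!
! "ip nat inside" / "ip nat outside" on the interfaces only mark them. Without a
! translation rule nothing is translated: LAN packets leave Ethernet1 with their
! 172.16.x.x source, the DSL router / ISP has no route back, and only the router's
! own pings (sourced from the Ethernet1 address) get replies.
ip nat inside source list 102 interface Ethernet1 overload
access-list 102 permit ip 172.16.1.0 0.0.0.255 any
!
! Point the default route at the DSL router's address, not only at the interface:
! a default route to a multi-access Ethernet interface makes the router ARP for
! every Internet destination and works only if the DSL router proxy-ARPs.
no ip route 0.0.0.0 0.0.0.0 Ethernet1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!
! access-list 23 is applied with "access-class 23 in" on vty 0 4 but is never
! defined; IOS applies no filtering when the referenced list does not exist, so
! define it so that only the LAN can open a Telnet session to the router.
access-list 23 permit 172.16.1.0 0.0.0.255
access-list 23 deny any log
!
! Checks from the router after a PC tries to ping past the DSL router:
!   show ip nat translations   (one entry per PC flow means translation is working)
!   show ip nat statistics     (hit/miss counters climb)
!   debug ip nat               (briefly; shows each translation as it happens)
```

If `show ip nat translations` stays empty while a PC pings, the PC's traffic is not arriving on an interface marked `ip nat inside` or its source does not match ACL 102; if translations appear but replies still do not come back, the problem is past the 800, on the DSL router or its own NAT, which is the question JimmyZ raises in the next reply.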

 
kidd,
I'm a little confused with your config. It seems to have changed from the previous one. Better you draw up a diagram which explains your network, detailing which interface is your LAN connection and which is your DSL connection. From my understanding..

ISP
|
DSL router
|
[e1]
Cisco router
[e0]
|
Internal LAN
PC

Is this correct? - Please fill the IPs in the diagram. Are the Ethernet interfaces the right way? How are your public addresses assigned? - to the DSL router? Is the DSL router configurable? Does it do the NAT for your internal network? Could be a problem with the DSL config.

JimmyZ
 