HELP!! How to configure Cisco 1721 as a VPN gateway!


justinxie (Instructor, May 2, 2002, AU):
Hi professionals,

Could anyone help me with how to configure a Cisco 1721 (with the VPN module installed) as a VPN gateway??? Does the VPN client have to install the Cisco Secure VPN Client to access through this VPN router?

Many thanks.
 
Could you describe in better detail what you are trying to accomplish? Are multiple sites trying to connect, or individual users from their homes?
 
OK, all I have to do is set up this 1721 router as an access VPN router to support users using PCs running different versions of Windows. One thing I forgot to mention last time is that this router is configured with DDS through its serial interface and functions as an Internet gateway for internal users, and it hosts a few web and email services.
Is it possible for this router to function as a VPN router and an Internet gateway at the same time (through a single DDS connection only)?

Many thanks!
 
You can, but it will probably be overkill on the 1721; a 1751 would be better equipped to handle your intended duties. You will also need an IOS that has the IPsec DES or 3DES feature set, but more importantly the ability to type this command:

crypto isakmp client configuration group


First you will need a RADIUS server, or configure the usernames on the 1721 itself (painful). If you have a Win2K server, it has Internet Authentication Service built in (a RADIUS server).

Let me know how you plan to authenticate the users and whether you want the people who VPN in to do split tunneling (be able to surf the Internet while VPN'd in).

If you do that I will post up a config that will make your dream a reality!

CiscoGod
 
Thanks for your last post.
My 1721 router does have a VPN module installed and I have upgraded it with the latest IOS that supports the 3DES VPN module. Furthermore, I did a configuration according to a sample configuration on Cisco's site.
1721#sh run
Building configuration...

Current configuration : 3176 bytes
!
version 12.2
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
no service password-encryption
!
hostname 1721
!
logging buffered 10000 informational
no logging console
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username justin password 0 justin
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
crypto isakmp client configuration group vpnclient
key share1
pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
ip address 203.21.1.252 255.255.255.0
half-duplex
no cdp enable
crypto map clientmap
!
interface FastEthernet0
ip address 192.19.21.1 255.255.255.0
speed auto
no cdp enable
!
interface Serial0
bandwidth 1984
no ip address
shutdown
no fair-queue
no cdp enable
!
ip local pool ippool 192.19.21.191 192.9.201.199
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 203.21.1.251
ip route 203.21.1.251 255.255.255.255 Ethernet0
no ip http server
ip pim bidir-enable
!
!
ip access-list extended dns-servers
ip access-list extended key-exchange
!
!
line con 0
line aux 0
line vty 0 4
exec-timeout 30 0
password 7 xxxxxxxxxx
!
no scheduler allocate
end


The problem now is that the VPN 3.6 client can establish the link to the 1721 VPN server and it shows an IP from the range configured above, but the PC can't even ping other computers in the same IP range.

Any help will be appreciated!!!
 
Good job, the problem is rather simple. You have a routing problem here. You are giving out a range of 192.19.21.191 thru 192.9.201.199, which is already used for interface FastEthernet0. If you change your "ip local pool ippool 192.19.21.191 192.9.201.199" to "ip local pool ippool 172.16.1.1 172.16.1.100", your clients should be able to hit "THE 1721 VPN Router only".

Your next step is to propagate the new route via a dynamic routing protocol, i.e. EIGRP or OSPF. Or you can statically put the new VPN subnet on the internal gateways that your inside servers and PCs use, pointing to your VPN router for anything addressed to the subnet 172.16.1.0. This will test the reachability real quick and it will work just fine.

Now, do you want to keep this new subnet for VPN access? Well, that's your decision to make; the point you have to keep in mind is *DO NOT use an existing IP subnet range*.

Hope this helps.

CiscoGod
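The addressing mistake CiscoGod diagnoses above, and the credentials visible in the posted `sh run`, can both be caught before a client ever connects. What follows is an added example and not code from the thread or from Cisco: a small Python checker that parses the interface subnets and the `ip local pool` line out of a constructed excerpt of the posted config, reports a pool that overlaps a LAN subnet or whose end address is below its start, and flags the type-0 (cleartext) username password and the group pre-shared key that the same config shows. All function and constant names here are my own; the excerpt keeps only the lines the checks need.

```python
"""Added example (not from the thread): sanity checks for an IOS Easy VPN
server config, run against a constructed excerpt of the posted 1721 config.
"""
import ipaddress
import re

# Constructed excerpt of the 'sh run' quoted in the thread. Only the lines
# the checks read are kept; everything else from the original is omitted.
SAMPLE_CONFIG = """\
hostname 1721
no service password-encryption
username justin password 0 justin
crypto isakmp client configuration group vpnclient
 key share1
 pool ippool
interface Ethernet0
 ip address 203.21.1.252 255.255.255.0
interface FastEthernet0
 ip address 192.19.21.1 255.255.255.0
ip local pool ippool 192.19.21.191 192.9.201.199
"""

IFACE_RE = re.compile(r"^interface (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
POOL_RE = re.compile(r"^ip local pool (\S+) (\S+) (\S+)")


def parse_config(text):
    """Return ({interface: IPv4Network}, {pool: (start, end)}) from IOS text."""
    networks, pools = {}, {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = ADDR_RE.match(line)
        if m and current:
            # "addr/netmask" form; .network drops the host bits to give the subnet
            networks[current] = ipaddress.IPv4Interface(
                f"{m.group(1)}/{m.group(2)}").network
            continue
        m = POOL_RE.match(line)
        if m:
            pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                                 ipaddress.IPv4Address(m.group(3)))
    return networks, pools


def check_pool(start, end, networks):
    """List the problems with handing out start..end on a router with these subnets."""
    start = ipaddress.IPv4Address(str(start))
    end = ipaddress.IPv4Address(str(end))
    problems = []
    if end < start:
        problems.append(f"pool end {end} is below its start {start}")
    lo, hi = min(start, end), max(start, end)
    for name, net in networks.items():
        # Two ranges overlap unless one lies entirely before the other.
        if lo <= net.broadcast_address and hi >= net.network_address:
            problems.append(
                f"pool overlaps {name} ({net}): LAN hosts will ARP for the "
                f"client instead of sending replies to the router")
    return problems


def check_credentials(text):
    """Flag secrets that anyone who can read the running config obtains."""
    findings = []
    if re.search(r"^no service password-encryption$", text, re.M):
        findings.append("no service password-encryption: passwords show in cleartext")
    for m in re.finditer(r"^username (\S+) password 0 (\S+)", text, re.M):
        user, pw = m.groups()
        note = " and equals the username" if user == pw else ""
        findings.append(f"user {user}: type-0 (cleartext) password{note}")
    for m in re.finditer(r"^\s+key (\S+)", text, re.M):
        findings.append(f"group pre-shared key {m.group(1)!r} is readable in the config")
    return findings


def audit(text):
    """Run every check and return {pool name or 'credentials': [problems]}."""
    networks, pools = parse_config(text)
    report = {name: check_pool(s, e, networks) for name, (s, e) in pools.items()}
    report["credentials"] = check_credentials(text)
    return report


if __name__ == "__main__":
    for section, problems in audit(SAMPLE_CONFIG).items():
        print(section, problems)
    # The replacement pool suggested in the thread: an unused subnet.
    nets, _ = parse_config(SAMPLE_CONFIG)
    print("172.16.1.1-172.16.1.100:", check_pool("172.16.1.1", "172.16.1.100", nets))
```

Run as-is, the checker reports two pool problems (the range runs backwards, and its start sits inside the FastEthernet0 subnet) plus the cleartext credentials, and reports nothing for the 172.16.1.1 to 172.16.1.100 pool CiscoGod proposes. What no parser can confirm is the return path: inside hosts still need a route for 172.16.1.0/24 toward the 1721, whether static on the internal gateways or learned via EIGRP or OSPF as the reply above says. The credential findings are a separate matter from reachability, but worth fixing at the same time, since with `no service password-encryption`, a `password 0` user and a group key in the clear, anyone who can read `show run` holds everything needed to connect to the VPN.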
 