
VPN on a CISCO 2621


ymmAUDIO (IS-IT--Management), Jan 4, 2004
Hi,

I don't have much knowledge of Cisco. This is my first project. So I hope you excuse my Cisco illiteracy.

I have a Cisco 2621 router, running 12.1(14) IOS. I want to set it up as a VPN Server, if possible, so that remote clients can connect to our network over the internet. If not possible, I would like to configure it to just pass the clients' request to a Windows 2000 VPN Server. We have an ADSL internet connection with a single static IP address. I would like to use fastethernet 0/0 for DSL and 0/1 for the internal network. There are no other firewalls or routers present on the network. I will gladly answer all your questions and clarify anything you would like to understand. I thank you in advance for your help.

Joseph
 
This is reasonably straightforward, but I'm concerned by the security issue it poses. The ideal way to secure this is to have the VPN router terminate users, then use a firewall to control their access. However this is a security policy issue, not a technical one!

Here is an example I used recently:

! Comment lines (!) were added to the posted config to explain each block;
! lines marked "added" were not in the original post but are needed for the
! config to work end to end.
username deria3 password 0 X3kliD0P
aaa new-model
! added: the crypto map below references a login list named "user";
! it must be defined or Xauth will fail
aaa authentication login user local
aaa authorization network VPN-group local
!
! Phase 1 (ISAKMP) policy: 3DES, MD5, pre-shared key, DH group 2
crypto isakmp policy 1
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
! Remote-access client group: group key, WINS server and domain pushed
! to the client, addresses handed out from the pool defined at the end
crypto isakmp client configuration group Airedale-VPN
 key secure-key
 wins 172.31.0.11
 domain airedale.co.uk
 pool ippool
!
! Phase 2 (IPsec) transform set
crypto ipsec transform-set CUSTOMER-VPN esp-3des esp-sha-hmac
!
! Dynamic map: remote clients have unknown addresses, so no peer is set
crypto dynamic-map CUSTOMER-VPN 10
 set transform-set CUSTOMER-VPN
!
! Static crypto map: Xauth login list, group authorization, address push
crypto map VPNCRYPTOMAP client authentication list user
crypto map VPNCRYPTOMAP isakmp authorization list VPN-group
crypto map VPNCRYPTOMAP client configuration address respond
! added: attach the dynamic map to the crypto map (missing in the original;
! without it the map applied to the interface has no IPsec entry)
crypto map VPNCRYPTOMAP 10 ipsec-isakmp dynamic CUSTOMER-VPN
!
! Outside interface: the crypto map is applied here; N.N.N.N is the
! public address
interface Ethernet0
 description outside interface
 ip address N.N.N.N 255.255.255.0
 no ip proxy-arp
 no ip unreachables
 no ip redirects
 ip tcp adjust-mss 1400
 no ip mroute-cache
 no cdp enable
 crypto map VPNCRYPTOMAP
!
! Address pool handed to connecting VPN clients
ip local pool ippool 10.255.253.1 10.255.253.254

Have a read over, get back with any questions.
 
routerman,

Thank you very much for your help. As I mentioned I am totally new to Cisco. I will try to figure out what these commands and configurations mean and I will let you know the results. I also need to configure NAT. Also, what do you mean by having the router terminate the users?

Thanks a lot for your help.

Joseph
 
Hello,

Does anyone have suggestions on a good reading about this subject? Any help would be appreciated. Thanks.


Joseph
 
Have a look at Cisco Secure VPNs by Andrew Mason. It's published by Cisco Press, ISBN 1-58705-033-1

Covers all this in detail.

What I meant by "having the router terminate the users" was you apply individual username and passwords for each user. This way when they connect they are prompted to login before getting access to the network. This can be done using a win2k server to hold the username and password, or they can be configured locally on the router. This book goes into this in some detail.

Also as an extra degree of security you have a firewall between the VPN router and the secure network, so you can control what services the users can access.
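Joseph also asked about NAT, which nobody in the thread answers. The following is an added example, not routerman's config or anyone else's post: it assumes the interface layout Joseph described (FastEthernet0/0 on the ADSL line with the static address, FastEthernet0/1 on the LAN), a hypothetical inside subnet of 192.168.1.0/24, and routerman's client pool 10.255.253.0/24. The point it shows is that LAN traffic bound for VPN clients must be excluded from NAT; otherwise it is translated before the crypto map evaluates it and never enters the tunnel.

```cisco
! Added example: NAT overload on a single static address, with VPN client
! traffic exempted. Assumed: LAN 192.168.1.0/24 on Fa0/1, ADSL on Fa0/0,
! client pool 10.255.253.0/24 (from routerman's post), crypto map
! VPNCRYPTOMAP already defined as in routerman's example.
!
! Traffic to translate: everything from the LAN EXCEPT flows to the VPN
! pool. The deny line keeps those out of NAT so the crypto map on Fa0/0
! still matches them and sends them down the tunnel untranslated.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.1.0 0.0.0.255 10.255.253.0 0.0.0.255
 permit ip 192.168.1.0 0.0.0.255 any
!
! PAT all permitted LAN traffic onto the single static IP of Fa0/0
ip nat inside source list NAT-INSIDE interface FastEthernet0/0 overload
!
interface FastEthernet0/0
 description ADSL (outside)
 ip address N.N.N.N 255.255.255.0
 ip nat outside
 crypto map VPNCRYPTOMAP
!
interface FastEthernet0/1
 description LAN (inside)
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
```

After a client connects, `show crypto ipsec sa` should show packets encrypted and decrypted for the client's pool address, and `show ip nat translations` should not list any entries whose destination is in 10.255.253.0/24.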
 
routerman,


Thank you very much for your help. I will check out the book you mentioned. Thanks a lot.

Joseph
 
No offense, I don't mean to knock your abilities. However, in a production environment, if you're new to Cisco, I suggest you hire someone to do this properly and watch what they do and take notes.

Misconfiguring a router, especially if you have no IOS knowledge, can become pretty messy and can open all sorts of security concerns in the network.
 
xyyz,


Thanks for your advice. We will not implement this router in a production environment till it is complete and we have a good command of Cisco IOS. We are just learning and experimenting right now.


Joseph
 