Cisco 1811 Router and VPN Clients


  • Cisco 1811 Router and VPN Clients

    Hi all,

    I would like to ask if somebody can help me with some advice on setting up my 1811 Router so that it can handle Cisco VPN clients.

    I have successfully been able to set it up so that clients can connect to the router from outside.

    The Cisco VPN client, when connected, is able to ping the inside gateway interface 192.168.1.1 but is not able to ping the other inside hosts nor access any internal resources.

    I first tried to give the client an IP address on the 192.168.1.0 net, the same as the other inside hosts, and also tried to give the client an IP address on the 192.168.2.0 net. Neither worked.

    What should I be aware of here?

    It runs Cisco IOS 12.4(6)T5.

    Should I use a PIX or an ASA instead of the 1811 to do this? I also have a mailserver and a couple of other servers behind the router.

    I have implemented ACLs and CBAC to secure the network.

    I also have a problem accessing one of my clients' Microsoft VPNs after implementing this router. The Microsoft VPN client stops when it verifies the username and password with the Microsoft VPN server and gives a timeout error. Any ideas?

    Thanks in advance.

    Regards,

    Nikolaj

  • #2
    Re: Cisco 1811 Router and VPN Clients

    Hi Nikolaj7,

    Thanks for your post.

    The 1811 should be fine for this as long as it can handle the overall load of all the different services (the amount of traffic going through it, the VPN, the CBAC, ACLs, etc.).

    If I remember correctly, the VPN clients will need to be on their own network. Thus, if you have 192.168.1.0/24 on the inside LAN, the VPN clients need to be on another network like 192.168.2.0/24 (like you said you tried).

    I suggest that you post your config (with passwords removed) so that we can review it and try to figure out the issue.
    David Davis - Petri Forums Moderator & Video Training Author
    Train Signal - The Global Leader in IT Video Training
    TrainSignalTraining.com - Free IT Training Products
    Personal Websites: HappyRouter.com & VMwareVideos.com



    • #3
      Re: Cisco 1811 Router and VPN Clients

      Hi David,

      Thanks for your reply.

      Here is the config in two replies:


      Building configuration...

      Current configuration : 13693 bytes
      !
      version 12.4
      no service pad
      service tcp-keepalives-in
      service tcp-keepalives-out
      service timestamps debug datetime msec localtime show-timezone
      service timestamps log datetime msec localtime show-timezone
      service password-encryption
      service sequence-numbers
      !
      hostname *******
      !
      boot-start-marker
      boot-end-marker
      !
      security authentication failure rate 3 log
      security passwords min-length 6
      logging buffered 51200 debugging
      logging console critical
      enable secret 5 ************
      !
      aaa new-model
      !
      !
      aaa authentication login default local
      aaa authentication login sdm_vpn_xauth_ml_1 local
      aaa authentication login sdm_vpn_xauth_ml_2 local
      aaa authentication login local_authen local
      aaa authorization exec default local
      aaa authorization exec local_author local
      aaa authorization network sdm_vpn_group_ml_1 local
      aaa authorization network sdm_vpn_group_ml_2 local
      !
      aaa session-id common
      !
      resource policy
      !
      clock timezone PCTime 1
      clock summer-time PCTime date Mar 30 2003 2:00 Oct 26 2003 3:00
      no ip source-route
      !
      !
      ip cef
      no ip dhcp use vrf connected
      ip dhcp excluded-address 192.168.1.65 192.168.1.254
      ip dhcp excluded-address 192.168.1.1 192.168.1.32
      !
      ip dhcp pool sdm-pool1
      import all
      network 192.168.1.0 255.255.255.0
      dns-server 192.168.1.6
      default-router 192.168.1.1
      !
      !
      ip tcp synwait-time 10
      no ip bootp server
      ip domain name ********
      ip name-server 192.168.1.6
      ip ssh time-out 60
      ip ssh authentication-retries 2
      ip inspect log drop-pkt
      ip inspect name DEFAULT100 cuseeme
      ip inspect name DEFAULT100 ftp
      ip inspect name DEFAULT100 h323
      ip inspect name DEFAULT100 icmp
      ip inspect name DEFAULT100 netshow
      ip inspect name DEFAULT100 rcmd
      ip inspect name DEFAULT100 realaudio
      ip inspect name DEFAULT100 rtsp
      ip inspect name DEFAULT100 esmtp
      ip inspect name DEFAULT100 sqlnet
      ip inspect name DEFAULT100 streamworks
      ip inspect name DEFAULT100 tftp
      ip inspect name DEFAULT100 tcp
      ip inspect name DEFAULT100 udp
      ip inspect name DEFAULT100 vdolive
      ip inspect name SDM_MEDIUM appfw SDM_MEDIUM
      ip inspect name SDM_MEDIUM cuseeme
      ip inspect name SDM_MEDIUM dns
      ip inspect name SDM_MEDIUM ftp
      ip inspect name SDM_MEDIUM h323
      ip inspect name SDM_MEDIUM icmp
      ip inspect name SDM_MEDIUM imap reset
      ip inspect name SDM_MEDIUM pop3 reset
      ip inspect name SDM_MEDIUM netshow
      ip inspect name SDM_MEDIUM rcmd
      ip inspect name SDM_MEDIUM realaudio
      ip inspect name SDM_MEDIUM rtsp
      ip inspect name SDM_MEDIUM esmtp
      ip inspect name SDM_MEDIUM sqlnet
      ip inspect name SDM_MEDIUM streamworks
      ip inspect name SDM_MEDIUM tftp
      ip inspect name SDM_MEDIUM tcp
      ip inspect name SDM_MEDIUM udp
      ip inspect name SDM_MEDIUM vdolive
      !
      appfw policy-name SDM_MEDIUM
      application im aol
      service default action allow alarm
      service text-chat action allow alarm
      server permit name login.oscar.aol.com
      server permit name toc.oscar.aol.com
      server permit name oam-d09a.blue.aol.com
      audit-trail on
      application im msn
      service default action allow alarm
      service text-chat action allow alarm
      server permit name messenger.hotmail.com
      server permit name gateway.messenger.hotmail.com
      server permit name webmessenger.msn.com
      audit-trail on
      application http
      port-misuse im action reset alarm
      port-misuse p2p action reset alarm
      application im yahoo
      service default action allow alarm
      service text-chat action allow alarm
      server permit name scs.msg.yahoo.com
      server permit name scsa.msg.yahoo.com
      server permit name scsb.msg.yahoo.com
      server permit name scsc.msg.yahoo.com
      server permit name scsd.msg.yahoo.com
      server permit name cs16.msg.dcn.yahoo.com
      server permit name cs19.msg.dcn.yahoo.com
      server permit name cs42.msg.dcn.yahoo.com
      server permit name cs53.msg.dcn.yahoo.com
      server permit name cs54.msg.dcn.yahoo.com
      server permit name ads1.vip.scd.yahoo.com
      server permit name radio1.launch.vip.dal.yahoo.com
      server permit name in1.msg.vip.re2.yahoo.com
      server permit name data1.my.vip.sc5.yahoo.com
      server permit name address1.pim.vip.mud.yahoo.com
      server permit name edit.messenger.yahoo.com
      server permit name messenger.yahoo.com
      server permit name http.pager.yahoo.com
      server permit name privacy.yahoo.com
      server permit name csa.yahoo.com
      server permit name csb.yahoo.com
      server permit name csc.yahoo.com
      audit-trail on
      !
      !
      crypto pki trustpoint TP-self-signed-2425955784
      enrollment selfsigned
      subject-name cn=IOS-Self-Signed-Certificate-2425955784
      revocation-check none
      rsakeypair TP-self-signed-2425955784
      !
      !
      crypto pki certificate chain TP-self-signed-2425955784
      certificate self-signed 01
      ****
      ******

      quit
      username ***** privilege 15 secret 5 ********
      username ***** privilege 7 secret 5 *******
      !
      !
      class-map match-any sdm_p2p_kazaa
      match protocol fasttrack
      match protocol kazaa2
      class-map match-any sdm_p2p_edonkey
      match protocol edonkey
      class-map match-any sdm_p2p_gnutella
      match protocol gnutella
      class-map match-any sdm_p2p_bittorrent
      match protocol bittorrent
      !
      !
      policy-map sdmappfwp2p_SDM_MEDIUM
      class sdm_p2p_gnutella
      class sdm_p2p_bittorrent
      class sdm_p2p_edonkey
      class sdm_p2p_kazaa
      !
      !
      !
      crypto isakmp policy 1
      encr 3des
      authentication pre-share
      group 2
      !
      crypto isakmp client configuration group *********
      key *********
      dns 192.168.1.6
      pool SDM_POOL_1
      max-users 10
      netmask 255.255.255.0
      !
      !
      crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
      crypto ipsec transform-set ESP-3DES-SHA1 esp-3des esp-sha-hmac
      !
      crypto dynamic-map SDM_DYNMAP_1 1
      set transform-set ESP-3DES-SHA1
      reverse-route
      !
      !
      crypto map SDM_CMAP_1 client authentication list sdm_vpn_xauth_ml_2
      crypto map SDM_CMAP_1 isakmp authorization list sdm_vpn_group_ml_2
      crypto map SDM_CMAP_1 client configuration address respond
      crypto map SDM_CMAP_1 65535 ipsec-isakmp dynamic SDM_DYNMAP_1
      !
      !
      !
      !
      Last edited by Nikolaj7; 8th February 2007, 08:13.



      • #4
        Re: Cisco 1811 Router and VPN Clients

        And the second half:

        interface Null0
        no ip unreachables
        !
        interface FastEthernet0
        no ip address
        no ip redirects
        no ip unreachables
        no ip proxy-arp
        ip route-cache flow
        shutdown
        duplex auto
        speed auto
        !
        interface FastEthernet1
        description $ES_WAN$$FW_OUTSIDE$
        ip address <Outside IP> 255.255.255.252
        ip access-group 101 in
        ip verify unicast reverse-path
        no ip redirects
        no ip unreachables
        no ip proxy-arp
        ip nat outside
        ip inspect SDM_MEDIUM out
        ip virtual-reassembly
        ip route-cache flow
        duplex auto
        speed auto
        crypto map SDM_CMAP_1
        service-policy input sdmappfwp2p_SDM_MEDIUM
        service-policy output sdmappfwp2p_SDM_MEDIUM
        !
        interface FastEthernet2
        !
        interface FastEthernet3
        !
        interface FastEthernet4
        !
        interface FastEthernet5
        !
        interface FastEthernet6
        !
        interface FastEthernet7
        !
        interface FastEthernet8
        !
        interface FastEthernet9
        !
        interface Vlan1
        description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$$ES_LAN$$FW_INSIDE$
        ip address 192.168.1.1 255.255.255.0
        ip access-group 105 in
        no ip redirects
        no ip unreachables
        no ip proxy-arp
        ip nat inside
        ip virtual-reassembly
        ip route-cache flow
        ip tcp adjust-mss 1452
        !
        interface Async1
        no ip address
        no ip redirects
        no ip unreachables
        no ip proxy-arp
        encapsulation slip
        !
        ip local pool SDM_POOL_1 192.168.2.150 192.168.2.151
        ip route 0.0.0.0 0.0.0.0 <Outside IP Gateway>
        !
        !
        ip http server
        ip http access-class 2
        ip http authentication local
        ip http secure-server
        ip http timeout-policy idle 60 life 86400 requests 10000
        ip nat inside source route-map SDM_RMAP_1 interface FastEthernet1 overload
        ip nat inside source static tcp <Webserver inside IP> 80 interface FastEthernet1 80
        ip nat inside source static tcp <Webserver inside IP> 443 interface FastEthernet1 443
        ip nat inside source static tcp <SSHserver inside IP> 1863 interface FastEthernet1 1863
        ip nat inside source static tcp <Mailserver inside IP> 25 interface FastEthernet1 25
        ******
        !
        logging trap debugging
        access-list 1 remark INSIDE_IF=Vlan1
        access-list 1 remark SDM_ACL Category=2
        access-list 1 permit 192.168.1.0 0.0.0.255
        access-list 2 remark Auto generated by SDM Management Access feature
        access-list 2 remark SDM_ACL Category=1
        access-list 2 permit 192.168.1.0 0.0.0.255
        access-list 100 remark auto generated by Cisco SDM Express firewall configuration
        access-list 100 remark SDM_ACL Category=1
        access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 22
        access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq 443
        access-list 100 permit tcp 192.168.1.0 0.0.0.255 host 192.168.1.1 eq cmd
        access-list 100 deny tcp any host 192.168.1.1 eq telnet
        access-list 100 deny tcp any host 192.168.1.1 eq 22
        access-list 100 deny tcp any host 192.168.1.1 eq www
        access-list 100 deny tcp any host 192.168.1.1 eq 443
        access-list 100 deny tcp any host 192.168.1.1 eq cmd
        access-list 100 deny udp any host 192.168.1.1 eq snmp
        access-list 100 deny ip <Outside network> 0.0.0.3 any
        access-list 100 deny ip host 255.255.255.255 any
        access-list 100 deny ip 127.0.0.0 0.255.255.255 any
        access-list 100 permit ip any any
        access-list 101 remark auto generated by Cisco SDM Express firewall configuration
        access-list 101 remark SDM_ACL Category=1
        access-list 101 permit ip 192.168.2.150 0.0.0.1 any
        access-list 101 permit udp any host <Outside IP> eq non500-isakmp
        access-list 101 permit udp any host <Outside IP> eq isakmp
        access-list 101 permit esp any host <Outside IP>
        access-list 101 permit ahp any host <Outside IP>
        access-list 101 permit udp host 192.168.1.6 eq domain host <Outside IP>
        *****
        *****
        *****
        access-list 101 permit tcp any host <Outside IP> eq smtp
        access-list 101 permit tcp any host <Outside IP> eq 1863
        access-list 101 permit tcp any host <Outside IP> eq 443
        access-list 101 permit tcp any host <Outside IP> eq www
        access-list 101 permit icmp any host <Outside IP> echo-reply
        access-list 101 permit icmp any host <Outside IP> time-exceeded
        access-list 101 permit icmp any host <Outside IP> unreachable
        access-list 101 deny ip 10.0.0.0 0.255.255.255 any
        access-list 101 deny ip 172.16.0.0 0.15.255.255 any
        access-list 101 deny ip 192.168.0.0 0.0.255.255 any
        access-list 101 deny ip 192.168.1.0 0.0.0.255 any
        access-list 101 deny ip 127.0.0.0 0.255.255.255 any
        access-list 101 deny ip host 255.255.255.255 any
        access-list 101 deny ip host 0.0.0.0 any
        access-list 101 deny ip any any
        access-list 102 remark Auto generated by SDM Management Access feature
        access-list 102 remark SDM_ACL Category=1
        access-list 102 permit ip 192.168.1.0 0.0.0.255 any
        access-list 103 remark Auto generated by SDM Management Access feature
        access-list 103 remark SDM_ACL Category=1
        access-list 103 permit ip 192.168.1.0 0.0.0.255 any
        access-list 104 remark SDM_ACL Category=2
        access-list 104 deny ip any 192.168.2.150 0.0.0.1
        access-list 104 deny ip any host 192.168.1.150
        access-list 104 deny ip any host 192.168.1.151
        access-list 104 permit ip 192.168.1.0 0.0.0.255 any
        access-list 105 remark auto generated by SDM firewall configuration
        access-list 105 remark SDM_ACL Category=1
        access-list 105 deny ip <Outside net> 0.0.0.3 any
        access-list 105 deny ip host 255.255.255.255 any
        access-list 105 deny ip 127.0.0.0 0.255.255.255 any
        access-list 105 permit ip any any
        no cdp run
        !
        !
        !
        route-map SDM_RMAP_1 permit 1
        match ip address 104
        !
        !
        !
        !
        control-plane
        !
        banner login ^CAuthorized access only!
        Disconnect IMMEDIATELY if you are not an authorized user!^C
        !
        line con 0
        login authentication local_authen
        transport output telnet
        line 1
        modem InOut
        stopbits 1
        speed 115200
        flowcontrol hardware
        line aux 0
        login authentication local_authen
        transport output telnet
        line vty 0 4
        access-class 102 in
        authorization exec local_author
        login authentication local_authen
        transport input ssh
        line vty 5 15
        access-class 103 in
        authorization exec local_author
        login authentication local_authen
        transport input ssh
        !
        scheduler allocate 4000 1000
        scheduler interval 500
        !
        webvpn context Default_context
        ssl authenticate verify all
        !
        no inservice
        !
        end

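Added example (editor's, not code from the thread or from Cisco): a small offline evaluator for the numbered extended ACLs posted above, so the first-match/implicit-deny behaviour of a given list can be checked against a flow before any `log` keywords are added on the router. The ACL text is an excerpt of lists 101 and 104 from posts #3 and #4; the masked `<Outside IP>` is replaced by the assumed placeholder 198.51.100.2 and 203.0.113.5 stands in for an Internet host. It evaluates only the static entries: it does not know which interface or direction a list is applied to, and it ignores the dynamic openings CBAC (`ip inspect`) adds. Run as shown at the bottom, it reports that ACL 101 admits decrypted traffic from the VPN pool (192.168.2.150-151), while ACL 104, the match list of route-map SDM_RMAP_1 used by `ip nat inside source route-map SDM_RMAP_1`, has no permit entry for a 192.168.2.x source, so a pool address is never selected for translation.

```python
"""Offline first-match evaluator for IOS numbered extended ACLs.

Added example for the thread above; the ACL lines are an excerpt of the
posted config with <Outside IP> replaced by the assumed 198.51.100.2.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Well-known port names used in the posted lists.
PORT_NAMES = {"smtp": 25, "www": 80, "domain": 53, "isakmp": 500,
              "non500-isakmp": 4500, "telnet": 23, "snmp": 161, "cmd": 514}

# Excerpt: 101 is applied inbound on FastEthernet1, 104 is matched by
# route-map SDM_RMAP_1 (what gets NATed). Masked lines are omitted.
ACL_TEXT = """
access-list 101 permit ip 192.168.2.150 0.0.0.1 any
access-list 101 permit udp any host 198.51.100.2 eq non500-isakmp
access-list 101 permit udp any host 198.51.100.2 eq isakmp
access-list 101 permit esp any host 198.51.100.2
access-list 101 permit udp host 192.168.1.6 eq domain host 198.51.100.2
access-list 101 permit tcp any host 198.51.100.2 eq smtp
access-list 101 permit tcp any host 198.51.100.2 eq www
access-list 101 permit icmp any host 198.51.100.2 echo-reply
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any any
access-list 104 remark SDM_ACL Category=2
access-list 104 deny ip any 192.168.2.150 0.0.0.1
access-list 104 deny ip any host 192.168.1.150
access-list 104 deny ip any host 192.168.1.151
access-list 104 permit ip 192.168.1.0 0.0.0.255 any
"""

ANY = (0, 0xFFFFFFFF)  # (network, wildcard): every bit is don't-care


@dataclass
class Entry:
    acl: str
    action: str            # "permit" or "deny"
    proto: str             # ip, tcp, udp, icmp, esp, ...
    src: tuple             # (network, wildcard) as ints
    sport: Optional[int]
    dst: tuple
    dport: Optional[int]
    text: str              # the original line, for reporting


def _addr(tokens):
    """Consume 'any' | 'host A' | 'A WILDCARD' and return (network, wildcard)."""
    t = tokens.pop(0)
    if t == "any":
        return ANY
    if t == "host":
        return (int(ipaddress.IPv4Address(tokens.pop(0))), 0)
    return (int(ipaddress.IPv4Address(t)), int(ipaddress.IPv4Address(tokens.pop(0))))


def _port(tokens):
    """Consume an optional 'eq PORT'; other operators do not occur in the posted lists."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = tokens.pop(0)
        return int(p) if p.isdigit() else PORT_NAMES[p]
    return None


def parse_acls(text):
    acls = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list" or tok[2] == "remark":
            continue
        acl, action, proto, rest = tok[1], tok[2], tok[3], tok[4:]
        src = _addr(rest)
        sport = _port(rest)
        dst = _addr(rest)
        dport = _port(rest)
        # Leftover qualifiers (icmp types such as echo-reply, 'log') are ignored,
        # so an icmp entry here matches every icmp type.
        acls.setdefault(acl, []).append(Entry(acl, action, proto, src, sport, dst, dport, line.strip()))
    return acls


def _matches(ip, spec):
    net, wild = spec
    return (ip | wild) == (net | wild)   # wildcard bits are don't-care


def first_match(entries, proto, src, dst, sport=None, dport=None):
    s, d = int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (_matches(s, e.src) and _matches(d, e.dst)):
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e
    return None


def decide(acls, name, proto, src, dst, sport=None, dport=None):
    """Return (action, matching line); no match means the implicit deny."""
    e = first_match(acls[name], proto, src, dst, sport, dport)
    if e is None:
        return ("deny", "implicit deny at end of list")
    return (e.action, e.text)


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    client, web = "192.168.2.151", "203.0.113.5"   # VPN pool address, assumed Internet host
    print("101:", decide(acls, "101", "tcp", client, web, 1045, 80))          # permit
    print("104:", decide(acls, "104", "tcp", client, web, 1045, 80))          # implicit deny: not NATed
    print("104:", decide(acls, "104", "tcp", "192.168.1.20", web, 1045, 80))  # permit: LAN host is NATed
```

The evaluator is deliberately limited to the constructs the posted lists use (`any`, `host`, wildcard masks, `eq`); extend `_port` if `range`, `gt` or `established` entries are added later.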


        • #5
          Re: Cisco 1811 Router and VPN Clients

          Hi Nikola,

          WOW, that is a heck of a long config! SDM can generate HUGE configs like that, the more features you select. The config is just so big it is very difficult to dissect.

          One thing I noticed is that the VPN clients are getting their IP from this pool-
          ip local pool SDM_POOL_1 192.168.2.150 192.168.2.151

          However, I don't see any default gateway or DNS info for the VPN clients once they connect. Are you configuring that manually? Once a VPN client is connected, if you do an IPCONFIG /ALL, what are the IP configs on the VPN adapter?

          I think that the pool needs to be modified to set the router as the default gateway for the VPN clients.

          Just my initial thought. I really haven't finished dissecting the long config.

          We can get it working, one way or the other.

          Thanks for posting the config



          • #6
            Re: Cisco 1811 Router and VPN Clients

            Hi David,

            Thanks for your reply.

            The Ipconfig /all shows:

            LAN Connection (ISP Connection):
            ...
            ...
            ..
            ..


            VPN Connection
            IP address: 192.168.2.151
            Subnet mask: 255.255.255.0
            Default gateway: 192.168.2.151
            DNS Servers: 192.168.1.6


            Somehow I have managed to be able to ping inside resources (I do not know how I did it....), but I am not able to access internal resources like a webserver or mailserver.

            When I do an nslookup of an internal server it first asks the DNS servers of the ISP on the LAN interface connected to the ISP, and then next asks the internal DNS server and gets the correct answer.

            How can I get it to access the internal resources?

            Thanks.

            Regards,
            Nikolaj



            • #7
              Re: Cisco 1811 Router and VPN Clients

              Hi David,

              When I send a test mail from Outlook while connected through VPN it fails to send the test message, even though it says that it can find the mailserver (both POP3 and SMTP).

              Regarding webserver: It just says that the server was not found. And I am not able to access any webservers on the Internet.

              Can it be that there is no ACL or something that allows to send traffic to the VPN network?

              BTW I can access a server on the internal network through the VPN tunnel by means of RDP.

              Split tunneling is not enabled. I want to control all the traffic while the laptop is connected to the VPN.

              Thanks.

              Regards,
              Nikolaj
              Last edited by Nikolaj7; 10th February 2007, 16:43.



              • #8
                Re: Cisco 1811 Router and VPN Clients

                Hi Nikolaj7,

                Hmm, there are just so many features applied that could affect what you are doing, it is hard to narrow it down to something. If it were my config, I would wipe it out and start from scratch, entering only the required configs and then test it without a ton of optional configs. SDM can generate an awfully complex config with just a few clicks of the mouse.

                If I had to try to do something to troubleshoot this existing config, I would add the "log" keyword at the end of any existing ACL that says to deny ip any any. If there is an ACL that doesn't end in deny any any, I would add
                deny ip any any log

                From this, any traffic denied will begin to appear in your router's log file and on the console. I would retest to see if you can narrow down the ACL that is denying the traffic. Also, potentially remove ip verify and ip inspect, going only with ACLs to try to narrow the problem down.

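Following the suggestion above to add the `log` keyword and then read what the router reports, here is an added example (editor's, not code from the thread or from Cisco) that parses the `%SEC-6-IPACCESSLOG*` messages IOS emits for logged ACL hits and aggregates denied flows per list and destination port, so the entry blocking a particular client can be picked out of a 51200-byte logging buffer quickly. The sample lines are constructed for this example in the shape produced with the `service timestamps log datetime msec localtime show-timezone` and `service sequence-numbers` settings from the posted config; none were captured from the poster's router, and the 198.51.100.x / 203.0.113.x addresses are placeholders. CBAC drops reported by `ip inspect log drop-pkt` use a different message and are not handled here. It also totals the `IPACCESSLOGRL` rate-limit notices, since a non-zero value means the per-flow counts undercount.

```python
"""Aggregate logged ACL denies from an IOS logging buffer or syslog.

Added example for the thread above; SAMPLE_LOG is constructed, not captured.
"""
import re
from collections import Counter
from typing import Optional

SAMPLE_LOG = """\
000412: Feb 10 16:40:02.117 PCTime: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.2.151(1045) -> 203.0.113.5(80), 1 packet
000413: Feb 10 16:40:07.221 PCTime: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.168.2.151(1046) -> 203.0.113.5(80), 4 packets
000414: Feb 10 16:40:09.003 PCTime: %SEC-6-IPACCESSLOGDP: list 101 denied icmp 203.0.113.77 -> 198.51.100.2 (8/0), 1 packet
000415: Feb 10 16:40:12.540 PCTime: %SEC-6-IPACCESSLOGNP: list 101 denied 47 203.0.113.77 -> 198.51.100.2, 1 packet
000416: Feb 10 16:40:15.000 PCTime: %SEC-6-IPACCESSLOGP: list 101 permitted udp 203.0.113.9(500) -> 198.51.100.2(500), 1 packet
000417: Feb 10 16:40:20.000 PCTime: %SEC-6-IPACCESSLOGRL: access-list logging rate-limited or missed 2 packets
000418: Feb 10 16:41:00.000 PCTime: %SEC-6-IPACCESSLOGS: list 1 denied 10.9.9.9 1 packet
"""

# Common head of every ACL log message; the flow part differs per variant:
#   P  = tcp/udp with ports, DP = icmp with type/code,
#   NP = other IP protocols (number), S = standard ACL (source only).
HEADER = re.compile(
    r"%SEC-6-IPACCESSLOG(?P<kind>DP|NP|P|S): list (?P<acl>\S+) "
    r"(?P<action>denied|permitted) (?P<rest>.+?),? (?P<count>\d+) packets?$"
)
FLOW = {
    "P": re.compile(r"(?P<proto>\S+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)$"),
    "DP": re.compile(r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+) \((?P<type>\d+)/(?P<code>\d+)\)$"),
    "NP": re.compile(r"(?P<proto>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+)$"),
    "S": re.compile(r"(?P<src>[\d.]+)$"),
}
RATE_LIMIT = re.compile(r"IPACCESSLOGRL: access-list logging rate-limited or missed (\d+) packets?")


def parse_line(line: str) -> Optional[dict]:
    """Return one record for an ACL log message, or None for anything else."""
    m = HEADER.search(line.strip())
    if not m:
        return None
    fm = FLOW[m["kind"]].match(m["rest"])
    if not fm:
        return None
    f = fm.groupdict()
    return {
        "acl": m["acl"],
        "action": m["action"],
        "proto": f.get("proto"),            # None for standard-ACL messages
        "src": f["src"],
        "sport": int(f["sport"]) if f.get("sport") else None,
        "dst": f.get("dst"),
        "dport": int(f["dport"]) if f.get("dport") else None,
        "count": int(m["count"]),
    }


def parse_log(text: str) -> list:
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def summarize_denies(records) -> list:
    """Packets denied per (list, proto, src, dst, dport), busiest first.

    Source ports are dropped on purpose: what matters is which list blocked
    which client towards which service.
    """
    totals = Counter()
    for r in records:
        if r["action"] == "denied":
            totals[(r["acl"], r["proto"], r["src"], r["dst"], r["dport"])] += r["count"]
    return sorted(totals.items(), key=lambda kv: (-kv[1], str(kv[0])))


def rate_limited_packets(text: str) -> int:
    """Packets the router did not log; non-zero means the totals above undercount."""
    return sum(int(n) for n in RATE_LIMIT.findall(text))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, total in summarize_denies(recs):
        acl, proto, src, dst, dport = key
        print(f"list {acl}: {proto or 'ip'} {src} -> {dst or '-'}{f':{dport}' if dport else ''}  {total} pkt")
    print("missed by rate limiting:", rate_limited_packets(SAMPLE_LOG))
```

On the router itself the same buffer is read with `show logging`; pasting that output into `parse_log` is enough, and a `permitted` line shows up only where the matching entry carries `log`, which is why adding it to the final `deny ip any any` is the cheapest place to start.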
