09-06-2005 11:44 AM - edited 02-21-2020 12:22 AM
Hello,
I am setting up multiple terminal servers (2600s running Advanced Security IOS) for reverse telnet sessions to our equipment in the physical location of each 2600.
What would be the most secure way to access the 2600? I may not know what IP the user is coming from. I have SSH only, but would like the user to perhaps VPN/PPTP or something to the 2600 prior to being able to access a VTY.
I can't seem to get IPsec to work in transport mode with the client (does the Cisco VPN client even support this?).
My thoughts were: some sort of IPsec to the public IP of the 2600, then you get handed a private IP (the loopback interface of the 2600 is a member of this private IP segment), then from your IPsec private IP you are allowed to SSH to the loopback IP. The global (fa0/0) interface is locked down to only allow IPsec traffic.
Any thoughts on this setup, or any advice on what others have done? Is IPsec transport mode the best way? How can I get this to work? Different client software? Any docs on how to configure this?
I can get it to work with PPTP properly, although it is extremely slow, and I do not like PPTP :)
Thanks
09-06-2005 06:23 PM
You may configure remote VPN access. The user needs to connect to the IPsec VPN, then will be able to telnet to the inside interface of the router via IPsec.
username cisco password 7 xxxxxx
aaa new-model
aaa authentication login myauthen local
aaa authorization network myauthor local
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group mygroup
 key AaBbCcDd
 pool vpnpool
 acl 130
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
crypto map mymap client authentication list myauthen
crypto map mymap isakmp authorization list myauthor
crypto map mymap client configuration address respond
crypto map mymap 10 ipsec-isakmp dynamic dynmap
interface Ethernet0
 ip address 192.168.8.1 255.255.255.0
interface Dialer0
 ip nat outside
 crypto map mymap
ip local pool vpnpool 10.12.12.1 10.12.12.10
ip nat inside source route-map nonat interface Dialer0 overload
access-list 101 deny ip 192.168.8.0 0.0.0.255 10.12.12.0 0.0.0.255
access-list 101 permit ip 192.168.8.0 0.0.0.255 any
access-list 130 permit ip 192.168.8.0 0.0.0.255 10.12.12.0 0.0.0.255
route-map nonat permit 10
 match ip address 101
Above is sample code. Once the remote VPN is established, the remote user will get a private address from the pool (10.12.12.0). Then the user can telnet to the router's inside interface (192.168.8.1) via the IPsec tunnel.
Feel free to post your config and we will assist you further in modifying the existing code.
09-07-2005 05:09 AM
Part of the original question asked about using transport mode. It is my impression that transport mode is more for gateway to gateway IPSec. For use with a client implementation I think you would be better to use tunnel mode.
HTH
Rick
09-07-2005 05:36 AM
Thanks for the reply,
I am trying your setup; it was similar to what I have previously tried (I didn't have the NAT statements), but I will try them anyway. My 2600 only has one interface, so I am using loopbacks for the "private" network.
I can get the VPN to work, but am not able to SSH to the private address.
I can't seem to ping the 172.17.60.1 address.
My VPN client shows the route and the encrypted counter increases, but there is no return traffic. I do have a default route pointing to the next hop of the fa0/0 interface, so it should be hitting my crypto map.
Based on what you posted and the next post, it seems it is recommended to use tunnel mode as in your example and not transport? Even though the router is the end destination? Strange, I never had a problem configuring VPNs before... never had to access the router from it, though :)
Thanks for all the help
Here's my config:
aaa new-model
aaa authentication login VPN local-case
aaa authorization network VPN local
password encryption aes
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group VPN
 key 6
 pool VPN
 acl 130
crypto ipsec transform-set VPNSET esp-3des esp-md5-hmac
crypto dynamic-map VPN 10
 set transform-set VPNSET
crypto map VPN client authentication list VPN
crypto map VPN isakmp authorization list VPN
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic VPN
interface Loopback0
 ip address 172.17.60.1 255.255.255.255
 ip nat inside (tried it with this removed too)
 ip virtual-reassembly
interface FastEthernet0/0
 ip address
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip ips AUDIT in
 ip nat outside
 ip virtual-reassembly
 no ip mroute-cache
 speed 100
 full-duplex
 crypto map VPN
ip local pool VPN 192.168.1.1 192.168.1.7
ip nat inside source route-map NONAT interface FastEthernet0/0 overload
access-list 101 deny ip host 172.17.60.1 192.168.1.0 0.0.0.7
access-list 101 permit ip host 172.17.60.1 any
access-list 130 permit ip host 172.17.60.1 192.168.1.0 0.0.0.7
route-map NONAT permit 10
 match ip address 101
access-list 10 permit 192.168.1.0 0.0.0.7
line vty 0 4
 access-class 10 in
 exec-timeout 15 0
 logging synchronous
 login authentication VTY
 transport input telnet ssh
line vty 5 15
 access-class 10 in
 exec-timeout 15 0
 logging synchronous
 login authentication VTY
 transport input telnet ssh
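The two configs in this thread hinge on three access-lists doing the right thing for every address in the VPN pool: the standard ACL applied with access-class on the VTY lines, the NAT-exemption ACL matched by the NONAT route-map, and the split-tunnel ACL referenced by the client group. As an added check that is not part of any post here, the Python below parses those access-list lines (copied from the config above), applies Cisco wildcard-mask matching with first-match semantics and the implicit deny, and confirms the pool 192.168.1.1-192.168.1.7 is both admitted to the VTYs and left untranslated; the same helper works on the first reply's 192.168.8.0/10.12.12.0 lines.

```python
import ipaddress
ANY = ("0.0.0.0", "255.255.255.255")  # 'any' keyword: every bit is a don't-care

def _spec(t, i):  # one spec: 'any' | 'host A' | 'NET WILDCARD' -> ((net, wc), next index)
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def wildcard_match(addr, net, wc):  # Cisco semantics: a 1 bit in the wildcard is ignored
    care = ~int(ipaddress.IPv4Address(wc)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)

def parse_acls(text):  # 'access-list N permit|deny ...' lines -> {N: [(action, src, dst)]}
    acls = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list":
            continue
        if t[3] == "ip":                  # extended ACL: ip <src> <dst>
            src, i = _spec(t, 4)
            dst, _ = _spec(t, i)
        else:                             # standard ACL: <src> only
            src, dst = _spec(t, 3)[0], ANY
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def acl_decision(entries, src, dst="0.0.0.0"):  # first match wins, implicit deny at the end
    for action, (sn, sw), (dn, dw) in entries:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action
    return "deny"

# access-list lines copied from the config above (loopback 172.17.60.1, pool 192.168.1.1-.7)
CONFIG = """\
access-list 101 deny ip host 172.17.60.1 192.168.1.0 0.0.0.7
access-list 101 permit ip host 172.17.60.1 any
access-list 130 permit ip host 172.17.60.1 192.168.1.0 0.0.0.7
access-list 10 permit 192.168.1.0 0.0.0.7
"""
ACLS, LOOPBACK = parse_acls(CONFIG), "172.17.60.1"
POOL = [f"192.168.1.{i}" for i in range(1, 8)]  # ip local pool VPN 192.168.1.1 192.168.1.7

def vty_allowed(src):  # 'access-class 10 in' on the VTY lines
    return acl_decision(ACLS["10"], src) == "permit"
def is_natted(dst):  # route-map NONAT via ACL 101: permit = translated, deny = exempt
    return acl_decision(ACLS["101"], LOOPBACK, dst) == "permit"
def pool_fully_covered():  # every pool address must pass ACL 10 and be exempt from NAT
    return all(vty_allowed(a) and not is_natted(a) for a in POOL)
```

If the pool is later widened past the /29 wildcard (say to .8), pool_fully_covered() turns False, which is exactly the silent "VPN connects but SSH is refused" symptom described in this thread.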
09-07-2005 11:09 AM
Thanks,
I got it working with your config sample.
I had 2 additional problems (dumb user):
1: I was testing it going through my PIX; the ESP fixup was not enabled due to the PIX itself having ISAKMP enabled, so I bypassed the PIX.
2: I had null routes for private addresses, so I added reverse-route in the crypto map to add a specific host route when logged in via VPN.
Thanks again. Last time I had this config I kept getting disconnected. For some reason it seems solid now; not sure of the difference this time.
Thanks again for your help.
09-07-2005 04:26 PM
Hi,
It's good to know that the issue has been resolved. Perhaps rate the particular post that resolves the issue.
09-07-2005 05:20 PM
I would; however, I accidentally put it to a 4, and it won't let me change it or mark it as resolved, so I guess it will have to stay at a 4.