Setup 887va so that one port is always private vpn and other ports are direct to internet.

Greetings,

 

I have been tasked with setting up an 887VA so that port 0 is configured for connection to the private VPN and ports 1, 2 and 3 are configured for general internet access. Currently all the ports are set up for the private VPN (corporate network). Really looking for a place to start with this one. We used to set up 837s so that one port was VPN and the second port was internet-facing, but that used static addresses to do stuff. The new config will only have one corp device with a static address; any public devices connecting should receive an address from the router.

 

Ideally I would like to connect a Zyxel wifi router to one of the additional ports and have that deliver DHCP and connectivity to devices, although for now I would also be satisfied if I can wire in directly from a PC to the Cisco and get internet access.

 


balaji.bandi
Hall of Fame

As per the config, you have only one internet link, which is connected to the VPN, so you need split tunnelling to split the traffic as expected:

 

The example below will help you to understand (is this what you are looking for?). If not, please give us more information so we can understand:

 

https://www.cisco.com/c/en/us/support/docs/routers/1700-series-modular-access-routers/71462-rtr-l2l-ipsec-split.html

 

BB


I've had a look through that document before; I think it is partly what I need. Basically we want port 0 to stay as is, so that the printer, which has to talk to corp directly, will still work. But ports 1/2/3 need to be configured for DHCP from the router and connect directly to the internet. I assume we need to add and make some changes to enable DHCP etc. I'm at the following stage with a config currently.

 

If someone with more experience than me can cast their eye over it, looking for any obvious errors and/or omissions, I would be most appreciative.

 

no service slave-log
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime
service timestamps log datetime localtime
service password-encryption
service dhcp
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
logging buffered 16384 informational
enable password *PASSWORD*
!
no aaa new-model
clock summer-time BST recurring last Sun Mar 1:00 last Sun Oct 2:00
!
no ip source-route
!
!
no ip domain lookup
ip domain name *DOMAIN*
ip inspect name IOSFW tcp timeout 3600
ip inspect name IOSFW udp timeout 30
ip inspect name IOSFW ftp timeout 3600
ip inspect name IOSFW h323 timeout 3600
ip inspect name IOSFW http timeout 3600
ip inspect name IOSFW rcmd timeout 3600
ip inspect name IOSFW realaudio timeout 3600
ip inspect name IOSFW smtp timeout 3600
ip inspect name IOSFW sqlnet timeout 3600
ip inspect name IOSFW streamworks timeout 3600
ip inspect name IOSFW tftp timeout 30
ip inspect name IOSFW vdolive timeout 3600
ip cef
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
username *USER* privilege 15 password *PASSWORD*
!
controller vdsl 0
operating mode auto
!
interface Vlan1
description Internet
ip address 192.168.3.1 255.255.255.0
ip access-group 116 in
ip inspect IOSFW in
ip nat inside
ip virtual-reassembly
no ip mroute-cache
!
interface Vlan10
description Corporate
ip address 192.168.231.49 255.255.255.248
ip access-group 115 in
!
crypto isakmp policy 10
encr aes 256
authentication pre-share
group 5
crypto isakmp key *KEY* address *ASA ADDRESS*
!
!
crypto ipsec transform-set 1 esp-aes 256 esp-sha-hmac
mode tunnel
!
!
crypto map VPN 10 ipsec-isakmp
set peer *ASA ADDRESS*
set transform-set 1
match address 112
!
interface ATM0
description ADSL PHYSICAL INTERFACE
no shutdown
no ip address
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
interface FastEthernet0
description CORPORATE ACCESS
switchport access vlan 10
no ip address
!
interface FastEthernet1
description Internet ACCESS
switchport access vlan 1
!
interface FastEthernet2
description Internet ACCESS
switchport access vlan 1
!
interface FastEthernet3
description Internet ACCESS
switchport access vlan 1
!
interface Dialer1
description ADSL VIRTUAL INTERFACE
no shutdown
ip address negotiated
ip access-group 111 in
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap pap callin
ppp chap hostname *ISP USERNAME*
ppp chap password *ISP PASSWORD*
ppp pap sent-username *ISP USER* password *ISP PASS*
ppp ipcp dns request
ppp ipcp wins request
crypto map VPN
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
!
ip nat inside source route-map NONAT interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit
!
route-map NONAT permit 10
match ip address 114
!
ip dns server
ip domain lookup
ip dhcp excluded-address 192.168.3.1 192.168.3.99
ip dhcp pool DHCP-POOL
network 192.168.3.0 255.255.255.0
default-router 192.168.3.1
dns-server 192.168.3.1
domain-name home.local
import all

ip access-list standard aclQuietMode
permit 192.168.0.0 0.0.0.255

ip access-list standard aclTelnet
permit 192.168.0.0 0.0.0.255

access-list 1 permit *ASA ADDRESS* 0.0.0.63
access-list 1 permit *INTERNAL VLAN* 0.0.0.255
access-list 1 permit 192.168.231.48 0.0.0.7
access-list 1 permit 192.168.3.1 0.0.0.7
access-list 100 permit ip 192.168.231.0 0.0.0.255 *ASA ADDRESS* 0.0.0.63
access-list 111 remark OUTSIDE-IN-ACL
access-list 111 permit icmp *ASA ADDRESS* 0.0.0.63 any echo
access-list 111 permit icmp *ASA ADDRESS* 0.0.0.63 any echo-reply
access-list 111 permit icmp *ASA ADDRESS* 0.0.0.63 any traceroute
access-list 111 permit esp *ASA ADDRESS* 0.0.0.63 any
access-list 111 permit udp *ASA ADDRESS* 0.0.0.63 any eq isakmp
access-list 111 permit udp *ASA ADDRESS* 0.0.0.63 any eq 10000
access-list 111 permit tcp *ASA ADDRESS* 0.0.0.63 any eq 22
access-list 111 permit ip 192.168.0.0 0.0.255.255 192.168.231.48 0.0.0.7
access-list 112 remark CORPORATE-SUBNET-CRYPTO
access-list 112 permit ip 192.168.231.48 0.0.0.7 any
access-list 113 remark Internet-Subnet
access-list 113 permit ip 192.168.3.0 0.0.0.255 any
access-list 114 remark NONAT-LIST
access-list 114 permit ip 192.168.3.0 0.0.0.255 any
access-list 114 deny ip 192.168.231.48 0.0.0.7 any
access-list 115 remark CORPORATE-INTERNET-ACL
access-list 115 deny ip 192.168.231.48 0.0.0.7 192.168.3.0 0.0.0.255
access-list 115 permit ip 192.168.231.48 0.0.0.7 any
access-list 116 remark Internet-Corporate-ACL
access-list 116 deny ip 192.168.3.0 0.0.0.255 192.168.231.48 0.0.0.7
access-list 116 permit ip 192.168.3.0 0.0.0.255 any

dialer-list 1 protocol ip permit
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
banner login ^C
######################################
# #
# THIS IS A RESTRICTED DEVICE #
# #
# DO NOT LOG IN #
# #
######################################
^C
!
line con 0
exec-timeout 60 0
password *Password*
logging synchronous
login local
no modem enable
stopbits 1
line aux 0
line vty 0 4
exec-timeout 60 0
password *Password*
logging synchronous
login local
transport input ssh
transport output ssh
!
scheduler allocate 20000 1000
!
end
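Two mistakes are easy to make in a config like this and hard to spot by eye: an address/wildcard pair that does not start on its network boundary (IOS quietly treats 192.168.3.1 0.0.0.7 as 192.168.3.0/29, which would exclude most DHCP clients from the internet VLAN's ACLs), and a NAT ACL whose permit entries also match traffic the crypto ACL is meant to send through the tunnel unmodified. The Python below is an added example, not code from this thread or from Cisco: it parses numbered access-list lines and runs both checks. The sample ACL text is constructed (modelled on the lines above), the ACL numbers 112 and 114 are passed in as parameters, and lines with placeholder addresses such as *ASA ADDRESS* are skipped rather than parsed.

```python
"""Sanity checks for the numbered ACLs in a Cisco IOS config (added example).

  1. every "address wildcard" pair starts on its network boundary;
  2. nothing the crypto ACL sends into the tunnel is also matched by a
     permit entry of the NAT route-map ACL (tunnel traffic must keep its
     real source address, or the peer's crypto ACL will never match it).
"""
import ipaddress
import re
from dataclasses import dataclass

ACL_LINE = re.compile(r"^\s*access-list\s+(\d+)\s+(permit|deny)\s+(.*)$")
PROTOCOLS = {"ip", "tcp", "udp", "icmp", "esp", "ahp", "gre"}


@dataclass
class Endpoint:
    network: ipaddress.IPv4Network
    text: str        # the tokens as they appeared in the config
    aligned: bool    # False when the address given was not the network address


@dataclass
class AclEntry:
    number: str
    action: str
    proto: str
    src: Endpoint
    dst: Endpoint


def parse_endpoint(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' from the front of tokens."""
    word = tokens.pop(0)
    if word == "any":
        return Endpoint(ipaddress.IPv4Network("0.0.0.0/0"), "any", True)
    if word == "host":
        addr = tokens.pop(0)
        return Endpoint(ipaddress.IPv4Network(f"{addr}/32"), f"host {addr}", True)
    wild = tokens.pop(0)
    wild_int = int(ipaddress.IPv4Address(wild))
    # An IOS wildcard is a run of low-order one bits (0.0.0.7, 0.0.255.255, ...).
    if wild_int & (wild_int + 1):
        raise ValueError(f"non-contiguous wildcard {wild}")
    net = ipaddress.IPv4Network(f"{word}/{32 - wild_int.bit_length()}", strict=False)
    aligned = ipaddress.IPv4Address(word) == net.network_address
    return Endpoint(net, f"{word} {wild}", aligned)


def parse_acls(config_text):
    """Return the permit/deny entries of all numbered ACLs, in config order.
    Remarks and lines whose addresses do not parse (placeholders) are skipped."""
    entries = []
    for line in config_text.splitlines():
        m = ACL_LINE.match(line)
        if not m:
            continue
        number, action, rest = m.groups()
        tokens = rest.split()
        try:
            if tokens[0] in PROTOCOLS:          # extended ACL: proto src dst [ports]
                proto = tokens.pop(0)
                src = parse_endpoint(tokens)
                dst = parse_endpoint(tokens)
            else:                               # standard ACL: source only
                proto = "ip"
                src = parse_endpoint(tokens)
                dst = parse_endpoint(["any"])
        except (ValueError, IndexError):
            continue
        entries.append(AclEntry(number, action, proto, src, dst))
    return entries


def misaligned_entries(entries):
    """(acl number, text as written, network actually matched) for every
    endpoint that was not written as its network address."""
    return [(e.number, ep.text, str(ep.network))
            for e in entries for ep in (e.src, e.dst) if not ep.aligned]


def nat_crypto_conflicts(entries, crypto_acl, nat_acl):
    """Crypto-ACL sources that the NAT ACL would translate. The NAT ACL is
    walked first-match, as the route-map does; any overlap counts as the
    match, which is deliberately conservative."""
    crypto = [e for e in entries if e.number == crypto_acl and e.action == "permit"]
    nat = [e for e in entries if e.number == nat_acl]
    conflicts = []
    for c in crypto:
        for n in nat:
            if c.src.network.overlaps(n.src.network) and c.dst.network.overlaps(n.dst.network):
                if n.action == "permit":
                    conflicts.append((c.src.text, n.src.text))
                break
    return conflicts


# Constructed sample, modelled on the ACLs in the post above.
SAMPLE = """\
access-list 112 remark CORPORATE-SUBNET-CRYPTO
access-list 112 permit ip 192.168.231.48 0.0.0.7 any
access-list 114 remark NONAT-LIST
access-list 114 permit ip 192.168.3.1 0.0.0.7 any
access-list 114 deny ip 192.168.231.48 0.0.0.7 any
access-list 116 deny ip 192.168.3.1 0.0.0.7 192.168.231.49 0.0.0.7
access-list 116 permit ip 192.168.3.1 0.0.0.7 any
"""

# Constructed: a NAT ACL that translates all of 192.168/16 and so swallows the tunnel subnet.
BAD_NAT = """\
access-list 112 permit ip 192.168.231.48 0.0.0.7 any
access-list 114 permit ip 192.168.0.0 0.0.255.255 any
"""

if __name__ == "__main__":
    for acl, text, net in misaligned_entries(parse_acls(SAMPLE)):
        print(f"ACL {acl}: '{text}' is really {net}")
    for c_src, n_src in nat_crypto_conflicts(parse_acls(BAD_NAT), "112", "114"):
        print(f"crypto source {c_src} would be NATed by '{n_src}'")
```

Run it against the full config text (placeholders and all) before pasting: on SAMPLE the first check reports four misaligned endpoints and the second finds no conflict, because the deny for 192.168.231.48/29 comes before anything that could translate it; on BAD_NAT the single permit for 192.168.0.0/16 is flagged because it would translate the corporate /29 before the crypto map sees it.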

 
