VPN Concept possible?

phuayhow01 (Level 1)

Hi Everyone,

Before I start, below is my setup diagram:

    PCs at remote (192.168.4.x, 255.255.255.0, default gateway 192.168.4.254)
                  |
                  |
           Internet cloud
                  |
                  |
    g0/1 (DHCP IP address 10.0.0.135)
            router 1941
    g0/0 (10.10.10.1)
                  |
                  |
           PCs at local

The PCs at remote obtain their IP addresses from an internet modem with default gateway 192.168.4.254. I found this 192.168.4.254 when I ran "ipconfig" at the command prompt on one of the PCs at remote.

My objective is that all the PCs at remote must be able to access a shared folder on one of the PCs at local via VPN. At the same time, when this VPN is implemented, it must not interrupt internet access for either the remote or the local PCs.

My concern is whether it is possible to configure a VPN for this case. If it is possible, could anyone provide me with as much detail as possible on how to go about doing it?

Thanks and Regards,

Raymond

6 Replies

Ajay Raj (Level 1)

You can create a tunnel between the two sites, like GRE, or go for a site-to-site VPN.

Hi Ajay Raj,

As this is my first time touching on VPN, I did some research and got hold of one example that is very close to my concept. So I tried to use this example, and after some days of trying I managed to use the PCs at remote to access a shared folder on the PC at local, but under one condition: the PCs at remote are within the same subnet as g0/1. But when I go home and use my internet access, which is in the range of 192.168.4.x, I could not even ping g0/1, and I think this portion I have not configured properly inside my router. The second problem I encountered is that with my current router configuration, after the Cisco VPN client software is connected, the PCs at remote cannot surf the internet anymore. Only when I disconnect the Cisco VPN client software can the PCs at remote surf the internet.

Below is my router configuration file:

hostname Pioneer
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 3 log
security passwords min-length 4
logging buffered 51200 warnings
logging console critical
! type 4 secrets are a single unsalted SHA-256 pass and weaker than type 5; use type 8 or 9 where the IOS release supports them
enable secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
!
aaa new-model
!
aaa authentication login default local
! XAUTH user authentication and group authorization both use the local database
aaa authentication login vpn_xauth_m1_q local
aaa authorization exec default local
aaa authorization network vpn_group_m1_1 local
!
aaa session-id common
!
clock timezone PCTime 8 0
!
no ipv6 cef
no ip source-route
ip cef
!
no ip dhcp use vrf connected
ip dhcp excluded-address 10.10.10.1 10.10.10.10
!
ip dhcp pool mydhcppool
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 165.21.83.88 165.21.100.88 4.2.2.2
!
no ip bootp server
ip domain name yourdomain
ip name-server 165.21.83.88
ip name-server 8.8.8.8
!
multilink bundle-name authenticated
!
crypto pki token default removal timeout 0
!
crypto pki trustpoint TP-self-signed-625968446
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-625968446
 revocation-check none
 rsakeypair TP-self-signed-625968446
!
crypto pki certificate chain TP-self-signed-625968446
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36323539 36383434 36301E17 0D313231 31323830 36313231
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  6634571E 9325D46C 25BE3EEF 393CD6C4 2D151BB8 03FBE75E C2C9AA10 1696FB07
  BC9901D6 C764E91D 735B4628 22
  quit
license udi pid CISCO1941/K9 sn FHK144672KZ
!
archive
 log config
  hidekeys
! 'password 7' is reversible obfuscation, not a hash; use 'secret' for every local user
username tcisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
username puriy password 7 11190C171E
!
redundancy
!
ip tcp synwait-time 10
!
! IKE phase 1: 3DES / SHA-1 / DH group 2 with a pre-shared key (legacy parameters, but the Cisco VPN Client offers nothing stronger)
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
! EasyVPN group: the group name and key are what the VPN Client sends as its group authentication
! no 'acl' is set here, so the client tunnels all traffic (no split tunnel); ACL 101 below only NATs 10.10.10.0/24,
! so a connected client's internet traffic has no way out, which is the second problem described above
crypto isakmp client configuration group vpnclients
 key cisco
 pool ippool
 max-users 14
 browser-proxy pioneerbrowser
!
crypto isakmp client configuration browser-proxy pioneerbrowser
crypto isakmp profile vpn-ike-profile-1
 ! NOTE: 'vpnclient' here does not match the group named 'vpnclients' above; both must equal the group name set in the client
 match identity group vpnclient
 client authentication list vpn_xauth_m1_q
 isakmp authorization list vpn_group_m1_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_Profile1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpn-ike-profile-1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address dhcp
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
! each connected client gets a virtual-access interface cloned from this template
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_Profile1
!
ip local pool ippool 192.168.1.1 192.168.1.20
ip forward-protocol nd
! access-list 23 is not defined anywhere in this config; an undefined access-class permits every source
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface GigabitEthernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
! ACL 101 also matches LAN traffic for the VPN pool 192.168.1.0/24, so replies to clients get NATed out g0/1 instead of going back through the tunnel
access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
no cdp run

Could you help me to solve these two issues? Or anyone?

I would really appreciate it if any of you could help me.

Thanks and Regards,

Raymond
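The config above stores one local user with `password 7`. That is an added observation, not part of the thread, and the script below is an added example rather than anything from the post or from Cisco: it implements the well-known type 7 scheme (XOR against a fixed 40-byte key, starting at the two-digit offset that begins the string) so a config review can list every `password 7` / `key 7` line in plaintext. The only assumption is that fixed key; the sample config lines are constructed, and `094F471A1A0A` is the widely published encoding of `cisco`.

```python
"""IOS 'password 7' is reversible obfuscation, not a hash.

Added example, not from the thread. It implements the well-known type 7
scheme (XOR against a fixed key starting at a two-digit offset) so that
a config review can surface every 'password 7' / 'key 7' line in
plaintext. Sample config lines below are constructed, not from the post.
"""

# The fixed key IOS uses for type 7; it is the only "secret" in the scheme.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decrypt(encoded: str) -> str:
    """Recover the plaintext of a 'password 7' string.

    Layout: two decimal digits (offset into TYPE7_KEY) followed by hex
    pairs; plaintext byte i is hex[i] XOR TYPE7_KEY[(offset + i) % 40].
    """
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError(f"malformed type 7 string: {encoded!r}")
    offset = int(encoded[:2], 10)
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encrypt(plaintext: str, offset: int = 9) -> str:
    """Inverse of type7_decrypt. IOS picks the offset at random (0-15);
    it is a parameter here so the round trip is deterministic."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be 0..15")
    data = plaintext.encode("ascii")
    body = "".join(f"{b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]:02X}"
                   for i, b in enumerate(data))
    return f"{offset:02d}{body}"


def find_type7_secrets(config: str) -> list[tuple[str, str]]:
    """Return (config line, plaintext) for every '<password|key> 7 <hex>' entry.

    Covers 'username X password 7', 'enable password 7' and 'key 7' forms.
    """
    hits = []
    for raw in config.splitlines():
        toks = raw.split()
        for i in range(1, len(toks) - 1):
            if toks[i] == "7" and toks[i - 1] in ("password", "key"):
                hits.append((raw.strip(), type7_decrypt(toks[i + 1])))
    return hits


# Constructed sample; '094F471A1A0A' is the widely published encoding of 'cisco'.
SAMPLE_CONFIG = """\
hostname Example
username auditor password 7 094F471A1A0A
crypto isakmp client configuration group demo
 key 7 {0}
"""


def audit_sample() -> list[tuple[str, str]]:
    """Run the audit over the constructed sample config (group key encoded at offset 3)."""
    return find_type7_secrets(SAMPLE_CONFIG.format(type7_encrypt("Gr0upKey!", 3)))


if __name__ == "__main__":
    for line, plain in audit_sample():
        print(f"{line!r} -> {plain!r}")
```

Anyone who can read the running-config (or a backup of it) recovers these values instantly, which is why `username ... secret` and, for the group, a `crypto isakmp client configuration group` key that is not also a login password are the right choices.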

Do these changes:

no ip nat inside source list 101 interface GigabitEthernet0/1 overload
no ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
no access-list 101 permit ip 10.10.10.0 0.0.0.255 any
!
! NAT exemption: LAN traffic for the VPN pool must not be translated, everything else from the LAN is
ip access-list extended INTERNET-ACCESS
 deny ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
ip nat inside source list INTERNET-ACCESS interface GigabitEthernet0/1 overload
! caveat: with 'ip address dhcp' the router already installs a default route via the DHCP-learned gateway;
! a static default pointing at an Ethernet interface makes the router ARP for every destination and depends on proxy ARP upstream
ip route 0.0.0.0 0.0.0.0 gigabitethernet 0/1

For internet to work, use this ACL:

no access-list 100 permit ip 10.10.10.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
! split tunnel: only traffic for 10.10.10.0/24 goes through the tunnel, the client's internet traffic stays local
crypto isakmp client configuration group vpnclients
 acl 100

*** Do Rate All Helpful Posts***

Jawad

Hi Jawad Mukhtar,

I followed the steps you mentioned and it worked perfectly when my PCs at remote have the same subnet as g0/1 of the router. For your info, one of the PCs at remote has the following IP address: 10.0.0.125, 255.255.255.0, default gateway 10.0.0.2, after connecting to a wireless internet router. Actually, my PCs at remote and local are sharing the same internet provider when I am performing my testing in the office.

My real purpose is that when I bring one of the PCs at remote back to my home and connect it to my own wireless internet router (different internet provider), my Cisco VPN client cannot connect to the router anymore. I also cannot ping any of the PCs at local. This PC now has the following IP address: 192.168.4.125, 255.255.255.0, default gateway 192.168.4.254.

Below is my VPN client setting:

[screenshot of the VPN client settings was not captured on this page]

Does the router portion need to change something, or is my VPN client setting wrong? For your info, the g0/1 IP address of the router should be 10.0.0.138.

Hope to hear from you soon.

Thanks and Regards,

Raymond

interface Virtual-Template1 type tunnel
 no ip unnumbered GigabitEthernet0/0
 ! borrow the address of, and source the tunnel from, the outside interface the clients actually connect to
 ip unnumbered GigabitEthernet0/1
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_Profile1

*** Do Rate All Helpful Posts***

Jawad

Hi Jawad,

I have not brought the PC at remote home to test it yet. I will test it tonight.

By the way, I encountered another issue: after all the configuration, all the PCs at local could not surf the internet. I tried to ping 8.8.8.8 from the router but it failed. I browsed through my router configuration and it looks fine to me.

Below is my latest configuration from the router:

 subject-name cn=IOS-Self-Signed-Certificate-625968446
 revocation-check none
 rsakeypair TP-self-signed-625968446
!
crypto pki certificate chain TP-self-signed-625968446
 certificate self-signed 01
  30820229 30820192 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
  30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 36323539 36383434 36301E17 0D313231 31323830 36313231
  385A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
  532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3632 35393638
license udi pid CISCO1941/K9 sn FHK144672KZ
!
username cisco secret 4 tnhtc92DXBhelxjYk8LWJrPV36S2i4ntXrpb4RFmfqY
! 'password 7' is reversible obfuscation; use 'secret' here as well
username puri password 7 11190C171E
!
redundancy
!
ip tcp synwait-time 10
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp keepalive 10
!
crypto isakmp client configuration group vpnclients
 key xxxx
 pool ippool
 ! split tunnel: clients only tunnel traffic for 10.10.10.0/24; Vlan100's 11.11.11.0/24 is not pushed, so it is not reachable over the VPN
 acl 100
 max-users 14
 browser-proxy pioneerbrowser
!
crypto isakmp client configuration browser-proxy pioneerbrowser
crypto isakmp profile vpn-ike-profile-1
 ! NOTE: 'vpnclient' still does not match the group 'vpnclients' above; both must equal the group name set in the client
 match identity group vpnclient
 client authentication list vpn_xauth_m1_q
 isakmp authorization list vpn_group_m1_1
 client configuration address respond
 virtual-template 1
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
!
crypto ipsec profile VPN_Profile1
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA
 set isakmp-profile vpn-ike-profile-1
!
interface Embedded-Service-Engine0/0
 no ip address
 shutdown
!
interface GigabitEthernet0/0
 description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
 ip address 10.10.10.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1
 ip address dhcp
 no ip redirects
 no ip unreachables
 ip flow ingress
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface GigabitEthernet0/1/0
 switchport access vlan 100
 no ip address
!
interface GigabitEthernet0/1/1
 no ip address
!
interface GigabitEthernet0/1/2
 no ip address
!
interface GigabitEthernet0/1/3
 no ip address
!
interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/1
 tunnel source GigabitEthernet0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN_Profile1
!
interface Vlan1
 no ip address
!
interface Vlan100
 description ***ROUTED PORT FOR G0/1/0***
 ip address 11.11.11.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
ip local pool ippool 192.168.1.1 192.168.1.20
ip forward-protocol nd
!
! access-list 23 is not defined in this config; an undefined access-class permits every source
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list INTERNET-ACCESS interface GigabitEthernet0/1 overload
! the DHCP client on g0/1 already installs a default route via the learned gateway (10.0.0.2 earlier in this thread);
! a static default pointing at the Ethernet interface itself makes the router ARP for every destination and relies on proxy ARP upstream.
! 'show ip route' and 'show ip interface brief' will show whether g0/1 still holds its DHCP address and which default route is active
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0/1
!
ip access-list extended INTERNET-ACCESS
 deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
 permit ip 10.10.10.0 0.0.0.255 any
 ! first match wins: this permit already covers 11.11.11.0/24 -> 192.168.1.0/24, so the deny below can never match; swap the two lines
 permit ip 11.11.11.0 0.0.0.255 any
 deny   ip 11.11.11.0 0.0.0.255 192.168.1.0 0.0.0.255
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
!
no cdp run
!
     Any idea what happened?

Regards,

Raymond
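The two ACLs in the last config do different jobs: INTERNET-ACCESS decides what the NAT overload rule translates (a `deny` there means "do not translate", which is how LAN-to-VPN-pool traffic is kept out of NAT), and ACL 100 under the client group is the split-tunnel list, whose permit entries' source networks are pushed to the client as the networks to tunnel. The script below is an added example, not from the thread or from Cisco: a first-match evaluator for these ACLs as posted, which shows that the last `deny` in INTERNET-ACCESS is dead (an earlier `permit` covers it), that 11.11.11.0/24 traffic to VPN clients therefore gets NATed, and that clients do not tunnel traffic for 11.11.11.0/24 at all. It assumes only the `permit|deny ip SRC DST` form with `any`, `host A` or `A WILDCARD` operands, which is all the posted config uses; the test flows are constructed.

```python
"""First-match evaluation of the IOS ACLs used in the last config above.

Added example, not from the thread. INTERNET-ACCESS is the NAT selector
('deny' = do not translate), ACL 100 is the split-tunnel list (source
networks of its permit entries are pushed to the client). The parser
assumes only the 'permit|deny ip SRC DST' form with 'any', 'host A' or
'A WILDCARD' operands, which is all the posted config uses.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def _operand(toks, i):
    """Parse 'any' | 'host A' | 'A WILDCARD' at toks[i]; return (network, next index)."""
    if toks[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.ip_network(f"{toks[i + 1]}/32"), i + 2
    # An IOS wildcard is the bitwise complement of the netmask.
    mask = ipaddress.IPv4Address(int(ipaddress.IPv4Address(toks[i + 1])) ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{toks[i]}/{mask}", strict=False), i + 2


def parse_acl(text):
    """Parse named-ACL body lines or numbered 'access-list N ...' lines into Aces."""
    aces = []
    for raw in text.splitlines():
        toks = raw.split()
        if not toks or toks[0].startswith("!"):
            continue
        if toks[0] == "access-list":      # numbered form: access-list 100 permit ip ...
            toks = toks[2:]
        if toks[:2] not in (["permit", "ip"], ["deny", "ip"]):
            raise ValueError(f"unsupported entry: {raw!r}")
        src, i = _operand(toks, 2)
        dst, _ = _operand(toks, i)
        aces.append(Ace(toks[0], src, dst))
    return aces


def evaluate(aces, src_ip, dst_ip):
    """IOS semantics: first matching entry wins; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for n, ace in enumerate(aces):
        if s in ace.src and d in ace.dst:
            return ace.action, n
    return "deny", None


def shadowed(aces):
    """Indices of entries entirely covered by an earlier entry; they can never match."""
    return [n for n, ace in enumerate(aces)
            if any(ace.src.subnet_of(e.src) and ace.dst.subnet_of(e.dst) for e in aces[:n])]


# Both ACLs exactly as they stand in the last config posted above.
INTERNET_ACCESS = """\
deny   ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255
permit ip 10.10.10.0 0.0.0.255 any
permit ip 11.11.11.0 0.0.0.255 any
deny   ip 11.11.11.0 0.0.0.255 192.168.1.0 0.0.0.255
"""
SPLIT_TUNNEL = "access-list 100 permit ip 10.10.10.0 0.0.0.255 192.168.1.0 0.0.0.255"


def nat_decision(src_ip, dst_ip, acl=INTERNET_ACCESS):
    """'NAT' if the overload rule would translate this flow, 'bypass' if it is exempt."""
    action, _ = evaluate(parse_acl(acl), src_ip, dst_ip)
    return "NAT" if action == "permit" else "bypass"


def client_tunnels(dst_ip, acl=SPLIT_TUNNEL):
    """Would a VPN client send traffic for dst_ip through the tunnel?"""
    nets = [a.src for a in parse_acl(acl) if a.action == "permit"]
    return any(ipaddress.ip_address(dst_ip) in n for n in nets)


if __name__ == "__main__":
    print("dead entries in INTERNET-ACCESS:", shadowed(parse_acl(INTERNET_ACCESS)))
    for src in ("10.10.10.5", "11.11.11.5"):            # constructed test flows
        print(f"{src} -> 192.168.1.3 :", nat_decision(src, "192.168.1.3"))
    for dst in ("10.10.10.20", "11.11.11.5", "8.8.8.8"):
        print(f"client -> {dst} tunneled:", client_tunnels(dst))
```

Moving the 11.11.11.0/24 `deny` above its `permit` removes the dead entry and exempts that VLAN's replies to clients from NAT; adding a `permit ip 11.11.11.0 0.0.0.255 192.168.1.0 0.0.0.255` entry to ACL 100 is what would make the clients tunnel traffic for it.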
