VPN Configuration help needed - This can get complicated!

Michael Durham
Level 4

I have a Cisco 3925 router with IOS c3900-universalk9-mz.SPA.152-4.M1.bin with IPBase, UC, and Security licenses.  

 

Currently I have a Microsoft server connecting to PureVPN with a dedicated IP address so our clients can download files from our FTP server.  All is working well with this configuration.

 

I would like to have the PureVPN terminate on the 3925 router and port-forward to the FTP server and some other ports forwarded to other computers for RDP like this:

     100.100.100.10 port 9191 --> 192.168.69.61 FTP
     100.100.100.10 port 7070 --> 192.168.69.10 RDP
     100.100.100.10 port 7071 --> 192.168.69.71 RDP

PureVPN supports OpenVPN and PPTP.

 

I have no clue how to configure this.  Our PureVPN account has a username and password of course.

 

That was stage one, now for stage two if it can be done.

 

We next need to configure some Site-to-Site VPN DMVPNs so that our remote locations can be connected as needed for remote support for their Cisco router or switch only.  A simple Telnet or SSH connection is all that is needed.

 

For a DMVPN to work, one side must have a static IP address which is where the PureVPN would come in.  We do not care if this double VPN would slow down this connection since it's text only.

 

Now I know some are asking "Why not just get a static IP from our ISP".  Good question... We can only get Verizon 4G service here for internet and they want $500.00 just for the IP.  Far too much to pay.  Plus, a public IP would expose us to much more risk than we have now since we are behind double or triple natting.

 

We use this same 4G connection for ALL of our internet access for our workstations.  These connections do not need to go over the VPN and should not. To manage the remote routers, we will log into our local router and telnet to the remote router.


Suggestions are welcome.

 

Thank You,

 

 

Michael

3 Replies

Francesco Molino
VIP Alumni

Hi

 

You can configure the PPTP VPN client feature.

Here is a link on how to do it:

https://www.cisco.com/c/en/us/support/docs/ip/point-to-point-tunneling-protocol-pptp/29781-pptp-ios.html

 

For port forwarding, here is an example:

ip nat inside source static tcp 192.168.69.61 21 100.100.100.10 9191 extendable

 

 

For the dynamic IP thing, I misunderstood your requirement. Is the dynamic IP on the HUB side or the SPOKE side?

 

For spoke side, this is ok and you can use basic DMVPN configurations. If dynamic IP is on hub side, then you can use fqdn based nbma (https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_dmvpn/configuration/15-mt/sec-conn-dmvpn-15-mt-book/sec-conn-dmvpn-conf-using-fqdn.pdf) or you can have some specific configs using EEM to change the nbma public ip on spoke sides by pinging the fqdn dns hub.

The 1st option with fqdn nbma is straightforward.

 

 


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
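
The three forwards from the question, written in the same form as the static NAT line above and with the RDP forwards limited to one known source. This is an added example, not part of the original reply. It assumes Dialer0 is the PureVPN-facing interface, GigabitEthernet0/0 is a hypothetical LAN interface name, the inside hosts listen on the default ports (FTP control 21, RDP 3389), and 203.0.113.50 is a constructed address standing in for a permitted remote admin.

```cisco
! LAN side (hypothetical interface name)
interface GigabitEthernet0/0
 ip nat inside
!
! PureVPN-facing side (assumed to be the PPTP client dialer interface)
interface Dialer0
 ip nat outside
 ip access-group VPN-IN in
!
! Static port forwards: inside host and port -> 100.100.100.10 and public port
ip nat inside source static tcp 192.168.69.61 21 100.100.100.10 9191 extendable
ip nat inside source static tcp 192.168.69.10 3389 100.100.100.10 7070 extendable
ip nat inside source static tcp 192.168.69.71 3389 100.100.100.10 7071 extendable
!
! The inbound ACL on the outside interface is checked before NAT,
! so it matches the public address and the public ports.
ip access-list extended VPN-IN
 ! RDP forwards: only the permitted admin address (constructed value)
 permit tcp host 203.0.113.50 host 100.100.100.10 range 7070 7071
 deny   tcp any host 100.100.100.10 range 7070 7071 log
 ! Everything else (FTP forward, return traffic, tunnel traffic) is left as it was
 permit ip any any
```

`show ip nat translations` lists the three static entries, and `show access-lists VPN-IN` shows hit counts on the deny line for RDP attempts from other sources.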

The VPN is not working on my device. It was running properly previously. But now it is showing Windows 10 Preparing Automatic Repair Error. Please help me to fix it.

That information is to set up my router as the VPN server (not talking about the DMVPN tunnel).  

 

We need our router to be a CLIENT of PureVPN so that our router gets the public IP address.  Only specific traffic should go out the VPN.  Our Web/FTP server, some RDP connections, and our DMVPN tunnel ONLY.

I found the following on the net but it's not working yet.  Any suggestions?

 

! hidden command, required
service internal
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
multilink bundle-name authenticated
vpdn enable
!
vpdn-group PureVPN
 request-dialin
  protocol pptp
  rotary-group 0
 initiate-to ip 209.129.129.1
 l2tp tunnel receive-window 1024
!
interface Dialer0
 ip address dhcp
 encapsulation ppp
 dialer in-band
 dialer idle-timeout 0
 dialer string 123456
 dialer vpdn
 dialer-group 1
 ppp encrypt mppe auto
 ppp chap hostname purevpn9999
 ppp chap password 7 14999590D7E3E3D
 no cdp enable
!
no ip forward-protocol nd
dialer-list 1 protocol ip permit

 

When I debug INT DIA 0 and vpdn there are no responses.
