VPN

Hamid Amir
Question

I have a Cisco 877 router which connects my network to the Internet using an ADSL line, static IP address and NAT; the IOS version is 15.

Everything is working ok, but I'd like to configure this router to be a VPN server, to be able to connect to the network from the outside.

Letting single remote computers access the internal network.

I can connect to my VPN from home using the router IP as the server name in the VPN client (is this right?), but I cannot from the outside using the public internet.

And, finally: how to set up this?

 

My config:


Current configuration : 5563 bytes
!
! Last configuration change at 15:16:15 UTC Mon Aug 28 2017 by me
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
*Aug 28 15:18:19.652: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Aug 28 15:18:19.660: %LINK-3-UPDOWN: Interface Virtual-Access3, changed sta
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
!
!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
!
vtp domain SKYBB
vtp mode transparent
username me privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username she secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENTvpn
key firewallvpn
dns 10.0.0.10
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENTvpn
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile VPN-Profile-1-ike-profile-1
!
!
!
!
!
!
!
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 8059afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 8059afb35580@skydsl password 0 efrtyuie
ppp ipcp dns request
no cdp enable
!
ip local pool VPN-Pool 192.168.0.20 192.168.0.25
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
permit ip any any
ip access-list extended vpn_resources
permit ip 192.168.0.0 0.0.0.255 any
!
no cdp run
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0

 

 
49 Replies

Hello,

there is another detail in your configuration that warrants a question: do you have an existing DNS server with IP address 10.0.0.10 on your network?

Also, try and change the key to something different like 'cisco':

crypto isakmp client configuration group CCLIENT-VPN
key cisco
dns 10.0.0.10 ?

Hi

No!

Hey,

Wait a minute. You're testing with AnyConnect or the legacy Cisco VPN client?
Because AnyConnect only supports IKEv2.
If you want to use AnyConnect, you need to configure another VPN access using IKEv2, like FlexVPN for example.

Otherwise you'll need to install the legacy Cisco VPN client.

Thanks

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

 

I am using the Cisco VPN client and I configured the Windows VPN client for remote access as well.

 

Regards

 

Hamid

OK, weird, because you said you were using AnyConnect 4.3 and I see some IKEv2 logs...

If you're using the Cisco VPN client, here is a link on how to generate logs:
https://supportforums.cisco.com/t5/security-blogs/software-vpn-client-logging-common-issues/ba-p/3102276

Do that, try to connect again and paste the logs please.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

Please see the attachments as requested.

Thanks for your time!!!

Best Regards

Hamid

 

Hello,

what is the output of:

show crypto key mypubkey rsa TP-self-signed-4137654229

That said, WEBVPN might be another option (I think that is what Francisco is referring to), I'll send the configs.

Can you post the output of ;show version' ?

Hi

Please see the attachment as requested.

 

Best Regards

 

Hamid

 

When you connect using the Cisco VPN client, does it connect but not reach internal resources, or does it not connect at all?

 

I see the tunnel coming up and they also exchange DPD...

 

While connected with the VPN client, can you share the output of "show crypto isakmp sa" and "show crypto ipsec sa"?

 

For AnyConnect, I was talking essentially about WebVPN, but also about IPsec. You can use AnyConnect for pure IPsec as soon as you use IKEv2 and not IKEv1.

 

My confusion was that there were discussions based on AnyConnect 4.3 and these logs are for the legacy VPN client 5.

 

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

As I mentioned, I am trying to use both the Cisco VPN client and AnyConnect to connect from outside.

I can connect using the Cisco VPN client from home, but I cannot establish a connection from outside.

So the issue is that I cannot connect from outside (when I use the public internet, for example).

Please see the attachment as requested.

Hamid,

stupid question maybe, but how do you connect from the outside? Dialer0 has "ip address negotiated"; make sure you use the IP address assigned to Dialer0 to connect...

It is a clever question. I am not a professional in Cisco VPN.

I used to have a static IP address from my internet provider, but now I have a dynamic IP address.

I did use the router IP address as the server input in the Cisco VPN client, as I mentioned in my first question.

So how do I assign an IP address to Dialer0? Maybe use dyn.com?

Hello,

show ip int brief

should show you the IP address assigned by your ISP to the dialer interface. That is the address you need...

Yes, it is working now with the Dialer0 IP address on my iPhone!!!

I hope this is my final stupid question. Do I need to register with DynDNS.com for my static IP address?

Thank you and Francesco for your help and patience with a stupid old man.

DDNS is definitely a good idea, since 'ip address negotiated' means that the IP address can change. DynDNS is free as far as I know...

Glad that you got it working, let us know if you are running into any other issues...
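Pulling together the checks raised across this thread (whether the DNS server handed to VPN clients exists on the LAN, the negotiated Dialer0 address that clients must target, and AnyConnect needing IKEv2), here is an added Python audit run over a constructed excerpt of the posted config. It is example code, not from the thread or from Cisco; SAMPLE_CONFIG, local_subnets and audit are names chosen here, and it additionally flags the 3DES/DH group 2 IKEv1 settings as weak, which the thread itself does not discuss.

```python
import ipaddress
import re

# Constructed excerpt mirroring the posted running-config (not the full config).
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration group CCLIENTvpn
 dns 10.0.0.10
 pool VPN-Pool
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
interface Dialer0
 ip address negotiated
ip local pool VPN-Pool 192.168.0.20 192.168.0.25
"""


def local_subnets(cfg):
    """Subnets of interfaces with a static 'ip address A MASK' line.
    'ip address negotiated' has no mask token, so it is skipped."""
    pairs = re.findall(r"^\s*ip address (\S+) (\S+)\s*$", cfg, re.M)
    return [ipaddress.ip_network(f"{a}/{m}", strict=False) for a, m in pairs]


def audit(cfg):
    """Return findings for the points the thread walked through."""
    findings = []
    subnets = local_subnets(cfg)
    # 1. A DNS server pushed to VPN clients should live on a local subnet.
    for dns in re.findall(r"^\s*dns (\S+)", cfg, re.M):
        if not any(ipaddress.ip_address(dns) in n for n in subnets):
            findings.append(f"client dns {dns} is not on any local subnet")
    # 2. A negotiated WAN address can change: clients need the current
    #    address (show ip int brief) or a DDNS name, not the LAN address.
    if re.search(r"^\s*ip address negotiated", cfg, re.M):
        findings.append("WAN address is negotiated; use DDNS name for clients")
    # 3. AnyConnect requires IKEv2; an IKEv1-only (isakmp) config will not do.
    if "crypto isakmp policy" in cfg and "crypto ikev2" not in cfg:
        findings.append("only IKEv1 configured; AnyConnect requires IKEv2")
    # 4. Deprecated IKEv1 algorithm choices present in the posted policies.
    for line in re.findall(r"^\s*(encr 3des|hash md5|group 2)$", cfg, re.M):
        findings.append(f"weak IKE setting: {line}")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("-", f)
```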
