VPN

Hamid Amir
Level 1

 

Question

I have a Cisco 877 router which connects my network to the Internet using an ADSL line, static IP address and NAT; the IOS version is 15.

Everything is working ok, but I'd like to configure this router to be a VPN server, to be able to connect to the network from the outside.

Letting single remote computers access the internal network.

I can connect to my VPN from home using the router IP as the server name in the VPN client (is this right?), but I cannot from the outside using the public Internet.

And, finally: how do I set this up?

 

My config:


Current configuration : 5563 bytes
!
! Last configuration change at 15:16:15 UTC Mon Aug 28 2017 by me
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
*Aug 28 15:18:19.652: %LINEPROTO-5-UPDOWN: Line protocol on Interface Virtual-Access3, changed state to down
*Aug 28 15:18:19.660: %LINK-3-UPDOWN: Interface Virtual-Access3, changed sta
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
!
!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
!
vtp domain SKYBB
vtp mode transparent
username me privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username she secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENTvpn
key firewallvpn
dns 10.0.0.10
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENTvpn
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile VPN-Profile-1-ike-profile-1
!
!
!
!
!
!
!
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Dialer0
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 8059afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 8059afb35580@skydsl password 0 efrtyuie
ppp ipcp dns request
no cdp enable
!
ip local pool VPN-Pool 192.168.0.20 192.168.0.25
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
permit ip any any
ip access-list extended vpn_resources
permit ip 192.168.0.0 0.0.0.255 any
!
no cdp run
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0


49 Replies

Glad it works now.

There are no stupid questions, only people increasing their knowledge!

It works without changing the config, right?
Thanks

Don't forget to rate helpful answers

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi

Yes, it did work without any further change.

Again thank you and George for your great help!!!

 

Best Regards

 

Hamid

Hamid,

Just for clarification, what is the latest working configuration?

Hi

Sorry for delay.

Below is the working configuration.

User Access Verification

Username: faieza
Password:

Router>en
Router#sh run
Building configuration...

Current configuration : 6198 bytes
!
version 15.3
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
aqm-register-fnf
!
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login vpn_xauth_ml_1 local
aaa authentication login sslvpn local
aaa authentication login CCLIENT-VPN local
aaa authorization exec default local
aaa authorization network vpn_group_ml_1 local
aaa authorization network CCLIENT-VPN local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
!
crypto pki trustpoint TP-self-signed-4137654229
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4137654229
revocation-check none
rsakeypair TP-self-signed-4137654229
!
!
crypto pki certificate chain TP-self-signed-4137654229
certificate self-signed 01
3082022B 30820194 A0030201 02020101 300D0609 2A864886 F70D0101 05050030
31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 34313337 36353432 3239301E 170D3137 30383231 32323233
32305A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D34 31333736
35343232 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
8100B351 E41443AA 2B10054F C5A54FCF 6BDABFB5 9F616CD9 81EA1B64 F8ECFCF7
2985201D 05AC032C A6909FB0 6FEEB950 CBCF796E 1130ECBC 827DC26D FDEED551
4C6C26F5 C937EAE9 8F5057E3 BC2C84A0 C3874EB6 2A93345F 6871C540 71ED581E
91865692 694679EA EDD45E19 D628BCD9 2920CA24 91F1E364 2EE8A360 3D8312F4
72010203 010001A3 53305130 0F060355 1D130101 FF040530 030101FF 301F0603
551D2304 18301680 1498E627 5AC17ECC A8F0F4C9 6F08D23E 23FC51D2 34301D06
03551D0E 04160414 98E6275A C17ECCA8 F0F4C96F 08D23E23 FC51D234 300D0609
2A864886 F70D0101 05050003 81810000 B42EA07A FBF1422B D453E67D DD23EDCD
537C9B69 6CE7D568 4EB45C86 D20C6F08 205A9660 C9904827 551C9AD8 4BF23B2D
A7CD58D7 A116D134 B4445C2B 3DC9E3BD 3EA196DB 3DF06E2F C63CBD5E 843D556F
0538D39F 450D26ED 66EFB07D FCA3D8AA 9ABD41CB 1CE132D8 6B723EC4 B2839CDF
285CDA82 7DF7AB74 3485ED2A FC39EA
quit
!
!
!
!
!
no ip dhcp use class
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.1.0 192.168.1.99
ip dhcp excluded-address 192.168.1.200 192.168.1.210
!
ip dhcp pool vlan1
import all
network 192.168.1.0 255.255.255.0
default-router 192.168.1.1
dns-server 90.207.238.97 90.207.238.99
!
!
!
ip domain name yourdomain.com
ip cef
no ipv6 cef
!
!
!
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
license udi pid C887VA-K9 sn FCZ1843C42Y
license boot module c800 level advipservices
!
!
vtp domain SKYBB
vtp mode transparent
username faieza privilege 15 secret 5 $1$9BoE$Zz74ymPxsv0oQu/5NTfdj.
username admin secret 5 $1$HjSK$puFAwr96lu1Pdmdzt/4tB.
!
!
!
!
!
controller VDSL 0
!
!
!
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 2
encr aes
hash md5
authentication pre-share
group 2
!
crypto isakmp client configuration group CCLIENT-VPN
key firewall.cx
pool VPN-Pool
acl vpn_resources
max-users 5
crypto isakmp profile vpn-ike-profile-1
match identity group CCLIENT-VPN
client authentication list vpn_xauth_ml_1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
crypto isakmp profile VPN-Profile-1-ike-profile-1
match identity group group2
match identity group group1
isakmp authorization list vpn_group_ml_1
client configuration address respond
virtual-template 2
!
!
crypto ipsec transform-set encrypt-method-1 esp-3des esp-sha-hmac
mode tunnel
!
crypto ipsec profile VPN-Profile-1
set transform-set encrypt-method-1
set isakmp-profile vpn-ike-profile-1
!
!
!
!
!
!
!
!
interface ATM0
no ip address
ip policy route-map voip
atm vc-per-vp 64
no atm ilmi-keepalive
pvc 0/38
encapsulation aal5mux ppp dialer
dialer pool-member 1
!
!
interface Ethernet0
no ip address
shutdown
!
interface FastEthernet0
no ip address
!
interface FastEthernet1
no ip address
!
interface FastEthernet2
no ip address
!
interface FastEthernet3
no ip address
!
interface Virtual-Template2 type tunnel
ip unnumbered Vlan1
tunnel mode ipsec ipv4
tunnel protection ipsec profile VPN-Profile-1
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 192.168.1.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
ip tcp adjust-mss 1452
!
interface Dialer0
ip address negotiated
ip nat outside
ip virtual-reassembly in
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication chap callin
ppp chap hostname 7050afb35580@skydsl
ppp chap password 0 df59b51e
ppp pap sent-username 7050afb35580@skydsl password 0 df59b51e
ppp ipcp dns request
no cdp enable
!
ip local pool VPN-Pool 192.168.1.200 192.168.1.210
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip dns server
ip nat inside source list any interface Dialer0 overload
ip route 0.0.0.0 0.0.0.0 Dialer0
!
ip access-list extended any
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.201
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.202
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.203
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.204
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.205
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.206
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.207
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.208
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.209
deny ip 192.168.1.0 0.0.0.255 host 192.168.1.210
permit ip 192.168.1.0 0.0.0.255 any
ip access-list extended vpn_resources
permit ip 192.168.1.0 0.0.0.255 any
!
no cdp run
!
!
!
!
control-plane
!
!
!
mgcp behavior rsip-range tgcp-only
mgcp behavior comedia-role none
mgcp behavior comedia-check-media-src disable
mgcp behavior comedia-sdp-force disable
!
mgcp profile default
!
!
!
!
!
line con 0
no modem enable
line aux 0
line vty 0 4
transport input all
!
scheduler allocate 20000 1000
!
end

Hi

In addition to what Georg asked for the public IP, apply this file (only a few changes: on the NAT ACL, deletion of the unused isakmp profile, creation of a loopback specifically for the virtual-template).

Is it the full config you shared? Because I see an ACL 23 applied for HTTP but I'm not seeing that ACL in your config.

Thanks


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
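The points raised across this thread (the NAT ACL must exempt LAN-to-VPN-pool traffic, the ipsec profile must reference an isakmp profile that actually exists, and `ip http access-class 23` names an ACL that is not in the config) are all things that can be checked mechanically from a `show running-config` dump. The script below is an added example written for this page, not code from the original post or from Cisco; it audits a config for exactly those issues plus the hygiene points visible in the posted configs (3DES/MD5/DH group 2 IKE policies, type-0 clear-text secrets, `transport input all` on the vty lines). `SAMPLE_CONFIG` is a constructed, cut-down config modelled on the working one above with the CHAP password replaced by a placeholder; the parser assumes sub-commands are indented by one space, as IOS prints them.

```python
"""Audit a Cisco IOS running-config for the pitfalls raised in this thread.

Added example (not from the original post). Checks: VPN-pool addresses are
denied in the NAT ACL before any permit; 'set isakmp-profile' and
'ip http access-class' reference objects that exist; weak IKE values,
type-0 secrets and 'transport input all' on vty lines are flagged.
Assumes one-space indentation of sub-commands, as 'show running-config' prints.
"""
import ipaddress
import re

# Constructed sample modelled on the thread's working config; secret is a placeholder.
SAMPLE_CONFIG = """\
no service password-encryption
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp profile vpn-ike-profile-1
 match identity group CCLIENT-VPN
crypto ipsec profile VPN-Profile-1
 set isakmp-profile VPN-Profile-1-ike-profile-1
interface Dialer0
 ip nat outside
 ppp chap password 0 PLACEHOLDER-CHAP-PASSWORD
ip local pool VPN-Pool 192.168.1.200 192.168.1.202
ip http access-class 23
ip nat inside source list any interface Dialer0 overload
ip access-list extended any
 deny ip 192.168.1.0 0.0.0.255 host 192.168.1.200
 permit ip 192.168.1.0 0.0.0.255 any
line vty 0 4
 transport input all
"""

def ios_sections(config):
    """Split a config into (top-level line, [stripped sub-command lines]) pairs."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        else:
            sections.append((raw.rstrip(), []))
    return sections

def _addr(tokens, i):
    """Parse one ACL address spec (any | host A | A WILDCARD) at tokens[i]; return (network, next i)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    prefix = 32 - int(ipaddress.ip_address(tokens[i + 1])).bit_length()  # contiguous wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{prefix}", strict=False), i + 2

def nat_exempt_findings(sections, config):
    """Each VPN-pool address must hit a deny in the NAT ACL before any permit matches it."""
    nat = re.search(r"^ip nat inside source list (\S+)", config, re.M)
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", config, re.M)
    if not (nat and pool):
        return []
    acl = dict(sections).get(f"ip access-list extended {nat.group(1)}", [])
    first, last = (int(ipaddress.ip_address(p)) for p in pool.groups())
    findings = []
    for client in (ipaddress.ip_address(n) for n in range(first, last + 1)):
        for ace in acl:
            tokens = ace.split()
            if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
                continue
            _src, i = _addr(tokens, 2)
            dst, _ = _addr(tokens, i)
            if client in dst:  # first matching ACE decides, as on the router
                if tokens[0] == "permit":
                    findings.append(f"NAT ACL {nat.group(1)}: LAN -> {client} is translated; add a deny before the permit")
                break
    return findings

def reference_findings(sections, config):
    """Report names that are referenced but never defined."""
    headers = [h for h, _ in sections]
    isakmp = {h.split()[-1] for h in headers if h.startswith("crypto isakmp profile ")}
    findings = []
    for h, body in sections:
        if h.startswith("crypto ipsec profile "):
            for name in (l.split()[-1] for l in body if l.startswith("set isakmp-profile ")):
                if name not in isakmp:
                    findings.append(f"{h}: isakmp profile {name} is not defined")
    for acl in re.findall(r"^ip http access-class (\S+)", config, re.M):
        if not any(h.startswith(f"access-list {acl} ")
                   or (h.startswith("ip access-list ") and h.endswith(f" {acl}")) for h in headers):
            findings.append(f"ip http access-class {acl}: ACL {acl} is referenced but not defined")
    return findings

WEAK_IKE = ("encr des", "encr 3des", "hash md5", "group 1", "group 2")

def hygiene_findings(sections, config):
    """Weak IKE policy values, clear-text secrets and unrestricted vty transports."""
    findings = []
    for h, body in sections:
        if h.startswith("crypto isakmp policy"):
            weak = [l for l in body if l in WEAK_IKE]
            if weak:
                findings.append(f"{h}: weak settings {', '.join(weak)}")
        if h.startswith("line vty") and "transport input all" in body:
            findings.append(f"{h}: transport input all; restrict to ssh")
    if re.search(r"^no service password-encryption$", config, re.M):
        findings.append("no service password-encryption: type-0 secrets are shown in clear")
    for line in re.findall(r"^\s*(ppp \S+.*?) password 0 \S+$", config, re.M):
        findings.append(f"clear-text credential in config: {line}")
    return findings

def audit(config):
    """Run all checks; returns a list of human-readable findings."""
    sections = ios_sections(config)
    return (nat_exempt_findings(sections, config)
            + reference_findings(sections, config)
            + hygiene_findings(sections, config))

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

Run it against a saved `show running-config` with `audit(open("router.cfg").read())`. On the sample it reports the two pool addresses (.201 and .202) that the NAT ACL still translates, which is exactly the symptom of a tunnel that comes up but carries no traffic; the per-host deny lines in the working config above fix that, and a single `deny ip 192.168.1.0 0.0.0.255 192.168.1.192 0.0.0.15` would cover the whole pool with one line.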