Cisco 881 VPN concentrator and WAN router

ACorbettSS
Level 1

Hello,

I used the Cisco Configuration Professional tool to set up VPN on my Cisco 881 router, and am able to connect using the Cisco VPN client application. However, when the tunnel is established I lose the ability to access the WAN and I am not able to access any of the devices on the network. Clearly I am missing something, but I'm unable to tell what. I did find another forum thread which indicated that using the Virtual Template type VPN doesn't work correctly on the 881, but that that's also the only way that CP will configure VPN.

Can someone please take a look at this and let me know what I'm missing?

Config File:

version 15.2
no service pad
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
no service password-encryption
service sequence-numbers
!
hostname SSRouter
!
boot-start-marker
boot-end-marker
!
!
security passwords min-length 6
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login ciscocp_vpn_xauth_ml_1 local
aaa authorization exec default local
aaa authorization network ciscocp_vpn_group_ml_1 local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone AZ -7 0
!
no ip source-route
!
!
!
ip dhcp excluded-address 192.168.20.1
ip dhcp excluded-address 192.168.30.1
ip dhcp excluded-address 192.168.40.1
ip dhcp excluded-address 192.168.10.1
!
ip dhcp pool WiFi
 import all
 network 192.168.20.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.20.1
!
ip dhcp pool Office
 import all
 network 192.168.30.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.30.1
!
ip dhcp pool CMS
 import all
 network 192.168.40.0 255.255.255.0
 dns-server 8.8.8.8 8.8.4.4
 default-router 192.168.40.1
!
ip dhcp pool Servers
 import all
 network 192.168.10.0 255.255.255.0
 default-router 192.168.10.1
 dns-server 8.8.8.8 8.8.4.4
!
!
!
no ip bootp server
ip domain name SecureSourceUSA.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
ip cef
no ipv6 cef
!
!
ip ssh time-out 60
ip ssh version 2
!
crypto ctcp port 10000
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group SSource
 key XXXXXXXXXX
 dns 8.8.8.8 8.8.4.4
 domain SecureSourceUSA.com
 pool SDM_POOL_1
 max-users 10
crypto isakmp profile ciscocp-ike-profile-1
   match identity group SSource
   client authentication list ciscocp_vpn_xauth_ml_1
   isakmp authorization list ciscocp_vpn_group_ml_1
   client configuration address respond
   virtual-template 1
!
!
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile CiscoCP_Profile1
 set security-association idle-time 2700
 set transform-set ESP-3DES-SHA
 set isakmp-profile ciscocp-ike-profile-1
!
!
!
!
!
!
!
interface Null0
 no ip unreachables
!
interface FastEthernet0
 description Servers
 no ip address
!
interface FastEthernet1
 description WiFi
 switchport access vlan 2
 no ip address
!
interface FastEthernet2
 description Office
 switchport access vlan 3
 no ip address
!
interface FastEthernet3
 description CMS
 switchport access vlan 4
 no ip address
!
interface FastEthernet4
 description WAN$FW_OUTSIDE$
 ip address x.x.x.x 255.255.255.252
 no ip redirects
 no ip unreachables
 ip nat outside
 ip virtual-reassembly in
 duplex auto
 speed auto
!
interface Virtual-Template1 type tunnel
 description $FW_INSIDE$
 ip unnumbered FastEthernet4
 no ip redirects
 no ip unreachables
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile CiscoCP_Profile1
!
interface Vlan1
 description Servers$FW_INSIDE$
 ip address 192.168.10.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Vlan2
 description WiFi$FW_INSIDE$
 ip address 192.168.20.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan3
 description Office$FW_INSIDE$
 ip address 192.168.30.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
!
interface Vlan4
 description CMS$FW_INSIDE$
 ip address 192.168.40.1 255.255.255.0
 no ip redirects
 no ip unreachables
 ip nat inside
 ip virtual-reassembly in
!
ip local pool SDM_POOL_1 192.168.50.2 192.168.50.100
no ip classless
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
 top 50
 sort-by packets
 cache-timeout 30000
!
ip nat inside source list 23 interface FastEthernet4 overload
ip nat inside source static tcp 192.168.10.205 1024 x.x.x.x 1024 extendable
ip nat inside source static udp 192.168.10.205 1024 x.x.x.x 1024 extendable
ip nat inside source static tcp 192.168.10.205 1025 x.x.x.x 1025 extendable
ip nat inside source static udp 192.168.10.205 1025 x.x.x.x 1025 extendable
ip nat inside source static tcp 192.168.10.205 1026 x.x.x.x 1026 extendable
ip nat inside source static udp 192.168.10.205 1026 x.x.x.x 1026 extendable
ip nat inside source static tcp 192.168.10.205 1027 x.x.x.x 1027 extendable
ip nat inside source static udp 192.168.10.205 1027 x.x.x.x 1027 extendable
ip nat inside source static tcp 192.168.10.205 3061 x.x.x.x 3061 extendable
ip nat inside source static udp 192.168.10.205 3061 x.x.x.x 3061 extendable
ip nat inside source static tcp 192.168.10.205 3064 x.x.x.x 3064 extendable
ip nat inside source static udp 192.168.10.205 3064 x.x.x.x 3064 extendable
ip nat inside source static tcp 192.168.10.210 888 x.x.x.x 888 extendable
ip nat inside source static tcp 192.168.10.93 1024 x.x.x.x 1024 extendable
ip nat inside source static tcp 192.168.10.93 1026 x.x.x.x 1026 extendable
ip nat inside source static tcp 192.168.10.93 1027 x.x.x.x 1027 extendable
ip nat inside source static tcp 192.168.10.93 3060 x.x.x.x 3060 extendable
ip nat inside source static tcp 192.168.10.93 6901 x.x.x.x 6901 extendable
ip nat inside source static udp 192.168.10.93 6901 x.x.x.x 6901 extendable
ip nat inside source static tcp 192.168.10.250 88 x.x.x.x 88 extendable
ip nat inside source static tcp 192.168.10.250 37777 x.x.x.x 37777 extendable
ip route 0.0.0.0 0.0.0.0 x.x.x.x
!
access-list 23 remark CCP_ACL Category=19
access-list 23 permit 192.168.10.0 0.0.0.255
access-list 23 permit 192.168.20.0 0.0.0.255
access-list 23 permit 192.168.30.0 0.0.0.255
access-list 23 permit 192.168.40.0 0.0.0.255
access-list 23 remark VPN Internet access
access-list 23 permit 192.168.50.0 0.0.0.255
access-list 150 remark Split Tunnel
access-list 150 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 150 permit ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 150 permit ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 150 permit ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
no cdp run
!
!
!
!
banner login ^CProperty of Secure Source.  Unauthorized Access Prohibited^C
!
line con 0
 session-timeout 10
 no modem enable
line aux 0
 session-timeout 10
 no exec
line vty 0 4
 session-timeout 10
 access-class 23 in
 transport input ssh
!
scheduler allocate 20000 1000
ntp update-calendar
ntp server 192.189.54.33
ntp server 150.101.221.106
ntp server 27.50.91.108
!
end


lmediavilla
Level 1

You need to set up a split tunnel in order to keep access to the corporate servers and your local resources (or browse the internet without sending traffic to the VPN router).

cheers
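The split-tunnel advice above, worked as an added example that is not part of this thread or of Cisco Configuration Professional: a short Python audit over a constructed excerpt of the posted config, reporting whether group SSource pushes a split-tunnel `acl`, whether list 150 (remarked "Split Tunnel") is attached to anything, and whether the pool's NAT line can take effect given that Virtual-Template1 carries no `ip nat inside`. The NAT check assumes classic IOS inside/outside NAT, where a packet is translated only when it enters an `ip nat inside` interface and leaves an `ip nat outside` one; `parse_config` and `audit_ezvpn` are names chosen here.

```python
import ipaddress
import re

# Constructed excerpt of the posted 881 config: only the lines these checks read.
SAMPLE_CONFIG = """\
crypto isakmp client configuration group SSource
 pool SDM_POOL_1
interface Virtual-Template1 type tunnel
 ip unnumbered FastEthernet4
ip local pool SDM_POOL_1 192.168.50.2 192.168.50.100
ip nat inside source list 23 interface FastEthernet4 overload
access-list 23 permit 192.168.50.0 0.0.0.255
access-list 150 remark Split Tunnel
access-list 150 permit ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
"""

def parse_config(text):  # -> (top-level lines, {block header: [sub-commands]})
    top, blocks, current = [], {}, None
    for line in text.splitlines():
        if line.strip() and not line.startswith("!"):
            if line[0].isspace():              # indented: belongs to the open block
                blocks.setdefault(current, []).append(line.strip())
            else:
                current = line.strip()
                top.append(current)
    return top, blocks

def audit_ezvpn(text):  # -> findings about split tunnelling and NAT for the client pool
    top, blocks = parse_config(text)
    findings, attached = [], set()
    for header, body in blocks.items():
        if header.startswith("crypto isakmp client configuration group "):
            acl = next((l.split()[1] for l in body if l.startswith("acl ")), None)
            if acl is None:   # nothing is pushed, so the client tunnels all traffic
                findings.append(f"group {header.split()[-1]}: no 'acl' line, full tunnel")
            attached.add(acl)
    for l in top:
        m = re.match(r"access-list (\d+) remark .*split", l, re.I)
        if m and m.group(1) not in attached:
            findings.append(f"access-list {m.group(1)}: split-tunnel list not attached to a group")
    # Classic NAT translates inside->outside only, so the client pool is NATed
    # towards the WAN only if the Virtual-Template also carries 'ip nat inside'.
    pool = next((l.split() for l in top if l.startswith("ip local pool ")), None)
    nat = next((m.group(1) for l in top if (m := re.match(r"ip nat inside source list (\d+)", l))), None)
    vt_nat = any("ip nat inside" in b for h, b in blocks.items() if h.startswith("interface Virtual-Template"))
    nets = [ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}") for l in top
            if nat and (m := re.match(rf"access-list {nat} permit (\S+) (\S+)$", l))]
    if pool and not vt_nat and any(ipaddress.ip_address(pool[4]) in n for n in nets):
        findings.append(f"pool {pool[3]} in NAT list {nat}, but Virtual-Template lacks 'ip nat inside'")
    return findings
```

Running `audit_ezvpn(SAMPLE_CONFIG)` returns three findings; adding `acl 150` under the group and `ip nat inside` to the template clears all of them.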

I did run across at least one reference to split routing in my troubleshooting and am currently reading up on how to make that work. Unfortunately, my biggest issue is actually the fact that when the tunnel is established I can't access any of the network devices either. I don't think I made that part as clear as I should have in the original post.

Thank you,

Adam Corbett

ACorbettSS
Level 1

Just to follow up. Can anyone help me identify why I cannot access my internal network devices once I connect to the network over VPN?

Additionally, can someone recommend a good split tunnel guide so I can begin working on that?

Thank you,

Adam

I can't even get that far.

How do I get Cisco 881 to take the below command?

aaa authorization login CONSOLE-AUTHEN group tac

When I type aaa authorization ?

I receive the below:

Router(config)#aaa authorization ?
  auth-proxy       For Authentication Proxy Services
  cache            For AAA cache configuration
  commands         For exec (shell) commands.
  config-commands  For configuration mode commands.
  configuration    For downloading configurations from AAA server
  console          For enabling console authorization
  exec             For starting an exec (shell).
  multicast        For downloading Multicast configurations from an AAA server
  network          For network services. (PPP, SLIP, ARAP)
  prepaid          For diameter prepaid services.
  reverse-access   For reverse access connections
  template         Enable template authorization

No login option, any advice?

I did my configuration using the Cisco Configuration Professional tool's built-in VPN wizard.

However, looking over the configuration file, isn't the command:

aaa authentication login ...
