Solved: Need help to convert a 881 config to 1921

Brad Krakow · ‎06-01-2013

Here is a copy of my cisco 881 easy vpn config. Can someone please let me know what I need to modify so this will work on a cisco 1921.

Thanks in advance

hostname BTLvpn

boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T3.bin
boot-end-marker

no logging buffered
enable secret 5 XXXXXX

no aaa new-model
clock timezone EASTERN -5

crypto pki trustpoint TP-self-signed-733417695
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-733417695
revocation-check none
rsakeypair TP-self-signed-733417695

crypto pki certificate chain TP-self-signed-733417695
certificate self-signed 01
30820244 308201AD A0030201 02020101 300D0609 2A864886 F70D0101 04050030
30312E30 2C060355 04031325 494F532D 53656C66 2D536967 6E65642D 43657274
69666963 6174652D 37333334 31373639 35301E17 0D303230 33303130 30313130
355A170D 32303031 30313030 30303030 5A303031 2E302C06 03550403 1325494F
532D5365 6C662D53 69676E65 642D4365 72746966 69636174 652D3733 33343137
36393530 819F300D 06092A86 4886F70D 01010105 0003818D 00308189 02818100
DB8C973C EA391850 0A1FC496 CD6DFAA8 36F72E3B 51542A05 DF0B3BD0 6080C367
CE76E4AD 24EFD4D6 1562B1B8 63C27FED 2810B02A 18D5B8AF 349BDB51 9D735584
C46B5844 A1B46B23 9C9C449C 8C61E97F 4585FB64 BA5359AC 981DFDCA 6E87B423
B9F3269D EA9EF97E 74B0AC75 3906ED58 E87F317E 1D8CE583 2DDFFCAB 84278123
02030100 01A36E30 6C300F06 03551D13 0101FF04 05300301 01FF3019 0603551D
11041230 10820E45 41467670 6E2E7375 6E2E696E 73301F06 03551D23 04183016
8014638B 4C4459E4 18E06ADD 8A145115 1BE39596 9834301D 0603551D 0E041604
14638B4C 4459E418 E06ADD8A 1451151B E3959698 34300D06 092A8648 86F70D01
01040500 03818100 8180553B 6FCFDB9F 0307DE6C F9758A0C 775D22DA B084AAEA
8FD8C674 DC13A65D 97A76CB7 41D62861 6513E641 AA348740 2108A58F 68DE29A8
9A2161FE 0B37D8C5 1FD7B9C9 540AC637 64DBC58B 3D89E8E1 C391FBDE 54ACFC4D
7FCAE855 978ED9CA 75AED32B 19D516FB FAC6769B F9DA9892 F27EA1E9 2AF3B757
58F84AF8 FCDB2D8E
quit

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec client ezvpn VPN3000
connect auto
group Community key XXXXX
mode network-extension
peer X.X.X.X default
acl 100
username BTLuser password XXXXX
xauth userid mode local

no ip dhcp use vrf connected
ip dhcp excluded-address 172.30.86.1
ip dhcp excluded-address 172.30.86.2
ip dhcp excluded-address 172.30.86.31 172.30.86.255
ip dhcp excluded-address 172.31.86.1
ip dhcp excluded-address 172.31.86.2
ip dhcp excluded-address 172.31.86.31 172.31.86.255
ip dhcp excluded-address 172.31.86.3

ip dhcp pool DHCP-Voice
   import all
   network 172.30.86.0 255.255.255.0
   default-router 172.30.86.1
   dns-server 10.10.10.45
   option 150 ip 192.168.64.4 192.168.64.3

ip dhcp pool DHCP-Data
   import all
   network 172.31.86.0 255.255.255.0
   default-router 172.31.86.1
dns-server 10.10.10.45

no ip domain lookup
ip domain name XXXX

username admin privilege 15 password XXXXX
archive
log config
hidekeys

ip tftp source-interface Vlan10

class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31

policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
policy-map Parent
class class-default
shape average 768000
service-policy AutoQoS-Policy-Trust

interface FastEthernet0
switchport access vlan 10
switchport mode access
switchport voice vlan 1
no shut

interface FastEthernet1
switchport access vlan 10
switchport mode access
switchport voice vlan 1
no shut

interface FastEthernet2
switchport access vlan 10
switchport mode access
switchport voice vlan 1
no shut

interface FastEthernet3
switchport access vlan 10
switchport mode access
switchport voice vlan 1
no shut

interface FastEthernet4
description Connection-to-Internet$ES_WAN$
ip address dhcp client-id FastEthernet4
ip access-group 124 out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
cdp enable
crypto ipsec client ezvpn VPN3000
service-policy output Parent
no shut

interface Vlan1
description Voice-VLAN
ip address 172.30.86.1 255.255.255.0
ip access-group 123 in
crypto ipsec client ezvpn VPN3000 inside

interface Vlan10
description Data-VLAN
ip address 172.31.86.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn VPN3000 inside

ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000

access-list 100 permit ip 172.30.86.0 0.0.0.255 any
access-list 100 permit ip 172.31.86.0 0.0.0.255 any
access-list 123 permit ip any any dscp ef
access-list 123 permit ip any any
access-list 124 permit ip any any dscp ef
access-list 124 permit esp any any
access-list 124 permit ip any any

rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS

line con 0
password 7 XXXXX
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
password 7 XXXXX
logging synchronous
login local
length 0

scheduler max-task-time 5000

webvpn cef
end

Karsten Iwen · ‎06-02-2013

All in all it looks correct, only some small corrections:

The boot system comand is not needed as it loads an image for the old router

ip tftp source-interface Vlan10

has to be changed to

ip tftp source-interface GigabitEthernet0/1.10

In ACLs 123 and 124 there is no need to allow traffic in the first ACEs if you later have "permit ip any any" unless you want to see the hitcounts.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

Karsten Iwen · ‎06-02-2013

The 1921 will have different interface-identifiers. SO you need to change the config from "interface FastEthernet4" to "interface Gig0/0" for example. The inside interface has to be a trunk which is implemented as subinterfaces on the 1921 as you use two vlans for data and voice. Or you add a switch-module into the 1921, then you have a similar config as on the 800 router, but again there will be different identifiers.

After setting up the 1921 you use a new trustpoint and certificate for accessing the device with CCP, so you don't need to copy the "crypto pki ..." commands.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Brad Krakow · ‎06-02-2013

I think I understand how to set up the wan interface under inter gig 0/0. I am just not sure how to set up the lan interface. If I use interface gig 0/1, how do I go about setting up the sub interfaces? How would interface gig 0/1 look and what would the sub interfaces look like? I feel I am close, just need this last bit of info.

Thanks again for any help

Karsten Iwen · ‎06-02-2013

Instead of the VLans you have subinterfaces:

interface Gig0/1

! here you only have speed and duplex

interface Gig0/1.1

encapsulation dot1Q 1

ip address ...

! other commands

interface Gig0/1.10

encapsulation dot1Q 10

ip address ...

! other commands

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Brad Krakow · ‎06-02-2013

Does this look correct?

hostname BTLvpn

boot-start-marker
boot system flash:c870-advipservicesk9-mz.124-11.T3.bin
boot-end-marker

no logging buffered
enable secret 5 XXXXXX

no aaa new-model
clock timezone EASTERN -5

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec client ezvpn VPN3000
connect auto
group Community key XXXXX
mode network-extension
peer X.X.X.X default
acl 100
username BTLuser password XXXXX
xauth userid mode local

no ip dhcp use vrf connected
ip dhcp excluded-address 172.30.86.1
ip dhcp excluded-address 172.30.86.2
ip dhcp excluded-address 172.30.86.31 172.30.86.255
ip dhcp excluded-address 172.31.86.1
ip dhcp excluded-address 172.31.86.2
ip dhcp excluded-address 172.31.86.31 172.31.86.255
ip dhcp excluded-address 172.31.86.3

ip dhcp pool DHCP-Voice
   import all
   network 172.30.86.0 255.255.255.0
   default-router 172.30.86.1
   dns-server 10.10.10.45
   option 150 ip 192.168.64.4 192.168.64.3

ip dhcp pool DHCP-Data
   import all
   network 172.31.86.0 255.255.255.0
   default-router 172.31.86.1
dns-server 10.10.10.45

no ip domain lookup
ip domain name XXXX

username admin privilege 15 password XXXXX
archive
log config
hidekeys

ip tftp source-interface Vlan10

class-map match-any AutoQoS-VoIP-RTP-Trust
match ip dscp ef
class-map match-any AutoQoS-VoIP-Control-Trust
match ip dscp cs3
match ip dscp af31

policy-map AutoQoS-Policy-Trust
class AutoQoS-VoIP-RTP-Trust
priority percent 70
class AutoQoS-VoIP-Control-Trust
bandwidth percent 5
class class-default
fair-queue
policy-map Parent
class class-default
shape average 768000
service-policy AutoQoS-Policy-Trust

interface GigabitEthernetEthernet0/1
speed auto
duplex auto
no shut

interface interface GigabitEthernet0/0
description Connection-to-Internet$ES_WAN$
ip address dhcp client-id GigabitEthernet0/0
ip access-group 124 out
ip virtual-reassembly
load-interval 30
duplex auto
speed auto
cdp enable
crypto ipsec client ezvpn VPN3000
service-policy output Parent
no shut

interface GigabitEthernet0/1.1
encapsulation dot1q 1
description Voice-VLAN
ip address 172.30.86.1 255.255.255.0
ip access-group 123 in
crypto ipsec client ezvpn VPN3000 inside

interface GigabitEthernet0/1.10
encapsulation dot1q 10 native
description Data-VLAN
ip address 172.31.86.1 255.255.255.0
ip virtual-reassembly
ip tcp adjust-mss 1452
crypto ipsec client ezvpn VPN3000 inside

ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 5 life 86400 requests 10000

access-list 100 permit ip 172.30.86.0 0.0.0.255 any
access-list 100 permit ip 172.31.86.0 0.0.0.255 any
access-list 123 permit ip any any dscp ef
access-list 123 permit ip any any
access-list 124 permit ip any any dscp ef
access-list 124 permit esp any any
access-list 124 permit ip any any

rmon event 33333 log trap AutoQoS description "AutoQoS SNMP traps for Voice Drops" owner AutoQoS

line con 0
password 7 XXXXX
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
password 7 XXXXX
logging synchronous
login local
length 0

scheduler max-task-time 5000

webvpn cef
end

Karsten Iwen · ‎06-02-2013

All in all it looks correct, only some small corrections:

The boot system comand is not needed as it loads an image for the old router

ip tftp source-interface Vlan10

has to be changed to

ip tftp source-interface GigabitEthernet0/1.10

In ACLs 123 and 124 there is no need to allow traffic in the first ACEs if you later have "permit ip any any" unless you want to see the hitcounts.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Brad Krakow · ‎06-02-2013

Thanks. Here is my final config that I will try out tomorrow when I get into work. Thanks again for all your help!

hostname BTLvpn

no logging buffered
enable secret 5 XXXXXX

no aaa new-model
clock timezone EASTERN -5

crypto isakmp policy 1
encr 3des
authentication pre-share
group 2

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac

crypto ipsec client ezvpn VPN3000
connect auto
group Community key XXXXX
mode network-extension
peer X.X.X.X default
acl 100
username BTLuser password XXXXX
xauth userid mode local

no ip dhcp use vrf connected
ip dhcp excluded-address 172.30.86.1
ip dhcp excluded-address 172.30.86.2
ip dhcp excluded-address 172.30.86.31 172.30.86.255
ip dhcp excluded-address 172.31.86.1
ip dhcp excluded-address 172.31.86.2
ip dhcp excluded-address 172.31.86.31 172.31.86.255
ip dhcp excluded-address 172.31.86.3

ip dhcp pool DHCP-Voice
   import all
   network 172.30.86.0 255.255.255.0
   default-router 172.30.86.1
   dns-server 10.10.10.45
   option 150 ip 192.168.64.4 192.168.64.3

ip dhcp pool DHCP-Data
   import all
   network 172.31.86.0 255.255.255.0
   default-router 172.31.86.1
dns-server 10.10.10.45

no ip domain lookup
ip domain name XXXX

username admin privilege 15 password XXXXX
archive
log config
hidekeys

ip tftp source-interface gigether 0/1.10