03-02-2010 05:00 AM - edited 02-21-2020 04:31 PM
Hi All
I want to change an existing Cisco 871 config so it will support VPN client access.
I had several tries but without luck. It seems I am doing something wrong. I hope to get a good course on this subject in the near future, but for the short term perhaps someone can look this over and leave a comment.
Below is first the original config, and after that the things that, IMHO, should be added.
I tried to use CCP and SDM, but they leave all kinds of rubbish, enormous access-lists and so on.
Thanks in advance,
Erik
==
- IOS version = c870-advipservicesk9-mz.124-24.T2.bin
- local radius authentication
- NAT
!
version 12.4
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
!
hostname Router
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 16348 informational
enable secret 5 xxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa group server radius rad_eap
server 10.128.7.5 auth-port 1645 acct-port 1646
!
aaa group server radius rad_mac
!
aaa group server radius rad_acct
!
aaa group server radius rad_admin
!
aaa group server tacacs+ tac_admin
!
aaa group server radius rad_pmip
!
aaa group server radius dummy
!
aaa authentication login default local
aaa authentication login eap_methods group rad_eap
aaa authentication login mac_methods local
aaa authorization exec default local
aaa authorization ipmobile default group rad_pmip
aaa accounting network acct_methods
action-type start-stop
group rad_acct
!
!
!
aaa session-id common
clock timezone MET 1
clock summer-time MET-DST recurring last Sun Mar 2:00 last Sun Oct 2:00
!
crypto pki trustpoint TP-self-signed-127833653
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-127833653
revocation-check none
rsakeypair TP-self-signed-127833653
!
!
crypto pki certificate chain TP-self-signed-127833653
certificate self-signed 01
quit
dot11 syslog
!
dot11 ssid xxxxxxxxxxx
vlan 10
authentication open
authentication key-management wpa
guest-mode
wpa-psk ascii 7 xxxxxxxxxxxxxxx
!
ip source-route
!
!
ip dhcp excluded-address 10.128.7.0 10.128.7.100
ip dhcp excluded-address 10.128.7.250 10.128.7.254
!
ip dhcp pool VLAN10-STAFF-SERVERS
import all
network 10.128.7.0 255.255.255.0
default-router 10.128.7.254
dns-server 10.128.7.5 10.128.7.15
netbios-name-server 10.128.7.5
domain-name xxxx.xx
lease 4
!
!
ip cef
no ip domain lookup
ip domain name xxxxxxxx.xx
ip inspect name MYFW tcp
ip inspect name MYFW udp
no ipv6 cef
!
multilink bundle-name authenticated
!
vpdn enable
!
!
!
username cisco privilege 15 secret 5 cisco
!
!
!
archive
log config
hidekeys
!
!
!
bridge irb
!
!
interface FastEthernet0
switchport access vlan 10
!
interface FastEthernet1
switchport access vlan 10
!
interface FastEthernet2
switchport access vlan 10
!
interface FastEthernet3
switchport access vlan 10
!
interface FastEthernet4
description Connection to ISP
no ip address
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
!
interface Dot11Radio0
no ip address
!
encryption vlan 10 mode ciphers aes-ccm
!
ssid xxxxxxxxxxxxxxx
!
speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
station-role root
no cdp enable
!
interface Dot11Radio0.10
encapsulation dot1Q 10
bridge-group 10
bridge-group 10 subscriber-loop-control
bridge-group 10 spanning-disabled
bridge-group 10 block-unknown-source
no bridge-group 10 source-learning
no bridge-group 10 unicast-flooding
!
interface Vlan1
ip address aaa.bbb.140.177 255.255.255.240
no ip redirects
no ip proxy-arp
ip nat outside
no ip virtual-reassembly
no autostate
hold-queue 100 out
!
interface Vlan10
description STAFF wired
no ip address
ip nat inside
no ip virtual-reassembly
no autostate
bridge-group 10
bridge-group 10 spanning-disabled
!
interface Dialer1
mtu 1492
ip unnumbered Vlan1
no ip redirects
no ip proxy-arp
ip nat outside
ip inspect MYFW out
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp authentication pap callin
ppp pap sent-username xxxx@isp.com password 7 xxxxxxxxxxx
!
interface BVI10
description Bridge to Staff server network
ip address 10.128.7.254 255.255.255.0
ip nat inside
ip virtual-reassembly
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
ip http server
ip http authentication local
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http secure-client-auth
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list 101 interface Vlan1 overload
ip nat inside source static tcp 10.128.7.1 25 aaa.bbb.140.178 25 extendable
ip nat inside source static tcp 10.128.7.1 80 aaa.bbb.140.178 80 extendable
ip nat inside source static tcp 10.128.7.1 443 aaa.bbb.140.178 443 extendable
ip nat inside source static tcp 10.128.7.2 25 aaa.bbb.140.179 25 extendable
ip nat inside source static tcp 10.128.7.2 80 aaa.bbb.140.179 80 extendable
ip nat inside source static tcp 10.128.7.2 443 aaa.bbb.140.179 443 extendable
ip nat inside source static tcp 10.128.7.3 25 aaa.bbb.140.180 25 extendable
ip nat inside source static tcp 10.128.7.3 80 aaa.bbb.140.180 80 extendable
ip nat inside source static tcp 10.128.7.3 443 aaa.bbb.140.180 443 extendable
ip nat inside source static tcp 10.128.7.4 25 aaa.bbb.140.181 25 extendable
ip nat inside source static tcp 10.128.7.4 80 aaa.bbb.140.181 80 extendable
ip nat inside source static tcp 10.128.7.4 443 aaa.bbb.140.181 443 extendable
ip nat inside source static tcp 10.128.7.5 25 aaa.bbb.140.182 25 extendable
ip nat inside source static tcp 10.128.7.5 80 aaa.bbb.140.182 80 extendable
ip nat inside source static tcp 10.128.7.5 443 aaa.bbb.140.182 443 extendable
ip nat inside source static tcp 10.128.7.6 25 aaa.bbb.140.183 25 extendable
ip nat inside source static tcp 10.128.7.6 80 aaa.bbb.140.183 80 extendable
ip nat inside source static tcp 10.128.7.6 443 aaa.bbb.140.183 443 extendable
ip nat inside source static tcp 10.128.7.7 25 aaa.bbb.140.184 25 extendable
ip nat inside source static tcp 10.128.7.7 80 aaa.bbb.140.184 80 extendable
ip nat inside source static tcp 10.128.7.7 443 aaa.bbb.140.184 443 extendable
ip nat inside source static tcp 10.128.7.8 25 aaa.bbb.140.185 25 extendable
ip nat inside source static tcp 10.128.7.8 80 aaa.bbb.140.185 80 extendable
ip nat inside source static tcp 10.128.7.8 443 aaa.bbb.140.185 443 extendable
ip nat inside source static tcp 10.128.7.9 25 aaa.bbb.140.186 25 extendable
ip nat inside source static tcp 10.128.7.9 80 aaa.bbb.140.186 80 extendable
ip nat inside source static tcp 10.128.7.9 443 aaa.bbb.140.186 443 extendable
ip nat inside source static tcp 10.128.7.10 25 aaa.bbb.140.187 25 extendable
ip nat inside source static tcp 10.128.7.10 80 aaa.bbb.140.187 80 extendable
ip nat inside source static tcp 10.128.7.10 110 aaa.bbb.140.187 110 extendable
ip nat inside source static tcp 10.128.7.10 143 aaa.bbb.140.187 143 extendable
ip nat inside source static tcp 10.128.7.10 443 aaa.bbb.140.187 443 extendable
ip nat inside source static tcp 10.128.7.10 110 aaa.bbb.140.187 993 extendable
ip nat inside source static tcp 10.128.7.10 110 aaa.bbb.140.187 995 extendable
ip nat inside source static tcp 10.128.7.11 25 aaa.bbb.140.188 25 extendable
ip nat inside source static tcp 10.128.7.11 80 aaa.bbb.140.188 80 extendable
ip nat inside source static tcp 10.128.7.11 443 aaa.bbb.140.188 443 extendable
ip nat inside source static tcp 10.128.7.12 25 aaa.bbb.140.189 25 extendable
ip nat inside source static tcp 10.128.7.12 80 aaa.bbb.140.189 80 extendable
ip nat inside source static tcp 10.128.7.12 443 aaa.bbb.140.189 443 extendable
!
ip access-list extended Guest-ACL
deny ip any 10.128.7.0 0.0.0.255
permit ip any any
ip access-list extended Internet-inbound-ACL
permit udp any eq bootps any eq bootpc
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
permit gre any any
permit esp any any
!
access-list 1 permit 10.128.7.0 0.0.0.255
access-list 101 permit ip 10.128.7.0 0.0.0.255 any
dialer-list 1 protocol ip list 1
!
!
!
!
radius-server vsa send accounting
!
control-plane
!
bridge 10 route ip
banner motd ^
******************** Unauthorized access forbidden ****************
^
!
line con 0
password 7 xxxxxxxxxxxxxxxx
no modem enable
line aux 0
line vty 0 4
privilege level 15
transport input telnet ssh
!
scheduler max-task-time 5000
ntp server 111.222.111.222
end
To be added - crypto/local radius/isakmp/local ip pool/ACLs:
!
!--- configure local radius server
!
radius-server local
nas 10.128.7.254 key local-radius
user user1 password password1 group radius
!
!--- Enable authentication, authorization and accounting (AAA)
!--- for user authentication and group authorization.
!
aaa new-model
!
!--- In order to enable extended authentication (Xauth) for user authentication,
!--- enable the aaa authentication commands.
!--- "Group radius local" specifies RADIUS user authentication
!--- to be used by default and to use the local database if the RADIUS server is not reachable.
!
aaa authentication login userauthen group radius local
!
!--- In order to enable group authorization,
!--- enable the aaa authorization commands.
!
aaa authorization network groupauthor group radius local
!
aaa group server radius radius
server 10.128.7.254 auth-port 1812 acct-port 1813
!
!--- Create an Internet Security Association and
!--- Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.
!
crypto isakmp policy 3
encr 3des
authentication pre-share
group 2
!
!--- Create a pool of addresses to be assigned to the VPN Clients.
!
ip local pool ippool 10.16.20.1 10.16.20.200
!
!--- Create a group that will be used to specify the
!--- Windows Internet Naming Service (WINS) and Domain Naming Service (DNS) server
!--- addresses to the client, along with the pre-shared key for authentication.
!
crypto isakmp client configuration group crypto-client
key cisco123
dns 10.128.7.5
wins 10.128.7.5
domain xxxx.xx
pool ippool
!
!--- Create the Phase 2 policy for actual data encryption.
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
!--- Create a dynamic map and
!--- apply the transform set that was created.
!
crypto dynamic-map dynmap 10
set transform-set myset
!
!--- Create the actual crypto map,
!--- and apply the AAA lists that were created earlier.
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!--- Apply the crypto map on the outside interface.
!
interface vlan1
crypto map clientmap
!
!--- Specify the IP address of the RADIUS server,
!--- along with the RADIUS shared secret key.
!
radius-server host 10.128.7.254 auth-port 1812 acct-port 1813 key local-radius
radius-server retransmit 3
ip radius source-interface BVI10
!
!--- NAT exemption rule
!--- exempt traffic destined for the VPN tunnel from the NAT process
!
!Do i need this??
!Do i need this??
!
!--- Split tunnel ACL to define what traffic to encrypt
!
access-list 20 permit 10.128.7.0 0.0.0.255
crypto isakmp client configuration group crypto-client
acl 20
!
end
03-02-2010 06:11 AM
Hi Erik,
The following link has some Easy VPN server configuration examples; you can use it as a reference to start your configuration.
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t8/feature/guide/ftunity.html
HTH,
Lei Tian
03-03-2010 05:29 AM
Thanks for your valuable input. This gives me a new perspective on the matter. It leaves me with just the following questions:
- Do I need a NAT exemption ACL rule in order to exempt traffic destined for the VPN tunnel from the NAT process?
- Do I need a split tunnelling ACL?
Erik
03-03-2010 07:45 AM
Hi Erik,
erikisme1 wrote:
Thanks for your valuable input. This gives me a new perspective on the matter. It leaves me with just the following questions:
- Do I need a NAT exemption ACL rule in order to exempt traffic destined for the VPN tunnel from the NAT process?
- Do I need a split tunnelling ACL?
Erik
Yes, you need to change your NAT statements.
For dynamic NAT or PAT, exclude traffic from the LAN subnet to the VPN pool network range; for static NAT, use conditional NAT to exclude traffic from the LAN subnet to the VPN pool network range. Conditional NAT uses a route-map at the end of the static NAT statement. Here is the configuration guide:
http://www.cisco.com/en/US/docs/ios/12_2t/12_2t4/feature/guide/ftnatrt.html
If you want the VPN remote/client to only route VPN traffic to the VPN server and route internet traffic to the internet, then you need to use a split tunneling ACL.
HTH,
Lei Tian
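As an added example (not part of this thread or of Erik's config), here is the NAT exemption Lei Tian describes, written against the addresses in Erik's first post: the LAN 10.128.7.0/24, the VPN pool 10.16.20.0/24 from `ip local pool ippool`, and one of his static port mappings. The ACL name NO-NAT-TO-VPN and route-map name NAT-NOT-VPN are my own choices.

```cisco
! Added example, not from the thread: NAT exemption for Easy VPN clients.
! Assumes the VPN pool is 10.16.20.0/24 (ip local pool ippool 10.16.20.1 10.16.20.200).
!
! 1. Dynamic PAT: the overload ACL must deny LAN -> VPN pool BEFORE the permit,
!    otherwise LAN replies to VPN clients are translated to the Vlan1 address
!    and never match the IPsec SA.
no ip nat inside source list 101 interface Vlan1 overload
no access-list 101
access-list 101 deny   ip 10.128.7.0 0.0.0.255 10.16.20.0 0.0.0.255
access-list 101 permit ip 10.128.7.0 0.0.0.255 any
ip nat inside source list 101 interface Vlan1 overload
!
! 2. Static NAT: a port mapping has no ACL of its own, so attach a route-map
!    that only matches traffic NOT going to the VPN pool (conditional static NAT).
ip access-list extended NO-NAT-TO-VPN
 deny   ip 10.128.7.0 0.0.0.255 10.16.20.0 0.0.0.255
 permit ip any any
!
route-map NAT-NOT-VPN permit 10
 match ip address NO-NAT-TO-VPN
!
! Re-create each static entry with the route-map (shown for one server; repeat for the rest).
no ip nat inside source static tcp 10.128.7.1 25 aaa.bbb.140.178 25 extendable
ip nat inside source static tcp 10.128.7.1 25 aaa.bbb.140.178 25 extendable route-map NAT-NOT-VPN
!
! 3. Verify after a client connects: no LAN-to-pool flow should appear as a translation,
!    and the IPsec SA counters should increase in both directions.
! show ip nat translations | include 10.16.20
! show crypto ipsec sa
```

The split-tunnel ACL 20 already in Erik's "to be added" block is a separate thing: it tells the client which destinations to encrypt, while the ACLs above tell the router which traffic to leave untranslated.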
03-05-2010 03:55 AM
Thanks,
The "CONFIGURING CISCO VPN CLIENT AND EASY VPN SERVER WITH XAUTH" document did the trick. Now I only need to enable routing on the 871 because I am not able to get into the LAN.
One question is still left. Now I get an error on the console of the router stating:
*Mar 4 16:30:57.051: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=XXX.YYY.213.27, prot=50, spi=0x94040000(2483290112), srcaddr=AAA.BBB.180.2
Do I have an issue here? The CCO error message decoder is not very clear on this one, IMHO.
Erik
Message was edited by: erik. There seems to be a difference in VPN clients. I get this message when I use VPN client version 5.0.06.0110, and when I use 5.0.06.0160 it is not there anymore.
03-05-2010 08:03 AM
Hi Erik,
That error message indicates something is wrong with the IPsec SA on one side. You can clear the crypto SA to force it to re-negotiate.
HTH,
Lei Tian