VPN Configuration for 2811

jay
Level 1

Thank you for taking the time to look at this discussion. I am trying to set up remote client VPN and my attempts have failed. I would like Administrators to be able to VPN in using the Cisco VPN Client with a local login and password on the router. VLAN 5 is for the Administrative network. Here is the current running config:

Current configuration : 3996 bytes
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname FCC-1811-Router
!
boot-start-marker
boot-end-marker
!
enable secret 5 XXXX
!
no aaa new-model
!
ip cef
no ip dhcp use vrf connected
ip dhcp excluded-address 10.35.5.1 10.35.5.49
ip dhcp excluded-address 10.35.5.100 10.35.5.254
ip dhcp excluded-address 10.35.10.1 10.35.10.9
!
ip dhcp pool FCC-Admin
   import all
   network 10.35.5.0 255.255.255.0
   default-router 10.35.5.1
!
ip dhcp pool FCC-Guest
   import all
   network 10.35.10.0 255.255.255.0
   default-router 10.35.10.1
!
ip domain name faithcountrychapel.net
ip inspect name FW tcp router-traffic
ip inspect name FW udp router-traffic
ip inspect name FW icmp router-traffic
ip inspect name FW dns
ip inspect name FW ftp
ip inspect name FW tftp
ip auth-proxy max-nodata-conns 3
ip admission max-nodata-conns 3
!
voice-card 0
 no dspfarm
!
username XXXX privilege 15 secret 5 XXXX
!
interface Loopback0
 ip address 172.16.1.1 255.255.255.240
!
interface FastEthernet0/0
 ip address dhcp
 ip access-group INBOUND in
 ip nat outside
 ip inspect FW out
 no ip virtual-reassembly
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1
 no ip address
 duplex auto
 speed auto
 no cdp enable
!
interface FastEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.35.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.5
 encapsulation dot1Q 5
 ip address 10.35.5.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface FastEthernet0/1.10
 encapsulation dot1Q 10
 ip address 10.35.10.1 255.255.255.0
 ip access-group 100 in
 ip nat inside
 ip virtual-reassembly
!
no ip forward-protocol nd
!
ip http server
no ip http secure-server
ip nat inside source list NAT interface FastEthernet0/0 overload
!
ip access-list extended INBOUND
 permit icmp any any echo-reply
 permit icmp any any unreachable
 permit icmp any any time-exceeded
 permit tcp any any eq 22
 permit tcp any any established
 permit udp any eq domain any
 permit udp any eq bootps any eq bootpc
ip access-list extended NAT
 permit ip 10.35.5.0 0.0.0.255 any
 permit ip 10.35.10.0 0.0.0.255 any
!
access-list 100 permit udp any eq bootpc host 255.255.255.255 eq bootps
access-list 100 permit udp host 0.0.0.0 eq bootpc host 10.35.5.1 eq bootps
access-list 100 permit udp 10.35.10.0 0.0.0.255 eq bootpc host 10.35.5.1 eq bootps
access-list 100 deny   tcp 10.35.10.0 0.0.0.255 any eq telnet
access-list 100 deny   ip 10.35.10.0 0.0.0.255 10.35.5.0 0.0.0.255
access-list 100 deny   ip 10.35.10.0 0.0.0.255 10.35.1.0 0.0.0.255
access-list 100 permit ip any any
!
control-plane
!
line con 0
 password 7 XXXX
 login
line aux 0
line vty 0 4
 login local
 transport input telnet ssh
line vty 5 15
 login local
 transport input telnet ssh
!
scheduler allocate 20000 1000
!
end


Andrew Phirsov
Level 7

Here's the typical example of how to configure easyvpn server using virtual-template interfaces:

http://www.cisco.com/en/US/customer/docs/ios-xml/ios/sec_conn_esyvpn/configuration/12-4t/sec-easy-vpn-srvr.html#GUID-DE302E14-A0A0-4DF9-BB09-AE3F7211AD83

At least look through the document to understand what you're doing if you've never done this before.

Thanks but I cannot access that link.