Re: VPN Setup Cisco Router 2821 Help

Austin54757 · ‎06-11-2020

Hey, I have a Cisco Router 2821 (Cannot replace with ASA or anything else). I'm doing a project where I'm trying to set up a client-site VPN for remote access to just one server. The networking setup I have so far is the following:

Server -> VPN Router (can add a switch between if needed)

VPN Router -> Switch (added port security etc, but unsure if the switch is best placed here or between server/VPN router)

Switch -> ISP Port

I have a public address availble and have a rough sanitized config which is attached. I can only use older versions of Cisco AnyConnect and the Cisco VPN client.

Here are my questions:

1. Is this sanitized configuration correct?

2. Is the design of the networking equipment correct?

3. Do I need to add the public address to the outside port of the VPN Router or do I make it an internal IP?

4. Do I need to do any port forwarding?

Thank you for any and all help.

Here's a rough guide I used to get started. http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/809-cisco-router-vpn-client.html

I realize this didn't cover the ISP router issue, so that's my biggest dilemma.

Francesco Molino · ‎06-11-2020

Hi

What version are you running?
I would connect the iso directly to the router interface and define an acl to deny any traffic except ipsec.
To increase security, i would add ZBF feature (https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html).
On the von config, i would increase the encryption to aes instead if 3des and increase the dh group to 14 if your IOS supports it.
Then, no need to do port forwarding as you want to access your server when connected onto VPN.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Austin54757 · ‎06-12-2020

Okay, so I did some research and found some of these links to make the sample config below.
Links:
https://www.cisco.com/c/en/us/support/docs/routers/3800-series-integrated-services-routers/112051-zbf-vpn-access-config.html
https://community.cisco.com/t5/vpn/how-to-block-all-traffic-except-vpn-traffic-and-the-traffic-from/td-p/1710127
https://www.cisco.com/c/en/us/support/docs/security/ios-firewall/98628-zone-design-guide.html#topic5

Those are some of the links I used, I believe that's what you mentioned? From what I understood I needed to get rid of all of my old policies and do traffic based ACL's (VPN traffic) instead of only allowing specific clients from the local IP Pool. Would the config below work?

service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname <RouterName>
!
boot-start-marker
boot-end-marker
!
!
aaa new-model
!
!
!

aaa authentication login default local
aaa authorization network default local
!
!
!

!
!
!

crypto isakmp policy 1
encr aes
authentication pre-share
group 2
!
crypto isakmp key <VPNKEY> address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10
!
!
!

crypto isakmp client configuration group <VPNGroup>
key <keyname>
dns 6.0.0.2 <sample>
wins 7.0.0.1 <sample>
domain cisco.com <sample>
pool dpool <sample>
acl 101
!
!

crypto isakmp profile <VPNCryptoProfile>
match identity group <VPNGroup>
isakmp authorization list default
client configuration address respond
virtual-template 2
!
!
!

crypto ipsec transform-set set esp-aes esp-sha-hmac
!
!
!

crypto ipsec profile <VPNCryptoProfile>
set transform-set <VPNTransform-Set>
set isakmp-profile <VPNCryptoProfile>
!
!
!
!
!
!
*
username cisco privilege 15 password 0 cisco – Sample user
archive
log config
hidekeys
*
!
!
!
!
class-map type inspect match-any <VPNInternetClassMap>
match protocol icmp
match protocol tcp
match protocol udp
match protocol http
match protocol https
match protocol pop3
match protocol pop3s
match protocol smtp
class-map type inspect match-all <ICMPClassMap>
match access-group name ICMP
class-map type inspect match-all <IPSECClassMap>
match access-group name ISAKMP_IPSEC
class-map type inspect match-all <SSHClassMap>
match access-group name SSHaccess
!
!

policy-map type inspect <InsideToOutsidePolicyMap>
class type inspect <VPNInternetClassMap>
inspect
class type inspect <ICMPClassMap>
inspect
class class-default
drop
policy-map type inspect <OutsideToInsidePolicyMap>
class type inspect <ICMPClassMap>
inspect
class class-default
drop
policy-map type inspect <OutOfRouterPolicyMap>
class type inspect <SSHClassMap>
inspect
class type inspect <ICMPClassMap>
inspect
class type inspect <IPSECClassMap>
pass
class class-default
drop
!
!
!

zone security inside
zone security outside
!
!
!

zone-pair security <InsideToOutside> source inside destination outside
service-policy type inspect <InsideToOutsidePolicyMap>
zone-pair security <OutOfRouter> source outside destination self
service-policy type inspect <OutOfRouterPolicyMap>
zone-pair security <OutsideToInside> source outside destination inside
service-policy type inspect <OutsideToInsidePolicyMap>
!
!
!
Interface gigabitEthernet 0/0
ip address 192.168.1.0 255.255.255.0
!

zone-member security inside
half-duplex
!
interface gigabitEthernet 0/1
ip address <WAN IP AND SUB NET>
!

zone-member security outside
speed auto
!
interface Virtual-Template2 type tunnel
ip unnumbered gigabitEthernet 0/0 (LAN PORT)
!

zone-member security outside
tunnel source gigabitEthernet 0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile <VPNCryptoProfile>
!
!
!

ip local pool dpool 192.168.1.x 192.168.1.x (Internal IP pool for clients)
!
!
!

!
ip access-list extended ICMP
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any traceroute
!
ip access-list extended ISAKMP_IPSEC
permit udp any any eq isakmp
permit ahp any any
permit esp any any
permit udp any any eq non500-isakmp
!
ip access-list extended SSHaccess
permit tcp any any eq 22
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 any
!
!
!
control-plane
!
!
!
!
!
Banner login ^C <MOTD> ^C
!
line con 0
line aux 0
line vty 0 4
access-class 1 in
exec-timeout 10 0
logging synchronous
transport input ssh
!
Scheduler allocate 10000 1000
!
end

Richard Burts · ‎06-12-2020

There are some things that are not clear to me and I would appreciate some clarification. My understanding of the original post was that this was to be a Remote Access VPN to allow a client to access a single server. What I am seeing in the revised config recently posted looks more like site to site VPN (especially with interface Virtual-Template2 type tunnel). Are we aiming for site to site or Remote Access?

If it is to be Remote Access then what client do you plan to use? There is not anything in the config about enabling AnyConnect and there is some configuration for isakmp client. Does this suggest that you are planning to use the old Cisco VPN client which used IPSEC? Or something else? The Cisco VPN client is quite old, is not supported any more, and I believe that it has problems running under several modern OS. I would think you would be better off using AnyConnect.

HTH

Rick

Austin54757 · ‎06-15-2020

My intention was to make a client-to-site VPN, from what I read cisco vpn client was the only one that would work barring some older versions of AnyConnect. This isn't a site-to-site, the clients just need to reach one server from home. Would there be other configurations I would have to make for a client-to-site AnyConnect VPN to work?

Richard Burts · ‎06-15-2020

This link has information that I hope you will find helpful about configuring AnyConnect on an IOS router.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_sslvpn/configuration/15-mt/sec-conn-sslvpn-15-mt-book/sec-conn-sslvpn-ssl-vpn.html

HTH

Rick