
brad 06-15-2007 07:09 PM

Newbie Question regarding VPN, NAT, remote VPN setup
 
Group,

I apologize in advance for not knowing more about this stuff.

But our company has 3 locations, all running windows xp; a static ip
address for each, and each has a cisco 1700 series router; There are
currently VPN tunnels set up so that each office can access the other.

This setup was created by a network consultant, who is no longer in
the picture.

I need to change the setup so a remote user, hopefully using the CISCO
VPN 4.6 client software can connect to one of the three external IP
addresses, and connect through to the internal network, hopefully with
some authentication/password prompting.

I'm tempted to ask what should I do now, at this point but, I will
ask: where can I look to learn how to do this? What terminology
should I be using?

My instinct tells me this should be super easy because everybody does
it, but I can't understand what needs to be done from the router help
files alone.

Is authentication handled at the router?
Is there separate server software that needs to run on an actual
windows box or domain server?
Once a connection and NAT to an internal address is established, what
next? how do I restrict access via Windows login?

Thanks in advance and please direct me to the appropriate place if
this is the wrong forum for this sort of topic,

Brad


Chad Mahoney 06-15-2007 07:33 PM

Re: Newbie Question regarding VPN, NAT, remote VPN setup
 
brad wrote:
> Group,
>
> I apologize in advance for not knowing more about this stuff.


No problems, people post in NG's to get help, welcome!

>
> But our company has 3 locations, all running windows xp; a static ip
> address for each, and each has a cisco 1700 series router; There are
> currently VPN tunnels set up so that each office can access the other.


Sounds good
>
> This setup was created by a network consultant, who is no longer in
> the picture.


OK

>
> I need to change the setup so a remote user, hopefully using the CISCO
> VPN 4.6 client software can connect to one of the three external IP
> addresses, and connect through to the internal network, hopefully with
> some authentication/password prompting.


Easy enough

>
> I'm tempted to ask what should I do now, at this point but, I will
> ask: where can I look to learn how to do this? What terminology
> should I be using?


You would be connecting to the router using an IPSEC VPN, this VPN is
encrypted and very secure. It is not uncommon. Go to the cisco website
click on support and look through the documentation, take a read at this:

http://cisco.com/en/US/products/hw/r...08007cfa7.html

>
> My instinct tells me this should be super easy because everybody does
> it, but I can't understand what needs to be done from the router help
> files alone.


I would not say easy, but once you get the hang of it, it becomes easier :)
>
> Is authentication handled at the router?


Could be, or you can pass authentication off to an internal RADIUS server
such as Windows IAS or *NIX platform

> Is there separate server software that needs to run on an actual
> windows box or domain server?


Does not need to be, you can create user accounts on the router itself,
but people find it easier using the same password as their login to the
network.

> Once a connection and NAT to an internal address is established, what
> next? how do I restrict access via Windows login?


You create a pool of IP addresses that the clients are given when they
connect, there does not need to be any NAT as the IP POOL is local to
the network, in most cases, I would have to see how your network is defined.

>
> Thanks in advance and please direct me to the appropriate place if
> this is the wrong forum for this sort of topic,
>
> Brad
>



What you need to ensure is that the IOS version you are running supports
VPN, I can not tell you what IOS version that would be, but you will
need to ensure the router is running it.


HTH,

Chad
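
The pieces described in the reply above (router-local or RADIUS user authentication, a client address pool, no NAT for tunnel traffic), sketched as an IOS remote-access configuration. This is an added example, not a configuration posted in the thread; every name, address and bracketed value is a placeholder, and it assumes an IOS crypto image with AES support.

```cisco
! Added example: placeholders throughout, not taken from the thread.
aaa new-model
! User (Xauth) prompt answered from accounts stored on the router
aaa authentication login VPN-XAUTH local
! Alternative: hand the prompt to an internal RADIUS server (e.g. Windows IAS)
!  radius-server host <RADIUS-SERVER-IP> key <RADIUS-SHARED-SECRET>
!  aaa authentication login VPN-XAUTH group radius local
aaa authorization network VPN-GROUP local
!
username <REMOTE-USER> secret <PER-USER-PASSWORD>
!
! Addresses handed to VPN clients: an unused range of internal space
ip local pool VPN-POOL 10.1.99.1 10.1.99.50
!
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
!
! Existing site-to-site peers must not get the user prompt:
!  crypto isakmp key <SITE-TO-SITE-KEY> address <PEER-IP> no-xauth
!
! Group name and key are entered in the VPN client profile
crypto isakmp client configuration group REMOTE-USERS
 key <GROUP-PRE-SHARED-KEY>
 pool VPN-POOL
!
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha-hmac
!
crypto dynamic-map VPN-DYN 10
 set transform-set VPN-TS
 reverse-route
!
! An interface holds one crypto map: if site-to-site tunnels already use
! one, add these lines to that map under its existing name instead.
crypto map VPN-MAP client authentication list VPN-XAUTH
crypto map VPN-MAP isakmp authorization list VPN-GROUP
crypto map VPN-MAP client configuration address respond
crypto map VPN-MAP 65535 ipsec-isakmp dynamic VPN-DYN
!
interface <OUTSIDE-INTERFACE>
 crypto map VPN-MAP
!
! If the router also NATs office traffic to the Internet, the NAT ACL
! needs a deny entry for office LAN -> VPN-POOL so replies to clients
! are not translated.
```

With no split-tunnel ACL in the client group, all client traffic is sent through the tunnel while connected, which is the safer default on untrusted networks.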

brad 06-15-2007 08:35 PM

Re: Newbie Question regarding VPN, NAT, remote VPN setup
 
Thanks Chad, that was a step in the right direction.

We don't have the VPN Series 3000 concentrator mentioned in the
documentation, but there appears to be a simultaneous client/server
setup that may work for us.

Regarding NAT, our 3 external fixed IPs are something like 69.x.x.x
and all of the internal ones 10.x.x.x. I thought NAT had to map the
incoming 69 packets to the destination 10 packets and vice versa for
outward bound packets.

My simplified use case is this:
Brad takes train to Chicago, loses thumbdrive containing important
files in the seats
Stops at starbucks or mcdonalds and connects to big-bad-internet
Turns on wireless adapter radio and fires up CISCO VPN client .exe
Points it to one of the 69 addresses at one of our offices (ideally
would like to choose ANY).
A CISCO 1700 miracle happens and suddenly I'm a 10.x.x.x address
Brad drags and drops important files to laptop, slams an egg mcmuffin
and is back on track.

Anyway, thanks again, I see there is also a website in the easyvpn doc
file that has some configuration examples.

Brad







