Setting up VPN on 1811 router

Discussion in 'Cisco' started by googlegroups@scottsavarese.com, Nov 13, 2009.


    I have a Cisco 1811 as my router. Inside there are two VLANs: one
    for my desktops and one as a DMZ for my servers. Both VLANs use
    NAT to map the private internal IPs to the external IP address.

    I'd like to add a VPN server so that my Mac laptop and iPhone can
    access resources inside my network. I tried adding it via the web GUI,
    but connections don't work, and the GUI shows no errors that would tell
    me why.

    Attached is my running configuration. Can somebody please tell me what
    I need to add in order to set up the VPN? I'd prefer to do it from the
    IOS CLI rather than the Cisco web GUI.

    !
    ! NOTE(review): the forum wrapped the two "... by root" comments below; the
    ! stray "root" lines are paste artifacts, not commands. The same wrapping hits
    ! real commands further down (NAT and ACL lines), so this paste cannot be fed
    ! back to a router as-is.
    ! Last configuration change at 14:44:50 NewYork Thu Nov 12 2009 by
    root
    ! NVRAM config last updated at 14:08:56 NewYork Thu Nov 12 2009 by
    root
    !
    version 12.4
    no service pad
    service tcp-keepalives-in
    service tcp-keepalives-out
    service timestamps debug datetime msec localtime show-timezone
    service timestamps log datetime msec localtime show-timezone
    ! Type-7 "encryption" (the "7" strings later in the config, e.g. the wpa-psk)
    ! is reversible obfuscation, not a hash; it only keeps secrets out of casual
    ! view of the running config.
    service password-encryption
    service sequence-numbers
    !
    hostname <myhostname>
    !
    boot-start-marker
    boot-end-marker
    !
    ! Login brute-force damping: after 3 consecutive failures the router logs the
    ! event and backs off before accepting further attempts.
    security authentication failure rate 3 log
    security passwords min-length 6
    logging buffered 51200 debugging
    logging console critical
    ! NOTE(review): this type-5 (MD5-crypt) hash was posted verbatim in a public
    ! thread. MD5-crypt is fast to crack offline, so treat the enable secret as
    ! disclosed and set a new one before anything else.
    enable secret 5 $1$45Pl$xpQQD4Z2a6U1RuCAlI5h21
    !
    aaa new-model
    !
    !
    aaa authentication login default local
    aaa authorization exec default local
    ! NOTE(review): these two network-authorization lists are what the GUI's
    ! EasyVPN server wizard creates for "crypto isakmp client configuration group"
    ! stanzas, yet no such group (and no isakmp policy / transform-set / crypto
    ! map) appears anywhere in the pasted config. The wizard seems to have saved
    ! only fragments, which would explain clients failing with no visible error.
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa authorization network sdm_vpn_group_ml_2 local
    !
    aaa session-id common
    !
    resource policy
    !
    clock timezone NewYork -5
    ! NOTE(review): the DST rule is pinned to the 2003 calendar dates, so it never
    ! fires in any other year (and the US rule changed in 2007). "clock summer-time
    ! NewYork recurring" follows the current rule automatically. A wrong clock
    ! mostly skews log timestamps, but it also feeds certificate validity checks.
    clock summer-time NewYork date Apr 6 2003 2:00 Oct 26 2003 2:00
    mmi polling-interval 60
    no mmi auto-configure
    no mmi pvc
    mmi snmp-timeout 180
    ip subnet-zero
    ! Dropping source-routed packets closes a classic ACL-bypass path; keep it.
    no ip source-route
    !
    !
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 192.168.1.1 192.168.1.127
    !
    ! Both pools hand out the DMZ host 192.168.2.2 as the resolver, so LAN and
    ! wireless clients depend on the DMZ->LAN "eq domain" return permits in the
    ! vlan2-in ACL.
    ip dhcp pool sdm-pool1
    import all
    network 192.168.1.0 255.255.255.0
    default-router 192.168.1.1
    domain-name scottsavarese.com
    dns-server 192.168.2.2
    !
    ! wireless-pool serves 192.168.3.0/24 on Dot11Radio0, which is currently
    ! shut down, so this scope is inert as pasted.
    ip dhcp pool wireless-pool
    import all
    network 192.168.3.0 255.255.255.0
    default-router 192.168.3.1
    domain-name scottsavarese.com
    dns-server 192.168.2.2
    !
    !
    ip tcp synwait-time 10
    no ip bootp server
    ip domain name <mydomain>
    ip name-server 192.168.2.2
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ! DEFAULT100 is the CBAC inspection set applied outbound on FastEthernet0; it
    ! opens return paths through ACL 101 for sessions initiated from inside. It
    ! is applied on the WAN interface only, so DMZ<->LAN traffic is never
    ! inspected and is governed purely by the static vlan2-in ACL.
    ip inspect name DEFAULT100 cuseeme
    ip inspect name DEFAULT100 ftp
    ip inspect name DEFAULT100 h323
    ip inspect name DEFAULT100 icmp
    ip inspect name DEFAULT100 netshow
    ip inspect name DEFAULT100 rcmd
    ip inspect name DEFAULT100 realaudio
    ip inspect name DEFAULT100 rtsp
    ip inspect name DEFAULT100 esmtp
    ip inspect name DEFAULT100 sqlnet
    ip inspect name DEFAULT100 streamworks
    ip inspect name DEFAULT100 tftp
    ip inspect name DEFAULT100 tcp
    ip inspect name DEFAULT100 udp
    ip inspect name DEFAULT100 vdolive
    ! IPS is only configured to notify over SDEE; no "ip ips" rule is applied to
    ! any interface in the pasted config.
    no ip ips deny-action ips-interface
    ip ips notify SDEE
    !
    !
    ! Self-signed trustpoint, presumably auto-generated for "ip http
    ! secure-server"; revocation-check none is the normal setting for a
    ! self-signed certificate.
    crypto pki trustpoint TP-self-signed-4111549971
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-4111549971
    revocation-check none
    rsakeypair TP-self-signed-4111549971
    !
    !
    crypto pki certificate chain TP-self-signed-4111549971
    certificate self-signed 01
    <crypto key here>
    quit
    ! "root" is the full-privilege account the GUI logs in with. "savarese" is
    ! confined to the SDM_EasyVPN_Remote parser view (defined near the end of the
    ! config); judging by that view's command set (crypto ipsec client ezvpn
    ! connect/xauth) it is for the router acting as an EasyVPN *client*, not for a
    ! remote-access VPN user.
    username root privilege 15 secret 5 <pasword>
    username savarese privilege 0 view SDM_EasyVPN_Remote secret 5
    <password>
    !
    !
    ! These class-maps are not referenced by any policy-map in the pasted config.
    class-map match-all nbar
    class-map match-all p2p
    match protocol bittorrent
    class-map match-all voice
    !
    !
    ! NOTE(review): this is the only "crypto isakmp"/"crypto ipsec" statement in
    ! the whole paste. A remote-access IPsec server needs, at minimum, a "crypto
    ! isakmp policy", a "crypto isakmp client configuration group" (which is what
    ! the sdm_vpn_group_ml_* authorization lists are meant to serve), a "crypto
    ! ipsec transform-set", a "crypto dynamic-map" referenced from a "crypto map",
    ! and that crypto map applied on FastEthernet0. None of these are present, so
    ! the GUI wizard appears to have saved only fragments.
    crypto isakmp xauth timeout 15

    !
    !
    !
    ! Dot11Radio0 is administratively shut down, so the wireless-in ACL, the
    ! wireless-pool DHCP scope and the wireless-rmap NAT rule are all inert as
    ! pasted. NOTE(review): if it is re-enabled, WPA/TKIP (below) is a weak choice
    ! today; "encryption mode ciphers aes-ccm" with WPA2 is preferable.
    interface Dot11Radio0
    ip address 192.168.3.1 255.255.255.0
    ip access-group wireless-in in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    shutdown
    !
    encryption mode ciphers tkip
    !
    ssid <ssid>
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 7 <password>
    !
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0
    36.0 48.0 54.0
    !
    interface Dot11Radio1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    speed basic-6.0 9.0 basic-12.0 18.0 basic-24.0 36.0 48.0 54.0
    station-role root
    !
    ! WAN edge. The $...$ description tags are SDM bookkeeping markers. Ingress
    ! is filtered by ACL 101 plus uRPF; inside-initiated sessions are tracked by
    ! the DEFAULT100 inspect set. NOTE(review): no "crypto map" is applied here,
    ! so even once the ISAKMP/IPsec configuration exists, tunnels will not
    ! terminate until a crypto map is bound to this interface.
    interface FastEthernet0
    description $ES_WAN$$FW_OUTSIDE$$ETH-WAN$
    ! The secondary .2 address appears to exist only for the static NAT to
    ! 192.168.2.3:443 (ACL 101 admits 443 to .2 and denies everything else to it).
    ip address <outside-3octet>.2 255.255.255.248 secondary
    ip address <outside-3octet>.1 255.255.255.248
    ip access-group 101 in
    ip verify unicast reverse-path
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat outside
    ip inspect DEFAULT100 out
    ip virtual-reassembly
    ip route-cache flow
    duplex auto
    speed auto
    !
    interface FastEthernet1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip route-cache flow
    shutdown
    duplex auto
    speed auto
    !
    interface FastEthernet2
    shutdown
    !
    interface FastEthernet3
    shutdown
    !
    interface FastEthernet4
    shutdown
    !
    interface FastEthernet5
    description DMZ Interface
    switchport access vlan 2
    !
    interface FastEthernet6
    shutdown
    !
    interface FastEthernet7
    shutdown
    !
    ! NOTE(review): FastEthernet8 is placed in VLAN 3, but there is no "interface
    ! Vlan3" in the pasted config (and the vlan3-in ACL is unused), so a host on
    ! this port has no gateway.
    interface FastEthernet8
    switchport access vlan 3
    !
    interface FastEthernet9
    description LAN Interface
    !
    ! Inside LAN. ACL 100 is an anti-spoofing filter on the sources LAN hosts may
    ! claim.
    interface Vlan1
    description Inside LAN
    ip address 192.168.1.1 255.255.255.0
    ip access-group 100 in
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    ip nat inside
    ip virtual-reassembly
    ip route-cache flow
    ip tcp adjust-mss 1452
    !
    ! DMZ. NOTE(review): unlike Vlan1 this interface has no "no ip redirects /
    ! unreachables / proxy-arp", no inspect and no uRPF; DMZ->LAN reachability is
    ! decided entirely by the vlan2-in ACL (see the note on that ACL).
    interface Vlan2
    description Inside DMZ
    ip address 192.168.2.1 255.255.255.0
    ip access-group vlan2-in in
    ip nat inside
    ip virtual-reassembly
    !
    interface Async1
    no ip address
    no ip redirects
    no ip unreachables
    no ip proxy-arp
    shutdown
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 <outside-3octet>.6 permanent
    !
    !
    ! NOTE(review): the cleartext "ip http server" is enabled alongside the secure
    ! one, and no "ip http access-class" limits which sources may reach either.
    ! From the WAN, TCP/80 and TCP/443 to .1 should be diverted to 192.168.2.2 by
    ! the static NAT entries below before the router's own listener sees them, so
    ! the management UI is effectively reachable from the inside VLANs only. If
    ! the GUI stays in use, prefer dropping the cleartext server and adding an
    ! access-class anyway.
    ip http server
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 5 life 86400 requests 10000
    ! NOTE(review): the forum wrapped most of the NAT lines below ("overload",
    ! "53", "FastEthernet0 993" ...); each such pair is one command in the real
    ! config. PAT rules are selected per source via route-maps; the static port
    ! forwards publish the DMZ host 192.168.2.2, plus 192.168.2.3:443 through the
    ! secondary .2 address.
    ip nat inside source route-map wireless-rmap interface FastEthernet0
    overload
    ! NOTE(review): 192.168.2.2 is also the resolver every inside client uses.
    ! Publishing its TCP/UDP 53 to the Internet is safe only if it refuses
    ! recursion for outside sources; otherwise it is an open resolver that can be
    ! abused for reflection. Confirm its recursion ACL.
    ip nat inside source static udp 192.168.2.2 53 interface FastEthernet0
    53
    ip nat inside source static tcp 192.168.2.2 53 interface FastEthernet0
    53
    ip nat inside source static tcp 192.168.2.2 993 interface
    FastEthernet0 993
    ip nat inside source static tcp 192.168.2.2 465 interface
    FastEthernet0 465
    ip nat inside source static tcp 192.168.2.2 443 interface
    FastEthernet0 443
    ip nat inside source static tcp 192.168.2.2 25 interface FastEthernet0
    25
    ip nat inside source route-map SDM_RMAP_1 interface FastEthernet0
    overload
    ip nat inside source route-map SDM_RMAP_2 interface FastEthernet0
    overload
    ip nat inside source static tcp 192.168.2.2 80 interface FastEthernet0
    80
    ip nat inside source static tcp 192.168.2.2 8080 interface
    FastEthernet0 8080
    ip nat inside source static tcp 192.168.2.2 587 interface
    FastEthernet0 587
    ip nat inside source static tcp 192.168.2.3 443 <outside-3octet>.2 443
    extendable
    !
    ! Inbound on Vlan2 (DMZ). The "eq <port>" sits on the *source* side, i.e.
    ! these permits are meant to let the DMZ servers answer sessions that LAN
    ! hosts opened. NOTE(review): a source-port match is not connection state; it
    ! equally lets a DMZ host originate traffic into 192.168.1.0/24 from one of
    ! these ports. Because nothing inspects Vlan2, the TCP lines would be tighter
    ! with the "established" keyword, or replaced by an "ip inspect" rule on
    ! Vlan2; the UDP lines (5060/4569/5036/2727/10000-20000, VoIP-looking) cannot
    ! use established and are the main reason to prefer inspection.
    ip access-list extended vlan2-in
    permit tcp 192.168.2.0 0.0.0.255 eq 22 192.168.1.0 0.0.0.255
    permit tcp 192.168.2.0 0.0.0.255 eq 22 host 192.168.2.1
    permit tcp 192.168.2.0 0.0.0.255 eq smtp 192.168.1.0 0.0.0.255
    permit udp host 192.168.2.2 eq domain 192.168.0.0 0.0.255.255
    permit tcp host 192.168.2.2 eq domain 192.168.0.0 0.0.255.255
    permit tcp 192.168.2.0 0.0.0.255 eq 443 192.168.1.0 0.0.0.255
    permit tcp 192.168.2.0 0.0.0.255 eq www 192.168.1.0 0.0.0.255
    permit tcp 192.168.2.0 0.0.0.255 eq 465 192.168.1.0 0.0.0.255
    permit tcp 192.168.2.0 0.0.0.255 eq 993 192.168.1.0 0.0.0.255
    permit udp 192.168.2.0 0.0.0.255 eq 5060 192.168.1.0 0.0.0.255
    permit udp 192.168.2.0 0.0.0.255 eq 4569 192.168.1.0 0.0.0.255
    permit udp 192.168.2.0 0.0.0.255 eq 5036 192.168.1.0 0.0.0.255
    permit udp 192.168.2.0 0.0.0.255 range 10000 20000 192.168.1.0
    0.0.0.255
    permit udp 192.168.2.0 0.0.0.255 eq 2727 192.168.1.0 0.0.0.255
    ! Everything else from the DMZ toward any 192.168/16 network is dropped, then
    ! the usual anti-spoof denies, then the DMZ may reach the Internet.
    deny ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.255.255
    deny ip <outside-3octet>.0 0.0.0.7 any
    deny ip host 255.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    permit ip any any
    ! Not applied to any interface in the pasted config (there is no interface
    ! Vlan3).
    ip access-list extended vlan3-in
    permit ip any any
    ! Inbound on Dot11Radio0 (currently shut down): wireless clients are kept off
    ! the LAN but may reach the DMZ and the Internet.
    ip access-list extended wireless-in
    deny ip <outside-3octet>.0 0.0.0.7 any
    deny ip host 255.255.255.255 any
    deny ip 127.0.0.0 0.255.255.255 any
    deny ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255
    permit ip any any
    ! Selects wireless sources for the wireless-rmap NAT overload rule.
    ip access-list extended wireless-ips
    permit ip 192.168.3.0 0.0.0.255 any
    !
    logging trap debugging
    ! ACLs 1 and 2 carry SDM category remarks but are not referenced anywhere in
    ! the pasted config (the NAT route-maps use 102/103 and wireless-ips).
    access-list 1 remark INSIDE_IF=Vlan1
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 192.168.1.0 0.0.0.255
    access-list 2 remark SDM_ACL Category=2
    access-list 2 permit 192.168.2.0 0.0.0.255
    ! ACL 100: inbound on Vlan1; rejects packets claiming a WAN, broadcast or
    ! loopback source, then lets the LAN out. (The remark line was wrapped by the
    ! forum.)
    access-list 100 remark auto-generated by Cisco SDM Express firewall
    configuration
    access-list 100 remark SDM_ACL Category=1
    access-list 100 deny ip <outside-3octet>.0 0.0.0.7 any
    access-list 100 deny ip host 255.255.255.255 any
    access-list 100 deny ip 127.0.0.0 0.255.255.255 any
    access-list 100 permit ip any any
    ! ACL 101: inbound on FastEthernet0 (WAN). Return traffic for inside-initiated
    ! sessions is admitted dynamically by the DEFAULT100 inspect set; the static
    ! permits here cover NTP replies from the three configured servers and the
    ! DMZ services published via static NAT. Several lines below were wrapped by
    ! the forum ("<outside-3octet>.1 eq ntp", "isakmp").
    access-list 101 permit udp host 64.73.32.134 eq ntp host
    <outside-3octet>.1 eq ntp
    access-list 101 permit udp host 66.96.96.29 eq ntp host
    <outside-3octet>.1 eq ntp
    access-list 101 permit udp host 132.160.49.93 eq ntp host
    <outside-3octet>.1 eq ntp
    access-list 101 permit udp any host <outside-3octet>.1 eq domain
    access-list 101 permit tcp any host <outside-3octet>.1 eq domain
    access-list 101 permit tcp any host <outside-3octet>.1 eq 993
    access-list 101 permit tcp any host <outside-3octet>.1 eq 465
    access-list 101 permit tcp any host <outside-3octet>.1 eq 587
    access-list 101 permit tcp any host <outside-3octet>.1 eq 443
    access-list 101 permit tcp any host <outside-3octet>.1 eq www
    access-list 101 permit tcp any host <outside-3octet>.1 eq smtp
    ! AH, ESP, ISAKMP (UDP/500) and NAT-T (UDP/4500) are already admitted to the
    ! primary address, so the firewall side is ready for IPsec; only the crypto
    ! configuration itself is missing from the paste.
    access-list 101 permit ahp any host <outside-3octet>.1
    access-list 101 permit esp any host <outside-3octet>.1
    access-list 101 permit udp any host <outside-3octet>.1 eq isakmp
    access-list 101 permit udp any host <outside-3octet>.1 eq non500-
    isakmp
    access-list 101 permit tcp any host <outside-3octet>.2 eq 443
    access-list 101 deny ip any host <outside-3octet>.2
    ! Ingress anti-spoofing: private, loopback, broadcast and unspecified sources
    ! are dropped; the trailing explicit deny duplicates the implicit one but
    ! makes the drop visible in the ACL hit counters.
    access-list 101 deny ip 192.168.1.0 0.0.0.255 any
    access-list 101 deny ip 10.0.0.0 0.255.255.255 any
    access-list 101 deny ip 172.16.0.0 0.15.255.255 any
    access-list 101 deny ip 192.168.0.0 0.0.255.255 any
    access-list 101 deny ip 127.0.0.0 0.255.255.255 any
    access-list 101 deny ip host 255.255.255.255 any
    access-list 101 deny ip host 0.0.0.0 any
    access-list 101 deny ip any any
    ! 102/103 select LAN and DMZ sources for the two PAT route-maps below.
    access-list 102 permit ip 192.168.1.0 0.0.0.255 any
    access-list 103 permit ip 192.168.2.0 0.0.0.255 any
    no cdp run
    !
    route-map wireless-rmap permit 1
    match ip address wireless-ips
    !
    route-map SDM_RMAP_1 permit 1
    match ip address 102
    !
    route-map SDM_RMAP_2 permit 1
    match ip address 103
    !
    !
    !
    !
    control-plane
    !
    ! NOTE(review): the banner's delimiter characters did not survive the paste
    ! (SDM normally uses Ctrl-C); the blank lines below are part of the banner
    ! text as shown.
    banner login Authorized access only!
    Disconnect IMMEDIATELY if you are not an authorized user!



    !
    ! Console and aux only allow *outbound* telnet; inbound login on every line
    ! is governed by the default local AAA list.
    line con 0
    transport output telnet
    ! NOTE(review): "modem InOut" permits incoming calls on line 1. If a modem is
    ! attached this is a second, out-of-band path into the router; confirm that
    ! is intended.
    line 1
    modem InOut
    stopbits 1
    speed 115200
    flowcontrol hardware
    line aux 0
    transport output telnet
    ! vty lines are SSH-only. There is no "access-class", but ACL 101 never
    ! permits TCP/22 to .1, so SSH from the WAN is already refused at the
    ! interface; an access-class would add defence in depth for the inside VLANs.
    line vty 0 4
    transport input ssh
    line vty 5 14
    transport input ssh
    line vty 15
    transport input ssh
    ! Command view for the "savarese" user. The duplicated "Last configuration
    ! change" comments inside it are a paste artifact. The included commands
    ! (crypto ipsec client ezvpn connect/xauth) are the EasyVPN *Remote* client
    ! controls; the view also grants "configure terminal", "write memory" and
    ! "all show", which is broad for an otherwise privilege-0 account.
    parser view SDM_EasyVPN_Remote
    secret 5 <password>
    ! Last configuration change at 14:44:50 NewYork Thu Nov 12 2009 by
    root
    ! NVRAM config last updated at 14:08:56 NewYork Thu Nov 12 2009 by
    root
    !
    ! Last configuration change at 14:44:50 NewYork Thu Nov 12 2009 by
    root
    ! NVRAM config last updated at 14:08:56 NewYork Thu Nov 12 2009 by
    root
    !
    commands interface include all crypto
    commands interface include all no crypto
    commands interface include no
    commands configure include end
    commands configure include all access-list
    commands configure include all interface
    commands configure include all crypto
    commands configure include ip
    commands configure include no end
    commands configure include all no access-list
    commands configure include all no interface
    commands configure include all no crypto
    commands configure include no ip
    commands configure include no
    commands exec include dir all-filesystems
    commands exec include dir
    commands exec include crypto ipsec client ezvpn connect
    commands exec include crypto ipsec client ezvpn xauth
    commands exec include crypto ipsec client ezvpn
    commands exec include crypto ipsec client
    commands exec include crypto ipsec
    commands exec include crypto
    commands exec include write memory
    commands exec include write
    commands exec include all ping ip
    commands exec include ping
    commands exec include configure terminal
    commands exec include configure
    commands exec include all show
    commands exec include no
    commands exec include all debug appfw
    commands exec include debug
    commands exec include all clear
    !
    !
    scheduler allocate 4000 1000
    scheduler interval 500
    ! "ntp clock-period" is written by the router itself; do not set it by hand.
    ! NOTE(review): NTP is unauthenticated; ACL 101 only narrows replies to the
    ! three configured servers. "ntp authenticate" with keys would be the
    ! stricter setup.
    ntp clock-period 17180139
    ntp update-calendar
    ntp server 64.73.32.134 source FastEthernet0
    ntp server 132.160.49.93 source FastEthernet0
    ntp server 66.96.96.29 source FastEthernet0
    end


    Thanks,
    Scott
     