Cisco 1811 router - remote user VPN and firewall

Discussion in 'Internet, Connectivity and Communications' started by Beerbaron, Feb 20, 2013.

  1. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
I have been asked by work to configure a Cisco 1811 integrated router for remote user VPN access to the office and set up a firewall. Firstly, is this even doable with very basic Cisco configuration knowledge? This is a small office in a larger building where the internet is supplied to the whole building by a 3rd party company. All we have access to is a patch panel in our office, no physical network equipment.

So far I have gained access via the console port and reset to factory default (this was acquired from another company). This is where it starts to get difficult.

I have to decide whether this project is doable or whether I should look at other alternatives. Maybe something with boxes to tick rather than command line :oops:


    Thanks.
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
  2. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    276
    2
    49
    You might be able to use the SDM to configure the VPN but first you need to know if this is a remote access VPN or a site to site VPN?

I've not configured a Cisco VPN but have done many on Checkpoint and Juniper and the principles are the same.

It's not a simple thing to configure, and you would probably be better off with an ASA as I think this has a good GUI for viewing policies etc...

(assuming it's a site to site VPN - policy based)
1. Configure the remote gateway to use the same Phase 1 and Phase 2 proposal (same encryption) so you don't get any errors when the router/firewall tries to decrypt the packet.

    2. Set a policy to allow packets to enter the network from the remote site and back again.

    3. Use a preshared key / secret (this will need to be the same on both sites for authentication)

    4. Add the networks that you are wanting packets to be encrypted to the Encryption Domain.

    You should at this point see the VPN come up and try running a few pings across to the remote site. For detailed commands I would use a Cisco step by step guide.

It's not an easy matter to grasp, and especially not on a router; you would probably be better off with a firewall.

    Hope this helps.
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
  3. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    Thanks for your reply.

    This will be for remote users to access the test servers we currently have in the office.
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
  4. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    276
    2
    49
Ok so does that mean the remote users are going to be connecting from their home machines, or are the remote users in an office, let's say?
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
  5. danielno8

    danielno8 Gigabyte Poster

    1,306
    49
    92
My understanding of this is you want to supply remote access to your internal network, via the internet, using your Cisco 1811 router, with clients connecting using the Cisco software VPN client on their PCs?

A couple of points need clarifying:

Your office sounds like a serviced office, i.e. you rent your services from the building owner/manager, such as desk space, rack space, Internet service etc... Is this correct? If so, you will need to engage the company and find out how your internet service is currently provisioned (how does your current network look? Any diagrams?). In terms of what you need for the VPN, you will need a public IP, with a connection into their external DMZ from your Cisco router... or a public IP which they will NAT to an internal IP for you, which you will assign to the router. This public IP will be what your clients use to connect to you. You may also want to arrange a DNS service for this.

    This Cisco will also need to have a secure image (k9) in order to do the IPSec stuff.

The configuration of the 1811 will be easy enough; first things first will be to confirm the router image and engage your service provider.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  6. cisco lab rat

    cisco lab rat Megabyte Poster

    679
    88
    116
    Step 1: Enable authentication, authorization and accounting (AAA) for user authentication and group authorization.

    R1(config)# aaa new-model


    Step 2: Create a local username and password that your remote users will use to authenticate.

    R1(config)# username user1 password pass1


Step 3: In order to enable extended authentication (Xauth) for user authentication, enable the aaa authentication commands. "local" specifies that user authentication uses the local database.

    R1(config)# aaa authentication login AAA-VPN local



    Step 4: In order to enable group authorization, enable the aaa authorization commands.

    R1(config)# aaa authorization network AAA-VPN local


Step 5: Create an IP pool of addresses. This pool of addresses will be used to assign addresses to remote clients.

    R1(config)# ip local pool REMOTE-VPN-POOL "START OF POOL" "END OF POOL"


    Step 6: Create a group that will be used to specify the Domain Naming Service (DNS) server addresses to the client, along with the pre-shared key for authentication.

    R1(config)# crypto isakmp client configuration group VPN-GROUP
    R1(config-isakmp-group)# key GROUP-PASS
    R1(config-isakmp-group)# dns 8.8.8.8
    R1(config-isakmp-group)# pool REMOTE-VPN-POOL
    R1(config-isakmp-group)# exit


    Step 7: Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.

    R1(config)# crypto isakmp policy 1
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption 3des
    R1(config-isakmp)# hash sha
    R1(config-isakmp)# group 2
    R1(config-isakmp)# exit


    Step 8: Create the Phase 2 policy for actual data encryption.

R1(config)# crypto ipsec transform-set TRANSFORM-SET esp-3des esp-sha-hmac


    Step 9: Create a dynamic map and apply the transform set that was created.

    R1(config)# crypto dynamic-map dynmap 10
    R1(config-crypto-map)# set transform-set TRANSFORM-SET
    R1(config-crypto-map)# reverse-route
    R1(config-crypto-map)# exit


    Step 10: Create the actual crypto map, and apply the AAA lists that were created earlier.


    R1(config)# crypto map vpn 10 ipsec-isakmp dynamic dynmap
    R1(config)# crypto map vpn client configuration address respond
    R1(config)# crypto map vpn client authentication list AAA-VPN
    R1(config)# crypto map vpn isakmp authorization list AAA-VPN

    Step 11: Apply the crypto map on the outside interface.

    R1(config)# int fas 0/0
    R1(config-if)# crypto map vpn
    %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    R1(config-if)# exit

Step 12: Go to the client, open the Cisco VPN Client, enter the group name and the IP address of the outside interface, and away you go. TWEAK AS YOU NEED.
     
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
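The two checks a reviewer would want to run over configs like the ones in this thread are (a) BraderzTheDog's step 1, confirming that both ends of a site-to-site tunnel share a Phase 1 policy and a Phase 2 transform set, and (b) a quick audit of a remote-access config of the kind cisco lab rat posted: are the ISAKMP/IPsec algorithms still acceptable, is the local user stored as a reversible `password` rather than a `secret`, and does the Internet-facing interface that carries the crypto map also carry an inbound access list (the "firewall" half of the original question). The script below is an added example and is not code from this thread or from Cisco; the config excerpts are constructed for the demo (the interface, addresses and ACL name are assumptions), and the "weak" thresholds (DES/3DES, MD5/SHA-1, DH groups 1/2/5) are the author's choice, not an IOS setting.

```python
"""Audit helpers for IOS crypto configs: proposal matching between two
site-to-site peers, and a review of a remote-access (Easy VPN) config.
Added example, not from the thread; all sample configs are constructed."""
import re

# Constructed sample: the remote-access config posted in the thread, with
# an assumed outside interface added so the firewall check has something to inspect.
SAMPLE_RA_CONFIG = """
aaa new-model
username user1 password pass1
aaa authentication login AAA-VPN local
aaa authorization network AAA-VPN local
ip local pool REMOTE-VPN-POOL 192.0.2.100 192.0.2.120
crypto isakmp client configuration group VPN-GROUP
 key GROUP-PASS
 dns 8.8.8.8
 pool REMOTE-VPN-POOL
crypto isakmp policy 1
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto ipsec transform-set TRANSFORM-SET esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set TRANSFORM-SET
 reverse-route
crypto map vpn 10 ipsec-isakmp dynamic dynmap
crypto map vpn client configuration address respond
crypto map vpn client authentication list AAA-VPN
crypto map vpn isakmp authorization list AAA-VPN
interface FastEthernet0
 ip address 203.0.113.2 255.255.255.0
 crypto map vpn
"""

# Constructed hardened variant: AES-256/SHA-256/DH14, 'secret' credential,
# and an inbound ACL (name assumed) on the outside interface.
HARDENED_CONFIG = """
aaa new-model
username user1 secret pass1
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
crypto ipsec transform-set STRONG esp-aes 256 esp-sha256-hmac
crypto map vpn 10 ipsec-isakmp dynamic dynmap
interface FastEthernet0
 ip access-group OUTSIDE-IN in
 crypto map vpn
"""

# Constructed site-to-site peers: B still offers a legacy proposal, A does not.
SITE_A_CONFIG = """
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
crypto ipsec transform-set SITE-TS esp-aes 256 esp-sha256-hmac
"""
SITE_B_CONFIG = """
crypto isakmp policy 5
 authentication pre-share
 encryption 3des
 hash sha
 group 2
crypto isakmp policy 10
 authentication pre-share
 encryption aes 256
 hash sha256
 group 14
crypto ipsec transform-set OTHER-TS esp-aes 256 esp-sha256-hmac
crypto ipsec transform-set LEGACY esp-3des esp-sha-hmac
"""

WEAK_ENC, WEAK_HASH, WEAK_DH = {"des", "3des"}, {"md5", "sha"}, {"1", "2", "5"}
WEAK_TRANSFORMS = {"esp-des", "esp-3des", "esp-md5-hmac"}


def parse_blocks(config):
    """Group an IOS config into (top-level line, [indented sub-lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def isakmp_policies(config):
    """Phase 1 policies keyed by number; unset attributes take the IOS defaults."""
    policies = {}
    for header, body in parse_blocks(config):
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if not m:
            continue
        attrs = {"encryption": "des", "hash": "sha", "group": "1", "authentication": "rsa-sig"}
        for line in body:
            key, _, value = line.partition(" ")
            if key in attrs:
                attrs[key] = value
        policies[int(m.group(1))] = attrs
    return policies


def transform_sets(config):
    """Phase 2 transform sets as name -> frozenset of transform tokens."""
    return {m.group(1): frozenset(m.group(2).split())
            for header, _ in parse_blocks(config)
            if (m := re.match(r"crypto ipsec transform-set (\S+) (.+)$", header))}


def proposal_match(cfg_a, cfg_b):
    """Phase 1 policies and Phase 2 transform sets both peers can agree on."""
    p1 = [p for p in isakmp_policies(cfg_a).values() if p in isakmp_policies(cfg_b).values()]
    p2 = set(transform_sets(cfg_a).values()) & set(transform_sets(cfg_b).values())
    return p1, p2


def audit(config):
    """Findings for a remote-access config: weak crypto, reversible credential, no inbound ACL."""
    findings = []
    for num, p in isakmp_policies(config).items():
        for attr, weak in (("encryption", WEAK_ENC), ("hash", WEAK_HASH), ("group", WEAK_DH)):
            if p[attr] in weak:
                findings.append(f"isakmp policy {num}: weak {attr} {p[attr]}")
    for name, ts in transform_sets(config).items():
        if ts & WEAK_TRANSFORMS:
            findings.append(f"transform-set {name}: weak transform(s) {sorted(ts & WEAK_TRANSFORMS)}")
    for header, body in parse_blocks(config):
        if re.match(r"username \S+ password ", header):
            findings.append(f"user {header.split()[1]}: reversible 'password'; use 'username ... secret'")
        if header.startswith("interface "):
            has_map = any(l.startswith("crypto map ") for l in body)
            has_acl = any(l.startswith("ip access-group ") and l.endswith(" in") for l in body)
            if has_map and not has_acl:
                findings.append(f"{header}: crypto map applied but no inbound ip access-group")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_RA_CONFIG):
        print("FINDING:", f)
    print("hardened findings:", audit(HARDENED_CONFIG))
    print("site-to-site common proposals:", proposal_match(SITE_A_CONFIG, SITE_B_CONFIG))
```

Run as-is it prints six findings for the thread's config and none for the hardened variant; `proposal_match` reports the single Phase 1 policy and transform set the two constructed peers have in common, which is exactly what step 1 of the site-to-site list asks you to verify before looking at anything else.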
  7. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    Users will connect from home or wherever they need access from. Every user in my office has a MacBook.

    I have the contact details of the server provider so that's not a problem.

Cisco lab rat, thanks for the commands. I have been reading through something similar online but wasn't 100% sure what I was doing.

    Do you have to install the Cisco VPN client to connect to this type of VPN?

    Code:
    Router>show version
    Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Fri 03-Sep-10 13:34 by prod_rel_team
    
    ROM: System Bootstrap, Version 12.3(8r)YH13, RELEASE SOFTWARE (fc1)
    
    Router uptime is 3 minutes
    System returned to ROM by power-on
    System image file is "flash:c181x-advipservicesk9-mz.124-24.T4.bin"
    
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
  8. danielno8

    danielno8 Gigabyte Poster

    1,306
    49
    92
Ok so your router supports IPSec. Yes, you will need to install the Cisco VPN client on the computers you want to VPN in from.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  9. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    Is it worth updating the IOS software version first?

This is the back (not my actual one but same model) of the router. Going back to basics here, I should connect the internet line into our office into one of the FE ports and then connect a switch port from the router to a switch to connect it into our network. Our network consists of one unmanaged switch and an Apple Airport for the DHCP and wireless.


[image: rear panel of a Cisco 1811 router]
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
  10. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    The plot thickens.....

Looks like a Cisco 2911 integrated services router is going to be purchased for our other office due to the bandwidth limitations. This would likely lead to setting up a site to site VPN between the Cisco 1811 and the 2911 routers. Is this possible?


    Thanks.
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
