1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Cisco 1811 router - remote user VPN and firewall

Discussion in 'Internet, Connectivity and Communications' started by Beerbaron, Feb 20, 2013.

  1. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    I have been asked by work to configure a Cisco 1811 integrated router for remote user VPN access to the office and setup a firewall. Firstly, is this even doable with a very basic Cisco configuration knowledge? This is a small office in a larger building where the internet is supplied to the whole building by a 3rd party company. As far as we have access to is a patch panel in our office, no physical network equipment.

    So far i have gained access via the console port and reset to factory default (this was acquired from another company). This is where is starts to get difficult.

    I have to decide if this project is doable or that i look at other alternatives. Maybe something with boxes to tick rather than command line :oops:


    Thanks.
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
  2. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    276
    2
    49
    You might be able to use the SDM to configure the VPN but first you need to know if this is a remote access VPN or a site to site VPN?

    I've not configured a Cisco VPN but have done many on Checkpoint and Juniper and the principals are the same.

    Its not a simple thing to configure, and you would probably be better off with an ASA as I think this has a good GUI for viewing policies etc...

    (assuming its site to site VPN - Policy based)
    1. Configure the remote gateway to use the same Phase 1 and Phase 2 proposal (same encryption) so you don't get any errors when the router/firewall tried to decrypt the packet.

    2. Set a policy to allow packets to enter the network from the remote site and back again.

    3. Use a preshared key / secret (this will need to be the same on both sites for authentication)

    4. Add the networks that you are wanting packets to be encrypted to the Encryption Domain.

    You should at this point see the VPN come up and try running a few pings across to the remote site. For detailed commands I would use a Cisco step by step guide.

    Its not an easy matter to grasp and especially not on a router, you would probably be better off with a firewall.

    Hope this helps.
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
  3. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    Thanks for your reply.

    This will be for remote users to access the test servers we currently have in the office.
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
  4. BraderzTheDog

    BraderzTheDog Kilobyte Poster

    276
    2
    49
    Ok so does that mean the remote users are going to be connecting from their home machines, or are the remote users in an office lets say?
     
    Certifications: CCNA R&S, CCNA-SEC, CCSA, JNCIA FWV, MCITP, MCTS, MTA, A+
  5. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    My understanding of this is your want to supply remote access to your internal network, via the internet, using your Cisco 1811 router? With client connecting using the Cisco software VPN client on their PC's?

    Couple of points needing clarified:

    Your office sounds like a serviced office i.e. you rent your services from the building owner/manager, such as desk space, rack space, Internet service etc...Is this correct? If so, you will need to engage the company and find out how your internet service is provisioned currently..(how does your current network look? Any diagrams?). In terms of what you need for the VPN, you will need a public IP, with a connection into their external DMZ from your Cisco router.......or a public IP which they will NAT to an internal IP for you, which you will assign to the router. This Public IP will be what your clients use to connect to you. You may also want to arrange a DNS service for this.

    This Cisco will also need to have a secure image (k9) in order to do the IPSec stuff.

    The configuration of the 1811 will be easy enough, first things first will be to confirm the router image and engage you service provider.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  6. cisco lab rat

    cisco lab rat Megabyte Poster

    660
    62
    116
    Step 1: Enable authentication, authorization and accounting (AAA) for user authentication and group authorization.

    R1(config)# aaa new-model


    Step 2: Create a local username and password that your remote users will use to authenticate.

    R1(config)# username user1 password pass1


    Step 3: In order to enable extended authentication (Xauth) for user authentication, enable the aaa authentication commands. local specifies user authentication to use local database

    R1(config)# aaa authentication login AAA-VPN local



    Step 4: In order to enable group authorization, enable the aaa authorization commands.

    R1(config)# aaa authorization network AAA-VPN local


    Step 5: Create an IP Pool of address. These pool of addresses will be used to assigned addresses to remote clients

    R1(config)# ip local pool REMOTE-VPN-POOL "START OF POOL" "END OF POOL"


    Step 6: Create a group that will be used to specify the Domain Naming Service (DNS) server addresses to the client, along with the pre-shared key for authentication.

    R1(config)# crypto isakmp client configuration group VPN-GROUP
    R1(config-isakmp-group)# key GROUP-PASS
    R1(config-isakmp-group)# dns 8.8.8.8
    R1(config-isakmp-group)# pool REMOTE-VPN-POOL
    R1(config-isakmp-group)# exit


    Step 7: Create an Internet Security Association and Key Management Protocol (ISAKMP) policy for Phase 1 negotiations.

    R1(config)# crypto isakmp policy 1
    R1(config-isakmp)# authentication pre-share
    R1(config-isakmp)# encryption 3des
    R1(config-isakmp)# hash sha
    R1(config-isakmp)# group 2
    R1(config-isakmp)# exit


    Step 8: Create the Phase 2 policy for actual data encryption.

    R1(config)# crypto ipsec transform TRANSFORM-SET esp-3des esp-sha-hmac


    Step 9: Create a dynamic map and apply the transform set that was created.

    R1(config)# crypto dynamic-map dynmap 10
    R1(config-crypto-map)# set transform-set TRANSFORM-SET
    R1(config-crypto-map)# reverse-route
    R1(config-crypto-map)# exit


    Step 10: Create the actual crypto map, and apply the AAA lists that were created earlier.


    R1(config)# crypto map vpn 10 ipsec-isakmp dynamic dynmap
    R1(config)# crypto map vpn client configuration address respond
    R1(config)# crypto map vpn client authentication list AAA-VPN
    R1(config)# crypto map vpn isakmp authorization list AAA-VPN

    Step 11: Apply the crypto map on the outside interface.

    R1(config)# int fas 0/0
    R1(config-if)# crypto map vpn
    %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is ON
    R1(config-if)# exit

    Step 12: Go to the CLIENT open the Cisco VPN Client, Enter the Group Name, IP address of the outside and away you, TWEAK AS YOU NEED
     
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  7. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    Users will connect from home or wherever they need access from. Every user in my office has a MacBook.

    I have the contact details of the server provider so that's not a problem.

    Cisco lab rat, thanks for the commands. I have been reading through something similar online but wasnt 100% sure what i was doing.

    Do you have to install the Cisco VPN client to connect to this type of VPN?

    Code:
    Router>show version
    Cisco IOS Software, C181X Software (C181X-ADVIPSERVICESK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2010 by Cisco Systems, Inc.
    Compiled Fri 03-Sep-10 13:34 by prod_rel_team
    
    ROM: System Bootstrap, Version 12.3(8r)YH13, RELEASE SOFTWARE (fc1)
    
    Router uptime is 3 minutes
    System returned to ROM by power-on
    System image file is "flash:c181x-advipservicesk9-mz.124-24.T4.bin"
    
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
  8. danielno8

    danielno8 Gigabyte Poster

    1,305
    48
    92
    Ok so your router support IPSec. Yes you will need to install the Cisco VPN client on the computers you want to VPN in from.
     
    Certifications: CCENT, CCNA
    WIP: CCNP
  9. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    Is it worth updating the IOS software version first?

    This is the back (not my actual one but same model) of the router. Going back to basics here, i should connect the internet line into our office into one of the FE ports and then connect a switch port from the router to a switch to connect it into our network. Our network consists of one unmanaged switch and an Apple Airport for the DHCP and wireless.


    [​IMG]
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP
  10. Beerbaron

    Beerbaron Megabyte Poster

    545
    9
    76
    The plot thickens.....

    Looks like a Cisco 2911 integrated services router is going to be purchased for our other office due to the bandwidth limitations. This would likely lead to setting up a site to site VPN between the cisco 1811 and the 2911 routers. Is this possible?


    Thanks.
     
    Certifications: BSc (Hons), MSc, ITIL v3F, MCP, MCDST, MCITP: edst7, MCTS, MCSA: Server 2003, MCSA: Windows 7, N+, NVQ IT lvl 3, MCSA Windows 7, VCP5, CCENT, CEH
    WIP: CISSP

Share This Page

Loading...