As network engineers, many of us spend lots of time on the road. On nights not spent working on the install, a quiet hotel room can be a great place to study. In a previous post, you learned how to configure your Cisco router for dynamic DNS. This post will show you how to configure remote access vpn on a Cisco router to access your home lab remotely.

 



 

 

Basic Cisco VPN Client Configuration

The first part covers the basic remote access vpn configuration. All traffic from your PC will be encrypted and only traffic from the PC to the home network (10.10.10.x). The PC will not have internet access. This initial configuration also assumes the router being configured is currently a basic internet router with NAT and a firewall already configured.

  • Configure a username and AAA 
  • Configure encryption parameters
  • Configured policy based NAT to disable NAT for VPN traffic
  • Configure firewall ACL to permit encryption protocols

 

—–

 

 

username josh password blindhog1@

aaa authentication login AAA-VPN local
aaa authorization network AAA-VPN local

 

ip local pool VPNALLPOOL 10.9.0.1 10.9.0.254

crypto isakmp client configuration group vpnall
  key blindhog1@
  dns 4.2.2.2
  pool VPNALLPOOL

crypto isakmp policy 1
  authentication pre-share
  encryption 3des
  hash sha
  group 2

crypto ipsec transform 3des-sha esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
  set transform-set 3des-sha

crypto map vpn 10 ipsec-isakmp dynamic dynmap
crypto map vpn client configuration address respond
crypto map vpn client authentication list AAA-VPN
crypto map vpn isakmp authorization list AAA-VPN

interface f0/1
  description *** Outside ***
  crypto map vpn

 

ip access-list extended ACL-POLICY-NAT
  deny ip 10.10.10.0 0.0.0.255 10.9.0.0 0.0.0.255
  permit ip 10.10.10.0 0.0.0.255 any

route-map RM-POLICY-NAT permit 10
  match ip address ACL-POLICY-NAT

no ip nat inside source list 10 interface f0/1 overload
ip nat inside source route-map RM-POLICY-NAT interface f0/1 overload

 

ip access-list extended acl_firewall
  11 permit esp any any
  12 permit udp any any eq 4500
  13 permit udp any any eq 500

 

 

Provide Internet access through the router

 

Providing internet access through the VPN requires a little trick. The traffic is policy routed on the outside interface … around the loopback interface, through a NAT and back out to the internet.

 

If the traffic is from a VPN client ip address and destined for a LAN address, the traffic will go unaltered.

 

If the traffic is from a VPN client ip address and destined for an IP address not on the local area network, it is policy routed to an IP address in the same subnet as the loopback interface, through the loopback interface and to the internet. It is important that the ‘ip next-hop’ command in the route-map not be the loopback interface. It must be a different IP address on the same subnet as the loopback interface.

 

An entry must also be added to the policy nat access list to NAT traffic from the VPN client.

 

—–

 

 

interface Loopback 0
  ip address 10.1.1.1 255.255.255.0
  ip nat inside

 

ip access-list extended ACL-OUTSIDE-PBR
  deny ip 10.9.0.0 0.0.0.255 10.10.10.0 0.0.0.255
  permit ip 10.9.0.0 0.0.0.255 any

route-map RM-OUTSIDE-PBR permit 10
  match ip address ACL-OUTSIDE-PBR
  set ip next-hop 10.1.1.2

interface FastEthernet 0/1
  ip policy route-map RM-OUTSIDE-PBR

 

ip access-list extended ACL-POLICY-NAT
  permit ip 10.9.0.0 0.0.0.255 any

 

Add another VPN group for split tunneling

 

On my personal internet router, I have two vpn groups. One for routing all traffic through my router and then to the internet and another for split tunneling. If you are not familiar with split tunneling … it only encrypts traffic destined for the LAN behind the VPN router. All other traffic is sent directly to the internet without encryption.  I also create two different VPN entries in my Cisco VPN client for each group so I can choose how I would like to connect easily.

 

I think it is best to use different subnets for each VPN group … one for the VPN group encrypting all traffic and another for split tunneling. The commands below add an entry to the policy-based NAT access-list to prevent NAT for traffic between the LAN and the VPN clients.

 

The ‘SPLIT-TUNNEL’ access-list defines what traffic should be encrypted. Only traffic between the VPN client ip addresses and the LAN ip addresses. The ‘ip local pool’ and client group configurations are identical to the VPN group above with the exception of the ‘acl’ command that is used to reference the ‘SPLIT-TUNNEL’ access-list.

 

—–

 

 

ip access-list extended ACL-POLICY-NAT
  9 deny 10.10.10.0 0.0.0.255 10.9.1.0 0.0.0.255

 

ip access-list extended SPLIT-TUNNEL
  permit ip 10.9.1.0 0.0.0.255 10.10.10.0 0.0.0.255

ip local pool VPNSPLITPOOL 10.9.1.1 10.9.1.254

crypto isakmp client configuration group vpnsplit
  key blindhog1@
  dns 4.2.2.2
  acl SPLIT-TUNNEL
  pool VPNSPLITPOOL

 

 

Having a home vpn router is cheap enough.  1711 vpn routers sell for as little $50. Go on ebay or contact a used cisco dealer. I use Douglas King (Myriad Supply) or Matt Freeman (Express Computer Systems). 

Disclaimer: I was not paid to endorse Douglas or Matt. They have just been very good to work with in the past.

Random Posts