Sunday, December 11, 2011

VPN remote-access into a Cisco IOS router.

One of the things I think is cool is that you dont necessarily need a firewall to do VPN remote-access.  You can do this with a Cisco router just as well.  This is really good if you have a Cisco router laying around not being used for anything.  Lets look at the configuration for this. 
This was on a 1841 Cisco router.  Lets first define what we will NAT and what we will not NAT.  The deny statements are what you do NOT want to NAT.  The permit statements DO NAT.
access-list 111 deny ip
access-list 111 deny ip
access-list 111 deny ip
access-list 111 deny ip
access-list 111 permit ip any any

Now, lets make an ACL that will do the encryption.  Source and Destination.  Notice that in both of these ACLs, the subnet mask is backwards.  It can be a little confusing, but its just the way the IOS is.
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip
access-list 101 permit ip

Now, the DHCP pool for the Cisco remote-access clients:
ip local pool ippool

The NAT statement on what to NAT.  Place this on the external interface:
ip nat inside source list 111 interface FastEthernet1/0 overload

Lets tell the router to use local authentication:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local

Create a username and password for local authentication:
username tech password passwordstring

Configure Phase I:
crypto isakmp policy 3
 encr aes-256
hash sha
 authentication pre-share
 group 2

Create Phase II:
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

Configure the group, pcf password, DNS name, DHCP pool to use, and the encryption ACL to use:
crypto isakmp client configuration group vpnclient
 key companypassword
pool ippool
 acl 101

Create the crypto piece where you will apply Phase II:
crypto dynamic-map dynmap 10
 set transform-set myset

Crypto Maps:
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap

Apply to the external interface:
interface FastEthernet1/0
 crypto map clientmap

Now, test your Cisco VPN client and verify you can log in with the local credentials.  Thats it.