One of the things I think is cool is that you don't necessarily need a firewall to do VPN remote access. You can do this with a Cisco router just as well. This is really handy if you have a Cisco router lying around not being used for anything. Let's look at the configuration for this.
This was on a Cisco 1841 router. Let's first define what we will NAT and what we will not NAT. The deny statements are what you do NOT want to NAT (traffic from the inside networks to the VPN client pool has to reach the tunnel untranslated). The permit statements DO NAT.
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
Now, let's make an ACL that defines what gets encrypted: source and destination. Notice that in both of these ACLs the subnet mask is backwards (it is a wildcard mask, where a 0 bit means "must match"). It can be a little confusing, but it's just the way IOS is.
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
Now, the DHCP pool of addresses handed out to the Cisco remote-access clients:
ip local pool ippool 192.168.50.50 192.168.50.250
The NAT statement: list 111 decides what gets translated, and the external interface's address is used for the overload (PAT):
ip nat inside source list 111 interface FastEthernet1/0 overload
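The deny entries in ACL 111 and the permit entries in ACL 101 have to mirror each other: any inside-to-client flow that 101 encrypts but 111 still NATs gets translated to the outside address before IPsec sees it and never enters the tunnel. Here is an added Python checker (my own code, not from the original post) that parses both numbered ACLs with IOS first-match semantics and reports any such gap; the function names and the sample config string are mine, the ACL lines are the ones above.

```python
import ipaddress
# Constructed sample: the NAT-exempt ACL (111) and the crypto ACL (101) from the post.
SAMPLE_CONFIG = """
access-list 111 deny ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 deny ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 111 permit ip any any
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 192.168.10.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.5.1.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 101 permit ip 10.1.10.0 0.0.0.255 192.168.50.0 0.0.0.255
"""

def _parse_net(tokens, i):
    """One IOS address term (any | host A | A WILDCARD) at tokens[i]; returns (net, next_index)."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # ipaddress accepts an (address, hostmask) tuple; an IOS wildcard mask is a hostmask
    return ipaddress.ip_network((tokens[i], tokens[i + 1])), i + 2

def parse_acls(config):
    """Return {acl_number: [(action, src_net, dst_net), ...]} in configuration order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list" or t[3] != "ip":
            continue  # only numbered extended 'ip' entries matter for this check
        src, i = _parse_net(t, 4)
        dst, _ = _parse_net(t, i)
        acls.setdefault(t[1], []).append((t[2], src, dst))
    return acls

def nat_action(nat_acl, src, dst):
    """First-match lookup: the first entry containing the flow decides;
    no match is the implicit deny, i.e. the flow is not translated."""
    for action, s, d in nat_acl:
        if src.subnet_of(s) and dst.subnet_of(d):
            return action
    return "deny"

def nat_exempt_gaps(config, crypto_acl="101", nat_acl="111"):
    """Crypto-ACL flows the NAT ACL would still translate: they are PATed to the
    outside address before IPsec sees them and therefore never match the tunnel."""
    acls = parse_acls(config)
    return [f"{s} -> {d}" for action, s, d in acls.get(crypto_acl, [])
            if action == "permit" and nat_action(acls.get(nat_acl, []), s, d) == "permit"]
```

An empty list means every encrypted flow is exempt from NAT; the check also catches a deny entry that is dead because it sits after the permit any any.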
Let's tell the router to use local authentication for users and local authorization for the client group:
aaa new-model
aaa authentication login userauthen local
aaa authorization network groupauthor local
Create a username and password for local authentication (on IOS that supports it, use "secret" instead of "password" so the credential is stored as a hash rather than in a reversible form):
username tech password passwordstring
Configure Phase I (the ISAKMP/IKE policy):
crypto isakmp policy 3
encr aes 256
hash sha
authentication pre-share
group 2
Create Phase II (the IPsec transform set):
crypto ipsec transform-set myset esp-aes 256 esp-sha-hmac
Configure the group: the group pre-shared key (the pcf password), the DNS domain name, the DHCP pool to use, and the encryption (split-tunnel) ACL to use:
crypto isakmp client configuration group vpnclient
key companypassword
domain company.com
pool ippool
acl 101
Create the dynamic crypto map, which is where Phase II is applied:
crypto dynamic-map dynmap 10
set transform-set myset
reverse-route
Crypto maps (tie the authentication and authorization lists and the dynamic map together):
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
Apply it to the external interface:
interface FastEthernet1/0
crypto map clientmap
Now test with your Cisco VPN client and verify you can log in with the local credentials. That's it.