Configuring a Client to Site IPSec VPN Tunnel on a Cisco ISR Router

Captions
So behind me are two Cisco ISR routers that I need to configure a client-to-site IPsec VPN tunnel on. The reason for that is that if the SSL VPN server were to become unavailable for any reason, it gives me a backup remote-access method into the network, so I thought it would be a good idea to make a video tutorial on it. Before I actually move on to the final production configuration, I thought I would do more of a sample config for the sake of this video, for obvious reasons (pre-shared keys, usernames, etc.), but it's obviously going to be a working config, and I'll show that towards the end of the video. So with that being said, if you're interested in learning how to set this up, stay tuned and I'll show you how to get it configured.

Okay, so let's get to it. Before I open up PuTTY and SSH into the router, just to give you a brief overview of what we're going to be doing: first we need to enable AAA for authentication and authorization. Then we need to configure phase one, so we need to configure ISAKMP and all those parameters, and then configure phase two for the IPsec tunnel. We need to configure an IP pool so addresses can be dynamically assigned to the client when they connect. We need to configure an ACL for interesting traffic, so the traffic that's going to traverse the tunnel, traffic that will be encapsulated with additional transport headers, versus traffic that's just going to be going over the internet. And then we need to modify the access control list for our NAT configuration so that traffic that is destined to traverse the tunnel does not end up being translated by NAT. And then one extra thing, kind of a bonus thing: since I'm also running Cisco's zone-based firewall on this router, I also need to configure an exception in the firewall to allow all traffic that is originating from the tunnel to pass down into my LAN network.

So let's start by opening up PuTTY, and we will SSH into that router; the management IP is 10.0.50.2. Okay, let's go into privileged exec mode and then jump right up into global config.

Okay, so the first step, we'll enable AAA. The command is aaa new-model, and then we'll go aaa authentication login, and then we need to choose a name, so I'll just put user-auth, and we will make that local, so it's going to reference the local user database on the router itself. Next is aaa authorization network, and we get to choose a name for this as well, and I'll put group-auth. This will be defined in phase one of the tunnel negotiations, so you'll see in a second here we're going to create some parameters that define certain things about the tunnel: the pre-shared key, DNS, domain, the IP pool, access control lists for interesting traffic, etc. And we'll also put local for that as well.

Okay, so let's create a username. I'll just make it real generic, so the username will be user and the password will be cisco.

Okay, let's move on to phase one, the configuration of phase one for the tunnel. So crypto isakmp policy; we'll use triple DES encryption, authentication will be a pre-shared key, and also the Diffie-Hellman group as 2. Okay, now it's time to create that group I was talking about. When we put aaa authorization network group-auth local, this is what it will be referencing. The command is crypto isakmp client configuration group, and we'll choose a name, and the name will be vpn-client. The pre-shared key I'll set as cisco123, again just keeping it really generic for this tutorial. For DNS I will use one of my internal DNS servers, and for the domain I will set that as my Active Directory domain. For the pool, I'll create an IP pool named ippool towards the end of this configuration, but we'll reference it here for now, so the pool will be ippool, and the ACL to define that interesting traffic will be ACL 102. So when the client connects, once it is negotiating phase one of this tunnel, part of the process will be assigning an IP address to the virtual interface on the client, which will pull an IP from this IP pool that we'll name ippool. That's pretty straightforward, kind of like DHCP. The ACL to define the interesting traffic will be a numbered extended access list, and the number will be 102. This is stuff that we still need to create, and that will be towards the end of the configuration. Okay, that's all we need to do there.

Okay, now we'll move on to phase two of the configuration, so that means we need to create a transform set. We'll go crypto ipsec transform-set, and we'll just name it ts, and we will use ESP with triple DES, and ESP MD5 HMAC for the hashing. Okay, so that's that for the creation of the transform set. Let's move on to creating the dynamic map; we'll just name it dm and give it a sequence number of 10. Here we define that transform set we just created, which was ts, so we'll go set transform-set ts, and we'll also add the reverse-route command. I don't actually need this here because of the way my network's set up, but essentially what it's going to do is, for whatever addresses are defined in this pool here, when the client connects it will actually add a static route on the router that points to the tunnel endpoint, so the client address, and what you can do with that is you can redistribute that into a routing protocol if you want to, so that way you can kind of pipe that down through your network so your routing is correct.

So once you configure that, we're done with the dynamic map, and now we just move on to the crypto map. Remember up here when we were sticking in those AAA commands, aaa authentication login user-auth and then authorization network group-auth, where we then defined the group as vpn-client, which is right here: we're going to plug all of that into the crypto map. So we'll go crypto map, and we need to give it a name, so I'll just name it client-map: crypto map client-map client authentication list user-auth; crypto map client-map isakmp authorization list group-auth (authorization, not authentication); crypto map client-map client configuration address respond; and crypto map client-map, and now I'll give it a sequence number of 10 in case I need to add anything in there later, so crypto map client-map 10 ipsec-isakmp, and here's where we define the dynamic map, which we named dm.

Okay, so so far we have configured AAA; we have configured a username to be able to log into the VPN, so the user user with the password cisco; we configured the group, so the group was vpn-group, I think, no, the group was vpn-client; and we configured phase one and then phase two. What's left is we need to apply this crypto map to the interface for our WAN connection, we need to create that access list to define our interesting traffic, and we also need to modify the access control list for NAT so that interesting traffic doesn't end up being translated.

So Gig 0/0 is the interface that I'll apply this crypto map to, so we'll go crypto map client-map. Now in most cases this is all you have to do to define the crypto map on the interface. In my scenario I'm running HSRP for redundancy on the LAN side of this router, so if I do a do show run interface gig 0/0 you'll see that I have HSRP enabled here, and that's because there's another upstream router that handles the connection for this provider. So I have another redundant router, so that way this can fail over in the instance where an interface fails, the whole router fails, or if there's a planned outage for maintenance or something like that. The standby group is named HA WAN 1, so in my case I'm going to issue crypto map client-map redundancy and then the name of the HSRP standby group. Actually, since I'm SSHed in, it's not going to show any syslog messages, so let me enable terminal monitor, and then I'll go back into Gig 0/0 and show you that once you enable that crypto map you should get a message. So you see that it says ISAKMP is off; when you enable it, or when you first issue the command for the crypto map, you'll see a message that ISAKMP has been turned on.

Okay, so (whoops, I keep hitting my microphone) we still need to define the IP pool, then we need to define the access control list for the interesting traffic, then modify the access list for network address translation, and then, like I said at the beginning, since I'm running the zone-based firewall, I need to punch a hole through the firewall to allow the VPN traffic through. So let me start with the IP pool. The command for that is ip local pool, and since I defined it as ippool up here, I need to make sure that I name it ippool, and then I will just use addresses in the 192.168.20.0/24 range, I'm sorry, 192.168.200.0, so we'll start with .1 and then end at .50.

Okay, now we'll go access-list 102, and since most of my internal network on the LAN is on the, actually all of my internal network on the LAN is in the 10.0 network, I need to define in this access list 102 that the interesting traffic is anything in the 10.0 network that would be communicating with the 192.168.200.0 network. So I'll put access-list 102 permit ip 10.0.0.0 and then a /16 wildcard mask, which is basically the inverse subnet mask: if this wasn't a wildcard mask, if you were using just the subnet mask, it would be 255.255.0.0, which would define the 10 and the 0 as the network, basically saying anything that's 10.0 will apply here. (I wish I hadn't turned on terminal monitor, because I'm just going to see random syslog messages for my firewall coming up here.) So access-list 102 permit the 10 network going to 192.168.200.0/24; the wildcard mask for that would be 0.0.0.255.

Okay, and then our NAT access list. do show access-list 101: this is the access list that is defined in the NAT statement. What I'll do is, since I have a 30 and a 40 here, I can squeeze in a deny, so I'll just go ip access-list extended 101 and then line 10, deny ip, pretty much the same thing that we defined in access list 102. So we want this to be defined as our interesting traffic; this will be what those extra layers of transport headers will be added to, the traffic that's defined here, but we also don't want it to be translated either, since it's not actually going out to the internet. I mean, it's going out to the internet, but it's being tunneled, so basically we don't want anything in the 10 network to be translated to whatever our NAT configuration says when it's traveling over to the 192.168.200.0 network. So we'll go deny ip 10.0.0.0 with the /16 wildcard mask, 192.168.200.0 with the /24 wildcard mask. So do show access-list 101. Okay, so there's the deny statement for NAT.

Before I test this out, I am going to configure an exception in my firewall. If this doesn't apply to you, you can skip over this part; I'll do my best to add some pointers in the description below so you can just click on that and skip to the next timestamp. Okay, so in order to punch a hole through the firewall I'm going to start with an access list, so I'll go access-list, actually it's going to be a named extended access list, so ip access-list extended, and I'll put FW for firewall, so I'll know if I'm looking through access lists that this one pertains to a firewall rule. That's normally what I do: if it's an access list for a route map, I'll put RMAP-; even if it's an ACL that's just being used as an ACL, I'll put ACL- or ACL_, so that way I know this is an ACL that's just being used as an ACL, versus this is an ACL that's being used for a route map, or this is an ACL that's being used for a firewall, or what have you, or if I was redistributing routes into a routing protocol or something like that. So for this we'll go ip access-list extended FW-VPN-to-LAN, permit ip 192.168.200.0 with the /24 wildcard mask to the 10.0 network.

Okay, now we need a class map, so we'll go class-map type inspect VPN-to-LAN-CMAP and then match access-group name; I'll just copy it in here. Okay, we need our policy map, so we'll go policy-map type inspect, and I'll just go WAN-to-LAN, since this will be the actual service policy that I'll be applying to the zone pair: policy-map type inspect WAN-to-LAN-PMAP, class type inspect, and we want to inspect the class map that we just created, so VPN-to-LAN-CMAP, and we want to inspect that traffic: inspect. (Sorry about the syslog messages that keep popping up randomly.) Okay, so now we need to create our zone pair, so we'll go zone-pair security WAN-to-LAN source WAN destination LAN, and apply that policy map, so we'll go service-policy type inspect and then the policy map that we just created, WAN-to-LAN-PMAP.

Okay, so we should be good to go. We configured the username, the group, phase one and two, AAA, the IP pool, the access control list, modified our NAT access control list (excuse me, getting the hiccups), and then modified our firewall to allow the traffic through. So I think we're good, so I'm going to move on to my phone. I'm actually using that phone to record this right now, since I don't have a super fancy camera or anything like that, so I'm going to have to take myself off the screen, but I'll do a screen record on my phone to show you the configuration on my phone and that sort of thing. So let's go ahead and do that now. First things first, I'm going to switch over to LTE so that I can connect from an external network. Go to General, VPN, Add VPN Configuration, IPsec, and I'll just name it IPsec Tutorial. Server: I already have a DNS record that points to this router right here, so that would be vpn.rmtechcentral.com. The account is that user we created, named user, with the password being cisco, and then remember the group name was vpn-client and the secret was cisco123. Okay, and that should do it, so let's select that as the connection and see if we can connect.

Okay, we got a login box, so that's good; we'll type in our password of cisco. Okay, see the VPN connection at the top. So let's see if I can access something on my LAN; let's see if I can access my storage server. Since we set the DNS as that internal DNS server and the domain is my Active Directory domain, this should resolve, and we should be able to access the NAS. There we go. All right, so it looks like everything is working; so go here to Users, Public, okay. All right, and that is pretty much it. I'm just trying to think really quick if there's anything I'm overlooking. Yeah, I don't think so. Sorry if I went a little bit fast for some people; I mean, I guess the good thing about it being a video is the fact that you can go back and rewatch it and that sort of thing. I'll do my best to link in the description, if I have a moment, the commands that I used, so that way, if some of you just want to lab this up, you can do a quick copy and paste and then change things to suit your network as needed. But other than that, I think I'm going to wrap it up here. So thanks for watching this video; I hope you learned something. If you have any questions, leave a comment in the comment section below, or you can send me an email to rob at rmtechcentral.com, or you can use the contact form at rmtechcentral.com as well. Like this video if you liked it, thumb it down if you hated it, and I'll see you in the next video. Thanks for watching.
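The script below is an added example, not the author's own commands from the video. It renders the IOS commands walked through in the captions from a small set of parameters, computes the wildcard (inverse) masks the way the captions explain them, and checks the two things that most often break a crypto-map VPN of this kind: the NAT ACL must deny LAN-to-pool traffic before any permit line catches it, and that deny must mirror the interesting-traffic ACL exactly (the video comes close to mixing up 192.168.20.0 and 192.168.200.0, which this generator avoids by deriving both ACLs from one entry). The object names (user-auth, group-auth, vpn-client, client-map, ts, dm, ippool, ACLs 101 and 102), the DNS server, the domain, the pre-existing NAT ACL entries 30 and 40, and the HSRP standby name are assumptions based on the transcript or constructed here; the default algorithms are the video's (3DES, MD5, DH group 2) so that the last check has something to report, and the demo PSK and password must not be reused.

```python
"""Render and sanity-check a client-to-site IPsec (ISAKMP + crypto map) config.

Added example; names and addresses are assumed from the video transcript or
constructed here (see the NAT_ACL_BEFORE sample). Demo secrets: do not reuse.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class VpnParams:
    lan: str = "10.0.0.0/16"            # "the 10.0 network" from the video
    pool: str = "192.168.200.0/24"      # client address pool
    pool_first: int = 1                 # .1 ... .50
    pool_last: int = 50
    pool_name: str = "ippool"
    group: str = "vpn-client"           # assumed spelling of the ISAKMP group
    psk: str = "cisco123"               # demo PSK from the video
    dns: str = "10.0.0.10"              # assumed internal DNS server
    domain: str = "corp.example"        # assumed AD domain
    encr: str = "3des"                  # video's choice; legacy
    hash: str = "md5"                   # video's choice; legacy
    dh_group: int = 2                   # video's choice; legacy
    crypto_acl: int = 102               # interesting traffic
    nat_acl: int = 101                  # list referenced by "ip nat inside source"
    wan_if: str = "GigabitEthernet0/0"
    hsrp_group: str = ""                # standby name -> "crypto map ... redundancy"


def acl_pair(cidr: str) -> str:
    """'10.0.0.0/16' -> '10.0.0.0 0.0.255.255': address plus wildcard (inverse) mask."""
    n = ipaddress.ip_network(cidr, strict=False)
    return f"{n.network_address} {n.hostmask}"


def interesting_ace(p: VpnParams, action: str = "permit") -> str:
    """LAN <-> pool entry; ACL 102 uses it as permit, the NAT ACL as deny."""
    return f"{action} ip {acl_pair(p.lan)} {acl_pair(p.pool)}"


def render_config(p: VpnParams) -> str:
    net = ipaddress.ip_network(p.pool)
    first, last = net.network_address + p.pool_first, net.network_address + p.pool_last
    redundancy = f" redundancy {p.hsrp_group}" if p.hsrp_group else ""
    lines = [
        "aaa new-model",
        "aaa authentication login user-auth local",
        "aaa authorization network group-auth local",
        "username user password cisco",                  # demo credential from the video
        "crypto isakmp policy 10",
        f" encr {p.encr}", " authentication pre-share", f" group {p.dh_group}",
        f"crypto isakmp client configuration group {p.group}",
        f" key {p.psk}", f" dns {p.dns}", f" domain {p.domain}",
        f" pool {p.pool_name}", f" acl {p.crypto_acl}",
        f"crypto ipsec transform-set ts esp-{p.encr} esp-{p.hash}-hmac",
        "crypto dynamic-map dm 10", " set transform-set ts", " reverse-route",
        "crypto map client-map client authentication list user-auth",
        "crypto map client-map isakmp authorization list group-auth",
        "crypto map client-map client configuration address respond",
        "crypto map client-map 10 ipsec-isakmp dynamic dm",
        f"interface {p.wan_if}", f" crypto map client-map{redundancy}",
        f"ip local pool {p.pool_name} {first} {last}",
        f"access-list {p.crypto_acl} {interesting_ace(p)}",
        f"ip access-list extended {p.nat_acl}", f" 10 {interesting_ace(p, 'deny')}",
    ]
    return "\n".join(lines)


# Constructed sample of the pre-existing NAT ACL (the video shows entries 30 and 40).
NAT_ACL_BEFORE = [
    "30 permit ip 10.0.0.0 0.0.255.255 any",
    "40 permit ip 172.16.0.0 0.0.255.255 any",
]


def _parse_ace(line: str):
    """'<seq> <permit|deny> ip <src> <wc> <dst> <wc>'; 'any' and 'host X' are accepted."""
    t = line.split()
    seq, action, i = int(t[0]), t[1], 3

    def take():
        nonlocal i
        if t[i] == "any":
            i += 1
            return ("any", "0.0.0.0")
        if t[i] == "host":
            i += 2
            return (t[i - 1], "0.0.0.0")
        i += 2
        return (t[i - 2], t[i - 1])

    return seq, action, take(), take()


def _hit(addr: int, base: str, wc: str) -> bool:
    if base == "any":
        return True
    b, w = int(ipaddress.ip_address(base)), int(ipaddress.ip_address(wc))
    return ((addr ^ b) & ~w & 0xFFFFFFFF) == 0      # bits where the wildcard is 0 must match


def first_match(acl: List[str], src_ip: str, dst_ip: str) -> Tuple[Optional[int], str]:
    """Sequence and action of the first ACE hit; (None, 'deny') is the implicit deny."""
    s, d = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
    for seq, action, src, dst in sorted(map(_parse_ace, acl), key=lambda e: e[0]):
        if _hit(s, *src) and _hit(d, *dst):
            return seq, action
    return None, "deny"


def nat_exempts_tunnel(nat_acl: List[str], p: VpnParams) -> bool:
    """True when a LAN host talking to a pool address is denied by the NAT ACL (not translated)."""
    lan_host = str(ipaddress.ip_network(p.lan).network_address + 1)
    pool_host = str(ipaddress.ip_network(p.pool).network_address + p.pool_first)
    return first_match(nat_acl, lan_host, pool_host)[1] == "deny"


def add_nat_exemption(nat_acl: List[str], p: VpnParams, seq: int = 10) -> List[str]:
    """Line 10 deny mirroring ACL 102, squeezed in ahead of the existing permits."""
    return [f"{seq} {interesting_ace(p, 'deny')}"] + list(nat_acl)


def weak_crypto_findings(p: VpnParams) -> List[str]:
    """Flag the legacy algorithms the video uses; prefer AES, SHA-2 and DH group 14 or higher."""
    out = []
    if p.encr in ("des", "3des"):
        out.append(f"encryption {p.encr} is legacy; use AES (e.g. 'aes 256')")
    if p.hash == "md5":
        out.append("hash md5 is legacy; use sha256")
    if p.dh_group <= 2:
        out.append(f"DH group {p.dh_group} is 1024-bit or weaker; use group 14 or higher")
    return out
```

Run it with VpnParams(hsrp_group="HA-WAN1") to get the redundancy form of the interface command the video uses, and feed the output of show access-list for your NAT list into nat_exempts_tunnel() before and after add_nat_exemption(): traffic from the LAN to the internet must still hit the permit at line 30 (and be translated), while LAN-to-pool traffic must hit the line 10 deny, otherwise it is NATed before encryption and the tunnel appears to connect but nothing on the LAN answers. weak_crypto_findings() reports three items for the video's defaults and nothing once encr, hash and dh_group are set to AES, SHA-256 and group 14.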
Info
Channel: Robert Mayer
Views: 1,404
Keywords: Cisco, IPSec, VPN, Tunnel, IPSec Tunnel, VPN Tunnel, Client to Site, How to configure IPSec tunnel
Id: CmoBIyiNSzs
Length: 25min 43sec (1543 seconds)
Published: Fri Apr 09 2021