1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Modified 871w VPN Site-to-Site Template

Discussion in 'Other Cisco Equipment' started by DocLarge, Jul 17, 2007.

Thread Status:
Not open for further replies.
  1. DocLarge

    DocLarge Super Moderator Staff Member Member


    with notes in hand from Eric.Stewart, a whole lot of caffeine, and an undaunting will to refuse sleep until it worked, I've finally got a fairly decent vpn template that includes dhcp assignment, username assignment, spi firewall configuration, and a simple portforward to a MS vpn server is you have one in your environment

    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    hostname Router
    no logging buffered
    no logging console
    no aaa new-model
    resource policy
    ip subnet-zero
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address
    ip dhcp excluded-address
    ip dhcp pool guardtower
    ip inspect name Outbound tcp
    ip inspect name Outbound udp
    ip inspect name Outbound icmp
    no ip domain lookup
    ip domain name guardtower.biz
    ip host guard2
    ip name-server
    ip name-server
    crypto pki trustpoint TP-self-signed-3833788792
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-3833788792
    revocation-check none
    rsakeypair TP-self-signed-3833788792
    crypto pki certificate chain TP-self-signed-3833788792
    certificate self-signed 01
    3082023F 308201A8 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
    31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
    69666963 6174652D 33383333 37383837 3932301E 170D3037 30373136 30313239
    34375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
    4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D33 38333337
    38383739 3230819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
    8100C3D1 A5CB9607 84E0C7BA 2E77C00A 29D8BB00 50CE91DF 83691C30 76C0A7C0
    ACC2B38E 3DA427AE 94E81AFD C9B15F2B 14525243 60A2AE21 420466F9 A66FFCE9
    2525A391 FB0BF675 09181445 B9910369 0CC2CC0A 93534474 973DCC65 44998582
    1BACF085 2D2EDDB3 1C28FA7D D4BAD99B 1ABA9B4B 926A453B B31C3181 8E9A3F60
    2E6B0203 010001A3 67306530 0F060355 1D130101 FF040530 030101FF 30120603
    551D1104 0B300982 07526F75 7465722E 301F0603 551D2304 18301680 142CA4B7
    AB85CAA1 D6E3D7D9 0984B87F 3AB08F49 56301D06 03551D0E 04160414 2CA4B7AB
    85CAA1D6 E3D7D909 84B87F3A B08F4956 300D0609 2A864886 F70D0101 04050003
    81810048 61098D20 DD6036BE 56C56308 00FB720C 04975B61 661F4A44 926EFEF2
    52D00017 D96609D4 D559E54F 81B5FF44 0CB6ABBC 4243488B 14CD7E95 6673FD2C
    64A7C0D5 2874DF19 58B41A87 D9EF874F 58146A87 BCFC0150 6E21A023 FC750FC9
    A489DF2C FE28CC41 40733AA4 62ADDB57 5FF33915 59C717F9 C42DBB3D 3EDD8EA9 6A1A99
    username doclarge privilege 15 password 0 whoisthaman#1
    username eric.stewart privilege 15 password 0 ciscoismylife#1
    crypto isakmp policy 10
    encr 3des
    authentication pre-share
    group 2
    lifetime 28800
    crypto isakmp key wrv2001234 address (Remote WAN ip/Subnet here) no-xauth
    crypto isakmp keepalive 10
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec transform-set smcbr18vpn esp-3des esp-sha-hmac
    no crypto ipsec nat-transparency udp-encaps
    crypto map smcbr18vpn 110 ipsec-isakmp
    set peer (remote WAN ip here)
    set transform-set smcbr18vpn
    set pfs group2
    match address 110
    bridge irb
    interface FastEthernet0
    interface FastEthernet1
    interface FastEthernet2
    interface FastEthernet3
    interface FastEthernet4
    description WAN
    ip address dhcp
    ip nat outside
    ip virtual-reassembly
    speed 100
    crypto map smcbr18vpn
    interface Dot11Radio0
    no ip address
    encryption mode ciphers tkip
    ssid testingwireless!
    authentication open
    authentication key-management wpa
    wpa-psk ascii 0 abcd12349876
    speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 spanning-disabled
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    interface Vlan1
    no ip address
    interface BVI1
    description LAN
    ip address
    ip access-group 115 in
    ip inspect Outbound in
    ip nat inside
    ip virtual-reassembly
    ip classless
    ip http server
    ip http secure-server
    ip nat inside source static tcp 1723 interface FastEthernet4 1723 (port forwarding to vpn server)
    ip nat inside source route-map nonat interface FastEthernet4 overload
    access-list 110 permit ip
    access-list 111 deny ip
    access-list 111 permit ip any
    access-list 115 permit ip any
    access-list 115 deny ip any any
    route-map nonat permit 10
    match ip address 111
    bridge 1 protocol ieee
    bridge 1 route ip
    line con 0
    no modem enable
    line aux 0
    line vty 0 4
    login local
    transport input telnet ssh
    scheduler max-task-time 5000

    Where you see "smcbr18vpn" is just the name I assigned for the vpn tag (for lack of a better term). If you have any questions while viewing this config, just refer to the previous "871w Site-to-Site" sticky where Eric.Stewart explains the functions of the vpn commands in detail.

    If time permits, I'll try and do a video showing the actual setup.

    I'm no whiz, yet I strive :) :)

Thread Status:
Not open for further replies.

Share This Page