Cisco Configs - ADSL 3 Site VPN + Remote User VPN

Return to Main page
Return to Cisco page

Page contains 3x837 configs, Head Office + 2 remote sites. Head Office deals with remote users

Now those of you who are observant, will notice that the remote users are restricted accessing the internal network, and have no split tunnel for web traffic. This is because there is only 1 external IP address for the Head Office.
If a secondary External IP address is added to the Head office (eg 1.1.1.1) and then nat'd to the internal server (ip nat inside source static 192.168.0.1 1.1.1.1) then you could remove the port 80/110/25 nats currently on the head office router. That would allow remote users out as the traffic is no longer forced inside.
If on the other hand you don't have access to a second IP, then the internal server structure would have to have ISA/squid/Exchange for MSN and other such goodness for the remote VPN users to function with file access/web access and msn access.

Head Office

Head Office Details:
External IP: W.X.Y.Z
External Gateway IP: W1.X1.Y1.Z1
Internal IP: 192.168.0.254/Class C
Traffic forwarded to internal server 192.168.0.1 are mail(25),pop3(110) and web(80)
Users: Admin/password, vpnclient1/password, vpnclient2/password

Remote Users Details:
Internal IP: 192.168.8.x/Class C

Remote Office 1:
External IP: A.B.C.D
External Gateway IP: A1.B1.C1.D1
Internal IP: 192.168.1.254/Class C

Remote Office 2:
External IP: E.F.G.H
External Gateway IP: E1.F1.G1.H1
Internal IP: 192.168.2.254/Class C
Head Office 


Current configuration : 5302 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 837-HO
!
enable secret 0 cisco
!
username admin password 0 password
username vpnclient1 password 0 password
username vpnclient2 password 0 password
aaa new-model
!
!
aaa authentication login default local
aaa authorization network groupauthor local
aaa session-id common
ip subnet-zero
ip name-server 61.88.88.88
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp policy 10
 encr 3des

 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key 0 namevpnk3y address A.B.C.D no-xauth
crypto isakmp key 0 namevpnk3y address E.F.G.H no-xauth
crypto isakmp keepalive 20
!
crypto isakmp client configuration group namevpn
 key 0 namevpnk3y
 dns 192.168.0.1 61.88.88.88
 domain client.com.au
 pool vpnpool
!
!
crypto ipsec transform-set clientHO_to_clientro1 esp-3des esp-md5-hmac
crypto ipsec transform-set clientHO_to_clientro2 esp-3des esp-md5-hmac
crypto ipsec transform-set remoteuser esp-3des esp-sha-hmac
!
crypto dynamic-map remotedynmap 10
 set transform-set remoteuser
!
!
crypto map namevpn client authentication list default
crypto map namevpn isakmp authorization list groupauthor
crypto map namevpn client configuration address respond
crypto map namevpn 3 ipsec-isakmp dynamic remotedynmap
crypto map namevpn 10 ipsec-isakmp
 set peer A.B.C.D
 set transform-set clientHO_to_clientro1
 match address 101
crypto map namevpn 20 ipsec-isakmp
 set peer E.F.G.H
 set transform-set clientHO_to_clientro2
 match address 102
!
!
bridge irb
!
!
interface Ethernet0
 ip address 192.168.0.254 255.255.255.0
 ip access-group 120 in
 ip nat inside
 hold-queue 1 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface BVI1
 ip address W.X.Y.Z 255.255.255.0
 ip access-group 120 in
 ip nat outside
 crypto map namevpn
!
ip local pool vpnpool 192.168.8.20 192.168.8.50
ip nat inside source list 177 interface BVI1 overload
ip nat inside source static tcp 192.168.0.1 110 interface BVI1 110
ip nat inside source static tcp 192.168.0.1 80 interface BVI1 80
ip nat inside source static tcp 192.168.0.1 25 interface BVI1 25
ip classless
ip route 0.0.0.0 0.0.0.0 W1.X1.Y1.Z1
ip route 192.168.1.0 255.255.255.0 A.B.C.D
ip route 192.168.2.0 255.255.255.0 E.F.G.H
no ip http server
no ip http secure-server
!
!
access-list 101 permit ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 102 permit ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 120 permit ip any any
access-list 177 deny   ip 192.168.0.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 177 deny   ip 192.168.0.0 0.0.0.255 192.168.8.0 0.0.0.255
access-list 177 permit ip 192.168.0.0 0.0.0.255 any
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password cisco
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password cisco
!
scheduler max-task-time 5000
!
end
Remote Office 1 

Current configuration : 2422 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 837-RO1
!
enable secret 0 cisco
!
username admin password 0 password
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip name-server 61.88.88.88
ip dhcp excluded-address 192.168.1.1 192.168.1.100
ip dhcp excluded-address 192.168.1.200 192.168.1.254
!
ip dhcp pool CLIENT
   import all
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.254
   dns-server 192.168.0.1 61.88.88.88
   lease 0 2
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key 0 namevpnk3y address W.X.Y.Z
crypto isakmp keepalive 20
!
!
crypto ipsec transform-set clientHO_to_clientro1 esp-3des esp-md5-hmac
!
crypto map namevpn 10 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set clientHO_to_clientro1
 match address 101
!
!
bridge irb
!
!
interface Ethernet0
 ip address 192.168.1.254 255.255.255.0
 ip access-group 120 in
 ip nat inside
 hold-queue 1 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 no ip address
!
interface BVI1
 ip address A.B.C.D 255.255.255.0
 ip access-group 120 in
 ip nat outside
 crypto map namevpn
!
ip nat inside source list 175 interface BVI1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 A1.B1.C1.D1
ip route 192.168.0.0 255.255.255.0 W.X.Y.Z
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip any any
access-list 175 deny   ip 192.168.1.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 permit ip 192.168.1.0 0.0.0.255 any
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password cisco
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password cisco
!
scheduler max-task-time 5000
!
end
Remote Office 2 

Building configuration...

Current configuration : 2422 bytes
!
version 12.3
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname 837-RO2
!
enable secret 0 cisco
!
username admin password 0 password
aaa new-model
!
!
aaa session-id common
ip subnet-zero
ip name-server 61.88.88.88
ip dhcp excluded-address 192.168.2.1 192.168.2.100
ip dhcp excluded-address 192.168.2.200 192.168.2.254
!
ip dhcp pool CLIENT
   import all
   network 192.168.2.0 255.255.255.0
   default-router 192.168.2.254
   dns-server 192.168.0.1 61.88.88.88
   lease 0 2
!
!
ip cef
ip audit notify log
ip audit po max-events 100
no ftp-server write-enable
!
!
!
!
crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
!
crypto isakmp policy 20
 hash md5
 authentication pre-share
crypto isakmp key 0 namevpnk3y address W.X.Y.Z
crypto isakmp keepalive 20
!
!
crypto ipsec transform-set clientHO_to_clientro1 esp-3des esp-md5-hmac
!
crypto map namevpn 10 ipsec-isakmp
 set peer W.X.Y.Z
 set transform-set clientHO_to_clientro1
 match address 101
!
!
bridge irb
!
!
interface Ethernet0
 ip address 192.168.2.254 255.255.255.0
 ip access-group 120 in
 ip nat inside
 hold-queue 1 out
!
interface ATM0
 no ip address
 no atm ilmi-keepalive
 dsl operating-mode auto
!
interface ATM0.1 point-to-point
 pvc 8/35
  encapsulation aal5snap
 !
 bridge-group 1
!
interface FastEthernet1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet2
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet3
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface Dialer1
 no ip address
!
interface BVI1
 ip address E.F.G.H 255.255.255.0
 ip access-group 120 in
 ip nat outside
 crypto map namevpn
!
ip nat inside source list 175 interface BVI1 overload
ip classless
ip route 0.0.0.0 0.0.0.0 E1.F1.G1.H1
ip route 192.168.0.0 255.255.255.0 W.X.Y.Z
no ip http server
no ip http secure-server
!
access-list 101 permit ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 120 permit ip any any
access-list 175 deny   ip 192.168.2.0 0.0.0.255 192.168.0.0 0.0.0.255
access-list 175 permit ip 192.168.2.0 0.0.0.255 any
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 password cisco
 no modem enable
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
 password cisco
!
scheduler max-task-time 5000
!
end

Hosted by www.Geocities.ws

1