Cisco 871 PPTP VPN connection with split tunneling


  • Linde_1988
  • Registered: December 2009
  • Last online: 08-06-2022
Hello everyone,

I'm currently configuring a Cisco 871 to support PPTP VPN.

The configuration is almost finished, but I'm stuck on the following:

When people want to initiate a VPN connection to the Cisco 871 (without using the Cisco VPN client, i.e. via Windows), the "Use default gateway on remote network" checkbox has to be enabled to reach anything on the company network (vlan2 (192.168.0.0)).

If that checkbox is off, a static route has to be added manually on the "VPN client" if you still want to reach the company network (vlan2).

I know that with split tunneling the encrypted traffic goes over the tunnel and the unencrypted traffic goes out via the VPN client's local ISP. This is the ideal situation I would like to achieve; if there are better alternatives, I would like to hear them too!

Hopefully you can help me with this, as I have been working on it for several weeks now. I have found examples that explain it, but via IPsec rather than PPTP:
https://supportforums.cis...BE1454305D5E3FADD4E.node0

The configuration I have (some values have been replaced by xxx):
Building configuration...

Current configuration : 6235 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
hostname C871
!
boot-start-marker
boot-end-marker
!
enable password 7 xxxxx
!
no aaa new-model
!
!
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool IAS
import all
origin ipcp
dns-server 213.75.63.70 213.75.63.36
!
!
no ip domain lookup
ip name-server 213.75.63.70
ip name-server 213.75.63.36
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group VPDN-GROUP
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username xxx password 7 xxx
!
!
archive
log config
hidekeys
!
!
!
policy-map custom-shaper-10Mbps
class class-default
shape average 9400000
!
!
!
!
interface Loopback1
description Loopback interface for main public IP (always up)
ip address xxx.xxx.xxx.xxx 255.255.255.255
!
interface FastEthernet0
switchport access vlan 2
duplex full
speed 100
no cdp enable
!
interface FastEthernet1
duplex full
speed 100
no cdp enable
!
interface FastEthernet2
duplex full
speed 100
no cdp enable
!
interface FastEthernet3
duplex full
speed 100
no cdp enable
!
interface FastEthernet4
description Link to EVPN CPE
no ip address
load-interval 30
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
service-policy output custom-shaper-10Mbps
!
interface Virtual-Template1
description for VPDN
ip address 192.168.1.210 255.255.255.0
peer default ip address pool VPN_POOL
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
ip address pool IAS
ip access-group 99 out
ip verify unicast reverse-path
ip tcp adjust-mss 1452
load-interval 30
shutdown
!
interface Vlan2
ip address 192.168.0.210 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description Customer Traffic PPPoE Connection
mtu 1492
ip unnumbered Loopback1
ip access-group 99 out
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username xxx password 7 002F2342
ppp ipcp mask request
ppp ipcp address accept
!
ip local pool VPN_POOL 192.168.1.1 192.168.1.99
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat pool NATPOOL xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx netmask 255.255.255.248
ip nat inside source list 100 pool NATPOOL overload
ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.2 25 xxx.xxx.xxx.xxx 25 extendable
ip nat inside source static tcp 192.168.0.2 80 xxx.xxx.xxx.xxx 80 extendable
ip nat inside source static tcp 192.168.0.2 443 xxx.xxx.xxx.xxx 443 extendable
!
ip access-list extended nonat_nat
remark NOTE: Since this router is acting as both a VPN endpoint and
remark a firewall with a single IP address (overload/PAT), encrypted
remark VPN traffic should not be NAT'd (deny) while traffic to the
remark internet should (permit).
remark .
remark ..
remark No NAT local network to remote vpn network (rfc1918)
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
remark ...
remark NAT local network to Internet
permit ip 192.168.1.0 0.0.0.255 any
!
logging 192.168.0.1
access-list 99 remark Access-list needed for KPN
access-list 99 deny 10.0.0.0 0.255.255.255
access-list 99 deny 172.16.0.0 0.15.255.255
access-list 99 deny 192.168.0.0 0.0.255.255
access-list 99 permit any
access-list 100 remark Configured for PAT (NAT)
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark inside_access_in
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 5756
access-list 101 permit tcp any any eq 5758
access-list 101 permit tcp any any eq 5721
access-list 101 permit tcp any any eq 8053
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp host 192.168.0.2 any eq smtp
access-list 101 permit udp host 192.168.0.1 any eq ntp
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq tftp
access-list 101 permit udp any any eq syslog
access-list 102 remark outside_access_in
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map NONAT_NAT permit 1
match ip address nonat_nat
!
!
control-plane
!
banner exec ^CC
*****************************************************************
UNAUTORIZED ACCESS STRICTLY PROHIBITED!

PLEASE DISCONNECT IMMEDIATELY!
*****************************************************************
^C
banner login ^CC
*****************************************************************
UNAUTORIZED ACCESS STRICTLY PROHIBITED!

PLEASE DISCONNECT IMMEDIATELY!
*****************************************************************
^C
!
line con 0
exec-timeout 30 0
password 7 xxx
no modem enable
notify
line aux 0
transport output none
line vty 0 4
access-class 98 in
exec-timeout 20 0
password 7 xxx
login
notify
transport input telnet
transport output none
!
scheduler max-task-time 5000
end

  • mph_rbi
  • Registered: January 2001
  • Not online

mph_rbi

so ...

Split tunnelling is not supported on Cisco PPTP (where is it?). One option is to give your PPTP clients an IP address from the same range as your LAN. That way you no longer need to set a static route. This works fine in IOS.

so ...


  • Linde_1988
  • Registered: December 2009
  • Last online: 08-06-2022
OK, I'm going to try to apply this and will let you know as soon as possible.

  • Linde_1988
  • Registered: December 2009
  • Last online: 08-06-2022
Thanks for the answer, it does work now. The configuration is now finished the way I wanted it.

For those who would like an example configuration with the following characteristics:
* PPTP VPN
* RADIUS authentication
* NAT
* KPN fibre configuration
* etc.

Below is a working configuration:


!
version 12.4
no service pad
service tcp-keepalives-in
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
no service dhcp
!
hostname C871
!
boot-start-marker
boot-end-marker
!
enable password 7 091B4D0E4Fxxxxxx
!
aaa new-model
!
!
aaa authentication ppp default group radius
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-32729032423
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3272234234
revocation-check none
rsakeypair TP-self-signed-3272908491
!
!
crypto pki certificate chain TP-self-signed-32729034234
certificate self-signed 01 nvram:IOS-Self-Sig#F.cer
dot11 syslog
ip cef
!
!
no ip dhcp use vrf connected
!
ip dhcp pool IAS
import all
origin ipcp
dns-server 213.75.63.70 213.75.63.36
!
!
no ip domain lookup
ip name-server 213.75.63.70
ip name-server 213.75.63.36
!
multilink bundle-name authenticated
vpdn enable
!
vpdn-group VPDN-GROUP
! Default PPTP VPDN group
accept-dialin
protocol pptp
virtual-template 1
!
!
!
username xxxx password 7 005310015xxxxx
!
!
archive
log config
hidekeys
!
!
!
policy-map custom-shaper-10Mbps
class class-default
shape average 9400000
!
!
!
!
interface Loopback1
description Loopback interface for main public IP (always up)
ip address x.x.x.x 255.255.255.255
!
interface FastEthernet0
description Physical interface for vlan 2
switchport access vlan 2
duplex full
speed 100
no cdp enable
!
interface FastEthernet1
duplex full
speed 100
no cdp enable
!
interface FastEthernet2
duplex full
speed 100
no cdp enable
!
interface FastEthernet3
duplex full
speed 100
no cdp enable
!
interface FastEthernet4
description Link to EVPN CPE
no ip address
load-interval 30
speed 100
full-duplex
pppoe enable group global
pppoe-client dial-pool-number 1
no cdp enable
service-policy output custom-shaper-10Mbps
!
interface Virtual-Template1
description for VPDN
ip address 192.168.1.210 255.255.255.0
peer default ip address pool VPN_POOL
ppp encrypt mppe auto required
ppp authentication ms-chap ms-chap-v2
!
interface Vlan1
description Vlan for KPN
ip address pool IAS
ip access-group 99 out
ip verify unicast reverse-path
ip tcp adjust-mss 1452
load-interval 30
shutdown
!
interface Vlan2
description Vlan inside
ip address 192.168.0.210 255.255.255.0
ip nat inside
ip virtual-reassembly
!
interface Dialer1
description Customer Traffic PPPoE Connection
mtu 1492
ip unnumbered Loopback1
ip access-group 99 out
ip verify unicast reverse-path
ip nat outside
ip virtual-reassembly
encapsulation ppp
dialer pool 1
dialer-group 1
ppp pap sent-username KPN password 7 xxxx
ppp ipcp mask request
ppp ipcp address accept
!
ip local pool VPN_POOL 192.168.0.150 192.168.0.200
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer1
!
!
no ip http server
no ip http secure-server
ip nat pool NATPOOL x.x.x.x x.x.x.x netmask 255.255.255.248
ip nat inside source list 100 pool NATPOOL overload
ip nat inside source route-map NONAT_NAT interface FastEthernet4 overload
ip nat inside source static tcp 192.168.0.2 25 x.x.x.x 25 extendable
ip nat inside source static tcp 192.168.0.2 80 x.x.x.x 80 extendable
ip nat inside source static tcp 192.168.0.2 443 x.x.x.x 443 extendable
!
ip access-list extended nonat_nat
remark NOTE: Since this router is acting as both a VPN endpoint and
remark a firewall with a single IP address (overload/PAT), encrypted
remark VPN traffic should not be NAT'd (deny) while traffic to the
remark internet should (permit).
remark .
remark ..
remark No NAT local network to remote vpn network (rfc1918)
deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
deny ip 192.168.1.0 0.0.0.255 172.16.0.0 0.15.255.255
remark ...
remark NAT local network to Internet
permit ip 192.168.1.0 0.0.0.255 any
!
ip radius source-interface Virtual-Template1
logging 192.168.0.1
access-list 99 remark Access-list needed for KPN
access-list 99 deny 10.0.0.0 0.255.255.255
access-list 99 deny 172.16.0.0 0.15.255.255
access-list 99 deny 192.168.0.0 0.0.255.255
access-list 99 permit any
access-list 100 remark Configured for PAT (NAT)
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 101 remark inside_access_in
access-list 101 permit tcp any any eq www
access-list 101 permit tcp any any eq 443
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq 22
access-list 101 permit tcp any any eq telnet
access-list 101 permit tcp any any eq 5756
access-list 101 permit tcp any any eq 5758
access-list 101 permit tcp any any eq 5721
access-list 101 permit tcp any any eq 8053
access-list 101 permit tcp any any eq 1723
access-list 101 permit tcp any any eq 3389
access-list 101 permit tcp host 192.168.0.2 any eq smtp
access-list 101 permit udp host 192.168.0.1 any eq ntp
access-list 101 permit udp any any eq domain
access-list 101 permit udp any any eq tftp
access-list 101 permit udp any any eq syslog
access-list 102 remark outside_access_in
access-list 102 permit tcp any any eq www
access-list 102 permit tcp any any eq 443
access-list 102 permit tcp any any eq smtp
access-list 102 permit tcp any any eq 1723
access-list 102 permit gre any any
dialer-list 1 protocol ip permit
no cdp run
!
!
!
route-map NONAT_NAT permit 1
match ip address nonat_nat
!
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server key 7 1440110C5A0522e3e23
!
control-plane
!
banner exec ^CC
*****************************************************************
UNAUTORIZED ACCESS STRICTLY PROHIBITED!

PLEASE DISCONNECT IMMEDIATELY!
*****************************************************************
^C
banner login ^CC
*****************************************************************
UNAUTORIZED ACCESS STRICTLY PROHIBITED!

PLEASE DISCONNECT IMMEDIATELY!
*****************************************************************
^C
!
line con 0
exec-timeout 30 0
password 7 1440110C5A3423234
no modem enable
notify
line aux 0
transport output none
line vty 0 4
access-class 98 in
exec-timeout 20 0
password 7 0353582345234234
notify
transport input telnet
transport output none
!
scheduler max-task-time 5000
end
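A check of the advice in this thread, added here as an example and not code from either poster: it parses constructed excerpts of the two posted configs and reports whether the PPTP pool lies inside the Vlan2 LAN subnet (the change that let Windows clients reach the LAN without a client-side route or "Use default gateway on remote network"), and whether the nonat_nat ACL, which still names 192.168.1.0/24 in the working config, matches the pool at all. Function and constant names are my own, not IOS terms.

```python
import ipaddress
import re

# Constructed excerpts of the two configs posted in this thread: the first gives
# PPTP clients 192.168.1.x while the LAN (Vlan2) is 192.168.0.0/24, the second
# moves the pool into the LAN range as mph_rbi suggested.
CONFIG_BEFORE = """\
interface Vlan2
 ip address 192.168.0.210 255.255.255.0
ip local pool VPN_POOL 192.168.1.1 192.168.1.99
ip access-list extended nonat_nat
 deny ip 192.168.1.0 0.0.0.255 10.0.0.0 0.255.255.255
 permit ip 192.168.1.0 0.0.0.255 any
"""
CONFIG_AFTER = CONFIG_BEFORE.replace("192.168.1.1 192.168.1.99",
                                     "192.168.0.150 192.168.0.200")

def stanzas(cfg):
    """Group an IOS config into (top-level line, [indented child lines])."""
    out = []
    for line in cfg.splitlines():
        if line.startswith(" ") and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line, []))
    return out

def lan_subnets(cfg):
    """Subnets configured on Vlan interfaces (the 'inside' networks)."""
    return [ipaddress.IPv4Network(f"{m[1]}/{m[2]}", strict=False)
            for head, body in stanzas(cfg) if head.startswith("interface Vlan")
            for m in map(re.compile(r"ip address (\d[\d.]+) (\d[\d.]+)$").match, body) if m]

def local_pool(cfg):
    """'ip local pool NAME START END' as (name, start, end)."""
    m = re.search(r"^ip local pool (\S+) (\S+) (\S+)", cfg, re.M)
    return m[1], ipaddress.IPv4Address(m[2]), ipaddress.IPv4Address(m[3])

def nonat_sources(cfg):
    """Source prefixes in the NAT-exemption ACL; IOS wildcard masks are hostmasks."""
    return [ipaddress.IPv4Network(f"{m[1]}/{m[2]}")
            for head, body in stanzas(cfg) if head == "ip access-list extended nonat_nat"
            for m in map(re.compile(r"(?:permit|deny) ip (\d[\d.]+) (\d[\d.]+)").match, body) if m]

def check_vpn_pool(cfg):
    """Is the whole pool inside a LAN subnet (no client-side route needed), and
    does the nonat_nat ACL still cover the pool's addresses?"""
    _, start, end = local_pool(cfg)
    return {"pool_in_lan": any(start in n and end in n for n in lan_subnets(cfg)),
            "nonat_matches_pool": any(start in n for n in nonat_sources(cfg))}
```

On the working config the check reports the pool inside the LAN but the nonat_nat ACL no longer matching it, which is the leftover 192.168.1.0/24 entries still visible in the posted configuration.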