HELP!! How to configure Cisco 1721 as a VPN gateway!

justinxie (Instructor) (OP)
29 Oct 02 5:12
Hi professionals,

Could anyone help me with how to configure a Cisco 1721 (with VPN module installed) as a VPN gateway? Does the VPN client have to install the Cisco Secure VPN Client to access through this VPN router?

Many thanks.
netmediasystems (MIS)
29 Oct 02 12:46
Could you describe in better detail what you are trying to accomplish... are multiple sites trying to connect... individual users from their homes?
justinxie (Instructor) (OP)
30 Oct 02 0:49
OK, all I have to do is to set up this 1721 router as an access VPN router to support users using PCs that run different versions of Windows. One thing I forgot to mention last time is that this router is configured with DDS through its serial interface and functions as an Internet gateway for internal users, and it hosts a few web and email services.
Is it possible for this router to function as a VPN router and an Internet gateway at the same time (through a single DDS connection only)?

Many thanks!
CiscoGod (TechnicalUser)
1 Nov 02 12:09
You can, but it will probably be overkill on the 1721; a 1751 would be better equipped to handle your intended duties. You will also need an IOS that has the IPsec DES or 3DES feature set, but more importantly the ability to type this command:

crypto isakmp client configuration group


First you will need a RADIUS server, or configure the usernames on the 1721 itself (painful). If you have a Win2K server it has Internet Authentication Service built in (RADIUS server).

Let me know how you plan to authenticate the users and whether you want the people who VPN in to do split tunneling (be able to surf the Internet while VPN'd in).

If you do that I will post up a config that will make your dream a reality!

CiscoGod
justinxie (Instructor) (OP)
1 Nov 02 23:58
Thanks for your last post.
My 1721 router does have a VPN module installed and I have upgraded it with the latest IOS that supports the 3DES VPN module. Furthermore I did a configuration according to a sample configuration on the Cisco site.
1721#sh run
Building configuration...
 
Current configuration : 3176 bytes
!
version 12.2
service timestamps debug datetime msec show-timezone
service timestamps log datetime msec show-timezone
no service password-encryption
!
hostname 1721
!
logging buffered 10000 informational
no logging console
aaa new-model
!
!
aaa authentication login userauthen local
aaa authorization network groupauthor local
aaa session-id common
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
username justin password 0 justin
ip subnet-zero
!
!
!
ip audit notify log
ip audit po max-events 100
!
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key share1
 pool ippool
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
!
!
!
interface Ethernet0
 ip address 203.21.1.252 255.255.255.0
 half-duplex
 no cdp enable
 crypto map clientmap
!
interface FastEthernet0
 ip address 192.19.21.1 255.255.255.0
 speed auto
 no cdp enable
!
interface Serial0
 bandwidth 1984
 no ip address
 shutdown
 no fair-queue
 no cdp enable
!
ip local pool ippool 192.19.21.191 192.9.201.199
ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 203.21.1.251
ip route 203.21.1.251 255.255.255.255 Ethernet0
no ip http server
ip pim bidir-enable
!
!
ip access-list extended dns-servers
ip access-list extended key-exchange
!
!
line con 0
line aux 0
line vty 0 4
 exec-timeout 30 0
 password 7 xxxxxxxxxx
!
no scheduler allocate
end


The problem now is that the VPN 3.6 client can establish the link to the 1721 VPN server and it shows an IP from the range configured above, but the PC can't even ping other computers in the same IP range.

Any help will be appreciated!!!
CiscoGod (TechnicalUser)
8 Nov 02 13:00
Good job, the problem is rather simple. You have a routing problem here. You are giving out a range of 192.19.21.191 thru 192.9.201.199 which is already used for interface FastEthernet0. If you change your "ip local pool ippool 192.19.21.191 192.9.201.199" to "ip local pool ippool 172.16.1.1 172.16.1.100" your clients should be able to hit "THE 1721 VPN Router only". Your next step is to propagate the new route via a dynamic routing protocol, i.e. EIGRP or OSPF. Or you can statically put the new VPN subnet on your internal gateways that your inside servers and PCs use, to point to your VPN Router for anything addressed to the subnet of 172.16.1.0. This will test the reachability real quick and it will work just fine. Now, do you want to keep with this new subnet for VPN access? Well, that's your decision to make; the point you have to keep in mind is *DO NOT use an existing IP subnet range*.

Hope this helps.

CiscoGod
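The overlap CiscoGod diagnoses above is easy to miss by eye in a long running-config, so here is a small lint that catches it mechanically. This is an added example, not code from the thread or from Cisco: it parses the `interface ... ip address` and `ip local pool` lines out of a config, reports any pool whose addresses land inside an interface subnet, and also reports a pool whose end address is numerically below its start (the posted line's end, 192.9.201.199, is below its start, 192.19.21.191). `SAMPLE_CONFIG` is a constructed, cut-down copy of the relevant lines from the posted config; `fixed_config` swaps in the 172.16.1.0 pool suggested above. Only the standard library is used.

```python
"""Added example (not from the Tek-Tips thread): lint a Cisco IOS running-config
for an 'ip local pool' that overlaps an interface subnet.  Standard library only."""
import ipaddress
import re

# Constructed sample: the lines from the posted 1721 config that matter here.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 203.21.1.252 255.255.255.0
 crypto map clientmap
!
interface FastEthernet0
 ip address 192.19.21.1 255.255.255.0
!
interface Serial0
 no ip address
 shutdown
!
ip local pool ippool 192.19.21.191 192.9.201.199
"""

# The replacement pool suggested in the thread (an unused subnet).
FIXED_POOL = "ip local pool ippool 172.16.1.1 172.16.1.100"


def parse_interfaces(config):
    """Return {interface_name: IPv4Network} for every interface that has an 'ip address'."""
    nets = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        # 'no ip address' does not match: the regex requires 'ip address' right after the indent.
        m = re.match(r"^\s+ip address (\S+) (\S+)", line)
        if m and current:
            nets[current] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}").network
    return nets


def parse_pools(config):
    """Return {pool_name: (start, end)} as IPv4Address pairs."""
    pools = {}
    for m in re.finditer(r"^ip local pool (\S+) (\S+) (\S+)", config, re.M):
        pools[m.group(1)] = (ipaddress.IPv4Address(m.group(2)),
                             ipaddress.IPv4Address(m.group(3)))
    return pools


def lint_pools(config):
    """Return a list of (pool_name, problem) tuples; an empty list means no issue found."""
    nets = parse_interfaces(config)
    issues = []
    for name, (start, end) in parse_pools(config).items():
        if end < start:
            issues.append((name, f"end {end} is below start {start}"))
        for ifname, net in nets.items():
            # Overlap if either endpoint lies in the subnet, or the pool spans the whole subnet.
            spans = start <= net.network_address and net.broadcast_address <= end
            if start in net or end in net or spans:
                issues.append((name, f"overlaps {ifname} subnet {net}"))
    return issues


def fixed_config(config):
    """Rewrite the 'ippool' line to the unused 172.16.1.0 range, as the thread suggests."""
    return re.sub(r"^ip local pool ippool .*$", FIXED_POOL, config, flags=re.M)


if __name__ == "__main__":
    for pool, problem in lint_pools(SAMPLE_CONFIG):
        print(f"pool {pool}: {problem}")
    print("after fix:", lint_pools(fixed_config(SAMPLE_CONFIG)) or "no issues")
```

Run against the sample it reports the inverted range and the clash with FastEthernet0's 192.19.21.0/24; after the pool is moved it reports nothing. The lint only checks the router's own interfaces: as the post says, the new subnet must still be routed back to the 1721 from the inside gateways, which no static check of this one config can prove.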
