Sunday, June 12, 2011

EasyVPN+NAT/PAT


To boot my lab machines securely from anywhere at any time, the solution is to VPN home and then wake the machines over the Internet with a WOL magic packet.
Cisco 877W with wireless configured, DSL Internet, and NAT/PAT so that all my machines can access the Internet.

The following are the key settings on my router.

! --- Global services and AAA ---
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Type-7 obfuscation is off. The 'secret 5' lines in this config are MD5-based
! hashes, but plaintext credentials elsewhere (the PPP password on Dialer0)
! stay readable in 'show running-config' and in every backup of it.
no service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging reload informational
! Type-5 (MD5) enable secret. The hash is itself sensitive material; once it
! has been pasted into a public post it should be regenerated.
enable secret 5 $1$2AJ5$yF2kRiSSfesmnaoHFkA1l1
!
! AAA. Everything authenticates against the local user database: console/VTY
! logins (default list), the EasyVPN XAUTH list VPN_LOGIN used by the ISAKMP
! profile, and the group authorization list VPN_NETWORK used by the ISAKMP
! profile and the crypto map.
aaa new-model
!
aaa authentication password-prompt "Enter your Password:"
aaa authentication login default local
aaa authentication login VPN_LOGIN local
aaa authorization network VPN_NETWORK local
!
aaa session-id common
!
! Self-signed certificate trustpoint with revocation checking disabled (the
! usual setting for a self-signed cert). ISAKMP uses pre-shared keys and
! 'no ip http server' is set, so nothing in this excerpt appears to use it;
! presumably left over from HTTPS/SDM management - confirm before removing.
crypto pki trustpoint TP-self-signed-1438064445
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1438064445
 revocation-check none
 rsakeypair TP-self-signed-1438064445
!!
! --- DHCP and name resolution ---
no ip dhcp use vrf connected
! The exclusions for 192.168.112.0/24 and 192.168.118.0/24 have no matching
! pool in this excerpt (presumably historical).
ip dhcp excluded-address 192.168.112.200 192.168.112.254
ip dhcp excluded-address 192.168.118.200 192.168.118.254
ip dhcp excluded-address 192.168.117.1 192.168.117.100
! .128-.254 covers the EasyVPN address pool VPN_POOL1 (.128-.191), so DHCP on
! Vlan200 can never hand out an address a VPN client may be holding.
ip dhcp excluded-address 192.168.117.128 192.168.117.254
! .0-.63 overlaps the .1-.100 exclusion above; only .0 (the network address)
! is new, so this line is effectively redundant.
ip dhcp excluded-address 192.168.117.0 192.168.117.63
!
! Pool for the wireless segment; the interface holding 192.168.114.254 is not
! part of this excerpt.
ip dhcp pool Wireless
   network 192.168.114.0 255.255.255.0
   default-router 192.168.114.254
   dns-server 203.12.160.35 203.12.160.36
!
! Pool for the wired LAN (192.168.117.254 is interface Vlan200).
ip dhcp pool vlan200-pool
   network 192.168.117.0 255.255.255.0
   dns-server 203.12.160.35 203.12.160.36
   default-router 192.168.117.254
!
!
ip cef
! Domain and resolver were redacted by the author (XXXX / X.X.X.X).
ip domain name XXXX
ip name-server X.X.X.X
!
multilink bundle-name authenticated
!
! Single local account. Because the default login list and VPN_LOGIN are both
! 'local', this privilege-15 admin account is also the XAUTH user for the VPN;
! a separate, non-privileged username for VPN clients would keep the two roles
! apart. The type-5 hash is sensitive material, like the enable secret.
username lee privilege 15 secret 5 $1$DqMx$5Pzwo10Aidt2/gtVNkrn2/
!        
!
! --- IKE phase 1 ---
! Policy 10: 3DES, pre-shared key, DH group 2; no 'hash' line, so the platform
! default hash applies. 3DES and group 2 (1024-bit DH) are legacy choices kept
! for client compatibility; prefer AES and a larger group where the client
! supports them.
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
!
! Policy 20: AES with MD5 integrity. It has no 'authentication pre-share' line,
! so the IOS default (rsa-sig) applies and the PSK-based EasyVPN clients will
! not match it - presumably a leftover; confirm with 'show crypto isakmp policy'.
crypto isakmp policy 20
 encr aes
 hash md5
 group 2
! Global default pool for mode-config address assignment.
crypto isakmp client configuration address-pool local VPN_POOL1
!
! EasyVPN group. 'key' is the group pre-shared key shared by every client
! (redacted). No 'acl' line is present, so the VPN_SPLIT_TUNNEL ACL defined
! later is not applied and clients are full-tunnel; 'save-password' lets the
! client cache its XAUTH password locally.
crypto isakmp client configuration group LEO_WENLU
 key YOURKEY
 domain itengineer.local
 pool VPN_POOL1
 save-password
! ISAKMP profile: XAUTH via VPN_LOGIN, group authorization via VPN_NETWORK.
! The dynamic map below carries no 'set isakmp-profile VPNclient', and the same
! lists are repeated on the 'crypto map VPN_MAP' lines; verify which one takes
! effect with 'show crypto isakmp profile'.
crypto isakmp profile VPNclient
   description This is my VPN Client Pro.
   match identity group LEO_WENLU
   client authentication list VPN_LOGIN
   isakmp authorization list VPN_NETWORK
   client configuration address respond
!
!
! --- IKE phase 2 ---
! ESP with 3DES and SHA-1 HMAC (same legacy caveat as policy 10).
crypto ipsec transform-set TRAN_3DES esp-3des esp-sha-hmac
!
! Dynamic map (responder-only: the router never initiates). 'reverse-route'
! installs a route for each connected client's assigned address.
crypto dynamic-map VPN_MAP 10
 set transform-set TRAN_3DES
 reverse-route
!
!
! The crypto map and the dynamic map share the name VPN_MAP but are separate
! objects. The crypto map is applied on Dialer0.
crypto map VPN_MAP isakmp authorization list VPN_NETWORK
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_MAP
!
! SSH: version 2 only, 30 s negotiation timeout. Together with 'transport input
! ssh' on the VTY lines this keeps Telnet off the management plane.
ip ssh time-out 30
ip ssh version 2
!
! NAT-inside loopback. Route-map VPN_CLIENT (applied on Dialer0) sets next-hop
! 10.11.0.2, an address in this subnet: VPN-client traffic is steered back in
! through a NAT-inside interface so it can be translated out Dialer0.
! NOTE(review): this looks like the usual loopback hairpin for full-tunnel
! clients - confirm with 'show ip nat translations' while a client browses.
interface Loopback0
 ip address 10.11.0.1 255.255.255.0
 ip broadcast-address 10.11.0.255
 ip nat inside
 ip virtual-reassembly
!
! DSL: PPPoE client on PVC 8/35, bound to dialer pool 1 (interface Dialer0).
interface ATM0
 no ip address
 no ip route-cache cef
 no ip route-cache
 no atm ilmi-keepalive
 pvc 8/35
  encapsulation aal5snap
  pppoe-client dial-pool-number 1
 !
!
! Switch ports: FastEthernet0 in VLAN 100, FastEthernet1-3 in VLAN 200.
! No port in this excerpt is placed in VLAN 300.
interface FastEthernet0
 switchport access vlan 100
!
interface FastEthernet1
 switchport access vlan 200
!
interface FastEthernet2
 switchport access vlan 200
!
interface FastEthernet3
 switchport access vlan 200
!
! Default VLAN left unaddressed and shut down ($ES_LAN$ is presumably an
! SDM-generated marker).
interface Vlan1
 description $ES_LAN$
 no ip address
 ip broadcast-address 192.168.113.255
 shutdown
!
! Vlan100: 192.168.112.0/24, NAT inside. TCP MSS is clamped to 1452 to fit the
! PPPoE path MTU. NAT_ACL has no permit for 192.168.112.0/24, so this VLAN
! gets no overload translation unless it is handled elsewhere - confirm.
interface Vlan100
 ip address 192.168.112.254 255.255.255.0
 ip broadcast-address 192.168.112.255
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
!
! Vlan200: 192.168.117.0/24, the wired LAN; VPN_POOL1 (.128-.191) is carved
! from this subnet. 'ip directed-broadcast' (off by default in IOS) lets a
! routed packet for 192.168.117.255 - e.g. a WOL magic packet arriving over the
! VPN - be flooded onto this VLAN. It is the only interface with it enabled;
! the optional ACL argument of 'ip directed-broadcast' can narrow it to the WOL
! traffic only. Because pool and subnet overlap, LAN hosts ARP for VPN-client
! addresses and rely on proxy-ARP on this interface (not disabled here) - TODO
! confirm.
interface Vlan200
 ip address 192.168.117.254 255.255.255.0
 ip broadcast-address 192.168.117.255
 ip directed-broadcast
 ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452
!        
! Vlan300: 192.168.113.0/24, NAT inside (NAT_ACL permits it). No switch port in
! this excerpt is assigned to VLAN 300; presumably the wireless/bridged side.
interface Vlan300
 ip address 192.168.113.254 255.255.255.0
 ip broadcast-address 192.168.113.255
ip nat inside
 no ip virtual-reassembly
 ip tcp adjust-mss 1452

! WAN: PPPoE dialer, address from the ISP, NAT outside, IPsec crypto map
! applied here. No 'ip access-group' is present on this interface in this
! excerpt, so the static NAT entries are reachable from any source; an inbound
! ACL that admits only IKE/ESP/NAT-T and the forwarded ports would close that.
! Policy routing VPN_CLIENT acts on packets received on this interface, which
! is how decrypted VPN-client packets are redirected to the loopback hairpin
! (presumed - see interface Loopback0).
! The PPP credentials are stored as type 0 (plaintext, redacted as XXX), and
! 'no service password-encryption' leaves them that way.
interface Dialer0
 ip address negotiated
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip flow ingress
no cdp enable
ip nat outside
 no ip virtual-reassembly
 encapsulation ppp
 ip policy route-map VPN_CLIENT
 dialer pool 1
 dialer-group 1
 no cdp enable
 ppp authentication pap callin
 ppp chap hostname XXX@XXX.XXX
 ppp chap password 0 XXX
 ppp pap sent-username XXX@XXX.XXX 0 XXX
 crypto map VPN_MAP
!
! Address pool handed to EasyVPN clients (inside the Vlan200 subnet).
ip local pool VPN_POOL1 192.168.117.128 192.168.117.191
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
! HTTP management disabled; no 'ip http secure-server' appears in this excerpt.
no ip http server
!
! PAT for the sources matched by NAT_ACL. The two static entries publish inside
! services on the WAN address: the first is redacted (X); the second exposes
! TCP/443 of 192.168.117.1 (a statically addressed host inside the DHCP
! exclusion) to the whole Internet, since Dialer0 carries no inbound ACL.
ip nat inside source list NAT_ACL interface Dialer0 overload
ip nat inside source static tcp X interface Dialer0 X
ip nat inside source static tcp 192.168.117.1 443 interface Dialer0 443
!
! NAT_ACL selects what gets translated. The deny lines keep internal flows
! untranslated: LAN (.0-.127) to the VPN pool (.128-.191), LAN to
! 192.168.200.0/24 (presumably a VPN-side/remote network), host .12 entirely,
! and anything to 192.168.119.0/24. The permits cover Vlan200 (which includes
! the VPN pool, so full-tunnel clients reach the Internet through PAT),
! Vlan300 and the wireless subnet; 192.168.112.0/24 (Vlan100) is not listed.
ip access-list extended NAT_ACL
 deny   ip 192.168.117.0 0.0.0.127 192.168.117.128 0.0.0.63
 deny   ip 192.168.117.0 0.0.0.255 192.168.200.0 0.0.0.255
 deny   ip host 192.168.117.12 any
 deny   ip 192.168.0.0 0.0.255.255 192.168.119.0 0.0.0.255
 permit ip 192.168.117.0 0.0.0.255 any
permit ip 192.168.113.0 0.0.0.255 any
 permit ip 192.168.114.0 0.0.0.255 any
!
! Sources in the VPN pool; used by route-map VPN_CLIENT for policy routing.
ip access-list extended VPN_IP
permit ip 192.168.117.128 0.0.0.63 any
! Split-tunnel ACL. It is not referenced by group LEO_WENLU in this excerpt
! (no 'acl' line there), so it currently has no effect.
ip access-list extended VPN_SPLIT_TUNNEL
 permit ip 192.168.117.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.114.0 0.0.0.255 192.168.200.0 0.0.0.255
 permit ip 192.168.112.0 0.0.0.255 192.168.200.0 0.0.0.255
!
logging trap notifications
!
! Policy routing for packets from VPN-pool sources (VPN_IP): next hop 10.11.0.2
! lies in the Loopback0 subnet (NAT inside), which sends the traffic back
! through NAT toward Dialer0.
route-map VPN_CLIENT permit 10
 match ip address VPN_IP
 set ip next-hop 10.11.0.2
!
!
control-plane
!
! Bridge group 10 (IEEE STP, routed IP); its member interfaces are not part of
! this excerpt.
bridge 10 protocol ieee
bridge 10 route ip
!
! Console and aux authenticate through the AAA default list (local). No
! 'exec-timeout' is set on any line here, so the platform default applies.
line con 0
 no modem enable
line aux 0
! VTY accepts SSH only (no Telnet).
line vty 0 4
 transport input ssh
!
scheduler max-task-time 5000
end
