
DMVPN

Mar 13

Goal :- To run a complete DMVPN setup between the Global Data Center (GDC) and remote locations. A remote location can use a 3G dongle and/or an ADSL connection.

Hardware Used :- Cisco 1941 router (Product ID – CISCO1941/K9)

Cisco 881W router (Product ID – C881W-E-K9)

IOS Used :- Cisco 881W :- c800-universalk9-mz.SPA.152-4.M4.bin

Cisco 1941 :- c1900-universalk9-mz.SPA.152-4.M5.bin

Licenses Used :- Advanced Security license on the Cisco 881W and 1941.

The Advanced IP Services license is also needed on the C881W router for the unified wireless image. License portal URL and other information related to licensing:

http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9000827

Test 1:- DMVPN with the remote location on an ADSL connection :-

GDC Setup:-

The Cisco 1941 has a public IP on its outside interface; its inside interface connects to the DMZ firewall on VLAN 31, through which the LAN is reachable. The default route points towards the internet.

Remote Setup:-

The Cisco 881W router's outside interface has a static public IP assigned and a static route towards the DSL router.

This is a simple DMVPN setup with a static public IP on both sides; I used the link below for the configuration.

http://www.firewall.cx/cisco-technical-knowledgebase/cisco-routers/901-cisco-router-dmvpn-configuration.html

Test 2:- DMVPN with the remote location on a 3G dongle. Here we have used IPsec over GRE with NAT traversal, since the spoke sits behind the wireless router's NAT.

GDC Setup:-

Same as in Test 1: the Cisco 1941 has a public IP on its outside interface, its inside interface connects to the DMZ firewall on VLAN 31 (through which the LAN is reachable), and the default route points towards the internet.

Remote Setup:-

C881W -> Wireless router -> 3G dongle

The Cisco 881W router's outside interface has a static private IP assigned and a static route towards the wireless router's inside interface. Although DHCP is configured on the wireless router, we used a static IP assignment instead.

The 3G dongle is connected to the outside interface of the wireless router.

Configuration:-

GDC 1941 router:-

L00DC1BAR01#sh run
Building configuration...

Current configuration : 4201 bytes
!
! Last configuration change at 07:18:39 UTC Fri Feb 21 2014 by admin
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname L00DC1BAR01
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
!
ip cef
!
!
!
!
!
!
ip domain name yourdomain.com
no ipv6 cef
!
multilink bundle-name authenticated
!
!
crypto pki trustpoint TP-self-signed-4147504180
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-4147504180
revocation-check none
rsakeypair TP-self-signed-4147504180
!
!
crypto pki certificate chain TP-self-signed-4147504180
certificate self-signed 01
quit
license udi pid CISCO1941/K9 sn FCZf2218py
license boot module c1900 technology-package securityk9
!
!
username admin privilege 15 password 0 admin
!
redundancy
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key CISCO address 0.0.0.0
!
!
crypto ipsec transform-set DELTA esp-3des esp-md5-hmac
mode tunnel
crypto ipsec transform-set DELTA1 esp-3des esp-md5-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile DELTA
set transform-set DELTA
!
!
!
!
!
!
!
interface Tunnel0
description #mGRE- DMVPN Tunnel#
ip address 10.110.72.1 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
ip nhrp network-id 1
cdp enable
tunnel source y.y.y.y
tunnel mode gre multipoint
tunnel protection ipsec profile DELTA
!
interface Embedded-Service-Engine0/0
no ip address
shutdown
!
interface GigabitEthernet0/0
description #Connected to L00DC1EXTSW01#
ip address y.y.y.y 255.255.255.224
duplex auto
speed auto
!
interface GigabitEthernet0/1
description #Connected to L00DC1DMZSW01#
ip address d.d.d.d 255.255.255.0
duplex auto
speed auto
!
ip forward-protocol nd
!
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
! z.z.z.z = outside interface of the external internet switch
ip route 0.0.0.0 0.0.0.0 z.z.z.z
ip route 10.110.74.4 255.255.255.255 192.194.135.1
! 10.110.72.2 = remote tunnel interface
ip route 10.240.1.0 255.255.255.0 10.110.72.2
! c.c.c.c = inside interface of the DMZ firewall
ip route 141.172.0.0 255.255.0.0 c.c.c.c
ip route 141.172.191.0 255.255.255.0 c.c.c.c
ip route 192.194.154.0 255.255.255.0 c.c.c.c
ip route 194.252.225.32 255.255.255.224 z.z.z.z
!
ip access-list extended GRE
permit gre any any
!
access-list 101 permit gre any any
!
!
!
control-plane
!
!
!
line con 0
logging synchronous
login local
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
stopbits 1
line vty 0 4
privilege level 15
login local
transport input all
line vty 5 15
privilege level 15
login local
transport input all
!
scheduler allocate 20000 1000
!
end

Remote C881W router:-

Reference:- http://www.cisco.com/en/US/docs/routers/access/800/880/software/configuration/guide/880_basic_device_wireless_config.html

https://supportforums.cisco.com/docs/DOC-16145

http://www.nerdosaur.com/wireless/cisco-881w-router-with-built-in-access-point/

Learnings:-

1. Make sure the AP is in unified mode, else LWAPP will not work.

Converting the wireless service module into unified mode:

Step 1 To change the access point boot image to a Cisco Unified upgrade image (also known as a recovery image), issue the service-module wlan-ap 0 bootimage unified command in global configuration mode.

Router# configure terminal
Router(config)# service-module wlan-ap 0 bootimage unified
Router(config)# end

Note: If the service-module wlan-ap 0 bootimage unified command does not work, check whether the advipservices or advipservices_npe software license is enabled.


To identify the access point's boot image path, use the show boot command in privileged EXEC mode on the access point console:

autonomous-AP# show boot
BOOT path-list: flash:/ap802-rcvk9w8-mx/ap802-rcvk9w8-mx

Step 2 To perform a graceful shutdown and reboot of the access point and complete the upgrade, issue the service-module wlan-ap 0 reload command in privileged EXEC mode. Establish a session into the access point and monitor the upgrade process.

2. After converting the image to unified:-

You need to assign the AP's BVI interface an IP address in the management range (VLAN 10, here 10.240.1.2) and set its default gateway to the VLAN 10 IP, here 10.240.1.1.

Also configure the router's Wlan-GigabitEthernet0 interface like this:

interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 10
switchport mode trunk

Make sure the controller's IP address is reachable by simply pinging the WLC.

Type “capwap ap controller ip address a.a.a.a” or “lwapp ap controller ip address a.a.a.a” on the AP in order to join the WLC.

BA-LAB#sh run
Building configuration...

Current configuration : 6095 bytes
!
version 15.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname BA-LAB
!
boot-start-marker
boot-end-marker
!
!
logging buffered 51200 warnings
!
no aaa new-model
service-module wlan-ap 0 bootimage unified
!
crypto pki trustpoint TP-self-signed-3930288585
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3930288585
revocation-check none
rsakeypair TP-self-signed-3930288585
!
!
crypto pki certificate chain TP-self-signed-3930288585
certificate self-signed 01
quit
ip cef
!
!
!
!

!
ip dhcp excluded-address 10.10.10.1
ip dhcp excluded-address 10.240.1.97
ip dhcp excluded-address 10.240.1.129
!
ip dhcp pool GUEST-VLAN
network 10.240.1.96 255.255.255.224
dns-server 8.8.8.8 8.8.4.4
default-router 10.240.1.97
lease 0 6
!
ip dhcp pool USER-VLAN
network 10.240.1.128 255.255.255.224
default-router 10.240.1.129
dns-server (internal DNS servers)
lease 0 6
!
!
!
no ip domain lookup
ip domain name yourdomain.com
no ipv6 cef
!
!
multilink bundle-name authenticated
license udi pid C881W-E-K9 sn FCZf3348rr
license accept end user agreement
license boot module c800 level advipservices
!
!
username admin privilege 15 secret 4 7.jZ4Dex7mHRhj/CulqZZbF6pyUlk6mDe08.brH568Y
!
!
!
!
!
!
!
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
crypto isakmp key CISCO address y.y.y.y
!
!
crypto ipsec transform-set DELTA esp-3des esp-md5-hmac
mode tunnel
crypto ipsec df-bit clear
!
crypto ipsec profile DELTA
set transform-set DELTA
!
!
!
!
!
!
!
interface Loopback0
ip address 10.240.1.254 255.255.255.255
!
interface Tunnel0
description #Remote mGRE + DMVPN Tunnel#
ip address 10.110.72.2 255.255.255.0
ip nhrp map 10.110.72.1 y.y.y.y
ip nhrp map multicast y.y.y.y
ip nhrp network-id 1
ip nhrp nhs 10.110.72.1
cdp enable
tunnel source FastEthernet4
tunnel destination y.y.y.y
tunnel protection ipsec profile DELTA
!
interface FastEthernet0
description USER-WIRED-PC
switchport access vlan 50
no ip address
!
interface FastEthernet1
description WIRELESS AP
switchport access vlan 10
no ip address
!
interface FastEthernet2
description PRINTER
switchport access vlan 20
no ip address
!
interface FastEthernet3
description GUEST WIRED PC
switchport access vlan 40
no ip address
!
interface FastEthernet4
description OUTSIDE INTERFACE
ip address 192.168.20.100 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport trunk native vlan 10
switchport mode trunk
no ip address
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip unnumbered Vlan10
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.10.10.1 255.255.255.248
ip tcp adjust-mss 1452
!
interface Vlan10
description MGMT-VLAN
ip address 10.240.1.1 255.255.255.224
ip nat inside
ip virtual-reassembly in
no autostate
!
interface Vlan20
description PRINTER-VLAN
ip address 10.240.1.33 255.255.255.224
no autostate
!
interface Vlan30
description VOICE-VLAN
ip address 10.240.1.65 255.255.255.224
no autostate
!
interface Vlan40
description GUEST-VLAN
ip address 10.240.1.97 255.255.255.224
ip nat inside
ip virtual-reassembly in
no autostate
!
interface Vlan50
description USER-VLAN
ip address 10.240.1.129 255.255.255.224
ip nat inside
ip virtual-reassembly in
no autostate
!
ip forward-protocol nd
ip http server
ip http access-class 23
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
!
ip nat inside source list guestlan interface FastEthernet4 overload
ip nat inside source list mgmtlan interface FastEthernet4 overload
ip nat inside source list userlan interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 192.168.20.1
ip route 10.110.74.4 255.255.255.255 10.110.72.1
ip route 141.172.0.0 255.255.0.0 10.110.72.1
ip route 192.194.135.0 255.255.255.0 10.110.72.1
ip route 192.194.154.0 255.255.255.0 10.110.72.1
!
ip access-list standard guestlan
permit 10.240.1.96 0.0.0.31
ip access-list standard mgmtlan
permit 10.240.1.0 0.0.0.31
ip access-list standard userlan
permit 10.240.1.128 0.0.0.31
!
access-list 23 permit 10.10.10.0 0.0.0.7
access-list 101 permit ip any host y.y.y.y
!
!
control-plane
!
!
!
line con 0
logging synchronous
login local
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
stopbits 1
line vty 0 4
login local
transport input telnet ssh
line vty 5 15
login local
transport input telnet ssh
!
scheduler allocate 20000 1000
!
end
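As an added example (not part of the original post or any Cisco tooling), a small Python audit that flags the settings in both running configs above that a security reviewer would push back on: the pre-shared key bound to 0.0.0.0 on the hub, 3DES/MD5 in the IKE policy and transform set, the type 0 admin password, Telnet on the VTY lines and cleartext HTTP. The hardened counterpart values (the 203.0.113.10 peer, the key and hash placeholders) are hypothetical.

```python
import re

# Constructed sample: the security-relevant lines quoted from the hub (L00DC1BAR01)
# and spoke (BA-LAB) running configs on this page, collected into one text.
PAGE_CONFIG = """\
no service password-encryption
username admin privilege 15 password 0 admin
crypto isakmp policy 10
 encr 3des
 hash md5
crypto isakmp key CISCO address 0.0.0.0
crypto ipsec transform-set DELTA esp-3des esp-md5-hmac
ip http server
line vty 0 4
 transport input all
"""

# Corrected counterpart (hypothetical values); a multi-spoke hub would use one key per spoke address, or certificates, rather than 0.0.0.0.
HARDENED_CONFIG = """\
service password-encryption
username admin privilege 15 secret <hash-generated-by-the-router>
crypto isakmp policy 10
 encr aes 256
 hash sha256
 group 14
crypto isakmp key <long-random-key> address 203.0.113.10
crypto ipsec transform-set DELTA esp-aes 256 esp-sha256-hmac
no ip http server
line vty 0 4
 transport input ssh
"""

# (regex, finding) pairs, each matched against a single config line.
CHECKS = [
    (r"^crypto isakmp key \S+ address 0\.0\.0\.0", "wildcard ISAKMP PSK: any peer holding the key may negotiate"),
    (r"^\s*encr (3des|des)\b", "IKE policy uses 3DES/DES"),
    (r"^\s*hash md5\b", "IKE policy uses MD5"),
    (r"\besp-(3des|des)\b", "IPsec transform uses 3DES/DES"),
    (r"\besp-md5-hmac\b", "IPsec transform uses MD5-HMAC"),
    (r"^username \S+ .*\bpassword\b", "user stored with reversible 'password' instead of 'secret'"),
    (r"^no service password-encryption", "passwords kept in cleartext in the running config"),
    (r"^\s*transport input (all|.*\btelnet\b)", "Telnet allowed on VTY lines"),
    (r"^ip http server$", "cleartext HTTP management enabled"),
]

def audit_ios_config(config: str) -> list[tuple[int, str]]:
    """Return (line_number, finding) for every weak setting found in an IOS config."""
    return [(n, finding)
            for n, line in enumerate(config.splitlines(), start=1)
            for pattern, finding in CHECKS if re.search(pattern, line)]
```

Running `audit_ios_config(PAGE_CONFIG)` reports nine findings (the transform set triggers two), while the hardened text reports none.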

 

We will be working on the following topology.

ASA 8.4 GNS3 topology

First of all we gather the requirements for our Clientless VPN; the requirements portion is inspired by the Keith CBT video.

Requirement:
Type of VPN:- Clientless VPN
Random machines on the Internet
They all support global PKI (SSL)
Not managed by company

Stage 1
Group Level:
Banner message: No
Custom Bookmark: Yes
WebType ACL: No
Allow portal URL browsing: Yes

Stage 2
Connection profile
Use LOCAL AAA
Name:- finance-con-profile
Alias:- finance-con-alias
Custom URL:- https://136.1.0.12/finance
Connections supported:- SSL ClientLess only
Connection profile linked to finance group:

Stage 3
User Level:
New user in the new Finance group: “finance-user”
Require use of specific connection profile

Goal:- Our goal is to use the Clientless VPN from an outside Windows XP box (136.1.0.254) to connect to the inside web server (136.1.121.254) and the Backtrack (136.1.121.254) machine; we will configure this setup using ASDM.

We will first do it with the built-in wizards of ASDM. Click on Wizards > VPN Wizards > Clientless SSL VPN Wizard. The screen will look like this.

The screen gives us an overview of SSL Clientless VPN. Click on Next.

In the next screen it asks for the connection profile name and other parameters; configure them as listed at the start. Check the box “Display Group Alias List at the login page” and click on Next.

On this screen we can use our AD or ACS database as the AAA method; for now we will use the local database of the ASA. Fill in the user details and password and then click on Add. The screen will look like below; then click on Next.

On the next page we define our group policy for finance users. Create a name for the group like “finance-group” and then click on Next.

This page asks for a bookmark. Click on Manage to create a new bookmark, or use an existing one from the dropdown.

In the small screen we configure our bookmark: click on Add and specify the bookmark name, then on the right side click on the Add button. A new screen pops up where we configure the parameters of the web server as follows.