Cisco IOS VPN Server with MS IAS User Authentication against Active Directory

This is how I have successfully configured a Cisco 2921 Integrated Services Router as a VPN server for remote users…

! [SNIP]
!
aaa new-model
!
!
aaa authentication login VPN_UserAuth group radius
aaa authentication login CLI_UserAuth local
aaa authentication login userauthen group radius
aaa authorization network VPN_GroupAuth local
!
! [SNIP]
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group group1
 key secretp4ssw0rd
 pool group1pool
 acl 101
 save-password
crypto isakmp profile vpn1-ra
   match identity group group1
   client authentication list VPN_UserAuth
   isakmp authorization list VPN_GroupAuth
   client configuration address respond
   virtual-template 3
!
!
crypto ipsec transform-set VTI-TS esp-3des esp-sha-hmac
!
!
crypto ipsec profile test-vti1
 set transform-set VTI-TS
!
!
! [SNIP]
interface Virtual-Template3 type tunnel
 ip unnumbered GigabitEthernet0/0
 ip virtual-reassembly in
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile test-vti1
!
ip local pool group1pool 172.18.1.1 172.18.1.25
!
! [SNIP]
access-list 101 permit ip 10.0.0.0 0.0.0.255 172.18.1.0 0.0.0.255
!
! [SNIP]
ip radius source-interface GigabitEthernet0/1
radius-server host 10.0.0.10 key remoteauth

Cisco IOS IPSec VPN NAT Woes…

Oi… this is complicated for me.
I’m trying to set up IPSec VPN on a Cisco 2900 series router. I set it up previously using the MS IAS for radius authentication/authorization and using local group authentication in this post.
Now, I connect to the router with my VPN client OK but I can’t communicate with the remote LAN (Router-side inside network) for some reason… I don’t even see the ACLs incrementing for the ACL specified in the VPN configuration!
Through googling, I found this information:

! Doesn't work: ip nat inside source route-map nonat interface Serial0 overload
ip nat inside source list 1 interface Serial0 overload

So, I incorporated that and also split-tunneling and have this:

!NEW
ip nat inside source list 101 interface GigabitEthernet0/0 overload
!OLD
!ip nat inside source route-map nonat interface GigabitEthernet0/0 overload
access-list 1 permit 10.0.0.0 0.0.0.255
access-list 101 deny ip 10.0.0.0 0.0.0.255 172.16.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
route-map nonat permit 10
match ip address 100
interface GigabitEthernet0/0
!OLD
!ip policy route-map nonat

If I show access-list, I do not see access-list 100 incrementing!
Why is this happening? =(
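
As an added example (not part of the original posts), here is a small Python check for the NAT-exemption problem that this post and the VPN server configuration above share: it parses the `ip local pool`, the numbered extended ACLs and the `ip nat inside source list` line, then evaluates the NAT ACL for LAN-to-pool flows the way IOS does (first match, implicit deny at the end). Both sample configs are constructed here; the first mirrors the pool and NAT list from the posts above, the second exempts a subnet that is not the pool, so pool-bound traffic would still be translated.

```python
"""Check an IOS config for the VPN/NAT overlap discussed above: LAN traffic to the
IPsec client pool must miss the NAT source ACL, or replies to VPN clients get NAT'd."""
import ipaddress

def _spec(tok, i):
    """Parse 'any' or 'addr wildcard' at tok[i] -> (addr, wildcard, next index)."""
    if tok[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    return int(ipaddress.IPv4Address(tok[i])), int(ipaddress.IPv4Address(tok[i + 1])), i + 2

def parse_config(text):
    """Return (pools, acls, nat_acl): pool ranges as ints, extended IP ACL entries, NAT list."""
    pools, acls, nat_acl = [], {}, None
    for line in text.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "local", "pool"]:
            pools.append(tuple(int(ipaddress.IPv4Address(t)) for t in tok[4:6]))
        elif tok[:1] == ["access-list"] and len(tok) > 3 and tok[3] == "ip":
            src, swc, i = _spec(tok, 4)
            dst, dwc, _ = _spec(tok, i)
            acls.setdefault(int(tok[1]), []).append((tok[2], src, swc, dst, dwc))
        elif tok[:5] == ["ip", "nat", "inside", "source", "list"]:
            nat_acl = int(tok[5])
    return pools, acls, nat_acl

def acl_action(entries, src, dst):
    """First-match evaluation, ending in the implicit deny IOS appends to every ACL."""
    for action, saddr, swc, daddr, dwc in entries:
        # wildcard-mask match: bits set in the wildcard are "don't care" bits
        if not ((src ^ saddr) & ~swc & 0xFFFFFFFF) and not ((dst ^ daddr) & ~dwc & 0xFFFFFFFF):
            return action
    return "deny"

def nat_exemption_gaps(text):
    """Return (inside_host, pool_ip) pairs the NAT ACL would translate; empty means exempt."""
    pools, acls, nat_acl = parse_config(text)
    entries = acls.get(nat_acl, [])
    # probe from the first host of each inside network the NAT ACL permits
    probes = sorted({a + 1 for act, a, wc, _, _ in entries if act == "permit" and wc != 0xFFFFFFFF})
    return [(str(ipaddress.IPv4Address(h)), str(ipaddress.IPv4Address(p)))
            for start, end in pools for p in range(start, end + 1) for h in probes
            if acl_action(entries, h, p) == "permit"]

# Constructed samples (not the page's full config): first post's pool and NAT list; the second
# denies a subnet that is not the pool, so pool-bound traffic still matches the permit and is NAT'd.
EXEMPT_OK = """ip local pool group1pool 172.18.1.1 172.18.1.25
access-list 101 deny ip 10.0.0.0 0.0.0.255 172.18.1.0 0.0.0.255
access-list 101 permit ip 10.0.0.0 0.0.0.255 any
ip nat inside source list 101 interface GigabitEthernet0/0 overload"""
EXEMPT_WRONG_SUBNET = EXEMPT_OK.replace("172.18.1.0 0.0.0.255", "172.16.1.0 0.0.0.255")
```

Any pair returned is a LAN-to-VPN-client flow the router would translate; a correct exemption returns an empty list.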

Cisco IOS Port Forwarding

So I recently replaced a Cisco ASA with a Cisco 2900 series router and needed to port forward SMTP, HTTP/HTTPS to an internal address from a global outside address.
This is the method I used that worked. For some reason, when I tried to apply it via the route-map, it kept giving me a duplicate IP address warning on the actual server and on the router. I am confused by that, but the following did work for me.

access-list 100 permit tcp any any eq smtp
access-list 100 permit tcp any any eq www
access-list 100 permit tcp any any eq 443
ip nat pool MAILSERVER 10.10.0.14 10.10.0.14 netmask 255.255.255.0 type rotary
ip nat inside destination list 100 pool MAILSERVER

The following did NOT work for me and I’m *not* sure why… can someone shed light?

routerA(config)#ip nat inside source static tcp 74.219.241.254 10.10.0.14 25 route-map lan2wan

Here’s part of the config (that should be relevant…)

interface GigabitEthernet0/0
 description Time Warner Cable 15x2
 ip address 74.219.241.254 255.255.255.0
 ip nat outside
 ip virtual-reassembly in
 no ip route-cache
 duplex auto
 speed auto
end
access-list 10 permit 10.10.0.0 0.0.0.255
ip nat inside source route-map lan2wan interface GigabitEthernet0/0 overload
route-map lan2wan permit 10
match ip address 10

Cisco IOS VPN Authentication via Windows Radius/IAS

Here are the important pieces of the puzzle…
Router:

aaa new-model
!
!
aaa authentication login default group radius
aaa authentication login userauthen group radius
aaa authorization network groupauthor local
!
aaa session-id common
!
crypto isakmp policy 3
 encr 3des
 authentication pre-share
 group 2
!
crypto isakmp client configuration group vpnclient
 key remote
 dns 10.0.0.10
 domain techish.net
 pool ippool
 acl 105
!
!
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10
 set transform-set myset
!
!
crypto map clientmap client authentication list userauthen
crypto map clientmap isakmp authorization list groupauthor
crypto map clientmap client configuration address respond
crypto map clientmap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/1
 ip address dhcp
 ip nat outside
 ip virtual-reassembly
 no ip route-cache cef
 no ip route-cache
 duplex auto
 speed auto
 crypto map clientmap
!
ip radius source-interface FastEthernet0/1
!
! Split tunnel VPN traffic
access-list 105 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
radius-server host 10.147.204.12 auth-port 1645 acct-port 1646 key cisco

Windows Server 2003 IAS:
Screenshots soon…

Cisco Configuration Audit Tool

I came across a nice tool (a bit old, but apparently still used as a baseline) called Router Audit Tool (RAT) from the Center for Internet Security (CIS).

http://benchmarks.cisecurity.org/en-us/?route=downloads.show.single.rat.windows.installer

Note: This tool does not reflect the Center’s current configuration guidance, is currently unsupported, and will remain so until updated.