Results tagged “Cisco IOS”

In response to a recent comment on my Connect to Cisco 851 with Cisco VPN Client post from a couple of years back, the following code is a revision that adds split tunneling support and updated comments within the config. If the VPN client appears to connect successfully but you are unable to reach network devices, the following tips may help.

  • Review the access-lists, paying special attention to the one referenced by your route-map. The first line of that access-list should be a deny statement matching traffic from the LAN to the designated VPN subnet. This line keeps traffic destined for the VPN clients out of NAT so it is sent back to your connecting machine.
  • Ensure the name of your route-map is referenced correctly in your "ip nat inside source route-map ... interface ... overload" statement for the outside interface.
  • Confirm the ip nat inside and ip nat outside commands are on the appropriate interfaces.

The code below is from a working production environment.

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname DEMO851w
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
!
aaa authentication login demousers local
aaa authorization network demogroup local
!
aaa session-id common
!
resource policy
!
clock timezone Hawaii -10
ip subnet-zero
!
!
ip cef
ip inspect name DEFAULT100 cuseeme
ip inspect name DEFAULT100 ftp
ip inspect name DEFAULT100 h323
ip inspect name DEFAULT100 icmp
ip inspect name DEFAULT100 rcmd
ip inspect name DEFAULT100 realaudio
ip inspect name DEFAULT100 rtsp
ip inspect name DEFAULT100 esmtp <consider removing this line for Exchange 2007 compatibility>
ip inspect name DEFAULT100 sqlnet
ip inspect name DEFAULT100 streamworks
ip inspect name DEFAULT100 tftp
ip inspect name DEFAULT100 tcp
ip inspect name DEFAULT100 udp
ip inspect name DEFAULT100 vdolive
ip tcp synwait-time 10
no ip bootp server
no ip domain lookup
ip domain name domain.local
ip name-server <internal dns>
!
username sysadmin privilege 15 secret 5 <password hash>
<add more vpn users here>
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool
!
crypto isakmp client configuration group demogroup <VPN client Group Authentication name>
 key <group passphrase for vpn client>
 dns <internal dns>
 domain domain.local
 pool dynpool
 acl 105
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
crypto map dynmap client authentication list demousers
crypto map dynmap isakmp authorization list demogroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description ** WAN **
 ip address <external ip> 255.255.255.x
 ip access-group 101 in
 ip verify unicast reverse-path
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect DEFAULT100 out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto map dynmap
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid AP851G
    vlan 1
    authentication open
    authentication key-management wpa
    guest-mode
    wpa-psk ascii 0 <password>
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool dynpool 192.168.15.1 192.168.15.5
ip classless
ip route 0.0.0.0 0.0.0.0 <isp gateway>
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
ip nat inside source static tcp <internal server> 25 <external ip> 25 extendable
ip nat inside source static tcp <internal server> 80 <external ip> 80 extendable
ip nat inside source static tcp <internal server> 443 <external ip> 443 extendable
!
access-list 1 permit 192.168.0.0 0.0.255.255
access-list 101 remark ** Permit Inbound IPSEC Traffic & Split Tunnel **
access-list 101 permit ip host 192.168.15.1 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.2 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.3 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.4 192.168.1.0 0.0.0.255
access-list 101 permit ip host 192.168.15.5 192.168.1.0 0.0.0.255
access-list 101 permit udp any host <external ip> eq non500-isakmp
access-list 101 permit udp any host <external ip>
access-list 101 permit esp any host <external ip>
access-list 101 permit ahp any host <external ip>
access-list 101 remark ** Block Telnet **
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 remark ** Deny netbios from the internet **
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 remark ** Permit Exchange Related Traffic **
access-list 101 permit tcp any host <external ip> eq smtp
access-list 101 permit tcp any host <external ip> eq www
access-list 101 permit tcp any host <external ip> eq 443
access-list 101 permit udp any host <external ip> eq ntp
access-list 101 deny   ip any host <external ip>
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 101 permit ip any any
access-list 105 remark ** VPN Traffic **
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
snmp-server community public RO
no cdp run
route-map nonat permit 10
 match ip address 110
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
ntp clock-period 17175022
ntp server 140.31.199.8 prefer
end
DEMO851w#
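The three troubleshooting tips at the top of this post can be checked mechanically against a saved running-config. The script below is an added example, not part of the post and not a Cisco tool: it pulls the route-map name and interface out of the `ip nat inside source route-map` statement, follows the route-map to its access-list, verifies that the first entry denies LAN-to-VPN-pool traffic (using the `ip local pool` range to know what the VPN subnet is), and confirms `ip nat outside` sits on the NAT interface and `ip nat inside` on some other interface. The embedded config is a constructed trim of the configuration above with placeholder addresses; the same checks apply to the older split-tunnel-less config at the end of this page. To run it on a real device, save `show running-config` to a file and call `check_vpn_nat(open(path).read())`.

```python
import ipaddress
import re

# Constructed sample: a trimmed copy of the kind of config shown above, reduced to
# the statements the three tips refer to. Addresses are placeholders, not a real device.
GOOD_CONFIG = """\
interface FastEthernet4
 ip address 203.0.113.10 255.255.255.248
 ip nat outside
 crypto map dynmap
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
ip local pool dynpool 192.168.15.1 192.168.15.5
ip nat inside source route-map nonat interface FastEthernet4 overload
access-list 110 deny   ip 192.168.1.0 0.0.0.255 192.168.15.0 0.0.0.255
access-list 110 permit ip 192.168.1.0 0.0.0.255 any
route-map nonat permit 10
 match ip address 110
"""


def parse_interfaces(cfg):
    """Return {interface name: [stripped sub-commands]} for every interface block."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or any other global command ends the block
    return blocks


def acl_entries(cfg, acl):
    """Ordered entries of a numbered access-list as token lists, remarks skipped."""
    out = []
    for line in cfg.splitlines():
        parts = line.split()
        if parts[:2] == ["access-list", acl] and len(parts) > 2 and parts[2] != "remark":
            out.append(parts)
    return out


def read_addr(tokens, i):
    """Parse one extended-ACL address spec (any | host A | A WILDCARD) at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)   # invert the wildcard
    return ipaddress.ip_network(f"{tokens[i]}/{netmask}", strict=False), i + 2


def check_vpn_nat(cfg):
    """Apply the three tips to a running-config; return a list of problems (empty = passes)."""
    problems = []
    nat = re.search(r"^ip nat inside source route-map (\S+) interface (\S+) overload", cfg, re.M)
    if not nat:
        return ["no 'ip nat inside source route-map ... interface ... overload' statement"]
    rm_name, nat_if = nat.groups()

    # Tip 2: the route-map named in the NAT statement must exist and match an ACL.
    rm = re.search(rf"^route-map {re.escape(rm_name)} permit \d+\n match ip address (\S+)", cfg, re.M)
    if not rm:
        return [f"route-map '{rm_name}' named in the NAT statement has no 'match ip address' clause"]
    acl = rm.group(1)

    # Tip 1: the first entry of that ACL must deny LAN -> VPN client pool, which exempts
    # client-bound traffic from NAT so replies go back through the tunnel.
    pool = re.search(r"^ip local pool \S+ (\S+) (\S+)", cfg, re.M)
    entries = acl_entries(cfg, acl)
    if not pool:
        problems.append("no 'ip local pool' for VPN clients")
    elif not entries:
        problems.append(f"access-list {acl} referenced by route-map {rm_name} has no entries")
    else:
        pool_start = ipaddress.ip_address(pool.group(1))
        first = entries[0]
        ok = first[2] == "deny" and first[3] == "ip"
        if ok:
            _, i = read_addr(first, 4)          # source
            dest, _ = read_addr(first, i)       # destination
            ok = pool_start in dest
        if not ok:
            problems.append(f"first entry of access-list {acl} should deny LAN -> VPN pool "
                            f"({pool_start}) traffic; found: {' '.join(first[2:])}")

    # Tip 3: 'ip nat outside' on the NAT interface, 'ip nat inside' somewhere else.
    ifaces = parse_interfaces(cfg)
    if "ip nat outside" not in ifaces.get(nat_if, []):
        problems.append(f"'ip nat outside' missing on {nat_if}")
    if not any("ip nat inside" in sub for sub in ifaces.values()):
        problems.append("no interface carries 'ip nat inside'")
    return problems


if __name__ == "__main__":
    for p in check_vpn_nat(GOOD_CONFIG) or ["all three checks pass"]:
        print(p)
```

The parser is deliberately narrow (numbered ACLs, one `match ip address` per route-map sequence), which is all these 8xx configs use; named ACLs and multiple sequences would need a little more work.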

Comments and questions welcomed.

I recently serviced a customer who had a spare Cisco 851w router and asked if I could configure it as a standalone access point. It would be used in a branch office that already had a Cisco 2811 router and a Cisco 2960 switch in place. The client wanted to provide basic, secure wireless access for the branch office users with equipment already on hand. DHCP for the wireless clients was served from the Cisco 2811 router. Below is the working 851w config used for access-point-only functionality.

Current configuration : 3804 bytes
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname AP851
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
!
aaa new-model
!
aaa session-id common
!
dot11 ssid AP851G
   vlan 1
   authentication open
   authentication key-management wpa
   guest-mode
   wpa-psk ascii 0  < wireless passphrase >
!
ip cef
no ip bootp server
no ip domain lookup
!
no spanning-tree vlan 1
username sysadmin privilege 15 secret 5 < password >
archive
 log config
  hidekeys
!
bridge irb
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3 <- Connect to your existing switch
 no cdp enable
 spanning-tree portfast
!
interface FastEthernet4
 no ip address
 ip virtual-reassembly
 shutdown
 duplex auto
 speed auto
!
interface Dot11Radio0
 no ip address
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid AP851G
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 ip address 192.168.1.10 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
no ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 192.168.1.1 <- internal gateway core router ip
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
access-list 1 permit 192.168.0.0 0.0.255.255
snmp-server community public RO
no cdp run
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
end

AP851#

If you are connecting to a Cisco switch, enter "no spanning-tree portfast bpduguard" in config mode to prevent the port from being blocked. Comments and questions welcomed.

Instructions for upgrading IOS images on Cisco routers are already well documented and can easily be found on the Cisco website or through a general web search. This post is a review of the upgrade procedure as it relates to the 851 router.

Last week I received a new 851 router for a customer's new office buildout. I skipped the web-based initial setup procedure outlined in the setup guide and instead dropped in a template config through a console port session. Upgrading to the latest IOS image is part of my usual new router deployment routine. (See the related entries section below for sample configs.)

Prior to upgrading, have available, or install and configure, a TFTP server. On my connecting PC I have the SolarWinds TFTP server installed. From a console or telnet session, issue the "sh ver" command in privileged exec mode to view the current image:

Cisco851#sh ver
Cisco IOS Software, C850 Software (C850-ADVSECURITYK9-M), Version 12.4(15)T7, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Thu 14-Aug-08 07:18 by prod_rel_team

ROM: System Bootstrap, Version 12.3(8r)YI4, RELEASE SOFTWARE

Cisco851 uptime is 48 minutes
System returned to ROM by power-on
System image file is "flash:c850-advsecurityk9-mz.124-15.T7.bin"

The current image file is c850-advsecurityk9-mz.124-15.T7.bin. The latest image available from CCO as of this post is c850-advsecurityk9-mz.124-15.T9.bin.


Download the latest image to your TFTP root directory. (To download IOS images from CCO you'll need to be registered and associated with a SMARTnet or Comprehensive Maintenance service contract.)

Next, issue the "sh flash" command to view the flash contents.

Cisco851#sh flash
20480K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

    2  -rwx    12701008   --- -- ---- --:--:-- -----  c850-advsecurityk9-mz.124-15.T7.bin
    3  -rwx        3179   Mar 1 2002 00:04:00 +00:00  sdmconfig-8xx.cfg
    4  -rwx      931840   Mar 1 2002 00:04:18 +00:00  es.tar
    5  -rwx     1505280   Mar 1 2002 00:04:41 +00:00  common.tar
    6  -rwx        1038   Mar 1 2002 00:04:55 +00:00  home.shtml
    7  -rwx      112640   Mar 1 2002 00:05:07 +00:00  home.tar

19353600 bytes total (4091904 bytes free)

Delete the existing image file. Issue the following command, then press Enter at each prompt to confirm.

Cisco851#del flash:c850-advsecurityk9-mz.124-15.T7.bin
Delete filename [c850-advsecurityk9-mz.124-15.T7.bin]?
Delete flash:c850-advsecurityk9-mz.124-15.T7.bin? [confirm]
Cisco851#

Just to be safe, start your TFTP server, then back up the current config with the following command:

Cisco851#copy running-config tftp
Address or name of remote host []? 192.168.1.78 <-- enter tftp server ip
Destination filename [Cisco851-confg]?
!!!
7031 bytes copied in 0.060 secs (117183 bytes/sec)
Cisco851#

Issue the following command to transfer the new image to the router:

Cisco851#copy tftp flash:
Address or name of remote host []? 192.168.1.78  <-- enter tftp server ip
Source filename []? c850-advsecurityk9-mz.124-15.T9.bin
Destination filename [c850-advsecurityk9-mz.124-15.T9.bin]?
Accessing tftp://192.168.1.78/c850-advsecurityk9-mz.124-15.T9.bin...
Loading c850-advsecurityk9-mz.124-15.T9.bin from 192.168.1.78 (via BVI1):
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 12747284 bytes]

12747284 bytes copied in 277.896 secs (45871 bytes/sec)
Cisco851#


Issue the reload command and confirm, or save the modified config if prompted. That's it. Any comments or questions welcomed.
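The reason the procedure deletes the old image before copying the new one is visible in the "sh flash" listing: 4091904 bytes free is not enough for a 12747284-byte image, so the old 12701008-byte image has to go first. The script below is an added example, not from the post or from Cisco, that makes that space check explicit: it parses the "sh flash" output quoted above (embedded here as the sample input) and reports whether the new image fits and which existing .bin files would have to be removed, largest first. The caveat a practitioner wants here is that once the running image is deleted, a failed or corrupted copy leaves no bootable image in flash, so keep the old image on the TFTP server and console access at hand until the router has reloaded cleanly on the new one.

```python
import re

# The 'sh flash' listing from the post, embedded here as the sample input.
SH_FLASH = """\
20480K bytes of processor board System flash (Intel Strataflash)

Directory of flash:/

    2  -rwx    12701008   --- -- ---- --:--:-- -----  c850-advsecurityk9-mz.124-15.T7.bin
    3  -rwx        3179   Mar 1 2002 00:04:00 +00:00  sdmconfig-8xx.cfg
    4  -rwx      931840   Mar 1 2002 00:04:18 +00:00  es.tar
    5  -rwx     1505280   Mar 1 2002 00:04:41 +00:00  common.tar
    6  -rwx        1038   Mar 1 2002 00:04:55 +00:00  home.shtml
    7  -rwx      112640   Mar 1 2002 00:05:07 +00:00  home.tar

19353600 bytes total (4091904 bytes free)
"""

NEW_IMAGE = "c850-advsecurityk9-mz.124-15.T9.bin"
NEW_IMAGE_BYTES = 12747284      # size reported by the 'copy tftp flash:' in the post


def parse_sh_flash(text):
    """Return ({filename: size in bytes}, free bytes) from 'sh flash' output."""
    files = {}
    for line in text.splitlines():
        # index, permission flags, size, (date or dashes), filename
        m = re.match(r"\s*\d+\s+[-rwx]{4}\s+(\d+)\s+.*\s(\S+)$", line)
        if m:
            files[m.group(2)] = int(m.group(1))
    free = int(re.search(r"\((\d+) bytes free\)", text).group(1))
    return files, free


def plan_upgrade(sh_flash_text, new_image, new_size):
    """Work out whether the new image fits and which old .bin images must go first.

    Returns {'fits': bool, 'delete': [names], 'free_after': bytes}. Largest images are
    removed first; the new image itself is never listed for deletion."""
    files, free = parse_sh_flash(sh_flash_text)
    delete, reclaimed = [], free
    candidates = sorted((n for n in files if n.endswith(".bin") and n != new_image),
                        key=files.get, reverse=True)
    for name in candidates:
        if new_size <= reclaimed:
            break
        delete.append(name)
        reclaimed += files[name]
    return {"fits": new_size <= reclaimed, "delete": delete, "free_after": reclaimed - new_size}


if __name__ == "__main__":
    plan = plan_upgrade(SH_FLASH, NEW_IMAGE, NEW_IMAGE_BYTES)
    print("fits:", plan["fits"])
    for name in plan["delete"]:
        print(f"delete flash:{name}")
    print("free after copy:", plan["free_after"], "bytes")
```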


For terminal server users working remotely over a bandwidth-challenged connection from a branch or home office, remote printing can easily consume a good portion, if not all, of the available bandwidth. Managing printer bandwidth in a Windows 2003 terminal server environment usually requires a third-party solution like triCerat ScrewDrivers, converting to Citrix Presentation Server (XenApp), or upgrading to Windows Server 2008 (MSDN Blog Ref).

Another option if available is traffic shaping.

A few months ago I fielded a trouble call from a client regarding slow terminal server session performance whenever a remote branch office user would print or scan. Around 15 branch office users connect to a Windows 2003 terminal server at the home office via a T1 point-to-point connection. Both ends of the T1 terminate on a pair of Cisco 1841 routers.

Print jobs spool over the WAN link from a print server at the home office to one of two network copier/printer machines at the branch office. In addition to printing, branch office users consistently send large scan jobs over the WAN from the copier/printer machines to a file server at the home office via FTP.

Shaping was implemented on the Cisco 1841 routers to help guarantee bandwidth for RDP-related traffic while throttling the printer and scanning traffic. Below is the relevant home and branch office router shaping code with an overview:

Home Office router code:

access-list 115 permit ip any host 192.168.11.202
access-list 115 permit ip any host 192.168.11.203
!
class-map match-all PRINTING-Class
 match access-group 115
!
policy-map RemotePrinting-Policy
 class PRINTING-Class
  bandwidth 30
policy-map WAN-Policy
 class class-default
  shape average 1152000
  service-policy RemotePrinting-Policy
!
interface Serial0/0/0
 description WAN connection to Branch Office
 ip address 192.168.100.1 255.255.255.252
 ip route-cache flow
 service-module t1 clock source internal
 service-module t1 timeslots 1-24
 service-policy output WAN-Policy

First, the printer traffic sent from the home office 192.168.10.x subnet to the branch office 192.168.11.x subnet is identified on the home office router with a class-map that matches an access-list. The IPs listed in access-list 115 correspond to the network copier/printers at the branch office.

Second, a class policy is created for the printer traffic and allocated a maximum of 30 percent of the overall bandwidth.

Third, the WAN-Policy defines the total available bandwidth for classified and unclassified traffic. The "shape average 1152000" command sets the bandwidth limit; it is 75 percent of the total T1 point-to-point bandwidth, as referenced in Cisco's "Class-Based Weighted Fair Queueing" document. The 75 percent can be adjusted as needed with the "max-reserved-bandwidth" command (Cisco Ref).

The final step is to apply the shaping policy to the appropriate interface. In this case the "service-policy output WAN-Policy" command is applied to the Serial0/0/0 interface. The shaping mechanism is then applied immediately to any printing traffic destined for the branch office.

Shaping code on the Branch Office router is similar:

access-list 114 permit tcp any any eq ftp
access-list 115 permit tcp any any eq 3389
!
class-map match-all FTP-Class
 match access-group 114
class-map match-all RDP-Class
 match access-group 115
!
policy-map HomeOffice-Policy
 class RDP-Class
  bandwidth 70
 class FTP-Class
  bandwidth 30
policy-map WAN-Policy
 class class-default
  shape average 1152000
  service-policy HomeOffice-Policy
!
interface Serial0/0/0
 description WAN connection to Home Office
 ip address 192.168.100.2 255.255.255.252
 ip route-cache flow
 service-module t1 timeslots 1-24
 service-policy output WAN-Policy

Access-lists 114 and 115 are used to identify FTP and RDP traffic. A class policy with bandwidth allocations is also created: if needed, 70 percent of the bandwidth will be reserved for RDP traffic, and FTP is allocated up to 30 percent.
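The numbers in both policies follow from the T1 rate: 24 timeslots of 64 kbps give 1536000 bps, and the CBWFQ default of reserving at most 75 percent of the link is where "shape average 1152000" comes from; the per-class percentages are then shares of that shaped rate. The script below is an added example, not code from the post, that carries those figures through and renders the nested parent/child policy. It writes the class lines as `bandwidth percent <n>`, because in MQC a bare `bandwidth <n>` is read as kilobits per second rather than a percentage; in either form the value is a minimum guarantee under congestion rather than a hard cap, so the "throttling" here comes from the parent shaper and from the classes competing for the shaped rate.

```python
DS0_BPS = 64_000   # one T1 timeslot (DS0) carries 64 kbps


def t1_line_rate_bps(timeslots=24):
    """Raw rate of a T1 using 'timeslots' DS0s: 1_536_000 bps when all 24 are used."""
    return timeslots * DS0_BPS


def shape_rate_bps(line_rate_bps, max_reserved_percent=75):
    """Rate to put in 'shape average': CBWFQ reserves at most max-reserved-bandwidth
    (75% by default) of the link, leaving the rest for control traffic and overhead."""
    return line_rate_bps * max_reserved_percent // 100


def class_allocations_bps(shape_bps, percents):
    """Map {class: percent of the shaped rate} to {class: bps}.

    Raises ValueError when the classes together exceed 100% (IOS does not accept such
    a policy); the leftover share is reported under 'class-default'."""
    total = sum(percents.values())
    if total > 100:
        raise ValueError(f"class allocations total {total}%, more than 100% of the shaped rate")
    alloc = {cls: shape_bps * pct // 100 for cls, pct in percents.items()}
    alloc["class-default"] = shape_bps - sum(alloc.values())
    return alloc


def render_policy(parent, child, shape_bps, percents):
    """Emit the nested MQC policy described in the post, using 'bandwidth percent'
    so the numbers mean percentages of the parent shape rate."""
    lines = [f"policy-map {child}"]
    for cls, pct in percents.items():
        lines += [f" class {cls}", f"  bandwidth percent {pct}"]
    lines += [f"policy-map {parent}", " class class-default",
              f"  shape average {shape_bps}", f"  service-policy {child}"]
    return "\n".join(lines)


if __name__ == "__main__":
    rate = shape_rate_bps(t1_line_rate_bps())            # 1152000, as in the post
    branch = {"RDP-Class": 70, "FTP-Class": 30}
    for cls, bps in class_allocations_bps(rate, branch).items():
        print(f"{cls:14s} {bps // 1000:5d} kbps")
    print(render_policy("WAN-Policy", "HomeOffice-Policy", rate, branch))
```

Running it with the branch office split prints 806 kbps for RDP and 345 kbps for FTP with nothing left over for class-default; the home office policy's single 30 percent printing class leaves the remaining 70 percent for everything else.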

The final bandwidth allocations were established after testing different percentage combinations and gathering user feedback. The 70/30 combination seemed to provide the best overall performance for the number of remote users in this particular environment. Although the print and scan jobs slowed down noticeably, branch office users no longer experienced the remote desktop slowdown. Implementing the shaping code on this network resulted in a more stable and consistent overall remote desktop experience. Comments or questions welcomed.

If you're not familiar with Cymphonix Network Composer, here's a brief overview of my experience with it.

First of all, it's an appliance-based gateway security device. It analyzes, monitors and filters network traffic in and out of your gateway router or firewall and is specifically designed for small to medium-sized businesses. Throughout the year I've had several clients approach me with the following concerns and questions regarding internet connection troubleshooting and end-user web traffic monitoring:

  • Is there a way for me to monitor and log what my users are doing on the internet?
  • How can I prioritize and or throttle certain types of web traffic?
  • I've got a 5 Mb internet connection but it always seems so slow, can you tell me why?
  • How can I block BitTorrent, LimeWire, YouTube, MySpace or FaceBook?

In most cases Cymphonix Network Composer has been my preferred solution for these reasons:

  • Appliance based
  • Deep packet inspection
  • Gateway traffic "total visibility"
  • Prioritize critical traffic
  • Throttle, or completely block non critical traffic
  • Realtime application, url and bandwidth monitoring
  • Spyware and Antivirus protection
  • Integrates with Active Directory
  • Filter by already established Active Directory groups
  • Identify users in realtime

A more thorough review and testimonials can be found at www.cymphonix.com or check out an actual Network Composer for yourself at http://demo.cymphonix.com using demo as the login and password.

A few months ago I had a request from a potential client who wanted to know if the Network Composer could be used on a trunk link. I wasn't sure and had to call Cymphonix tech support to find out. In most implementations the Network Composer is assigned a LAN-accessible IP and sits transparently inline between the gateway and the LAN-side switch. So what if the gateway is also providing inter-VLAN routing? "As long as the Network Composer is assigned an IP from the untagged or native VLAN it should be fine on a trunk link" was the response from Cymphonix tech support. Just to be sure, I set up a test network with a Network Composer DC10 model connected inline on a trunk link and configured it with an IP address (192.168.1.2) on the untagged (192.168.1.x) VLAN.

Here's the relevant router and switch code.

Cisco 2600 Router

ip dhcp pool Native
   network 192.168.1.0 255.255.255.0
   default-router 192.168.1.1
   dns-server 216.136.95.2
!
ip dhcp pool VLAN200
   network 172.16.10.0 255.255.255.0
   default-router 172.16.10.1
   dns-server 216.136.95.2
!
ip dhcp pool VLAN150
   network 10.1.1.0 255.255.255.0
   default-router 10.1.1.1
   dns-server 216.136.95.2
!
interface Ethernet0/1
 description Connected to 2950 Switch
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
 full-duplex
!
interface Ethernet0/1.150
 description Data10 VLAN 150
 encapsulation dot1Q 150
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Ethernet0/1.200
 description Data VLAN 200
 encapsulation dot1Q 200
 ip address 172.16.10.1 255.255.255.0
 ip nat inside

Cisco 2950 Switch

interface FastEthernet0/9
 description Connected to 2600 Router
 switchport trunk allowed vlan 1,150,200,1002-1005
 switchport mode trunk
 speed 10
 duplex full
 spanning-tree portfast
!
interface FastEthernet0/10
 switchport access vlan 150
 switchport mode access
 spanning-tree portfast
!
interface FastEthernet0/11
 spanning-tree portfast
!
interface FastEthernet0/12
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast

From within Network Composer I set up two VLAN-ID-based groups, labeled VLAN 150 and VLAN 200.

Separate laptops were plugged into ports 10 and 12 on the 2950 switch. Web traffic was generated from each laptop, and almost immediately the Network Composer began to display the traffic correlated to the respective VLAN groups. I tested some of the Internet Usage Rules against the VLAN groups and they worked just fine. Here's a Group Details activity screenshot.

As I mentioned earlier, Network Composer is my preferred choice for web activity monitoring and filtering. It's very flexible, not too difficult to implement, and for the most part does what it claims to do, and seems to do it well. Comments, questions, suggestions, personal Network Composer experiences or implementation stories are welcomed.

If your Cisco 851 or 871 router's DHCP-enabled WAN interface isn't pulling an IP from the ISP, check whether the command "ip verify unicast reverse-path" is enabled on it. I was servicing a client with a ClearWire internet connection and a new Cisco 851 router and couldn't figure out why the DHCP-enabled WAN interface wasn't pulling an IP from the ISP. I forwarded the config to Cisco TAC, and the first and only edit they had me make was to remove "ip verify unicast reverse-path" from the WAN interface. I got a successful lease after making the change. Supposedly it enables anti-spoofing functionality. Review the details here: http://www.cisco.com/en/US/docs/ios/12_1/security/command/reference/srdrpf.html

Last week I updated an 851 router with the latest IOS image and noticed some errors after reloading the router. The upgrade was from system image c850-advsecurityk9-mz.124-4.T8.bin to c850-advsecurityk9-mz.124-15.T3.bin; the 4.T8 image was the one shipped out of the box. On reload with the new image, the router console displayed the following:

no ip dhcp use vrf connected
               ^
% Invalid input detected at '^' marker.

Warning: View-list ezvpn-internal-viewlist does not currently exist - configuring anyway

Configuration failed!

Looks like the ip dhcp use vrf command is no longer an option in the 15.T3 image:

cisco851(config)#ip dhcp use ? <-- 4.T8 image
  class  Configure use of DHCP classes
  vrf    Ignore or use receiving interface VRF

cisco851(config)#ip dhcp use ? <-- 15.T3 image
  class  Configure use of DHCP classes

However, as soon as I created a DHCP pool using the 15.T3 image, the "no ip dhcp use vrf connected" command was automatically added to the config, and that is the command that errors out on a 15.T3 reload. Regarding the view-list error, I'm assuming it is a result of no currently active VPN tunnels, but I don't know for sure. The related commands are as follows:

cisco851W(config)#ip dns ? <-- 4.T8 image
  primary   Configure primary DNS server
  server    Enable DNS server
  spoofing  Configure DNS spoofing

cisco851(config)#ip dns <-- 15.T3 image
  name-list  Regular expression name-list
  primary    Configure primary DNS server
  server     Enable DNS server
  spoofing   Configure DNS spoofing
  view       Configure a DNS view
  view-list  Configure a DNS view-list

This doc from Cisco helped to shed some light on the commands and their function:

http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htspldns.html#wp1049435

I had an interesting couple of days configuring, testing and troubleshooting an 851 router remote client EZVPN configuration for use with a Concentrator 3000. Here's the scenario. The main office network uses a Concentrator 3000 for secure remote access as well as a Cisco UC520 IP phone system. The idea is to deploy a couple of 851 routers along with IP handsets to the homes of remote users. The home users' internet connections are non-static (DHCP). The always-on VPN tunnel would need one-time authentication with split tunnel and split DNS enabled. EZVPN on the 851 was configured through SDM with HTTP intercept authentication enabled. Sample code:

crypto ipsec client ezvpn REMOTE
 connect auto
 group RemoteUsers key cisco123
 mode client
 peer Concentrator IP
 xauth userid mode http-intercept
!
interface FastEthernet4
 description $ES_WAN$$ETH-WAN$$FW_OUTSIDE$
 ip address dhcp client-id FastEthernet4
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip inspect SDM_LOW out
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 crypto ipsec client ezvpn REMOTE
!
interface BVI1
 description $ES_LAN$$FW_INSIDE$
 ip address 192.168.2.1 255.255.255.0
 ip access-group 100 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat inside
 ip virtual-reassembly
 ip route-cache flow
 ip tcp adjust-mss 1412
 crypto ipsec client ezvpn REMOTE inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 dhcp

Split tunnel with corresponding network list entries was configured on the concentrator. The first time I tried to authenticate from the VPN tunnel Activation Tool webpage, it kept failing. I connected to SDM to try and bring up the VPN tunnel from there, but got an SSH login prompt instead of the XAuth prompt.

Logging in with the router's username and password got me past the SSH login prompt and finally brought up the XAuth prompts for the VPN tunnel. I entered my credentials and the tunnel came up after that. I was able to use the HTTP intercept login page only after disabling ip http secure-server.

ip http server
ip http authentication local
no ip http secure-server  <-- Disabled this line and was able to bring up the tunnel from the http intercept page

For the IP phone, option 150 10.1.1.1 was added to the 851 router's local DHCP pool configuration. The phone successfully registered a few moments after the tunnel came up. For split DNS, the 851 router DHCP pool was configured with the external and main office internal DNS and WINS IPs. The router's ip domain name setting was configured with the main office network's internal DNS domain name.

ip dhcp pool sdm-pool1
   import all
   network 192.168.2.0 255.255.255.0
   dns-server 4.2.2.1 192.168.1.x 216.136.95.2
   default-router 192.168.2.1
   option 150 ip 10.1.1.1 <-- UC520
   netbios-name-server 192.168.1.x 192.168.1.x


A few years ago I had several requests for secure remote access using the Cisco VPN client and the Cisco 800 series routers. The following code is what I've been using ever since. It can be used on a number of Cisco routers, from the 2600 to the more recent 1800 series. Below is an abbreviated config from a Cisco 851 router in use on a home office network. I configured the basic settings through the SDM GUI, then completed the rest from the command line. My comments are marked by an arrow -->

851w#sh run
Building configuration...

Current configuration : 6999 bytes
!
version 12.4
no service pad
!
hostname 851w
!
enable secret 5 $1$xNG.$PzxUQYsWHQuhgLFVgKJjG.
!
aaa new-model
!
aaa authentication login remoteusers local
aaa authorization network remotegroup local
!
aaa session-id common
!
resource policy
!
clock timezone PCTime -10
ip subnet-zero
no ip source-route
no ip dhcp use vrf connected
ip dhcp excluded-address 192.168.18.1 192.168.18.9
ip dhcp excluded-address 192.168.18.101 192.168.18.254
!
ip dhcp pool sdm-pool1 --> Remove if you already have a DHCP server on your network
   import all
   network 192.168.18.0 255.255.255.0
   dns-server 216.136.57.90 168.215.210.50
   default-router 192.168.18.1
!
ip cef
ip tcp synwait-time 10
no ip bootp server
ip domain name yourdomain.com
ip name-server 216.136.57.90 --> Change to your internal DNS server if you're running one
ip name-server 168.215.210.50 --> Change to your internal DNS server if you're running one
ip ssh time-out 60
ip ssh authentication-retries 2
!
username admin privilege 15 secret 5 $1$R9E.$4wiw3l2oUU7HPQ9uMEonF1
--> create accounts for your vpn users here
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp client configuration address-pool local dynpool --> Create your VPN client DHCP pool first
!
crypto isakmp client configuration group remotegroup --> this is the group name for the client
 key yourkeyhere --> this will be your group password for the client
 dns 4.2.2.3 --> use your internal network DNS server if you have one
 domain yourdomain.com --> Enter internal domain
 pool dynpool
!
!
crypto ipsec transform-set transform-1 esp-3des esp-sha-hmac
!
crypto dynamic-map dynmap 1
 set transform-set transform-1
 reverse-route
!
!
crypto map dynmap client authentication list remoteusers
crypto map dynmap isakmp authorization list remotegroup
crypto map dynmap client configuration address respond
crypto map dynmap 1 ipsec-isakmp dynamic dynmap
!
bridge irb
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 description ** Outside Interface **
 ip address dhcp hostname 851w --> If your connection is static, then that's your VPN client host entry
 ip access-group 101 in
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 ip nat outside
 ip virtual-reassembly
 ip route-cache flow
 duplex auto
 speed auto
 no cdp enable
 crypto map dynmap --> Please be sure to include this line
!
interface Dot11Radio0
 no ip address
 !
 encryption mode ciphers tkip
 !
 encryption vlan 1 mode ciphers tkip
 !
 ssid CiscoAP
    vlan 1
    authentication open
    authentication key-management wpa
    wpa-psk ascii 7 14141B180F0B7B7977
 !
 speed basic-1.0 basic-2.0 basic-5.5 6.0 9.0 basic-11.0 12.0 18.0 24.0 36.0 48.0 54.0
 station-role root
 no dot11 extension aironet
!
interface Dot11Radio0.1
 encapsulation dot1Q 1 native
 no snmp trap link-status
 no cdp enable
 bridge-group 1
 bridge-group 1 subscriber-loop-control
 bridge-group 1 spanning-disabled
 bridge-group 1 block-unknown-source
 no bridge-group 1 source-learning
 no bridge-group 1 unicast-flooding
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$$FW_INSIDE$
 no ip address
 ip tcp adjust-mss 1452
 bridge-group 1
!
interface BVI1
 description $ES_LAN$
 ip address 192.168.18.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1412
!
ip local pool dynpool 192.168.25.1 192.168.25.5 --> DHCP pool for VPN clients
ip classless
ip route 0.0.0.0 0.0.0.0 66.193.144.1
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip nat inside source route-map nonat interface FastEthernet4 overload
!
logging trap debugging
access-list 1 permit 192.168.18.0 0.0.0.255
access-list 101 remark ** Permit Inbound IPSEC Traffic **
access-list 101 permit ip 192.168.25.0 0.0.0.255 any
access-list 101 remark ** Block Telnet **
access-list 101 deny   tcp any any eq telnet
access-list 101 permit tcp any any established
access-list 101 remark ** Deny netbios from the internet **
access-list 101 deny   tcp any any eq 139 log
access-list 101 deny   udp any any eq netbios-ns log
access-list 101 deny   udp any any eq netbios-dgm log
access-list 101 deny   udp any any eq netbios-ss log
access-list 101 remark ** ICMP filter **
access-list 101 deny   icmp any any fragments
access-list 101 permit icmp any any echo
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any packet-too-big
access-list 101 permit icmp any any source-quench
access-list 101 permit icmp any any time-exceeded
access-list 101 deny   icmp any any log
access-list 101 remark ** Permit all other traffic **
access-list 101 permit tcp any any
access-list 101 permit udp any any
access-list 110 deny   ip 192.168.18.0 0.0.0.255 192.168.25.0 0.0.0.255
access-list 110 permit ip 192.168.18.0 0.0.0.255 any
no cdp run
route-map nonat permit 10
 match ip address 110
!
!
control-plane
!
bridge 1 protocol ieee
bridge 1 route ip
!
line con 0
 no modem enable
 transport output telnet
line aux 0
 transport output telnet
line vty 0 4
 privilege level 15
 transport input telnet ssh
!
scheduler max-task-time 5000
scheduler allocate 4000 1000
scheduler interval 500
end

851w#
