Menu

Cisco Site to Site + Remote Access VPN


There are some small office brunches needing both remote access to the office itself,
The remote access clients, like configured HERE and a permanent connection to another SITE (to the HQ for example).
Here is a quick guide for configuring multiple VPN types on a Cisco Router.

In this case I have configured a tunnel to a Fortinet FW (1.1.1.1),
For the authentication I used 3DES and SHA1 for the hashing.
Cisco Lan 10.100.100.0/24, Forti Lan 192.168.0.0/24

Here is my configuration:

Set a password for the tunnel ( may use a certificate instead )
crypto keyring Site-Key
  pre-shared-key address 1.1.1.1 key 0 Cisco2Forti
Configure VPN Phase 1 Policy
crypto isakmp policy 1
encr 3des
hash sha
authentication pre-share
group 2
lifetime 28800

crypto isakmp profile Site-PH1
   keyring Site-Key
   match identity address 1.1.1.1 255.255.255.255
Configure VPN Phase 2
crypto ipsec transform-set Site_Set esp-3des esp-sha-hmac
Set Split-tunnel - what will be routed through
IP access-list Extended Site_ACL
permit ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
combine all the Settings to a VPN Tunnel :
crypto map clientmap 10 ipsec-isakmp
 set peer 1.1.1.1
 set transform-set Site_Set
 set isakmp-profile Site-PH1
 match address Site_ACL
Almost same thing for the Client access
crypto isakmp policy 2
encr 3des
authentication pre-share
group 2

crypto isakmp client configuration group Client-Access
key Client2Site
pool ippool
acl Client_ACL

crypto isakmp profile Client
   match identity group alicenet
   client authentication list auth
   isakmp authorization list auth
   client configuration address respond

crypto ipsec transform-set Client_Set esp-3des esp-sha-hmac

crypto dynamic-map dynmap 10
 set transform-set Client_Set
 set isakmp-profile Client

IP access-list Extended Client_ACL
permit ip 10.100.100.0 0.0.0.255 172.16.0.0 0.0.0.3

crypto map clientmap 100 ipsec-isakmp dynamic dynmap
Client to site VPN will also require configuring an ip pool - Basically DHCP for VPN
ip local pool ippool 172.16.0.0 172.16.0.3
For both of them to work we need to enable the Crypto (VPN) on the external interface,
in my case FastEthernet4
interface FastEthernet4
ip address 2.2.2.2 255.255.255.255
crypto map clientmap 
And one last thing, in case there is NAT enabled – make sure to disable the NAT in the VPN
for example:
ip access-list extended NAT
deny ip 10.100.100.0 0.0.0.255 172.16.0.0 0.0.0.3
deny ip 10.100.100.0 0.0.0.255 192.168.0.0 0.0.0.255
permit ip 10.100.100.0 0.0.0.255 any

Hope this post was helpful, If it was please consider a donation:
BTC Address: 1CnyMpjd1RntRDxSus2hu2aDMyzL4Kj29N
LTC Address: LUqrKbzGihTU2GEnL3EwsuuLHCsxCJMdtR

1 comment:

  1. I can see that you are an expert at your field! I am launching a website soon, and your information will be very useful for me.. Thanks for all your help and wishing you all the success in your business. WWW

    ReplyDelete