To continue solving Joaquim’s problem we will create an Easy VPN Remote Access Server on a Cisco router with two different profiles. One profile will be dedicated to client access and the other to staff access. We will use DVTI (Dynamic Virtual Tunnel Interface) to differentiate the two profiles in terms of connection permissions.
```
hostname R-Joaquim
!
interface Ethernet0/0
 description Joaquim's Local Lan
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Internet Connection
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 no shutdown
!
! PAT CONFIGURATION FOR INTERNET ACCESS
ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny ip any any
```
```
hostname R-Client
!
ip dhcp excluded-address 172.16.0.254
!
! DHCP for the WIN-Client
ip dhcp pool LAN
 network 172.16.0.0 255.255.255.0
 dns-server 220.127.116.11
 domain-name bsnetworking.bllog
 default-router 172.16.0.254
 lease 2
!
interface Ethernet0/0
 description Client's Local Lan
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Internet Connection
 ip address 10.0.0.6 255.255.255.252
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.5
!
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 deny ip any any
```
```
hostname INTERNET
!
interface Ethernet0/0
 description Connects to R1
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Connects to R2
 ip address 10.0.0.5 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/2
 description Connects to Real Internet
 ip address dhcp
 ip nat outside
 no shutdown
!
interface Ethernet0/3
 description Connects to Internet Host
 ip address 10.0.0.9 255.255.255.252
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/2 overload
!
! Default route to my gateway
ip route 0.0.0.0 0.0.0.0 172.16.210.254
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.3 any
 permit ip 10.0.0.4 0.0.0.3 any
 permit ip 10.0.0.8 0.0.0.3 any
 deny ip any any
```
- Configure AAA for user authentication (Xauth)
- Configure ISAKMP policies for secure connectivity
- Configure group policies to be pushed to clients
- Configure IPSEC transform-set for the IPSec Security Association
- Configure Dynamic Virtual Tunnel Interfaces (DVTI) to apply the previous configuration to the Server
```
! STEP 1
! Authentication, Authorization and Accounting configured for
! Xauth (user authentication) and for network authorization
! (network access)
aaa new-model
! Authentication and authorization are done locally for ease
! of demonstration
aaa authentication login EZuser local
aaa authorization network EZgroup local
! Local authentication database - one client user and one staff user
username client password clientpass
username staff password staffpass
!
! STEP 2
! IKE Phase 1 policy
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
 authentication pre-share
!
! STEP 3
! Group Parameter Configuration
! Group configuration for the client
! CLIENT-GP is the group name
crypto isakmp client configuration group CLIENT-GP
 ! Group password
 key clientsecret
 ! ACL to control access from the user in this group
 acl 100
 ! Address pool for the clients that connect to this group
 pool CLIENTPOOL
! Group configuration for the staff
! STAFF-GP is the group name
crypto isakmp client configuration group STAFF-GP
 key staffsecret
 acl 150
 pool STAFFPOOL
!
! STEP 3 (Cont.)
! ACLs and Address Pools
! The client can only access the RDP-Target (192.168.0.1)
access-list 100 permit tcp host 192.168.0.1 eq 3389 any
! Client address pool
ip local pool CLIENTPOOL 192.168.100.1 192.168.100.10
! The staff will be allowed access to the entire 192.168.0.0/24 network
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
! Staff address pool
ip local pool STAFFPOOL 192.168.150.1 192.168.150.10
!
! STEP 4
! IPSec transform-set will be the same for both
crypto ipsec transform-set EZVPNTSET esp-3des esp-md5-hmac
! Configure an IPSec profile to protect the DVTI that will
! be created in step 5
crypto ipsec profile EZVPN-IPSEC-PF
 set transform-set EZVPNTSET
 set reverse-route distance
!
! STEP 5
! Profile Configuration
! All configuration parameters come together and are associated
! with a virtual template
! The virtual template number references the interface configured
! in the next step
! Client Profile
crypto isakmp profile CLIENT-PF
 ! Group
 match identity group CLIENT-GP
 ! Authentication (the list name must match STEP 1 exactly; it is case-sensitive)
 client authentication list EZuser
 ! Authorization
 isakmp authorization list EZgroup
 ! Allow dynamic address distribution from the pool
 client configuration address respond
 ! Identify the virtual template number
 virtual-template 1
! Staff Profile
crypto isakmp profile STAFF-PF
 match identity group STAFF-GP
 client authentication list EZuser
 isakmp authorization list EZgroup
 client configuration address respond
 virtual-template 2
!
! STEP 5 (cont.)
! DVTI for the client
interface Virtual-Template 1 type tunnel
 ! Using the IP address of interface Ethernet 0/1
 ip unnumbered Ethernet 0/1
 ! Tunnel mode is ipsec
 tunnel mode ipsec ipv4
 ! The IPSec protection will be the previously configured IPSec profile
 tunnel protection ipsec profile EZVPN-IPSEC-PF
! DVTI for the staff
interface Virtual-Template 2 type tunnel
 ip unnumbered Ethernet 0/1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile EZVPN-IPSEC-PF
```
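Step 5 ties the earlier steps together purely by name (AAA lists, group, pool, ACL, virtual template), and AAA method-list names are case-sensitive, so a reference that differs from its definition even in letter case does not match it. The check below is an added example, not part of the original post: a small Python function that lists every such reference with no matching definition. `RULES`, `names` and `dangling_references` are names chosen here, and `SAMPLE` is a constructed excerpt.

```python
import re

# kind -> (pattern that defines an object, pattern that refers to one)
RULES = {
    "authn-list": (r"aaa authentication login (\S+)", r"client authentication list (\S+)"),
    "authz-list": (r"aaa authorization network (\S+)", r"isakmp authorization list (\S+)"),
    "group": (r"crypto isakmp client configuration group (\S+)", r"match identity group (\S+)"),
    "pool": (r"ip local pool (\S+)", r"pool (\S+)"),
    "acl": (r"access-list (\d+)", r"acl (\d+)"),
    "vtemplate": (r"interface Virtual-Template ?(\d+)", r"virtual-template (\d+)"),
}

def names(lines, pattern):
    """All names captured by `pattern` at the start of a config line."""
    return [m.group(1) for m in (re.match(pattern, l) for l in lines) if m]

def dangling_references(config):
    """Return sorted (kind, name, hint) for every reference without a definition."""
    lines = [l.strip() for l in config.splitlines()]
    problems = set()
    for kind, (def_rx, ref_rx) in RULES.items():
        defined = set(names(lines, def_rx))
        for ref in names(lines, ref_rx):
            if ref in defined:
                continue
            # Names are compared case-sensitively; report a near miss explicitly.
            near = sorted(d for d in defined if d.lower() == ref.lower())
            hint = f"case differs from {near[0]}" if near else "not defined"
            problems.add((kind, ref, hint))
    return sorted(problems)

# Constructed sample (not the page's full configuration).
SAMPLE = """\
aaa authentication login EZuser local
aaa authorization network EZgroup local
crypto isakmp client configuration group CLIENT-GP
 acl 100
 pool CLIENTPOOL
access-list 100 permit tcp host 192.168.0.1 eq 3389 any
crypto isakmp profile CLIENT-PF
 match identity group CLIENT-GP
 client authentication list Ezuser
 isakmp authorization list EZgroup
 virtual-template 1
interface Virtual-Template 1 type tunnel
"""

if __name__ == "__main__":
    print(dangling_references(SAMPLE))
```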
Another requirement was to limit the client's access to his external address. But since both the staff and the client connect to the same external interface on Joaquim’s router, there is no way to distinguish the two connections.
I found a work-around that can be easily bypassed, but it is also an alternative way to differentiate the traffic from the client and the staff. The Cisco VPN Client can be configured to use Transparent NAT over TCP on a user-defined port. So we can restrict access to just the pre-defined ports and, this way, restrict the client's port to his address.
Client VPN Configuration (client)
Client VPN Configuration (staff)
Watch the video for the connectivity test.
Until the next post, stay good.