Remote Access VPN to a Cisco Router with different access profiles

To continue solving Joaquim’s problem we will create an Easy VPN Remote Access Server on a Cisco router with two different profiles. One profile will be dedicated to client access and the other to staff access. We will use DVTI (Dynamic Virtual Tunnel Interfaces) so that the two profiles can be given different connection permissions.

Initial Configuration
UNetLab Topology

[Figure: UNetLab topology diagram (rdp2.2.gif)]

R-Joaquim
hostname R-Joaquim
!
interface Ethernet0/0
 description Joaquim's Local Lan
 ip address 192.168.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Internet Connection
 ip address 10.0.0.1 255.255.255.252
 ip nat outside
 no shutdown
!
! PAT CONFIGURATION FOR INTERNET ACCESS
ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.2
!
ip access-list extended NAT
 permit ip 192.168.0.0 0.0.0.255 any
 deny   ip any any
R-Client
hostname R-Client
!
ip dhcp excluded-address 172.16.0.254
!
! DHCP for the WIN-Client
ip dhcp pool LAN
 network 172.16.0.0 255.255.255.0
 dns-server 8.8.8.8 
 domain-name bsnetworking.bllog
 default-router 172.16.0.254 
 lease 2
!
interface Ethernet0/0
 description Client's Local Lan
 ip address 172.16.0.254 255.255.255.0
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Internet Connection
 ip address 10.0.0.6 255.255.255.252
 ip nat outside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/1 overload
ip route 0.0.0.0 0.0.0.0 10.0.0.5
!
ip access-list extended NAT
 permit ip 172.16.0.0 0.0.0.255 any
 deny   ip any any
Internet
hostname INTERNET
!
interface Ethernet0/0
 description Connects to R1
 ip address 10.0.0.2 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/1
 description Connects to R2
 ip address 10.0.0.5 255.255.255.252
 ip nat inside
 no shutdown
!
interface Ethernet0/2
 description Connects to Real Internet
 ip address dhcp
 ip nat outside
 no shutdown
!
interface Ethernet0/3
 description Connects to Internet Host
 ip address 10.0.0.9 255.255.255.252
 ip nat inside
 no shutdown
!
ip nat inside source list NAT interface Ethernet0/2 overload
!
! Default route to my gateway
ip route 0.0.0.0 0.0.0.0 172.16.210.254
!
ip access-list extended NAT
 permit ip 10.0.0.0 0.0.0.3 any
 permit ip 10.0.0.4 0.0.0.3 any
 permit ip 10.0.0.8 0.0.0.3 any
 deny   ip any any
Configuration Steps:
  1. Configure AAA for user authentication (Xauth)
  2. Configure ISAKMP policies for secure connectivity
  3. Configure group policies to be pushed to clients
  4. Configure IPSEC transform-set for the IPSec Security Association
  5. Configure Dynamic Virtual Tunnel Interfaces (DVTI) to apply the previous configuration to the Server
! STEP 1
! Authentication, Authorization and Accounting configured for
! Xauth (user authentication) and for network authorization
! (network access)
aaa new-model
! Authentication and authorization are done against the local
! database for ease of demonstration
aaa authentication login EZuser local
aaa authorization network EZgroup local
! Local user database: one client user and one staff user
username client password clientpass
username staff password staffpass
! STEP 2
! IKE Phase 1 policy
crypto isakmp policy 10
 encryption 3des
 hash md5
 group 2
 authentication pre-share
! STEP 3
! Group Parameter Configuration 
! Group configuration for the client
! CLIENT-GP is the group name
crypto isakmp client configuration group CLIENT-GP
 ! Group password
 key clientsecret
 ! ACL to control access from the user in this group
 acl 100
 ! Address pool for the clients that connect to this group   
 pool CLIENTPOOL

! Group configuration for the staff
! STAFF-GP is the group name
crypto isakmp client configuration group STAFF-GP
 key staffsecret
 acl 150 
 pool STAFFPOOL
! STEP 3 (Cont.)
! ACL's and Address Pools
! The client can only access the RDP-Target (192.168.0.1)
access-list 100 permit tcp host 192.168.0.1 eq 3389 any
! Client address pool
ip local pool CLIENTPOOL 192.168.100.1 192.168.100.10

! The staff will be allowed the entire 192.168.0.0/24 network
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
! Staff address pool
ip local pool STAFFPOOL 192.168.150.1 192.168.150.10
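The two numbered ACLs above are what actually separates the client profile from the staff profile, so it is worth checking what each one lets through. The following Python evaluator is an added example, not code from the post: it parses the two ACEs as written (Easy VPN split-tunnel ACLs are expressed from the protected side, with the internal host or network as source) and answers, for a given group, whether a connection from a remote client to an internal target is sent through the tunnel. The client's ephemeral port (49152) and the sample flows are constructed assumptions.

```python
import ipaddress

# Constructed sample input: the two split-tunnel ACLs from the post, keyed by the
# Easy VPN group that references them ('acl 100' / 'acl 150').
SPLIT_TUNNEL_ACLS = {
    "CLIENT-GP": ["access-list 100 permit tcp host 192.168.0.1 eq 3389 any"],
    "STAFF-GP": ["access-list 150 permit ip 192.168.0.0 0.0.0.255 any"],
}

# Assumed port the remote client uses on its side of a mirrored flow
CLIENT_EPHEMERAL_PORT = 49152


def _parse_addr(tokens, i):
    """Consume an IOS address spec ('any', 'host A', or 'A WILDCARD') at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    # An IOS wildcard mask is the bitwise inverse of a subnet mask
    wildcard = int(ipaddress.ip_address(tokens[i + 1]))
    mask = ipaddress.ip_address(wildcard ^ 0xFFFFFFFF)
    return ipaddress.ip_network(f"{tokens[i]}/{mask}", strict=False), i + 2


def _parse_port(tokens, i):
    """Consume an optional 'eq PORT'; None means any port."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_ace(line):
    """Parse one numbered ACE: access-list N permit|deny PROTO SRC [eq P] DST [eq P]."""
    t = line.split()
    src, i = _parse_addr(t, 4)
    sport, i = _parse_port(t, i)
    dst, i = _parse_addr(t, i)
    dport, _ = _parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport}


def ace_matches(ace, proto, src_ip, sport, dst_ip, dport):
    """True if the flow matches the ACE ('ip' matches every protocol, None any port)."""
    if ace["proto"] != "ip" and ace["proto"] != proto:
        return False
    if ipaddress.ip_address(src_ip) not in ace["src"]:
        return False
    if ipaddress.ip_address(dst_ip) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != sport:
        return False
    if ace["dport"] is not None and ace["dport"] != dport:
        return False
    return True


def client_can_reach(group, client_ip, target_ip, proto, target_port):
    """Return 'permit' if the group's split-tunnel ACL carries this traffic through
    the tunnel, else 'deny' (the implicit deny: the traffic is not tunneled at all).

    The ACL is written from the protected side, so a client connecting to
    target_ip:target_port is evaluated as the mirrored flow target -> client.
    """
    for line in SPLIT_TUNNEL_ACLS[group]:
        ace = parse_ace(line)
        if ace_matches(ace, proto, target_ip, target_port, client_ip, CLIENT_EPHEMERAL_PORT):
            return ace["action"]
    return "deny"


if __name__ == "__main__":
    for group, ip in (("CLIENT-GP", "192.168.100.1"), ("STAFF-GP", "192.168.150.1")):
        for target, port in (("192.168.0.1", 3389), ("192.168.0.1", 22), ("192.168.0.20", 3389)):
            print(f"{group:10} {ip} -> {target}:{port}/tcp : "
                  f"{client_can_reach(group, ip, target, 'tcp', port)}")
```

Running it shows the intended split: the client group only tunnels TCP/3389 to 192.168.0.1, while the staff group tunnels anything in 192.168.0.0/24. Keep in mind that a split-tunnel ACL is pushed to the VPN client and governs what the client encrypts; if the restriction must hold regardless of the client software, the place to enforce it on the router is an interface ACL on the client's Virtual-Template, since the two profiles land on separate virtual-access interfaces.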
! STEP 4
! IPSec transform-set will be the same for both
crypto ipsec transform-set EZVPNTSET esp-3des esp-md5-hmac
! Configure an IPSec profile to protect the DVTI that will
! be created in step 5
crypto ipsec profile EZVPN-IPSEC-PF
 set transform-set EZVPNTSET
 ! Reverse Route Injection: install a route to each connected
 ! client's address (an administrative distance may optionally follow)
 set reverse-route
! STEP 5
! ISAKMP Profile Configuration
! All configuration parameters come together here and are associated
! with a virtual template
! The virtual template number references the interface configured
! in the next step
! Client Profile
crypto isakmp profile CLIENT-PF
 ! Group
 match identity group CLIENT-GP
 ! Authentication
 client authentication list EZuser
 ! Authorization
 isakmp authorization list EZgroup
 ! Allow dynamic address distribution from the pool
 client configuration address respond
 ! Identify the virtual template number
 virtual-template 1

! Staff
crypto isakmp profile STAFF-PF
 match identity group STAFF-GP
 client authentication list EZuser
 isakmp authorization list EZgroup
 client configuration address respond
 virtual-template 2
! STEP 5 (cont.)
! DVTI for the client
interface Virtual-Template 1 type tunnel
 ! using the ip address of the interface Ethernet 0/1
 ip unnumbered Ethernet 0/1
 ! Tunnel mode is ipsec
 tunnel mode ipsec ipv4
 ! The ipsec protection will be the previously configured ipsec profile  
 tunnel protection ipsec profile EZVPN-IPSEC-PF

! DVTI for the staff
interface Virtual-Template 2 type tunnel
 ip unnumbered Ethernet 0/1
 tunnel mode ipsec ipv4 
 tunnel protection ipsec profile EZVPN-IPSEC-PF
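Steps 1 to 5 are tied together purely by names: the AAA list names, the group names, the ACL numbers, the pool names, the IPsec profile and the virtual-template numbers. IOS compares these case-sensitively and does not reject a reference to a list or profile that does not exist when the line is entered, so a typo only shows up as a failed connection later. The following Python checker is an added example, not part of the post: it parses a constructed sample of the server configuration above and reports every cross-reference that has no matching definition. In the sample the login list is deliberately referenced as Ezuser while it is defined as EZuser, so the check has something to report.

```python
import re

# Constructed sample: the Easy VPN server lines from the post, with the
# authentication list referenced as 'Ezuser' (defined as 'EZuser') on purpose.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login EZuser local
aaa authorization network EZgroup local
crypto isakmp client configuration group CLIENT-GP
 key clientsecret
 acl 100
 pool CLIENTPOOL
crypto isakmp client configuration group STAFF-GP
 key staffsecret
 acl 150
 pool STAFFPOOL
access-list 100 permit tcp host 192.168.0.1 eq 3389 any
ip local pool CLIENTPOOL 192.168.100.1 192.168.100.10
access-list 150 permit ip 192.168.0.0 0.0.0.255 any
ip local pool STAFFPOOL 192.168.150.1 192.168.150.10
crypto ipsec transform-set EZVPNTSET esp-3des esp-md5-hmac
crypto ipsec profile EZVPN-IPSEC-PF
 set transform-set EZVPNTSET
crypto isakmp profile CLIENT-PF
 match identity group CLIENT-GP
 client authentication list Ezuser
 isakmp authorization list EZgroup
 virtual-template 1
crypto isakmp profile STAFF-PF
 match identity group STAFF-GP
 client authentication list Ezuser
 isakmp authorization list EZgroup
 virtual-template 2
interface Virtual-Template 1 type tunnel
 tunnel protection ipsec profile EZVPN-IPSEC-PF
interface Virtual-Template 2 type tunnel
 tunnel protection ipsec profile EZVPN-IPSEC-PF
"""

# Global commands that define a name, by kind
DEFINITIONS = {
    "login list": r"^aaa authentication login (\S+)",
    "network list": r"^aaa authorization network (\S+)",
    "group": r"^crypto isakmp client configuration group (\S+)",
    "acl": r"^access-list (\S+) ",
    "pool": r"^ip local pool (\S+)",
    "transform-set": r"^crypto ipsec transform-set (\S+)",
    "ipsec profile": r"^crypto ipsec profile (\S+)",
    "virtual-template": r"^interface Virtual-Template ?(\d+)",
}

# Sub-commands that reference a name: (block header prefix, pattern, kind)
REFERENCES = [
    ("crypto isakmp profile", r"^client authentication list (\S+)", "login list"),
    ("crypto isakmp profile", r"^isakmp authorization list (\S+)", "network list"),
    ("crypto isakmp profile", r"^match identity group (\S+)", "group"),
    ("crypto isakmp profile", r"^virtual-template (\d+)", "virtual-template"),
    ("crypto isakmp client configuration group", r"^acl (\S+)", "acl"),
    ("crypto isakmp client configuration group", r"^pool (\S+)", "pool"),
    ("crypto ipsec profile", r"^set transform-set (\S+)", "transform-set"),
    ("interface Virtual-Template", r"^tunnel protection ipsec profile (\S+)", "ipsec profile"),
]


def parse_blocks(config):
    """Split an IOS config into top-level lines and {header: [indented sub-commands]}."""
    top, blocks, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and comments
        if raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks[current] = []
            top.append(current)
    return top, blocks


def check_references(config):
    """Return a list of findings, one per reference with no exact-match definition."""
    top, blocks = parse_blocks(config)
    defined = {kind: set() for kind in DEFINITIONS}
    for line in top:
        for kind, pattern in DEFINITIONS.items():
            m = re.match(pattern, line)
            if m:
                defined[kind].add(m.group(1))
    findings = []
    for header, body in blocks.items():
        for prefix, pattern, kind in REFERENCES:
            if not header.startswith(prefix):
                continue
            for line in body:
                m = re.match(pattern, line)
                if m and m.group(1) not in defined[kind]:
                    # Point out a case-only mismatch, the most common form of this error
                    near = [d for d in defined[kind] if d.lower() == m.group(1).lower()]
                    hint = f" (case-sensitive; defined as {near[0]!r})" if near else ""
                    findings.append(f"{header}: references undefined {kind} {m.group(1)!r}{hint}")
    return findings


if __name__ == "__main__":
    for finding in check_references(SAMPLE_CONFIG) or ["no dangling references"]:
        print(finding)
```

The checker reads a running-config export, so it can be run against the real router output after every change; a clean result means each profile resolves to an existing AAA list, group, ACL, pool, transform-set and virtual-template, which is the condition for Xauth and address assignment to work at all.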

There was another requirement: limiting the client's access so that it is only accepted from his own external address. But since both the staff and the client reach the same external interface on Joaquim’s router, there is no way to distinguish the two connections there.

I found a work-around that can be easily bypassed, but it is still an alternative for telling the client's traffic apart from the staff's. The Cisco VPN Client can be configured for transparent tunneling over TCP on a user-defined port, so we can restrict access to just the pre-defined ports and in this way tie the client's port to his address.

Client VPN Configuration (client)

[Screenshot: Cisco VPN Client connection settings for the client profile (rdp2-3)]

Client VPN Configuration (staff)

[Screenshot: Cisco VPN Client connection settings for the staff profile (rdp2-5)]

Watch the video for the connectivity test.

Until the next post, stay good.


4 thoughts on “Remote Access VPN to a Cisco Router with different access profiles”

  1. For many reasons, some of our internal resources need to be accessed from specific suppliers, clients, and so on.
    But with these profiles, we can create and manage specific profiles for specific clients.
    I will test this solution soon and, for sure, it will work like I want.

    Nice post,
    Joaquim
