Cisco 827/827H/SOHO97/837 ADSL Firewall IPSec configuration
This recipe is designed for those Cisco 827s that have the Firewall and the VPN (IPSec56) feature set.
Gotcha #1: Use the same version of the IOS on both ends of the VPN. You can usually get away with mixing versions (such as 12.1 with 12.2), but there are a couple of combinations that will not work.
Gotcha #2: Make sure you use one of the software versions that IFM recommends, and pay special attention to any memory requirements mentioned. You have been warned.
To use this configuration, download the template file, 827_fw_ipsec_nz.tpl, and use Cisco FastStep to install it. You will be asked these questions:
| Question | Meaning |
|---|---|
| Router Name | A name you assign to the router. Not important. |
| Router IP | The internal IP address of the router. Both sites must have unique internal network numbers. |
| Network | The network being used internally by the router. |
| Netmask | The netmask used for the internal network. |
| Pre-shared Key | The VPN password. Must be the same on both ends. |
| VPN End Point | The public IP address of the router at the other site. |
| Username | The username assigned to you by the ISP for the ADSL connection. |
| Password | The password assigned to you by the ISP for the ADSL connection. |
Important bits of the config are:
```
! This defines the firewall inspection rules.
ip inspect name Dialer_0 tcp
ip inspect name Dialer_0 udp
ip inspect name Dialer_0 cuseeme
ip inspect name Dialer_0 ftp
ip inspect name Dialer_0 h323
ip inspect name Dialer_0 rcmd
ip inspect name Dialer_0 realaudio
ip inspect name Dialer_0 streamworks
ip inspect name Dialer_0 vdolive
ip inspect name Dialer_0 sqlnet
ip inspect name Dialer_0 tftp
!
! ISAKMP is the key exchange policy. It is used to negotiate a
! "password" (the session keys) and the parameters for the two tunnel ends.
! The pre-shared key and the peer address must match what the other end has.
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key {vpn password} address {public IP of other end}
!
! This says how to encrypt the data: DES for encryption and SHA-1 HMAC for
! message authentication. DES is 56-bit and weak by modern standards; it is
! the cipher the IPSec56 feature set provides.
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
!
! This tells the router which traffic to encrypt (access-list 110) and where
! to send it (the peer).
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer {public IP of other end}
 set transform-set cm-transformset-1
 match address 110
!
interface Dialer0
 ! This enables IPSec on this interface. The interface command takes only the
 ! map name; the sequence number and "ipsec-isakmp" belong to the global
 ! "crypto map" entry above, not here.
 crypto map cm-cryptomap
 ! One of the biggest mistakes I come across is people leaving out these two lines.
 no ip route-cache
 no ip mroute-cache
!
! You must tell the router not to NAT VPN traffic: the deny entry in
! access-list 105 exempts the site-to-site traffic from translation so that
! it reaches the crypto map with its real source address.
ip nat inside source list 105 interface Dialer0 overload
access-list 105 deny ip ...
access-list 105 permit ip ...
```
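The fragment above leaves the access-list contents and the per-site values as placeholders. The following is an added worked example, not from the IFM template, showing the site-specific parts filled in for both ends so that the mirroring is visible: the same pre-shared key on both routers, each router's peer set to the other's public address, and access-lists 105 and 110 that are mirror images of each other. The addresses (LAN 192.168.1.0/24 behind 203.0.113.10, LAN 192.168.2.0/24 behind 198.51.100.20), the hostnames and the key `s3cretVPNkey` are made up for this example; the ADSL/ATM and PPP lines that FastStep generates from the ISP username and password are omitted, and `ip inspect Dialer_0 out` is assumed to be how the inspection rule set above is applied to the outside interface.

```cisco
! ================= Site A: LAN 192.168.1.0/24, public 203.0.113.10 =================
hostname siteA
!
crypto isakmp policy 1
 authentication pre-share
! Key must be identical on both ends; address is the OTHER end's public IP.
crypto isakmp key s3cretVPNkey address 198.51.100.20
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
!
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set cm-transformset-1
 match address 110
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip inspect Dialer_0 out
 no ip route-cache
 no ip mroute-cache
 crypto map cm-cryptomap
!
ip nat inside source list 105 interface Dialer0 overload
!
! 105 = what to NAT. The deny line exempts site-to-site traffic from translation.
access-list 105 deny   ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
!
! 110 = what to encrypt. Must be the exact mirror of the other site's 110.
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255

! ================= Site B: LAN 192.168.2.0/24, public 198.51.100.20 =================
hostname siteB
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key s3cretVPNkey address 203.0.113.10
!
crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
!
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set cm-transformset-1
 match address 110
!
interface Ethernet0
 ip address 192.168.2.1 255.255.255.0
 ip nat inside
!
interface Dialer0
 ip address negotiated
 ip nat outside
 ip inspect Dialer_0 out
 no ip route-cache
 no ip mroute-cache
 crypto map cm-cryptomap
!
ip nat inside source list 105 interface Dialer0 overload
!
access-list 105 deny   ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
access-list 105 permit ip 192.168.2.0 0.0.0.255 any
!
access-list 110 permit ip 192.168.2.0 0.0.0.255 192.168.1.0 0.0.0.255
```

Two things to check after loading this: the two internal networks must differ (if both sites used 192.168.1.0/24 the 105 and 110 entries would be self-referential and nothing would be routed into the tunnel), and the deny entry in 105 must cover exactly the same source/destination pair as the permit in 110, otherwise the packet is NATed to the Dialer0 address before the crypto map sees it and never matches. Once traffic has been sent from one LAN to the other, `show crypto isakmp sa` should show the peer in state QM_IDLE and `show crypto ipsec sa` should show non-zero encrypt/decrypt counters on both routers.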