Cisco 827/827H/SOHO97/837 ADSL Firewall IPSec configuration

This recipe is designed for those Cisco 827s that have the Firewall and the VPN (IPSec56) feature set.

Gotcha #1: Use the same version of the IOS on both ends of the VPN. You can usually get away mixing versions (such as 12.1 with 12.2), but there are a couple of combinations that will not work.

Gotcha #2: Make sure you use one of the software versions that IFM recommends, and pay special attention to any memory requirements mentioned. You have been warned.

To use this configuration, download the template file, 827_fw_ipsec_nz.tpl, and use Cisco FastStep to install it. You will be asked these questions:

Router Name: A name you assign to the router. Not important.
Router IP: The internal IP address of the router. Both sites must have unique internal network numbers.
Network: The network being used internally by the router.
Netmask: The netmask used for the internal network.
Pre-shared Key: The VPN password. Must be the same on both ends.
VPN End Point: The public IP address of the router at the other site.
Username: The username assigned to you by the ISP for the ADSL connection.
Password: The password assigned to you by the ISP for the ADSL connection.

Important bits of the config are:

    ! This defines the firewall inspection rules.
    ip inspect name Dialer_0 tcp
    ip inspect name Dialer_0 udp
    ip inspect name Dialer_0 cuseeme
    ip inspect name Dialer_0 ftp
    ip inspect name Dialer_0 h323
    ip inspect name Dialer_0 rcmd
    ip inspect name Dialer_0 realaudio
    ip inspect name Dialer_0 streamworks
    ip inspect name Dialer_0 vdolive
    ip inspect name Dialer_0 sqlnet
    ip inspect name Dialer_0 tftp

    ! ISAKMP is the key exchange policy.  It is used to negotiate keys and
    ! parameters between the two tunnel ends; the pre-shared key authenticates them.
    ! Everything not set under the policy (encryption, hash, DH group, lifetime) uses the IOS defaults.
    crypto isakmp policy 1
     authentication pre-share
    crypto isakmp key {vpn password} address {public IP of other end}
    !
    ! This says how to encrypt the data: ESP with DES for encryption and
    ! SHA-HMAC for message authentication.  DES is what the IPSec56 feature
    ! set offers; it is weak by today's standards.
    crypto ipsec transform-set cm-transformset-1 esp-des esp-sha-hmac
    !
    ! This tells the router which traffic to encrypt (access-list 110) and where to send it.
    crypto map cm-cryptomap 1 ipsec-isakmp
     set peer {public IP of other end}
     set transform-set cm-transformset-1
     match address 110
    !
    !
    interface Dialer0
     ! This enables IPSec on this interface.  The interface command takes only
     ! the map name; the sequence number and "ipsec-isakmp" belong to the global entry above.
     crypto map cm-cryptomap
     ! One of the biggest mistakes I come across is people leaving out these two lines.
     no ip route-cache
     no ip mroute-cache
    !
    ! You must tell the router not to NAT VPN traffic: the deny entry must cover the
    ! same traffic access-list 110 selects for encryption, and it must come before the permit.
    ip nat inside source list 105 interface Dialer0 overload
    access-list 105 deny   ip ...
    access-list 105 permit ip ...

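As an added example (not part of the original recipe or an IFM tool), a small Python checker for the three pitfalls above: the crypto map is applied to Dialer0, the two route-cache lines are present, and every flow the crypto ACL selects is exempted from NAT. The config it reads is constructed here with hypothetical addresses and deliberately lacks the NAT exemption.

```python
# Constructed sample config (hypothetical addresses, not from the recipe): the crypto ACL
# selects LAN-to-LAN traffic, but access-list 105 never exempts that traffic from NAT.
SAMPLE_CFG = """
crypto map cm-cryptomap 1 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set cm-transformset-1
 match address 110
interface Dialer0
 crypto map cm-cryptomap
 no ip route-cache
 no ip mroute-cache
ip nat inside source list 105 interface Dialer0 overload
access-list 105 permit ip 192.168.1.0 0.0.0.255 any
access-list 110 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
"""

def parse_sections(cfg):
    """Split an IOS config into top-level lines and {header: [indented sub-commands]}."""
    top, sections, cur = [], {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # skip blanks and comments
        if line.startswith(" ") and cur is not None:
            sections[cur].append(line.strip())
        else:
            cur = line.strip()
            sections[cur] = []
            top.append(cur)
    return top, sections

def check_vpn_config(cfg, iface="interface Dialer0"):
    """Return a list of problems; an empty list means the three pitfalls are avoided."""
    top, sec = parse_sections(cfg)
    problems, iface_cmds = [], sec.get(iface, [])
    maps = [c.split()[2] for c in iface_cmds if c.startswith("crypto map ")]
    if not maps:
        problems.append(f"no crypto map applied to {iface}")
    for cmd in ("no ip route-cache", "no ip mroute-cache"):  # the two often-forgotten lines
        if cmd not in iface_cmds:
            problems.append(f"{cmd} missing on {iface}")
    crypto_acl = next((c.split()[2] for h, body in sec.items() if maps and h.startswith(
        f"crypto map {maps[0]} ") for c in body if c.startswith("match address ")), None)
    nat_acl = next((l.split()[5] for l in top if l.startswith("ip nat inside source list ")), None)
    if crypto_acl and nat_acl:
        encrypted = [l.split()[3:] for l in top if l.startswith(f"access-list {crypto_acl} permit ")]
        exempted = [l.split()[3:] for l in top if l.startswith(f"access-list {nat_acl} deny ")]
        for flow in encrypted:  # every flow the tunnel carries must be denied in the NAT ACL
            if flow not in exempted:
                problems.append(f"VPN flow '{' '.join(flow)}' not exempted from NAT in access-list {nat_acl}")
    return problems
```

Run it against a saved `show running-config` to catch the NAT exemption and route-cache mistakes before bringing the tunnel up.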

Cisco Systems Partner - Premier Certified