solution base

Upload: ni-ku

Post on 03-Apr-2018


  • 7/28/2019 Solution Base

    1/13

    SolutionBase: Configuring a Cisco VPN concentrator as a remote-access VPN server

    By Guest Contributor

    December 14, 2005, 8:00am PST

    In the article "Using a Cisco IOS router as a VPN server", we discussed using a router as a VPN server for a Microsoft Windows client. In that article, our goal was to not have to make any changes or install any software on the Windows client. Here's how to configure a Cisco VPN 3005 server as a remote access VPN server for that same Windows client. Again, we have the same goal: to not have to change any settings or install any software on the Windows client.

    What's the difference?

    As the VPN concentrator is specifically designed as a remote access VPN server or a site-to-site VPN endpoint, the overall configuration of the VPN concentrator will be less difficult than that of a command-line based IOS router. Besides just dealing with the command line, the router is more challenging to configure as it would normally have a variety of other services running on it that would interfere with the role of VPN server. The VPN concentrator is dedicated solely to the function of being a VPN server.

    In this example, we are using a Cisco VPN 3005 concentrator running software 4.1.7.H. When a Cisco VPN concentrator boots, it has no configuration and the interfaces must be configured using the command line and the console. We have done this and have our network running. No other changes have been made to the VPN 3005 concentrator, other than this basic network configuration.

    Figure A

    http://techrepublic.com.com/5100-6350_11-5926395.html

    This is the sample topology we'll be dealing with.

    Configuring the concentrator

    Go to Configuration | User Management | Base Group. Click on the PPTP/L2TP tab. The defaults should look like the screen shown in Figure B and should function fine for a default Windows XP PPTP VPN client.

    Figure B


    Click on Configuration | Tunneling and Security | PPTP. Verify that the Enabled checkbox is marked, as shown in Figure C.

    Figure C


    Go to Configuration | User Management | Groups as seen in Figure D.

    Figure D


    Click on Add Group. For the group name, type PPTP. For the group password, type techrepublic. This will be an internal group, as we aren't yet configuring any type of external authentication server. You can see the screen in Figure E.

    Figure E

    Click on the General tab. This will display the screen shown in Figure F.


    Figure F

    Uncheck all Tunneling Protocols except PPTP. Click Add, at the bottom of the screen, to add this new group.

    Next, go to Configuration | User Management | Users. You'll then see the screen shown in Figure G.

    Figure G


    Click Add. This will display the screen shown in Figure H. For the username, type frank. For the password, type SecurePassword1. Select that this user belongs to the PPTP user group.

    Figure H

    Click Add. Now we need to define a pool of IP addresses to assign to clients. To do this, go to Configuration | System | Address Management | Pools. You'll wind up on the screen shown in Figure I.


    Figure I

    Click Add. For the Range Start, enter 10.253.15.200. For the Range End, enter 10.253.15.210. The subnet mask is 255.255.255.0. When you finish filling out the fields, they'll resemble the ones shown in Figure J.

    Figure J

    Click Add. You'll then see the IP Address Pools screen appear as shown in Figure K.


    Figure K

    Now, go to Configuration | System | Address Management | Assignment. Uncheck all checkboxes except Use Address Pools, as shown in Figure L.

    Figure L

    Click Apply and the configuration is complete on the VPN concentrator.
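The group, user and address pool built in the steps above, modelled as an added example (not Cisco code and not part of the original article): it validates the pool range the way the Pools screen should and hands out addresses at connect time, including the pool-exhaustion case. The `connect` function, the `GROUPS`/`USERS` tables and lowest-free-address-first allocation are assumptions made for the illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AddressPool:
    """Static pool as entered under Configuration | System | Address Management | Pools."""
    start: str
    end: str
    mask: str
    leased: dict = field(default_factory=dict)  # username -> assigned address

    def __post_init__(self):
        # The range must be ascending and lie inside the subnet implied by the mask.
        net = ipaddress.ip_network(f"{self.start}/{self.mask}", strict=False)
        first, last = ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)
        if first > last or last not in net:
            raise ValueError("pool range must be ascending and inside the masked subnet")
        self.free = [ipaddress.ip_address(i) for i in range(int(first), int(last) + 1)]

    def lease(self, user):
        """Hand out the next free address; None when the pool is exhausted."""
        if user in self.leased:                 # reconnecting user keeps its address
            return self.leased[user]
        if not self.free:
            return None
        self.leased[user] = self.free.pop(0)    # assumption: lowest free address first
        return self.leased[user]

    def release(self, user):
        addr = self.leased.pop(user, None)
        if addr is not None:
            self.free.append(addr)

# Values from the article; the table layout itself is an assumption.
GROUPS = {"PPTP": {"password": "techrepublic", "tunneling": {"PPTP"}}}
USERS = {"frank": {"password": "SecurePassword1", "group": "PPTP"}}
POOL = AddressPool("10.253.15.200", "10.253.15.210", "255.255.255.0")

def connect(user, password, protocol, users=USERS, groups=GROUPS, pool=POOL):
    """Check a connection attempt against the group settings; return the assigned
    address as a string, or a short failure reason."""
    rec = users.get(user)
    if rec is None or not hmac.compare_digest(rec["password"], password):
        return "auth-failed"
    if protocol not in groups[rec["group"]]["tunneling"]:
        return "protocol-not-permitted"    # group allows PPTP only (Figure F)
    addr = pool.lease(user)
    return str(addr) if addr is not None else "pool-exhausted"
```

The pool defined in the article holds 11 addresses, so the twelfth simultaneous client gets no address; that is the limit to keep in mind before switching to DHCP as described later.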


    Configuring the Windows Client

    To connect to the new PPTP VPN server, simply go to Start | Control Panel | Network Connections. Click on New Connection Wizard. Click Next on the welcome screen. Select Connect To A Network At My Workplace.

    Select Virtual Private Network Connection. Type in a name for the connection and click Next again.

    When the VPN Server Selection screen appears, type in the IP address or hostname for the VPN server's outside interface. For the purposes of this article, this is 1.1.1.1.

    Take the default on the next screen (that this is for anyone's use) and click Next. Click Finish on the next screen. When done, you will see the window below. Type in your test username (frank) and test password (SecurePassword1), as shown in Figure M.

    Figure M

    Click Connect.

    Once connected, you should see the VPN icon in your Windows tray, at the bottom right of your screen. If you open the VPN connection and click on Details, you should see that you received an IP address from the pool, as you can see in Figure N.

    Figure N


    You should be able to ping the LAN side of the router (the inside, private network) and any host on that network.

    Other things you can do

    The configuration for a Windows XP PPTP VPN client to connect to the VPN concentrator is complete. Likely things you would want to add would be:

    DNS & WINS Servers

    If using a static pool, like we are here, you would likely want to go into the PPTP group and add your internal DNS and WINS server IP addresses. This way, the VPN client can resolve your internal network domain names. Figure O gives an example.

    Figure O


    DHCP

    Many companies would use DHCP instead of a static pool. This way, there is just one repository for IP addressing information. To do this, you can:

    Add a DHCP server under Configuration | System | Servers | DHCP.

    Disable the static pool and enable DHCP under Configuration | System | Address Management | Assignment.

    RADIUS or Windows AD Authentication

    Using a local database of users and passwords might be fine for a handful of users but won't work for more than that. Most companies use RADIUS or Windows AD for authentication. To do this, you can change the type of group, for the PPTP group, from internal to external on the General tab. Then add an authentication server in the Groups section to point to a RADIUS or Windows AD/Kerberos server. This must be configured on the authentication server as well.

    Split Tunneling

    While this is a security risk, many admins allow users' machines to send traffic both to the Internet and to the VPN tunnel. This is called split tunneling. This is disabled by default. It can, however, be enabled in the PPTP group configuration under Client Configuration.

    The VPN concentrator can do more


    Besides these options, the Cisco VPN concentrator can do other things like SSL VPN, VPN Quarantine if a client doesn't meet parameters (like a firewall or AV client being installed), update Cisco VPN Clients automatically, or site-to-site VPN tunnels.

    http://www.techrepublic.com/article/solutionbase-configuring-a-cisco-vpn-concentrator-as-a-remote-access-vpn-server/5967956