7/28/2019 Solution Base
SolutionBase: Configuring a Cisco VPN concentrator as a remote-access VPN server
By Guest Contributor
December 14, 2005, 8:00am PST
In the article "Using a Cisco IOS router as a VPN server", we discussed using a router as
a VPN server for a Microsoft Windows client. In that article, our goal was to not have to
make any changes or install any software on the Windows client. Here's how to
configure a Cisco VPN 3005 concentrator as a remote-access VPN server for that same
Windows client. Again, we have the same goal: no settings to change and no software to
install on the Windows client.
What's the difference?
Because the VPN concentrator is designed specifically as a remote-access VPN server or a
site-to-site VPN endpoint, its overall configuration is less involved than that of a
command-line-based IOS router. Beyond the command line itself, the router is more
challenging to configure because it normally runs a variety of other services (routing,
NAT, access lists) that have to be reconciled with its role as a VPN server. The VPN
concentrator is dedicated solely to being a VPN server.
In this example, we are using a Cisco VPN 3005 concentrator running software 4.1.7.H.
When a Cisco VPN concentrator boots for the first time, it has no configuration, and the
interfaces must be configured from the command line over the console. We have done
this and have our network running. No other changes have been made to the VPN 3005
concentrator beyond this basic network configuration.
Figure A
This is the sample topology we'll be dealing with.
Configuring the concentrator
Go to Configuration | User Management | Base Group. Click on the PPTP/L2TP tab. The
defaults should look like the screen shown in Figure B and should work for a default
Windows XP PPTP VPN client. Note that PPTP's protection rests entirely on the
authentication protocol and the MPPE encryption settings on this tab: allow only
MS-CHAPv2 and require encryption. PAP sends the password in the clear over the
tunnel-setup exchange, and the MS-CHAP family is now considered weak, so treat PPTP as
a legacy convenience rather than a current security recommendation.
Figure B
Click on Configuration | Tunneling and Security | PPTP. Verify that the Enabled checkbox
is marked, as shown in Figure C.
Figure C
Go to Configuration | User Management | Groups as seen in Figure D.
Figure D
Click on Add Group. For the group name, type PPTP. For the group password,
type techrepublic. This will be an internal group, because we aren't yet configuring any
kind of external authentication server. You can see the screen in Figure E.
Figure E
Click on the General tab. This will display the screen shown in Figure F.
Figure F
Uncheck all Tunneling Protocols except PPTP. Click Add, at the bottom of the screen, to
add this new group.
Next, go to Configuration | User Management | Users. You'll then see the screen shown
in Figure G.
Figure G
Click Add. This will display the screen shown in Figure H. For the username, type frank.
For the password, type SecurePassword1. Select PPTP as the group this user belongs to.
Figure H
Click Add. Now we need to define a pool of IP addresses to assign to clients. To do this,
go to Configuration | System | Address Management | Pools. You'll wind up on the
screen shown in Figure I.
Figure I
Click Add. For the Range Start, enter 10.253.15.200. For the Range End, enter
10.253.15.210. The subnet mask is 255.255.255.0. When you finish filling out the fields,
they'll resemble the ones shown in Figure J.
Figure J
Click Add. You'll then see the IP Address Pools screen appear as shown in Figure K.
Figure K
Now, go to Configuration | System | Address Management | Assignment. Uncheck all
checkboxes, except Use Address Pools, as shown in Figure L.
Figure L
Click Apply and the configuration is complete on the VPN concentrator.
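Before moving to the client, it is worth checking two things from the outside: that the address pool is a sensible slice of the inside subnet, and that the concentrator is actually listening for PPTP on its public interface. The Python script below is an added example for this article, not code from the original page or from Cisco. It builds a PPTP Start-Control-Connection-Request and parses the Start-Control-Connection-Reply exactly as laid out in RFC 2637, which is what the Enabled box under Tunneling and Security | PPTP amounts to on the wire. The inside interface address used in the usage lines (10.253.15.1) and the sample host and vendor strings are assumptions; the article does not give them. Nothing here changes the concentrator's configuration.

```python
"""Sanity checks for the PPTP remote-access setup described above.

Check 1: the static address pool is a sane slice of the inside subnet.
Check 2: the concentrator's PPTP listener (TCP 1723) answers a
Start-Control-Connection-Request (SCCRQ) with a Start-Control-Connection-Reply
(SCCRP). Message layouts follow RFC 2637.
"""
import ipaddress
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1             # PPTP message type 1 = control message
SCCRQ, SCCRP = 1, 2          # control message types
PROTOCOL_VERSION = 0x0100    # PPTP 1.0
SCC_LEN = 156                # SCCRQ and SCCRP are both fixed-size
# Common header: length, message type, magic cookie, control type, reserved0
_HDR = struct.Struct("!HHIHH")
# SCCRQ body: version, reserved1, framing cap, bearer cap, max channels,
# firmware revision, host name, vendor string
_SCCRQ_BODY = struct.Struct("!HHIIHH64s64s")
# SCCRP body: version, result code, error code, then the same fields as SCCRQ
_SCCRP_BODY = struct.Struct("!HBBIIHH64s64s")


def _pad(s):
    return s.ljust(64, b"\0")


def build_sccrq(hostname=b"probe-host", vendor=b"probe-vendor"):
    """Build the SCCRQ a PPTP client sends to open the control connection.
    Framing 0x3 = async+sync, bearer 0x3 = analog+digital, one channel."""
    body = _SCCRQ_BODY.pack(PROTOCOL_VERSION, 0, 0x3, 0x3, 1, 0,
                            _pad(hostname), _pad(vendor))
    return _HDR.pack(_HDR.size + len(body), CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0) + body


def build_sccrp(result=1, error=0, hostname=b"sample-server", vendor=b"sample-vendor"):
    """Build an SCCRP as a listening server would. Used here only to construct a
    sample reply for offline testing (constructed data); result code 1 means OK."""
    body = _SCCRP_BODY.pack(PROTOCOL_VERSION, result, error, 0x3, 0x3, 1, 0,
                            _pad(hostname), _pad(vendor))
    return _HDR.pack(_HDR.size + len(body), CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0) + body


def parse_sccrp(data):
    """Parse an SCCRP; return (result_code, error_code, hostname, vendor).
    Raises ValueError for anything that is not a well-formed SCCRP."""
    if len(data) < _HDR.size:
        raise ValueError("short PPTP control message")
    length, msg_type, cookie, ctrl_type, _ = _HDR.unpack_from(data)
    if msg_type != CTRL_MESSAGE or cookie != MAGIC_COOKIE:
        raise ValueError("not a PPTP control message")
    if ctrl_type != SCCRP:
        raise ValueError(f"expected SCCRP (2), got control message type {ctrl_type}")
    if length != SCC_LEN or len(data) < SCC_LEN:
        raise ValueError(f"bad SCCRP length {length}")
    _, result, error, _, _, _, _, host, vendor = _SCCRP_BODY.unpack_from(data, _HDR.size)

    def text(b):
        return b.rstrip(b"\0").decode("ascii", "replace")

    return result, error, text(host), text(vendor)


def probe_pptp(host, port=PPTP_PORT, timeout=5.0):
    """Connect to the concentrator's outside interface, send an SCCRQ and return
    the parsed SCCRP. Needs network access; it is not called at import time."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        buf = b""
        while len(buf) < SCC_LEN:
            chunk = s.recv(SCC_LEN - len(buf))
            if not chunk:
                raise ConnectionError("server closed the control connection")
            buf += chunk
    return parse_sccrp(buf)


def check_pool(start, end, mask, inside_addr):
    """Validate a static pool against the inside interface's subnet: start <= end,
    both inside the subnet, neither the network nor the broadcast address, and the
    concentrator's own inside address not within the range. Returns the pool size."""
    net = ipaddress.IPv4Network(f"{inside_addr}/{mask}", strict=False)
    first, last, own = (ipaddress.IPv4Address(a) for a in (start, end, inside_addr))
    if first > last:
        raise ValueError("range start is after range end")
    for a in (first, last):
        if a not in net:
            raise ValueError(f"{a} is outside {net}")
        if a in (net.network_address, net.broadcast_address):
            raise ValueError(f"{a} is the network or broadcast address")
    if first <= own <= last:
        raise ValueError(f"pool overlaps the inside interface address {own}")
    return int(last) - int(first) + 1


if __name__ == "__main__":
    # Inside address 10.253.15.1 is an assumption; the article does not give it.
    print("pool size:", check_pool("10.253.15.200", "10.253.15.210",
                                   "255.255.255.0", "10.253.15.1"))
    print("offline SCCRP parse:", parse_sccrp(build_sccrp()))
    # print(probe_pptp("1.1.1.1"))   # live check against the outside interface
```

Run probe_pptp against the outside address (1.1.1.1 in this article's topology) from a host on the Internet side. A result code of 1 in the reply confirms the PPTP listener is up; a refused connection or a timeout means either PPTP is not enabled or something upstream is filtering TCP/1723. The probe stops after the SCCRP and never authenticates, so it is safe to run repeatedly.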
Configuring the Windows Client
To connect to the new PPTP VPN server, go to Start | Control Panel | Network
Connections. Click on New Connection Wizard. Click Next on the welcome screen. Select
Connect To The Network At My Workplace.
Select Virtual Private Network Connection. Type in a name for the connection and click
Next again.
When the VPN Server Selection screen appears, type in the IP address or hostname for
the VPN server's outside interface. For the purposes of this article, this is 1.1.1.1.
Take the default on the next screen (that the connection is for anyone's use) and click
Next. Click Finish on the next screen. When done, you will see the connection dialog
shown in Figure M. Type in your test username (frank) and test password (SecurePassword1).
Figure M
Click Connect.
Once connected, you should see the VPN icon in your Windows tray, at the bottom right
of your screen. If you open the VPN connection and click on details, you should see that
you received an IP address from the pool, as you can see in Figure N.
Figure N
You should be able to ping the concentrator's inside (private) interface and any host on
that network.
Other things you can do
The configuration for a Windows XP PPTP VPN client to connect to the VPN concentrator
is complete. Things you would likely want to add next are:
DNS & WINS servers
If you use a static pool, as we do here, you would likely want to go into the PPTP group and add
your internal DNS and WINS server IP addresses. This way, the VPN client can resolve your
internal network domain names. Figure O gives an example.
Figure O
DHCP
Many companies would use DHCP instead of a static pool, so that there is a single repository for
IP addressing information. To do this, you can:
Add a DHCP server under Configuration | System | Servers | DHCP.
Disable the static pool and enable DHCP under Configuration | System | Address Management |
Assignment.
RADIUS or Windows AD authentication
A local database of users and passwords might be fine for a handful of users but does not scale
beyond that, and it leaves another set of credentials to manage and rotate. Most companies use
RADIUS or Windows AD for authentication. To do this, change the type of the PPTP group from
internal to external on the General tab. Then add an authentication server in the Groups section
pointing to a RADIUS or Windows AD/Kerberos server. The concentrator must also be configured as a
client on the authentication server itself.
Split tunneling
Many admins allow users' machines to send traffic both to the Internet directly and into the VPN
tunnel. This is called split tunneling. It is a security risk because a split-tunneled client is
on the Internet and on your internal network at the same time, so a compromise of that machine
bridges the two. It is disabled by default. It can, however, be enabled in the PPTP group
configuration under Client Configuration.
The VPN concentrator can do more
Besides these options, the Cisco VPN concentrator can do other things, such as SSL VPN,
VPN quarantine when a client doesn't meet policy (for example, no firewall or AV client
installed), automatic updates of Cisco VPN Clients, and site-to-site VPN tunnels.
http://www.techrepublic.com/article/solutionbase-configuring-a-cisco-vpn-concentrator-as-a-remote-access-vpn-server/5967956