Cisco IOS to VPN client configuration
by dhammans on Nov.15, 2009, under Cisco
I recently had the need to configure an IOS router to accept VPN connections from the Cisco VPN client. I know it’s easier to use PPTP with Windows, but I wanted a configuration that would support anything the CVPN client could run on, and to be honest I’m just not a very big fan of Microsoft. Being that Cisco is trying to force people to use AnyConnect/SSL VPN these days, it’s convenient that none of their instructions on Cisco.com actually work with up-to-date software revisions.
aaa new-model
!
! Local user database: authenticates each VPN user (XAUTH) and authorizes the group.
aaa authentication login userauthen local
aaa authorization network groupauthor local
!
! XAUTH user account; the type-5 password hash has been redacted from the post.
username acme privilege 15 secret 5 .
!
! IKE phase 1 policy: AES encryption, MD5 integrity, pre-shared group key, DH group 2.
crypto isakmp policy 5
 encr aes
 hash md5
 authentication pre-share
 group 2
!
! Easy VPN group: the client presents this group name and key, then receives a
! pool address, the domain, and the split-tunnel list (access-list 110).
crypto isakmp client configuration group cvpnclient
 key acme
 domain acme-labs.net
 pool vpnpool
 acl 110
!
! IPsec phase 2 transform set: 3DES with SHA-1 HMAC.
crypto ipsec transform-set acmeset esp-3des esp-sha-hmac
!
! Dynamic map: clients connect from unknown addresses, so no peer is configured.
crypto dynamic-map dynmap 10
 set transform-set acmeset
!
! Tie XAUTH, group authorization and address assignment to the crypto map,
! then bind the dynamic entry into it.
crypto map acmemap client authentication list userauthen
crypto map acmemap isakmp authorization list groupauthor
crypto map acmemap client configuration address respond
crypto map acmemap 10 ipsec-isakmp dynamic dynmap
!
interface FastEthernet0/0
 description Public Internet
 ip address 1.2.3.4 255.255.255.0
 ip nat outside
 ip virtual-reassembly
 duplex auto
 speed auto
 crypto map acmemap
!
interface FastEthernet0/1
 description Internal LAN
 ip address 192.168.0.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 duplex auto
 speed auto
!
! Addresses handed out to VPN clients; this range is not on any local interface.
ip local pool vpnpool 192.168.50.20 192.168.50.100
ip route 0.0.0.0 0.0.0.0 1.2.3.1
!
! PAT for the LAN, driven by access-list 100, plus one static mapping.
ip nat inside source list 100 interface FastEthernet0/0 overload
ip nat inside source static 192.168.0.7 65.16.102.187
!
! NAT ACL: the deny must come first so LAN-to-VPN-pool traffic is exempt from
! translation and still matches the IPsec SA when it reaches the crypto map.
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
! Split-tunnel list pushed to the client: only traffic for the LAN uses the tunnel.
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
!
end
To configure the Cisco VPN client, enter the group name defined in the config (here cvpnclient) as the group name and the value of the key command (acme above) as the group password. Each user then authenticates during XAUTH with a username and password from the router's local database (the userauthen list). The group key is a shared secret for everyone who uses that group, so pick a long random value rather than a word like acme, and the local user password should be just as strong; the type-5 hash shown on the username line was redacted from the post. The ISAKMP policy above negotiates AES with MD5 integrity and DH group 2, and the transform set uses 3DES with SHA-1. The Cisco VPN client also negotiates AES and SHA-1 for both phases, so hash sha and an esp-aes esp-sha-hmac transform set are the better choice if your client software supports them.

Take a close look at access-list 100, which is what makes the tunnel work with NAT applied. For traffic going from the inside interface to the outside interface, IOS translates before it encrypts, so the first entry has to deny (exempt from NAT) traffic from the LAN to the VPN pool. Only then does the packet reach the crypto map with its original source address and match the IPsec SA that was built for the client from the split-tunnel list (access-list 110). Without that first deny, a packet bound for a VPN client would be translated to the public overload address 1.2.3.4 before the crypto map saw it, fail to match the SA, and be forwarded unencrypted toward a private destination or dropped. That would be bad.
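The following Python script is an added example, not code from the original post or from Cisco. It models the inside-to-outside packet path the paragraph above describes: it parses the NAT and split-tunnel ACLs in the one form the post uses (access-list N permit|deny ip SRC WILDCARD DST WILDCARD, plus any/host), applies IOS first-match semantics with the implicit deny, and then replays the order of operations (NAT from access-list 100 first, crypto map second). Two assumptions are built in and labelled in the code: access-list 110 stands in for the IPsec SA traffic selector that the client negotiates from that split-tunnel list, and the sample config is a constructed subset of the lines shown above, once with and once without the NAT exemption.

```python
"""Model the inside-to-outside packet path of the Easy VPN config above.

Added example for this post, not code from the original page or from Cisco.
Simplification (assumption): access-list 110 is used as the IPsec SA traffic
selector; on the real router the selector comes from the identities the
client negotiates using that split-tunnel list.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed sample: the NAT and split-tunnel lines from the post, plus the
# same config with the NAT exemption (the deny entry) left out.
CONFIG = """\
ip nat inside source list 100 interface FastEthernet0/0 overload
access-list 100 deny ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
access-list 100 permit ip 192.168.0.0 0.0.0.255 any
access-list 110 permit ip 192.168.0.0 0.0.0.255 192.168.50.0 0.0.0.255
"""
CONFIG_NO_EXEMPT = "\n".join(
    line for line in CONFIG.splitlines() if not line.startswith("access-list 100 deny")
)


@dataclass(frozen=True)
class AclEntry:
    action: str  # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """IOS wildcard masks are inverted subnet masks (0.0.0.255 -> /24).

    Only contiguous wildcards are handled; ipaddress rejects anything else.
    """
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)


def _take_address(tokens: list[str]) -> tuple[ipaddress.IPv4Network, list[str]]:
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(config: str, number: int) -> list[AclEntry]:
    """Collect the entries of numbered extended ACL `number`, in config order."""
    entries = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[:2] != ["access-list", str(number)] or parts[3] != "ip":
            continue
        src, rest = _take_address(parts[4:])
        dst, _ = _take_address(rest)
        entries.append(AclEntry(parts[2], src, dst))
    return entries


def acl_permits(entries: list[AclEntry], src_ip: str, dst_ip: str) -> bool:
    """First matching entry wins; an ACL with no matching entry denies implicitly."""
    src, dst = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for entry in entries:
        if src in entry.src and dst in entry.dst:
            return entry.action == "permit"
    return False


def inside_to_outside(config: str, src_ip: str, dst_ip: str,
                      outside_ip: str = "1.2.3.4") -> tuple[str, bool]:
    """Return (source address on the wire, True if the packet is encrypted).

    Inside->outside on IOS: NAT runs before the crypto map, so a packet that
    access-list 100 permits is translated to the outside address before the
    crypto map sees it, and then no longer matches the SA selector.
    """
    nat_acl = parse_acl(config, 100)
    crypto_acl = parse_acl(config, 110)  # assumption: stands in for the SA selector
    wire_src = outside_ip if acl_permits(nat_acl, src_ip, dst_ip) else src_ip
    encrypted = acl_permits(crypto_acl, wire_src, dst_ip)
    return wire_src, encrypted


if __name__ == "__main__":
    for label, cfg in (("with NAT exemption", CONFIG), ("without NAT exemption", CONFIG_NO_EXEMPT)):
        print(label)
        for dst in ("192.168.50.21", "198.51.100.7"):
            wire_src, encrypted = inside_to_outside(cfg, "192.168.0.5", dst)
            print(f"  192.168.0.5 -> {dst}: leaves as {wire_src}, "
                  f"{'encrypted' if encrypted else 'cleartext'}")
```

Run it and the first block shows LAN-to-pool traffic leaving as 192.168.0.5 and encrypted while LAN-to-Internet traffic leaves as 1.2.3.4 in the clear, which is the intended split; the second block shows that dropping the deny entry makes LAN-to-pool traffic leave as 1.2.3.4 unencrypted, exactly the failure the text warns about.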
