By Guest Contributor, December 14, 2005, 8:00am PST
In the article, "Using a Cisco IOS router as a VPN server", we discussed using a router as a VPN server for a Microsoft Windows client. In that article, our goal was to not have to make any changes or install any software on the Windows client. Here's how to configure a Cisco VPN 3005 server as a remote access VPN server for that same Windows client. Again, we have the same goal, to not have to change any settings or install any software on the Windows client.
Click on Configuration | Tunneling and Security | PPTP. Verify that the Enabled checkbox is marked, as shown in Figure C.
Click on Add Group. For the group name, type PPTP. For the group password type techrepublic. This will be an internal group as we aren't yet configuring any type of external authentication server. You can see the screen in Figure E.
Click on the General tab. This will display the screen shown in Figure F.
Uncheck all Tunneling Protocols except PPTP. Click Add, at the bottom of the screen, to add this new group. Next, go to Configuration | User Management | Users. You'll then see the screen shown in Figure G.
Click Add. This will display the screen shown in Figure H. For the username, type frank. For the password type SecurePassword1. Select that this user belongs to the PPTP user group.
Click Add. Now we need to define a pool of IP addresses to assign to clients. To do this, go to Configuration | System | Address Management | Pools. You'll wind up on the screen shown in Figure I.
Click Add. For the Range Start, enter 10.253.15.200. For the Range End, enter 10.253.15.210. The subnet mask is 255.255.255.0. When you finish filling out the fields, they'll resemble the ones shown in Figure J.
Click Add. You'll then see the IP Address Pools screen appear as shown in Figure K.
Now, go to Configuration | System | Address Management | Assignment. Uncheck all checkboxes, except Use Address Pools, as shown in Figure L.
Click Connect. Once connected, you should see the VPN icon in your Windows tray, at the bottom right of your screen. If you open the VPN connection and click on details, you should see that you received an IP address from the pool, as you can see in Figure N.
You should be able to ping the LAN side of the router (the inside, private network) and any host on that network.
DHCP
Many companies would use DHCP instead of a static pool. This way, there is just one repository for IP addressing information. To do this, you can:
Add a DHCP server under Configuration | System | Servers | DHCP.
Disable the static pool and enable DHCP under Configuration | System | Address Management | Assignment.
RADIUS or Windows AD Authentication
Using a local database of users and passwords might be fine for a handful of users but won't work for more than that. Most companies use RADIUS or Windows AD for authentication. To do this, you can change the type of group, for the PPTP group, from internal to external on the General tab. Then add an authentication server in the Groups section to point to a RADIUS or Windows AD/Kerberos server. This must be configured on the authentication server as well.
Split Tunneling
While this is a security risk, many admins allow users' machines to send traffic both to the Internet and to the VPN tunnel. This is called split tunneling. It is disabled by default. It can, however, be enabled in the PPTP group configuration under Client Configuration.
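As an added example (not part of the original article), the Python code below checks from the Windows client side that the connection received an address from the 10.253.15.200 to 10.253.15.210 pool and whether Internet traffic follows the tunnel or bypasses it (split tunneling). It assumes the input is the text output of `route print` on the client; the function names and the two sample tables are constructed for illustration.

```python
import ipaddress

# Address pool configured on the concentrator in the article.
POOL_START = ipaddress.IPv4Address("10.253.15.200")
POOL_END = ipaddress.IPv4Address("10.253.15.210")

# Constructed sample `route print` rows (not captured from a real client).
FULL_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      26
          0.0.0.0          0.0.0.0    10.253.15.201   10.253.15.201       1
      10.253.15.0    255.255.255.0    10.253.15.201   10.253.15.201       1
"""
SPLIT_TUNNEL = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      25
         10.0.0.0        255.0.0.0    10.253.15.201   10.253.15.201       1
"""

def in_pool(addr):
    """True if addr is one of the addresses the concentrator hands out."""
    return POOL_START <= ipaddress.IPv4Address(addr) <= POOL_END

def parse_routes(text):
    """Yield (destination, netmask, interface, metric) for IPv4 route rows."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 5:
            continue  # headers, separators, persistent and IPv6 rows
        try:
            yield (ipaddress.IPv4Address(f[0]), ipaddress.IPv4Address(f[1]),
                   ipaddress.IPv4Address(f[3]), int(f[4]))
        except ValueError:
            continue  # five tokens, but not a route row

def tunnel_mode(text):
    """Return 'no-vpn', 'no-default-route', 'split-tunnel' or 'full-tunnel'."""
    routes = list(parse_routes(text))
    if not any(in_pool(iface) for _, _, iface, _ in routes):
        return "no-vpn"  # no route uses an address from the pool
    defaults = [(metric, iface) for dest, mask, iface, metric in routes
                if int(dest) == 0 and int(mask) == 0]
    if not defaults:
        return "no-default-route"
    # Windows prefers the default route with the lowest metric.
    _, best_iface = min(defaults)
    return "full-tunnel" if in_pool(best_iface) else "split-tunnel"
```

A result of `split-tunnel` means the preferred default route leaves through the local interface while the pool address is active, which is the condition the article flags as a security risk.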
Besides these options, the Cisco VPN concentrator can do other things like SSL VPN, VPN Quarantine if a client doesn't meet parameters (like Firewall installed or AV client installed), update Cisco VPN Clients automatically, or site-to-site VPN tunnels.
http://www.techrepublic.com/article/solutionbase-configuring-a-cisco-vpnconcentrator-as-a-remote-access-vpn-server/5967956