To boot my lab machines securely from anywhere at any time, the solution is to VPN home and then wake the machines over the Internet with a WOL magic packet.
The router is a Cisco 877W with wireless configured, a DSL Internet connection and NAT/PAT so that all my machines can reach the Internet.
The following are the key settings on my router.
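! Cisco 877W home router (see the text above): PPPoE DSL uplink on Dialer0,
! VLAN 100/200/300 on the LAN side behind NAT overload, and an IPsec
! remote-access VPN (group LEO_WENLU) whose clients are addressed out of
! 192.168.117.128-191, inside the Vlan200 subnet, so that a client can reach
! the LAN and - presumably - send the WOL directed broadcast to 192.168.117.255.
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
! Changed from "no service password-encryption": the PPP CHAP/PAP credentials
! under Dialer0 are stored as type 0 (cleartext) and would otherwise appear
! verbatim in "show run" and in every config backup. Type 7 is reversible
! obfuscation, not encryption, so backups are still sensitive; the
! "secret 5" hashes below are unaffected by this setting.
service password-encryption
!
hostname myrouter
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging reload informational
! Type 5 = salted MD5. NOTE(review): if this image offers "enable secret"
! type 8/9 (PBKDF2-SHA256 / scrypt, IOS 15.3(3)M and later), prefer them -
! TODO confirm what the 877W image supports.
enable secret 5 $1$2AJ5$yF2kRiSSfesmnaoHFkA1l1
!
aaa new-model
!
aaa authentication password-prompt "Enter your Password:"
aaa authentication login default local
! VPN_LOGIN (Xauth users) and VPN_NETWORK (group authorization) are both
! local and are referenced from isakmp profile VPNclient and crypto map
! VPN_MAP below; the only local user in this excerpt is "lee" (privilege 15).
aaa authentication login VPN_LOGIN local
aaa authorization network VPN_NETWORK local
!
aaa session-id common
!
! Self-signed trustpoint. Nothing else in this config references it and the
! HTTP server is disabled further down, so it is inert here - presumably
! auto-generated by an earlier HTTPS/SDM setup; TODO confirm.
crypto pki trustpoint TP-self-signed-1438064445
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1438064445
revocation-check none
rsakeypair TP-self-signed-1438064445
!!
no ip dhcp use vrf connected
! 192.168.117.128-.254 is kept out of DHCP so leases never collide with the
! VPN client pool (.128-.191, "ip local pool VPN_POOL1" below); .1-.100 is
! presumably reserved for static hosts such as 192.168.117.1 (published on
! tcp/443). The 192.168.112.x and 192.168.118.x exclusions have no matching
! pool in this excerpt and look like leftovers; harmless.
ip dhcp excluded-address 192.168.112.200 192.168.112.254
ip dhcp excluded-address 192.168.118.200 192.168.118.254
ip dhcp excluded-address 192.168.117.1 192.168.117.100
ip dhcp excluded-address 192.168.117.128 192.168.117.254
ip dhcp excluded-address 192.168.117.0 192.168.117.63
!
! No interface in this excerpt carries 192.168.114.0/24; presumably the
! dot11 radio / BVI (bridge 10 at the bottom) does - TODO confirm.
ip dhcp pool Wireless
network 192.168.114.0 255.255.255.0
default-router 192.168.114.254
dns-server 203.12.160.35 203.12.160.36
!
! Lab LAN (Vlan200). The excluded ranges above leave .101-.127 and .192-.199
! for dynamic leases.
ip dhcp pool vlan200-pool
network 192.168.117.0 255.255.255.0
dns-server 203.12.160.35 203.12.160.36
default-router 192.168.117.254
!
!
ip cef
ip domain name XXXX
ip name-server X.X.X.X
!
multilink bundle-name authenticated
!
! Local admin / Xauth account (hash redacted in spirit: type 5, salted MD5).
username lee privilege 15 secret 5 $1$DqMx$5Pzwo10Aidt2/gtVNkrn2/
!
!
! IKE phase 1. Both policies use DH group 2 (1024-bit); policy 10 uses 3DES
! (default SHA-1 hash) and policy 20 uses MD5 for integrity. All of these are
! deprecated strength. Not changed here because the client-side profile must
! match, but when the client software allows it move to aes 256 / hash
! sha256 / group 14 or higher (where the image supports them) and drop
! policy 10 together with the 3DES transform set below.
crypto isakmp policy 10
encr 3des
authentication pre-share
group 2
!
crypto isakmp policy 20
encr aes
hash md5
group 2
crypto isakmp client configuration address-pool local VPN_POOL1
!
! Remote-access group. "key" is the group pre-shared key (redacted); with
! Xauth it is the first factor for every client, so rotate it if a client
! device is lost. "save-password" lets clients cache the Xauth password on
! disk - convenient, but a stolen laptop then holds a complete VPN credential;
! remove it if that risk matters.
! VPN_SPLIT_TUNNEL (defined below) is NOT applied here (there is no "acl"
! line), so clients are full-tunnel and - presumably the purpose of
! route-map VPN_CLIENT - their Internet traffic is hairpinned through the
! NAT. Add "acl VPN_SPLIT_TUNNEL" here only if split tunnelling is actually
! wanted; otherwise delete the unused ACL to avoid confusion.
crypto isakmp client configuration group LEO_WENLU
key YOURKEY
domain itengineer.local
pool VPN_POOL1
save-password
! Binds the group to the local Xauth list and group authorization; the
! map-level lines below repeat the authorization / address-respond settings.
crypto isakmp profile VPNclient
description This is my VPN Client Pro.
match identity group LEO_WENLU
client authentication list VPN_LOGIN
isakmp authorization list VPN_NETWORK
client configuration address respond
!
!
! IPsec phase 2: 3DES again - see the IKE note; esp-aes 256 is the modern choice.
crypto ipsec transform-set TRAN_3DES esp-3des esp-sha-hmac
!
! reverse-route (RRI) injects a host route for each connected client, so
! return traffic from the LAN is routed back into the tunnel.
crypto dynamic-map VPN_MAP 10
set transform-set TRAN_3DES
reverse-route
!
!
crypto map VPN_MAP isakmp authorization list VPN_NETWORK
crypto map VPN_MAP client configuration address respond
crypto map VPN_MAP 10 ipsec-isakmp dynamic VPN_MAP
!
! SSH v2 only (good). Because the vty lines are reachable from the Internet
! (see Dialer0 and "line vty" notes), consider the IOS login enhancements
! "login block-for 120 attempts 3 within 60" and "login on-failure log" if
! the image has them.
ip ssh time-out 30
ip ssh version 2
!
! Loopback0 appears to exist only as the hairpin target for route-map
! VPN_CLIENT (next-hop 10.11.0.2 lies in this /24): VPN client packets are
! policy-routed here, re-enter as "ip nat inside" traffic and are translated
! out Dialer0. NOTE(review): inferred from the route-map - confirm.
interface Loopback0
ip address 10.11.0.1 255.255.255.0
ip broadcast-address 10.11.0.255
ip nat inside
ip virtual-reassembly
!
! DSL: PPPoE over PVC 8/35 hands the PPP session to Dialer0 (dialer pool 1).
interface ATM0
no ip address
no ip route-cache cef
no ip route-cache
no atm ilmi-keepalive
pvc 8/35
encapsulation aal5snap
pppoe-client dial-pool-number 1
!
!
! FastEthernet0 is the only port in VLAN 100; 1-3 form VLAN 200 (the lab LAN).
interface FastEthernet0
switchport access vlan 100
!
interface FastEthernet1
switchport access vlan 200
!
interface FastEthernet2
switchport access vlan 200
!
interface FastEthernet3
switchport access vlan 200
!
interface Vlan1
description $ES_LAN$
no ip address
ip broadcast-address 192.168.113.255
shutdown
!
! 192.168.112.0/24 is "ip nat inside", but NAT_ACL (below) has no permit for
! this subnet, so hosts on FastEthernet0 are not translated and will not
! reach the Internet unless "permit ip 192.168.112.0 0.0.0.255 any" is added.
! NOTE(review): possibly intentional isolation - confirm.
interface Vlan100
ip address 192.168.112.254 255.255.255.0
ip broadcast-address 192.168.112.255
ip nat inside
no ip virtual-reassembly
ip tcp adjust-mss 1452
!
! "ip directed-broadcast" is what lets a VPN client's WOL magic packet sent
! to 192.168.117.255 be turned into a Layer-2 broadcast on this VLAN. It is
! off by default because it also enables broadcast amplification; here the
! exposure is limited to sources that can already route to this subnet (LAN
! and VPN clients) - both static NAT entries below are TCP, so the Internet
! cannot inject a UDP broadcast directly. To tighten further, the command
! accepts an access list ("ip directed-broadcast <ACL>"): permit only udp
! from 192.168.117.128 0.0.0.63 to host 192.168.117.255 on the port your
! WOL tool uses and deny everything else.
interface Vlan200
ip address 192.168.117.254 255.255.255.0
ip broadcast-address 192.168.117.255
ip directed-broadcast
ip nat inside
no ip virtual-reassembly
ip tcp adjust-mss 1452
!
! 192.168.113.0/24; no DHCP pool for it in this excerpt (static or served elsewhere).
interface Vlan300
ip address 192.168.113.254 255.255.255.0
ip broadcast-address 192.168.113.255
ip nat inside
no ip virtual-reassembly
ip tcp adjust-mss 1452
!
! WAN side. There is no inbound ACL here: the router's own services (SSH,
! IKE on udp/500 and udp/4500, ESP) and the static NAT entries below are
! reachable from any Internet source. Consider an extended ACL applied with
! "ip access-group <NAME> in" that permits udp eq isakmp, udp eq
! non500-isakmp, esp and the published tcp/443, plus stateful return traffic
! (ip inspect / zone-based firewall if the image has it), and ends with
! "deny ip any any log". The crypto map is applied here, so decrypted VPN
! client traffic also enters via this interface - which is why the
! VPN_CLIENT policy route-map lives here as well.
interface Dialer0
ip address negotiated
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
no cdp enable
ip nat outside
no ip virtual-reassembly
encapsulation ppp
ip policy route-map VPN_CLIENT
dialer pool 1
dialer-group 1
! (duplicate "no cdp enable" removed - it was listed twice on this interface)
ppp authentication pap callin
! ISP credentials (redacted). These are the type-0 entries that
! "service password-encryption" above now obfuscates in the running config.
ppp chap hostname XXX@XXX.XXX
ppp chap password 0 XXX
ppp pap sent-username XXX@XXX.XXX 0 XXX
crypto map VPN_MAP
!
! VPN client addresses are carved out of the Vlan200 subnet; this is what
! makes 192.168.117.255 a directed broadcast from the client's point of view.
ip local pool VPN_POOL1 192.168.117.128 192.168.117.191
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 Dialer0
no ip http server
!
! PAT for the inside subnets matched by NAT_ACL, plus two port forwards.
! 192.168.117.1:443 (and a redacted second entry) are directly exposed to
! the Internet; keep those hosts patched and include them in any WAN ACL.
ip nat inside source list NAT_ACL interface Dialer0 overload
ip nat inside source static tcp X interface Dialer0 X
ip nat inside source static tcp 192.168.117.1 443 interface Dialer0 443
!
! NAT exemptions first: LAN <-> VPN clients (.128/26), LAN <-> 192.168.200.0/24
! and any 192.168.x <-> 192.168.119.0/24 (networks not in this excerpt -
! presumably reached over another tunnel or route, TODO confirm), and host
! .12, whose traffic is sent out untranslated, i.e. effectively no Internet
! access (presumably deliberate). Vlan100's 192.168.112.0/24 is not permitted
! at all - see the Vlan100 note.
ip access-list extended NAT_ACL
deny ip 192.168.117.0 0.0.0.127 192.168.117.128 0.0.0.63
deny ip 192.168.117.0 0.0.0.255 192.168.200.0 0.0.0.255
deny ip host 192.168.117.12 any
deny ip 192.168.0.0 0.0.255.255 192.168.119.0 0.0.0.255
permit ip 192.168.117.0 0.0.0.255 any
permit ip 192.168.113.0 0.0.0.255 any
permit ip 192.168.114.0 0.0.0.255 any
!
! VPN_IP matches the VPN client pool; used by route-map VPN_CLIENT for the
! hairpin NAT.
ip access-list extended VPN_IP
permit ip 192.168.117.128 0.0.0.63 any
! Defined but not referenced anywhere in this config - see the note on the
! client configuration group.
ip access-list extended VPN_SPLIT_TUNNEL
permit ip 192.168.117.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.114.0 0.0.0.255 192.168.200.0 0.0.0.255
permit ip 192.168.112.0 0.0.0.255 192.168.200.0 0.0.0.255
!
! Only the trap level is set; no "logging host" appears in this excerpt, so
! events stay in the local buffer and are lost on reload. Ship them to a
! syslog host and add "login on-failure log" so failed SSH logins are visible.
logging trap notifications
!
! Policy-routes VPN client traffic (VPN_IP) to 10.11.0.2 on Loopback0, which
! is "ip nat inside" - the hairpin that gives full-tunnel clients Internet
! access through this router's PAT.
route-map VPN_CLIENT permit 10
match ip address VPN_IP
set ip next-hop 10.11.0.2
!
!
! No control-plane policing configured; a WAN ACL (see Dialer0) covers most
! of the exposure on a home router.
control-plane
!
! Bridge group 10 is presumably for the integrated wireless radio / BVI,
! which is not part of this excerpt.
bridge 10 protocol ieee
bridge 10 route ip
!
line con 0
no modem enable
! AUX port left at defaults; add "no exec" here if nothing is attached.
line aux 0
! SSH is the only transport on the vty lines (good), but there is no
! access-class, so they accept connections from any Internet source on
! Dialer0. Restrict them to LAN and VPN-client sources, e.g.
!   ip access-list standard MGMT
!    permit 192.168.112.0 0.0.0.255
!    permit 192.168.113.0 0.0.0.255
!    permit 192.168.114.0 0.0.0.255
!    permit 192.168.117.0 0.0.0.255
!   line vty 0 4
!    access-class MGMT in
!    exec-timeout 10 0
! and verify from a second LAN session before closing the current one.
line vty 0 4
transport input ssh
!
scheduler max-task-time 5000
end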