Tag: Cisco IOS
This took me several hours of research and trial and error to get working, but with these two configurations (one for the main router and one for the integrated Access Point, or AP) you can cut and paste them into your router and they will work just fine (save for the caveat all the way at the bottom).
What these will give you is the following:
- Two SSIDs, one for guests and one that connects to the main LAN
- A site-to-site VPN with a Cisco ASA device (a 5540, if you must know!), which I will publish a configuration for at a later date
- A configured SSL VPN gateway on the 881W (you get a 90-day trial, which is activated as soon as you enter "webvpn"; after that you have to buy a license)
- A static default route to the provider, in this case Time Warner
- A few sample DHCP reservations for some nodes
First, let's put in the router configuration.
The usual: SSH to the box and get to privileged mode with enable:
----------------Main 881W Configuration-----------------
!
! Last configuration change at 10:05:24 PDT Thu Nov 3 2011 by boaz
! NVRAM config last updated at 10:05:34 PDT Thu Nov 3 2011 by boaz
!
version 15.0
no service pad
service timestamps debug datetime localtime
service timestamps log datetime localtime
service password-encryption
service udp-small-servers
service sequence-numbers
!
hostname GW01
!
boot-start-marker
boot-end-marker
!
security authentication failure rate 2 log
logging buffered 51200
enable password 7 <password-removed>
!
aaa new-model
!
!
aaa authentication login local_auth local
aaa authentication login webvpn local
!
!
!
!
!
aaa session-id common
memory-size iomem 10
clock timezone PST -8
clock summer-time PDT recurring
!
crypto pki trustpoint local
enrollment selfsigned
revocation-check crl
rsakeypair 777network_ssl_key 1024 1024
!
!
crypto pki certificate chain local
ip source-route
!
!
ip dhcp excluded-address 192.168.230.1 192.168.230.99
ip dhcp excluded-address 192.168.230.201 192.168.230.254
ip dhcp excluded-address 192.168.231.1 192.168.231.50
ip dhcp excluded-address 192.168.231.60 192.168.231.254
!
ip dhcp pool sdm-pool1
network 192.168.230.0 255.255.255.0
domain-name domain.com
option 66 ascii "192.168.230.9"
option 160 ascii "192.168.230.9"
default-router 192.168.230.1
dns-server 192.168.230.20
lease 0 2
!
ip dhcp pool Domain-Reservation-1-Printer
host 192.168.230.202 255.255.255.0
client-identifier 0100.8077.f359.83
client-name Brother-MFC-9840CDW
default-router 192.168.230.1
dns-server 4.2.2.2
lease 7
!
ip dhcp pool VLAN-GUEST
network 192.168.231.0 255.255.255.0
default-router 192.168.231.1
domain-name domain.com
dns-server 4.2.2.2 8.8.8.8
lease 0 12
!
ip dhcp pool Domain-Reservation-2-cube1
host 192.168.230.65 255.255.255.0
client-identifier 0100.065b.b4bd.eb
client-name Telemarkter-PC-cubicle-01
default-router 192.168.230.1
dns-server 192.168.250.1
lease 0 2
!
ip dhcp pool Domain-Reservation-3-cube2
host 192.168.230.66 255.255.255.0
client-identifier 0100.0f1f.8c1f.30
client-name Telemarkter-PC-cubicle-02
default-router 192.168.230.1
dns-server 192.168.250.1
lease 0 2
!
!
ip cef
ip domain name domain.com
ip name-server 192.168.230.20
no ipv6 cef
!
!
license udi pid CISCO881W-GN-A-K9 sn FTX1534811A
!
!
archive
log config
logging enable
hidekeys
object-group network GUEST-WLAN
description Guest VLAN (ssid SpotGuest)
192.168.231.0 255.255.255.0
!
object-group network Domain-LAN
description Local Lan for DomainHome
192.168.230.0 255.255.255.0
!
username admin privilege 15 password 7 <password-removed>
username boaz privilege 15 password 7 <password-removed>
username jaymie privilege 0 password 7 <password-removed>
username afe privilege 0 password 7 <password-removed>
username david privilege 0 password 7 <password-removed>
!
!
ip tcp synwait-time 10
ip ssh time-out 60
ip ssh authentication-retries 2
!
!
crypto isakmp policy 9
encr 3des
authentication pre-share
group 2
lifetime 900
crypto isakmp key branch2vpnkey address 64.74.10.10
!
crypto ipsec security-association lifetime seconds 900
!
crypto ipsec transform-set SpotEquinixSET esp-3des esp-sha-hmac
!
crypto map EquinixTunnel 9 ipsec-isakmp
description Tunnel from Wilshire to Equinix
set peer 64.74.10.10
set transform-set SpotEquinixSET
match address 150
reverse-route static
!
!
!
!
!
interface Loopback2
description interface for SSL_VPN
ip address 192.168.232.1 255.255.255.0
!
interface FastEthernet0
switchport access vlan 20
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet1
switchport access vlan 20
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet2
switchport access vlan 20
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet3
switchport access vlan 20
switchport mode trunk
spanning-tree portfast
!
interface FastEthernet4
ip address 173.196.143.178 255.255.255.248
no ip redirects
no ip unreachables
no ip proxy-arp
ip flow ingress
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map EquinixTunnel
!
interface wlan-ap0
description Service module interface to manage the embedded AP
ip address 1.1.1.1 255.255.255.252
arp timeout 0
!
interface Wlan-GigabitEthernet0
description Internal switch interface connecting to the embedded AP
switchport mode trunk
!
interface Vlan1
description Vlan for the Wireless AP
ip address 192.168.230.1 255.255.255.0
ip nat inside
ip virtual-reassembly
ip tcp adjust-mss 1452
!
interface Vlan20
description Guest Wireless Network (DomainGuest)
ip address 192.168.231.1 255.255.255.0
ip access-group Guest-ACL in
ip nat inside
ip virtual-reassembly
!
ip local pool webvpn1 192.168.232.5 192.168.232.10
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source route-map NAT-RMap interface FastEthernet4 overload
ip route 0.0.0.0 0.0.0.0 173.196.143.177
!
ip access-list standard LocalRoute-Acl
permit 192.168.230.0 0.0.0.255
!
ip access-list extended Guest-ACL
deny ip any 192.168.230.0 0.0.0.255
permit ip any any
ip access-list extended Inside-Out-Acl
permit icmp any any echo
permit icmp any any echo-reply
permit icmp any any time-exceeded
permit ip host 192.168.230.111 any
permit ip 192.168.230.64 0.0.0.31 host 173.196.143.180
permit ip 192.168.230.0 0.0.0.63 any
permit ip 192.168.230.128 0.0.0.127 any
ip access-list extended TerminalAccess
permit tcp any any eq 22 log
permit tcp host 192.168.230.111 any eq telnet log
deny tcp any any log
ip access-list extended test
ip access-list extended webvpn-acl
permit icmp any any
permit tcp 192.168.232.0 0.0.0.255 any eq 3389 log
permit tcp 192.168.232.0 0.0.0.255 any eq domain
permit udp 192.168.232.0 0.0.0.255 any eq domain
deny ip any host 192.168.230.9 log
permit tcp 192.168.232.0 0.0.0.255 any eq www
deny ip any any log
!
logging trap debugging
access-list 110 deny ip 192.168.230.0 0.0.0.255 10.0.0.0 0.255.255.255
access-list 110 permit ip 192.168.230.0 0.0.0.255 any
access-list 110 permit ip 192.168.231.0 0.0.0.255 any
access-list 150 permit ip 192.168.230.0 0.0.0.255 10.0.10.0 0.0.0.255
no cdp run
!
!
!
!
route-map LocalRoute-RMap permit 9
match ip address LocalRoute-Acl
!
route-map NAT-RMap permit 9
match ip address 110
!
snmp-server community SNMPRW
snmp-server community SNMPRO
snmp-server location CiscoHouse
snmp-server contact Cisco
!
control-plane
!
privilege exec level 0 ping
banner login ^C
*** WARNING ***
You have reached an Official Corporate Computer System.
Unauthorized access is prohibited by Public Law 99-474.
The Computer Fraud and Abuse Act of 1986.
***********************************************************
FOR ACCESS TO THIS SYSTEM
CONTACT
THE SYSTEMS INTEGRATION GROUP
***********************************************************
**** FOR OFFICIAL CORPORATE BUSINESS ONLY ****
T H E G R O U P
** Unauthorized use is Prohibited and Punishable by Law **
***********************************************************
^C
banner motd ^C
***********************************************************
GW01.domain.com
contact Boaz at DataStability.com for any Questions
***********************************************************
^C
!
line con 0
privilege level 15
logging synchronous
login authentication local_auth
no modem enable
line aux 0
line 2
no activation-character
no exec
transport preferred none
transport input all
line vty 0 4
access-class TerminalAccess in
exec-timeout 30 0
privilege level 0
logging synchronous
login authentication local_auth
transport preferred ssh
transport input all
!
scheduler max-task-time 5000
ntp master
ntp update-calendar
!
webvpn gateway 777network
hostname gw01
ip address 173.196.143.178 port 443
http-redirect port 80
ssl trustpoint local
inservice
!
webvpn install svc flash:/webvpn/anyconnect-win-2.4.1012-k9.pkg sequence 1
!
webvpn install svc flash:/webvpn/anyconnect-macosx-i386-2.4.1012-k9.pkg sequence 2
!
webvpn install svc flash:/webvpn/anyconnect-linux-2.4.1012-k9.pkg sequence 3
!
webvpn context 777network
title "777network Secure Gateway"
ssl authenticate verify all
!
url-list "InternalWebServers"
heading "Email Servers"
url-text "Outlook Web Access" url-value "http://exchange.domain.com"
!
nbns-list "NBNSServers"
nbns-server 192.168.230.20
login-message "Enter your credentials"
!
policy group 777networkpolicy
url-list "InternalWebServers"
nbns-list "NBNSServers"
functions file-access
functions file-browse
functions file-entry
functions svc-enabled
banner "Welcome to 777 Network, Authentication Successful"
filter tunnel webvpn-acl
svc address-pool "webvpn1"
svc default-domain "domain.com"
svc keep-client-installed
svc homepage "http://exchange.domain.com"
svc rekey method new-tunnel
svc split include 192.168.230.0 255.255.255.0
svc dns-server primary 192.168.230.20
default-group-policy 777networkpolicy
aaa authentication list webvpn
gateway 777network
inservice
!
end
----------------end main 881W Configuration-----------------
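Before trusting the guest isolation and the SSL VPN filter, it is worth tracing a few packets through the ACLs by hand. The following Python script is an added example (not part of the original post or of Cisco's tooling): it implements IOS first-match ACL evaluation with wildcard masks and runs the Guest-ACL and webvpn-acl entries copied from the configuration above against sample packets. It shows, for instance, that because the 3389 permit precedes the deny for host 192.168.230.9, RDP from the VPN pool to that host is still permitted while HTTP to it is denied.

```python
import ipaddress
from collections import namedtuple
# ACL bodies copied from the 881W config above (constructed test fixture, not read from a device).
GUEST_ACL = """
deny ip any 192.168.230.0 0.0.0.255
permit ip any any
"""
WEBVPN_ACL = """
permit icmp any any
permit tcp 192.168.232.0 0.0.0.255 any eq 3389 log
permit tcp 192.168.232.0 0.0.0.255 any eq domain
permit udp 192.168.232.0 0.0.0.255 any eq domain
deny ip any host 192.168.230.9 log
permit tcp 192.168.232.0 0.0.0.255 any eq www
deny ip any any log
"""
PORT_NAMES = {"domain": 53, "www": 80, "telnet": 23}
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))

def parse_addr(tokens):
    """Consume one IOS address spec (any | host A | A WILDCARD); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # IOS wildcard masks are inverted netmasks; ipaddress accepts them as-is (0.0.0.255 -> /24)
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_rule(line):
    """Parse 'permit|deny PROTO SRC DST [eq PORT] [log]'; other options (icmp types etc.) are ignored."""
    tokens = line.split()
    action, proto = tokens[0], tokens[1]
    src, rest = parse_addr(tokens[2:])
    dst, rest = parse_addr(rest)
    dport = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return action, proto, src, dst, dport

def evaluate(acl_text, pkt):
    """Walk the ACL top-down as IOS does: the first matching entry decides, else implicit deny."""
    for line in acl_text.strip().splitlines():
        action, proto, src, dst, dport = parse_rule(line)
        if proto != "ip" and proto != pkt.proto:
            continue
        if ipaddress.ip_address(pkt.src) not in src or ipaddress.ip_address(pkt.dst) not in dst:
            continue
        if dport is not None and dport != pkt.dport:
            continue
        return action
    return "deny"  # every IOS ACL ends with an implicit deny
```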
And now we need to get to the AP, which you can do either by telnetting to its IP and port (more on that in another post) or by running the following from the router:
881W#service-module wlan-ap 0 session
Trying 1.1.1.1, 2002 ... Open
c
Now you can paste in the configuration below:
----------------AP for 881W Configuration-----------------
!
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname ap
!
enable secret 5 password1234-removed
!
no aaa new-model
!
!
dot11 syslog
!
dot11 ssid SpotGuest
vlan 20
authentication open
authentication key-management wpa
mbssid guest-mode
wpa-psk ascii 0 password1234-removed
!
dot11 ssid 777network
vlan 1
authentication open
authentication key-management wpa
guest-mode
mbssid guest-mode
wpa-psk ascii 0 password1234-removed
!
dot11 network-map
!
!
username admin privilege 15 secret 5 password1234-removed
username boaz privilege 15 password 7 password1234-removed
!
!
bridge irb
!
!
interface Dot11Radio0
no ip address
no ip route-cache
!
encryption vlan 1 mode ciphers aes-ccm
!
encryption vlan 20 mode ciphers aes-ccm
!
ssid SpotGuest
!
ssid 777network
!
antenna gain 0
mbssid
speed basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m8. m9. m10. m11. m12. m13. m14. m15.
channel width 40-above
station-role root
!
interface Dot11Radio0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
bridge-group 1 subscriber-loop-control
bridge-group 1 block-unknown-source
no bridge-group 1 source-learning
no bridge-group 1 unicast-flooding
bridge-group 1 spanning-disabled
!
interface Dot11Radio0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
bridge-group 20 subscriber-loop-control
bridge-group 20 block-unknown-source
no bridge-group 20 source-learning
no bridge-group 20 unicast-flooding
bridge-group 20 spanning-disabled
!
interface GigabitEthernet0
description the embedded AP GigabitEthernet 0 is an internal interface connecting AP with the host router
no ip address
no ip route-cache
!
interface GigabitEthernet0.1
encapsulation dot1Q 1 native
no ip route-cache
bridge-group 1
no bridge-group 1 source-learning
bridge-group 1 spanning-disabled
!
interface GigabitEthernet0.20
encapsulation dot1Q 20
no ip route-cache
bridge-group 20
no bridge-group 20 source-learning
bridge-group 20 spanning-disabled
!
interface BVI1
ip address 192.168.230.2 255.255.255.0
no ip route-cache
!
ip default-gateway 192.168.230.1
ip http server
no ip http secure-server
ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
!
ip access-list extended Guest-ACL
permit icmp any any
deny ip any 192.168.230.0 0.0.0.255
permit ip any any
bridge 1 protocol ieee
bridge 1 route ip
!
!
!
line con 0
privilege level 15
login local
no activation-character
line vty 0 4
login local
!
cns dhcp
end
----------------End AP for 881W Configuration-----------------
Caveat: since this article doesn't cover the certificates you need to create for both the SSL VPN and the site-to-site VPN, you will get some errors. You first need to create these certificates (self-signed) or buy them from a CA like VeriSign.
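Since the post suggests pasting the configuration as-is, a practitioner will want to know which of its settings are legacy or weak by current standards before doing so. The following Python script is an added example, not part of the original post: it scans an excerpt copied from the main router configuration above (constructed fixture, with the IOS sub-command indentation restored) for type 7 passwords, 3DES and DH group 2 in the IKE policy, the UDP small servers, IP source routing, the cleartext HTTP server, SNMP communities without an access-list, and telnet on the vty lines, and reports the replacement for each.

```python
import re

# Excerpt of the 881W running-config shown above (constructed fixture; IOS sub-command indentation restored).
CONFIG = """\
enable password 7 <password-removed>
service udp-small-servers
ip source-route
username boaz privilege 15 password 7 <password-removed>
crypto isakmp policy 9
 encr 3des
 group 2
ip http server
snmp-server community SNMPRW
snmp-server community SNMPRO
line 2
 transport input all
line vty 0 4
 transport input all
"""

# (enclosing-section regex or None, line regex, what the finding means, what to change it to)
CHECKS = [
    (None, r"^(enable|username \S+.*) password 7 ", "type 7 'password' is reversible obfuscation, not a hash", "use the 'secret' form (enable secret / username ... secret)"),
    (None, r"^service udp-small-servers$", "UDP echo/chargen/discard servers are enabled", "no service udp-small-servers"),
    (None, r"^ip source-route$", "source-routed packets are honoured", "no ip source-route"),
    (r"^crypto isakmp policy", r"^encr 3des$", "3DES is deprecated for IKE", "encr aes 256"),
    (r"^crypto isakmp policy", r"^group 2$", "DH group 2 (1024-bit) is deprecated", "group 14 or higher"),
    (None, r"^ip http server$", "cleartext HTTP management listener is enabled", "no ip http server if nothing depends on it; ip http secure-server already provides HTTPS"),
    (None, r"^snmp-server community \S+$", "SNMP community with no access-list restricting who may poll it", "snmp-server community <name> RO <acl>"),
    (r"^line vty", r"^transport input all$", "vty lines accept telnet (cleartext) as well as SSH", "transport input ssh"),
]

def audit(config_text):
    """Scan the config line by line, tracking the enclosing section; return (line_no, line, finding, fix)."""
    findings, section = [], ""
    for num, raw in enumerate(config_text.splitlines(), 1):
        if not raw.startswith(" "):  # unindented = top-level command, which starts a new section
            section = raw
        line = raw.strip()
        for sect_re, line_re, why, fix in CHECKS:
            if sect_re and not re.match(sect_re, section):
                continue
            if re.match(line_re, line):
                findings.append((num, line, why, fix))
    return findings

def summary(config_text):
    """Distinct issue descriptions found, for a quick overview."""
    return {why for _, _, why, _ in audit(config_text)}
```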