SolutionBase: Configuring a Cisco VPN concentrator as a remote-access VPN server

Cisco does more than make routers. It also makes a VPN concentrator that makes it easy for you to allow remote users to access your network from anywhere. Here's how you configure it to allow access from Windows clients.

In the article, "Using a Cisco IOS router as a VPN server", we discussed using a router as a VPN server for a Microsoft Windows client. In that article, our goal was to not have to make any changes or install any software on the Windows client. Here's how to configure a Cisco VPN 3005 server as a remote access VPN server for that same Windows client. Again, we have the same goal, to not have to change any settings or install any software on the Windows client.

What's the difference?

As the VPN concentrator is specifically designed as a remote access VPN server or a site-to-site VPN endpoint, the overall configuration of the VPN concentrator will be less difficult than that of a command-line based, IOS router. Besides just dealing with the command line, the router is more challenging to configure as it would normally have a variety of other services running on it, that would interfere with the role of VPN server. The VPN concentrator is dedicated solely to the function of being a VPN server.

In this example, we are using a Cisco VPN 3005 concentrator running software 4.1.7.H. When a Cisco VPN concentrator boots, it has no configuration and the interfaces must be configured using the command line and the console. We have done this and have our network running. No other changes have been made to the VPN 3005 concentrator, other than this basic network configuration.

Figure A

This is the sample topology we'll be dealing with.

Configuring the concentrator

Go to Configuration | User Management | Base Group. Click on the PPTP/L2TP tab. The defaults should look like the screen shown in Figure B and should function fine for a default Windows XP PPTP VPN Client.

Figure B

Click on Configuration | Tunneling and Security | PPTP. Verify that the Enabled checkbox is marked, as shown in Figure C.

Figure C

Go to Configuration | User Management | Groups as seen in Figure D.

Figure D

Click on Add Group. For the group name, type PPTP. For the group password type techrepublic. This will be an internal group as we aren't yet configuring any type of external authentication server. You can see the screen in Figure E.

Figure E

Click on the General tab. This will display the screen shown in Figure F.

Figure F

Uncheck all Tunneling Protocols except PPTP. Click Add, at the bottom of the screen, to add this new group.

Next, go to Configuration | User Management | Users. You'll then see the screen shown in Figure G.

Figure G

Click Add. This will display the screen shown in Figure H. For the username, type frank. For the password type SecurePassword1. Select that this user belongs to the PPTP user group.

Figure H

Click Add. Now we need to define a pool of IP addresses to assign to clients. To do this, go to Configuration | System | Address Management | Pools. You'll wind up on the screen shown in Figure I.

Figure I

Click Add. For the Range Start, enter For the Range End, enter The subnet mask is When you finish filling out the fields, they'll resemble the ones shown in Figure J.

Figure J

Click Add. You'll then see the IP Address Pools screen appear as shown in Figure K.

Figure K

Now, go to Configuration | System | Address Management | Assignment. Uncheck all checkboxes, except Use Address Pools, as shown in Figure L.

Figure L

Click Apply and the configuration is complete on the VPN concentrator.

Configuring the Windows Client

To connect to the new PPTP VPN server, simply go to Start | Control Panel |Network Connections. Click on New Connection Wizard. Click Next on the welcome screen. Select Connect To A Network At My Workplace.

Select Virtual Private Network Connection. Type in a name for the connection and click Next again.

When the VPN Server Selection screen appears, type in the IP address or hostname for the VPN server's outside interface. For the purposes of this article, this is

Take the default on the next screen (that this is for anyone's use) and click Next. Click Finish on the next screen. When done, you will see the window below. Type in your test username (frank) and test password (SecurePassword1), as shown in Figure M.

Figure M

Click Connect.

Once connected, you should see the VPN icon in your Windows tray, at the bottom right of your screen. If you open the VPN connection and click on details, you should see that you received an IP address from the pool, as you can see in Figure N.

Figure N

You should be able to ping the LAN side of the router (the inside, private network) and any host on that network.

Other things you can do

The configuration for a Windows XP PPTP VPN client to connect to the VPN concentrator is complete. Likely things you would want to add would be:

DNS & WINS Servers
If using a static pool, like we are here, you would likely want to go into the PPTP group and add your internal DNS and WINS server IP addresses. This way, the VPN client can resolve your internal network domain names. Figure O gives an example

Figure O

Many companies would use DHCP instead of a static pool. This way, there is just one repository for IP addressing information. To do this, you can: Add a DHCP server under Configuration | System | Servers | DHCP. Disable the static pool and enable DHCP under Configuration | System | Address Management | Assignment. RADIUS or Windows AD Authentication
Using a local database of users and passwords might be fine for a handful of users but won't work for more than that. Most companies use RADIUS or Windows AD for authentication. To do this, you can change the type of group, for the PPTP group, from internal to external on the General tab. Then add an authentication server in the Groups section to point to a RADIUS or Windows AD/Kerberos server. This must be configured on the authentication server as well. Split Tunneling
While this is a security risk, many admins allow users machines to send traffic both to the Internet and to the VPN tunnel. This is called split tunneling. This is disabled by default. It can, however, be enabled in the PPTP group configuration under Client Configuration.

The VPN concentrator can do more

Besides these options, the Cisco VPN concentrator can do other things like SSL VPN, VPN Quarantine if a client doesn't meet parameters (like Firewall installed or AV client installed), update Cisco VPN Clients automatically, or site-to-site VPN tunnels.