Table Of Contents
Cisco Easy VPN Remote Phase II
Enhancements Specific to Phase II
Multiple Inside Interface Enhancements
Multiple Outside Interfaces Support
Local Address Support for Easy VPN Remote
Simultaneous Easy VPN Client and Server Support
Cisco Easy VPN Remote Web Manager
Differences Between Cisco Easy VPN Remote Phase II and Phase I
Platform-Specific Documentation
Supported Standards, MIBs, and RFCs
Configuring Manual Tunnel Control
Configuring Multiple Inside Interfaces
Configuring Multiple Outside Interfaces
Verifying Outside Interface Configuration
Configuring Easy VPN Remote Using Cable DHCP Proxy
Configuring Easy VPN Remote with a Static IP Address
Configuring Proxy DNS Server Support
Verifying Proxy DNS Server Support
Configuring and Using the Cisco Easy VPN Remote Web Manager
Configuring the DHCP Server Pool
Verifying the DHCP Server Pool
Configuring and Assigning the Cisco Easy VPN Remote Configuration
Verifying the Cisco Easy VPN Configuration
Configuring the Cisco VPN 3000 Series Concentrator
Cable DHCP Proxy Enhancement Configuration Examples
Local Address Support for Easy VPN Remote Example
PIX Interoperability Support Example
Client Mode Configuration Examples
Cisco Easy VPN Client in Client Mode (Cisco uBR905 and Cisco uBR925) Example
Cisco Easy VPN Client in Client Mode (Cisco 806) Example
Cisco Easy VPN Client in Client Mode (Cisco 827) Example
Cisco Easy VPN Client in Client Mode (Cisco 1700 Series) Example
Network Extension Mode Configuration Examples
Cisco Easy VPN Client in Network-Extension Mode (Cisco uBR905 and Cisco uBR925) Example
Cisco Easy VPN Client in Network-Extension Mode (Cisco 806) Example
Cisco Easy VPN Client in Network-Extension Mode (Cisco 827) Example
Cisco Easy VPN Client in Network-Extension Mode (Cisco 1700 Series) Example
VPN Remote Access Server Configuration Examples
VPN Remote Access Server Without Split Tunneling Example
VPN Remote Access Server Configuration With Split Tunneling Example
VPN Remote Access Server Configuration With XAUTH Example
clear crypto ipsec client ezvpn
crypto ipsec client ezvpn xauth
crypto ipsec client ezvpn (global configuration)
crypto ipsec client ezvpn (interface configuration)
crypto ipsec client ezvpn connect
show crypto ipsec client ezvpn
debug crypto ipsec client ezvpn
Cisco Easy VPN Remote Phase II
Feature History
This document describes the Cisco Easy VPN Remote Phase II feature for Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers; Cisco 1700 series routers; and Cisco uBR905 and Cisco uBR925 cable access routers in Cisco IOS Release 12.2(8)YJ. This document provides information on configuring and monitoring the Cisco Easy VPN Remote Phase II feature to create IPSec Virtual Private Network (VPN) tunnels between a supported router and another Cisco router that supports this form of IPSec encryption and decryption.
This document includes the following sections:
•
Supported Standards, MIBs, and RFCs
Feature Overview
Cable modems, xDSL routers, and other forms of broadband access provide high-performance connections to the Internet, but many applications also require the security of VPN connections that perform a high level of authentication and that encrypt the data between two particular endpoints. However, establishing a VPN connection between two routers can be complicated, and typically requires tedious coordination between network administrators to configure the two routers' VPN parameters.
The Cisco Easy VPN Remote Phase II feature eliminates much of this tedious work by implementing Cisco Unity Client Protocol, which allows most VPN parameters to be defined at a VPN remote access server. This server can be a dedicated VPN device such as a Cisco VPN 3000 concentrator or a Cisco PIX Firewall, or a Cisco IOS router that supports the Cisco Unity Client Protocol.
After the VPN remote access server has been configured, a VPN connection can be created with minimal configuration on an IPSec client, such as a Cisco uBR905 or Cisco uBR925 cable access router, as well as on the Cisco 806/826/827/828 and Cisco 1700 series routers. When the IPSec client then initiates the VPN tunnel connection, the VPN remote access server pushes the IPSec policies to the IPSec client and creates the corresponding VPN tunnel connection.
The Cisco Easy VPN Remote Phase II feature provides for automatic management of the following details:
•
Negotiating tunnel parameters—Addresses, algorithms, lifetime, and so on.
•
Establishing tunnels according to the parameters.
•
Automatically creating the Network Address Translation (NAT)/Port Address Translation (PAT) and associated access lists that are needed, if any.
•
Authenticating users—Making sure that users are who they say they are by way of usernames, group names, and passwords.
•
Managing security keys for encryption and decryption.
•
Authenticating, encrypting, and decrypting data through the tunnel.
Modes of Operation
The Cisco Easy VPN Remote Phase II feature supports two modes of operation:
•
Client—Specifies that NAT/PAT be done, so that the PCs and other hosts at the client end of the VPN tunnel form a private network that does not use any IP addresses in the destination server's IP address space.
In client mode, the Cisco Easy VPN Remote Phase II feature automatically configures the NAT/PAT translation and access lists that are needed to implement the VPN tunnel. These configurations are automatically created when the IPSec VPN connection is initiated. When the tunnel is torn down, the NAT/PAT and access list configurations are automatically deleted.
The NAT/PAT configuration is created with the following assumptions:
–
The ip nat inside command is applied to all inside interfaces, including default inside interfaces. The default inside interface is the Ethernet0 interface (for the Cisco 806, Cisco 826, Cisco 827, Cisco 828 routers, and the Cisco uBR905 and Cisco uBR925 cable access routers).
–
The ip nat outside command is applied to the interface that is configured with the Cisco Easy VPN Remote Phase II configuration. On the Cisco uBR905 and Cisco uBR925 routers, this is always the Cable-modem0 interface. On the Cisco 800 series and Cisco 1700 series routers, this is the outside interface configured with the Cisco Easy VPN Remote Phase II configuration. On the Cisco 1700 series routers, multiple outside interfaces can be configured.
Tip
The NAT/PAT translation and access-list configurations that are created by the Cisco Easy VPN Remote Phase II feature are not written to either the startup-configuration or running-configuration files. These configurations, however, can be displayed using the show ip nat statistics and show access-list commands.
•
Network Extension—Specifies that the PCs and other hosts at the client end of the VPN tunnel should be given IP addresses that are fully routable and reachable by the destination network over the tunneled network, so that they form one logical network. PAT is not used, which allows the client PCs and hosts to have direct access to the PCs and hosts at the destination network.
Both modes of operation also optionally support split tunneling, which allows secure access to corporate resources through the VPN tunnel while also allowing Internet access through a connection to an Internet Service Provider (ISP) or other service—thereby eliminating the corporate network from the path for web access.
Authentication can also be done using Extended Authentication (XAUTH). In this situation, when the VPN remote access server requests XAUTH authentication, the following messages are displayed on the router's console:
EZVPN: Pending XAuth Request, Please enter the following command:
EZVPN: crypto ipsec client ezvpn xauth
The user can then provide the necessary user ID, password, and other information by entering the crypto ipsec client ezvpn xauth command and responding to the prompts that follow.
Note
The timeout for entering the username and password is determined by the configuration of the VPN remote access server. For servers running Cisco IOS software, this timeout value is specified by the crypto isakmp xauth timeout command.
Figure 1 illustrates the client mode of operation. In this example, the Cisco uBR905 cable access router provides access to two PCs, which have IP addresses in the 10.0.0.0 private network space. These PCs connect to the Ethernet interface on the Cisco uBR905 router, which also has an IP address in the 10.0.0.0 private network space. The Cisco uBR905 router performs NAT/PAT translation over the VPN tunnel so that the PCs can access the destination network.
Figure 1 Cisco Easy VPN Client Connection
Note
The diagram in Figure 1 could also represent a split tunneling connection, in which the client PCs can access public resources in the global Internet without including the corporate network in the path for the public resources.
Figure 2 also illustrates the client mode of operation, in which a VPN concentrator provides destination endpoints to multiple xDSL clients. In this example, Cisco 800 series routers provide access to multiple small business clients, each of which uses IP addresses in the 10.0.0.0 private network space. The Cisco 800 series routers perform NAT/PAT translation over the VPN tunnel, so that the PCs can access the destination network.
Figure 2 Cisco Easy VPN Client Connection (using VPN concentrator)
Figure 3 illustrates the network extension mode of operation. In this example, the Cisco uBR905 cable access router and Cisco 1700 series router both act as Cisco Easy VPN Clients, connecting to a Cisco VPN 3000 concentrator.
The client hosts are given IP addresses that are fully routable by the destination network over the tunnel. These IP addresses could be either in the same subnet space as the destination network, or they could also be in separate subnets, as long as the destination routers are configured to properly route those IP addresses over the tunnel.
In this example, the PCs and hosts attached to the two routers have IP addresses that are in the same address space as the destination enterprise network. The PCs connect to the Cisco uBR905 router's Ethernet interface, which also has an IP address in the enterprise address space. This provides a seamless extension of the remote network.
Figure 3 Cisco Easy VPN Network Extension Connection
Note
For information on configuring the VPN 3000 concentrator for use with the Cisco Easy VPN Remote Phase II feature, see the "Configuring the Cisco VPN 3000 Series Concentrator" section.
Enhancements Specific to Phase II
The Phase II implementation of the Cisco Easy VPN Remote feature provides enhancements and additional capabilities to Phase I features. In Phase II, the Cisco Easy VPN Remote feature provides the following enhancements:
•
Manual Tunnel Control—Establishes and terminates the IPSec VPN tunnel on demand.
•
Multiple Inside Interface Enhancements—Configures up to three inside interfaces on the Cisco Easy VPN client.
•
Multiple Outside Interfaces Support—Configures up to four outside tunnels for outside interfaces.
•
NAT Interoperability Support—Automatically restores the NAT configuration when the IPSec VPN tunnel is disconnected.
•
Local Address Support for Easy VPN Remote—The Cisco Easy VPN Remote feature is enhanced to support an additional local-address attribute that specifies which interface is used to determine the IP address used to source the Easy VPN tunnel traffic.
•
Cable DHCP Proxy Enhancement—The cable-modem dhcp-proxy interface configuration command is enhanced to support the loopback interface for Cisco uBR905 and Cisco uBR925 cable access routers, so that a public IP address is automatically assigned to the loopback interface.
•
Peer Hostname Enhancement—When a peer is defined as a hostname, the hostname is stored and the Domain Name System (DNS) lookup is done at time of tunnel connection.
•
Proxy DNS Server Support—Configures the router in a Cisco Easy VPN Remote configuration to act as a proxy DNS server for LAN connected users.
•
PIX Interoperability Support—Supports Cisco PIX Firewall Version 6.2.
•
Cisco IOS Firewall Support—Supports Cisco IOS Firewall configurations on all platforms.
•
Simultaneous Easy VPN Client and Server Support—Configures simultaneous Easy VPN Client and Cisco Easy VPN Server support on the same Cisco 1700 series routers.
•
Cisco Easy VPN Remote Web Manager—Users can manage the Cisco Easy VPN Remote feature on the Cisco uBR905 and Cisco uBR925 cable access routers using a built-in web interface.
In addition, as part of configuring the Cisco VPN 3000 series concentrator—for the Cisco Easy VPN Remote Phase II image—you do not need to create a new IPSec Security Association. Use the default Internet Key Exchange (IKE) and IPSec client lifetime configured on the Cisco VPN 3000 series concentrator.
Manual Tunnel Control
The IPSec Virtual Private Network (VPN) tunnel is automatically connected when the Cisco Easy VPN Remote feature is configured on an interface. If the tunnel times out or fails, the tunnel automatically reconnects and retries indefinitely. Cisco Easy VPN Remote Phase II implements manual control of IPSec VPN tunnels so that you can establish and terminate the IPSec VPN tunnel on demand.
The Easy VPN Remote configuration command, crypto ipsec client ezvpn name, is enhanced with a new subcommand, connect [auto | manual], to allow you to specify manual tunnel control.
Automatic is the default setting because it was the initial Phase I functionality. If automatic is the configuration, then you do not need to use the subcommand.
The manual setting means that the Cisco Easy VPN Client will wait for a command before attempting to establish the Cisco Easy VPN Remote connection. When the tunnel times out or fails, then subsequent connections will have to wait for the command also.
If the configuration is manual, then the tunnel is connected only after you issue the new command, crypto ipsec client ezvpn connect name.
The clear command, clear crypto ipsec client ezvpn [name], is enhanced to disconnect a given tunnel.
See "Configuring Manual Tunnel Control" section for information on how to configure manual control of a tunnel.
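The following configuration is an added example and is not taken from this document or its configuration sections. It shows a Cisco uBR905 in client mode with manual tunnel control, together with the exec commands used to operate the tunnel. The profile name, group name, group key, peer hostname and LAN addressing are constructed placeholders.

```cisco
! Added example (not from the original document). Profile name, group
! name, key, peer hostname and addresses are constructed placeholders.
!
! Easy VPN Remote profile: the server pushes the remaining IPSec policy.
crypto ipsec client ezvpn hw-client
 group hw-client-group key hw-client-key
 mode client
 ! The hostname is stored as text and resolved when the tunnel is
 ! connected (Peer Hostname Enhancement), so a changed DNS record is
 ! picked up on the next connection.
 peer vpngw.example.com
 ! Manual control: no tunnel attempt until the exec command is issued,
 ! and no automatic retry after a timeout or failure.
 connect manual
!
! Ethernet0 is the default inside interface on the uBR905, so it needs
! no explicit "inside" keyword; NAT/PAT is generated when the tunnel
! comes up and removed when it is torn down.
interface Ethernet0
 ip address 10.0.0.1 255.255.255.0
!
! Cable-modem0 is always the outside interface on this platform.
interface cable-modem0
 crypto ipsec client ezvpn hw-client outside
!
! Exec-mode operation of the manually controlled tunnel:
!   bring the tunnel up on demand
!     Router# crypto ipsec client ezvpn connect hw-client
!   if the server requests XAUTH, answer the console request with
!     Router# crypto ipsec client ezvpn xauth
!   check tunnel state and the inside/outside interface assignment
!     Router# show crypto ipsec client ezvpn
!   tear the tunnel down again (omitting the name clears every tunnel)
!     Router# clear crypto ipsec client ezvpn hw-client
```

With connect manual, a tunnel that times out stays down until the connect command is issued again, so the tunnel state is a deliberate operator decision rather than something the router retries on its own.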
Multiple Inside Interface Enhancements
The Cisco Easy VPN Client Phase I feature supported only one inside interface, which by default was the FastEthernet interface on the Cisco 1700 series and the Ethernet interface on the Cisco 800 series and Cisco uBR900 series.
The inside interface support is enhanced in Cisco Easy VPN Remote Phase II to support multiple inside interfaces for all platforms. Inside interfaces can be manually configured with the enhanced command and subcommand:
interface interface-name
crypto ipsec client ezvpn name [outside | inside]
If you want to disable the default inside interface and configure another inside interface on the Cisco uBR905, Cisco uBR925, or a Cisco 800 series router, you must configure the other inside interface first and then disable the default inside interface. You can use the following command to disable the default inside interface:
no crypto ipsec client ezvpn <name> inside
If you did not configure the other inside interface first before disabling the default inside interface, you receive a message such as the following:
ezvpn_client_37(config)#int e0
ezvpn_client_37(config-if)#no crypto ipsec client ezvpn hw-client inside
Cannot remove the single inside interface unless
one other inside interface is configured
See the "Configuring Multiple Inside Interfaces" section for information on how to configure more than one inside interface.
The multiple inside interface enhancements support the following capabilities:
•
Up to three inside interfaces are supported on the Cisco 1700 and 800 series routers. The Cisco uBR925 supports only up to two inside interfaces (Ethernet and USB). The Cisco uBR905 is not affected, because it supports only one inside interface (Ethernet).
•
When multiple tunnels are configured, there can be confusion as to which tunnel gets the default inside interface. The Cisco 1700 series router has no default inside interface, and any inside interface must be configured. The Cisco 800 series and Cisco uBR905 and Cisco uBR925 series cable access routers have default inside interfaces (Ethernet interface). However, any inside interfaces for these platforms can be manually configured and the default inside interface can be disabled.
•
At least one inside interface must be configured for each outside interface; otherwise, the Cisco Easy VPN Remote Phase II feature does not establish a connection.
•
Adding a new inside interface or removing an existing inside interface automatically resets the Cisco Easy VPN Remote connection (the currently established tunnel). You must reconnect a manually configured tunnel, and if extended authentication (XAUTH) is required by the Cisco Easy VPN Server, the user is re-prompted. If you have set the Cisco Easy VPN Remote Phase II configuration to connect automatically and no XAUTH is required, then no user input is required.
Configuration information for the default inside interface is shown with the show crypto ipsec client ezvpn command. All inside interfaces, whether or not they belong to a tunnel, are listed in interface configuration mode as an inside interface, along with the tunnel name.
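The following session is an added example, not taken from this document, showing the required ordering when the default inside interface on a Cisco uBR925 is replaced by another inside interface. The profile name and addresses are constructed, and usb0 as the name of the uBR925 USB interface is an assumption.

```cisco
! Added example (not from the original document). Profile name and
! addresses are constructed; "usb0" as the uBR925 USB interface name
! is an assumption.
!
! Starting point: Ethernet0 is the platform default inside interface for
! profile hw-client and is currently the only inside interface.
!
! Wrong order: releasing the only inside interface first is rejected.
!   ezvpn_client_37(config)# interface Ethernet0
!   ezvpn_client_37(config-if)# no crypto ipsec client ezvpn hw-client inside
!   Cannot remove the single inside interface unless
!   one other inside interface is configured
!
! Right order: bind the second inside interface first ...
interface usb0
 ip address 10.0.1.1 255.255.255.0
 crypto ipsec client ezvpn hw-client inside
!
! ... then the default inside interface can be released.
interface Ethernet0
 no crypto ipsec client ezvpn hw-client inside
!
! Adding or removing an inside interface resets the established tunnel.
! With "connect manual" it must be reconnected by hand, and a server
! that requires XAUTH prompts again:
!   ezvpn_client_37# crypto ipsec client ezvpn connect hw-client
!
! The inside interfaces now bound to the tunnel, with the tunnel name:
!   ezvpn_client_37# show crypto ipsec client ezvpn
```

Because each change resets the tunnel, a remote site should plan the two steps as one maintenance action rather than removing the default interface on its own and discovering the rejection.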
Multiple Outside Interfaces Support
The Cisco Easy VPN Client Phase I feature supported the configuration of only one tunnel for a single outside interface. The Phase II enhancement adds support for configuration of multiple tunnels for outside interfaces, by establishing one tunnel per outside interface. This functionality is applicable to multiple outside interface platforms such as the Cisco 1700 series routers. The Cisco 800 series routers and the Cisco uBR905 and Cisco uBR925 cable access routers are not affected, because these routers support only one outside interface.
You can configure a maximum of four tunnels. This is done by the enhanced command, crypto ipsec client ezvpn name outside.
Note
Each inside or outside interface supports only one tunnel. Multiple inside interfaces can be mapped to one outside interface.
To disconnect or clear a specific tunnel, the enhanced command, clear crypto ipsec client ezvpn <name>, specifies the IPSec VPN tunnel name. If no tunnel name is specified, then all existing tunnels are cleared.
See "Configuring Multiple Outside Interfaces" section for more information on configuring more than one outside interface.
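The following configuration is an added example, not taken from this document, of two tunnels on a Cisco 1700 series router, one per outside interface, each with its own inside interface. Profile names, group credentials, peers and addresses are constructed, and the interface names are assumptions for a Cisco 1700 fitted with two WAN interfaces.

```cisco
! Added example (not from the original document). Profile names, group
! credentials, peers and addresses are constructed; interface names are
! assumptions for a Cisco 1700 series router with two WAN interfaces.
!
! One profile per tunnel; each outside interface carries exactly one.
crypto ipsec client ezvpn site-a
 group site-a-group key site-a-key
 mode client
 peer 192.0.2.10
!
crypto ipsec client ezvpn site-b
 group site-b-group key site-b-key
 mode network-extension
 peer 198.51.100.10
!
! The Cisco 1700 has no default inside interface: each tunnel needs at
! least one inside interface configured, or it never comes up. An inside
! interface belongs to one tunnel only.
interface FastEthernet0
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn site-a inside
!
interface Ethernet0
 ip address 172.16.5.1 255.255.255.0
 crypto ipsec client ezvpn site-b inside
!
! One tunnel per outside interface (up to four on this platform).
interface Serial0
 ip address 203.0.113.2 255.255.255.252
 crypto ipsec client ezvpn site-a outside
!
interface Serial1
 ip address 203.0.113.6 255.255.255.252
 crypto ipsec client ezvpn site-b outside
!
! Clearing is per tunnel name; omitting the name clears both tunnels:
!   Router# clear crypto ipsec client ezvpn site-b
```

Only site-a, in client mode, gets an automatic NAT/PAT configuration; site-b runs in network-extension mode, so its LAN addresses must be routable from the far side of that tunnel.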
NAT Interoperability Support
Cisco Easy VPN Remote Phase II supports interoperability with Network Address Translation (NAT). You can have a NAT configuration and a Cisco Easy VPN Remote Phase II configuration coexist. When an IPSec VPN tunnel is down, the NAT configuration works.
The Cisco Easy VPN Remote Phase II feature automatically creates a NAT configuration, with the corresponding access lists, to implement client mode and split tunneling. In the initial release of the Cisco Easy VPN Client feature, this automatic NAT and access list configuration overrode any previous NAT and access list configuration. When a tunnel timed out or disconnected—due to manual tunnel control, for example—the automatic NAT and access configuration was automatically removed, which prevented any Internet access even to non-tunnel destinations.
In Phase II of the Cisco Easy VPN Remote feature, the router automatically restores the previous NAT configuration when the IPSec VPN tunnel is torn down. The user-defined access lists are not disturbed. Users can continue to access non-tunnel areas of the Internet when the tunnel times out or disconnects.
Local Address Support for Easy VPN Remote
The Cisco Easy VPN Remote Phase II feature is enhanced to support an additional local-address attribute that specifies which interface is used to determine the IP address used to source the Easy VPN Remote tunnel traffic. After specifying the interface with the local-address subcommand, you can manually assign a static IP address to the interface or use the cable-modem dhcp-proxy interface command to automatically configure the specified interface with a public IP address. See Configuring Easy VPN Remote with a Static IP Address and Configuring Easy VPN Remote Using Cable DHCP Proxy for configuration information. See "Cable DHCP Proxy Enhancement" section for more information on the cable-modem dhcp-proxy interface command.
The local-address support is available for all platforms, but it is more applicable to the Cisco uBR905 and Cisco uBR925 cable access routers in conjunction with the cable-modem dhcp-proxy interface command. Typically, the loopback interface is the interface used to source tunnel traffic for the Cisco uBR905 and Cisco uBR925 cable access routers.
Cable DHCP Proxy Enhancement
In a typical DOCSIS network, the Cisco uBR905 and Cisco uBR925 cable access routers are normally configured with a private IP address on the cable-modem interface. In Cisco Easy VPN Client Phase I, a public IP address was required on the cable-modem interface to support the Easy VPN Client.
In Phase II, cable providers can use the Cable DHCP Proxy feature to obtain a public IP address and assign it to another interface on the router, which is usually the loopback interface.
To support the Cisco Easy VPN Remote Phase II feature on the uBR905 and uBR925 cable access routers, the existing cable-modem dhcp-proxy interface configuration command is enhanced to support the loopback interface. The router automatically configures the loopback interface with the public IP address obtained from the DHCP server. You must create the loopback interface, which is a virtual interface, first before issuing the cable-modem dhcp-proxy interface command.
See "Configuring Easy VPN Remote Using Cable DHCP Proxy" section for information on how to configure the Cable DHCP Proxy feature.
For more information on the cable-modem dhcp-proxy interface command, refer to the "Cable CPE Commands" chapter at http://www.cisco.com/univercd/cc/td/doc/product/cable/bbccmref/bbcmcpe.htm in the Cisco Broadband Cable Command Reference Guide at http://www.cisco.com/univercd/cc/td/doc/product/cable/bbccmref/index.htm.
Note
The cable-modem dhcp-proxy interface command is only supported for the Cisco uBR905 and Cisco uBR925 cable access routers.
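The following configuration is an added example, not taken from this document, combining the local-address attribute with the cable-modem dhcp-proxy interface command on a Cisco uBR925 in network-extension mode. The profile name, group credentials, peer and LAN addressing are constructed placeholders.

```cisco
! Added example (not from the original document). Profile name, group
! credentials, peer and LAN addressing are constructed placeholders.
!
! Profile sources the tunnel from Loopback0's public address instead of
! the private address on cable-modem0.
crypto ipsec client ezvpn hw-client
 group hw-client-group key hw-client-key
 mode network-extension
 peer 192.0.2.10
 local-address Loopback0
!
! 1. Create the loopback first: it must exist before the cable-modem
!    dhcp-proxy command references it. No address is configured here;
!    the public address obtained from the DHCP server is installed on
!    it automatically.
interface Loopback0
 no ip address
!
! 2. On the cable-modem interface (uBR905/uBR925 only), proxy the
!    DHCP-learned public address onto Loopback0.
interface cable-modem0
 cable-modem dhcp-proxy interface Loopback0
 crypto ipsec client ezvpn hw-client outside
!
! Network-extension mode: the LAN keeps enterprise-routable addresses,
! so no NAT/PAT is generated for the tunnel.
interface Ethernet0
 ip address 172.20.4.1 255.255.255.0
!
! Verify the address now on the loopback and the tunnel source:
!   Router# show ip interface brief
!   Router# show crypto ipsec client ezvpn
```

If the loopback is created after the dhcp-proxy command, the command has nothing to reference, which is why the order of the first two steps matters.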
Peer Hostname Enhancement
The peer in a Cisco Easy VPN Remote Phase II feature configuration can be defined as an IP address or a hostname. Typically when a peer is defined as a hostname, a Domain Name System (DNS) lookup is done immediately to get an IP address. In the Cisco Easy VPN Remote Phase II feature, the peer hostname operation is enhanced to support DNS entry changes. The text string of the hostname is stored so that the DNS lookup is done at the time of the tunnel connection, not when the peer is defined as a hostname.
See "Configuring and Assigning the Cisco Easy VPN Remote Configuration" section for information on enabling the peer hostname functionality.
Proxy DNS Server Support
When the WAN connection is down—that is, the IPSec VPN tunnel is down—the Domain Name System (DNS) addresses of the ISP or cable provider should be used to resolve DNS requests. When the WAN connection is up, the enterprise's DNS addresses should be used.
As a way of using the cable provider's DNS addresses when the WAN connection is down, the router in a Cisco Easy VPN Remote Phase II configuration can be configured to act as a proxy DNS server. The router, acting as a proxy DNS server for LAN-connected users, receives DNS queries from local users on behalf of the real DNS server. The DHCP server can then hand out the router's LAN address as the DNS server's IP address. After the WAN connection comes up, the router forwards the DNS queries to the real DNS server and caches the DNS query records.
See "Configuring Proxy DNS Server Support" section for information on enabling the proxy DNS server functionality.
PIX Interoperability Support
The Cisco Easy VPN Remote Phase II feature supports Cisco PIX Firewall Version 6.2.
See "PIX Interoperability Support Example" section for an example output.
You can refer to Cisco PIX Firewall and VPN Configuration Guide Version 6.2 documentation on Cisco.com at the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/index.htm
Cisco IOS Firewall Support
The Cisco Easy VPN Remote Phase II feature works in conjunction with Cisco IOS Firewall configurations on all platforms.
Simultaneous Easy VPN Client and Server Support
You can configure simultaneous Cisco Easy VPN Client and Cisco Easy VPN Server support on the same Cisco 1700 series routers. You can configure one outside interface as a Cisco Easy VPN Server and another outside interface on the same router as a Cisco Easy VPN Client. This support is applicable for multiple outside interface platforms, such as the Cisco 1700 series routers.
Cisco Easy VPN Remote Web Manager
The Cisco Easy VPN Remote Web Manager is a web interface used to manage the Cisco Easy VPN Remote Phase II feature for Cisco uBR905 and Cisco uBR925 cable access routers. Users do not need access to the command-line interface (CLI) to manage the Cisco Easy VPN Remote Phase II connection. The web interface allows the user to:
•
See the current status of the Cisco Easy VPN Remote Phase II tunnel.
•
Connect a tunnel that is configured for manual control.
•
Disconnect a tunnel that is configured for manual control or reset a tunnel configured for automatic connection.
•
Be prompted for Xauth information if Xauth information is needed.
See Configuring and Using the Cisco Easy VPN Remote Web Manager for more information.
Differences Between Cisco Easy VPN Remote Phase II and Phase I
Table 1 summarizes the major differences between the Cisco Easy VPN Remote Phase II feature and the Cisco Easy VPN Client Phase I feature.
Benefits
•
Allows dynamic configuration of end-user policy, requiring less manual configuration by end users and field technicians, thus reducing errors and further service calls.
•
Allows the provider to change equipment and network configurations as needed, with little or no reconfiguration of the end-user equipment.
•
Provides for centralized security policy management.
•
Enables large-scale deployments with rapid user provisioning.
•
Eliminates the need for end users to purchase and configure external VPN devices.
•
Eliminates the need for end users to install and configure VPN client software on their PCs.
•
Offloads the creation and maintenance of the VPN connections from the PC to the router.
•
Reduces interoperability problems between the different PC-based software VPN clients, external hardware-based VPN solutions, and other VPN applications.
Restrictions
Sub-interfaces Not Supported
Establishing Cisco Easy VPN Remote Phase II tunnels over sub-interfaces is not supported in Cisco IOS Release 12.2(8)YJ.
Cisco Easy VPN Remote Web Manager Does Not Support Cable-Monitor Web Interface
The Cisco Easy VPN Remote Web Manager does not work with the cable-monitor web interface in Cisco IOS Release 12.2(8)YJ. To access the cable-monitor web interface, you must first disable the Cisco Easy VPN Remote web interface with the no ip http ezvpn command, and then enable the Cable Monitor with the ip http cable-monitor command.
Only One Destination Peer Supported
The Cisco Easy VPN Remote Phase II feature supports the configuration of only one destination peer and tunnel connection. If your application requires the creation of multiple VPN tunnels, you must manually configure the IPSec VPN and NAT/PAT parameters on both the client and the server.
Required Destination Servers
The Cisco Easy VPN Remote Phase II feature requires that the destination peer be a VPN remote access server or VPN concentrator that supports the Cisco Easy VPN Server feature. At the time of publication, this includes the following platforms when running the indicated software releases:
•
Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers—Cisco IOS Release 12.2(8)T or later release
•
Cisco 1700 series—Cisco IOS Release 12.2(8)T or later release
•
Cisco 2600 series—Cisco IOS Release 12.2(8)T or later release
•
Cisco 3620—Cisco IOS Release 12.2(8)T or later release
•
Cisco 3640—Cisco IOS Release 12.2(8)T or later release
•
Cisco 3660—Cisco IOS Release 12.2(8)T or later release
•
Cisco 7100 series VPN routers—Cisco IOS Release 12.2(8)T or later release
•
Cisco 7200 series routers—Cisco IOS Release 12.2(8)T or later release
•
Cisco 7500 series routers—Cisco IOS Release 12.2(8)T or later release
•
Cisco uBR905 and Cisco uBR925 cable access routers—Cisco IOS Release 12.2(8)T or later release
•
Cisco VPN 3000 series—Software Release 3.11 or later release
•
Cisco PIX 500 series—Software Release 6.2 or later release
Digital Certificates Not Supported
In Cisco IOS Release 12.2(8)YJ, the Cisco Easy VPN Remote Phase II feature does not support authentication using digital certificates. Authentication is supported using preshared keys and Extended Authentication (XAUTH).
Only ISAKMP Policy Group 2 Supported on IPSec Servers
The Unity Protocol supports only ISAKMP policies that use group 2 (1024-bit Diffie-Hellman) IKE negotiation, so the IPSec server being used with the Cisco Easy VPN Remote Phase II feature must be configured for a group 2 ISAKMP policy. The IPSec server cannot be configured for ISAKMP group 1 or group 5 when being used with a Cisco Easy VPN Client.
Perfect Forward Secrecy Not Supported
The Cisco Easy VPN Remote Phase II feature does not support the Perfect Forward Secrecy (PFS) feature that is available on the Cisco VPN 3000 concentrator.
Transform Sets Supported
To ensure a secure tunnel connection, the Cisco Easy VPN Remote Phase II feature does not support transform sets that provide encryption without authentication (ESP-DES and ESP-3DES) or transform sets that provide authentication without encryption (ESP-NULL ESP-SHA-HMAC and ESP-NULL ESP-MD5-HMAC).
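The following configuration is an added example, not taken from this document, showing on a Cisco IOS Easy VPN Server which IKE policy and transform sets a Phase II client will negotiate and which it will not, per the three restrictions above. The policy numbers and transform-set names are constructed.

```cisco
! Added example (not from the original document). Policy numbers and
! transform-set names are constructed.
!
! Accepted by the Easy VPN Remote client: group 2 (1024-bit
! Diffie-Hellman) with preshared keys.
crypto isakmp policy 10
 encryption 3des
 hash sha
 authentication pre-share
 group 2
!
! Not usable with the Easy VPN Remote client: group 1 or group 5
! policies, and (in 12.2(8)YJ) certificate authentication. Do not make a
! policy like this the one the Easy VPN clients are expected to match.
crypto isakmp policy 20
 encryption 3des
 authentication rsa-sig
 group 5
!
! Accepted: encryption and authentication in the same transform set.
crypto ipsec transform-set EZVPN-TS esp-3des esp-sha-hmac
!
! Not supported: encryption without authentication ...
crypto ipsec transform-set ENC-ONLY esp-3des
! ... and authentication without encryption.
crypto ipsec transform-set AUTH-ONLY esp-null esp-sha-hmac
!
! Reference only EZVPN-TS from the dynamic crypto map that serves the
! Easy VPN clients.
```

The check on the server side is simply that the policy the clients land on is group 2 with preshared keys and that every transform set offered to them carries both an ESP cipher and an ESP HMAC; a client facing only the rejected entries fails at negotiation rather than falling back to a weaker set.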
Changing the IP Address on the LAN Interface on Cisco 800 Series Routers
The Ethernet 0 LAN interface on the Cisco 800 series routers defaults to a primary IP address in the private network of 10.10.10.0. You can change this IP address to match the local network's configuration by using either the ip address CLI command or the Cisco Router Web Setup (CRWS) web interface.
These two techniques differ slightly in how the new IP address is assigned. When the CLI command is used, the new IP address is assigned as the primary address for the interface. When the CRWS interface is used, the new IP address is assigned as the secondary address and the existing IP address is preserved as the primary address for the interface. This allows the CRWS interface to maintain the existing connection between the PC web browser and the Cisco 800 series router.
Because of this behavior, the Cisco Easy VPN Remote Phase II feature assumes that if a secondary IP address exists on the Ethernet 0 interface, the secondary address should be used as the IP address for the inside interface for the NAT/PAT configuration. If no secondary address exists, the primary IP address is used for the inside interface address, as is normally done on other platforms. If this behavior is not desired, use the ip address CLI command to change the interface's address, instead of using the CRWS web interface.
VPN 3000 Configuration
The configuration of the Cisco VPN 3000 concentrator has some restrictions when used with the Cisco Easy VPN Remote Phase II feature. See the "Configuring the Cisco VPN 3000 Series Concentrator" section for more details.
See the "PIX Interoperability Support" section for information on Cisco PIX Firewall Version 6.2 support.
Related Documents
This section lists other documentation related to the configuration and maintenance of the Cisco Easy VPN Remote Phase II feature and the supported routers.
Platform-Specific Documentation
Cisco 800 Series Routers
• Cisco 806 Router Hardware Installation Guide
• Cisco 806 Router and SOHO 71 Router Hardware Installation Guide
• Cisco 826 Router Hardware Installation Guide
• Cisco 826 and SOHO76 Router Hardware Installation Guide
• Cisco 827 Router Hardware Installation Guide
• Cisco 827 and SOHO 77 Routers Hardware Installation Guide
• Cisco 828 and SOHO 78 Routers Hardware Installation Guide
• Cisco 806 Software Configuration Guide
• Cisco 827 Router Software Configuration Guide
• Cisco 828 Router and SOHO 78 Router Software Configuration Guide
Cisco uBR905 and Cisco uBR925 Cable Access Routers
• Cisco uBR925 Cable Access Router Hardware Installation Guide
• Cisco uBR905 Hardware Installation Guide
• Cisco uBR905/uBR925 Cable Access Router Software Configuration Guide
• Cisco uBR925 Cable Access Router Subscriber Setup Quick Start Card
• Cisco uBR905 Cable Access Router Subscriber Setup Quick Start Card
• Cisco uBR925 Cable Access Router Quick Start User Guide
Cisco 1700 Series Routers
• Cisco 1700 Series Router Software Configuration Guide
• Cisco 1710 Security Router Hardware Installation Guide
• Cisco 1710 Security Router Software Configuration Guide
• Cisco 1720 Series Router Hardware Installation Guide
• Cisco 1721 Access Router Hardware Installation Guide
• Cisco 1750 Series Router Hardware Installation Guide
• Cisco 1751 Router Hardware Installation Guide
• Cisco 1751 Router Software Configuration Guide
• Cisco 1760 Modular Access Router Hardware Installation Guide
Also see the Cisco IOS release notes for Cisco IOS Release 12.2(4)YA:
• SOHO 70 and Cisco 800 Series—Release Notes for Release 12.2(4)YA
• Release Notes for Cisco uBR905 and Cisco uBR925 Cable Access Routers for Cisco IOS Release 12.2 YA
• Cisco 1700 Series—Release Notes for Release 12.2(4)YA
IPsec and VPN Documentation
For information on the VPN Remote Access Enhancements feature, which provides Cisco Unity client support for the Cisco Easy VPN Remote Phase II feature, see the VPN Remote Access Enhancements feature module for Cisco IOS Release 12.2(8)T.
For general information on IPSec and VPN subjects, see the following information in the product literature and IP technical tips sections on Cisco.com:
• Deploying IPsec—Provides an overview of IPsec encryption and its key concepts, along with sample configurations. Also provides a link to many other documents on related topics.
• Certificate Authority Support for IPsec Overview—Describes the concept of digital certificates and how they are used to authenticate IPsec users.
• An Introduction to IP Security (IPsec) Encryption—Provides a step-by-step description of how to configure IPsec encryption.
The following technical documents, available on Cisco.com and the Documentation CD-ROM, also provide more in-depth configuration information:
• Cisco IOS Security Configuration Guide, Cisco IOS Release 12.2—Provides an overview of Cisco IOS security features.
• Cisco IOS Security Command Reference, Cisco IOS Release 12.2—Provides a reference for each of the Cisco IOS commands used to configure IPsec encryption and related security features.
• Cisco IOS Software Command Summary, Cisco IOS Release 12.2—Summarizes the Cisco IOS commands used to configure all Release 12.1 security features.
Note
Additional documentation on IPSec becomes available on Cisco.com and the Documentation CD-ROM as new features and platforms are added. Cisco Press also publishes several books on IPSec—go to http://www.ciscopress.com for more information on Cisco Press books.
Supported Platforms
• Cisco 806, Cisco 826, Cisco 827, and Cisco 828 routers
• Cisco uBR905 and Cisco uBR925 cable access routers
• Cisco 1700 series routers
Determining Platform Support Through Feature Navigator
Cisco IOS software is packaged in feature sets that support specific platforms. To get updated information regarding platform support for this feature, access Feature Navigator. Feature Navigator dynamically updates the list of supported platforms as new platform support is added for the feature.
Feature Navigator is a web-based tool that enables you to quickly determine which Cisco IOS software images support a specific set of features and which features are supported in a specific Cisco IOS image.
To access Feature Navigator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions at http://www.cisco.com/register.
Feature Navigator is updated regularly when major Cisco IOS software releases and technology releases occur. For the most current information, go to the Feature Navigator home page at the following URL:
Supported Standards, MIBs, and RFCs
Standards
No new or modified standards are supported by this feature.
MIBs
The following new or modified MIBs are supported by this feature:
• CISCO-IPSEC-FLOW-MONITOR-MIB—Contains attributes describing IPSec-based VPNs (IETF IPSec Working Group Draft).
• CISCO-IPSEC-MIB—Describes Cisco implementation-specific attributes for Cisco routers implementing IPSec VPNs.
• CISCO-IPSEC-POLICY-MAP-MIB—Extends the CISCO-IPSEC-FLOW-MONITOR-MIB to map dynamically instantiated structures to the policies, transforms, cryptomaps, and other structures that created or are using them.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
No new or modified RFCs are supported by this feature.
Prerequisites
The following requirements are necessary to use the Cisco Easy VPN Remote Phase II feature:
• A Cisco 806, Cisco 826, Cisco 827, or Cisco 828 router; Cisco 1700 series router; or Cisco uBR905 or Cisco uBR925 cable access router running Cisco IOS Release 12.2(8)YJ or later, configured as a Cisco Easy VPN Client.
• Another Cisco router or VPN concentrator that supports the Cisco Easy VPN Server feature and is configured as a VPN remote access server. See the "Required Destination Servers" section for a detailed list.
Configuration Tasks
See the following sections for configuration tasks for the Cisco Easy VPN Remote Phase II feature. Each task in the list is identified as either required or optional.
• Configuring Manual Tunnel Control (optional)
• Configuring Multiple Inside Interfaces (optional)
• Configuring Multiple Outside Interfaces (optional)
• Configuring Easy VPN Remote Using Cable DHCP Proxy (optional)
• Configuring Proxy DNS Server Support (optional)
• Configuring and Using the Cisco Easy VPN Remote Web Manager (optional)
• Configuring the DHCP Server Pool (required)
• Verifying the DHCP Server Pool (optional)
• Configuring and Assigning the Cisco Easy VPN Remote Configuration (required)
• Verifying the Cisco Easy VPN Configuration (optional)
• Configuring the Cisco VPN 3000 Series Concentrator (optional)
Configuring Manual Tunnel Control
To configure control of IPSec VPN tunnels manually so that you can establish and terminate the IPSec VPN tunnels on demand, use the following procedure beginning in global configuration mode:
Configuring Multiple Inside Interfaces
You can configure up to three inside interfaces for all platforms. You need to manually configure each inside interface with the following procedure:
Configuring Multiple Outside Interfaces
You can configure multiple tunnels for outside interfaces, setting up a tunnel for each outside interface. You can configure a maximum of four tunnels using the following procedure for each outside interface:
Verifying Outside Interface Configuration
The following partial show run output from a Cisco 1760 router shows an outside interface (Serial1/0) assigned to the Easy VPN Remote profile hw1:
1760#sh runn
Building configuration...

Current configuration : 1246 bytes
!
version 12.2
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname 1760
!
aaa new-model
!
!
aaa session-id common
!
ip subnet-zero
!
!
!
!
!
!
!
!
!
interface Serial1/0
 ip address 6.6.6.2 255.255.255.0
 clockrate 4000000
 no cdp enable
 crypto ipsec client ezvpn hw1 outside
!
ip classless
no ip http server
ip pim bidir-enable
!
!
!
radius-server retransmit 3
radius-server authorization permit missing Service-Type
!
line con 0
line aux 0
line vty 0 4
!
no scheduler allocate
end
Configuring Easy VPN Remote Using Cable DHCP Proxy
You can configure the Cisco Easy VPN Remote feature to automatically obtain a public IP address, which is required to support a tunnel interface for the Cisco uBR905 and Cisco uBR925 cable access routers, and assign it to the router's loopback interface. Use the following steps:
1.
Configure the loopback interface with the local-address subcommand to specify that the loopback interface IP address is used as the local address for tunnel traffic.
2.
Configure the loopback interface with the cable-modem dhcp-proxy interface command to automatically assign the IP address to the loopback interface.
Configuring Easy VPN Remote with a Static IP Address
You can configure the Cisco Easy VPN Remote feature with a manually assigned public IP address, which is required to support a tunnel interface for the Cisco uBR905 and Cisco uBR925 cable access routers, and assign it to the router's loopback interface. Use the following steps:
1.
Configure the loopback interface with the local-address subcommand to specify that the loopback interface IP address is used as the local address for tunnel traffic.
2.
Manually assign an IP address to the loopback interface.
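As an added example that is not taken from this document, the following Cisco IOS configuration fragment for a Cisco uBR905 or uBR925 combines the two procedures above: an Easy VPN Remote profile whose local-address subcommand points at Loopback0, with the loopback address supplied either by the cable-modem dhcp-proxy interface command (entered here on the cable-modem interface and naming the loopback, which is the placement assumed) or assigned statically. The profile name hw1, the group name and key, the peer address, and all IP addresses are constructed placeholders.

```cisco
! Easy VPN Remote profile. The local-address subcommand binds tunnel
! traffic to Loopback0, whose address becomes the public tunnel endpoint.
! Profile name, group name, key and addresses are constructed placeholders.
crypto ipsec client ezvpn hw1
 connect auto
 group ezgroup key ezgroup-preshared-key
 mode network-extension
 peer 192.0.2.10
 local-address Loopback0
!
! LAN side: the inside interface whose traffic is carried over the tunnel.
interface Ethernet0
 ip address 10.10.10.1 255.255.255.0
 crypto ipsec client ezvpn hw1 inside
!
! Variant A (cable DHCP proxy): Loopback0 carries no static address; the
! cable-modem interface requests a public address through the DHCP proxy
! and assigns it to Loopback0.
interface Loopback0
 no ip address
!
interface cable-modem 0
 cable-modem dhcp-proxy interface loopback 0
 crypto ipsec client ezvpn hw1 outside
!
! Variant B (static public address): use this Loopback0 instead of the one
! above and omit the cable-modem dhcp-proxy line; the cable-modem interface
! keeps its "outside" assignment.
! interface Loopback0
!  ip address 198.51.100.5 255.255.255.255
!
! After the tunnel comes up, "show crypto ipsec client ezvpn" reports the
! profile state and the local address in use.
```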
Configuring Proxy DNS Server Support
So that the cable provider's DNS addresses can still be used when the WAN connection is down, the router in a Cisco Easy VPN Remote configuration can be configured to act as a proxy DNS server. Proxy DNS server functionality is enabled with the ip dns server command in global configuration mode.
After configuring the router, you configure the VPN remote access server as follows:
• Under crypto isakmp client configuration group groupname:
  dns A.B.C.D A1.B1.C1.D1
These DNS server addresses are pushed from the server to the Cisco Easy VPN Client and are dynamically added to or deleted from the router's running configuration as the tunnel comes up or goes down.
Verifying Proxy DNS Server Support
When the tunnel is connected (up), you can see the following entries in the running configuration:
ip name-server A.B.C.D
ip name-server A1.B1.C1.D1
When the tunnel is disconnected (down), you can see that the following entries are deleted from the running configuration:
ip name-server A.B.C.D
ip name-server A1.B1.C1.D1
Configuring and Using the Cisco Easy VPN Remote Web Manager
To configure and use the Cisco Easy VPN Remote Web Manager for the Cisco uBR905 and Cisco uBR925 cable access routers, follow these steps:
1.
Enter configuration informati