VPN for wireless

kryolla Member Posts: 785
Has anybody set up a VPN from a wireless client to the local router in order to get access to resources such as the LAN and internet? I remember Jeremy Ciaro from CBT Nuggets talking about how a wireless client associates with the AP and then VPNs to the local router, so if people that are not authorized on the network access the AP they can't do anything. I was planning on doing this in my home network and I don't have a CA or RADIUS server, so I can't use any EAP security, dot1x, etc., just good old PSK. Thanks
Studying for CCIE and drinking Home Brew

Comments

  • tech-airman Member Posts: 953
    kryolla wrote:
    Has anybody set up a VPN from a wireless client to the local router in order to get access to resources such as the LAN and internet? I remember Jeremy Ciaro from CBT Nuggets talking about how a wireless client associates with the AP and then VPNs to the local router, so if people that are not authorized on the network access the AP they can't do anything. I was planning on doing this in my home network and I don't have a CA or RADIUS server, so I can't use any EAP security, dot1x, etc., just good old PSK. Thanks

    kryolla,

    Does the "local router" have an integrated AP?
  • kryolla Member Posts: 785
    I have an 851W which has an integrated AP, but I can also just use it as an AP and use one of my lab routers. Thanks

    Drew
    Studying for CCIE and drinking Home Brew
  • tech-airman Member Posts: 953
    kryolla wrote:
    I have an 851W which has an integrated AP, but I can also just use it as an AP and use one of my lab routers. Thanks

    Drew

    kryolla,

    Let's see if I understand your questions properly:
    1. Can a wireless client access the Internet?
    2. Can a wireless client access the LAN?
    3. Can a wireless client form a VPN to the Cisco 851W router?
    4. Can the Cisco 851W wireless router be configured to disable network access for unauthorized wireless clients?
    5. Any question(s) I'm missing?
  • kryolla Member Posts: 785
    The only way the wireless client can access the LAN and internet is via VPN to the router.

    I'll see if I can get it to work this weekend; hopefully the wife won't be too mad that she can't access the internet until I get it working or put it back. I can't spend too much time on it; I have my ISCW test next Friday. :D
    Studying for CCIE and drinking Home Brew
  • tech-airman Member Posts: 953
    kryolla wrote:
    The only way the wireless client can access the LAN and internet is via VPN to the router.

    I'll see if I can get it to work this weekend; hopefully the wife won't be too mad that she can't access the internet until I get it working or put it back. I can't spend too much time on it; I have my ISCW test next Friday. :D

    kryolla,

    Here's the "Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide" that I found at cisco.com.

    Link: Cisco 850 Series and Cisco 870 Series Access Routers Software Configuration Guide - http://www.cisco.com/en/US/docs/routers/access/800/850/software/configuration/guide/857sg_bk.pdf
  • dynamik Banned Posts: 12,312
    Is this just a proof of concept or something you actually intend on using regularly? Every time I've heard someone talk about this, he or she says this is a cumbersome solution and not a best practice. What are you trying to achieve?
  • kryolla Member Posts: 785
    Thanks, tech-airman, for the link, but I have that config guide.

    dynamik, this isn't a proof of concept because it's been done before. I agree this isn't best practice for a business, but for a SOHO environment that doesn't have a CA or RADIUS server it might be the best alternative. After I finish my NP I will probably get a 1RU server and install RADIUS on it and mess around with dot1x and EAP. I don't have anything in my network that is sensitive enough to make it permanent, so once I make it work I will probably revert to the original layout.

    Anybody have any suggestions, or can point me in the right direction to get this working? Thanks
    Studying for CCIE and drinking Home Brew
  • dtlokee Member Posts: 2,378
    We do this all the time for clients that want to have a public wireless for basic Internet access and also allow their internal users access to the internal network only after establishing a VPN connection. This can also be accomplished using separate SSIDs and security settings on each WLAN, but that is not always an option. EAP and the various derivatives (like LEAP) have been shown to have security holes, and some security policies will forbid its use.
    The only easy day was yesterday!
  • kryolla Member Posts: 785
    dtlokee wrote:
    We do this all the time for clients that want to have a public wireless for basic Internet access and also allow their internal users access to the internal network only after establishing a VPN connection. This can also be accomplished using separate SSIDs and security settings on each WLAN, but that is not always an option. EAP and the various derivatives (like LEAP) have been shown to have security holes, and some security policies will forbid its use.

    Thanks for the reply. Any tips or suggestions on how to accomplish this? I have an 851W which has an integrated AP, or I can just use it as an AP without the WAN port and connect it to a switch, which in turn will be connected to a router that is hooked up to the internet. The 851W only allows one SSID and one VLAN, so I am limited in what I can do with it. I also just got a PIX 501 firewall today if that helps.

    Drew
    Studying for CCIE and drinking Home Brew
  • dtlokee Member Posts: 2,378
    My preferred method is to connect the AP or wireless network to a DMZ interface on the firewall allowing me to configure connectivity to the Internet without worrying about the wireless traffic traversing the internal network. I will usually create a crypto map for remote access VPN and apply it to the interface on the firewall. If you are using a PIX (or ASA) then you can assign security level 0 to the outside, security level 50 for the DMZ and security level 100 for the inside. You can then use an inbound access-list to restrict traffic to TCP ports 80/443 and UDP port 53 to the Internet. To gain access to the inside network you will need to establish a VPN connection to the firewall.
    The only easy day was yesterday!
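The DMZ design dtlokee describes here (and the VPN-gated inside access from his earlier reply) written out as an added configuration example; it is not from the thread or from any poster. It assumes ASA 8.0-8.2 style syntax on a three-interface firewall, constructed RFC 1918 address ranges, and placeholder secrets, all of which you would replace.

```cisco
! Added example, not from the thread. Assumes three-interface ASA 8.0-8.2 syntax,
! constructed RFC 1918 ranges, and placeholder secrets; adjust names to your hardware.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.50.1 255.255.255.0
!
! Wireless clients land in the DMZ. Inbound ACL: deny the inside LAN outright,
! then allow only DNS and web toward the Internet (the implicit deny drops the rest).
access-list DMZ_IN extended deny ip any 192.168.1.0 255.255.255.0
access-list DMZ_IN extended permit udp any any eq domain
access-list DMZ_IN extended permit tcp any any eq www
access-list DMZ_IN extended permit tcp any any eq https
access-group DMZ_IN in interface dmz
!
! PAT for the DMZ toward the Internet; VPN pool traffic to the inside LAN is NAT-exempt.
global (outside) 1 interface
nat (dmz) 1 192.168.50.0 255.255.255.0
access-list NO_NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.60.0 255.255.255.0
nat (inside) 0 access-list NO_NAT
!
! Remote-access IPsec terminated on the DMZ interface with a pre-shared key (no CA or
! RADIUS needed). Decrypted traffic bypasses DMZ_IN because "sysopt connection permit-vpn"
! is on by default, so only authenticated VPN users ever reach the inside network.
crypto isakmp enable dmz
crypto isakmp policy 10
 authentication pre-share
 encryption aes
 hash sha
 group 2
ip local pool WLAN_VPN_POOL 192.168.60.10-192.168.60.50
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map WLAN_MAP 10 ipsec-isakmp dynamic DYN_MAP
crypto map WLAN_MAP interface dmz
tunnel-group WLAN_VPN type remote-access
tunnel-group WLAN_VPN general-attributes
 address-pool WLAN_VPN_POOL
tunnel-group WLAN_VPN ipsec-attributes
 pre-shared-key PLACEHOLDER_GROUP_KEY
username drew password PLACEHOLDER_USER_PASSWORD
```

With this layout the 851W's integrated AP simply bridges clients onto the DMZ segment. Note that the PIX 501 has only inside and outside interfaces, so the three-interface design needs an ASA or a PIX model with a third port.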