Enable VPN to the home lab – on RV325 – the wrong way

Update: After further research, and some excellent information from readers, I have decided that you should not use this information.  PPTP is not a safe feature to use in any equipment; the weakness is in the protocol itself, so password length and complexity will not secure it.  In fact it is hard to believe that Cisco ships the unit with this feature enabled.  Next time I have time available I will work on a more secure VPN solution, likely SSL or client based.  Sorry for the hassle.

Michael

Hi there,

I want to have emergency access to my home lab: if my View environment goes down I want to be able to come in and fix things.  I use the Cisco Small Business firewall, the RV325, to protect my home lab.  It is a nice firewall and much easier than other Enterprise Cisco products.  I showed you how to set it up and configure it here. But now we want VPN, so let's get it done.

I researched it first and checked out the product documentation, and it was overwhelming.  Lots of choices: there seemed to be two types of VPN plus various ways of doing each, and some could be done in multiple different ways.

So I thought I would check with Support, since some of the confusion came from Cisco videos.  It was a very pleasant experience.  He told me to ignore everything: there was another way that was very good for small companies, that worked easily and was supported on Mac and Windows.  I may be a home lab, but even so it sounded pretty good.  If I had more time I would have a virtual firewall and do VPN from it.  I knew the developers who worked on that stuff when it was vCNS and it would have been cool.  But with that being deprecated and NSX being the choice, that is a little harder to justify and really hard to find the bits.  But let's get this going!

Things to get ready?

For me there was, and it was all research.  But I know what to do now!

Firewall Config

I suggest you upgrade your firewall first.  If you need help you can find out how further down in this article.  When that is done use the steps below.

  • You need to log into your firewall UI.
  • Change to VPN \ PPTP Server.

PPTP VPN Config

  • As you can see above, it is already enabled.  You need to pick the IP range that PPTP will hand out to incoming clients.  It must not overlap addresses that are, or might be, in use inside your network.
  • Below the IP Range you can see anyone who has connected via PPTP.
  • Now we need to create a user who can use PPTP.  Let's change to User Management.
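The "must not step on addresses already in use" rule above is easy to get wrong by hand, so here is an added check of my own (not part of the original post or anything the RV325 ships with) that compares a proposed PPTP start/end pool against the LAN subnet, the DHCP scope and the static hosts you know about.  The subnet, ranges and host names below are constructed sample values, and the check assumes the pool is carved from the LAN subnet.

```python
import ipaddress


def _range(start, end):
    """Turn a start/end pair (as typed on the PPTP Server page) into ints."""
    s, e = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if e < s:
        raise ValueError(f"range end {e} precedes start {s}")
    return int(s), int(e)


def _overlap(a, b):
    """Return the overlapping span of two int ranges as text, or None."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    if lo > hi:
        return None
    return f"{ipaddress.IPv4Address(lo)}-{ipaddress.IPv4Address(hi)}"


def pptp_pool_conflicts(pool, lan_subnet, dhcp_scope, static_hosts=()):
    """List reasons a PPTP client pool is unsafe; an empty list means OK."""
    pool_r = _range(*pool)
    net = ipaddress.IPv4Network(lan_subnet, strict=False)
    findings = []
    # Pool must sit inside the usable hosts of the LAN subnet
    # (network and broadcast addresses excluded).
    usable = (int(net.network_address) + 1, int(net.broadcast_address) - 1)
    if not (usable[0] <= pool_r[0] and pool_r[1] <= usable[1]):
        findings.append(f"pool {pool[0]}-{pool[1]} is outside usable hosts of {net}")
    # Pool must not collide with addresses DHCP may hand out.
    hit = _overlap(pool_r, _range(*dhcp_scope))
    if hit:
        findings.append(f"pool overlaps DHCP scope at {hit}")
    # Pool must not cover any statically assigned host (gateway included).
    for name, addr in static_hosts:
        a = int(ipaddress.IPv4Address(addr))
        if pool_r[0] <= a <= pool_r[1]:
            findings.append(f"pool covers static host {name} ({addr})")
    return findings


# Constructed sample lab layout (not the author's real addressing).
LAN_SUBNET = "192.168.1.0/24"
DHCP_SCOPE = ("192.168.1.100", "192.168.1.199")
STATIC_HOSTS = (("rv325-lan", "192.168.1.1"), ("dc01", "192.168.1.10"),
                ("view-cs", "192.168.1.20"))

if __name__ == "__main__":
    for pool in (("192.168.1.200", "192.168.1.209"), ("192.168.1.195", "192.168.1.204")):
        print(pool, pptp_pool_conflicts(pool, LAN_SUBNET, DHCP_SCOPE, STATIC_HOSTS) or "OK")
```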

User Management

  • Use the Add button and create a user.  I put them into Mobile as it seems logical to me and not for any specific reason.

New user created

  • Make sure to hit the Save button.

We are now done configuring PPTP VPN support in the firewall.  Yes, that does sound odd.  It turns out the firewall rules do not affect whether this VPN works.  That seems crazy weird to me, but such is Cisco and this Small Business firewall.  It does have traditional client-less and client-based VPN as well, but we are doing the simple choice.

  • Now that we are done, I like to take a backup.  So change to System Management \ Backup and Restore.

Backup Menu

  • You can see the button above that will take a backup.  It will copy config.exp to your local drive.  I copy it somewhere else and give the file name a date and time stamp.

Now we are really done.

Client Configuration

We do this configuration on the computer we want to use from outside the home lab. I use a Mac, so I am doing this on a Mac and will show those screenshots.  While the process differs between Mac, Linux and Windows, this VPN is supported from those platforms too. As I get time and opportunity I will try to add Windows to this article.

Mac Config

You start in your System Preferences and Networks.


Preferences – Networking

  • Now use the indicated plus sign to create a new network.

Not configured network UI

  • Change the Interface to VPN, then you will be prompted for a VPN Type; make sure it says PPTP, and then for the Service Name put whatever you like.

Configured interface

  • Once you use Create, you will have some additional choices and be back at the network list.

Almost ready to test

  • You need to add the server address and account name.  Remember, you added an account for the PPTP Server in the firewall's User Management page.

Now it is time to test.

Testing

So I test. I use the connect button we can see above in the screenshot.


Test time

Can you connect?  I did.  But I could only ping or RDP via IP: no DNS support.  I thought about that and of course it makes sense.  I have an IP from the PPTP process but no DNS info, and I did not see anywhere in the firewall to set it.  But if you use the Advanced button seen in the image above, you can access the DNS page and add one (and the DNS search order too).  The next time you connect using that specific VPN connection, that DNS will be used.

BTW, I would do a more traditional Active Directory connected solution if this was for a customer, or if multiple people worked in my lab. But this method is good for me in my home lab.

Thanks for checking out my article.  You can find all of my RV325 articles using this tag – notesfrommwhite.net/tag/RV325.

Questions and comments welcome!

Michael

4 comments on “Enable VPN to the home lab – on RV325 – the wrong way”
  1. I'm using OS X, and was able to connect to the VPN. But RDP doesn't work when I try to connect to the local address (as if I was in the actual office network). Is there a gateway? What settings for service order of internet within OS X should I set?

  2. Al Salmi Said says:

    Hello, I have an RV345 with AnyConnect working fine within the local network but I cannot make it work from another network!!!
    Can someone please support?

    • Hello there,

      I am not sure what to suggest. But if you have it working on the inside, but not the outside, I suspect it is the rules you have specified. Or maybe when you configure anyconnect support it is done from the wrong point of view. I suggest you check with Cisco Support.

      Michael
