Update: After further research, and some excellent info from readers, I have decided to say that you should not use this information. This is not a safe feature to use in any equipment. In fact, it is hard to believe that Cisco ships the unit with this feature enabled. Password length and complexity will not ensure your security when using this feature. Next time I have time available I will work on a more secure VPN solution, likely SSL or client-based. Sorry for the hassle.
I want to have emergency access to my home lab: if my View environment goes down I want to be able to come in and fix things. I use the Cisco Small Business firewall, the RV325, to protect my home lab. Nice firewall and much easier than other Enterprise Cisco products. I showed you how to set it up and configure it here. But now we want VPN, so let's get it done.
I researched it first, and checked out the product documentation, and it was overwhelming. Lots of choices, and it seems there were two types of VPN plus various ways of doing each. And some could be done multiple different ways.
So I thought I would check out Support, since some of the confusion came from Cisco videos. It was a very pleasant experience. And he told me to ignore everything. That there was another way that was very good for small companies, that it worked easily and was supported by Mac and Windows clients. I may be a home lab, but even still it sounded pretty good. If I had more time I would have a virtual firewall, and do VPN from it. I knew the developers who worked on that stuff when it was vCNS and it would have been cool. But with that being deprecated and NSX being the choice, that is a little harder to justify and really hard to find the bits. But let's get this going!
Things to get ready?
There was for me, and it was all research. But I know what to do now!
I suggest you upgrade your firewall first. If you need help you can find out how further down in this article. When that is done use the steps below.
- You need to log into your firewall UI.
- Change to VPN \ PPTP Server.
- As you can see above it is already enabled. You need to pick the appropriate IP range for PPTP to share with the incoming people. It must not step on the IP addresses that are or might be in use inside your network.
- Below the IP Range you can see anyone who has connected via PPTP.
- Now we need to create a user who can use PPTP. Let's change to User Management.
- Use the Add button and create a user. I put them into Mobile as it seems logical to me and not for any specific reason.
- Make sure to hit the Save button.
We are now complete with the configuration of PPTP VPN support in the firewall. Yes, that does sound odd. It turns out that the firewall rules do not affect whether this VPN works or not. That seems crazy weird to me, but such is Cisco and this Small Business firewall. It does have traditional client-less and client-based VPN in this firewall, but we are doing the simple choice.
- Now that we are done, I like to do a backup. So change to System Management \ Backup and Restore.
- You can see the button above that will get a backup done. It will copy config.exp to your local drive. I copy it somewhere else and give the file name a date and time stamp.
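The IP range step above says the PPTP pool must not step on addresses already in use inside the network. The following check, added here and not part of the original article or the RV325 firmware, takes a proposed pool and compares it against a LAN subnet, a DHCP pool and a list of static hosts (all of which are constructed sample values, and the assumption that the pool is carved out of the LAN subnet is mine), reporting every collision before you commit the range on the firewall.

```python
import ipaddress

# Constructed sample values for a small lab LAN (assumptions, not from the article).
LAN_SUBNET = "192.168.1.0/24"
DHCP_POOL = ("192.168.1.100", "192.168.1.199")
STATIC_HOSTS = ["192.168.1.1", "192.168.1.10", "192.168.1.20"]


def ip_range(start, end):
    """Expand an inclusive 'start - end' range into a list of addresses."""
    s, e = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if e < s:
        raise ValueError(f"range end {end} is before start {start}")
    return [ipaddress.ip_address(i) for i in range(int(s), int(e) + 1)]


def check_pptp_pool(pptp_start, pptp_end, lan_subnet=LAN_SUBNET,
                    dhcp_pool=DHCP_POOL, static_hosts=STATIC_HOSTS):
    """Return a list of problems with the proposed PPTP client pool.

    An empty list means no address in the pool collides with the LAN
    network/broadcast address, the DHCP pool, or a static host, and the
    whole pool lies inside the LAN subnet (assumed requirement)."""
    problems = []
    lan = ipaddress.ip_network(lan_subnet)
    pool = ip_range(pptp_start, pptp_end)
    dhcp = set(ip_range(*dhcp_pool))
    statics = {ipaddress.ip_address(h) for h in static_hosts}
    for addr in pool:
        if addr not in lan:
            problems.append(f"{addr} is outside the LAN subnet {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{addr} is the network or broadcast address")
        if addr in dhcp:
            problems.append(f"{addr} overlaps the DHCP pool "
                            f"{dhcp_pool[0]}-{dhcp_pool[1]}")
        if addr in statics:
            problems.append(f"{addr} is a statically assigned host")
    return problems


if __name__ == "__main__":
    # Try a pool just above the DHCP range and one that collides with it.
    for start, end in (("192.168.1.200", "192.168.1.204"),
                       ("192.168.1.198", "192.168.1.200")):
        issues = check_pptp_pool(start, end)
        print(f"{start}-{end}: {'OK' if not issues else ''}")
        for line in issues:
            print("  -", line)
```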
Now we are really done.
So we do this configuration on the computer we want to use from outside my home lab. I use a Mac, so I am doing this on a Mac and will show those screenshots. While the process is different on a Mac from Linux or Windows, this VPN is supported from those platforms too. As I get time and opportunity I will try to add Windows to this article.
You start in your System Preferences and Networks.
- Now use the indicated plus sign to create a new network.
- Change the Interface to VPN, and then you will be prompted for a VPN Type; make sure it says PPTP, and then for the Service Name put what you like.
- Once you use Create, you will have some additional choices and be out at the network list.
- You need to add the server address and account name – remember you added an account in the PPTP Server area of the firewall?
Now it is time to test.
So I test. I use the Connect button we can see above in the screenshot.
Can you connect? I did. But, I could only ping or RDP via IP. No DNS support. I thought about that and of course it makes sense. I have an IP from the PPTP process but no DNS info. I did not see where that was possible. But if you use the Advanced button as seen in the image above, you can access the DNS page and add one in (and DNS search order too). Next time you connect using that specific VPN connection that DNS will be used for you.
BTW, I would do a more traditional Active Directory connected solution if this was for a customer, or if multiple people worked in my lab. But this method is good for me in my home lab.
Thanks for checking out my article. You can find all of my RV325 articles using this tag – notesfrommwhite.net/tag/RV325.
Questions and comments welcome!