Scenario Analysis
Many people want to build their own WIFI web-authenticated network. The main technology used for this is the Portal (captive portal), which authenticates legitimate users through a web page. Third-party solutions that do authentication with this technology include WIFIAP and WIWIZ; both companies are representative. According to my investigation, Wah also has a Portal solution, but I have not found a related solution from Cisco (maybe it does have one in this field; I have not learned Cisco wireless). So I want to use other techniques to achieve my purpose. Android phones are quite popular now, and both Android phones and computers have VPN dial-in capabilities, so I think of VPN dial-in as my solution.
Expected outcome
Users who dial in to the VPN can access the Internet or the network I specify; users who do not dial in to the VPN can only access a specific network.
1、Preconfigured
Configure the IP address of the external interface fa1/0
R1(config)#interface FastEthernet1/0
R1(config-if)#ip address 1.1.1.2 255.255.255.0
Configure the IP address of the internal interface fa0/1
R1(config)#interface FastEthernet0/1
R1(config-if)#ip address 10.1.1.1 255.255.255.0
Set the DNS name server
R1(config)#ip name-server 8.8.8.8
Enable DNS name resolution *must be enabled*
R1(config)#ip domain-lookup
Add a default route towards the Internet
R1(config)#ip route 0.0.0.0 0.0.0.0 FastEthernet1/0
Create an account for testing, username: pptp, password: pptp
R1(config)#username pptp password pptp
2、VPN PPTP
Create a virtual template; it can also be understood as the VPN gateway
R1(config)#interface Virtual-Template 1
Configure an IP address on this virtual interface
R1(config-if)#ip address 172.16.1.1 255.255.255.0
Set the authentication methods of this virtual link
R1(config-if)#ppp authentication chap ms-chap ms-chap-v2
Let dial-in users obtain their IP address from the address pool named vpn
R1(config-if)#peer default ip address dhcp-pool vpn
Exclude the virtual interface's own IP address from the address pool
R1(config)#ip dhcp excluded-address 172.16.1.1
Create an automatically assigned address pool called vpn
R1(config)#ip dhcp pool vpn
The address range handed out to users should be in the same subnet as the Virtual-Template IP address
R1(dhcp-config)#network 172.16.1.0 255.255.255.0
Set the DNS name server handed out to users (IOS keyword is dns-server)
R1(dhcp-config)#dns-server 8.8.8.8
Enable virtual private dial-up networking
R1(config)#vpdn enable
Create a VPDN group called vpn
R1(config)#vpdn-group vpn
Allow users to dial in
R1(config-vpdn)#accept-dialin
Set the dial-in protocol to PPTP
R1(config-vpdn-acc-in)#protocol pptp
Bind the virtual template created above
R1(config-vpdn-acc-in)#virtual-template 1
4、NAT
Create an access list named vpnnat that selects the traffic to translate
R1(config)#ip access-list extended vpnnat
Match the addresses that dial-in users obtain from the pool
R1(config-ext-nacl)#permit ip 172.16.1.0 0.0.0.255 any
Create a NAT overload (PAT) rule so that dial-in users can reach the Internet through the external interface
R1(config)#ip nat inside source list vpnnat interface FastEthernet1/0 overload
Mark the external interface as the NAT outside interface
R1(config)#interface FastEthernet1/0
R1(config-if)#ip nat outside
Mark the virtual template as the NAT inside interface
R1(config)#interface Virtual-Template1
R1(config-if)#ip nat inside
5、ACL
Create an access list that blocks Internet access for users who have not dialled in to the VPN
R1(config)#ip access-list extended novpn
Match the internal LAN segment and deny it
R1(config-ext-nacl)#deny ip 10.1.1.0 0.0.0.255 any
Allow all other traffic
R1(config-ext-nacl)#permit ip any any
Apply the list in the outbound direction on the external interface
R1(config)#interface FastEthernet1/0
R1(config-if)#ip access-group novpn out
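The NAT and ACL sections above only work together because of the order in which IOS processes a packet leaving FastEthernet1/0: inside-to-outside NAT translation happens first, and the outbound ACL is evaluated afterwards. A dial-in user's packet therefore reaches the novpn list with source 1.1.1.2 (matched by permit ip any any), while a LAN host's packet keeps its 10.1.1.x source and hits the deny. The following Python evaluator is an added example, not part of the original post or any Cisco tooling; it parses the two extended ACLs from the page in a simplified form (wildcard masks, first match wins, implicit deny, IP-only entries) and models the NAT-then-outbound-ACL step with constructed sample flows to a documentation address (203.0.113.10).

```python
"""Walk a packet through the page's vpnnat NAT rule and novpn ACL.

Constructed example (not Cisco code): a minimal evaluator for
'permit|deny ip <src> <dst>' lines with wildcard masks, plus the
inside-to-outside NAT step that IOS applies before the outbound ACL.
"""
import ipaddress

OUTSIDE_IP = "1.1.1.2"  # fa1/0 address from the page's configuration


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a set bit in the wildcard is 'don't care'."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (n & care)


def _parse_addr(tokens):
    """Consume one address spec: 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'."""
    if tokens[0] == "any":
        return ("0.0.0.0", "255.255.255.255"), tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def parse_acl(lines):
    """Parse extended ACL entries of the form 'permit|deny ip <src> <dst>'."""
    rules = []
    for line in lines:
        tokens = line.split()
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        if action not in ("permit", "deny") or proto != "ip":
            raise ValueError(f"unsupported entry: {line}")
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        rules.append((action, src, dst))
    return rules


def acl_permits(rules, src: str, dst: str) -> bool:
    """First matching entry decides; an IOS ACL ends with an implicit deny."""
    for action, (sn, sw), (dn, dw) in rules:
        if wildcard_match(src, sn, sw) and wildcard_match(dst, dn, dw):
            return action == "permit"
    return False


# The two lists exactly as configured on the page.
VPNNAT = parse_acl(["permit ip 172.16.1.0 0.0.0.255 any"])
NOVPN = parse_acl(["deny ip 10.1.1.0 0.0.0.255 any",
                   "permit ip any any"])


def egress_fa1_0(src: str, dst: str, ingress_is_nat_inside: bool):
    """Model a packet leaving fa1/0.

    1. NAT inside->outside: only packets that entered on an 'ip nat inside'
       interface and match the vpnnat list get their source rewritten.
    2. The outbound novpn ACL is then evaluated on the translated packet.
    Returns (forwarded, source address the ACL saw).
    """
    seen_src = src
    if ingress_is_nat_inside and acl_permits(VPNNAT, src, dst):
        seen_src = OUTSIDE_IP
    return acl_permits(NOVPN, seen_src, dst), seen_src


if __name__ == "__main__":
    # Constructed flows: a dial-in client (pool address, entered on the
    # Virtual-Template which is nat inside) and a LAN host behind fa0/1.
    for src, nat_inside in [("172.16.1.5", True), ("10.1.1.5", False)]:
        ok, seen = egress_fa1_0(src, "203.0.113.10", nat_inside)
        print(f"{src:12} -> Internet: {'forwarded' if ok else 'dropped':9} "
              f"(ACL saw source {seen})")
```

Running it shows the dial-in client forwarded with source 1.1.1.2 and the LAN host dropped. The third assertion below also shows that the block does not depend on fa0/1 being left out of NAT: even if fa0/1 were marked ip nat inside, 10.1.1.x never matches vpnnat, keeps its source, and is still denied. The ACL is only applied on fa1/0, so LAN hosts reaching other internal networks through fa0/1 are unaffected, which is the "specific network" access the expected outcome describes.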
PS
I would like to use a Radius server as the PPTP VPN's user database, but an ordinary router does not have this feature; Cisco's firewall products are needed to query a Radius server database.
Original article written by LogStudio: R0uter's Blog » Internet access via PPTP VPN authentication
When reproducing, please keep the source and link: https://www.logcg.com/archives/428.html