Cisco VPN site-to-site
by Ionel Mocanu

To build a site-to-site VPN, Cisco IOS uses IP Security (IPsec).

The Cisco router (also called the VPN endpoint in this setup) encrypts the data destined for hosts at the remote site and then forwards it through the VPN. For all other destinations the normal routing table is used.

On router WEST the following relevant commands are executed:

WEST(config)# ip access-list extended FIREWALL-ACL 
WEST(config-ext-nacl)# permit udp any any eq isakmp
WEST(config-ext-nacl)# permit udp any eq isakmp any
WEST(config-ext-nacl)# permit esp any any
WEST(config-ext-nacl)# permit icmp any any administratively-prohibited
WEST(config-ext-nacl)# permit icmp any any echo-reply
WEST(config-ext-nacl)# permit icmp any any packet-too-big
WEST(config-ext-nacl)# permit icmp any any time-exceeded
WEST(config-ext-nacl)# permit icmp any any traceroute
WEST(config-ext-nacl)# permit gre any any
WEST(config-ext-nacl)# deny ip any any
WEST(config-ext-nacl)# exit
WEST(config)# ip access-list extended NAT-ACL
WEST(config-ext-nacl)# deny ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
WEST(config-ext-nacl)# permit ip 172.16.0.0 0.0.0.255 any
WEST(config-ext-nacl)# exit
WEST(config)# route-map NO-NAT permit 10
WEST(config-route-map)# match ip address NAT-ACL
WEST(config-route-map)# exit
WEST(config)# ip nat inside source route-map NO-NAT int fa0/0 overload
WEST(config)# int loopback0
WEST(config-if)# ip address 1.1.1.1 255.255.255.252
WEST(config-if)# exit
WEST(config)# ip access-list ext NONAT-LAN-ACL
WEST(config-ext-nacl)# permit ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
WEST(config-ext-nacl)# exit
WEST(config)# route-map NONAT-LAN
WEST(config-route-map)# match ip address NONAT-LAN-ACL
WEST(config-route-map)# set interface loopback0
WEST(config-route-map)# exit
WEST(config)# int fa0/1
WEST(config-if)# ip policy route-map NONAT-LAN
WEST(config-if)# exit
WEST(config)# crypto isakmp policy 1 
WEST(config-isakmp)# encryption aes 256
WEST(config-isakmp)# hash sha
WEST(config-isakmp)# authentication pre-share
WEST(config-isakmp)# group 2
WEST(config-isakmp)# exit
WEST(config)# crypto isakmp key ionelmocanu.eu address 10.10.10.2
WEST(config)# crypto ipsec security-association lifetime seconds 28800
WEST(config)# ip access-list extended VPN-ACL
WEST(config-ext-nacl)# permit ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
WEST(config-ext-nacl)# exit
WEST(config)# crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
WEST(config)# crypto map VPN 10 ipsec-isakmp 
WEST(config-crypto-map)# set peer 10.10.10.2
WEST(config-crypto-map)# set transform-set SET1
WEST(config-crypto-map)# set pfs group2
WEST(config-crypto-map)# match address VPN-ACL
WEST(config-crypto-map)# exit
WEST(config)# int fa0/1
WEST(config-if)# ip nat inside
WEST(config-if)# int fa0/0
WEST(config-if)# ip nat outside
WEST(config-if)# ip access-group FIREWALL-ACL in
WEST(config-if)# crypto map VPN

On router EAST the commands are:

EAST(config)# ip access-list extended FIREWALL-ACL 
EAST(config-ext-nacl)# permit udp any any eq isakmp
EAST(config-ext-nacl)# permit udp any eq isakmp any
EAST(config-ext-nacl)# permit esp any any
EAST(config-ext-nacl)# permit icmp any any administratively-prohibited
EAST(config-ext-nacl)# permit icmp any any echo-reply
EAST(config-ext-nacl)# permit icmp any any packet-too-big
EAST(config-ext-nacl)# permit icmp any any time-exceeded
EAST(config-ext-nacl)# permit icmp any any traceroute
EAST(config-ext-nacl)# permit gre any any
EAST(config-ext-nacl)# deny ip any any
EAST(config-ext-nacl)# exit
EAST(config)# ip access-list extended NAT-ACL
EAST(config-ext-nacl)# deny ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.0.255
EAST(config-ext-nacl)# permit ip 172.30.0.0 0.0.0.255 any
EAST(config-ext-nacl)# exit
EAST(config)# route-map NO-NAT permit 10
EAST(config-route-map)# match ip address NAT-ACL
EAST(config-route-map)# exit
EAST(config)# ip nat inside source route-map NO-NAT int fa0/0 overload
EAST(config)# int loopback0
EAST(config-if)# ip address 1.1.1.1 255.255.255.252
EAST(config-if)# exit
EAST(config)# ip access-list ext NONAT-LAN-ACL
EAST(config-ext-nacl)# permit ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.0.255
EAST(config-ext-nacl)# exit
EAST(config)# route-map NONAT-LAN
EAST(config-route-map)# match ip address NONAT-LAN-ACL
EAST(config-route-map)# set interface loopback0
EAST(config-route-map)# exit
EAST(config)# int fa0/1
EAST(config-if)# ip policy route-map NONAT-LAN
EAST(config-if)# exit
EAST(config)# crypto isakmp policy 1 
EAST(config-isakmp)# encryption aes 256
EAST(config-isakmp)# hash sha
EAST(config-isakmp)# authentication pre-share
EAST(config-isakmp)# group 2
EAST(config-isakmp)# exit
EAST(config)# crypto isakmp key ionelmocanu.eu address 10.0.0.2
EAST(config)# crypto ipsec security-association lifetime seconds 28800
EAST(config)# ip access-list extended VPN-ACL
EAST(config-ext-nacl)# permit ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.0.255
EAST(config-ext-nacl)# exit
EAST(config)# crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
EAST(config)# crypto map VPN 10 ipsec-isakmp
EAST(config-crypto-map)# set peer 10.0.0.2
EAST(config-crypto-map)# set transform-set SET1
EAST(config-crypto-map)# set pfs group2
EAST(config-crypto-map)# match address VPN-ACL
EAST(config-crypto-map)# exit
EAST(config)# int fa0/1
EAST(config-if)# ip nat inside
EAST(config-if)# int fa0/0
EAST(config-if)# ip nat outside
EAST(config-if)# ip access-group FIREWALL-ACL in
EAST(config-if)# crypto map VPN
EAST(config-if)# exit
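The two configurations above only work as a pair: WEST and EAST must agree on the transform set and PFS group, their crypto ACLs (VPN-ACL) must be mirror images, and each side's NAT-ACL must exempt the traffic that VPN-ACL selects, otherwise the LAN-to-LAN traffic is translated by NAT first, no longer matches the crypto ACL, and leaves fa0/0 in clear text. The Python script below is an added example (not code from the post) that checks those four points over a constructed excerpt of the two configs; it assumes the ACL name NAT-ACL and the six-field `permit ip SRC WC DST WC` entries used on this page, and does not compare the ISAKMP policies or peer addresses.

```python
# Constructed excerpt of the WEST config from the post (prompts stripped, only the
# lines this check reads); EAST is its mirror image, exactly as on the page.
WEST = """crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
ip access-list extended NAT-ACL
 deny ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended VPN-ACL
 permit ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
crypto map VPN 10 ipsec-isakmp
 set pfs group2
 match address VPN-ACL
"""
EAST = (WEST.replace("172.16.0.0 0.0.0.255 172.30.0.0", "172.30.0.0 0.0.0.255 172.16.0.0")
            .replace("172.16.0.0 0.0.0.255 any", "172.30.0.0 0.0.0.255 any"))

def parse(cfg):
    """Collect the settings that must agree between the two IPsec peers."""
    p, sect = {"acl": {}}, None
    for words in filter(None, (l.split() for l in cfg.splitlines())):
        line = " ".join(words)
        if line.startswith("ip access-list"):
            sect = words[-1]; p["acl"][sect] = []
        elif line.startswith("crypto ipsec transform-set"):
            p["transform"] = tuple(words[4:])   # compare the algorithms, not the local name
        elif line.startswith("crypto map"):
            sect = "map"
        elif sect == "map" and words[0] in ("set", "match"):
            p[words[1]] = words[2]              # fills p["pfs"] and p["address"]
        elif sect in p["acl"]:
            p["acl"][sect].append(line)
    return p

def mirror(entry):
    """Swap source and destination of a 'permit|deny ip SRC WC DST WC' entry."""
    act, proto, src, swc, dst, dwc = entry.split()
    return f"{act} {proto} {dst} {dwc} {src} {swc}"

def check_peers(a, b):
    """Return findings; an empty list means the two sides are consistent."""
    out = []
    for key in ("transform", "pfs"):
        if a[key] != b[key]:
            out.append(f"{key} differs: {a[key]} vs {b[key]}")
    if sorted(mirror(e) for e in a["acl"][a["address"]]) != sorted(b["acl"][b["address"]]):
        out.append("crypto ACLs are not mirror images of each other")
    for name, side in (("first", a), ("second", b)):   # NAT-ACL name assumed from the page
        exempt = {e.replace("deny", "permit", 1) for e in side["acl"]["NAT-ACL"] if e.startswith("deny")}
        if not set(side["acl"][side["address"]]) <= exempt:
            out.append(f"{name} peer: NAT-ACL does not exempt all crypto-ACL traffic from NAT")
    return out
```

Run `check_peers(parse(WEST), parse(EAST))` against copies of your own running-configs (prompts stripped); an empty list is the expected result for the pair shown in the post.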

One Comment

  1. Florin Simion says:

    Hello,
    I have 2 internet connections at 2 different locations (location A with a fixed IP and location B with a fixed IP and a block of public IPs routed through that fixed IP).
    What I want is to set up a tunnel between A and B so that the IPs in the available block can be used at both locations.
    I have Cisco 871 routers.
    Thank you, Florin Simion
