For a site-to-site VPN, Cisco IOS uses IP Security (IPsec).
The Cisco router (also called the VPN endpoint in this setup) encrypts the traffic destined for hosts at the remote site and then forwards it through the VPN. All other destinations are handled by the normal routing table.
On router WEST the relevant commands are:
WEST(config)# ip access-list extended FIREWALL-ACL
WEST(config-ext-nacl)# permit udp any any eq isakmp
WEST(config-ext-nacl)# permit udp any eq isakmp any
WEST(config-ext-nacl)# permit esp any any
WEST(config-ext-nacl)# permit icmp any any administratively-prohibited
WEST(config-ext-nacl)# permit icmp any any echo-reply
WEST(config-ext-nacl)# permit icmp any any packet-too-big
WEST(config-ext-nacl)# permit icmp any any time-exceeded
WEST(config-ext-nacl)# permit icmp any any traceroute
WEST(config-ext-nacl)# permit gre any any
WEST(config-ext-nacl)# deny ip any any
WEST(config-ext-nacl)# exit
WEST(config)# ip access-list extended NAT-ACL
WEST(config-ext-nacl)# deny ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
WEST(config-ext-nacl)# permit ip 172.16.0.0 0.0.0.255 any
WEST(config-ext-nacl)# exit
WEST(config)# route-map NO-NAT permit 10
WEST(config-route-map)# match ip address NAT-ACL
WEST(config-route-map)# exit
WEST(config)# ip nat inside source route-map NO-NAT int fa0/0 overload
WEST(config)# int loopback0
WEST(config-if)# ip address 1.1.1.1 255.255.255.252
WEST(config-if)# exit
WEST(config)# ip access-list ext NONAT-LAN-ACL
WEST(config-ext-nacl)# permit ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
WEST(config-ext-nacl)# exit
WEST(config)# route-map NONAT-LAN
WEST(config-route-map)# match ip address NONAT-LAN-ACL
WEST(config-route-map)# set interface loopback0
WEST(config-route-map)# exit
WEST(config)# int fa0/1
WEST(config-if)# ip policy route-map NONAT-LAN
WEST(config-if)# exit
WEST(config)# crypto isakmp policy 1
WEST(config-isakmp)# encryption aes 256
WEST(config-isakmp)# hash sha
WEST(config-isakmp)# authentication pre-share
WEST(config-isakmp)# group 2
WEST(config-isakmp)# exit
WEST(config)# crypto isakmp key ionelmocanu.eu address 10.10.10.2
WEST(config)# crypto ipsec security-association lifetime seconds 28800
WEST(config)# ip access-list extended VPN-ACL
WEST(config-ext-nacl)# permit ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
WEST(config-ext-nacl)# exit
WEST(config)# crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
WEST(config)# crypto map VPN 10 ipsec-isakmp
WEST(config-crypto-map)# set peer 10.10.10.2
WEST(config-crypto-map)# set transform-set SET1
WEST(config-crypto-map)# set pfs group2
WEST(config-crypto-map)# match address VPN-ACL
WEST(config-crypto-map)# exit
WEST(config)# int fa0/1
WEST(config-if)# ip nat inside
WEST(config-if)# int fa0/0
WEST(config-if)# ip nat outside
WEST(config-if)# ip access-group FIREWALL-ACL in
WEST(config-if)# crypto map VPN
WEST(config-if)# exit
On router EAST the commands are:
EAST(config)# ip access-list extended FIREWALL-ACL
EAST(config-ext-nacl)# permit udp any any eq isakmp
EAST(config-ext-nacl)# permit udp any eq isakmp any
EAST(config-ext-nacl)# permit esp any any
EAST(config-ext-nacl)# permit icmp any any administratively-prohibited
EAST(config-ext-nacl)# permit icmp any any echo-reply
EAST(config-ext-nacl)# permit icmp any any packet-too-big
EAST(config-ext-nacl)# permit icmp any any time-exceeded
EAST(config-ext-nacl)# permit icmp any any traceroute
EAST(config-ext-nacl)# permit gre any any
EAST(config-ext-nacl)# deny ip any any
EAST(config-ext-nacl)# exit
EAST(config)# ip access-list extended NAT-ACL
EAST(config-ext-nacl)# deny ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.0.255
EAST(config-ext-nacl)# permit ip 172.30.0.0 0.0.0.255 any
EAST(config-ext-nacl)# exit
EAST(config)# route-map NO-NAT permit 10
EAST(config-route-map)# match ip address NAT-ACL
EAST(config-route-map)# exit
EAST(config)# ip nat inside source route-map NO-NAT int fa0/0 overload
EAST(config)# int loopback0
EAST(config-if)# ip address 1.1.1.1 255.255.255.252
EAST(config-if)# exit
EAST(config)# ip access-list ext NONAT-LAN-ACL
EAST(config-ext-nacl)# permit ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.0.255
EAST(config-ext-nacl)# exit
EAST(config)# route-map NONAT-LAN
EAST(config-route-map)# match ip address NONAT-LAN-ACL
EAST(config-route-map)# set interface loopback0
EAST(config-route-map)# exit
EAST(config)# int fa0/1
EAST(config-if)# ip policy route-map NONAT-LAN
EAST(config-if)# exit
EAST(config)# crypto isakmp policy 1
EAST(config-isakmp)# encryption aes 256
EAST(config-isakmp)# hash sha
EAST(config-isakmp)# authentication pre-share
EAST(config-isakmp)# group 2
EAST(config-isakmp)# exit
EAST(config)# crypto isakmp key ionelmocanu.eu address 10.0.0.2
EAST(config)# crypto ipsec security-association lifetime seconds 28800
EAST(config)# ip access-list extended VPN-ACL
EAST(config-ext-nacl)# permit ip 172.30.0.0 0.0.0.255 172.16.0.0 0.0.0.255
EAST(config-ext-nacl)# exit
EAST(config)# crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
EAST(config)# crypto map VPN 10 ipsec-isakmp
EAST(config-crypto-map)# set peer 10.0.0.2
EAST(config-crypto-map)# set transform-set SET1
EAST(config-crypto-map)# set pfs group2
EAST(config-crypto-map)# match address VPN-ACL
EAST(config-crypto-map)# exit
EAST(config)# int fa0/1
EAST(config-if)# ip nat inside
EAST(config-if)# int fa0/0
EAST(config-if)# ip nat outside
EAST(config-if)# ip access-group FIREWALL-ACL in
EAST(config-if)# crypto map VPN
EAST(config-if)# exit
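A consistency check for the two configurations above, added here as an example; it is not part of the original post. A site-to-site tunnel most often fails to come up because the two ends disagree: crypto ACLs that are not exact mirrors of each other, VPN traffic that is still translated by NAT before the crypto map sees it, or phase 1 / phase 2 parameters that differ. The script parses the relevant parts of both routers' configurations (rewritten in running-config form from the commands above; the EAST text is derived from WEST by swapping the two LAN prefixes and the peer address, which is what the post configures) and reports such mismatches from each side's point of view. The parser and the function names are my own and assume the single-peer, pre-shared-key, crypto-map style used in the post.

```python
"""Cross-check the two ends of a Cisco IOS site-to-site IPsec VPN for the mismatches
that most often keep a tunnel down. Added example, not from the original post; the
config text is constructed from the post's commands, rewritten in running-config form."""
import re

WEST_CFG = """\
ip access-list extended NAT-ACL
 deny ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
 permit ip 172.16.0.0 0.0.0.255 any
ip access-list extended VPN-ACL
 permit ip 172.16.0.0 0.0.0.255 172.30.0.0 0.0.0.255
route-map NO-NAT permit 10
 match ip address NAT-ACL
ip nat inside source route-map NO-NAT interface FastEthernet0/0 overload
crypto isakmp policy 1
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
crypto isakmp key ionelmocanu.eu address 10.10.10.2
crypto ipsec transform-set SET1 esp-aes 256 esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
 set peer 10.10.10.2
 set transform-set SET1
 set pfs group2
 match address VPN-ACL
"""
# EAST is the mirror image: swap the two LAN prefixes and point at the other peer address.
EAST_CFG = (WEST_CFG.replace("172.16.0.0", "@").replace("172.30.0.0", "172.16.0.0")
            .replace("@", "172.30.0.0").replace("10.10.10.2", "10.0.0.2"))

def sections(cfg):
    """Split running-config text into {top-level line: [its indented sub-lines]}."""
    out, cur = {}, None
    for line in cfg.splitlines():
        if line.strip() and not line.startswith(" "):
            cur = line.strip()
            out.setdefault(cur, [])
        elif line.strip() and cur is not None:
            out[cur].append(line.strip())
    return out

def acl_entries(secs, name):
    """(action, src, dst) for the 'ip' lines of an extended ACL, in order; 'any' is kept literal."""
    pat = re.compile(r"(permit|deny)\s+ip\s+(any|\S+\s+\S+)\s+(any|\S+\s+\S+)\s*$")
    return [m.groups() for line in secs.get(f"ip access-list extended {name}", [])
            if (m := pat.match(line))]

def crypto_map(secs):
    """'set peer', 'set transform-set', 'set pfs', 'match address' of the first ipsec-isakmp entry."""
    for hdr, body in secs.items():
        if hdr.startswith("crypto map ") and hdr.endswith(" ipsec-isakmp"):
            return {" ".join(w[:2]): w[2] for w in map(str.split, body) if len(w) > 2}
    raise ValueError("no ipsec-isakmp crypto map entry")

def transform_set(secs, name):
    """Transforms of a named transform set, e.g. ('esp-aes', '256', 'esp-sha-hmac'); None if undefined."""
    prefix = f"crypto ipsec transform-set {name} "
    return next((tuple(h[len(prefix):].split()) for h in secs if h.startswith(prefix)), None)

def isakmp_policy(secs):
    """Attributes of the first ISAKMP policy; IOS defaults for omitted lines are not filled in."""
    body = next((b for h, b in secs.items() if h.startswith("crypto isakmp policy ")), [])
    return dict(line.split(None, 1) for line in body)

def nat_acl_name(secs):
    """Follow 'ip nat inside source route-map X' -> 'route-map X ...' -> 'match ip address Y'."""
    rm = next((h.split()[5] for h in secs if h.startswith("ip nat inside source route-map ")), None)
    for hdr, body in secs.items():
        if hdr.split()[:2] == ["route-map", rm]:
            return next((l.split()[3] for l in body if l.startswith("match ip address ")), None)
    return None

def check_pair(local_cfg, remote_cfg):
    """Mismatches seen from the local side, as readable strings; an empty list means consistent."""
    L, R, problems = sections(local_cfg), sections(remote_cfg), []
    lmap, rmap = crypto_map(L), crypto_map(R)
    lacl = [(s, d) for a, s, d in acl_entries(L, lmap["match address"]) if a == "permit"]
    racl = {(s, d) for a, s, d in acl_entries(R, rmap["match address"]) if a == "permit"}
    # 1. Crypto ACLs must be exact mirrors, or the proxy IDs offered in phase 2 will not agree.
    problems += [f"crypto ACL entry {s} -> {d} has no mirror on the remote side"
                 for s, d in lacl if (d, s) not in racl]
    # 2. VPN traffic must bypass NAT, with the deny ahead of the permit (first match wins).
    nat = acl_entries(L, nat_acl_name(L) or "")
    first_permit = next((i for i, e in enumerate(nat) if e[0] == "permit"), len(nat))
    denied = [(s, d) for a, s, d in nat[:first_permit] if a == "deny"]
    problems += [f"VPN traffic {s} -> {d} is not exempted from NAT ahead of the permit"
                 for s, d in lacl if (s, d) not in denied]
    # 3. Phase 2: both ends must offer the same transforms and the same PFS group.
    if transform_set(L, lmap["set transform-set"]) != transform_set(R, rmap["set transform-set"]):
        problems.append("transform sets differ")
    if lmap.get("set pfs") != rmap.get("set pfs"):
        problems.append("PFS group differs")
    # 4. Phase 1: ISAKMP proposals must match and a pre-shared key must exist for the peer.
    lp, rp = isakmp_policy(L), isakmp_policy(R)
    problems += [f"ISAKMP {k} differs: {lp.get(k)!r} vs {rp.get(k)!r}"
                 for k in ("encryption", "hash", "authentication", "group") if lp.get(k) != rp.get(k)]
    keyed = {m.group(1) for h in L if (m := re.search(r"^crypto isakmp key \S+ address (\S+)", h))}
    if lmap["set peer"] not in keyed:
        problems.append(f"no pre-shared key configured for peer {lmap['set peer']}")
    return problems
```

To use it on real routers, replace WEST_CFG and EAST_CFG with the output of `show running-config` from each end and call `check_pair` in both directions. The checker only verifies that the two ends agree, not that what they agree on is strong: DH group 2 and SHA-1, as used in the post, are considered weak today, so a current deployment should prefer larger DH groups and SHA-2 based HMACs while keeping the same mirror-image discipline.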
Hello,
I have 2 internet connections at 2 different locations (location A with a static IP, and location B with a static IP and a block of public IPs routed through that static IP).
What I want is to set up a tunnel between A and B so that the IPs from the available block can be used at both locations.
I have a Cisco 871.
Thank you, Florin Simion